Can someone tell me if there is anything malicious in this pcap?
Thank you so much!
asked 23 Oct '17, 08:07
To me it looks as if 192.168.56.105 is trying to determine what operating system 192.168.56.107 is running by sending it various weird packets (like a TCP packet with no flags at all) and analysing its reaction to them, and maybe it also checks for the presence of known protocol stack vulnerabilities the same way.
The mention of nmap in the HTTP OPTIONS request supports this theory, but it may just as well be that 192.168.56.105 has already become a botnet zombie and is trying to find an exploitable vulnerability on its network neighbour (possibly using nmap).
answered 23 Oct '17, 09:01
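The two indicators the answer points at (TCP segments with no flags at all, which is what an nmap NULL scan or OS-detection probe sends, and an HTTP OPTIONS request that names nmap) can be checked for mechanically. The script below is an added example, not code from the thread: it writes a small pcap with constructed packets and then scans it. The original capture is not available, so the traffic is made up to match the answer's description; the User-Agent string is the default one sent by nmap's scripting engine, but the actual request in the poster's pcap is not shown, so treat that part as an assumption. The packets carry zero IP/TCP checksums and the file uses the raw-IP link type (101), so it is for exercising the detection logic, not for replaying.

```python
"""Scan a pcap for nmap-style probes: TCP segments with no flags (NULL scan),
Xmas/FIN-only probes, and HTTP requests carrying the Nmap Scripting Engine UA.
Added example; packets below are constructed, not taken from the poster's pcap."""
import struct
from io import BytesIO

LINKTYPE_RAW = 101  # pcap link type: raw IPv4/IPv6 packets, no Ethernet header
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NMAP_UA = b"Nmap Scripting Engine"  # substring of nmap's default NSE User-Agent


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed packet: minimal IPv4 + TCP headers, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp + payload


def write_pcap(packets):
    """Little-endian pcap: 24-byte global header, then 16-byte record headers."""
    buf = BytesIO()
    buf.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for i, pkt in enumerate(packets):
        buf.write(struct.pack("<IIII", 1508745600 + i, 0, len(pkt), len(pkt)))
        buf.write(pkt)
    return buf.getvalue()


def read_pcap(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_RAW:
        raise ValueError("this example only handles LINKTYPE_RAW captures")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen


def parse_ipv4_tcp(pkt):
    """Return src/dst/ports/flags/payload for an IPv4 TCP packet, else None."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    doff = (pkt[ihl + 12] >> 4) * 4
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport, "flags": pkt[ihl + 13],
            "payload": pkt[ihl + doff:]}


def classify(seg):
    """Tag one TCP segment with the nmap-like behaviours described in the answer."""
    findings = []
    f = seg["flags"] & 0x3F  # ignore ECN bits, keep FIN/SYN/RST/PSH/ACK/URG
    if f == 0:
        findings.append("tcp-null-probe")          # no flags at all (nmap -sN / -O)
    elif f == TCP_FIN | TCP_PSH | TCP_URG:
        findings.append("tcp-xmas-probe")          # nmap -sX
    elif f == TCP_FIN:
        findings.append("tcp-fin-probe")           # nmap -sF
    if seg["payload"].startswith(b"OPTIONS "):
        findings.append("http-options")
    if NMAP_UA in seg["payload"]:
        findings.append("nmap-user-agent")
    return findings


def scan_pcap(data):
    results = []
    for pkt in read_pcap(data):
        seg = parse_ipv4_tcp(pkt)
        if seg is None:
            continue
        for tag in classify(seg):
            results.append((seg["src"], seg["dst"], seg["dport"], tag))
    return results


# Constructed sample traffic modelled on the hosts named in the answer.
SCANNER, TARGET = "192.168.56.105", "192.168.56.107"
OPTIONS_REQ = (b"OPTIONS / HTTP/1.1\r\nHost: 192.168.56.107\r\n"
               b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; "
               b"https://nmap.org/book/nse.html)\r\n\r\n")
SAMPLE_PCAP = write_pcap([
    build_ipv4_tcp(SCANNER, TARGET, 40001, 22, 0),                            # no flags
    build_ipv4_tcp(SCANNER, TARGET, 40002, 80, TCP_FIN | TCP_PSH | TCP_URG),  # Xmas
    build_ipv4_tcp(SCANNER, TARGET, 40003, 80, TCP_SYN),                      # ordinary SYN
    build_ipv4_tcp(SCANNER, TARGET, 40004, 80, TCP_PSH | TCP_ACK, OPTIONS_REQ),
    build_ipv4_tcp(TARGET, SCANNER, 80, 40004, TCP_ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for src, dst, dport, tag in scan_pcap(SAMPLE_PCAP):
        print(f"{src} -> {dst}:{dport}  {tag}")
```

The ordinary SYN and the server's reply produce no finding, which is the point: a NULL or Xmas segment never occurs in a normal TCP conversation, so even one of them from a host is worth a closer look, whereas an OPTIONS request alone is legitimate traffic and only becomes interesting together with the scanner's User-Agent. To run this against a real capture, open it with the same reader after saving it from Wireshark as raw IP (or add a 14-byte Ethernet skip for link type 1); Wireshark's own filter equivalents are `tcp.flags == 0` and `http.user_agent contains "Nmap"`.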