Hi guys and girls, like the title says, I have to prove that my network was hacked into and data was exfiltrated. I'm a total newbie on this program with about 6 hours in watching tutorials and messing around with it. It's for my Ethical hacking class and any comments on where to start first or what I should be on the lookout for would be greatly appreciated. Thank you.
asked 27 Oct '17, 09:57
Bad news - Wireshark can only show you what is/was going on while a network traffic capture is/was running. So if your network has been hacked into for a one-time theft of data and that theft has already been completed, capturing network traffic any time after that cannot give you any clue about what has happened.
If you do have network captures from the suspected time of being hacked, you may use Wireshark to analyse them. But even in that case, it is normally close to impossible to find out the ultimate destination of the stolen data / ultimate source of the attack, as the IP addresses you eventually find to be involved are typically just proxies (whose admins have no clue that they were used for the attack, as these boxes have themselves also been hacked before).
If some machines in your network got infected by malware and e.g. act as proxies for further attacks as described above, capturing the traffic and analysing it may highlight that - if you are lucky enough to be capturing while the malware is active.
answered 27 Oct '17, 13:41
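As an added illustration (not code from either poster), here is the kind of first pass a defender might run over flow records pulled from a capture: sum outbound bytes from internal hosts to external hosts, flag unusually large transfers, and check the answer's main caveat, that the capture was actually running during the suspected incident window. The flow records, the "internal = RFC 1918" rule and the size threshold are all assumptions made for this example; a real run would derive the flows from Wireshark's Conversations statistics.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not a real capture):
# (time_seconds, src_ip, dst_ip, bytes_sent_src_to_dst)
SAMPLE_FLOWS = [
    (100.0, "10.0.0.5", "10.0.0.1", 4_000),              # internal chatter
    (120.0, "10.0.0.5", "203.0.113.9", 850_000_000),     # large outbound push
    (130.0, "10.0.0.7", "198.51.100.20", 12_000),        # ordinary browsing
    (140.0, "198.51.100.20", "10.0.0.7", 2_500_000),     # inbound download
]

# Assumption: "inside the network" means an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def outbound_volume(flows):
    """Bytes sent from each internal host to each external host."""
    totals = defaultdict(int)
    for _t, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)] += nbytes
    return dict(totals)

def flag_large_transfers(flows, threshold_bytes=100_000_000):
    """(internal, external, bytes) pairs above an assumed size threshold;
    these are the conversations worth opening in Wireshark first."""
    return sorted((src, dst, n)
                  for (src, dst), n in outbound_volume(flows).items()
                  if n >= threshold_bytes)

def capture_covers(flows, suspected_start, suspected_end):
    """True only if the capture spans the whole suspected incident window;
    otherwise the absence of evidence in the capture proves nothing."""
    if not flows:
        return False
    times = [f[0] for f in flows]
    return min(times) <= suspected_start and max(times) >= suspected_end

if __name__ == "__main__":
    print(flag_large_transfers(SAMPLE_FLOWS))
    print(capture_covers(SAMPLE_FLOWS, 110.0, 135.0))
```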