Do you think this is a manual or an automated attack? Why? (2pts).By carving the binary out of the pcap and obtaining a sha1 hash of the file Virtual Total Reports it as being titled smss.exe with a variety of back door names. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts). HOW TO IDENTIFY COMPROMISED COMPUTER WIRESHARK PCAP WINDOWSI think its a honeypot because at quick glance the TTL values don’t match a Windows machine, this machine said it was Windows 2000 in the SMB header, but uses a Linux TTL value of 64. In an IP header different operating systems will provide different time to live values.Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts).MS04-011 LSASS DsRoleUpgradeDownlevelServer function.What specific vulnerability was attacked? (2pts).TCP Connection 5 – Binary is downloaded to victim machine. TCP Connection 4 – A user logs in via a FTP backdoor and requests a binary to be downloaded. HOW TO IDENTIFY COMPROMISED COMPUTER WIRESHARK PCAP CODE
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |