\u00a0Automated, this happened in 16 seconds. I highly doubt an attacker would have been able to manually scan, exploit, enter 7 commands, download and execute a binary in that time.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nSummary<\/h4>\n
To wrap it all up this was a buffer overflow of a function that was accessible via SMB on port 445. The service was exploited via buffer overflow and then arbitrary commands were allowed be executed on behalf of the attacker. \u00a0I realize that this wasn’t a walkthrough or the most technical breakdown but hopefully it gives you guys some insight as to how I look at pcaps and how you could reconstruct an attack when looking at network traffic captures.<\/p>\n","protected":false},"excerpt":{"rendered":"
Overview – Wireshark Workflow This is an example of my workflow for examining malicious network traffic. \u00a0The traffic I’ve chosen is traffic from The Honeynet Project\u00a0and is one of their challenges captures. \u00a0For small pcaps I like to use Wireshark just because its easier to use. Sometimes I’ll pull apart large a pcap, grab the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[63],"tags":[76,78,77],"class_list":["post-1688","post","type-post","status-publish","format-standard","hentry","category-security","tag-network","tag-pcap","tag-wireshark"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-re","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1688","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=1688"}],"version-history":[{"count":3,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1688\/revisions"}],"predecessor-version":[{"id":1700,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1688\/revisions\/1700"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=1688"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=1688"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=1688"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Wireshark](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.1.png?resize=1080%2C502&ssl=1\")
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n![\"NetAn](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.2.png?resize=1080%2C420&ssl=1\")
<\/a><\/li>\n<\/ul>\n<\/li>\n![\"NetAn](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.3.png?resize=1080%2C496&ssl=1\")
<\/a><\/li>\n<\/ul>\n<\/li>\n![\"Wireshark\"](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.4.png?resize=1080%2C684&ssl=1\")
<\/li>\n<\/ul>\n<\/li>\n![\"Wireshark](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.6.png?resize=778%2C660&ssl=1\")
<\/a><\/li>\n<\/ul>\n<\/li>\n![\"Wireshark](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.5.png?resize=1044%2C786&ssl=1\")
<\/li>\n<\/ul>\n<\/li>\n![\"Wireshark](\"https:\/\/i0.wp.com\/www.hackmethod.com\/wp-content\/uploads\/2015\/11\/NetAn-1.7.png?resize=811%2C650&ssl=1\")
<\/a><\/li>\n<\/ul>\n<\/li>\n