FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Sans SEC505
    • Powershell Scripting Fundamentals
    • Book One
      • The Object-Oriented Command Shell
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • WEInnovate Training
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Fluent-Bit
      • Winlogbeat & Filebeat
      • Send Logs from Winlogbeat through Logstash to ELK
      • Audit policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Boss of the SOC V1 - Web Defacement
    • Lumma C2
    • Network Analysis
Powered by GitBook
On this page
  1. WEInnovate Training

Network Analysis

PreviousLumma C2

Last updated 5 days ago

Task: As a SOC analyst at BookWorld, an online bookstore, you detect an unusual spike in database queries and server resource usage, triggering an automated alert. Concerned about potential malicious activity, you must analyze network traffic to identify the attack vector, assess a possible data breach, and determine if the attacker gained deeper access to internal systems.

Q1) What is the attacker's IP?

We can obtain this information using the Statistics tab in Wireshark.

Let's verify whether this IP address belongs to the attacker.

ip.addr==111.224.250.131

We can also obtain this information using TShark.

tshark -r PCAP3.pcap -z endpoints,ip -q

Answer: 111.224.250.131

Q2) Determine the original city of the attacker.

From this website: https://ipgeolocation.io/

Answer: Shijiazhuang

Q3) Can you provide the vulnerable PHP script name?

http.request.uri contains ".php"

Let's direct our attention to the search.php page.

http.request.uri contains "search.php"

The attacker is attempting to perform an SQL Injection on this page.

Using Tshark:

tshark -r PCAP3.pcap -Y 'http.request.uri contains "search.php"' -T fields -e http.request.uri | sort | uniq

Answer: search.php

Q4) What's the complete request URI of the first SQLi attempt by the attacker?

http.request.uri contains "search.php"

Answer: https://bookworldstore.com/search.php?search=book%20and%201=1;%20--%20-

Q5) Can you provide the complete request URI that was used to read the web server's available databases?

Let's use Ctrl + F to search for the term "Information_schema" within the packet data.

We've received some hits. Let's analyze each one by following its TCP stream to gather relevant information.

Using Tshark:

First, we need to identify the frame number of the packets containing information_schema.

tshark -r PCAP3.pcap -Y "http.request" -T fields -e http.request.uri -e tcp.stream | grep -Ei "information_schema"

Next, we will analyze the TCP stream for each connection individually.

tshark -r PCAP3.pcap -z follow,http,ascii,151 -q

Answer: https://bookworldstore.com/search.php?search=book%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7178766271%2CJSON_ARRAYAGG%28CONCAT_WS%280x7a76676a636b%2Cschema_name%29%29%2C0x7176706a71%29%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-

Q6) What's the table name containing the website users' data?

http.request.uri contains "search.php"

Let's use Ctrl + F to search for the term "Information_schema" within the packet data.

Using Tshark:

tshark -r PCAP3.pcap -z follow,http,ascii,154 -q

Answer: cutomers

Q7) What's the name of the directory discovered by the attacker?

http.request.method == POST

Answer: /admin

Q8) What are the credentials used by the attacker for logging in?

Let's analyze the HTTP stream associated with the fourth packet in this capture.

http.request.method == POST

Answer: admin:admin123!

Q9) What's the name of the malicious script uploaded by the attacker?

http.request.method == POST

Let's analyze the HTTP stream associated with the fifth packet.

Answer: NVri2vhp.php