The Mind of a Black Hat Hacker - Looking at PCAP Files

School: Renton Technical College
Course: 482
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 4
Uploaded by MagistratePencil8798
ex1.pcap

As I will do with every file, I will identify and start with the source IP address and determine whether it is associated with any suspicious or abusive activities via abuseipdb.com. Several IP addresses came up again and again, and as I ran them in the database, several of them (ex: 192.168.1.121) would come up and be reported as suspicious within the Brute-Force, Hacking, and/or Web App Attack categories. This would lead me to determine that these IP addresses were involved in an attempt to crack passwords within various databases/data centers to collect user information. Based on that information alone, I would flag and report that data and proceed with the next steps to mitigate any potential breaches.

To further elaborate on that theory, I would look at specific data packets that appear out of the norm. Packets highlighted in green, purple, or light blue are normal packets that I would not spend too much time on unless either the source or destination IP address appears to be suspicious. At that point, I would move on to packets that are highlighted in either black or red; packets highlighted in black or red indicate either an error or a potential issue. Looking at the two screenshots above, I would again first look at the source and destination IP addresses. At that point, I would look at whatever the error was that was produced. Based on the screenshots, there is nothing that I would say is suspicious.

ex2.pcap

Looking at this file, I see that many of the IP addresses being scanned are private IP addresses. Upon research of these IP addresses, almost none of them appear suspicious. However, as I look further down the list, there would be multiple error codes in a row, as the screenshot above indicates. Though suspicious, it is not at all impossible, as further research on one packet shows a TCP flag indicating that an ACKed segment was not captured. Due to the number of packets sent in a row, my theory is that one of the devices may not be connected. Therefore, multiple SYN packets are sent, but because the device is not connected, an ACK segment cannot be sent back, resulting in these error codes. If I were to look solely at the fact that these source IP addresses are targeting other private IP addresses, it would lead me to believe that there is no reason to be suspicious. In other words, there is no reason or benefit that could come from one private IP address attacking another. Based on the captured packets, I do not see a reason to suspect any foul play and chalk it up as a false positive.

ex3.pcap

Initially, the packets captured in this file appear to be unsuspicious. There are not too many errors that would capture my attention. Nonetheless, my procedure would remain the same. Looking at the IP addresses, almost all would match a different Data Center (ex: 162.244.35.36 and 172.217.0.255). What piqued my interest, however, was the destination address that the Data Center (172.217.0.255) would send information to, which upon research would be a private IP address. This does not necessarily mean that the Data Center is sending information to a home computer, but it is something worth noting if multiple packets are being sent to that private IP address. Unfortunately, because of the limitations of what can be seen through Wireshark, it is difficult to determine whether that theory is correct. Even a domain search of certain IP addresses was unsuccessful.

At this point, we can only view what the issues are and from there determine if there are any suspicious activities worth reporting. Based on the different errors provided in these captured packets, there is no suspicious activity from what I can see. There are a few warnings and retransmissions, but other than that, there is nothing worth reporting.

ex4.pcap

In an earlier statement, I stated, “If I were to look solely at the fact that these source IP addresses are targeting other private IP addresses, it would lead me to believe that there is no reason to be suspicious.” Based on this file, I can say that it is possible. An example via the screenshot above shows a private IP address sending a packet over to another private IP address. What is suspicious about this is that the destination IP address is associated with a report that included Brute-Force and SSH abuse. The same source IP address would come up several times during this packet transfer, which I would deem suspicious.

Another suspicion I came across was with IP address 213.186.33.87. This IP address was not only associated with a Data Center in France, but it has also been associated with numerous reports that included email spam, spoofing, hacking, phishing, brute-force, and others. This could be theorized as an attempt to crack passwords and steal user-sensitive information. Upon further investigation, I would find other IP addresses associated with different Data Centers, as well as reports of malicious activity. Based on the error packets captured in this file, it would be difficult to assume that there could be any malicious activity going on. However, if I were to base my suspicion on the history of those IP addresses, I would report that. Furthermore, it would be based on that history that I would investigate and prioritize which ports were being targeted. For example, since IP address 213.186.33.87 has had a history of email spam and phishing, I would filter the “Info” column to see if those ports have been targeted, which in this case, they have not been.

ex5.pcap

For this file, in investigating the error packets, generally I would be suspicious about any of them that appear in a row, such as the ones in file 2. This could mean a possible DDoS attack is taking place. However, that is not the case for this file. Instead of error packets, a particular communication thread between IP addresses 31.31.196.204 and 172.16.123.105 has piqued my interest. Using abuseipdb.com, I was able to see that 31.31.196.204 belongs to a Data Center in Russia, whereas 172.16.123.105’s location could not be determined. 31.31.196.204 has been associated with reports that include DDoS attacks, brute-force attacks, SSH abuse, and web app attacks. Looking at the communication between these IP addresses, I see that a lot of the packets are being trafficked to port 443, which primarily deals with communication between a client browser and server. This could correspond with the reports that the IP address is associated with.

ex6.pcap
Looking at this file, there were several things that caught my attention. One thing, as the first screenshot displays, is “continuation.” Upon research, continuation means that Wireshark failed to recognize the full message, which, unfortunately, could not be investigated further, leaving it rather ambiguous. The IP addresses were not reported as having any malicious activity attached to them, and so I believe it is something that can be ignored, as well as the “Destination unreachable” messages seen in the second screenshot. The third screenshot shows an encrypted alert message. The encrypted alert message means that Wireshark could not decrypt it, which would be cause for concern, especially since they occur in a row. However, the IP addresses do not belong to any notable Data Centers or organizations, but it would still be reported as a minor issue. The fourth screenshot is the more notable issue. An ignored unknown record indicates that the reassembly of traffic has failed. From my perspective, this would not be a major issue if not for the fact that one of the source IP addresses belonged to a Microsoft Data Center that has been reported to have multiple malicious activities including DNS Compromise, DNS Poisoning, Fraud Order, DDoS Attack, FTP Brute-Force, Ping of Death, Phishing, Web Spam, Bad Web Bot, and others. The port seen to have the most traffic going through it is port 443, which would coincide with these reports.
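The checks the report performs by hand across the six captures (which addresses are private and which public ones deserve a reputation lookup, runs of SYNs that never get a SYN-ACK, how much traffic goes to port 443, and what Wireshark's "continuation", "encrypted alert" and "ignored unknown record" labels correspond to at the TLS record layer) can be scripted as a first pass before opening Wireshark. The following is an added example and is not part of the report. It uses only the Python standard library, assumes a classic pcap file (not pcapng) with Ethernet frames, and feeds itself a capture constructed inline that reuses two addresses named in the report; no real traffic was captured. The TLS labels are a simplified reading of what Wireshark's Info column shows, not Wireshark's own dissector logic.

```python
"""Added example, not part of the student's report: a dependency-free first pass over a
libpcap capture that automates the checks the report does by hand."""
import ipaddress
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10
# TLS record content types (RFC 5246 / RFC 8446); anything else is an unknown record
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with no options and zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame in the file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        src, dst = str(ipaddress.ip_address(frame[26:30])), str(ipaddress.ip_address(frame[30:34]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]


def tls_record_label(payload):
    """Name the first TLS record roughly the way Wireshark's Info column would (simplified)."""
    if len(payload) < 5:
        return "continuation"  # shorter than a record header: data belonging to an earlier record
    ctype, major, _minor, length = struct.unpack("!BBBH", payload[:5])
    if major != 3 or ctype not in TLS_CONTENT_TYPES:
        return "unknown record"  # Wireshark ignores records it cannot parse
    name = TLS_CONTENT_TYPES[ctype]
    if ctype == 21 and length > 2:
        name = "encrypted alert"  # a plaintext alert body is exactly two bytes (level, description)
    return name + (" (partial)" if len(payload) < 5 + length else "")


def triage(pcap):
    """Summarise a capture: talkers, public sources, unanswered SYNs, ports, TLS records on 443."""
    report = {"by_source": Counter(), "dport": Counter(), "tls": Counter(), "public_sources": set()}
    syns, synacks = Counter(), set()
    for src, dst, sport, dport, flags, payload in iter_tcp(pcap):
        report["by_source"][src] += 1
        report["dport"][dport] += 1
        if not ipaddress.ip_address(src).is_private:
            report["public_sources"].add(src)  # candidates for a reputation lookup
        if flags & SYN and not flags & ACK:
            syns[(src, dst, dport)] += 1
        elif flags & SYN and flags & ACK:
            synacks.add((dst, src, sport))  # reverse direction of the SYN it answers
        if 443 in (sport, dport) and payload:
            report["tls"][tls_record_label(payload)] += 1
    # repeated SYNs with no SYN-ACK: host down, filtered port, or a scan; Wireshark shows
    # these as retransmissions rather than as a completed handshake
    report["unanswered_syn"] = {k: n for k, n in syns.items() if k not in synacks}
    report["public_sources"] = sorted(report["public_sources"])
    return report


# Constructed sample reusing two addresses named in the report; no real traffic was captured.
C, S = "172.16.123.105", "31.31.196.204"
SAMPLE_PCAP = build_pcap([
    *[build_frame("10.0.0.5", "10.0.0.9", 40000, 22, SYN)] * 3,  # SYNs nobody answers
    build_frame(C, S, 50000, 443, SYN),
    build_frame(S, C, 443, 50000, SYN | ACK),
    build_frame(C, S, 50000, 443, ACK, b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"),
    build_frame(C, S, 50000, 443, ACK | 0x08, b"\x15\x03\x03\x00\x1a" + b"\x00" * 26),
    build_frame(C, S, 50000, 443, ACK, b"\xaa\xbb\xcc"),
    build_frame(C, S, 50000, 443, ACK, b"\x99\x03\x03\x00\x02\x00\x00"),
    build_frame(S, C, 443, 50000, ACK, b"\x17\x03\x03\x00\x03\x00\x00"),
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PCAP).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it directly to see the summary of the constructed capture, or call `triage(open("ex2.pcap", "rb").read())` on a real file. The `unanswered_syn` entry is the quantitative form of the ex2 reasoning: three SYNs to 10.0.0.9:22 with no reply fit a host that is down or a port that is filtered, whereas the same count spread across many destinations or ports would be the pattern of a scan, and that distinction is worth checking before calling a run of retransmissions a false positive. The `public_sources` list is the set of addresses that merit an abuseipdb.com lookup; private addresses are skipped because a reputation database has nothing useful to say about them.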