The easiest way to answer this question is to refer to the TCP tab in conversations window. Q4:How many TCP sessions are present in the captured traffic?
Since we have the public IP of the attacker we can easily track the geo location by any Geo-IP tracker tool available online. Q2: What is the target’s IP address?įrom above we can conclude easily conclude that the target ip is 192.150.11.111 Q3: Provide the country code for the attacker’s IP address (a.k.a geo-location). Now 2 things stand out here 98.114.205.102, a public IP is making a SMB connection with 192.150.11.111, a internal server and from this we can conclude the attacker ip. In the above snippet we can see that 98.114.205.102 is initiating a TCP handshake with 192.150.11.111. Now, lets jump into the questions Q1 : What is the attacker’s IP address? This was probably used for downloading dataįrom the above point we can make a reasonable guess that attacker used SMB protocol to make a connection and then used RPC to execute code remotely. PacketMaze Challenge: Part 2 Wireshark Pcap analysis
0 kommentar(er)
