
Thread: BuYS: Wireshark - Stuff on wire

  1. #1

    BuYS: Wireshark - Stuff on wire

    [Attachment: question-wireshark.jpg (screenshot of the trace)]

    What is happening in this trace file?
    Is this normal or abnormal? Explain in detail.

    Bonus point: identify the source application.

    Time Frame: 24 hrs

    *Please don't PM me; reply directly in this thread with your answer.

    Enjoy.
    Last edited by b0nd; 03-24-2011 at 07:25 AM. Reason: Prepended BuYS in the Title
    --
    When you know what you want,and you want it badly enough,you'll find a way to get it.

  2. #2
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    A Linksys router is responding to an echo request, as the TTL = 150; not a very reliable way to determine it, but still it could be Linksys. And all I could notice here is an ICMP header checksum [Validation disabled]; this property could either be set, or I see the chance of some sort of secret message embedded in the ICMP packet.

    Note: It's possible to hide messages in ICMP messages. It could even bypass firewalls using this technique, making a backdoor. Anyway, I gave it a shot.


    A gentle request would be: let's have one "brush your skill" question at a time. As of now b0nd's question on nmap is still unanswered, so it would be better if we could have one question at a time.
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    Infosec Enthusiast AnArKI's Avatar
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    Thanks Double_zero, that's a very interesting way of quizzing. I remember the Honeynet Project having such quizzes, wherein they give you the log files to analyze the incidents. It sure helps to improve your incident management skills. Keep it coming.

  4. #4
    Super Commando Dhruv abhaythehero's Avatar
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    466
    Blog Entries
    2
    My wild guess is a Man in the Middle attack.

    Yo yo, and I googled, and in one result I got id=0xe77e as the ID if Ettercap is being used. Long shot anyways.
    In the world of 0s and 1s, are you a zero or The One !

  5. #5
    Security Researcher fb1h2s's Avatar
    Join Date
    Jul 2010
    Location
    India
    Posts
    616
    Blog Entries
    32
    Abhay, yep bro, your answer has to be right; it's a way to check for ettercap poisoning: http://www.ewh.ieee.org/r6/scv/comso...eakerNotes.txt

    Nice work
    Hacking Is a Matter of Time Knowledge and Patience

  6. #6
    @fb1h2s - I think 24 hrs are enough for a question; in case people think it is not enough, then we can increase the time frame, but we have to standardize it, like 48 hrs, 72 hrs etc. What do you say?

    @AnArki - thanks

    @Abhaythehero - Right answer, but where is the explanation? Anyway, thanks for your time, man.

    Answer:

    As we can see in the ARP packets, two different IP addresses are saying that they are on the same MAC address. Now, in the normal world this is not possible, because the hardware address is universally unique for every Ethernet (NIC) card. The situation can be dangerous when we see the same MAC address for two different IPs in a LAN. So by looking at the packets we can say that it is a MITM (Man In The Middle) attack. Now, MITM can be of various types, like ARP Poisoning, ICMP Redirection, Fake DHCP Server, but for this trace file we can easily say that it is an ARP Cache Poisoning based MITM attack.

    ARP Poisoning Explanation: http://www.oxid.it/downloads/apr-intro.swf

    Ettercap is the source application, because ettercap puts IP ID=0xe77e to check for another poisoner on the network.

    Note: The IP ID should be unique for each and every packet; it doesn't matter whether the packet is retransmitted or not. RFC-791

    /
    DZZ
    --
    When you know what you want,and you want it badly enough,you'll find a way to get it.
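The two indicators the answer above relies on (one MAC address being advertised for more than one IP in ARP replies, and an IPv4 packet carrying the ID value 0xe77e) can be checked automatically rather than by eye in Wireshark. The following is an added example written for this thread, not code from the original post or from ettercap: it parses raw Ethernet/ARP and Ethernet/IPv4 frames, builds a sender-MAC to IP table and an IP to sender-MAC table, and reports the same conditions a defender would want flagged. The frames, MAC addresses and IP addresses are constructed test data, and the helper names (build_arp_frame, parse_frame, analyse) are this example's own. A single MAC answering for several IPs can also be legitimate (a gateway doing proxy ARP, a host with several IP aliases), so the output is a trigger for investigation, not a verdict.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ETH_P_IP = 0x0800
ETTERCAP_PROBE_ID = 0xE77E  # IP ID value the thread attributes to ettercap's "other poisoner" check

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(sender_mac, sender_ip, target_mac, target_ip, opcode=2):
    """Ethernet + ARP frame (constructed test data, not from a real capture). opcode 2 = reply."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def build_icmp_echo_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id):
    """Ethernet + minimal IPv4 + ICMP echo request (constructed); checksums left as zero."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"x" * 8  # type 8 (echo request), id 1, seq 1
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, 64, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + icmp

def parse_frame(frame):
    """Return a dict for ARP or IPv4 frames (the fields this check needs); None for anything else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_ARP and len(frame) >= 42:
        return {"proto": "arp",
                "opcode": struct.unpack("!H", frame[20:22])[0],
                "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
                "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}
    if ethertype == ETH_P_IP and len(frame) >= 34:
        return {"proto": "ip",
                "ip_id": struct.unpack("!H", frame[18:20])[0],  # IPv4 identification field
                "src_ip": ip_str(frame[26:30]), "dst_ip": ip_str(frame[30:34])}
    return None

def analyse(frames):
    """Flag: one MAC claiming many IPs, one IP seen with changing MACs, and IP ID 0xe77e."""
    mac_to_ips = defaultdict(set)
    ip_to_macs = defaultdict(set)
    findings = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        if p["proto"] == "arp":
            mac_to_ips[p["sender_mac"]].add(p["sender_ip"])
            ip_to_macs[p["sender_ip"]].add(p["sender_mac"])
        elif p["proto"] == "ip" and p["ip_id"] == ETTERCAP_PROBE_ID:
            findings.append(f"ip_id_0xe77e from {p['src_ip']} to {p['dst_ip']}")
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings.append(f"one_mac_many_ips {mac} -> {sorted(ips)}")
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append(f"ip_mac_changed {ip} -> {sorted(macs)}")
    return findings

def sample_frames():
    """Constructed LAN: real gateway 192.168.1.1, victim 192.168.1.10, third host 192.168.1.50."""
    gw_mac, victim_mac, third_mac = "00:11:22:33:44:55", "00:11:22:33:44:66", "aa:bb:cc:dd:ee:01"
    return [
        build_arp_frame(gw_mac, "192.168.1.1", victim_mac, "192.168.1.10"),      # legitimate reply
        build_arp_frame(third_mac, "192.168.1.1", victim_mac, "192.168.1.10"),   # third host claims gateway IP
        build_arp_frame(third_mac, "192.168.1.10", gw_mac, "192.168.1.1"),       # third host claims victim IP
        build_icmp_echo_frame(third_mac, gw_mac, "192.168.1.50", "192.168.1.1", ETTERCAP_PROBE_ID),
        build_icmp_echo_frame(victim_mac, gw_mac, "192.168.1.10", "192.168.1.1", 0x1234),  # benign
    ]

def sample_findings():
    return analyse(sample_frames())

if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

On the constructed frames this reports three findings: the 0xe77e echo request, the third MAC advertised for both 192.168.1.1 and 192.168.1.10, and 192.168.1.1 seen with two different sender MACs. Reading frames from a real capture instead of sample_frames() is a matter of feeding the raw bytes of each link-layer frame to analyse(); the ip_mac_changed check is the one worth keeping in a long-running monitor, since it fires on the first conflicting reply rather than after the poisoned pair is complete.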

  7. #7
    Super Commando Dhruv abhaythehero's Avatar
    Join Date
    Sep 2010
    Location
    Lucknow/Pune,India
    Posts
    466
    Blog Entries
    2
    Hehehe .. it was an educated guess (now I know my answer is right .. I have changed it from 'wild' to 'educated').

    @fb1h2s thanks bro

    @DouBle_Zer0 I think 24 hrs is a little less of a time frame .. this can be increased just to facilitate more and more participation, as some people visit forums once in 2-3 days. I think the minimum should be 2 days at least.
    In the world of 0s and 1s, are you a zero or The One !
