What is the IP responsible for conducting the port scan activity?
Port scanning is done for TCP ports.
In order to see the port scan activity, we have to to go Statistics > Conversations > TCP.
What is the port range scanned by the suspicious host?
Let's sort Port B in an ascending order.
We can see that the last port scanned is 1024.
What is the type of port scan conducted?
We can filter the packets using the following filter:
The packets that we filtered are TCP packets with the SYN flag set.
Two more tools were used to perform reconnaissance against open ports, what were they?
The application/tool and its version can be identified using the User-Agent header.
Using the following filter we can filter out packets sent to the suspicious agent and the User-Agent header.
As we can see the first tool is GoBuster which is enumerating all the directories.
In order to find the second tool, we have to scroll down until we find an encoded URI.
The second tool is SQLmap.
What is the name of the php file through which the attacker uploaded a web shell?
The HTTP POST method is used to upload data to a server. We can filter for these packets using the following filter:
Scrolling down, we can see a POST request made for a upload.php file.
The Referer header in the packet tells us the address from which a resource has been requested.
What is the name of the web shell that the attacker uploaded?
Let's follow the TCP stream for the same packet by going to Follow > TCP Stream.
As we can see the Content-Disposition header is set to form-data with the dbfunctions.php as the filename.
What is the parameter used in the web shell for executing commands?
In the same TCP Stream we can see an if statement that takes cmd as the parameter.
What is the first command executed by the attacker?
The commands to the uploaded file are sent using GET requests. We can use the following filter to separate out these packets.
There were three commands executed: id, python code and whoami.
What is the type of shell connection the attacker obtains through command execution?
We need to open the packet with the python script.
Once formatted, the script looks as follows:
It creates a socket object s and connects to the specified IP address ("10.251.96.4") and port (4422).
It then uses subprocess.call to execute the /bin/sh shell with the "-i" flag, which opens an interactive shell session, effectively allowing the user to control the remote server.
This is inline with the characteristics of a reverse shell.
What is the port he uses for the shell connection?
We saw that the reverse shell connects to port 4422.
