Wireshark-users: Re: [Wireshark-users] Knowing What Exploit from .pcap File

From: Zaki Akhmad <zakiakhmad@xxxxxxxxx>
Date: Tue, 9 Aug 2011 13:47:40 +0700
On Fri, Aug 5, 2011 at 3:57 PM, Sake Blok <sake@xxxxxxxxxx> wrote:

> The whole idea behind a "Capture The Flag" is that the flag is sort of hidden and that it takes skill to find it. I'm no web security expert, so I am also not able to recognize the exploit (without taking time to delve into it). But some simple steps that get you on the way are:
>
> 1) Have a look at which conversations are in the file (two TCP conversations in this case)
>
> 2) Do a follow-tcp-stream on all of them and look at the results; this will show you that
>        - Host .50 is requesting some web content from host .5
>        - Host .50 is using port 4444 on host .5, which seems to offer a form of cmd shell in which a file is being retrieved
>
> 3) Going back to the web content being retrieved, you can see there is a script being run and that the program code of the script is obscured in some way.
>
> So... things to look at are:
>
> 1) Is port 4444 a known port of some exploit?
>
> 2) Can you "decrypt" the javascript code, and does that point you in the right direction?
>
> 3) etc.

Thank you for your explanation. I really appreciate it!

-- 
Zaki Akhmad
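Step 1 of the triage above (list the TCP conversations, then ask whether one of them sits on a port such as 4444) can also be done outside the Wireshark GUI. The following is an added example, not code from the thread: a small stand-alone pcap reader that groups packets into TCP conversations and annotates any that touch a port on a watch list. The capture is constructed inline with the hypothetical hosts 10.0.0.50 and 10.0.0.5, chosen only to mirror the ".50" and ".5" mentioned in the reply.

```python
import struct
from collections import OrderedDict

def _tcp_frame(src, dst, sport, dport, payload=b""):
    """Build one Ethernet/IPv4/TCP pcap record (constructed test data, checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = eth + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # pcap record header

# Constructed capture: one HTTP exchange and one exchange on port 4444 (hypothetical hosts).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _tcp_frame("10.0.0.50", "10.0.0.5", 51000, 80, b"GET /index.html HTTP/1.1\r\n"),
    _tcp_frame("10.0.0.5", "10.0.0.50", 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    _tcp_frame("10.0.0.50", "10.0.0.5", 51001, 4444, b"whoami\n"),
    _tcp_frame("10.0.0.5", "10.0.0.50", 4444, 51001, b"root\n"),
])

# Ports worth a second look during triage; 4444 is the one raised in the thread.
SUSPECT_PORTS = {4444: "common default listener port for reverse/bind shells"}

def tcp_conversations(pcap):
    """Return {(ip_a, port_a, ip_b, port_b): {"packets": n, "bytes": payload_bytes, "note": str}}."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"  # pcap files may be either byte order
    convs, off = OrderedDict(), 24             # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        payload_len = len(frame) - t - doff
        key = min((src, sport, dst, dport), (dst, dport, src, sport))  # direction-independent key
        c = convs.setdefault(key, {"packets": 0, "bytes": 0, "note": ""})
        c["packets"] += 1
        c["bytes"] += payload_len
        for p in (sport, dport):
            if p in SUSPECT_PORTS:
                c["note"] = SUSPECT_PORTS[p]
    return convs

for k, v in tcp_conversations(SAMPLE_PCAP).items():
    print("%s:%d <-> %s:%d  packets=%d bytes=%d  %s" % (k + (v["packets"], v["bytes"], v["note"])))
```

Once the conversation of interest is identified, the payload bytes of that stream are what the "follow TCP stream" step in the reply reassembles for inspection.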