![]() ![]() Interestingly, we see 1 request from 40.80.148.42 vs. Index=botsv1 sourcetype=stream:http http_method="POST" form_data=*username*passwd* Let’s search for POST requests involving the username and passwd fields: Index=botsv1 sourcetype=stream:http src_ip="40.80.148.42" http_method="POST" usernameįrom the above code, we see the structure of the authentication form it is composed of a username field, a passwd field and a login field. ![]() In addition, it involves a username and a password. Requesting the HTTP methods shows a vast majority of POST requests:Ī brute force attack involves POST requests. joomla/templates/protostar/js/template.jsĪnswer: joomla #5 - What address is performing the brute-forcing attack against our website? joomla/media/jui/js/jquery-noconflict.js User-Agent: Mozilla/5.0 (Windows NT 6.1 WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/.0 Safari/537.21Īcunetix-Product: WVS/10.0 (Acunetix Web Vulnerability Scanner - Free Edition)Īcunetix-Scanning-agreement: Third Party Scanning PROHIBITEDĪsnwer: acunetix #3 - What is the IP address of our web server? index=botsv1 sourcetype=stream:http src_ip="40.80.148.42"Īnswer: 192.168.250.70 #4 - What content management system is using?įrom the previous POST requests sent, we can easily guess that the CMS is Joomla. POST /joomla/index.php/component/search/ HTTP/1.1Ĭontent-Type: application/x-www-form-urlencodedĬookie: ae72c62a4936b238523950a4f26f67d0=v7ikb3m59romokqmbiet3vphv3 Top 3 requests should Acunetix (Free Edition) scanning requests: Index=botsv1 sourcetype=stream:httpĪnswer: 40.80.148.42 #2 - What web scanner scanned the server? index=botsv1 sourcetype=stream:http src_ip="40.80.148.42" It is now obvious that the interesting information is in the botsv1 index. WinEventLog:Microsoft-Windows-Sysmon/Operational ![]() The 1st index does not seem to contain interesting data sources for our investigation: Work your way through the first scenario in order to track down P01s0n1vy! Don’t hesitate to use the material provided to give you a nudge! 1.20 #20 - What does this hex code decode to?.1.19 #19 - What special hex code is associated with the customized malware discussed in the previous question?.Using research techniques, provide the SHA256 hash of this malware. This malware is usually connected to P01s0n1vy’s initial attack infrastructure. 1.18 #18 - GCPD reported that common TTPs (Tactics, Techniques, Procedures) for the P01s0n1vy APT group if initial compromise fails is to send a spear phishing email with custom malware attached to their intended target.1.17 #17 - Based on the data gathered from this attack and common open source intelligence sources for domain names, what is the email address that is most likely associated with P01s0n1vy APT group?.1.16 #16 - What IP address has P01s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?.What fully qualified domain name (FQDN) is associated with this attack? 1.15 #15 - This attack used dynamic DNS to resolve to the malicious IP.1.14 #14 - What is the name of the file that defaced the website?.1.13 #13 - What is the MD5 hash of the executable uploaded?.1.12 #12 - What is the name of the executable uploaded by P01s0n1vy?.1.11 #11 - How many unique passwords were attempted in the brute force attempt?.1.10 #10 - How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login rounded to 2 decimal places?.1.9 #9 - What was the average password length used in the password brute forcing attempt rounded to closest whole integer?.1.8 #8 - What was the correct password for admin access to the content management system running ?.1.7 #7 - One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song.1.6 #6 - What was the first password attempted in the attack?.1.5 #5 - What address is performing the brute-forcing attack against our website?.1.4 #4 - What content management system is using?.1.3 #3 - What is the IP address of our web server?.1.2 #2 - What web scanner scanned the server?.1.1 #1 - What IP is scanning our web server?.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |