There it looks like some Ajax stuff getting posted and some other things going on. There's a three-way handshake where it connects to port 443. It switches over between those two to port 443 because there is a SYN, a SYN-ACK, and then an ACK. We see that eventually the traffic goes from port 8080 right about here. I want to see the whole picture here. That will take out the 8080 traffic that we were looking at there. We can say, and TCP port not equal to, or actually, TCP port is not equal to 8080. One of the things we can do is exclude a port. As long as it's staying on port 8080, we could say not equal to port 8080 as well if we wanted to rule out everything else. We can just scroll like that and not worry about missing it in a bunch of other traffic. Remember, we've got a filter on these two. Once it got it, the traffic switches here, from port 8080. Then we went to port 8080 and got the Exploit.jar. Because if you look at it, we're over port 80. After that got pulled down is when that 8080 connection actually started. After that Exploit.jar, we want to see what happened.
We can go back and, as I always say, part of network forensics is you're moving a bunch of hay from around a bunch of needles, and as you find needles, you put that hay back in there to give you context, and then you move forward with that. We don't know what that Java exploit is; that's what we were getting ready to do, dig deeper. It has all the makings of a Java exploit. Then we saw a com.class coming down at the end here. We saw some Metasploit-looking stuff here; we saw the payload class. One thing we saw in that 8080 traffic when we followed the TCP stream on it was that this Exploit.jar file was being pulled down. Just to be clear, if you wanted to filter on traffic on the port, we could add to this filter and just do TCP port 8080.

Remember, we found that by looking at port 8080 traffic between those two. We also saw that it went there, tried to download a page, and downloaded a Java file named Exploit.jar. We had figured out that there was definitely some interesting traffic between 192.168.153.131 and .177; we saw that .131 apparently thought that .177 was Facebook. You'll get to see how we continue to move this case forward and are able to extract the information we need by pulling out the needed data. This is going to be our continuation of Wireshark.
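The filters dictated in the walkthrough above (traffic between the two hosts, then excluding port 8080) hide a classic Wireshark pitfall that is worth seeing concretely. `tcp.port` occurs twice in every TCP packet (source and destination), so a comparison has to decide whether "any" or "all" occurrences must match. In older Wireshark releases `tcp.port != 8080` meant "any occurrence differs", which is true for essentially every packet (the ephemeral port is never 8080), so the filter excluded nothing; Wireshark 3.6 and later changed `!=` to "all not equal", and `!(tcp.port == 8080)` has always been the safe spelling. The Python below is an added example written for this page, not code from the video or from Wireshark; it models both semantics over a constructed packet list. The two IP addresses are the ones named in the transcript, while the third host, the ephemeral ports and the packet sequence are made up for illustration.

```python
"""Model of Wireshark display-filter comparisons on multi-valued fields.

Added example for this page (not from the video or from Wireshark).
The packet list is constructed; only the .131 / .177 hosts come from
the transcript.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    no: int
    src: str
    dst: str
    sport: int
    dport: int

    def field(self, name: str) -> List:
        """Return every value a Wireshark field carries in this packet.

        tcp.port and ip.addr each occur twice (source and destination),
        which is exactly why "any" vs "all" semantics matter.
        """
        if name == "tcp.port":
            return [self.sport, self.dport]
        if name == "ip.addr":
            return [self.src, self.dst]
        raise KeyError(name)


Predicate = Callable[[Packet], bool]


def any_eq(name: str, value) -> Predicate:
    """`field == value`: true if ANY occurrence equals value."""
    return lambda p: any(v == value for v in p.field(name))


def any_ne(name: str, value) -> Predicate:
    """Legacy `field != value` (pre-3.6): true if ANY occurrence differs."""
    return lambda p: any(v != value for v in p.field(name))


def all_ne(name: str, value) -> Predicate:
    """`!(field == value)` (and `!=` in Wireshark 3.6+): true only if
    NO occurrence equals value."""
    return lambda p: all(v != value for v in p.field(name))


def apply_filter(packets: List[Packet], *predicates: Predicate) -> List[int]:
    """Return the frame numbers satisfying every predicate (logical &&)."""
    return [p.no for p in packets if all(pred(p) for pred in predicates)]


# Constructed capture: the .131 host talks to .177 on 80, 8080 and 443,
# plus one unrelated SSH packet to a third host.
VICTIM, SERVER, OTHER = "192.168.153.131", "192.168.153.177", "192.168.153.10"
CAPTURE = [
    Packet(1, VICTIM, SERVER, 49152, 80),    # GET for the landing page
    Packet(2, SERVER, VICTIM, 80, 49152),    # response carrying the jar
    Packet(3, VICTIM, SERVER, 49153, 8080),  # SYN to 8080
    Packet(4, SERVER, VICTIM, 8080, 49153),  # SYN-ACK
    Packet(5, VICTIM, SERVER, 49153, 8080),  # ACK
    Packet(6, VICTIM, SERVER, 49154, 443),   # later TLS connection
    Packet(7, VICTIM, OTHER, 49155, 22),     # unrelated traffic
]


def between_hosts(packets: List[Packet], a: str, b: str) -> List[int]:
    """ip.addr == a && ip.addr == b"""
    return apply_filter(packets, any_eq("ip.addr", a), any_eq("ip.addr", b))


def exclude_port_legacy(packets: List[Packet], port: int) -> List[int]:
    """Old-style `tcp.port != port`: removes nothing useful."""
    return apply_filter(packets, any_ne("tcp.port", port))


def exclude_port(packets: List[Packet], port: int) -> List[int]:
    """`!(tcp.port == port)`: actually drops the port-8080 conversation."""
    return apply_filter(packets, all_ne("tcp.port", port))


if __name__ == "__main__":
    print("between hosts      :", between_hosts(CAPTURE, VICTIM, SERVER))
    print("legacy != 8080     :", exclude_port_legacy(CAPTURE, 8080))
    print("!(tcp.port == 8080):", exclude_port(CAPTURE, 8080))
```

Running it shows the legacy predicate keeping all seven frames, while the "all not equal" form drops frames 3 to 5. When you need to rule a port out during a hunt like this one, check which semantics your Wireshark build uses, or just write `!(tcp.port == 8080)` and avoid the question.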
