首頁 探索 說明
登入
SPIN
/
ID2T-toolkit
6
5
複刻 2
檔案 問題管理 20 合併請求 0 Wiki
標籤 里程碑
創建問題

#156 [MembersMgmtCommAttack] - Presence of external IPs among the bots injected

開啟中
giorgio.bertagnolli5 年之前創建 · 0 條評論
Giorgio Bertagnolli 評論 5 年之前'

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.
登入 才能加入這對話。
標籤
清除已選取標籤
Bug Documentation Enhancement
未選擇標籤
Bug
Documentation
Enhancement
里程碑
清除已選取里程碑
未選擇里程碑
指派成員
取消指派成員
未指派成員
1 參與者
內容編輯 效果預覽
正在加載...
取消
保存
尚未有任何內容