#156 [MembersMgmtCommAttack] - Presence of external IPs among the bots injected

Aberto
6 anos atrás foi aberto por giorgio.bertagnolli · 0 comentários

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.
Faça login para participar desta conversação.
Sem milestone
Não atribuída
1 participantes
Carregando...
Cancelar
Salvar
Ainda não há conteúdo.