#156 [MembersMgmtCommAttack] - Presence of external IPs among the bots injected

Mở
%! (template.HTML=6 năm trước cách đây)đang mở bởi giorgio.bertagnolli · 0 ý kiến

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.

After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.
Đăng nhập để tham gia bình luận.
Không có nhãn
Bug
Không có Milestone
Không có người được phân công
1 tham gia
Đang tải...
Hủy bỏ
Lưu
Ở đây vẫn chưa có nội dung nào.