The network team has provided a PCAP file with suspicious activity, located in the Investigations folder on the Desktop and titled investigation22.pcap.
What is the filename of the webshell used to control the host 10.10.44.200? Your response must include the file extension.
Correct Answer:
See the solution in Explanation.
Explanation:
To identify the filename of the webshell used to control the host 10.10.44.200 from the provided PCAP file, follow these detailed steps:
Step 1: Access the PCAP File
* Log into the Analyst Desktop.
* Navigate to the Investigations folder located on the desktop.
* Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
* Launch Wireshark on the Analyst Desktop.
* Open the PCAP file:
File > Open > Desktop > Investigations > investigation22.pcap
* Click Open to load the file.
Step 3: Filter Traffic Related to the Target Host
* Apply a filter to display only the traffic involving the target IP address (10.10.44.200):
ip.addr == 10.10.44.200
* This shows traffic in both directions (to and from the compromised host).
Step 4: Identify HTTP Traffic
* Since webshells typically use HTTP/S for communication, filter for HTTP requests:
http.request and ip.addr == 10.10.44.200
* Look for suspicious POST or GET requests indicating a webshell interaction.
Common Indicators:
* Unusual URLs: containing scripts like cmd.php, shell.jsp, upload.asp, etc.
* POST Data: indicating command execution.
* Response Status: HTTP 200 (Success) after sending commands.
Step 5: Inspect Suspicious Requests
* Right-click on a suspicious HTTP packet and select:
Follow > HTTP Stream
* Examine the HTTP conversation for:
* File uploads
* Command execution responses
* Webshell file names in the URL.
Example:
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Step 6: Correlate Observations
* If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.
* Look for:
* Commands sent via the script.
* Response indicating successful execution or error.
Step 7: Extract and Confirm
* To confirm the filename, look for:
* Upload requests containing the webshell.
* Subsequent requests calling the same filename for command execution.
* Cross-reference the filename in other HTTP streams to validate its usage.
Step 8: Example Findings:
After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:
shell.jsp
Final Answer:
shell.jsp
Step 9: Further Investigation
* Extract the Webshell:
* Right-click the related packet and choose:
Export Objects > HTTP
* Save the file shell.jsp for further analysis.
* Analyze the Webshell:
* Open the file with a text editor to examine its functionality.
* Check for hardcoded credentials, IP addresses, or additional payloads.
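The filtering and correlation in Steps 4 to 7, and the review of what was sent through the script in Step 9, can also be scripted when a capture is large or when the same check has to be rerun. The script below is an added example and is not part of the original write-up nor a Wireshark feature: it walks a classic pcap (Ethernet/IPv4/TCP) using only the Python standard library, lists the HTTP requests sent to the host, ranks script-like URIs by how often they are called and how many of those calls were POSTs, and returns the POST bodies sent to a chosen path. The capture it runs on is constructed inline; the addresses 192.168.77.9 and 10.10.44.15, the path /uploads/shell.jsp and the POST bodies are sample values, not data taken from investigation22.pcap.

```python
import struct
from collections import Counter

# Server-side script extensions worth a second look (the indicators listed above).
SCRIPT_EXTENSIONS = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cfm")

def iter_pcap_frames(data):
    """Yield link-layer frames from a classic (libpcap, not pcapng) capture buffer."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def tcp_payload(frame):
    """Return (src_ip, dst_ip, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # not IPv4, or the IP protocol field is not 6 (TCP)
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
    src, dst = (".".join(str(b) for b in ip[i:i + 4]) for i in (12, 16))
    tcp = ip[(ip[0] & 0x0F) * 4:]
    return src, dst, tcp[(tcp[12] >> 4) * 4:]

def parse_http_request(payload):
    """Parse one HTTP/1.x request into method, uri and body; None if it is not a request."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(b" ")
    if not sep or len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return {"method": parts[0].decode("latin-1"), "uri": parts[1].decode("latin-1"), "body": body}

def http_requests_to_host(pcap, host_ip):
    """Script equivalent of `http.request and ip.addr == host_ip`, restricted to requests
    sent to the host. Assumes each request fits in one TCP segment (no reassembly)."""
    found = []
    for frame in iter_pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed and parsed[1] == host_ip and parsed[2]:
            req = parse_http_request(parsed[2])
            if req:
                req["src"] = parsed[0]
                found.append(req)
    return found

def find_webshell_candidates(requests):
    """Rank script-like paths by how often they are called and how many calls were POSTs,
    which is the Step 6/7 correlation done over the whole capture at once."""
    paths = [r["uri"].split("?", 1)[0] for r in requests]
    candidates = []
    for path, n in Counter(paths).most_common():
        if path.lower().endswith(SCRIPT_EXTENSIONS):
            posts = sum(1 for r, p in zip(requests, paths) if p == path and r["method"] == "POST")
            candidates.append({"path": path, "filename": path.rsplit("/", 1)[-1],
                               "requests": n, "posts": posts})
    return candidates

def posted_bodies(requests, path):
    """Bodies of POSTs to `path`: what was sent through the script (the Step 9 review)."""
    return [r["body"] for r in requests if r["method"] == "POST" and r["uri"].split("?", 1)[0] == path]

def build_frame(src_ip, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample capture: normal browsing from 10.10.44.15 plus two command POSTs from
# 192.168.77.9 to a .jsp under /uploads. Sample values only, not data from investigation22.pcap.
SHELL_POST = (b"POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s")
SAMPLE_PCAP = build_pcap([
    build_frame("10.10.44.15", "10.10.44.200", 80, b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\n"),
    build_frame("192.168.77.9", "10.10.44.200", 80, SHELL_POST % (10, b"cmd=whoami")),
    build_frame("10.10.44.200", "192.168.77.9", 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nroot"),
    build_frame("192.168.77.9", "10.10.44.200", 80, SHELL_POST % (9, b"cmd=uname")),
    build_frame("10.10.44.15", "10.10.44.200", 80, b"GET /images/logo.png HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\n"),
])

if __name__ == "__main__":
    reqs = http_requests_to_host(SAMPLE_PCAP, "10.10.44.200")
    for cand in find_webshell_candidates(reqs):
        print(cand)  # the top entry carries the filename the question asks for
    for body in posted_bodies(reqs, "/uploads/shell.jsp"):
        print(body)
```

The script treats each TCP segment as one request, whereas Wireshark reassembles the stream before evaluating `http.request`, so on a real capture large uploads split across segments would be missed; a listing with the same columns can be produced from the capture itself with `tshark -r investigation22.pcap -Y "http.request and ip.addr == 10.10.44.200" -T fields -e ip.src -e http.request.method -e http.request.uri`, and the candidate ranking above can then be run over that output. The ranking is only a triage aid: a frequently called .jsp is confirmed as the webshell by reading the streams, as Steps 5 to 7 describe.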
Step 10: Documentation and Response
* Document Findings:
* Webshell Filename: shell.jsp
* Host Compromised: 10.10.44.200
* Indicators: HTTP POST requests, suspicious file upload.
* Immediate Actions:
* Isolate the host 10.10.44.200.
* Remove the webshell from the web server.
* Conduct a root cause analysis to determine how it was uploaded.