PoisonedCredentials -Challenge Write-Up | BY : Ahmed Nasser

أحمد ناصر
3 min read · Nov 20, 2023


By: CyberDefenders

Category: Network Forensics

Level: Easy

Scenario:

Your organization’s security team has detected a surge in suspicious network activity. There are concerns that LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning attacks may be occurring within your network. These attacks are known for exploiting these protocols to intercept network traffic and potentially compromise user credentials. Your task is to investigate the network logs and examine captured network traffic.

Tools:

  • Wireshark

Challenge download link: https://cyberdefenders.org/blueteam-ctf-challenges/enroll/146

Q1-In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?

  • First of all, I filtered on the LLMNR protocol (Link-Local Multicast Name Resolution) and the IP address 192.168.232.162

Using this filter:

llmnr and ip.addr==192.168.232.162

From packet 52 I saw an LLMNR query for the name fileshaare, which is a mistyped query (the correct name is fileshare). A name that does not exist on the network is exactly what a poisoner waits for, because no legitimate host will ever answer it.

  • THE ANSWER: fileshaare

Q2-We are investigating a network security incident. For a thorough investigation, we need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?

Since we know it was a poisoning attack, if we go to packet 55 or 56 we will see the IP address 192.168.232.215 replying to the mistyped query from the first question. No legitimate host should answer for a name that does not exist, so I was sure the attacker IP is 192.168.232.215.

  • THE ANSWER: 192.168.232.215

Q3-During our investigation, it’s crucial to identify all affected machines. What is the IP address of the second machine that received poisoned responses from the rogue machine?

The question asks for the victim IP addresses, so I filtered the PCAP on the attacker IP address:

The attacker is communicating with 2 IP addresses:

1- 192.168.232.162

2- 192.168.232.176

  • THE ANSWER: 192.168.232.176
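The three steps above (find the mistyped query, find who answered it, list every host that took an answer from that responder) can be automated instead of clicking through packets. The following is an added example, not code from the write-up or from CyberDefenders: it parses raw LLMNR messages (DNS-style framing on UDP/5355 as in RFC 4795), correlates each response with the query it answers by transaction ID and name, and flags any host that answers for more than one distinct name, since a legitimate host only ever answers for its own name. The packet list at the bottom is constructed sample data modelled on the challenge, not content from the capture; the second mistyped name, the domain and the hosts ending in .10 and .20 are assumptions.

```python
"""LLMNR parser plus a poisoning heuristic over a constructed packet list."""
import struct
from collections import defaultdict

LLMNR_PORT = 5355             # UDP port used by LLMNR (RFC 4795)
LLMNR_MCAST = "224.0.0.252"   # IPv4 multicast group that queries are sent to
FLAG_QR = 0x8000              # header flag bit: message is a response


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    labels = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return labels + b"\x00"


def build_query(txid, name):
    """Build an LLMNR A-record query (constructed, used for the sample traffic)."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(txid, name, ip):
    """Build an LLMNR response that answers `name` with the A record `ip`."""
    header = struct.pack(">HHHHHH", txid, FLAG_QR, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack(">HHIH", 1, 1, 30, 4) + rdata
    return header + question + answer


def decode_name(data, offset):
    """Decode a DNS-style name at `offset`; returns (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode())
        offset += length


def parse_llmnr(payload):
    """Parse the header, question names and A-record answers of one LLMNR message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", payload[:12])
    offset = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        offset += 4                            # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(ancount):
        name, offset = decode_name(payload, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def analyze(packets):
    """Correlate responses to queries over (src_ip, dst_ip, dst_port, payload) tuples.

    Returns the names each responder answered for, the hosts that received those
    answers, and the responders that answered for more than one distinct name.
    """
    pending = {}                   # (txid, name) -> host that sent the query
    answered = defaultdict(set)    # responder -> names it claimed to own
    victims = defaultdict(set)     # responder -> hosts that received its answers
    for src, dst, dport, payload in packets:
        if dport != LLMNR_PORT:
            continue
        msg = parse_llmnr(payload)
        if not msg["response"]:
            for name in msg["questions"]:
                pending[(msg["id"], name.lower())] = src
            continue
        for name, _addr in msg["answers"]:
            answered[src].add(name.lower())
            asker = pending.get((msg["id"], name.lower()))
            if asker is not None and asker == dst:   # unicast answer to the asker
                victims[src].add(asker)
    return {
        "answered": {ip: sorted(n) for ip, n in answered.items()},
        "victims": {ip: sorted(h) for ip, h in victims.items()},
        "suspects": {ip: sorted(n) for ip, n in answered.items() if len(n) > 1},
    }


# Constructed sample traffic modelled on the challenge (sample uses port 5355 on
# both sides): two hosts mistype a name and the rogue host answers both, while a
# third lookup is answered legitimately by the host that actually owns the name.
SAMPLE_PACKETS = [
    ("192.168.232.162", LLMNR_MCAST, LLMNR_PORT, build_query(0x1A2B, "fileshaare")),
    ("192.168.232.215", "192.168.232.162", LLMNR_PORT,
     build_response(0x1A2B, "fileshaare", "192.168.232.215")),
    ("192.168.232.176", LLMNR_MCAST, LLMNR_PORT, build_query(0x3C4D, "prnter")),
    ("192.168.232.215", "192.168.232.176", LLMNR_PORT,
     build_response(0x3C4D, "prnter", "192.168.232.215")),
    ("192.168.232.10", LLMNR_MCAST, LLMNR_PORT, build_query(0x5E6F, "AccountingPC")),
    ("192.168.232.20", "192.168.232.10", LLMNR_PORT,
     build_response(0x5E6F, "AccountingPC", "192.168.232.20")),
]

if __name__ == "__main__":
    report = analyze(SAMPLE_PACKETS)
    for ip, names in report["suspects"].items():
        print(f"{ip} answered for {names}; hosts that accepted it: {report['victims'][ip]}")
```

The "answers for more than one name" rule is the same reasoning used in Q2 and Q3, just applied to every responder at once; on a real capture the tuples would come from a pcap reader, and a quieter poisoner that only ever answers a single name would still show up in `answered` even though it is not in `suspects`.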

Q4-We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?

To solve this question I filtered the PCAP on the attacker IP and the SMB2 protocol, using this filter:

The username is visible in the NTLMSSP authentication carried inside the SMB2 Session Setup request.

  • THE ANSWER: janesmith
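To show where the username actually sits, here is an added example that is not part of the write-up or of CyberDefenders: it parses the NTLMSSP AUTHENTICATE (Type 3) message that the SMB2 Session Setup request carries in its security blob, reading the domain, user and workstation security buffers laid out in MS-NLMP, and it scans a raw byte stream (such as a followed TCP stream) for every such message. The message bytes are constructed from the builder below; the domain CORP, the workstation WS01 and the dummy NT response are assumptions, and the user name janesmith is taken from the challenge answer. Wireshark exposes the same value as the `ntlmssp.auth.username` field.

```python
"""Locate NTLMSSP AUTHENTICATE messages in a byte stream and pull out the login names."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3            # MessageType of the Type 3 message
NEGOTIATE_UNICODE = 0x00000001   # NegotiateFlags bit: string fields are UTF-16LE
HEADER_LEN = 8 + 4 + 6 * 8 + 4   # signature, type, six field descriptors, flags


def _field(buf, offset):
    """One MS-NLMP field descriptor: Len, MaxLen, BufferOffset (all little-endian)."""
    return struct.pack("<HHI", len(buf), len(buf), offset)


def build_ntlm_authenticate(domain, user, workstation, nt_response):
    """Build a Type 3 message (constructed for the sample; the NT response is dummy bytes)."""
    parts = [b"", nt_response,                       # LM response (empty), NT response
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]   # session key (empty)
    fields, payload, offset = b"", b"", HEADER_LEN
    for part in parts:
        fields += _field(part, offset)
        payload += part
        offset += len(part)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
            + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload)


def parse_ntlm_authenticate(blob):
    """Return the string fields of a Type 3 message starting at blob[0], or None."""
    if blob[:8] != NTLMSSP_SIGNATURE or len(blob) < HEADER_LEN:
        return None
    if struct.unpack("<I", blob[8:12])[0] != NTLM_AUTHENTICATE:
        return None
    names = ["lm_response", "nt_response", "domain", "user", "workstation", "session_key"]
    flags = struct.unpack("<I", blob[60:64])[0]
    out = {}
    for i, key in enumerate(names):
        length, _maxlen, off = struct.unpack("<HHI", blob[12 + 8 * i:20 + 8 * i])
        out[key] = blob[off:off + length]   # offsets are relative to the message start
    encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    for key in ("domain", "user", "workstation"):
        out[key] = out[key].decode(encoding)
    return out


def extract_ntlm_logins(stream):
    """Scan a byte stream for Type 3 messages; returns [(domain, user, workstation), ...]."""
    logins, idx = [], 0
    while True:
        idx = stream.find(NTLMSSP_SIGNATURE, idx)
        if idx == -1:
            return logins
        msg = parse_ntlm_authenticate(stream[idx:])
        if msg is not None:                 # Type 1/2 messages are skipped
            logins.append((msg["domain"], msg["user"], msg["workstation"]))
        idx += len(NTLMSSP_SIGNATURE)


# Constructed sample: a Type 3 message buried between unrelated bytes, the way it
# would sit inside the SMB2 Session Setup exchange of a followed TCP stream.
SAMPLE_STREAM = (b"\xfeSMB\x00garbage"
                 + build_ntlm_authenticate("CORP", "janesmith", "WS01", b"\x11" * 24)
                 + b"\x00trailing")

if __name__ == "__main__":
    for domain, user, workstation in extract_ntlm_logins(SAMPLE_STREAM):
        print(f"{domain}\\{user} authenticated from {workstation}")
```

In a real capture the blob is wrapped in SPNEGO inside the Session Setup request, but the NTLMSSP signature is unchanged, so a signature scan over the stream bytes still finds it; the workstation field names the client that sent the authentication, not the server being accessed.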

Q5-As part of our investigation, we aim to understand the extent of the attacker’s activities. What is the hostname of the machine that the attacker accessed via SMB?

Going to packet 242 and following the TCP stream:

tcp.stream eq 11

From the screenshot above, the hostname of the victim machine is AccountingPC.

  • THE ANSWER : AccountingPC.
