Tag: Network-Forensics | Yw4rf

2025-02-17

Network Forensics of LLMNR/NBT-NS Poisoning Attacks

Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.

CyberDefenders Network-Forensics SOC Wireshark LLMNR-Poisoning NBT-NS-Poisoning Man-in-the-Middle Credential-Theft SMB-Authentication NTLM
2025-02-06

WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration

Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis successfully identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent data exfiltration of the sensitive /etc/passwd file.

CyberDefenders Network-Forensics SOC-Analysis Wireshark Web-Shell File-Upload-Vulnerability Data-Exfiltration Netcat-Reverse-Shell HTTP-POST Geo-Location