Wireshark

Found 4 related articles

  • 2025-03-11
    ApiBase - API Endpoint Enumeration and Privilege Escalation

    Technical writeup detailing the compromise of a DockerLabs API-based system. Methodology includes Nmap scanning, API endpoint enumeration (GET/POST methods), credential brute-forcing via Caido, file transfer (SCP), and PCAP network analysis using Wireshark to extract critical credentials for root access.

    DockerLabs API-Testing Endpoint-Enumeration Brute-Force Wireshark PCAP-Analysis SSH Privilege-Escalation
  • 2025-02-17
    Network Forensics of LLMNR/NBT-NS Poisoning Attacks

    Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.

    CyberDefenders Network-Forensics SOC Wireshark LLMNR-Poisoning NBT-NS-Poisoning Man-in-the-Middle Credential-Theft SMB-Authentication NTLM
  • 2025-02-06
    WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration

    Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent exfiltration of the sensitive /etc/passwd file.

    CyberDefenders Network-Forensics SOC-Analysis Wireshark Web-Shell File-Upload-Vulnerability Data-Exfiltration Netcat-Reverse-Shell HTTP-POST Geo-Location
  • 2025-01-26
    Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking

    Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting the NTLM Challenge/Response components, and cracking the hash with Hashcat to recover the plaintext password, providing full context on the credential theft incident.

    HackTheBox Sherlocks Threat-Hunting SOC Wireshark LLMNR-Poisoning Responder NTLMv2 Hashcat Windows-Forensics