
PoisonedCredentials Lab
Network Forensics Lab
1- First of all, to detect the mistyped query I added the IP to the filter and also looked at the protocol. All our work here is on the LLMNR protocol, so here is the query:



2- After the response to the query, we can easily see that the source IP of the query is definitely the IP of the attacker.


3- The same as the previous question: the query response comes from the second rogue IP.


4- To identify the username I used NetworkMiner; it is simply in the Credentials tab, and here it is:


5- To determine the hostname I started looking in the packets for the user Cybercactus.local. I got this hostname from NetworkMiner, so when I found it I directly followed the TCP stream, and here we go:
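
The check from steps 1 to 3 as an added example (not part of the original write-up): it parses LLMNR (UDP 5355) payloads and lists the hosts that answered a name no real machine owns, which is what a rogue responder does with a mistyped name. The host names, the 192.0.2.x addresses and the `KNOWN_HOSTS` inventory are constructed assumptions, not values from the lab capture.

```python
import struct

def read_name(buf, off, hops=0):
    """Decode a DNS-style name (labels or compression pointer); return (name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0 == 0xC0:                      # compression pointer, bounded to stop loops
            if hops > 5:
                raise ValueError("pointer loop")
            tail, _ = read_name(buf, ((n & 0x3F) << 8) | buf[off + 1], hops + 1)
            return ".".join(filter(None, labels + [tail])).lower(), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def parse_llmnr(payload):
    """Parse the UDP/5355 payload: QR flag, queried name, and any IPv4 (A) answers."""
    txid, flags, qd, an = struct.unpack_from("!HHHH", payload, 0)
    off, name, addrs = 12, "", []
    for _ in range(qd):
        name, off = read_name(payload, off)
        off += 4                                  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(payload, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(map(str, payload[off:off + 4])))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "name": name, "answers": addrs}

def find_poisoned(packets, known_hosts):
    """Responses for a name no inventoried host owns (such as a typo) point at a rogue responder."""
    seen = [(src, dst, parse_llmnr(p)) for src, dst, p in packets]
    return [{"victim": dst, "name": m["name"], "responder": src, "answers": m["answers"]}
            for src, dst, m in seen if m["response"] and m["name"] not in known_hosts]

def build(txid, name, answer_ip=None):
    """Constructed sample message: a query, or a response carrying one A record."""
    msg = struct.pack("!HHHHHH", txid, 0x8000 if answer_ip else 0, 1, 1 if answer_ip else 0, 0, 0)
    msg += bytes([len(name)]) + name.encode() + b"\x00" + struct.pack("!HH", 1, 1)
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(map(int, answer_ip.split(".")))
    return msg

KNOWN_HOSTS = {"fileserver"}                      # assumed inventory of real host names
SAMPLE = [("192.0.2.10", "224.0.0.252", build(0x1A2B, "fileservr")),            # constructed query
          ("192.0.2.66", "192.0.2.10", build(0x1A2B, "fileservr", "192.0.2.66"))]  # constructed reply
```

`find_poisoned(SAMPLE, KNOWN_HOSTS)` returns one record naming the responder and the host that received the answer; feed it `(src, dst, payload)` tuples exported from a capture to apply it to real traffic.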


