Obtain Information
- Forensic Tool: Wireshark
- Traffic Capture File: 2024_part_4.pcap MD5 (4780F5090FBC44BCF58D2B989D569A68)
- Source IP: 192.168.56.1
- Destination IP: 192.168.56.101
- First Packet Timestamp: 2014-01-15 01:37:24
- Last Packet Timestamp: 2014-01-15 01:38:23
- Elapsed Time: 00:00:59
Sources of Evidence

Network Intrusion Analysis
Based on the captured network packets, the client (192.168.56.1) attempts to log into the FTP server (192.168.56.101) multiple times. By analyzing the FTP protocol commands, such as USER and PASS, along with the server’s responses, it is observed that the client attempted to log in 30 times with different passwords (e.g., “1” and “2”), and all attempts failed.
This behavior is consistent with a password enumeration attack, where the client repeatedly tries different passwords until the login is successful or the attack is aborted.
Key Evidence Analysis
- Packet Capture:
  - In the FTP session, the client sends a USER command to provide a username, followed by a PASS command to send the password. The server's responses (e.g., 331 code asking for a password, 530 code indicating a failed login) reveal multiple login attempts by the client.
- Traffic Flow Analysis:
  - Through the Wireshark capture, we observe all interactions between the client and the server, including login requests, server responses, failed login attempts, and subsequent QUIT commands to close the connection.
- Repeated Login Attempts:
  - The client repeatedly sends USER and PASS commands with different passwords. The server responds with 530 Login incorrect each time, indicating that the login attempts were unsuccessful.
- Traffic Analysis Result:
  - After 30 password attempts, the client ceases its login attempts. Key packets include:
6 0.006512 192.168.56.1 192.168.56.101 FTP 76 Request: USER bro
8 0.009093 192.168.56.101 192.168.56.1 FTP 98 Response: 331 Password required for bro.
10 0.009567 192.168.56.1 192.168.56.101 FTP 74 Request: PASS 1
12 2.371080 192.168.56.101 192.168.56.1 FTP 88 Response: 530 Login incorrect.
14 2.371558 192.168.56.1 192.168.56.101 FTP 72 Request: QUIT
16 2.371849 192.168.56.101 192.168.56.1 FTP 80 Response: 221 Goodbye.
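The following script is an added worked example (it is not part of the original report) showing how the USER/PASS/530 pattern described above can be counted automatically instead of by hand. It assumes a plain-text packet list in the same one-line-per-packet layout as the key packets quoted above (No. Time Source Destination Protocol Length Info); the regular expression, the brute-force thresholds (10 failures within 300 seconds) and the constructed_capture() helper that fabricates a sample capture with synthetic packet numbers and timings are all assumptions of this example, not data from 2024_part_4.pcap.

```python
"""Count FTP login attempts per client from a packet-list text export (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One packet per line, in the layout of the key packets quoted in the report:
# No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+FTP\s+\d+\s+(?P<kind>Request|Response):\s+(?P<info>.*)$"
)


@dataclass
class ClientStats:
    users: Set[str] = field(default_factory=set)
    passwords: List[str] = field(default_factory=list)
    failed: int = 0                    # PASS answered with 530
    succeeded: int = 0                 # PASS answered with 230
    first_seen: Optional[float] = None
    last_seen: Optional[float] = None


def parse_ftp_summary(text: str) -> Dict[str, ClientStats]:
    """Walk the packet list once, pairing each PASS with the server's verdict."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    pending: Dict[str, str] = {}   # client -> password awaiting a 530/230 reply
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # non-FTP or malformed line
        t = float(m["time"])
        # The client is the source of a request and the destination of a response.
        client = m["src"] if m["kind"] == "Request" else m["dst"]
        s = stats[client]
        s.first_seen = t if s.first_seen is None else s.first_seen
        s.last_seen = t
        if m["kind"] == "Request":
            verb, _, arg = m["info"].partition(" ")
            if verb == "USER":
                s.users.add(arg)
            elif verb == "PASS":
                s.passwords.append(arg)
                pending[client] = arg
        elif client in pending:
            code = m["info"].split(" ", 1)[0]
            if code == "530":
                s.failed += 1
                del pending[client]
            elif code == "230":
                s.succeeded += 1
                del pending[client]
    return dict(stats)


def flag_brute_force(stats, min_failures=10, max_seconds=300):
    """Clients with at least min_failures rejected PASS commands inside the window."""
    hits = {}
    for client, s in stats.items():
        span = (s.last_seen or 0.0) - (s.first_seen or 0.0)
        if s.failed >= min_failures and span <= max_seconds:
            hits[client] = {"users": sorted(s.users), "failed": s.failed,
                            "succeeded": s.succeeded,
                            "distinct_passwords": len(set(s.passwords)),
                            "seconds": round(span, 3)}
    return hits


def constructed_capture(passwords, client="192.168.56.1", server="192.168.56.101",
                        user="bro", last_succeeds=False):
    """Constructed sample: one USER/PASS/QUIT session per password, with
    synthetic packet numbers and timings (not the real 2024_part_4.pcap)."""
    lines, no, t = [], 6, 0.0
    for i, pw in enumerate(passwords):
        ok = last_succeeds and i == len(passwords) - 1
        verdict = "230 User logged in." if ok else "530 Login incorrect."
        for src, dst, info in (
            (client, server, f"Request: USER {user}"),
            (server, client, f"Response: 331 Password required for {user}."),
            (client, server, f"Request: PASS {pw}"),
            (server, client, f"Response: {verdict}"),
            (client, server, "Request: QUIT"),
            (server, client, "Response: 221 Goodbye."),
        ):
            lines.append(f"{no} {t:.6f} {src} {dst} FTP 80 {info}")
            no += 2
            t += 0.33
    return "\n".join(lines)


if __name__ == "__main__":
    capture = constructed_capture([str(n) for n in range(1, 31)])  # 30 guesses
    for ip, hit in flag_brute_force(parse_ftp_summary(capture)).items():
        print(ip, hit)
```

Pairing each PASS with the next 530 or 230 reply to the same client, rather than simply counting PASS commands, keeps a successful login (230) distinguishable from the rejected guesses, so the same summary also answers whether the enumeration eventually succeeded.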
Result
Conclusion:
- The client with IP address 192.168.56.1 attempted to log in to the FTP server at 192.168.56.101, performing multiple password enumeration attempts over a duration of 1 minute (from 2014-01-15 01:37:24 to 2014-01-15 01:38:23).
- Each attempt involved sending different passwords, with all login attempts being unsuccessful. This indicates an FTP password enumeration brute force attack.
- The attack lasted for 59 seconds, during which the attacker tried a total of 30 different passwords, and all attempts were rejected by the FTP server.
- This type of activity is typical of an attacker attempting to gain unauthorized access by systematically testing a range of passwords, exploiting weak authentication mechanisms.
This report highlights potential security threats on the network and provides practical recommendations to enhance network security and protect against unauthorized access attempts.