Lab 36 Flashcards
List any external IP addresses you find.
Filter used:
!(ip.src == 10.0.0.0/8 || ip.src == 172.16.0.0/12 || ip.src == 192.168.0.0/16)
Explanation:
This filter excludes internal (private) IP addresses:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
It displays only external (public) IP addresses in the traffic.
External IP found:
75.30.5.55
75.30.5.55
Display and Document the IPv4 Address
Filter/Command used:
ipconfig
Explanation:
This command retrieves the network configuration details of the system, including the IPv4 address, subnet mask, and default gateway.
Findings:
IPv4 Address: 10.10.1.5
Subnet Mask: 255.255.255.0
Default Gateway: 10.10.1.1
Action: Record these values for reference.
10.10.1.5
Display Active Connections
Filter/Command used:
netstat -ano
Explanation:
This command lists all active network connections and listening ports.
Foreign Address (unusual): 75.30.5.55:1337
associated port #: 1337
State: ESTABLISHED
PID: 6668
1337
Check for Unauthorized Accounts
Filter/Command used:
net user
Explanation:
This command lists all user accounts on the system, allowing identification of unauthorized or anomalous accounts.
Look for:
Accounts not following the organization’s naming convention.
Unexpected admin accounts.
Accounts created at unusual times.
Findings:
Accounts Found:
Adm1nistrator (admin)
Administrator (admin)
DefaultAccount (guest)
WDAGUtilityAccount (guest)
Adm1nistrator
List Running Processes and Investigate Services
Filter/Command used:
To list running processes: tasklist
To list services: net start
Explanation:
List Running Processes:
The tasklist command displays all active processes with their names, PIDs, and memory usage.
Analyze the list for:
Unknown or suspicious process names (e.g., random strings, unfamiliar applications).
Processes consuming unusually high resources.
Processes tied to the external IP address from #2 (75.30.5.55:1337, PID 6668).
Odd characteristics in process names (e.g., obfuscation like “0” instead of “o”).
Suspicious Process: WinT0Ols.exe
Session Type: Console session.
Memory Usage: 24,168 K.
Unusual Name Format: uses "0" instead of "o".
WinT0Ols
On which packet number does the attack start?
28
62
75
103
28
What protocol is being used in the attack?
HTTP x
SSHv2
ICMP
TCP
TCP
Retrieve the Security Onion VM’s IP Address
Filter/Command used:
To retrieve the primary IP address of the ens32 interface:
ip a | grep ens32
Explanation:
The ip a command lists all network interfaces and their IP addresses.
The grep ens32 filter extracts only the lines related to the ens32 interface.
Steps:
Run ip a | grep ens32 in the terminal.
Findings:
Primary IP Address of ens32: 10.10.1.55
Subnet Mask: /24 (255.255.255.0)
10.10.1.55
What type of encryption is being used on the compromised data?
RSA x
AES
None
SFTP
None
Which of the following, based on the exploit, is the malware type? Select the correct answer.
Worm
Rootkit
Trojan
Spyware
Spyware
Locate the Process Using Task Manager (GUI Method)
Steps:
Log in to the Windows machine (10.10.1.5).
Open Task Manager:
Right-click the taskbar and select Task Manager.
Navigate to the Details tab.
Find the suspicious process WinT0Ols.exe
Right-click the process and select Open File Location.
Findings:
C:\Users\admin\Downloads\dist
C:\Users\admin\Downloads\dist
Which of the following were compromised? (Check all that apply)
Credit card numbers
Customer names
Social security numbers
Customer addresses
Customer names
Social security numbers
Customer addresses
Which of the following is the data classification that is being exfiltrated? Select the correct answer.
PII, PHI, PCI
PII
PCI
PHI
PII
Disable / end the malicious application running on the Windows Server.
Open Command Prompt
Disable the account using the command:
net user Adm1nistrator /active:no
Verify with: net user Adm1nistrator
Confirm that the output shows the account as not active.
Open Task Manager:
Right-click the taskbar and select Task Manager.
Navigate to the Details tab.
Find the malicious process WinT0Ols.exe
Right-click the process and select End Task.
Which of the following is the Windows application that can be used to determine if the exploit resurfaces? Select the correct answer.
Microsoft Antivirus Toolkit
Task Scheduler
Task Manager
Explorer
Task Manager