Arson Writeup by Moustafa Ahmed
Arabic | English
Written By: Moustafa Ahmed Ismail AKA Volk
In the name of God, the Most Gracious, the Most Merciful
Introduction
The difficulty of this lab is Medium. The idea of the lab is to analyze the Wireshark capture to extract the PowerShell script, then analyze the PowerShell script so that you can decrypt the data that is being sent to the attacker. This means we should be able to see the data that is sent to the attacker in Wireshark.

I followed the TCP stream of the POST request, which is marked in yellow on the image, and I did see the data that is sent to the attacker, but it's encrypted.
$key = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="   # base64-encoded key used for the exfiltrated data
$ip = "192.168.1.11"        # attacker's listener address
$port = "7788"              # attacker's listener port
$implant_name = "razer"     # name the implant identifies itself with
$sleep_time = 5             # delay used by the implant between runs
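As an added example that is not part of the writeup, the Python below reproduces the triage step described above on a constructed sample: it parses the POST request the way Follow TCP Stream displays it, base64-decodes the body, and uses byte entropy and the printable-character ratio to confirm that the body is encrypted rather than plain text; it also decodes the `$key` string from the script to report its size. Only the key string and the IP/port come from the recovered script; the request path `/razer`, the headers and the body bytes are assumptions built for this example, not the lab's real traffic.

```python
import base64
import math

# Key string exactly as it appears in the recovered script (from the writeup).
KEY_B64 = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="

# Constructed sample body: 32 bytes of non-text data, base64-encoded the way
# an implant would send it. This is NOT the lab's real traffic.
SAMPLE_BODY = base64.b64encode(bytes(range(0, 256, 8))).decode()

# Constructed reconstruction of what "Follow TCP Stream" shows for the POST.
# The path "/razer" is an assumption taken from $implant_name; host and port
# mirror $ip and $port in the script.
SAMPLE_STREAM = (
    "POST /razer HTTP/1.1\r\n"
    "Host: 192.168.1.11:7788\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n"
    f"{SAMPLE_BODY}"
)


def parse_http_request(stream: str) -> dict:
    """Split one HTTP request (as shown by Follow TCP Stream) into its parts."""
    head, _, body = stream.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted data approaches the maximum,
    which is 8.0 for long inputs and log2(len) for short samples."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; plaintext is usually near 1.0."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def triage_post_body(stream: str) -> dict:
    """Decode the POST body and report indicators that it is encrypted, not plain text."""
    req = parse_http_request(stream)
    raw = base64.b64decode(req["body"])
    entropy = shannon_entropy(raw)
    ratio = printable_ratio(raw)
    # Heuristic: base64 wrapping high-entropy, mostly non-printable bytes is not plaintext.
    max_entropy = math.log2(max(len(raw), 2))
    return {
        "path": req["path"],
        "host": req["headers"].get("host"),
        "decoded_len": len(raw),
        "entropy": round(entropy, 3),
        "printable_ratio": round(ratio, 3),
        "looks_encrypted": ratio < 0.9 and entropy > 0.8 * max_entropy,
    }


def key_size_bits(key_b64: str) -> int:
    """Decode the script's base64 key and return its length in bits (32 bytes -> 256)."""
    return len(base64.b64decode(key_b64)) * 8


if __name__ == "__main__":
    print("key size:", key_size_bits(KEY_B64), "bits")
    print(triage_post_body(SAMPLE_STREAM))
```

The key decodes to 32 bytes (256 bits), which is the size a 256-bit symmetric cipher key would have; the script itself, not the key length, is what tells you which algorithm and mode the implant actually uses, so recover that before attempting decryption.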
The script will run, but after you finish, if you do not intend to run PowerShell scripts again, it is better to return to the previous setting to be more secure, so you run the following in the console:
Set-ExecutionPolicy Restricted
Introduction
The difficulty of this lab is medium.
The idea of the lab is that you analyze the Wireshark file, extract the PowerShell file from it, analyze the PowerShell file, and from it learn how the hacker compromised the victim, how he was stealing data from them, and how to decrypt that data.
How to solve the lab
I assumed that the victim might have downloaded the PowerShell script through an HTTP link, so I tried applying an HTTP filter in Wireshark.
$key = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="
$ip = "192.168.1.11"
$port = "7788"
$implant_name = "razer"
$sleep_time = 5