PoisonedCredentials Lab
CyberDefenders Network Forensics Lab
Scenario
Your organization’s security team has detected a surge in suspicious network activity. There are concerns that LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning attacks may be occurring within your network. These attacks are known for exploiting these protocols to intercept network traffic and potentially compromise user credentials. Your task is to investigate the network logs and examine captured network traffic.
Question 1
In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?
Answer 1
With the information provided, I set out to look for a query using the NBNS protocol. Packet number 47 provided the answer, “FILESHAARE”.
Question 2
We are investigating a network security incident. To conduct a thorough investigation, We need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?
Answer 2
Since we are looking for poisoning attacks using LLMNR and NBT-NS, I chose to look closer around packet 47 for some sort of interception request. A request comes in pretty quickly from the rogue machine, at packet 51. 192.168.232.215.
Question 3
As part of our investigation, identifying all affected machines is essential. What is the IP address of the second machine that received poisoned responses from the rogue machine?
Answer 3
Filtering the responses from the rogue machine, you can clearly see it interact with another machine, 192.168.232.176.
Question 4
We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?
Answer 4
Using a search command, ntlmssp.auth.username, you are able to find any authentication requests. Resulting in Jane Smith’s account being revealed.
Question 5
As part of our investigation, we aim to understand the extent of the attacker’s activities. What is the hostname of the machine that the attacker accessed via SMB?
Answer 5
Filtering the packets to show SMB/SMB2 protocols and making sure their source was the attackers IP address. It simple to find a session setup request and the name of the PC they were attempting to access.
Last updated