Lab overview
Instructions:
- Uncompress the lab (pass: cyberdefenders.org)
Scenario:
Your organization's security team has detected a surge in suspicious network activity. There are concerns that LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) poisoning attacks may be occurring within your network. These attacks are known for exploiting these protocols to intercept network traffic and potentially compromise user credentials. Your task is to investigate the network logs and examine captured network traffic.
Tools:
- Wireshark
Lab download link
https://cyberdefenders.org/blueteam-ctf-challenges/poisonedcredentials/
Questions
Q1
In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?
The scenario says LLMNR and NBT-NS poisoning is suspected, and the question gives the address of the querying machine, 192.168.232.162. A mistyped host name is exactly what a poisoner needs: DNS cannot resolve it, the client falls back to LLMNR/NBT-NS, and any host on the segment can answer.
Display filter: ip.addr == 192.168.232.162 and llmnr
The packets show an LLMNR query from this host for fileshaare. The intended name was evidently fileshare, so this typo is the query the attacker abused.
Answer: fileshaare
Q2
We are investigating a network security incident. For a thorough investigation, we need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?
In the packets from Q1, the LLMNR response to the mistyped query came from 192.168.232.215. A host that answers another machine's LLMNR query for a name that is not its own (let alone a name that does not exist) is the rogue machine, so the attacker's address is 192.168.232.215.
Answer: 192.168.232.215
Q3
During our investigation, it's crucial to identify all affected machines. What is the IP address of the second machine that received poisoned responses from the rogue machine?
Filter for traffic sent by the rogue host to see which machines it answered: ip.src == 192.168.232.215 (add "and (llmnr or nbns)" to keep only the poisoned name responses). 192.168.232.162 is the first victim from Q1; the second machine that received a poisoned response is 192.168.232.176.
Answer: 192.168.232.176
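The triage behind Q1 to Q3 (find the unresolved query, identify who answered it, list every host that received such an answer) can be automated instead of eyeballing the packet list. The following is an added example, not code from the lab or from this write-up: a minimal LLMNR parser (LLMNR reuses the DNS wire format on UDP 5355, queries go to 224.0.0.252) plus a rule that flags any source answering for more than one distinct name, which a legitimate host never does. The packets are constructed inline using the addresses from the questions; 192.168.232.150 is a hypothetical benign host added to show the non-poisoned case. NBT-NS (UDP 137) uses a different, NetBIOS-encoded name format and is not parsed here.

```python
"""
LLMNR poisoning triage over constructed packets.

LLMNR (RFC 4795) reuses the DNS message format on UDP port 5355, with
queries sent to the multicast address 224.0.0.252. Nothing on a healthy
segment answers LLMNR queries for names that are not its own; a poisoner
(Responder-style) answers every name it sees with its own address. The
triage below pairs each answer with the query it claims to satisfy
(same transaction ID and name) and flags any source that answers for more
than one distinct name. All packets are constructed for this example.
"""
import struct
from collections import defaultdict

LLMNR_MCAST = "224.0.0.252"


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(data: bytes, off: int):
    """Read a wire-format name at `off`, following compression pointers (0xC0xx)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:              # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(txid: int, name: str) -> bytes:
    """LLMNR A query: header with QR=0, one question, no records."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, ip: str) -> bytes:
    """LLMNR answer (QR=1) mapping `name` to `ip` with one A record (TTL 30)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata   # name = pointer to offset 12
    return hdr + question + answer


def parse_llmnr(payload: bytes) -> dict:
    """Parse the header, the question and any A-record answers of an LLMNR message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    name, off = decode_name(payload, 12)
    off += 4                                    # skip qtype and qclass
    rec = {"txid": txid, "is_response": bool(flags & 0x8000), "name": name, "answers": []}
    for _ in range(an):
        _, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            rec["answers"].append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return rec


def triage(packets):
    """
    packets: iterable of (src_ip, dst_ip, llmnr_payload).
    Returns (rogue_ips, victims_by_responder, names_by_responder).
    """
    pending = {}                                # (txid, name) -> querying host
    victims = defaultdict(set)
    names = defaultdict(set)
    for src, dst, payload in packets:
        rec = parse_llmnr(payload)
        key = (rec["txid"], rec["name"].lower())
        if not rec["is_response"]:
            pending[key] = src
        elif key in pending and dst == pending[key]:   # answer actually reached the querier
            victims[src].add(dst)
            names[src].add(rec["name"].lower())
    # A legitimate host answers only for its own name; answering for several names is poisoning.
    rogue = sorted(ip for ip, n in names.items() if len(n) > 1)
    return rogue, dict(victims), dict(names)


# Constructed traffic using the addresses named in the questions; 192.168.232.150 is a
# hypothetical legitimate host added to show the benign case.
SAMPLE_PACKETS = [
    ("192.168.232.162", LLMNR_MCAST, build_query(0x1A2B, "fileshaare")),      # typo for "fileshare"
    ("192.168.232.215", "192.168.232.162", build_response(0x1A2B, "fileshaare", "192.168.232.215")),
    ("192.168.232.176", LLMNR_MCAST, build_query(0x3C4D, "printsrv")),
    ("192.168.232.215", "192.168.232.176", build_response(0x3C4D, "printsrv", "192.168.232.215")),
    ("192.168.232.162", LLMNR_MCAST, build_query(0x5E6F, "accountingpc")),
    ("192.168.232.150", "192.168.232.162", build_response(0x5E6F, "accountingpc", "192.168.232.150")),
]

if __name__ == "__main__":
    rogue, victims, names = triage(SAMPLE_PACKETS)
    for ip in rogue:
        print(f"rogue responder {ip}: answered {sorted(names[ip])} for victims {sorted(victims[ip])}")
```

To run this against a real capture, feed triage() the (src, dst, UDP payload) triples of every UDP/5355 packet, e.g. exported from tshark; the pairing on transaction ID plus name is what keeps a benign host that answers only for its own name out of the rogue list.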
Q4
We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?
Filter for SMB2 traffic sent by the rogue host to find the account it used when it authenticated to the file share: ip.src == 192.168.232.215 and smb2. The Session Setup Request that carries the NTLMSSP_AUTH message contains the user name (together with the domain and the attacker's workstation name) in clear text.
Answer: janesmith
Q5
As part of our investigation, we aim to understand the extent of the attacker's activities. What is the hostname of the machine that the attacker accessed via SMB?
The same SMB2 session setup exchange found in Q4 identifies the computer the attacker logged into: the server's NTLMSSP_CHALLENGE message carries its NetBIOS computer name in the target info, and the Tree Connect request that follows names the share's host.
Answer: ACCOUNTINGPC
All translations in this article come from NetEase Youdao (some words are translated inaccurately; readers who are good at English can translate for themselves). Pointers from experts are warmly welcome!
Originally published on the WeChat official account 网络安全学习爱好者 (Cyber Security Learning Enthusiasts): cyberdefenders---PsExec Hunt Blue Team Lab