How to spot rootkit in wireshark

  • retag add tags

So there's a rootkit installed on machine 192.168.119 and we have to answer this:

Knowning that port 80 is used by default to do HTTP requests, show that this protocol has been used to send non-sens information linked to passwords from machine 192.168.1.119 to a distant server.

So i checked all the HTTP protocols in the photo below and i have no clue about what it looks like.

We got a tips that to answer this question we need to know what a passwd file look like but it still doesn't help me at all.

Any tips on what to look at in the packets to spot something related to a password ? thank you.

https://imgur.com/pmuxQU5

danypep's avatar
1
danypep
asked 2020-09-26 17:07:09 +0000, updated 2020-09-26 17:07:52 +0000
edit flag offensive 0 remove flag close merge delete

Comments

The description of a passwd file, which holds the encrypted hashes of account passwords on Linux and BSD (and possibly other OS's) machines can be found here.

You can maybe try using "Follow -> HTTP Stream" to see the HTTP payloads, but the required information may not be there, it could be transported in other parts of the HTTP protocol.

grahamb's avatar grahamb (2020-09-26 20:06:27 +0000) edit
more
  • delete
add a comment see more comments