LinuxQuestions.org > Linux - Security > Wireshark Question (https://www.linuxquestions.org/questions/linux-security-4/wireshark-question-4175692637/)

mb1994 03-25-2021 10:42 AM

Wireshark Question
 
Good morning all,

I was wondering if anyone may be able to provide me with some assistance in Wireshark. I believe my host was a victim of an EK attack. I used Wireshark and was able to locate the payload (using Export Objects -> HTTPS). I confirmed my suspicions by using VirusTotal and had 21 / 60 engines detect. Now that I have located the payload... how can I locate the URL of the compromised website? When I highlight the payload packet in Wireshark, I can see that there is a host name (the website that downloaded the payload) and a referer website. Is the referer website the compromised website that acted as the landing page? I have included a screenshot of my Wireshark which shows the referer and host name of the payload.

Thanks in advance!
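The question above is really about walking the HTTP Referer headers backward from the payload download: the Host of the payload request is the server that delivered the file, its Referer is the page that triggered the download (typically the exploit kit gate or landing page), and that page's own Referer leads further back toward the site the user actually visited. The script below is an added example, not code from the thread, that does that walk over a constructed list of HTTP requests in the shape Wireshark's `http.request` view shows (frame number, Host, request URI, Referer). All hostnames and paths in it are made up. The field names `http.host`, `http.request.uri` and `http.referer` are real Wireshark display-filter fields; how you feed such rows into the script from a capture is up to you. Because Referer is supplied by the client and can be missing (no-referrer policies, HTTPS-to-HTTP transitions) or set arbitrarily by attacker-controlled script, treat the reconstructed chain as a lead to verify against timestamps and DNS, not as proof.

```python
"""Reconstruct the chain of pages leading to a payload download by following
HTTP Referer headers backward. Added example; the request records below are
constructed sample data, not real capture output."""
from urllib.parse import urlsplit

# Constructed sample rows, as produced by e.g.
#   tshark -r capture.pcap -Y http.request -T fields \
#          -e frame.number -e http.host -e http.request.uri -e http.referer
# Tuple layout: (frame number, Host header, request URI, Referer header or None)
SAMPLE_REQUESTS = [
    (12, "www.example-blog.test", "/index.html", None),
    (27, "www.example-blog.test", "/js/widget.js", "http://www.example-blog.test/index.html"),
    (41, "ads.landing.test", "/gate.php?id=7", "http://www.example-blog.test/index.html"),
    (58, "cdn.payload.test", "/update/flash.exe", "http://ads.landing.test/gate.php?id=7"),
    (63, "www.unrelated.test", "/favicon.ico", None),
    # Referer pointing at a page that never appears as a plain-HTTP request
    # (e.g. it was served over TLS), to show the "dead end" case.
    (70, "evil.test", "/x.bin", "https://secure.portal.test/login"),
]


def request_url(host, uri, scheme="http"):
    """Rebuild the absolute URL of a request from its Host and URI."""
    return f"{scheme}://{host}{uri}"


def normalize(url):
    """Key used to match a Referer against a request: host (lowercase),
    path and query. The scheme is ignored on purpose, since the Referer may
    carry https while the capture only shows the plaintext request."""
    p = urlsplit(url)
    return ((p.hostname or "").lower(), p.path or "/", p.query)


def referer_chain(requests, payload_frame):
    """Return URLs from the earliest page in the chain down to the payload
    request, i.e. [landing/compromised page, ..., gate, payload URL].

    Starting at the payload request, each step looks for an earlier request
    whose URL equals the current Referer and continues from there. If the
    Referer names a URL that was never requested in the capture, that URL is
    recorded as the chain head and the walk stops."""
    by_frame = {r[0]: r for r in requests}
    frame, host, uri, ref = by_frame[payload_frame]
    chain = [request_url(host, uri)]
    seen = {payload_frame}
    while ref:
        target = normalize(ref)
        candidates = [r for r in requests
                      if r[0] < frame and r[0] not in seen
                      and normalize(request_url(r[1], r[2])) == target]
        if not candidates:
            chain.append(ref)   # dead end: referring page not in the capture
            break
        # Prefer the most recent matching request before the current frame.
        frame, host, uri, ref = max(candidates, key=lambda r: r[0])
        seen.add(frame)
        chain.append(request_url(host, uri))
    chain.reverse()
    return chain


if __name__ == "__main__":
    for step, url in enumerate(referer_chain(SAMPLE_REQUESTS, 58)):
        print(f"{step}: {url}")
```

In the constructed data the payload in frame 58 resolves to the chain index.html -> gate.php -> flash.exe, so the Referer of the payload request is the gate, and the gate's Referer is the page the user originally loaded; on a real capture, the first URL of the chain is the one to treat as the suspected compromised site and to corroborate with DNS answers and TCP stream timing.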

Gad 03-26-2021 03:06 PM

I am no expert on Wireshark but I presume you could compare the IP address with the website against the "compromised" website. As far as getting the URL is concerned, some DNS tools might be able to help you out. You will probably have to do some digging.
