{"id":1979,"date":"2021-08-20T13:44:25","date_gmt":"2021-08-20T11:44:25","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1979"},"modified":"2021-09-19T11:05:58","modified_gmt":"2021-09-19T09:05:58","slug":"btlo-network-analysis-web-shell","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/btlo-network-analysis-web-shell\/","title":{"rendered":"BTLO &#8211; Network Analysis &#8211; Web Shell"},"content":{"rendered":"<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:35px\"><strong>Scenario : <\/strong><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>The <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/security-awareness\/operations\/what-is-soc.html\" target=\"_blank\" rel=\"noreferrer noopener\">SOC<\/a> received an alert in their SIEM for \u2018Local to Local Port Scanning\u2019 where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? 
You have been provided a <a href=\"https:\/\/mikadmin.fr\/blog\/category\/network\/\" target=\"_blank\" rel=\"noreferrer noopener\">PCAP<\/a>, investigate using any tools you wish.<\/p><\/blockquote>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"272\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/laptopimage-300x272.png\" alt=\"\" class=\"wp-image-1992\"\/><\/figure><\/div>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">For this challenge we will mainly use <strong><span style=\"color:#00d084\" class=\"tadv-color\">Wireshark<\/span><\/strong> and <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">tshark<\/span><\/strong>.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:35px\"><strong>Challenge Submission :<\/strong><\/p>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the IP responsible for conducting the port scan activity?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To find the IP responsible for the port scan we can, for example, look for packets with the SYN flag set and the ACK flag clear, i.e. the first packet of a TCP handshake, which is what a TCP SYN scan (nmap -sS) sends to every probed port. Ordinary clients also send a lone SYN to open a connection, so what identifies the scanner is one source sending SYNs to many different destination ports of the same host in a short time. This <strong><span style=\"color:#00d084\" class=\"tadv-color\">Wireshark<\/span><\/strong> display filter keeps only those packets:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-cpp\">tcp.flags.syn==1 and tcp.flags.ack==0<\/code><\/pre>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">This gives us the source IP address responsible:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"751\" height=\"221\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image.png\" alt=\"network\" class=\"wp-image-1998\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image.png 751w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-300x88.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-150x44.png 150w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"83\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-1.png\" alt=\"\" class=\"wp-image-1999\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-1.png 604w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-1-300x41.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-1-150x21.png 150w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the port range scanned by the suspicious host?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">With the same filter applied, Statistics &gt; Conversations (TCP tab) lists one conversation per probed port; sorting on the destination port gives the lowest and highest port of the range:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"625\" height=\"228\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-2.png\" alt=\"\" class=\"wp-image-2008\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-2.png 625w, 
https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-2-300x109.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-2-150x55.png 150w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"488\" height=\"538\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-3.png\" alt=\"\" class=\"wp-image-2010\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-3.png 488w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-3-272x300.png 272w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-3-136x150.png 136w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"524\" height=\"94\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-4.png\" alt=\"\" class=\"wp-image-2011\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-4.png 524w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-4-300x54.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-4-150x27.png 150w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the type of port scan conducted?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">We already answered this in the first question: it is a <a href=\"https:\/\/nmap.org\/book\/synscan.html\" target=\"_blank\" rel=\"noreferrer noopener\">TCP SYN<\/a> scan. The tell-tale sign of this half-open scan, as opposed to a full connect scan (nmap -sT), is that the scanner never completes the handshake: when a port answers with SYN\/ACK, the scanner replies with a RST instead of an ACK.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"425\" height=\"102\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-5.png\" alt=\"\" class=\"wp-image-2019\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-5.png 425w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-5-300x72.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-5-150x36.png 150w\" sizes=\"auto, (max-width: 425px) 100vw, 425px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">Two more tools were used to perform reconnaissance against open ports, what were they?&nbsp;<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">For this one we can use <strong> <span style=\"color:#cf2e2e\" class=\"tadv-color\">tshark<\/span><\/strong> to list and count the <strong>User-Agent<\/strong> values seen in the HTTP requests of the reconnaissance phase; most scanning tools name themselves in this header unless the operator changes it:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\">tshark -Y &#039;http contains &quot;User-Agent:&quot;&#039; -T fields -e http.user_agent -r BTLOPortScan.pcap | sort | uniq -c | sort -nr<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"142\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-7.png\" alt=\"\" class=\"wp-image-2021\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-7.png 606w, 
https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-7-300x70.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-7-150x35.png 150w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"99\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-6.png\" alt=\"\" class=\"wp-image-2020\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-6.png 816w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-6-300x36.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-6-150x18.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-6-768x93.png 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the name of the php file through which the attacker uploaded a web shell?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To find this file we can use the following <strong><span style=\"color:#00d084\" class=\"tadv-color\">Wireshark<\/span><\/strong> filter, which keeps only the <strong>POST<\/strong> requests sent by the malicious IP <strong>10.251.96.4<\/strong>; the request URI of the upload is the PHP file we are after:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-csharp\">ip.src == 10.251.96.4 &amp;&amp; http.request.method == POST<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"786\" height=\"561\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-8.png\" alt=\"\" class=\"wp-image-2027\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-8.png 786w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-8-300x214.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-8-150x107.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-8-768x548.png 768w\" sizes=\"auto, (max-width: 786px) 100vw, 786px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"745\" height=\"118\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-9.png\" alt=\"\" class=\"wp-image-2028\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-9.png 745w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-9-300x48.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-9-150x24.png 150w\" sizes=\"auto, (max-width: 745px) 100vw, 745px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the name of the web shell that the attacker uploaded?&nbsp;<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To find the name of the uploaded file, keep the same filter and look at the <strong>MIME<\/strong> multipart part of the POST body: the filename is in the Content-Disposition header of the form-data part that carries the file:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"130\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-10.png\" 
alt=\"\" class=\"wp-image-2030\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-10.png 962w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-10-300x41.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-10-150x20.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-10-768x104.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"590\" height=\"101\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-11.png\" alt=\"\" class=\"wp-image-2031\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-11.png 590w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-11-300x51.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-11-150x26.png 150w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the parameter used in the web shell for executing commands?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To identify the parameter used to execute commands we can list every HTTP packet that mentions the uploaded shell with this <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">tshark<\/span><\/strong> command; the parameter appears in the query string of the requests to dbfunctions.php:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\">tshark -Y &#039;http contains &quot;dbfunctions.php&quot;&#039; -r BTLOPortScan.pcap | sort | uniq -c | sort -nr<\/code><\/pre>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"184\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12-1024x184.png\" alt=\"\" class=\"wp-image-2032\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12-1024x184.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12-300x54.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12-150x27.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12-768x138.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-12.png 1088w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"656\" height=\"101\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-13.png\" alt=\"\" class=\"wp-image-2033\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-13.png 656w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-13-300x46.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-13-150x23.png 150w\" sizes=\"auto, (max-width: 656px) 100vw, 656px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the first command executed by the attacker?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To put the requests in chronological order and find the first command executed we print each request URI with its timestamp. frame.time_relative is the time since the first frame of the capture, so sorting on it keeps capture order; frame.time_delta, by contrast, is only the gap since the previous frame and cannot be used for ordering:<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\">tshark -Y &#039;http contains &quot;dbfunctions.php&quot;&#039; -T fields -e frame.time_relative -e http.request.uri -r BTLOPortScan.pcap | sort -n<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"606\" height=\"180\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-14.png\" alt=\"\" class=\"wp-image-2034\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-14.png 606w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-14-300x89.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-14-150x45.png 150w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"503\" height=\"85\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-15.png\" alt=\"\" class=\"wp-image-2035\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-15.png 503w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-15-300x51.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-15-150x25.png 150w\" sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the type of shell connection the attacker obtains through command execution?<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">As we can see from the previous question, the command executed through the web shell opens a <a 
href=\"https:\/\/www.netsparker.com\/blog\/web-security\/understanding-reverse-shells\/\" target=\"_blank\" rel=\"noreferrer noopener\">reverse shell<\/a>: the victim connects back to the attacker, so the connection is initiated by the web server towards the attacking host:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"82\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17-1024x82.png\" alt=\"\" class=\"wp-image-2037\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17-1024x82.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17-300x24.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17-150x12.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17-768x62.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-17.png 1105w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"106\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-16.png\" alt=\"\" class=\"wp-image-2036\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-16.png 790w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-16-300x40.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-16-150x20.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-16-768x103.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<blockquote class=\"wp-block-quote has-text-align-left is-layout-flow wp-block-quote-is-layout-flow\"><p><strong><span style=\"color:#0693e3\" class=\"tadv-color\">What is the port he uses for the shell connection?&nbsp;<\/span><\/strong><\/p><\/blockquote>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">The port and the IP are both present in the reverse shell command itself; a quick cross-check is to filter on tcp.port for that value and confirm that the web server, not the attacker, sends the SYN:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"68\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18-1024x68.png\" alt=\"\" class=\"wp-image-2038\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18-1024x68.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18-300x20.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18-150x10.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18-768x51.png 768w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-18.png 1107w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"482\" height=\"102\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-19.png\" alt=\"\" class=\"wp-image-2039\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-19.png 482w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-19-300x63.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/08\/image-19-150x32.png 150w\" sizes=\"auto, (max-width: 482px) 100vw, 482px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>The SOC received an alert in their SIEM for \u2018Local to Local Port Scanning\u2019 where an internal private 
IP began scanning another internal system. <a href=\"https:\/\/mikadmin.fr\/blog\/btlo-network-analysis-web-shell\/\" class=\"more-link\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1988,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4,2],"tags":[68,70,5,31,63],"class_list":["post-1979","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","category-network","tag-blueteam","tag-btlo","tag-infosec","tag-network","tag-writeup"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1979"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1979\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/1988"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
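Added example, not part of the original writeup: the first three questions of the challenge apply the display filter tcp.flags.syn==1 and tcp.flags.ack==0 to find the scanner, read off the scanned port range, and tell a SYN scan from a connect scan. The Python script below does those three steps without Wireshark, on raw Ethernet/IPv4/TCP frames decoded with the standard library, so you can see exactly which header bits the filter tests and why the scanner's RST after a SYN/ACK marks a half-open (nmap -sS) scan. Since the challenge PCAP is not available here, the frames are constructed in code: the addresses 10.0.0.5 (scanner), 10.0.0.20 (target) and 10.0.0.9 (a normal client), the 1-1024 range and the two open ports are assumptions for the sample, not values from the challenge.

```python
import socket
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte TCP header without options
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# Constructed addresses for the sample capture, not the challenge's values.
SCANNER, TARGET, BYSTANDER = "10.0.0.5", "10.0.0.20", "10.0.0.9"


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed test frame: Ethernet + IPv4 + TCP, no payload, checksums left zero."""
    eth = ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, ETHERTYPE_IPV4)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + TCP_HDR.size, 0, 0, 64, IPPROTO_TCP, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def parse_tcp_frame(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    tcp_off = ETH_HDR.size + (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP or len(frame) < tcp_off + TCP_HDR.size:
        return None
    sport, dport, _, _, _, flags, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, flags


def is_syn_only(flags):
    """Same test as the display filter tcp.flags.syn==1 and tcp.flags.ack==0."""
    return bool(flags & TCP_SYN) and not flags & TCP_ACK


def find_syn_scanners(frames, min_ports=20):
    """Group lone SYNs by (src, dst). One source hitting many distinct destination ports
    on one host is the scanner; min_ports filters out normal clients, which open only a
    few connections. Returns {(src, dst): (lowest_port, highest_port, port_count)}."""
    probes = defaultdict(set)
    for frame in frames:
        pkt = parse_tcp_frame(frame)
        if pkt and is_syn_only(pkt[4]):
            probes[(pkt[0], pkt[1])].add(pkt[3])
    return {k: (min(v), max(v), len(v)) for k, v in probes.items() if len(v) >= min_ports}


def classify_scan(frames, scanner, target):
    """Half-open SYN scan (nmap -sS) or full connect scan (nmap -sT)? Both send a lone
    SYN; only the connect scan completes the handshake with an ACK, while the SYN scan
    answers the SYN/ACK with a RST. Returns (kind, sorted open ports)."""
    open_ports, completed, reset = set(), set(), set()
    for frame in frames:
        pkt = parse_tcp_frame(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if src == target and dst == scanner and flags & TCP_SYN and flags & TCP_ACK:
            open_ports.add(sport)            # target answered SYN/ACK: port is open
        elif src == scanner and dst == target and dport in open_ports:
            if flags & TCP_RST:
                reset.add(dport)             # handshake torn down: half-open scan
            elif flags & TCP_ACK and not flags & TCP_SYN:
                completed.add(dport)         # handshake completed: connect scan
    kind = "TCP connect scan" if completed else "TCP SYN (half-open) scan" if reset else "unknown"
    return kind, sorted(open_ports)


def sample_capture():
    """Constructed capture: SYN scan of ports 1-1024 (22 and 80 open) from SCANNER, plus
    one legitimate connection from BYSTANDER that the detector must ignore."""
    frames = []
    for port in range(1, 1025):
        frames.append(build_tcp_frame(SCANNER, TARGET, 40000, port, TCP_SYN))
        if port in (22, 80):
            frames.append(build_tcp_frame(TARGET, SCANNER, port, 40000, TCP_SYN | TCP_ACK))
            frames.append(build_tcp_frame(SCANNER, TARGET, 40000, port, TCP_RST))
        else:
            frames.append(build_tcp_frame(TARGET, SCANNER, port, 40000, TCP_RST | TCP_ACK))
    frames.append(build_tcp_frame(BYSTANDER, TARGET, 51000, 443, TCP_SYN))
    frames.append(build_tcp_frame(TARGET, BYSTANDER, 443, 51000, TCP_SYN | TCP_ACK))
    frames.append(build_tcp_frame(BYSTANDER, TARGET, 51000, 443, TCP_ACK))
    return frames


if __name__ == "__main__":
    capture = sample_capture()
    for (src, dst), (lo, hi, n) in find_syn_scanners(capture).items():
        kind, open_ports = classify_scan(capture, src, dst)
        print(f"{src} -> {dst}: {n} ports probed ({lo}-{hi}), {kind}, open: {open_ports}")
```

The min_ports threshold is what keeps the bystander's single SYN out of the result; on a real capture you would feed parse_tcp_frame the packet bytes read from the PCAP record by record, and a client that legitimately opens many connections to one host (a browser, a backup agent) will still need a look at the timing and the ports before you call it a scan.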