BTLO: Network Analysis – Web Shell

The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system.

View the PCAP file in wireshark.

What is the IP responsible for conducting the port scan activity?

Head to the conversations tab and we can see that the ports are in ascending order. This suggests it is some type of port scanning activity.

What is the port range scanned by the suspicious host?

Statistics –> IPv4 Statistics –> Destination and Ports to view the ports scanned by the ip.

What is the type of port scan conducted?

Filtering out to the IP we can see it is a TCP SYN protocol scan.

Two more tools were used to perform reconnaissance against open ports, what were they?

We can find tools by filtering out the user agents. Use the following filter :

ip.dst == && http.user_agent

What is the name of the php file through which the attacker uploaded a web shell?

Filter the request method to POST and scroll down to the end to find an upload file.

Follow the TCP stream of that packet and we can see the referrer php file.

What is the name of the web shell that the attacker uploaded?

In the TCP stream we are able to find the filename uploaded.

What is the parameter used in the web shell for executing commands?

We are able to see the php script and find the parameter.

What is the first command executed by the attacker?

Filter out ip.src== && http.request.method==GET and find the parameter with cmd.

What is the type of shell connection the attacker obtains through command execution?

There is a python script uploaded via the shell. It will be a reverse shell.

What is the port he uses for the shell connection?

URL decode the python reverse shell script to find the port.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: