SuperSonic: Ep.6 – TEMPLE
I have Problems with the last two questions:
In which file did the attacker find the credentials for the second account they accessed?
I extracted the 14 files with SMB/Wireshark but i am not able to find anyything.
Which two user accounts did the attacker use to access the SMB share? (Use a comma to separate the two usernames.)
I think i found one Account in the 14 files but at restart of the lab i dont find it anymore.
(This are the last two Questions for Supersonic-Badge)
yeah, these files are...
Anyway use filter to get only SMB traffic and then search through pcap using Edit -> Find Packet
You can use that to find strings within packets and if you know SMB header structure you should be able to spot logon information. From there you can follow up the traffic to see what's being done by each user and find out which sessions are bogus.