A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)
Open Wireshark and import the PCAP located in this repository: log4j-exploit.pcap.
Looking at the packets, answer the following questions.
- Which packet numbers contain a TCP 3-way handshake? (Hint: there are 9 of them.)
- For the first handshake, which server IP and port is establishing a connection with which other server IP and port?
- For the second?
  - What service is associated with the destination port?
- For the third?
- Looking at the first 4 packets, what can we determine is the type of service running on 172.14.141.132:8080?
- Looking at the 4th packet, what header contains the payload for Log4Shell (CVE-2021-44228)?
- Looking at the first 4 packets, what is the first step of the exploit?
- Which packet contains the reply to packet 4?
- What is the IP address of the vulnerable server? What is the IP address of the attacking machine?
- After receiving the initial payload in packet 4 and the ACK in packet 5, what action does the vulnerable server take next?
- Which packet from the attacking machine contains the information to redirect the vulnerable server?
- Looking at this same packet, what is the name of the javaClass we are loading?
- What is the name of the javaFactory?
- What does the vulnerable server do next? (Starting at packet 18.)
- What packet contains the RCE that is sent to the server?
- Looking at this packet's 'data', what might be the RCE command sent to the vulnerable server?
- What is the order of establishing and finishing connections with the services and ports on each machine?
- What type of service is running on each of the following ports?
  - 172.16.141.132:8080
  - 172.16.141.131:1389
  - 172.16.141.131:8180

Now that you have answered the above questions, summarize the steps the exploit takes as it runs, e.g. "First, an HTTP request is sent to the server containing..."