[MembersMgmtCommAttack] - Presence of external IPs among the bots injected #61
Labels
bug
Something isn't working
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue by giorgio.bertagnolli
Thursday Aug 16, 2018 at 17:34 GMT
Originally opened as https://git.tk.informatik.tu-darmstadt.de/SPIN/ID2T-toolkit/issues/156
After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true"
I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs.
Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs.
Below an example of a conversation where the Bot's IP is external.
The text was updated successfully, but these errors were encountered: