Introduction When a Cyber Attack happens, in order to eliminate such sort of future attack, it’s very important to know how the security breach has had happened. This is done using Memory Forensics.

Bootstrap Protocol — The term bootstrap protocol (or boot protocol) comes from the idea of lifting yourself up by your own bootstraps, something that is obviously difficult to do. In other words, how does a client machine startup when it initially has neither an IP address nor an operating system? BOOTP makes this…

Reverse Address Resolution Protocol — RARP RARP is a TCP/IP protocol that is responsible for the translation of a Physical Address (e.g. — Ethernet address) to be translated into an IP address. The RARP is on the Network Access Layer (i.e. …

Dynamic Host Configuration Protocol ( DHCP ) — Every computer in the network has to have an IP Address. There are two ways in which IP Addresses are assigned to the computers. Static IP Dynamic IP Static IP In this method, the IP Address is assigned to the computer manually by the user. This was the original method that was…

Description Bob and Charlie were sending some messages among themselves,and I planned to intercept their messages and get something out of it, however, they are clever enough that no secret gets leaked. Please help me out to get the secret!! Solution Download the PCAP file. Analyse it using Wireshark. Following the TCP…

While analysing the DNS we shall find that there is a PNG header. So the we shall understand that PNG image is being transmitted. Let’s write a scapy script to extract the necessary chunks to carve out the PNG. from scapy.all import * p=rdpcap('dnscap.pcap') x="" y="" temp="" for i in p: if i in p[DNSQR] and i not in p[DNSRR]: # To remove all the response packets from the requested packets we are using this condition. x=(i[DNSQR].qname)[18:-18] # Here we are removing starting 18 bits of information since they are just scrap and the last 18 bits are .skulllabsec.org x=x.replace('.','') x=x.decode('hex') # Decode from Hex. if(x==temp): # To eliminate the retransmissions we check the current data with the previous data. continue # If same then move to next iteration. y+=x temp=x

After analysing several packets we can conclude that there is something to be done with ICMP. So apply the ICMP filter and start analyzing. We can see that packets from the source = 10.30.8.102 and destination = 192.168.42.83 has some ZIP Magic Numbers. In scapy there are lots of ways…