
List:       wireshark-users
Subject:    Re: [Wireshark-users] Hacking question
From:       "Ryan Zuidema" <ryan.zuidema () knchlaw ! com>
Date:       2009-02-24 17:09:26
Message-ID: 004501c996a2$a9736470$fc5a2d50$ () zuidema () knchlaw ! com

Remember that if you have "resolve transport names" turned on it will still
resolve the source ports as well as destination. You are looking at an http
conversation there. The "brutus" source port was chosen randomly by the
client.

-Ryan

From: wireshark-users-bounces@wireshark.org
[mailto:wireshark-users-bounces@wireshark.org] On Behalf Of Edsel barrios
Sent: Tuesday, February 24, 2009 6:55 AM
To: Community support list for Wireshark
Subject: [Wireshark-users] Hacking question

I am using Wireshark 1.0.3 and I was running a scan on my network when I
noticed some weird packages coming from the outside and they had a prefix of
Brutus

1573    250.604174    10.0.0.5    129.101.198.59    TCP    brutus > http
[ACK] Seq=515 Ack=5841 Win=17520 Len=0

Has anyone seen something like this? Honestly my first thought was of the
password sniffer Brutus.

Any ideas would be appreciated.

Thank you,
Edsel





___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
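Ryan's point, as an added example that is not part of the thread: with "resolve transport names" on, Wireshark looks up both ports of a TCP flow in its services table, so a client's randomly chosen source port that happens to equal a registered service number is printed under that service's name. The Python below (my addition, not Wireshark's code) parses a constructed services-file excerpt and renders the captured flow both ways; it assumes the standard mappings http = 80/tcp and brutus = 2133/tcp and treats ports at or above 1024 as ephemeral.

```python
# Constructed excerpt in /etc/services format ("name port/proto [# comment]").
# The entries assume the standard IANA names: http = 80/tcp, brutus = 2133/tcp.
SERVICES_TEXT = """
http     80/tcp     # World Wide Web HTTP
brutus   2133/tcp   # Brutus Server (a registered port name, not evidence of a tool)
"""

EPHEMERAL_START = 1024  # assumption: client-side ports at or above this are ephemeral


def parse_services(text):
    """Build {(port, proto): name} from services-file lines, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


def resolve_port(port, proto, table):
    """What 'resolve transport names' prints: the service name if known, else the number."""
    return table.get((port, proto), str(port))


def describe_tcp_flow(src_port, dst_port, table):
    """Return the resolved and numeric renderings plus whether the source port is ephemeral."""
    resolved = f"{resolve_port(src_port, 'tcp', table)} > {resolve_port(dst_port, 'tcp', table)}"
    numeric = f"{src_port} > {dst_port}"
    return resolved, numeric, src_port >= EPHEMERAL_START


def unresolve_tcp_flow(display, table):
    """Map a resolved 'src > dst' string back to port numbers (inverse of the display)."""
    by_name = {(name, proto): port for (port, proto), name in table.items()}
    src, dst = [s.strip() for s in display.split(">")]

    def to_port(token):
        return int(token) if token.isdigit() else by_name[(token, "tcp")]

    return to_port(src), to_port(dst)


if __name__ == "__main__":
    table = parse_services(SERVICES_TEXT)
    print(describe_tcp_flow(2133, 80, table))   # the flow from the capture line above
    print(unresolve_tcp_flow("brutus > http", table))
```

Turning name resolution off (or reading the numeric form) shows the same flow as an ephemeral client port talking to tcp/80, which is the ordinary shape of an outbound HTTP connection.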
