How to spot rootkit in wireshark
So there's a rootkit installed on machine 192.168.119 and we have to answer this:
Knowning that port 80 is used by default to do HTTP requests, show that this protocol has been used to send non-sens information linked to passwords from machine 192.168.1.119 to a distant server.
So i checked all the HTTP protocols in the photo below and i have no clue about what it looks like.
We got a tips that to answer this question we need to know what a passwd file look like but it still doesn't help me at all.
Any tips on what to look at in the packets to spot something related to a password ? thank you.
The description of a passwd file, which holds the encrypted hashes of account passwords on Linux and BSD (and possibly other OS's) machines can be found here.
You can maybe try using "Follow -> HTTP Stream" to see the HTTP payloads, but the required information may not be there, it could be transported in other parts of the HTTP protocol.