How to spot rootkit in wireshark

asked 2020-09-26 17:07:09 +0000

danypep

updated 2020-09-26 17:07:52 +0000

So there's a rootkit installed on machine 192.168.119 and we have to answer this:

Knowing that port 80 is used by default for HTTP requests, show that this protocol has been used to send nonsense information linked to passwords from the machine to a remote server.

So I checked all the HTTP packets in the photo below and I have no clue what it looks like.

We got a tip that to answer this question we need to know what a passwd file looks like, but it still doesn't help me at all.

Any tips on what to look at in the packets to spot something related to a password? Thank you.



The description of a passwd file, which holds the encrypted hashes of account passwords on Linux and BSD (and possibly other OSes) machines, can be found here.

You can maybe try using "Follow -> HTTP Stream" to see the HTTP payloads, but the required information may not be there, it could be transported in other parts of the HTTP protocol.

grahamb ( 2020-09-26 20:06:27 +0000 )
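The comment above makes two points that are easy to check by hand once you know the shape of a passwd record: every line is seven colon-separated fields (name:password:UID:GID:GECOS:home:shell, e.g. `root:x:0:0:root:/root:/bin/bash`), and the data does not have to be in the body of the request, it can just as well sit in the URL query string or a Cookie header, possibly percent-encoded or base64-encoded. The script below is an added example, not code from the question or from grahamb's comment. It builds four constructed HTTP/1.1 requests (the host 203.0.113.10, the paths, the form field `f`, and the cookie name `sid` are all made up for the example), decodes each part of the request as percent-encoding and base64, and reports which part carries passwd-format records. The same regular expression is what you would look for in Wireshark after "Follow -> HTTP Stream".

```python
from __future__ import annotations

import base64
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

# One passwd(5) record: name:password:UID:GID:GECOS:home:shell (7 fields).
# Not anchored to line start so it also fires inside a form field such as
# "f=root:x:0:0:..."; the lookbehind stops it matching in the middle of a name.
PASSWD_RECORD = re.compile(
    rb"(?<![A-Za-z0-9._-])[A-Za-z_][A-Za-z0-9._-]*"
    rb":[^:\r\n&]*:\d+:\d+:[^:\r\n&]*:[^:\r\n&]*:[^:\r\n&]*"
)
# Long base64 runs: a common way to hide text in a query string, cookie or body.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def decoded_views(blob: bytes) -> list[bytes]:
    """Raw bytes, percent-decoded bytes, and every base64 token that decodes."""
    views: list[bytes] = []
    for view in (blob, unquote_to_bytes(blob)):
        if view not in views:
            views.append(view)
    for view in list(views):            # snapshot: do not rescan decoded output
        for tok in B64_TOKEN.findall(view):
            try:
                dec = base64.b64decode(tok, validate=True)
            except ValueError:          # bad length/padding: not base64 after all
                continue
            if dec not in views:
                views.append(dec)
    return views


def passwd_records(blob: bytes) -> list[bytes]:
    """All distinct passwd-format records visible in any decoding of blob."""
    hits: list[bytes] = []
    for view in decoded_views(blob):
        for m in PASSWD_RECORD.finditer(view):
            if m.group(0) not in hits:
                hits.append(m.group(0))
    return hits


def scan_http_request(raw: bytes) -> dict[str, list[bytes]]:
    """Map each part of the request that carries passwd data to the records found."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = {
        "request-line": request_line,          # path and query string
        "headers": b"\n".join(header_lines),   # Cookie, User-Agent, custom headers
        "body": body,                          # POST form or raw upload
    }
    findings = {}
    for where, data in parts.items():
        recs = passwd_records(data)
        if recs:
            findings[where] = recs
    return findings


# Constructed sample: the first two records of a typical Debian /etc/passwd.
ROOT = b"root:x:0:0:root:/root:/bin/bash"
DAEMON = b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"
PASSWD_SAMPLE = ROOT + b"\n" + DAEMON + b"\n"
B64 = base64.b64encode(PASSWD_SAMPLE)


def http_request(method: bytes, target: bytes, headers: dict, body: bytes = b"") -> bytes:
    """Build a raw HTTP/1.1 request (constructed traffic, not a real capture)."""
    lines = [method + b" " + target + b" HTTP/1.1", b"Host: 203.0.113.10"]
    lines += [k + b": " + v for k, v in headers.items()]
    if body:
        lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Four made-up requests: three exfiltration variants and one benign fetch.
SAMPLES = {
    "form-post": http_request(
        b"POST", b"/collect",
        {b"Content-Type": b"application/x-www-form-urlencoded"},
        b"f=" + quote_from_bytes(PASSWD_SAMPLE, safe="").encode()),
    "query-b64": http_request(b"GET", b"/i?d=" + B64, {}),
    "cookie-b64": http_request(b"GET", b"/", {b"Cookie": b"sid=" + B64}),
    "benign": http_request(b"GET", b"/index.html", {b"User-Agent": b"curl/7.68.0"}),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_http_request(raw))
```

In Wireshark the equivalent first pass is a display filter such as `http.request && http contains "root:x:0:0"` (or `http contains ":/bin/"`), which matches the literal text anywhere in the dissected HTTP data; if nothing shows up in plaintext, inspect the URI and Cookie fields of requests from the suspect host for long base64-looking strings and decode them, as the script does.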