Have I Been PWNed or PWNed Myself... I Don't Know What I'm Doing, but I'd REALLY Like To.

Nov 5, 2015 08:14 PM

Firstly, love this forum (Null-Byte specifically not the whole WonderHowTo thing), you fine fellows have been very informative. As a rule I lurk and read and am not much of a joiner but desperate times call for desperate measures. I can not master this skill-set at my aging age without help...

So please... HELP ME!

I have been playing with Metasploit trying to get remote connections to work with little luck. I can get shells all over if I'm local but try reaching out and no luck. In the process I think I have payloads on every bkox I own calling to somewhere... for something... but who knows what.

Now, I also work in a somewhat sensitive and grey sort of area as far as the state and its agencies of one form or another may or may not take an undue interest in (totally unwarranted of course) from time to time. The likelihood of this being the cause of my concern is so minuscule I would say it borders on nonexistent but I thought I'd throw it in the mix. I also am a person who whenever I express how I see things in the world, my perspective if you will, I seem to be generally disliked for doing so. I tell the truth, blunt and true... apeople don't like that so much... So... maybe I pissed off a hacker? I find this unlikely also.

The most plausible reason for my concern is either I have somehow hacked myself or, less preferably, nut none the less possible... What I am witnessing in WireShark traffic wise is normal and I really am a cluless half retarded old junky whos once sharp mind has finally melted. If such is the case I need to reasses everything whith this in mind, and perhaps ... Give up??? Try harder??? I wouldn't know I guess on account of being fucked in the head.

SO... any good Samaritan out there want to help me find out? I am not sure the best way to share the specifics so I'm open to suggestions. I don't think sharing a packet dump in open forum is something I want to do just yet.

My concerns were born out of my attacker machine lightening up in Armitage with a whole bunch of gibberish appearing underneath ,and seemingly binding to itself... when I have not pooped a payload on it nor even touched any non windows ones... and this attacker machine being a Linux one... it doesn't make sense. I open a listener and I start listening to myself.... very strange.

On WireShark monitoring my only out connection at the moment eth1 (a USB prepaid mobile broadband dongle) I am getting a lot of stuff I have never seen on wlan wireless connections but I am the first to admit I am way over my head when watching the packets in WireShark... I grasp a bit of whats going on... but not much in the grand scheme. I will post a small sample below, and hope this post gets a response or two from someone who gets it. I thank you for reading this and for this wonderful resource.

Walter Coen Sobcheck

No. Time Source Destination Protocol Length Info

23036 2091.463325000 192.168.1.1 239.255.255.250 SSDP 460 NOTIFY HTTP/1.1

Frame 23036: 460 bytes on wire (3680 bits), 460 bytes captured (3680 bits) on interface 0

Ethernet II, Src: Elitegro8e:4b:ac (00:0d:87:8e:4b:ac), Dst: IPv4mcast7f:ff:fa (01:00:5e:7f:ff:fa)

Destination: IPv4mcast7f:ff:fa (01:00:5e:7f:ff:fa)

Address: IPv4mcast
7f:ff:fa (01:00:5e:7f:ff:fa)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)

Source: Elitegro8e:4b:ac (00:0d:87:8e:4b:ac)

Address: Elitegro
8e:4b:ac (00:0d:87:8e:4b:ac)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Type: IP (0x0800)

Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 239.255.255.250 (239.255.255.250)

Version: 4

Header Length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

Total Length: 446

Identification: 0x0000 (0)

Flags: 0x02 (Don't Fragment)

Fragment offset: 0

Time to live: 1

Protocol: UDP (17)

Header checksum: 0xc68b validation disabled

Source: 192.168.1.1 (192.168.1.1)

Destination: 239.255.255.250 (239.255.255.250)

Source GeoIP: Unknown

Destination GeoIP: Unknown

User Datagram Protocol, Src Port: 51438 (51438), Dst Port: 1900 (1900)

Source Port: 51438 (51438)

Destination Port: 1900 (1900)

Length: 426

Checksum: 0x9ced validation disabled

Stream index: 2

Hypertext Transfer Protocol

NOTIFY HTTP/1.1\r\n

HOST: 239.255.255.250:1900\r\n

CACHE-CONTROL: max-age=1800\r\n

lOCATION: http://192.168.1.1:45815/rootDesc.xml \r\n

SERVER: E588 UPnP/1.0 MiniUPnPd/1.6\r\n

NT: uuid:000D878E-000D-878E-4BAC-000D878E4BA1\r\n

USN: uuid:000D878E-000D-878E-4BAC-000D878E4BA1\r\n

NTS: ssdp:alive\r\n

OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01\r\n

01-NLS: 1\r\n

BOOTID.UPNP.ORG: 1\r\n

CONFIGID.UPNP.ORG: 1337\r\n

DATE: Thu, 05 Nov 2015 18:41:38 GMT\r\n

\r\n

Full request URI: [http://239.255.255.250:1900 *

Related Articles

637263493835297420.jpg

How to Use Zero-Width Characters to Hide Secret Messages in Text (& Even Reveal Leaks)

636455706472146367.jpg

How to Hide DDE-Based Attacks in MS Word

Comments

No Comments Exist

Be the first, drop a comment!