Forum Thread: Have I Been PWNed or PWNed Myself... I Don't Know What I'm Doing, but I'd REALLY Like To.

Firstly, love this forum (Null-Byte specifically not the whole WonderHowTo thing), you fine fellows have been very informative. As a rule I lurk and read and am not much of a joiner but desperate times call for desperate measures. I can not master this skill-set at my aging age without <gulp> help...

So please... HELP ME!

I have been playing with Metasploit trying to get remote connections to work with little luck. I can get shells all over if I'm local but try reaching out and no luck. In the process I think I have payloads on every bkox I own calling to somewhere... for something... but who knows what.

Now, I also work in a somewhat sensitive and grey sort of area as far as the state and its agencies of one form or another may or may not take an undue interest in (totally unwarranted of course) from time to time. The likelihood of this being the cause of my concern is so minuscule I would say it borders on nonexistent but I thought I'd throw it in the mix. I also am a person who whenever I express how I see things in the world, my perspective if you will, I seem to be generally disliked for doing so. I tell the truth, blunt and true... apeople don't like that so much... So... maybe I pissed off a hacker? I find this unlikely also.

The most plausible reason for my concern is either I have somehow hacked myself or, less preferably, nut none the less possible... What I am witnessing in WireShark traffic wise is normal and I really am a cluless half retarded old junky whos once sharp mind has finally melted. If such is the case I need to reasses everything whith this in mind, and perhaps ... Give up??? Try harder??? I wouldn't know I guess on account of being fucked in the head.

SO... any good Samaritan out there want to help me find out? I am not sure the best way to share the specifics so I'm open to suggestions. I don't think sharing a packet dump in open forum is something I want to do just yet.

My concerns were born out of my attacker machine lightening up in Armitage with a whole bunch of gibberish appearing underneath ,and seemingly binding to itself... when I have not pooped a payload on it nor even touched any non windows ones... and this attacker machine being a Linux one... it doesn't make sense. I open a listener and I start listening to myself.... very strange.

On WireShark monitoring my only out connection at the moment eth1 (a USB prepaid mobile broadband dongle) I am getting a lot of stuff I have never seen on wlan wireless connections but I am the first to admit I am way over my head when watching the packets in WireShark... I grasp a bit of whats going on... but not much in the grand scheme. I will post a small sample below, and hope this post gets a response or two from someone who gets it. I thank you for reading this and for this wonderful resource.

Walter Coen Sobcheck

No. Time Source Destination Protocol Length Info
23036 2091.463325000 SSDP 460 NOTIFY HTTP/1.1

Frame 23036: 460 bytes on wire (3680 bits), 460 bytes captured (3680 bits) on interface 0
Ethernet II, Src: Elitegro8e:4b:ac (00:0d:87:8e:4b:ac), Dst: IPv4mcast7f:ff:fa (01:00:5e:7f:ff:fa)
Destination: IPv4mcast7f:ff:fa (01:00:5e:7f:ff:fa)
Address: IPv4mcast
7f:ff:fa (01:00:5e:7f:ff:fa)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: Elitegro8e:4b:ac (00:0d:87:8e:4b:ac)
Address: Elitegro
8e:4b:ac (00:0d:87:8e:4b:ac)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: (, Dst: (
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 446
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xc68b validation disabled
Source: (
Destination: (
Source GeoIP: Unknown
Destination GeoIP: Unknown
User Datagram Protocol, Src Port: 51438 (51438), Dst Port: 1900 (1900)
Source Port: 51438 (51438)
Destination Port: 1900 (1900)
Length: 426
Checksum: 0x9ced validation disabled
Stream index: 2
Hypertext Transfer Protocol
CACHE-CONTROL: max-age=1800\r\n
lOCATION: \r\n
SERVER: E588 UPnP/1.0 MiniUPnPd/1.6\r\n
NT: uuid:000D878E-000D-878E-4BAC-000D878E4BA1\r\n
USN: uuid:000D878E-000D-878E-4BAC-000D878E4BA1\r\n
NTS: ssdp:alive\r\n
OPT: ""; ns=01\r\n
01-NLS: 1\r\n
DATE: Thu, 05 Nov 2015 18:41:38 GMT\r\n
Full request URI: [ *

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active