Isaca Exam CCOA Topic 1 Question 1 Discussion

To identify the filename of the webshell used to control the host 10.10.44.200 from the provided PCAP file, follow these detailed steps:

Step 1: Access the PCAP File

Log into the Analyst Desktop.

Navigate to the Investigations folder located on the desktop.

Locate the file:

investigation22.pcap

Step 2: Open the PCAP File in Wireshark

Launch Wireshark on the Analyst Desktop.

Open the PCAP file:

mathematica

File > Open > Desktop > Investigations > investigation22.pcap

Click Open to load the file.

Step 3: Filter Traffic Related to the Target Host

Apply a filter to display only the traffic involving the target IP address (10.10.44.200):

ini

ip.addr == 10.10.44.200

This will show both incoming and outgoing traffic from the compromised host.

Step 4: Identify HTTP Traffic

Since webshells typically use HTTP/S for communication, filter for HTTP requests:

http.request and ip.addr == 10.10.44.200

Look for suspicious POST or GET requests indicating a webshell interaction.

Common Indicators:

Unusual URLs: Containing scripts like cmd.php, shell.jsp, upload.asp, etc.

POST Data: Indicating command execution.

Response Status: HTTP 200 (Success) after sending commands.

Step 5: Inspect Suspicious Requests

Right-click on a suspicious HTTP packet and select:

arduino

Follow > HTTP Stream

Examine the HTTP conversation for:

File uploads

Command execution responses

Webshell file names in the URL.

Example:

makefile

POST /uploads/shell.jsp HTTP/1.1

Host: 10.10.44.200

User-Agent: Mozilla/5.0

Content-Type: application/x-www-form-urlencoded

Step 6: Correlate Observations

If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.

Look for:

Commands sent via the script.

Response indicating successful execution or error.

Step 7: Extract and Confirm

To confirm the filename, look for:

Upload requests containing the webshell.

Subsequent requests calling the same filename for command execution.

Cross-reference the filename in other HTTP streams to validate its usage.

Step 8: Example Findings:

After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:

shell.jsp

Answe r:

shell.jsp

Step 9: Further Investigation

Extract the Webshell:

Right-click the related packet and choose:

mathematica

Export Objects > HTTP

Save the file shell.jsp for further analysis.

Analyze the Webshell:

Open the file with a text editor to examine its functionality.

Check for hardcoded credentials, IP addresses, or additional payloads.

Step 10: Documentation and Response

Document Findings:

Webshell Filename: shell.jsp

Host Compromised: 10.10.44.200

Indicators: HTTP POST requests, suspicious file upload.

Immediate Actions:

Isolate the host 10.10.44.200.

Remove the webshell from the web server.

Conduct a root cause analysis to determine how it was uploaded.