I'm trying to review a .pcap of about 900 packets related to a school assignment in which the "suspect" machine probed and attempted to gain access to the "target". I see many packets in which the suspect tried to GET several files, all of which have the same name, but different file extensions. The target machine responded with "404 Not Found" messages. Later, the suspect tried to PUT and POST and HEAD files, also to no avail. Can anyone tell me whether or not these packets are part of an automated exploit being conducted by the "suspect"?

Thanks, a sample of some of the packets is shown below:

GET /IG0PMUq2YRoM.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 404 Not Found
Date: Wed, 05 Sep 2007 19:19:51 GMT
Server: Apache/1.3.34 (Debian)
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

119
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /IG0PMUq2YRoM.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at 192.168.1.100 Port 80</ADDRESS>
</BODY></HTML>

0

GET /IG0PMUq2YRoM.cgi HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

HTTP/1.1 404 Not Found
Date: Wed, 05 Sep 2007 19:19:51 GMT
Server: Apache/1.3.34 (Debian)
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

118
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /IG0PMUq2YRoM.cgi was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at 192.168.1.100 Port 80</ADDRESS>
</BODY></HTML>

0

GET /IG0PMUq2YRoM.sh HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.100
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
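
One way to triage the HTTP in a capture like the one above, as an added example that is not part of the original post: it tallies methods, status codes and User-Agent strings and groups requested paths by base name, so one random name tried with many extensions and only 404 replies stands out. The sample input is constructed from the request and response heads quoted in the post; `SCANNER_MARKERS` and the `min_exts` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed sample: request/response start lines and User-Agent from the post.
SAMPLE = """\
GET /IG0PMUq2YRoM.html HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
HTTP/1.1 404 Not Found
GET /IG0PMUq2YRoM.cgi HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
HTTP/1.1 404 Not Found
GET /IG0PMUq2YRoM.sh HTTP/1.1
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
"""

REQ = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE) (\S+) HTTP/1\.[01]$")
RESP = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
UA = re.compile(r"^User-Agent:\s*(.*)$", re.I)
SCANNER_MARKERS = ("nessus", "nikto", "nmap")  # assumed marker list, extend as needed

def summarize(text):
    """Tally methods, status codes, User-Agents and extensions tried per base name."""
    methods, statuses, agents = Counter(), Counter(), Counter()
    exts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if m := REQ.match(line):
            methods[m.group(1)] += 1
            path = PurePosixPath(m.group(2).split("?", 1)[0])  # drop query string
            exts[path.stem].add(path.suffix)
        elif m := RESP.match(line):
            statuses[m.group(1)] += 1
        elif m := UA.match(line):
            agents[m.group(1)] += 1
    return {"methods": methods, "statuses": statuses, "agents": agents, "exts": exts}

def indicators(s, min_exts=3):
    """Return human-readable signs that the traffic came from a scanning tool."""
    out = [f"{name}: {len(e)} extensions probed {sorted(e)}"
           for name, e in s["exts"].items() if len(e) >= min_exts]
    for ua in s["agents"]:
        if any(k in ua.lower() for k in SCANNER_MARKERS):
            out.append(f"User-Agent names a scanner: {ua}")
    if s["statuses"] and set(s["statuses"]) == {"404"}:
        out.append(f"all {sum(s['statuses'].values())} responses were 404")
    return out
```

For a real capture, feed it the text of the reassembled HTTP streams rather than the embedded sample.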