Wireshark Question
by mb1994 from LinuxQuestions.org on (#5FSH5)
Good morning all,
I was wondering if anyone may be able to provide me with some assistance in Wireshark. I believe my host was a victim of an EK attack. I used Wireshark and was able to locate the payload (using Export Objects -> HTTPS). I confirmed my suspicions by using VirusTotal and had 21 / 60 engines detect. Now that I have located the payload... how can I locate the URL of the compromised website? When I highlight the payload packet in Wireshark, I can see that there is a host name (the website that downloaded the payload) and a referer website. Is the referer website the compromised website that acted as the landing page? I have included a screenshot of my Wireshark which shows the referer and host name of the payload.
Thanks in advance!
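The question above is really about walking the HTTP Referer chain backwards from the payload request: the Referer on the payload download normally points at the exploit kit landing page, and the page that sent the browser to that landing page (directly or via one or more redirectors) is the candidate compromised site. The following script is an added example written for this page; it is not code from the original post, from the poster's capture, or from the Wireshark project. It consumes the tab-separated output of a real tshark invocation (`tshark -r capture.pcap -Y http.request -T fields -e frame.number -e http.host -e http.request.uri -e http.referer`), but the sample lines embedded below are constructed, and every hostname in them (`www.example-blog.test`, `ads.redirector.test`, `landing.ekgate.test`) is made up for illustration.

```python
"""Walk an HTTP Referer chain backwards from a payload download.

Input: tab-separated lines, one HTTP request per line, in the shape produced by
    tshark -r capture.pcap -Y http.request -T fields \
        -e frame.number -e http.host -e http.request.uri -e http.referer
Added example for this page; the sample traffic below is constructed.
"""
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts, not from any real capture):
#   101  victim visits a blog page (no Referer: typed/bookmarked)
#   102  the page loads a script from its own CDN
#   103  injected code on the page sends the browser to a redirector
#   104  the redirector hands off to the exploit kit landing page
#   105  the landing page fetches the binary payload
SAMPLE = """\
101\twww.example-blog.test\t/2019/03/post.html\t
102\tcdn.example-blog.test\t/js/jquery.min.js\thttp://www.example-blog.test/2019/03/post.html
103\tads.redirector.test\t/go?id=77\thttp://www.example-blog.test/2019/03/post.html
104\tlanding.ekgate.test\t/index.php?a=b\thttp://ads.redirector.test/go?id=77
105\tlanding.ekgate.test\t/payload.bin\thttp://landing.ekgate.test/index.php?a=b
"""


def parse_requests(text):
    """Turn tshark field output into dicts with frame, full URL and Referer."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        # tshark emits an empty trailing field when there is no Referer header
        while len(fields) < 4:
            fields.append("")
        frame, host, uri, referer = fields[:4]
        requests.append({"frame": int(frame),
                         "url": f"http://{host}{uri}",
                         "referer": referer})
    return requests


def referer_chain(requests, payload_frame):
    """Return URLs from the payload request back to the first hop without a Referer.

    Each hop is resolved to the most recent earlier request for the referring
    URL, so the same landing page can appear in the chain more than once.
    The walk stops when a Referer was never requested inside the capture
    (for example an HTTPS page that was not decrypted) or when a loop is seen.
    """
    by_url = {}
    for r in requests:
        by_url.setdefault(r["url"], []).append(r)

    current = next(r for r in requests if r["frame"] == payload_frame)
    chain = [current["url"]]
    seen = {current["url"]}
    while current["referer"]:
        ref = current["referer"]
        if ref in seen:          # Referer loop guard
            break
        chain.append(ref)
        seen.add(ref)
        earlier = [r for r in by_url.get(ref, []) if r["frame"] < current["frame"]]
        if not earlier:          # referring page not present as a request in the capture
            break
        current = max(earlier, key=lambda r: r["frame"])
    return chain


def hop_hosts(chain):
    """Hostnames in visit order (first hop first), consecutive repeats collapsed."""
    hosts = []
    for url in reversed(chain):
        host = urlparse(url).hostname
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE)
    chain = referer_chain(reqs, payload_frame=105)
    for depth, url in enumerate(chain):
        print(f"{'payload' if depth == 0 else 'referer ' + str(depth):>10}: {url}")
    print("hosts in visit order:", " -> ".join(hop_hosts(chain)))
```

On the constructed sample the first host in visit order is the only one reached without a Referer, the middle one is a redirector, and the last is both the landing page and the payload host, which is the distinction the question is asking about. Two caveats apply to real captures: the Referer header is set by the client and can be absent (Referrer-Policy, HTTPS to HTTP transitions, meta-refresh or JavaScript redirects) or forged, so a break in the chain does not prove the visible first hop was the entry point, and a chain that stops at a URL never requested in the capture usually means that hop was served over undecrypted TLS.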