![]() Essentially, this is a small program to perform a dictionary or word-list attack against local administrative accounts. If one of the accounts password matches a word found in the word-list, it is placed in the “Good List” window. Next, the user can click Start to guess the passwords for the accounts identified. Below is a screenshot of Advanced Port Scanner 2:Ī user of the program can supply it with a word-list by clicking the Download Pass button. As mentioned in the first article, it was a log entry generated by this program that caught my eye and clued me in to the compromised account. The attackers likely used the program to scan the network and find additional hosts to compromise. This is a legitimate port scanning tool used by both administrators and attackers apparently. ![]() Pscan24.exe: This is the installer and standalone executable for the program: Advanced Port Scanner 2. I discovered the following files downloaded to the server: Now we can look at the tools the attackers used and try to understand their techniques. ![]() Maybe they forgot to encrypt it on their way out?Įither way, this oversight provides us with an interesting opportunity. If the attackers wanted to keep their foothold, it would make sense to encrypt this server last. The attacker’s tools were downloaded to the server, so it appears they used this server to stage their attack. It’s not clear why, but the first server the attackers compromised was not encrypted with ransomware. ![]() In this article, we will look at some of the tools used by the attackers. This is a follow up to my previous article in which we looked at Ransomware attack.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |