Advent Of Cyber — Day 17
Which version of SiLK is installed on the VM?
command: rwfileinfo suspicious-flows.silk
3.19.1
What is the size of the flows in the count records?
command: rwfileinfo suspicious-flows.silk
11774
What is the start time (sTime) of the sixth record in the file?
command: rwcut suspicious-flows.silk --num-recs=5
2023/12/05T09:33:07.755
What is the destination port of the sixth UDP record?
command: rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=5
49950
What is the record value (%) of the dport 53?
command: rwstats suspicious-flows.silk --fields=dPort --values=records --count=5
35.332088
What is the number of bytes transmitted by the top talker on the network?
command: rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=5 --top
735229
What is the sTime value of the first DNS record going to port 53?
command: rwfilter suspicious-flows.silk --saddress=175.175.173.22 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,stime | head -10
2023/12/08T04:28:44.825
What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )
175[.]175[.]173[.]221
Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )
command: rwfilter suspicious-flows.silk --saddress=175.215.235.223 --pass=stdout | rwstats --fields=sIP,flag,dIP --count=10
175[.]215[.]236[.]223
What is the sent SYN packet’s number of records?
command: rwstats suspicious-flows.silk --fields=sIP,dIP,dPort --values=records --count=10
1658
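The rwstats and rwfilter calls above each boil down to a simple aggregation over flow records: share of records per destination port, bytes per source IP, and record counts per (sIP, dIP, dPort) for SYN-only flows. The script below, added here as an example and not part of the original writeup or the SiLK project, reproduces those aggregations in plain Python over a pipe-delimited dump in the shape rwcut prints. The flow records in SAMPLE are constructed for illustration and are not taken from suspicious-flows.silk; the field names come from the commands above, while the function names are my own.

```python
"""Plain-Python versions of the rwfilter/rwstats aggregations used in the
walkthrough, run over an rwcut-style dump (pipe-delimited, one record per
line, trailing '|' as rwcut prints it). No SiLK install is needed to run it.

SAMPLE is CONSTRUCTED test data, not the room's suspicious-flows.silk."""
from collections import Counter

SAMPLE = """\
sIP|dIP|dPort|protocol|packets|bytes|flags|sTime|
10.0.0.5|10.0.0.53|53|17|1|72|  |2023/12/05T09:33:00.000|
10.0.0.5|10.0.0.53|53|17|1|70|  |2023/12/05T09:33:01.000|
10.0.0.7|10.0.0.53|53|17|1|68|  |2023/12/05T09:33:02.000|
203.0.113.9|10.0.0.80|80|6|1|60|S|2023/12/05T09:34:00.000|
203.0.113.9|10.0.0.80|80|6|1|60|S|2023/12/05T09:34:00.100|
203.0.113.9|10.0.0.80|80|6|1|60|S|2023/12/05T09:34:00.200|
10.0.0.5|198.51.100.2|443|6|12|9000|SAPF|2023/12/05T09:35:00.000|
10.0.0.7|10.0.0.80|80|6|1|60|S|2023/12/05T09:36:00.000|
"""


def parse_rwcut(text):
    """Parse rwcut-style output: first line is the header, cells are '|'-separated."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].rstrip("|").split("|")]
    records = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.rstrip("|").split("|")]
        rec = dict(zip(header, cells))
        for key in ("dPort", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        rec["flags"] = rec["flags"].replace(" ", "")  # compact TCP flag string
        records.append(rec)
    return records


def filter_records(records, **criteria):
    """rwfilter-style selection: keep records matching every field=value given."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]


def first_stime(records):
    """Earliest sTime among the selected records (what 'rwcut | head' shows first)."""
    return min(r["sTime"] for r in records) if records else None


def dport_record_share(records, port):
    """rwstats --fields=dPort --values=records: percent of all records sent to `port`."""
    hits = sum(1 for r in records if r["dPort"] == port)
    return round(100.0 * hits / len(records), 6)


def top_talkers(records, n=5):
    """rwstats --fields=sIP --values=bytes --count=n --top: bytes per source IP."""
    totals = Counter()
    for r in records:
        totals[r["sIP"]] += r["bytes"]
    return totals.most_common(n)


def syn_only_record_counts(records, n=10):
    """rwstats --fields=sIP,dIP,dPort --values=records, restricted to TCP flows
    whose only flag is SYN: many records on one key is the SYN-flood signature."""
    counts = Counter()
    for r in records:
        if r["protocol"] == 6 and r["flags"] == "S":
            counts[(r["sIP"], r["dIP"], r["dPort"])] += 1
    return counts.most_common(n)


def defang(ip):
    """Write an address in the 123[.]456[.]789[.]0 form used in the answers."""
    return ip.replace(".", "[.]")


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE)
    print("records:", len(recs))
    print("dPort 53 share (%):", dport_record_share(recs, 53))
    print("top talker:", top_talkers(recs, 1))
    print("SYN-only keys:", syn_only_record_counts(recs))
    dns = filter_records(recs, sIP="10.0.0.7", dPort=53)
    print("first DNS sTime from 10.0.0.7:", first_stime(dns))
    src, _ = top_talkers(recs, 1)[0]
    print("defanged:", defang(src))
```

Running it prints the same quantities the walkthrough reads off rwstats: the dPort 53 share, the top talker by bytes, and the (sIP, dIP, dPort) key with the most SYN-only records, which is how the flood source in the room is singled out.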
That’s it | Visit mansoorbarri.com for other hacking & IT related articles.