
Should I be worried? CandC server

<<

t3st

Newbie

Posts: 3

Joined: Wed Feb 15, 2012 11:03 am

Post Mon Dec 17, 2012 6:48 am

Should I be worried? CandC server

Hi there,
I have scanned the wi-fi in my workplace and have come across this connection:
CandC (00:**:7f:**:d6:**)
[WPS ESS]
[WPA-PSK-TKIP]
Ch 6 2437mhz

I have googled CandC server and worryingly came across this:
"A botnet's originator (known as a "bot herder" or "bot master") can control the group remotely, usually through an IRC, and often for criminal purposes. This server is known as the command-and-control (C&C) server."
So is this CandC server I have found something to worry about?
Please can you advise if there are innocent CandC servers or always related to botnets?
Thanks for your time,
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Dec 17, 2012 9:01 am

Re: Should I be worried? CandC server

Without more information, I would have a hard time telling you that THIS particular machine you've listed is a C and C botnet controller / host, or simply a machine going by that name.  In fact, I have my doubts that it is, at least, solely from the information you've given us, thus far.  A name, alone, means little.

That said...

What tool did you use to 'scan' the wireless?  Where did you come by the name, "CandC"?  Can you, at least, give us the first set of MAC address numbers that you left out (between the 00 and 7F) so that we can see who makes the adapter (assuming its MAC wasn't altered)?  What ports does it have open, etc?  We have VERY little information, here, to even begin to tell you anything about this box.

Let's assume, for instance, that it IS a C and C botnet box.  I'd be hard pressed to think the code would 'advertise' itself as C and C, as usually, they wouldn't want to be detected.  It's more likely just a chosen name that someone gave this box.  What I'd recommend / propose, is that you take the hostname and IP address, give it to IS&T (unless that's you), at your workplace, and let them find said machine and investigate it.  If your work has wifi, then it would be assumed that someone there would be capable of locating the box in question.  If not, I think it's time they contract someone who can.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Dec 17, 2012 10:34 pm

Re: Should I be worried? CandC server

I wonder if someone named it CandC, meaning CNC.
OSWP, Sec+
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Dec 17, 2012 11:11 pm

Re: Should I be worried? CandC server

Honestly wondered the same, but as there's been no further reply / info given...
~ hayabusa ~
<<

t3st

Newbie

Posts: 3

Joined: Wed Feb 15, 2012 11:03 am

Post Tue Dec 18, 2012 5:45 am

Re: Should I be worried? CandC server

Hi there, thank you for your replies.

I didn't want to put down too much information, as if it was innocent, I would be posting details of an actual server on a public forum. I am in the "recon" stage of my learning and have been reading about how network admins make the mistake of doing this, so I was careful not to do the same.
I was using an android app called wi-fi analyser, but the CandC doesn't appear on another app called Network discovery (that brings up so many ip add's of computers, servers and mobile phones).

I have notified our DBA.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Dec 18, 2012 6:58 am

Re: Should I be worried? CandC server

OK.  Well, if further info comes up, or more specific questions arise, we'll see what help we can provide, at that time.
~ hayabusa ~
<<

t3st

Newbie

Posts: 3

Joined: Wed Feb 15, 2012 11:03 am

Post Tue Dec 18, 2012 9:29 am

Re: Should I be worried? CandC server

Thanks Hayabusa

rgds
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Dec 19, 2012 5:36 am

Re: Should I be worried? CandC server

t3st,

assuming by wifi analyser you mean the wireless tool by Farpoc?

I use the same tool, as it's essentially a wireless spectrum analyser similar to aircrack/kismet/etc. My guess is CandC is merely an SSID of a neighbouring AP and (hopefully) not a direct threat to your environment.
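
Added example (not written by any poster in this thread): a short Python triage of the scan entry from the first post, following the reasoning in the replies above. It reads the capability flags, compares the partly masked BSSID against an AP inventory, and reports why the vendor prefix cannot be looked up. The `AUTHORIZED` inventory and the function names are assumptions made for illustration.

```python
import re

# The scan entry as posted in the thread (octets masked by the poster).
SCAN_ENTRY = "CandC (00:**:7f:**:d6:**)\n[WPS ESS]\n[WPA-PSK-TKIP]\nCh 6 2437mhz"

# Constructed inventory of the organisation's own AP BSSIDs (assumption;
# values come from the RFC 7042 documentation range 00:00:5e:00:53:xx).
AUTHORIZED = {"00:00:5e:00:53:01", "00:00:5e:00:53:02"}

def parse_entry(text):
    head = re.search(r"^(.+?)\s+\(([0-9A-Fa-f*:]{17})\)", text, re.M)
    chan = re.search(r"Ch\s+(\d+)\s+(\d+)\s*mhz", text, re.I)
    flags = {tok for grp in re.findall(r"\[([^\]]+)\]", text) for tok in grp.split()}
    return {"ssid": head.group(1), "bssid": head.group(2).lower().split(":"),
            "flags": flags, "channel": int(chan.group(1)), "freq": int(chan.group(2))}

def matches(masked, full):
    """True if every unmasked octet of the observed BSSID equals the inventory one."""
    return all(m == "**" or m == f for m, f in zip(masked, full.lower().split(":")))

def channel_for(freq):
    """2.4 GHz band only: channel 1 is 2412 MHz, 5 MHz spacing, channel 14 is 2484."""
    return 14 if freq == 2484 else (freq - 2407) // 5

def triage(entry, authorized):
    notes = []
    if "ESS" in entry["flags"]:
        notes.append("ESS: beacon from an infrastructure AP, so the name is an SSID")
    if not any(matches(entry["bssid"], a) for a in authorized):
        notes.append("BSSID not in inventory: neighbouring or unmanaged AP")
    if "**" in entry["bssid"][:3]:
        notes.append("OUI incomplete: vendor lookup not possible")
    elif int(entry["bssid"][0], 16) & 0x02:
        notes.append("locally administered MAC: vendor prefix is not meaningful")
    if "WPS" in entry["flags"]:
        notes.append("WPS advertised")
    if any(f.endswith("TKIP") for f in entry["flags"]):
        notes.append("TKIP in use")
    if channel_for(entry["freq"]) != entry["channel"]:
        notes.append("channel/frequency mismatch in scan record")
    return notes

if __name__ == "__main__":
    for note in triage(parse_entry(SCAN_ENTRY), AUTHORIZED):
        print("-", note)
```
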
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Dec 19, 2012 10:59 am

Re: Should I be worried? CandC server

I'm using the one by Farpoc, but other than finding access points, I haven't noticed it doing some of the same things as aircrack or Kismet. Those don't just show the access points, but end points too.

The nice thing about Wifi Analyser, it helps you find the least congested channel.
OSWP, Sec+
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Dec 20, 2012 1:10 pm

Re: Should I be worried? CandC server

Maybe it's for multiplayer Command and Conquer games.

Legitimate attackers would probably be more discreet. I'm personally more suspicious of "Free WiFi" SSIDs ;)
The day you stop learning is the day you start becoming obsolete.
