Hello there,
I got stuck on the Question:
Which employee is suspected of performing potentially malicious actions in the live environment?
I Connected to NoMachine, on interface ens224 and inspected all the traffic inside this NoMachine. It’s basically TCP, HTTP und FTP. I Posted every IP address and every login name I found in cleartext, nothing was the right answer.
Am I right trying to find the name/ip directly in the traffic? There are not many possability just 3 172.16… Adresses and 2 or 3 external adresses which i might have caused when I opened the browser.
Thanks for a hint!
1 Like
All you need to do is find the employee’s login information, and of course there’s a high chance you’ll find them from the HTTP and POST Metthod packets, try looking at the contents of each packet. , you may find that the “username” field contains the name of the employee you are looking for
3 Likes
Hey,
I was able to find the name of the jpeg file from the packets but i am not able to find the login name in the HTTP packets.
Could you please give a little hint.
Thanks in advance.
1 Like
follow http stream you will see all data you need
----> big hint : username start with “b”
1 Like
Hey,
Actually after looking carefully the logs with WireShark i was able to find the username 
Thanks anyway for your reply z3r0Day
Hi guys,
I can’t connect to NoMachine. Please can you help me to pass this questions?
