(Network Forensics) An attacker sends TLS and SSL handshake packets to a victim on port 135, the client acknowledges, then the attacker closes the connection. How and why?!

The details are a little sketchy: I don't understand if the server sends a hello, or if the ack you refer to is something else. I assume the client gets a server hello, and then shuts down. (If the protocol is broken in some other way ... forget what I say below.)

That sounds very much like an attempt to figure out what crypto suites this SSL server supports at different protocol levels. That's usually done as part of a security assessment. It could also be done as part of general information collection: such as how many public services still support SSLv3, which RFC 7568 basically forbids from being used any more, and whether anyone out there still supports any old and faulty cipher suites. The Shodan project does these types of scans, and some of the larger security vendors do it as part of their research into current practices, which will become whitepapers in the fullness of time.

And of course attackers may do it, but attacks against SSL/TLS typically need a privileged network location to pull off.
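The pattern the answer describes (a burst of short handshakes, each ClientHello offering only one or two cipher suites at several protocol versions, then an immediate close) can be picked out of a capture by parsing the ClientHello records themselves. The following is an added example, not code from the thread; the sample records and the IP addresses are constructed, and the thresholds in `flag_enumeration` are assumptions a defender would tune.

```python
import struct
from collections import defaultdict

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher_suites]) from one TLS record carrying a
    ClientHello, or None if the record is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:             # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                      # 0x01 = ClientHello
        return None
    body = hs[4:]
    if len(body) < 37:                                    # version + random + sid_len + cs_len
        return None
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                          # skip client_random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites

def flag_enumeration(hellos, min_hellos=4):
    """hellos: list of (src_ip, record_bytes). Flags sources whose ClientHellos look like a
    cipher-suite/version survey: several handshakes, each offering at most two suites, spread
    over at least two protocol versions. A normal browser sends one ClientHello listing many
    suites, so it is not flagged. Returns {src_ip: {"versions": [...], "hellos": n}}."""
    per_src = defaultdict(list)
    for src, rec in hellos:
        parsed = parse_client_hello(rec)
        if parsed:
            per_src[src].append(parsed)
    flagged = {}
    for src, parsed in per_src.items():
        versions = {v for v, _ in parsed}
        narrow = sum(1 for _, s in parsed if len(s) <= 2)
        if len(parsed) >= min_hellos and narrow == len(parsed) and len(versions) >= 2:
            flagged[src] = {"versions": sorted(TLS_VERSIONS.get(v, hex(v)) for v in versions),
                            "hellos": len(parsed)}
    return flagged

def build_client_hello(version, suites):
    """Constructed test fixture: a minimal ClientHello record (no extensions), not captured traffic."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

# Constructed sample: one browser-like client, and one source probing SSLv3/TLS1.0/TLS1.2 one suite at a time
SAMPLE = [("10.0.0.5", build_client_hello(0x0303, [0xC02F, 0xC030, 0x009C, 0x002F]))]
SAMPLE += [("203.0.113.9", build_client_hello(v, [s]))
           for v in (0x0300, 0x0301, 0x0303) for s in (0x0005, 0x002F)]
```

Run over real captures, feed `flag_enumeration` the ClientHello records grouped by source; the TCP FIN/RST right after the ServerHello that the question describes is what the survey tool sends once it has its answer.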

/r/computerforensics Thread