More challenges: Honeynet Project, the return

Back from vacation, and with more network forensics challenges to share!

The Honeynet Project started in 1999, and since then the project team has produced several network forensics challenges, many of them designed by the project's founder, Lance Spitzner. Although the previous challenge was published many months ago, publication resumed last month with the release of a new one.

This is cutting it close: this first challenge from the Honeynet Project team closes today (1 Feb), so this post is just a heads-up so that everyone updates their feeds.

Challenge 1 of the Forensic Challenge 2010 – pcap attack trace

Mon, 01/18/2010 – 06:18 — christian.seifert

Forensic Challenge 2010

Challenge 1 – pcap attack trace – (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS Word submission template or the OpenOffice submission template) to forensicchallenge2010@honeynet.org no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in the dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Please list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)
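Added example, not part of the original post or of the Honeynet Project's materials: a stdlib-only Python script that does the trace-level triage behind questions 1, 3 and 4 (which IPs are involved, how many TCP sessions, how long the activity lasted) on a classic pcap. It runs on a constructed in-memory capture using documentation addresses (192.0.2.10 and 198.51.100.5), not on the challenge trace, so the numbers it prints say nothing about the real attack; give it a .pcap or .pcap.gz path to run it on a real capture.

```python
"""pcap triage for the trace-level questions: hosts, TCP sessions, duration (stdlib only)."""
import gzip
import socket
import struct
import sys
from collections import Counter

SYN, ACK, FIN, PSH = 0x02, 0x10, 0x01, 0x08


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero because the triage never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed little-endian, microsecond, Ethernet pcap (NOT the challenge trace)."""
    a, v = "192.0.2.10", "198.51.100.5"  # hypothetical attacker and victim
    frames = [
        (1263800000, 100000, build_frame(a, v, 40001, 445, SYN)),
        (1263800000, 150000, build_frame(v, a, 445, 40001, SYN | ACK)),
        (1263800000, 200000, build_frame(a, v, 40001, 445, ACK)),
        (1263800000, 250000, build_frame(a, v, 40001, 445, PSH | ACK, b"\x00" * 64)),
        (1263800003, 0,      build_frame(a, v, 40002, 8080, SYN)),
        (1263800003, 50000,  build_frame(v, a, 8080, 40002, SYN | ACK)),
        (1263800005, 500000, build_frame(v, a, 40003, 1957, SYN)),  # victim connects back
        (1263800005, 550000, build_frame(a, v, 1957, 40003, SYN | ACK)),
        (1263800012, 900000, build_frame(a, v, 40001, 445, FIN | ACK)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp_ns, frame) from a classic pcap; both byte orders and usec/nsec magics."""
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1000), b"\xa1\xb2\xc3\xd4": (">", 1000),
              b"\x4d\x3c\xb2\xa1": ("<", 1), b"\xa1\xb2\x3c\x4d": (">", 1)}
    if data[:4] not in magics:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, frac_to_ns = magics[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec * 10**9 + frac * frac_to_ns, data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an untagged IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None  # 802.1Q-tagged, non-IPv4 and non-TCP frames are skipped
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport, tcp[13]


def triage(pcap_bytes):
    """Hosts seen, TCP conversations, SYN-initiated sessions (and who opened them), duration."""
    hosts, initiators, conversations = Counter(), Counter(), set()
    first = last = None
    for ts, frame in iter_packets(pcap_bytes):
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        info = parse_tcp(frame)
        if info is None:
            continue
        src, dst, sport, dport, flags = info
        hosts[src] += 1
        hosts[dst] += 1
        conversations.add(frozenset({(src, sport), (dst, dport)}))  # direction-insensitive
        if flags & SYN and not flags & ACK:  # a bare SYN is a client opening a session
            initiators[src] += 1
    return {
        "hosts": dict(hosts),
        "tcp_conversations": len(conversations),
        "syn_initiated_sessions": sum(initiators.values()),
        "initiators": dict(initiators),
        "duration_ns": 0 if first is None else last - first,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        opener = gzip.open if sys.argv[1].endswith(".gz") else open
        with opener(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pcap()
    result = triage(data)
    result["duration_s"] = result.pop("duration_ns") / 1e9
    for key, value in result.items():
        print(f"{key}: {value}")
```

"TCP session" is ambiguous, so the script reports two numbers: distinct endpoint pairs (what a conversation table lists) and bare-SYN openings (one per client-initiated connection, so retransmitted SYNs inflate it). The per-host SYN count also shows who opened each session, which is how a victim connecting back to the attacker stands out in the sample. Timestamps are kept as integer nanoseconds so durations do not pick up floating-point noise.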

Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f