The Honeynet Project started in 1999, and since then the project team has produced several network forensics challenges, many of them designed by the project's founder, Lance Spitzner. Although the last challenge was published many months ago, the series has resumed with the release of a new challenge last month.
This is very last minute: this first challenge from the Honeynet Project team closes today (01/Feb), so this post serves only as a heads-up for everyone to update their feeds.
Challenge 1 of the Forensic Challenge 2010 – pcap attack trace
Mon, 01/18/2010 – 06:18 — christian.seifert
Forensic Challenge 2010
Challenge 1 – pcap attack trace – (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS Word submission template or the Open Office submission template) to email@example.com no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.
Skill Level: Intermediate
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
- Which systems (i.e. IP addresses) are involved? (2pts)
- What can you find out about the attacking host (e.g., where is it located)? (2pts)
- How many TCP sessions are contained in the dump file? (2pts)
- How long did it take to perform the attack? (2pts)
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
- Can you sketch an overview of the general actions performed by the attacker? (6pts)
- What specific vulnerability was attacked? (2pts)
- What actions does the shellcode perform? Please list the shellcode. (8pts)
- Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
- Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
- Do you think this is a manual or an automated attack? Why? (2pts)
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f
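The first three questions (which IPs are involved, how many TCP sessions the dump holds, how long the attack took) are the kind of thing you would normally answer with Wireshark's Conversations window or a `tcp.flags.syn==1 && tcp.flags.ack==0` filter. The script below is an added example, not part of the Honeynet announcement and not the challenge's own pcap: it parses a classic pcap with the standard library only and builds a small constructed capture inline (the hosts `10.0.0.5`, `192.168.1.20` and `192.168.1.1` and all ports and timestamps are made up) so it runs offline. Point `summarize()` at the bytes of the real `attack-trace.pcap` once you have decompressed it.

```python
"""Summarise a pcap the way the first three challenge questions ask:
which IPs are involved, how many TCP sessions, and how long the activity
spans.  Standard library only; a constructed capture is built inline so the
script runs offline.  Added example, not code from the Honeynet Project."""
import struct
import ipaddress

ETH_IPV4 = b"\x08\x00"
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


def ipv4_frame(src, dst, proto, transport):
    """Ethernet + IPv4 header around an already-built transport segment."""
    eth = b"\x00" * 12 + ETH_IPV4                      # MACs are irrelevant here
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)  # checksum left as 0
    return eth + ip + transport


def tcp_frame(src, sport, dst, dport, flags, payload=b""):
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ipv4_frame(src, dst, 6, seg + payload)


def udp_frame(src, sport, dst, dport, payload=b""):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ipv4_frame(src, dst, 17, seg + payload)


def pcap(records):
    """Build a little-endian classic pcap (linktype 1, Ethernet) from (ts, frame) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec, usec = int(ts), round((ts - int(ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_records(data):
    """Yield (timestamp, frame) from a classic pcap of either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (nanosecond pcap / pcapng not handled)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def summarize(data):
    """Hosts seen, TCP conversations (distinct 4-tuples, as Wireshark counts them),
    pure-SYN connection attempts (catches a reused client port), and time span."""
    hosts, conversations, syns = set(), set(), 0
    first = last = None
    for ts, frame in iter_records(data):
        if len(frame) < 34 or frame[12:14] != ETH_IPV4:
            continue                          # ARP, IPv6 etc. are out of scope here
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(ip[12:16]))
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        hosts.update((src, dst))
        first = ts if first is None else first
        last = ts
        if ip[9] != 6:                        # only TCP counts towards sessions
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        conversations.add(frozenset({(src, sport), (dst, dport)}))
        if flags & SYN and not flags & ACK:
            syns += 1
    return {
        "hosts": sorted(hosts),
        "tcp_conversations": len(conversations),
        "tcp_syn_attempts": syns,
        "duration_s": 0.0 if first is None else last - first,
    }


# Constructed sample: exploit attempt against 445/tcp, a connect-back to the
# attacker, a DNS lookup, then the attacker reuses client port 4001.
ATTACKER, VICTIM = "10.0.0.5", "192.168.1.20"       # made-up addresses
SAMPLE = pcap([
    (100.00, tcp_frame(ATTACKER, 4001, VICTIM, 445, SYN)),
    (100.01, tcp_frame(VICTIM, 445, ATTACKER, 4001, SYN | ACK)),
    (100.02, tcp_frame(ATTACKER, 4001, VICTIM, 445, ACK)),
    (100.03, tcp_frame(ATTACKER, 4001, VICTIM, 445, PSH | ACK, b"\x00" * 64)),
    (101.00, tcp_frame(ATTACKER, 4002, VICTIM, 445, SYN)),
    (101.01, tcp_frame(VICTIM, 445, ATTACKER, 4002, SYN | ACK)),
    (104.50, udp_frame(VICTIM, 1025, "192.168.1.1", 53, b"\x12\x34")),
    (105.50, tcp_frame(VICTIM, 1030, ATTACKER, 8080, SYN)),          # connect-back
    (105.51, tcp_frame(ATTACKER, 8080, VICTIM, 1030, SYN | ACK)),
    (110.00, tcp_frame(ATTACKER, 4001, VICTIM, 445, SYN)),           # port 4001 reused
    (110.25, tcp_frame(VICTIM, 445, ATTACKER, 4001, SYN | ACK)),
])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Note the two session counts: the reused client port makes Wireshark's conversation view report 3 sessions while there were 4 connection attempts, which is exactly the kind of discrepancy worth explaining in a challenge write-up. The duration is measured from the first to the last IPv4 packet; if the trace contains unrelated background traffic, filter to the attacker's address before trusting that number.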