Forensic Challenge 2010
Challenge 1 – pcap attack trace – (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS Word submission template or the Open Office submission template) to [email protected] no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.
Skill Level: Intermediate
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
- Which systems (i.e. IP addresses) are involved? (2pts)
- What can you find out about the attacking host (e.g., where is it located)? (2pts)
- How many TCP sessions are contained in the dump file? (2pts)
- How long did it take to perform the attack? (2pts)
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
- Can you sketch an overview of the general actions performed by the attacker? (6pts)
- What specific vulnerability was attacked? (2pts)
- What actions does the shellcode perform? Please list the shellcode. (8pts)
- Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
- Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge.) (2pts)
- Do you think this is a manual or an automated attack? Why? (2pts)
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f
Forensic Challenge 2010 – Scan 1 – Solution_final.pdf Sha1: 7482a4d020cddde845344f8b02e05012
This work by Tillmann Werner is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
- Ivan Rodriguez Almuina (Switzerland) – Ivan’s submission – Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
- Franck Guenichot (France) – Franck’s submission – Sha1: c951552faf6118a352cc33a9b001350df9050575
- Tareq Saade (USA) – Tareq’s submission – Sha1: 969e73527a2c7a1b27e6b36f4cfa324fd8a66e94