Forensic Challenge 2010

Dissecting the SotM Attack Trace Pcap

Hi everybody,

our first Scan of the Month Challenge in 2010 is over! We received 91 submissions in total, and some parts of the solutions are so interesting that I would like to publicly highlight them in this post. Now that the winners are announced (Congratulations Ivan, Franck, and Tareq!), I think I also owe you an explanation why we asked the specific questions and what we expected as answers. I am sure you will be surprised how many pieces of information you can dig up in a plain pcap - I was indeed when I had a look at the solutions we received. Enjoy!

First challenge of the Forensic Challenge 2010 has been posted.

We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

Forensic Challenge 2010

Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in the dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)

Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

Sample Solution:
Forensic Challenge 2010 - Scan 1 - Solution_final.pdf Sha1: 7482a4d020cddde845344f8b02e05012

This work by Tillmann Werner is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

  1. Ivan Rodriguez Almuina (Switzerland) - Ivan's submission - Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
  2. Franck Guenichot (France) - Franck's submission - Sha1: c951552faf6118a352cc33a9b001350df9050575
  3. Tareq Saade (USA) - Tareq's subission - Sha1: 969e73527a2c7a1b27e6b36f4cfa324fd8a66e94
Syndicate content