Hey there and welcome to Jorel's blog.
This site was created as a requirement for my ITSA (Information Technology - Security and Analytics) class but I do intend to use it when I'm done with all the schoolwork and other stuff that keep me busy these days, so stay tuned :)

Thursday, 13 October 2011

Pcap 2


Again, because I couldn't figure out how to upload a document here, I was forced to copy-paste the actual report XD
Using the packet capture (pcap) file named “Second PCAP Exercise”, please answer the questions posed below, and substantiate your answers by providing the supporting data (taken from the pcap file).  Then, you should save your file following this format: <student#_lastname_report_pcap2.doc>.  Then upload the file to your respective individual folders in the yahoogroup. 

I do encourage you to collaborate to discuss the captured file, but for obvious reasons, you are reminded to conduct yourselves in a mature, ethical and moral behaviour. Plagiarism and dishonesty are not tolerated.
Good luck!
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
1.    List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
ARP, BROWSER, DHCP, DNS, HTTP, ICMP, IGMP, NBNS, TCP

2.     List IPs, hosts names / domain names. What can you tell about it? What to deduce from the setup? Does it look like real situations? (4pts)
0.0.0.0 - Local Server
10.0.2.2 -
10.0.2.15 -
10.0.2.255 -
10.0.3.2 -
10.0.3.15 -
10.0.3.255 -
10.0.4.2 -
10.0.4.15 -
10.0.5.2 -
10.0.5.15 -
64.236.114.1 - AOL Transit Data Network
74.125.77.101 - Google Inc. GOOGLE
74.125.77.102 - Google Inc. GOOGLE
192.168.1.1 -
192.168.56.50 -
192.168.56.51 -
192.168.56.52 -
209.85.277.99 -
209.85.277.100 -
209.85.277.106 -
224.0.0.22 -
255.255.255.255 - Broadcast port
CadmusCo_a1:5f:bf -
CadmusCo_ba:0b:03 -
CadmusCo_cd:3d:55 -
RealtekU_12:35:00 -


3.     List all the web pages. List those visited containing suspect and possibly malicious javascript and who is connecting to it? Briefly describe the nature of the malicious web pages (6pts)


4.     Can you sketch an overview of the general actions performed by the attacker? (2pts)


5.     What steps are taken to slow the analysis down? (2pts)


6.     Provide the javascripts from the pages identified in the previous question. Decode/de-obfuscate them too. (8pts)


7.     On the malicious URLs, what do you think the variable 's' refers to? List the differences. (2pts)


8.     Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks have been prevented? (4pts)


9.     Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this) (5pts)
Bonus points:
10.  What actions do the shellcodes perform? Please list the shellcodes (+md5 of the binaries). What's the difference between them? (8pts)

Pcap 1


Because I couldn't figure out how to upload my pcap document here, I was forced to copy-paste it onto the blog XD


Using the packet capture (pcap) file named “First PCAP attack-trace”, please answer the questions posed below, and substantiate your answers by providing the supporting data (taken from the pcap file).  Then, you should save your file following this format: <student#_lastname_report_pcap1.doc>.  Then upload the file to your respective individual folders in the yahoogroup. 

For obvious reasons, you are reminded to conduct yourselves in a mature, ethical and moral behaviour.  Plagiarism and dishonesty are not tolerated. 

Good luck in your first pcap analysis!

  1. Which systems (i.e. IP addresses) are involved? (2pts)
192.150.11.111
98.114.205.102

  2. What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.
Adobe Systems Inc. & Verizon Online
I believe the attacking party was Verizon though.

  3. How many TCP sessions are contained in the dump file? (2pts)
179

  4. How long did it take to perform the attack? (2pts)
Approximately 16 seconds.

  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
Windows XP (5.1)
Windows 2000

  6. Can you sketch an overview of the general actions performed by the attacker? (5pts)

  7. What specific vulnerability was attacked? (2pts)
The attacker flooded the target computer with [ACK] requests, so I believe this is a buffer overflow attack.

  8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)
ssms.exe

  9. Do you think this is a manual or an automated attack (2pts)? Why?
Automated, primarily because of the frequency of attacks, as well as the fact that so much was done in such a small amount of time.


Bonus:
  10. What actions does the shellcode perform? Please list the shellcode (10 pts)
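The counting questions in both exercises (which protocols appear in the capture, which IP addresses are involved, how many TCP sessions the dump contains, how long the traffic lasts) can be answered straight from the raw capture file. The script below is an added example and is not part of the original post or the course material: a stdlib-only reader for classic libpcap files (the `.pcap` format Wireshark and tcpdump write; pcapng is deliberately rejected) that walks the Ethernet/IPv4/TCP headers and reports protocols, hosts, Wireshark-style TCP conversations, bare SYNs and the capture duration. It runs on a constructed sample capture embedded in the script, using RFC 5737 documentation addresses for a hypothetical attacker and victim; the `summarize` function takes any file's bytes, so the commented call in the `__main__` block is how you would point it at the exercise pcap. The protocol list it produces stops at layers 2 to 4, so application protocols such as DNS, HTTP or NBNS still need the dissectors behind Wireshark's Statistics > Protocol Hierarchy.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                          # classic libpcap, microsecond timestamps
ETHERTYPE_NAMES = {0x0800: "IP", 0x0806: "ARP"}
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers
TCP_SYN, TCP_ACK = 0x02, 0x10


def ipv4_frame(src, dst, proto, payload):
    """Ethernet/IPv4 frame around an L4 payload; checksums are left zero (sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # MACs are irrelevant to the parser
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def tcp_frame(src, dst, sport, dport, flags):
    """TCP segment with no options and no payload: data offset 5 words, flags byte as given."""
    return ipv4_frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0))


def build_pcap(packets):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield one dict per record: ts, ethertype, proto, src, dst, sport, dport, flags."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)         # same magic in either byte order
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:
            continue                                             # truncated record, nothing to read
        pkt = {"ts": sec + usec / 1_000_000, "ethertype": struct.unpack("!H", frame[12:14])[0],
               "proto": None, "src": None, "dst": None, "sport": None, "dport": None, "flags": 0}
        if pkt["ethertype"] == 0x0800 and len(frame) >= 34:
            ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
            pkt["proto"] = frame[23]
            pkt["src"] = ".".join(str(b) for b in frame[26:30])
            pkt["dst"] = ".".join(str(b) for b in frame[30:34])
            l4 = frame[14 + ihl:]
            if pkt["proto"] in (6, 17) and len(l4) >= 4:          # TCP and UDP both start with ports
                pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
            if pkt["proto"] == 6 and len(l4) >= 14:
                pkt["flags"] = l4[13]
        yield pkt


def summarize(data):
    """Protocols seen, IPv4 hosts, TCP conversations (Wireshark-style), bare SYNs, duration."""
    pkts = list(parse_pcap(data))
    protocols, hosts, conversations, syns = set(), set(), set(), 0
    for p in pkts:
        protocols.add(ETHERTYPE_NAMES.get(p["ethertype"], hex(p["ethertype"])))
        if p["proto"] is not None:
            protocols.add(IP_PROTO_NAMES.get(p["proto"], str(p["proto"])))
            hosts.update((p["src"], p["dst"]))
        if p["proto"] == 6:
            # Wireshark's Statistics > Conversations > TCP groups by the unordered endpoint pair,
            # so both directions of one connection count once; a frozenset gives that grouping.
            conversations.add(frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])]))
            if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
                syns += 1                        # bare SYN = a connection attempt by the initiator
    times = [p["ts"] for p in pkts]
    duration = max(times) - min(times) if times else 0.0
    return {"protocols": sorted(protocols), "hosts": sorted(hosts),
            "tcp_sessions": len(conversations), "syn_count": syns, "duration_s": round(duration, 3)}


# Constructed sample traffic (RFC 5737 documentation addresses; hypothetical attacker A, victim V):
# one ARP frame, one ICMP echo, then two TCP connections from A to V on ports 445 and 139.
A, V = "203.0.113.5", "192.0.2.10"
SAMPLE_PACKETS = [
    (0.00, b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28),      # ARP (body not parsed)
    (0.05, ipv4_frame(A, V, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))),    # ICMP echo request
    (0.10, tcp_frame(A, V, 40000, 445, TCP_SYN)),
    (0.11, tcp_frame(V, A, 445, 40000, TCP_SYN | TCP_ACK)),
    (0.12, tcp_frame(A, V, 40000, 445, TCP_ACK)),
    (0.50, tcp_frame(A, V, 40001, 139, TCP_SYN)),
    (0.51, tcp_frame(V, A, 139, 40001, TCP_SYN | TCP_ACK)),
    (0.52, tcp_frame(A, V, 40001, 139, TCP_ACK)),
    (1.00, tcp_frame(A, V, 40000, 445, TCP_ACK)),
    (2.25, tcp_frame(V, A, 445, 40000, TCP_ACK)),
]

if __name__ == "__main__":
    print(summarize(build_pcap(SAMPLE_PACKETS)))
    # For the exercise file: print(summarize(open("attack-trace.pcap", "rb").read()))
```

Two things to keep in mind when comparing the output with Wireshark: the "tcp_sessions" figure counts distinct endpoint pairs, so a client that reuses the same source port for two separate connections collapses into one conversation (the bare SYN count catches that case), and the duration is measured between the first and last record in the file, which is the whole capture rather than only the attack traffic.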