Because I couldn't figure out how to upload my pcap document here I was forced to copy paste it onto the blog XD
Using the packet capture (pcap) file named “First PCAP attack-trace”, please answer the questions posed below, and substantiate your answers by providing the supporting data (taken from the pcap file). Then, you should save your file following this format: <student#_lastname_report_pcap1.doc>. Then upload the file to your respective individual folders in the yahoogroup.
For obvious reasons, you are reminded to conduct yourselves in a mature, ethical and moral manner. Plagiarism and dishonesty are not tolerated.
Good luck in your first pcap analysis!
- Which systems (i.e. IP addresses) are involved? (2pts)
192.150.11.111
98.114.205.102
- What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.
Adobe Systems Inc. & Verizon Online
I believe the attacking party was Verizon though.
- How many TCP sessions are contained in the dump file? (2pts)
179
- How long did it take to perform the attack? (2pts)
Approximately 16 seconds.
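The first four questions (hosts involved, number of TCP sessions, attack duration) are all answered by walking the packets in the capture. As an added example that is not part of the original post or the assignment, here is a small pure-Python pcap reader that does exactly that without Wireshark or scapy. It counts TCP sessions the way Wireshark's Conversations view does (one per bidirectional IP/port 4-tuple) and takes the duration as the gap between the first and last packet. The capture at the bottom is constructed in memory for the demo, using the two IP addresses named above; the ports and timestamps are made-up sample values, not data from the "First PCAP attack-trace" file.

```python
"""Added example: summarise a pcap (classic libpcap format, not pcapng).

Handles Ethernet/IPv4/TCP frames only. SAMPLE_PCAP below is constructed
test data, not the exercise's capture file.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, sport, dport, tcp_flags) per TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example handles Ethernet captures only")
    off = 24                                    # 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                          # IP protocol 6 = TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13]


def summarize(data):
    """Answer 'which hosts', 'how many TCP sessions' and 'how long' for a pcap."""
    hosts, sessions = set(), set()
    first = last = None
    for ts, src, dst, sport, dport, _flags in parse_pcap(data):
        hosts.update((src, dst))
        # direction-independent key: both halves of a conversation map to one session
        sessions.add(tuple(sorted([(src, sport), (dst, dport)])))
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    return {
        "hosts": sorted(hosts),
        "tcp_sessions": len(sessions),
        "duration_seconds": round(last - first, 6) if first is not None else 0.0,
    }


# --- constructed sample capture (demo data, not the exercise's pcap) ---------
def _frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums left at zero (we only parse)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """records: iterable of (timestamp, src, dst, sport, dport, flags) -> pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, dst, sport, dport, flags in records:
        frame = _frame(src, dst, sport, dport, flags)
        usec = int(round((ts - int(ts)) * 1e6))
        out.append(struct.pack("<IIII", int(ts), usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


ATTACKER, TARGET = "98.114.205.102", "192.150.11.111"   # addresses from the answers above
SAMPLE_PCAP = build_pcap([
    (1000.0000, ATTACKER, TARGET, 1821, 445, TCP_SYN),            # sample ports, constructed
    (1000.0001, TARGET, ATTACKER, 445, 1821, TCP_SYN | TCP_ACK),
    (1000.0002, ATTACKER, TARGET, 1821, 445, TCP_ACK),
    (1004.5000, ATTACKER, TARGET, 1822, 445, TCP_SYN),
    (1004.5001, TARGET, ATTACKER, 445, 1822, TCP_SYN | TCP_ACK),
    (1016.0000, TARGET, ATTACKER, 1034, 1957, TCP_SYN),           # target connects back out
])

if __name__ == "__main__":
    # usage: python pcap_summary.py [capture.pcap]; without an argument the sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(summarize(data))
```

Run it against a real capture with `python pcap_summary.py capture.pcap`; the session count should match the number of conversations Wireshark lists under Statistics > Conversations > TCP, and the duration matches the time delta between the first and last frame.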
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
Windows XP (5.1)
Windows 2000
- Can you sketch an overview of the general actions performed by the attacker? (5pts)
- What specific vulnerability was attacked? (2pts)
The attacker flooded the target computer with [ACK] requests so I believe this is a buffer overflow attack.
- Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)
ssms.exe
- Do you think this is a manual or an automated attack (2pts)? Why?
Automated, primarily because of the frequency of attacks, as well as the fact that so much was done in such a small amount of time.
Bonus:
- What actions does the shellcode perform? Please list the shellcode (10 pts)