1. Difficulty: Easy
Evidence: SWT-syslog_messages
Question: At what time (UTC, including year) did the portscanning activity from IP address 123.150.207.231 start?
This was easy. I opened the file using a text editor and used the Find function (CTRL-F on a Windows machine). Then I just listed the first instance that was found. I guessed that the year was 2013 because that is when the file was created.
Aug 29, 2013 09:58:55
gw
*
2. Difficulty: Easy
Evidence: nitroba.pcap
Question: What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?
I used Wireshark's Display Filter to search for the MAC Address 00:1f:f3:5a:77:9b, and all the IPs that it used were listed.
0.0.0.0
169.254.90.183
192.168.1.64
169.254.20.167
*
3. Difficulty: Medium
Evidence: ftp-example.pcap
Question: What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?
-rw-rw-r-- 2 ftp ftp 27888036 Jul 03 2011 scenery-backgrounds-6.0.0-1.el6.noarch.rpm
Source IP Address: 149.20.20.135
Destination IP Address: 192.168.75.29
Source Port: 30472
Destination Port: 51851
*
4. Difficulty: Medium
Evidence: nfcapd.201405230000 (requires nfdump v1.6.12. Note that nfcapd.201405230000.txt is the same data in nfdump’s “long” output format.)
Question: How many IP addresses attempted to connect to destination IP address 63.141.241.10 on the default SSH port?
First of all, I made a file that only contained the connections to the destination IP Address 63.141.241.10, then I weeded out the connections until I had the connections only on port 22, which is the default SSH port. I took out the excess information, leaving only the IP Addresses. Then I used the uniq command in Linux along with the -d switch for the repeated lines, and the -u switch for the unique lines. I added the repeated connections and the unique connections to get my answer. (The repeated switch only prints out each repeated connection example once. So, if 169.72.0.0 connected more than once, it would only list that IP once.)
49 unique IP Addresses
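As an added example (not part of the original write-up), the same filter-then-count procedure in Python over a constructed nfdump-style "long" format sample; the column layout and the source addresses are assumptions for illustration, and counting each source once is what the uniq -d plus uniq -u sum above achieves.

```python
import re
from collections import Counter

# Constructed sample in nfdump "-o long" style; not the challenge's real data.
SAMPLE = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
2014-05-23 00:01:12.101     0.000 TCP     198.51.100.7:51234 ->    63.141.241.10:22    ....S.   0        1       60     1
2014-05-23 00:01:13.440     0.000 TCP     198.51.100.7:51235 ->    63.141.241.10:22    ....S.   0        1       60     1
2014-05-23 00:02:05.002     0.000 TCP     203.0.113.9:40000  ->    63.141.241.10:22    ....S.   0        1       60     1
2014-05-23 00:02:09.777     1.204 TCP     203.0.113.9:40001  ->    63.141.241.10:80    .AP.SF   0        8      900     1
2014-05-23 00:03:44.310     0.000 UDP     192.0.2.55:5353    ->    63.141.241.10:22    ......   0        1       80     1
2014-05-23 00:04:01.000     0.000 TCP     192.0.2.200:2222   ->    63.141.241.11:22    ....S.   0        1       60     1
2014-05-23 00:05:30.123     0.000 TCP     192.0.2.77:61000   ->    63.141.241.10:22    ....S.   0        1       60     1
Summary: total flows: 7, ...
"""

# date time duration proto src:port -> dst:port ...  (header/summary lines do not match)
FLOW_RE = re.compile(
    r"^\S+ \S+\s+[\d.]+\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s"
)


def ssh_sources(text, dst_ip="63.141.241.10", dst_port=22):
    """Return a Counter {source IP: number of flows} for TCP flows to dst_ip:dst_port."""
    hits = Counter()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                      # header, summary or malformed line
        if m["proto"] != "TCP":
            continue                      # SSH is TCP; drop UDP noise on port 22
        if m["dst"] == dst_ip and int(m["dport"]) == dst_port:
            hits[m["src"]] += 1
    return hits


def count_unique_sources(text, **kw):
    """The challenge's answer: distinct source IPs, each counted once."""
    return len(ssh_sources(text, **kw))


if __name__ == "__main__":
    for src, n in ssh_sources(SAMPLE).most_common():
        print(f"{src:16} {n} flow(s)")
    print(count_unique_sources(SAMPLE), "unique source IP addresses")
```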
*
5. Difficulty: Hard
Evidence: stark-20120403-full-smb_smb2.pcap
Question: What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”?
I found this answer by using the File>Export Object>SMB Objects menu in Wireshark. It showed a listing of files, and their sizes.
13,625 bytes
*
6. Difficulty: Very Hard
Evidence: snort.log.1340504390.pcap
Question: The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.
Bonus Question: Identify the meaning of the bytes that precede the substring above.
Even though I didn't find the substring or offset, the use of ports 33333 and 44444 makes me suspect that the malware could possibly be Prosiak. That is the spelling that I had found when looking up the port numbers. I'm not certain if it is correct.