Thursday, October 27, 2016

SANS Cyber Defense Challenge-Day 2 Solution

What’s the secret word for SANS San Diego 2016 day 2?


cryptololcat

If you use Wireshark in most of these, you will find the answer that you need.
mystery.pcap
What type of request does 192.168.11.62 send to 192.168.11.1 in the first DNS Request?
The answer was in the question.

DNS Request

What is the DNS Transaction ID in hexadecimal in the DNS query?
Apply the Wireshark filter dns.id == 0x2870 and the transaction ID is right there.
0x2870

From your knowledge of DNS, how many responses should there be to a DNS query?
A general-knowledge question, and a hint for the later question "What is this type of attack called?".
1

What is the number of the frame where the transaction ID in the response matches that first request?

If you open the pcap in Wireshark, it tries to tell you which response frame matches which query. They aren't always right next to each other in the pcap because of other traffic. Look at the first packet's transaction ID, then filter on it.
Wireshark filter: dns.id == 0x2870
102

What is the IP address sent in the spoofed DNS A record responses?
This was all over the pcap. There was only one IP address in the A record responses that was not 10.10.10.10: 108.61.4.52. (Use the filter dns.a != 0a:0a:0a:0a; 0a is 10 in hex, and != means "not equal", so this isolates the valid response.) 10.10.10.10 was not the true answer. The client accepts whichever response arrives first.

10.10.10.10

What is this type of attack called?

DNS Cache Poisoning
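The check the walkthrough does by hand (filter on dns.id, count the responses, compare the A records) can be automated. The following Python is an added example, not part of the original post: it parses raw DNS messages without any third-party library and flags every transaction ID that received more than one response. The sample frames are constructed; only the txid 0x2870 and the two addresses come from the walkthrough, and the frame numbers and hostname are made up.

```python
import struct
from collections import defaultdict
def build_dns(txid, name, answer_ip=None):
    """Constructed helper: a minimal DNS query, or a response with one A record if answer_ip is given."""
    is_resp = answer_ip is not None
    msg = struct.pack("!HHHHHH", txid, 0x8180 if is_resp else 0x0100, 1, int(is_resp), 0, 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg += struct.pack("!HH", 1, 1)                        # QTYPE=A, QCLASS=IN
    if is_resp:  # one answer: pointer to the question name, A/IN, TTL 60, 4-byte rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in answer_ip.split("."))
    return msg

def _skip_name(buf, off):
    while True:                                            # walk labels until the zero terminator
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                          # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_dns(payload):
    """Return (txid, is_response, [A-record IPs]) from a raw DNS message."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", payload[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(payload, off) + 4                 # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                      # A record
            ips.append(".".join(str(b) for b in payload[off:off + 4]))
        off += rdlen
    return txid, bool(flags & 0x8000), ips

def find_duplicate_responses(frames):
    """Map txid -> [(frame_no, ips), ...] for every query that was answered more than once."""
    seen = defaultdict(list)
    for frame_no, payload in frames:
        txid, is_resp, ips = parse_dns(payload)
        if is_resp:
            seen[txid].append((frame_no, ips))
    return {t: r for t, r in seen.items() if len(r) > 1}
# Constructed sample "capture": frame numbers and hostname are made up; txid and addresses are from the walkthrough.
SAMPLE_FRAMES = [(1, build_dns(0x2870, "www.example.com")),
                 (2, build_dns(0x2870, "www.example.com", "10.10.10.10")),
                 (102, build_dns(0x2870, "www.example.com", "108.61.4.52"))]
```

The first entry in each flagged list is the answer the client actually accepted, which is why the spoofed 10.10.10.10 wins in this sample.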

Which frame triggered the ICMP Type 3 Code 3 packet?
Look at packet 104 (filter frame.number == 104), note its transaction ID, which is 0x0065, then filter on that transaction ID.
dns.id == 0x0065
The transaction ID in frame 103 matched the ICMP Type 3 Code 3 packet in frame 104. It will not always be the packet right next to it.

portscan.pcap

What TCP port is *not* open on 192.168.198.190?

Port 137, the only one with no traffic. Sometimes resets signal closed or filtered ports, but every other answer choice had traffic other than resets, so the only one that was *closed* was port 137. In Wireshark, if you filter by port with tcp.port == 137, you don't see any traffic, and udp.port == 137 shows no traffic either. You can repeat this for every answer choice by changing the port number and confirming that the others had traffic.

What OS is running on 192.168.188.190?

I found this in the SMB traffic, in the Session Setup AndX Response. Wireshark > Statistics > Protocol Hierarchy > SMB Session Service > right click and choose "Apply as Filter". Then click on a Session Setup AndX packet, right click and choose Follow TCP Stream.
Windows 7 Enterprise 7601

What is the day 2 phrase that pays?

In Wireshark, go to File > Export Objects > HTTP and you will see that there is a PDF called "day2.pcap". The phrase that pays was in the PDF file.

bustapcap


What version of squid was used for http proxy?

The filter I used for this one in Wireshark is: icmp contains "squid". Or you could use the hex form, icmp contains 73:71:75:69:64.

3.5.19

What is the ICMP tunnel phrase?
The filter I used for this one is: icmp contains 74:75:6e:6e:65:6c
That is the hex for "tunnel".

In the pcap traffic, you will notice that the sanschallenge.org website has a special domain, test.sanschallenge.org.  You will also see a file called tunnel.html.  So, if you navigate to test.sanschallenge.org/tunnel.html, a page will load that says, “tunnelsallthewaydown”.
