Challenge 1 posted - Signed books as prizes!
The first challenge of the Honeynet Forensic Challenge 2010 has been posted at http://honeynet.org/node/504. The task is to analyze a packet capture that was collected by a honeypot. Analyze and answer the following questions:
- Which systems (i.e. IP addresses) are involved? (2pts)
- What can you find out about the attacking host (e.g., where is it located)? (2pts)
- How many TCP sessions are contained in the dump file? (2pts)
- How long did it take to perform the attack? (2pts)
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
- Can you sketch an overview of the general actions performed by the attacker? (6pts)
- What specific vulnerability was attacked? (2pts)
- What actions does the shellcode perform? Please list the shellcode. (8pts)
- Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
- Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
- Do you think this is a manual or an automated attack? Why? (2pts)
Get the pcap at http://honeynet.org/files/attack-trace.pcap_.gz; it was provided together with the questions by Tillmann Werner. Deadline for submissions is Monday, February 1st 2010 at 17:00 EST. There will be some small prizes, among them signed copies of our book "Virtual Honeypots: From Botnet Tracking to Intrusion Detection". Full information is available at http://honeynet.org/node/504.
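The first of the questions above (which hosts are involved, how many TCP sessions the dump contains, how long the attack took) can be answered directly from the capture with a short stdlib-only script. This is an added example, not part of the challenge materials: it reads a constructed sample trace rather than attack-trace.pcap, and it counts sessions by the usual convention of one client-initiated SYN per session.

```python
import struct

def iter_packets(data):
    """Walk a classic pcap (not pcapng) and yield (timestamp, frame) pairs."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"  # magic sets byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, dst, *struct.unpack_from("!HH", tcp, 0), tcp[13]

def triage(pcap_bytes):
    """Answer the first challenge questions: hosts, TCP session count, attack duration."""
    hosts, sessions, times = set(), set(), []
    for ts, frame in iter_packets(pcap_bytes):
        if not (hdr := parse_tcp(frame)):
            continue
        src, dst, sport, dport, flags = hdr
        hosts.update((src, dst))
        times.append(ts)
        if flags & 0x12 == 0x02:  # bare SYN: a client opening a new session
            sessions.add((src, sport, dst, dport))
    return {"hosts": sorted(hosts), "tcp_sessions": len(sessions),
            "duration_s": max(times) - min(times) if times else 0.0}

def build_pcap(packets):
    """Constructed test trace: packets = [(ts, src, dst, sport, dport, tcp_flags)]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, sport, dport, flags in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

# Constructed sample: a SYN and its SYN-ACK on 445/tcp, then a second connection 12.5 s later.
SAMPLE = build_pcap([(1000.0, "10.0.0.5", "192.168.1.10", 4444, 445, 0x02),
                     (1000.1, "192.168.1.10", "10.0.0.5", 445, 4444, 0x12),
                     (1012.5, "10.0.0.5", "192.168.1.10", 4445, 1957, 0x02)])
```

To run it against the real trace, gunzip the file and pass `open("attack-trace.pcap", "rb").read()` to `triage()`.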