honeynet reverse challenge
Identify and explain the purpose of the binary.
It is a multi-purpose utility for a variety of DoS attacks and for remote control (e.g. remote access to a root shell).
Identify and explain the different features of the binary. What are its capabilities?
It has 12 different commands (as chosen by the first double-byte of the encrypted payload):
See here.
Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.
A sniffer looking for NVP packets, or in general any out-of-the-ordinary traffic which does not look like typical UDP, TCP, or ICMP traffic. Also, perhaps looking for packets which the other socket listens for (it looks for a stream connection to provide a shell). Lastly, looking for DoS traffic going outward would be another indication that a tool like this is present on the interior network. A tool like RID can also help test for and identify DDoS agents.
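The first detection idea above, as an added example that is not part of the original write-up: a small offline IPv4 header parser that flags datagrams whose protocol field is NVP-II (IP protocol 11, the transport this binary listens on) and, more generally, anything that is not TCP, UDP or ICMP. The sample datagrams and addresses are constructed for the example.

```python
"""Flag IPv4 datagrams that are NVP (proto 11) or any other non-TCP/UDP/ICMP protocol.
Added example for this write-up; not code from the challenge binary or its analysts."""
import struct
from typing import Iterable, List, Optional

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPPROTO_NVP = 11  # NVP-II, the IP protocol the analysed binary uses for its control channel
ORDINARY = {IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP}


def parse_ipv4(pkt: bytes) -> Optional[dict]:
    """Return protocol/src/dst/payload from a raw IPv4 datagram, or None if malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20 plus any options)
    if ihl < 20 or len(pkt) < ihl:
        return None
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:]}


def classify(pkt: bytes) -> Optional[str]:
    """Return an alert string for suspicious datagrams, None for ordinary traffic."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "malformed IPv4 header"
    if hdr["proto"] == IPPROTO_NVP:
        return f"NVP (proto 11) {hdr['src']} -> {hdr['dst']}, {len(hdr['payload'])} payload bytes"
    if hdr["proto"] not in ORDINARY:
        return f"unusual IP proto {hdr['proto']} {hdr['src']} -> {hdr['dst']}"
    return None


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test datagram (checksum left zero, which the parser does not verify)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def scan(pkts: Iterable[bytes]) -> List[str]:
    """Run classify() over a packet stream and keep only the alerts."""
    return [alert for alert in map(classify, pkts) if alert]


if __name__ == "__main__":
    sample = [build_ipv4(IPPROTO_TCP, "10.0.0.5", "10.0.0.9", b"\x00" * 20),
              build_ipv4(IPPROTO_NVP, "192.0.2.7", "10.0.0.9", b"\x02\x00constructed")]
    for alert in scan(sample):
        print(alert)
```

The general "not TCP/UDP/ICMP" rule will also fire on legitimate GRE, ESP or OSPF on networks that carry them, so tune ORDINARY to what the monitored segment actually uses.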
Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
No debugging symbols, forks a lot, statically linked (large binary), compiler optimized (most likely). The binary could have been more obscured (using something like a 'booter' which decrypts the code and then executes it), but was not.
Identify two tools in the past that have demonstrated similar functionality.
Trinoo and Shaft are similar DDoS agent tools.