# SCAN OF THE MONTH #11:  January, 2001
#
# Challenge to see who can determine which tool was used
# and the purpose of this scan.  Packet decodes using snort
# (http://www.snort.org).
#
# The packets were captured from the wild as part of the
# Honeynet Project, http://project.honeynet.org

QUESTIONS:
----------
Below is a specific scan run against our honeypot, 172.16.1.106.
As you read through these signatures, the challenge is to answer
the following questions:

QUESTION 1:  What is the scan attempting to determine?
QUESTION 2:  What is unique about the scan methodology?
QUESTION 3:  Can you name the scanning tool?

BONUS QUESTION:  What known vulnerabilities exist on the honeypot?


12/20-14:47:46.458282 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:41996 DF
**S***** Seq: 0x10E4921   Ack: 0x0   Win: 0x2000
TCP Options => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:46.459764 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:63004 DF
**S***A* Seq: 0x13BF84BE   Ack: 0x10E4922   Win: 0x2238
TCP Options => MSS: 1460

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:46.734157 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:42252 DF
******A* Seq: 0x10E4922   Ack: 0x13BF84BF   Win: 0x2238

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:47.973665 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:42508 DF
*****PA* Seq: 0x10E4922   Ack: 0x13BF84BF   Win: 0x2238
48                                               H

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:48.090572 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:63260 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E4923   Win: 0x2237

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:48.330383 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:42764 DF
*****PA* Seq: 0x10E4923   Ack: 0x13BF84BF   Win: 0x2238
45                                               E

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:48.491264 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:63516 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E4924   Win: 0x2236

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:48.722711 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:43020 DF
*****PA* Seq: 0x10E4924   Ack: 0x13BF84BF   Win: 0x2238
41 44                                            AD

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:48.891755 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:63772 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E4926   Win: 0x2234

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:49.102466 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:43276 DF
*****PA* Seq: 0x10E4926   Ack: 0x13BF84BF   Win: 0x2238
20 2F                                             /

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:49.292334 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:64028 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E4928   Win: 0x2232

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:49.499083 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:43532 DF
*****PA* Seq: 0x10E4928   Ack: 0x13BF84BF   Win: 0x2238
20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:49.693020 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:64284 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E4929   Win: 0x2231

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:51.430835 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:43788 DF
*****PA* Seq: 0x10E4928   Ack: 0x13BF84BF   Win: 0x2238
20 48 54 54 08                                    HTT.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:51.595723 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:64540 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E492D   Win: 0x222D

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:52.227849 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:44044 DF
*****PA* Seq: 0x10E492D   Ack: 0x13BF84BF   Win: 0x2238
0D 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:52.396863 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:65052 DF
******A* Seq: 0x13BF84BF   Ack: 0x10E492F   Win: 0x222B

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:53.073680 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:44300 DF
*****PA* Seq: 0x10E492F   Ack: 0x13BF84BF   Win: 0x2238
0D 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:53.097313 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:65308 DF
*****PA* Seq: 0x13BF84BF   Ack: 0x10E4931   Win: 0x2229
48 54 54 50 2F 31 2E 31 20 34 30 30 20 42 61 64  HTTP/1.1 400 Bad
20 52 65 71 75 65 73 74 0D 0A 53 65 72 76 65 72   Request..Server
3A 20 4D 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F  : Microsoft-IIS/
34 2E 30 0D 0A 44 61 74 65 3A 20 57 65 64 2C 20  4.0..Date: Wed, 
32 30 20 44 65 63 20 32 30 30 30 20 32 30 3A 34  20 Dec 2000 20:4
37 3A 35 30 20 47 4D 54 0D 0A 43 6F 6E 74 65 6E  7:50 GMT..Conten
74 2D 4C 65 6E 67 74 68 3A 20 34 30 37 0D 0A 43  t-Length: 407..C
6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78  ontent-Type: tex
74 2F 68 74 6D 6C 0D 0A 0D 0A                    t/html....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:53.097846 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:29 DF
***F**A* Seq: 0x13BF8549   Ack: 0x10E4931   Win: 0x2229

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:53.306817 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:44556 DF
******A* Seq: 0x10E4931   Ack: 0x13BF854A   Win: 0x21AE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:56.230167 213.56.230.173:1295 -> 172.16.1.106:80
TCP TTL:111 TOS:0x0 ID:44812 DF
***F**A* Seq: 0x10E4931   Ack: 0x13BF854A   Win: 0x21AE

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

12/20-14:47:56.231463 172.16.1.106:80 -> 213.56.230.173:1295
TCP TTL:127 TOS:0x0 ID:285 DF
******A* Seq: 0x13BF854A   Ack: 0x10E4932   Win: 0x2229
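Added worked example (not part of the Honeynet challenge text): the Python below rebuilds the client side of this connection from the Seq values and payload bytes transcribed from the decode above, the way the honeypot's TCP stack would have. The point it shows is the segment at Seq 0x10E4928, which arrives twice with different lengths, so bytes already acknowledged must be dropped and only the new tail kept; it also renders the result as a terminal would, treating the 0x08 byte as an ASCII backspace, which an HTTP server does not do. The compact one-line-per-segment input format and the function names are my own.

```python
import re

# Data-carrying client segments (213.56.230.173 -> 172.16.1.106:80)
# transcribed from the snort decode above: capture time, TCP Seq, payload hex.
CLIENT = """\
14:47:47.973665 Seq: 0x10E4922 | 48
14:47:48.330383 Seq: 0x10E4923 | 45
14:47:48.722711 Seq: 0x10E4924 | 41 44
14:47:49.102466 Seq: 0x10E4926 | 20 2F
14:47:49.499083 Seq: 0x10E4928 | 20
14:47:51.430835 Seq: 0x10E4928 | 20 48 54 54 08
14:47:52.227849 Seq: 0x10E492D | 0D 0A
14:47:53.073680 Seq: 0x10E492F | 0D 0A
"""
CLIENT_ISN = 0x10E4921        # Seq of the client's SYN
SERVER_LAST_ACK = 0x10E4931   # Ack carried by the honeypot's final packets

LINE = re.compile(r"Seq: (0x[0-9A-Fa-f]+)\s*\|\s*((?:[0-9A-Fa-f]{2}\s*)+)")

def parse_segments(text):
    """Return [(seq, payload_bytes)] in capture order."""
    return [(int(m.group(1), 16), bytes.fromhex(m.group(2)))
            for m in map(LINE.search, text.splitlines()) if m]

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream as the receiver would.

    Bytes below the next expected sequence number are discarded, so an
    overlapping retransmission contributes only its new tail. Returns the
    stream, the count of duplicate bytes seen, and the next expected Seq.
    """
    stream, nxt, dup = bytearray(), isn + 1, 0   # first data byte follows the SYN
    for seq, data in segments:
        if seq > nxt:
            raise ValueError(f"capture gap before seq {seq:#x}")
        skip = nxt - seq                  # bytes this segment repeats
        dup += min(skip, len(data))
        stream += data[skip:]
        nxt += max(0, len(data) - skip)
    return bytes(stream), dup, nxt

def as_typed(stream):
    """Render the stream as a terminal shows it: 0x08 erases the previous char."""
    out = []
    for b in stream:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(chr(b))
    return "".join(out)

if __name__ == "__main__":
    segs = parse_segments(CLIENT)
    raw, dup, nxt = reassemble(segs, CLIENT_ISN)
    print("segment sizes:", [len(d) for _, d in segs])
    print("raw request  :", raw)
    print("as typed     :", repr(as_typed(raw)))
    print("dup bytes    :", dup, "| stream complete:", nxt == SERVER_LAST_ACK)
```

The next expected Seq after the last client segment equals the Ack in the honeypot's FIN and final ACK, which confirms the capture holds the whole client-side stream.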