1. What is a binary log file and how is one created?

Log files are usually stored in either plain text or binary format. A binary log file holds its records in binary form, for example the raw bytes of each captured packet, rather than as printable text. It is created by a logging or capture program (snort and tcpdump can both write their logs this way) that writes records to disk in its own internal format instead of rendering them as text.

Advantages of storing log information in binary format:
- Log entries can be generated at a high rate, since nothing has to be formatted as text.
- The file is smaller.
- It is easy for a log-analysis program to read.

Disadvantages of storing log information in binary format:
- Corruption anywhere in the file may render the whole file useless.
- A tool is needed to read the log file.

2. What is MD5 and what value does it provide?

MD5 (Message-Digest algorithm 5) is a cryptographic hash function, not a digital-signature scheme. It takes input data of any length and produces a 128-bit fingerprint (digest) of that input. The algorithm was designed so that finding two different inputs with the same fingerprint is computationally infeasible. The value it provides is integrity checking: you compute the MD5 digest of the data you received and compare it with the digest published by the provider; a mismatch means the data was corrupted or altered on the way. Two caveats apply. Practical collision attacks against MD5 have since been published, so it should not be relied on against a deliberate attacker, and a digest only proves integrity if it was obtained over a channel the attacker could not also tamper with.

3. What is the attacker's IP address?

192.168.0.9

4. What is the destination IP address?

192.168.0.99

5. We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?

Scanning method I - SYN scanning:
SYN scanning starts like a normal TCP three-way handshake, but instead of answering the server's SYN+ACK with an ACK, the client tears the half-open connection down with a RST. Because the handshake is never completed, the connection is never handed to the listening application and may not show up in its logs.

Open port:
  client -> SYN
  server -> SYN+ACK
  client -> RST

Closed port:
  client -> SYN
  server -> RST+ACK

Scanning method II - NULL scanning:
A NULL scan sends a TCP segment with no flags set at all. The behaviour specified in RFC 793, and implemented in the BSD-derived networking code, is to silently drop such a segment if the port is open and to answer with a RST if the port is closed. No reply therefore means "open or filtered", since a firewall dropping the probe looks exactly like an open port.
Open port:
  client -> NULL
  server -> (no reply)

Closed port:
  client -> NULL
  server -> RST

Scanning method III - XMAS scanning:
An XMAS scan sets the FIN, URG and PUSH flags in the TCP header. The response rules are the same as for the NULL scan: a closed port answers with a RST, while an open port silently drops the segment, so no reply means "open or filtered". The XMAS scan used two decoys (192.168.0.254 and 192.168.0.199); the same probes are sent with the decoy addresses as source to hide the real attacker, 192.168.0.9, among them.

Open port:
  client -> XMAS (FIN, URG, PUSH)
  server -> (no reply)

Closed port:
  client -> XMAS (FIN, URG, PUSH)
  server -> RST

Scanning method IV - TCP connect():
A TCP connect() scan performs the full three-way handshake through the operating system's connect() call. The handshake completes on open ports (the connection is then closed normally), and a RST+ACK comes back from closed ports:

Open port:
  client -> SYN
  server -> SYN+ACK
  client -> ACK

Closed port:
  client -> SYN
  server -> RST+ACK

Scanning method V - UDP ICMP_PORT_UNREACHABLE:
A UDP scan sends a UDP datagram to a port and waits for an ICMP port unreachable message. If none comes back the port is considered open, although the same silence results when a firewall drops the probe or the host rate-limits its ICMP errors, so strictly the state is "open or filtered". To reduce false positives caused by lost packets it is common to send at least two datagrams to each port.

Open port:
  client -> UDP datagram
  server -> (no reply)
  client -> UDP datagram
  server -> (no reply)

Closed port:
  client -> UDP datagram
  server -> ICMP port unreachable

6. Which scanning tool was used to scan our honeypot? How were you able to determine this?

NMAP was used as the scanning tool. It is one of the few publicly available port scanners that supports XMAS, FIN and SYN scans as well as OS detection using ECN probe packets, all of which were used in this scan. Characteristic NMAP behaviour was also visible in the file. Example of an NMAP-crafted TCP packet:
  Window size: 2048
  Time to live: 64
  Maximum segment size: 0 (option absent)
  Don't fragment flag set
  Window scaling not present
  Packet size: 40

I used the tool p0f (http://www.stearns.org/p0f), which can analyze the binary snort log file and detect NMAP-crafted packets.

7.
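The five exchanges described in question 5, as an added example that is not part of the original submission: a small Python classifier that takes a sequence of constructed packets (raw layer-4 headers, no pcap file needed) between the attacker 192.168.0.9 and the honeypot 192.168.0.99, groups them into probe conversations and applies each method's open/closed rule. It also expresses the SYN+ACK test that the tcpdump filter tcp[13]=18 encodes (byte 13 of the TCP header holds the flags, and 0x12 is SYN+ACK). The packet builders, the sample capture and the scan-type labels are constructed for illustration and are not the submitter's code.

```python
"""Classify port-scan probes and infer port state from a packet sequence."""
import struct
from collections import defaultdict, namedtuple

# TCP flag bits in byte 13 of the TCP header, the byte tcpdump's "tcp[13]" indexes.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
A, T = "192.168.0.9", "192.168.0.99"   # attacker and honeypot, from the write-up

Packet = namedtuple("Packet", "src dst proto l4")   # addresses, protocol, raw L4 header


def tcp(src, dst, sport, dport, flags):
    """Constructed 20-byte TCP header, no options; seq/ack/checksum left zero."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 2048, 0, 0)
    return Packet(src, dst, IPPROTO_TCP, hdr)

def udp(src, dst, sport, dport):
    return Packet(src, dst, IPPROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))

def icmp_port_unreachable(src, dst, offending):
    """ICMP type 3 code 3 quoting the IP header and first 8 bytes of the datagram."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, offending.src.split("."))),
                     bytes(map(int, offending.dst.split("."))))
    return Packet(src, dst, IPPROTO_ICMP,
                  struct.pack("!BBHI", 3, 3, 0, 0) + ip + offending.l4[:8])

def l4_ports(l4):
    return struct.unpack("!HH", l4[:4])

def quoted_udp_ports(icmp):
    """(sport, dport) of the datagram quoted in an ICMP port unreachable, else None."""
    if icmp[0] != 3 or icmp[1] != 3:
        return None
    return l4_ports(icmp[8 + (icmp[8] & 0x0F) * 4:])

def classify(proto, msgs):
    """Apply each method's rule to one conversation: [(sent_by_attacker, flags), ...]."""
    replies = [f for mine, f in msgs if not mine]
    if proto == IPPROTO_UDP:
        # Silence is ambiguous: an open port, or a firewall that dropped the probe.
        return ("udp", "closed" if replies else "open|filtered")
    probe = msgs[0][1]
    if probe in (0, FIN | PSH | URG):
        kind = "null" if probe == 0 else "xmas"
        # RFC 793: a closed port answers RST, an open port drops the segment.
        return (kind, "closed" if any(f & RST for f in replies) else "open|filtered")
    if probe == SYN:
        if any(f & RST for f in replies):
            return ("syn/connect", "closed")   # indistinguishable on a closed port
        hits = [n for n, (mine, f) in enumerate(msgs)
                if not mine and (f & (SYN | ACK)) == (SYN | ACK)]
        if not hits:
            return ("syn/connect", "filtered")
        # Open port: the attacker's first segment after SYN+ACK tells the two apart.
        after = [f for mine, f in msgs[hits[0] + 1:] if mine]
        if after and after[0] & RST:
            return ("syn", "open")             # half-open scan aborts with RST
        return ("connect" if after else "syn/connect", "open")
    return ("unknown", "unknown")

def analyze(packets, attacker=A, target=T):
    """Return {(proto, dport): (scan_type, state)} for every probe the attacker sent."""
    convs = defaultdict(list)   # (proto, attacker_port, target_port) -> messages
    for p in packets:
        outbound = p.src == attacker and p.dst == target
        inbound = p.src == target and p.dst == attacker
        if p.proto == IPPROTO_TCP and (outbound or inbound):
            a, b = l4_ports(p.l4)
            key = (IPPROTO_TCP, a, b) if outbound else (IPPROTO_TCP, b, a)
            convs[key].append((outbound, p.l4[13]))
        elif p.proto == IPPROTO_UDP and outbound:
            convs[(IPPROTO_UDP,) + l4_ports(p.l4)].append((True, None))
        elif p.proto == IPPROTO_ICMP and inbound and quoted_udp_ports(p.l4):
            convs[(IPPROTO_UDP,) + quoted_udp_ports(p.l4)].append((False, "unreach"))
    return {(proto, dport): classify(proto, msgs)
            for (proto, _, dport), msgs in convs.items() if msgs[0][0]}

def syn_ack_ports(packets):
    """Same test as the tcpdump filter tcp[13]=18: ports that answered SYN+ACK."""
    return sorted({l4_ports(p.l4)[0] for p in packets
                   if p.proto == IPPROTO_TCP and p.l4[13] == (SYN | ACK)})

# Constructed capture: one conversation per method, an open and a closed port each.
SAMPLE_CAPTURE = [
    tcp(A, T, 40001, 22, SYN), tcp(T, A, 22, 40001, SYN | ACK), tcp(A, T, 40001, 22, RST),
    tcp(A, T, 40002, 23, SYN), tcp(T, A, 23, 40002, RST | ACK),
    tcp(A, T, 40003, 80, 0),
    tcp(A, T, 40004, 25, 0), tcp(T, A, 25, 40004, RST | ACK),
    tcp(A, T, 40005, 443, FIN | PSH | URG),
    tcp(A, T, 40006, 21, FIN | PSH | URG), tcp(T, A, 21, 40006, RST | ACK),
    tcp(A, T, 40007, 111, SYN), tcp(T, A, 111, 40007, SYN | ACK),
    tcp(A, T, 40007, 111, ACK), tcp(A, T, 40007, 111, RST | ACK),
    udp(A, T, 40008, 53), udp(A, T, 40009, 161),
]
SAMPLE_CAPTURE.append(icmp_port_unreachable(T, A, SAMPLE_CAPTURE[-1]))
```

Note that only the SYN and connect() conversations can return a definite "open": NULL, XMAS and UDP probes report "open|filtered" because a dropped probe and an open port produce the same silence, which is why the write-up's open-port list in question 8 is derived from SYN+ACK replies rather than from the stealth scans.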
What is the purpose of port scanning?

The purpose of port scanning is to gather information about a target. Information that can be gathered by a port scan includes:
- the operating system
- open and closed ports
- the type and version of the daemons listening on them
- the firewall's ACL, i.e. which ports are filtered

This information can then be used to launch attacks against vulnerable services running on the target.

8. What ports were found open on our honeypot?

TCP ports:
  22 (ssh)
  53 (domain)
  80 (http)
  111 (sunrpc)
  443 (https)
  32768

I issued "tcpdump -n -r tcp[13]=18" to see which packets were sent with the SYN+ACK flags set. This showed me the open TCP ports. "tcpdump -n -r udp" showed me that no open UDP ports had answered any UDP packets.

Bonus Question: What operating system was the attacker using?

When the attacker did a full TCP handshake on open ports, the following TCP/IP header signature showed up in the log files:
  Window size: 5840
  Time to live: 64
  Maximum segment size: 1460
  Don't fragment flag set
  Window scaling: 0
  sackOK: 1
  nop flag: 1
  Packet size: 60

The above matches the signature of a Linux 2.4.2-2.4.14 kernel. I used p0f (http://www.stearns.org/p0f) to find the operating system the attacker was using. p0f -s provided me with information on the attacker's operating system.
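The bonus-question method, as an added example (not the submitter's code and not p0f itself): extract the fields listed above from a raw IPv4+TCP SYN and match them against a small signature table. The signature layout (window:ttl:mss:df:wscale:sackOK:nops:size, in the order the write-up lists the fields, with "-" for an absent option) is my own, modelled on p0f's idea rather than its file format; the two table entries and the two sample packets are constructed from the values quoted in this answer and in question 6, and the "Linux 2.4.2-2.4.14" label is the page's attribution, not an independent verification.

```python
"""Passive OS fingerprinting of a captured TCP SYN from the header fields listed above."""
import struct

# Constructed signature table, layout window:ttl:mss:df:wscale:sackOK:nops:size
# ("-" = option absent).  Both entries are built from the write-up's own numbers; a
# real p0f fingerprint file has hundreds of entries and wildcard rules, which this
# exact-match lookup omits.
SIGNATURES = {
    "5840:64:1460:1:0:1:1:60": "Linux 2.4.2-2.4.14",
    "2048:64:0:1:-:0:0:40": "NMAP crafted probe",
}

def build_syn(window, ttl, df, options=b"",
              src=b"\xc0\xa8\x00\x09", dst=b"\xc0\xa8\x00\x63"):
    """Constructed IPv4+TCP SYN, 192.168.0.9 -> 192.168.0.99 by default."""
    assert len(options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, (5 + len(options) // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0, src, dst)
    return ip + tcp

def parse_options(opts):
    """Return (mss, wscale, sackok, nops) from a raw option list; wscale None if absent."""
    mss, wscale, sackok, nops, i = 0, None, 0, 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP carries no length byte
            nops += 1
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                    # malformed option: stop instead of looping forever
            break
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and body:
            wscale = body[0]
        elif kind == 4:
            sackok = 1
        i += length                       # other kinds (e.g. 8 = timestamps) are skipped
    return mss, wscale, sackok, nops

def initial_ttl(ttl):
    """Round an observed TTL up to the next common initial value (each hop decrements it)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def fingerprint(pkt):
    """Pull the stack-specific fields out of a raw IPv4+TCP SYN and render the signature."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = 1 if struct.unpack("!H", pkt[6:8])[0] & 0x4000 else 0
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    mss, wscale, sackok, nops = parse_options(tcp[20:data_off])
    return "%d:%d:%d:%d:%s:%d:%d:%d" % (window, initial_ttl(pkt[8]), mss, df,
                                        "-" if wscale is None else wscale,
                                        sackok, nops, total_len)

def identify(pkt):
    """(signature, label) for a SYN; label is "unknown" when the table has no match."""
    sig = fingerprint(pkt)
    return sig, SIGNATURES.get(sig, "unknown")

# Constructed packets reproducing the two signatures quoted in the write-up.
LINUX24_OPTIONS = (b"\x02\x04\x05\xb4"          # MSS 1460
                   + b"\x04\x02"                # sackOK
                   + b"\x08\x0a" + b"\x00" * 8  # timestamps (values irrelevant here)
                   + b"\x01"                    # NOP
                   + b"\x03\x03\x00")           # window scale 0
ATTACKER_SYN = build_syn(window=5840, ttl=64, df=True, options=LINUX24_OPTIONS)
NMAP_PROBE = build_syn(window=2048, ttl=64, df=True)
```

The option list is what carries most of the signal: the 20 bytes of MSS, sackOK, timestamps, NOP and window-scale options are exactly what makes the attacker's SYN 60 bytes long, while the NMAP probe carries no options at all and comes out at 40. Rounding the TTL up to the next common initial value is what lets the same table match a host a few hops away; on the honeypot's own LAN the observed and initial values coincide.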