From: John Levine [levine@ece.gatech.edu]
Sent: Thursday, September 19, 2002 3:30 PM
To: Richard
Cc: Henry Owen; gtg993j@mail.gatech.edu
Subject: Scan 23

Richard,

Here is my input. This was a good exercise because it got me to use a variety of references. Here are my answers:

1. What is a binary log file and how is one created?

Binary log files capture all of the packets on a network in 'tcpdump' format. The entire packet is logged. This file can be played back by any sniffer that supports tcpdump format, such as ethereal or tcpdump. It can also be played back with SNORT. A binary file can be created using SNORT with the command ./snort -l ./log -b (from the SNORT User's Manual)

2. What is MD5 and what does it provide?

MD5 (Message Digest Algorithm) is a secure hash algorithm that produces a 128 bit message digest based on the input being processed in 512-bit blocks. It provides a signature to check and see if a file has been tampered with. Its security has become questionable in recent times. (Network Security Essentials by William Stallings)

3. What is the attacker's IP address?

192.168.0.9

4. What is the destination IP address?

192.168.0.99

5. What were the 5 different scanning methods used?

   1. TCP SYN e.g. 18332
   2. TCP XMAS Tree e.g. 150652
   3. NULL (No flags set) e.g. 150641
   4. UDP Scanning to Target Port e.g. 150654
   5. PING e.g. 155982

6. What scanning tool was used to scan the honeypot? How were you able to determine this?

NMAP was used to scan the honeypot. I was able to determine this by examining the ICMP PING packets sent by the attacker. These packets had a data field of 0 (Total length of IP packet 28 bytes: 20 byte IP Header length + 8 byte ICMP Header length). According to the SNORT signature database, these are the characteristics of the ICMP PING NMAP.

7. What is the purpose of port scanning?

An attacker will send packets to ports on a specific computer to determine if any services are operating on those ports. Each open port is a potential path for a hacker to attack a computer. (Counterhack by Ed Skoudis)

8. What ports were found to be open on the honeypot?

   ssh (22)
   sunrpc (111)
   32768
   http (80)
   https (443)
   domain (53)

9. BONUS Question: What operating system was the attacker using?

I think LINUX is being used because of the use of high numbered ports to conduct the scans.

In all, a good exercise.

John Levine
Henry Owen
Julian Grizzard
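The checks the message relies on (reading a tcpdump-format binary log packet by packet, telling SYN, XMAS and NULL probes apart by their TCP flag bits, and spotting the 28-byte ICMP echo with no data field that Snort attributes to Nmap) can be carried out with a short script. What follows is an added example written for this page; it is not code from the original message, from the Scan of the Month data, or from Snort or Nmap. It builds a small constructed pcap file in memory and then parses it back the way a sniffer would. Only the attacker and honeypot addresses and the port list come from the message; the packet contents, the source ports, the timestamps and the third host 192.168.0.1 are made up for the sample.

```python
import struct
from collections import Counter

ATTACKER = "192.168.0.9"   # attacker and target addresses are the ones in the message
HONEYPOT = "192.168.0.99"
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
ETH_IPV4 = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs + EtherType 0x0800 (assumed)

def ipv4(proto, payload, src=ATTACKER, dst=HONEYPOT):
    """Minimal IPv4 header, no options. Checksums stay 0; the parser never checks them."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, *addrs) + payload

def tcp(sport, dport, flags):
    """20-byte TCP header (data offset 5), no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def icmp_echo(data=b""):
    """ICMP echo request (type 8); Nmap's discovery ping sends no data after the header."""
    return struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data

def pcap(packets):
    """Wrap raw IP packets in a little-endian pcap file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        frame = ETH_IPV4 + pkt
        out += struct.pack("<IIII", 1032460200 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    """Yield each captured frame from pcap bytes, honouring the magic's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(frame):
    """Return (src, dst, dport, kind) for an Ethernet/IPv4 frame, or None if not IPv4."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6:
        dport, flags = struct.unpack("!H", l4[2:4])[0], l4[13]
        if flags == 0:
            kind = "TCP NULL"                      # no flags set
        elif flags == FIN | PSH | URG:
            kind = "TCP XMAS"                      # FIN, PSH and URG lit up
        elif flags == SYN:
            kind = "TCP SYN"
        else:
            kind = "TCP other (0x%02x)" % flags
        return src, dst, dport, kind
    if proto == 17:
        return src, dst, struct.unpack("!H", l4[2:4])[0], "UDP"
    if proto == 1 and l4[0] == 8:
        # 20-byte IP header + 8-byte ICMP header and nothing else (28 bytes total):
        # the empty echo the message attributes to Nmap. A stock ping carries data.
        data_len = total_len - ihl - 8
        kind = "ICMP echo, empty payload" if data_len == 0 else "ICMP echo, %d data bytes" % data_len
        return src, dst, None, kind
    return src, dst, None, "IP proto %d" % proto

def summarize(pcap_bytes, attacker=ATTACKER):
    """Count probe kinds sent by `attacker` and list the target ports it touched."""
    methods, ports = Counter(), set()
    for frame in iter_pcap(pcap_bytes):
        rec = classify(frame)
        if rec and rec[0] == attacker:
            methods[rec[3]] += 1
            if rec[2] is not None:
                ports.add(rec[2])
    return methods, sorted(ports)

# Constructed sample log, not the Scan 23 capture: an empty Nmap-style ping, a normal
# 56-byte ping from a third (made-up) host, SYN/XMAS/NULL/UDP probes, one honeypot reply.
SAMPLE_LOG = pcap([
    ipv4(1, icmp_echo()),
    ipv4(1, icmp_echo(b"\x00" * 56), src="192.168.0.1"),
    ipv4(6, tcp(40001, 22, SYN)),
    ipv4(6, tcp(40002, 80, SYN)),
    ipv4(6, tcp(40003, 443, SYN)),
    ipv4(6, tcp(40004, 111, FIN | PSH | URG)),
    ipv4(6, tcp(40005, 53, 0)),
    ipv4(17, udp(40006, 32768)),
    ipv4(6, tcp(22, 40001, SYN | ACK), src=HONEYPOT, dst=ATTACKER),
])

if __name__ == "__main__":
    methods, ports = summarize(SAMPLE_LOG)
    for kind, n in sorted(methods.items()):
        print("%-26s %d" % (kind, n))
    print("target ports probed:", ports)
```

Run as-is it reports the three SYN probes, one XMAS, one NULL, one UDP and one empty-payload echo from the attacker, and ignores the honeypot's SYN/ACK because its source is not the attacker. A real Snort `-b` log can be fed in with `summarize(open(path, "rb").read())`, with two caveats: the parser only understands linktype 1 (Ethernet) captures and IPv4, and it never validates IP or TCP checksums, so a malformed frame in the log will be classified rather than rejected.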