Question and Answer

1. What is a binary log file and how is one created?

A binary log file is a packet capture stored in a binary (non-text) format rather than as human-readable lines. The capture analysed here is in the libpcap format that tools such as tcpdump and Ethereal (now Wireshark) write, for example with `tcpdump -w capture.log`. To run these tools, the libpcap library must be installed; it provides a system-independent interface for user-level packet capture.

2. What is MD5 and what value does it provide?

MD5 is a cryptographic hash function (command-line tools such as md5sum compute it). It takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. Its value here is integrity checking: anyone holding a copy of the capture file can recompute its digest and compare it with the value recorded when the capture was taken, which detects corruption or alteration in transit. One caveat: MD5 is no longer collision resistant, so it is unsuitable where an adversary could substitute a file; for that purpose a SHA-2 digest, ideally signed, should be used.

3. What is the attacker's IP address?

192.168.0.9, 192.168.0.1, 192.168.0.254, 192.168.0.199

4. What is the destination IP address?

192.168.0.99

5. We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?

a.) TCP connect() scanning

The basic form of TCP scanning. The connect() system call provided by the operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() succeeds; otherwise the target answers the SYN with a RST and connect() fails. One strong advantage of this technique is that no special privileges (no raw sockets) are needed. The drawback is that the full three-way handshake is completed, so the target's service usually logs the connection.

b.) TCP SYN scanning

This technique is often referred to as "half-open" scanning, because a full TCP connection is never opened. The scanner sends a SYN packet, as if it were going to open a real connection, and waits for a response. A SYN|ACK indicates the port is listening; a RST is indicative of a non-listener. If a SYN|ACK comes back, the scanner tears the half-open connection down with a RST instead of completing the handshake, which is why many services never log the attempt. Crafting the packets requires raw-socket (root) privileges.

c.) TCP FIN scanning

There are times when even SYN scanning isn't clandestine enough. Some firewalls and packet filters watch for SYNs to restricted ports, and programs like synlogger and Courtney are available to detect these scans. FIN packets, on the other hand, may be able to pass through unmolested. The idea is that closed ports tend to reply to the FIN packet with the proper RST, while open ports tend to ignore the packet in question. This relies on RFC 793 behaviour: a Microsoft Windows stack replies with a RST to a bare FIN regardless of port state, so a FIN scan reports every port on such a host as closed.

d.) UDP ICMP port unreachable scanning

This scanning method varies from the above in that it uses the UDP protocol instead of TCP. While this protocol is simpler, scanning it is actually significantly more difficult. Open ports don't have to send an acknowledgement in response to the probe, and closed ports aren't even required to send an error packet. What usually happens is that a closed port answers with an ICMP port unreachable (type 3, code 3) and an open port stays silent, so "open" is inferred from the absence of a reply; a filtered port therefore looks the same as an open one. Many kernels also rate-limit ICMP errors, which makes UDP scans slow.

e.) ICMP echo scanning

This isn't really port scanning, since ICMP doesn't have a port abstraction. But it is sometimes useful to determine which hosts in a network are up by pinging them all. In the Nmap version this description comes from, the -P option does this (the option later became -sP and is -sn in current Nmap). ICMP scanning is done in parallel, so it can be quite fast.

6. Which scanning tool was used to scan our honeypot? How were you able to determine this?

Nmap. This is only a guess, since the scanning techniques above can all be done by Nmap.

7. What is the purpose of port scanning?

Port scanning is a technique attackers use to discover which services are listening on a host, and therefore which ones they might be able to break into. By port scanning, the attacker finds which ports are open (listening), which are closed, and which are filtered.

8. What ports were found open on our honeypot?

Ports 22, 53, 111, 443 and 32768. The IANA-registered services for 22, 53, 111 and 443 are SSH, DNS, sunrpc/portmapper and HTTPS; the capture alone does not establish what listened on 32768.

9. Bonus Question: What operating system was the attacker using?

Windows NT
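The following script is an added example for questions 1, 2 and 5 above; it is not part of the original answers or the honeynet challenge. It builds a small libpcap capture in memory (constructed data: the attacker 10.0.0.9, honeypot 10.0.0.99, port numbers and sequence of probes are all made up for the demonstration), parses the binary log format that tcpdump writes, computes the file's MD5 digest, and classifies each probe by scan technique from the reply pattern the section describes: a completed handshake for connect(), SYN|ACK followed by RST for half-open, RST-or-silence for FIN, ICMP port unreachable for UDP, and echo request/reply for host discovery. It uses only the Python standard library and runs offline.

```python
"""Classify the probes in a libpcap capture by scanning technique.

Added example for the honeypot scan questions; not part of the original
answers. The capture is CONSTRUCTED in memory with made-up addresses
(attacker 10.0.0.9, honeypot 10.0.0.99), so it runs offline without
tcpdump, Ethereal/Wireshark or libpcap installed.
"""
import hashlib
import struct
from collections import defaultdict

ATTACKER, HONEYPOT = "10.0.0.9", "10.0.0.99"   # assumed addresses
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
LINKTYPE_RAW = 101  # records start at the IPv4 header, no Ethernet framing


def _ipv4(src, dst, proto, payload):
    # Header checksum is left zero; the parser below never validates it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def tcp(src, dst, sport, dport, flags):
    return _ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0))


def udp(src, dst, sport, dport):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))


def icmp(src, dst, itype, code, quoted=b""):
    # A type 3 "unreachable" quotes the offending IP header + 8 bytes (RFC 792).
    return _ipv4(src, dst, 1, struct.pack("!BBHI", itype, code, 0, 0) + quoted[:28])


def pcap_bytes(packets):
    """Serialize packets as a libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def md5_hex(data):
    """128-bit MD5 digest of the capture, hex encoded; recompute to check integrity."""
    return hashlib.md5(data).hexdigest()


def parse_pcap(data):
    """Decode a libpcap file into one dict per packet (IPv4 plus TCP/UDP/ICMP headers only)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_RAW:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16: off + 16 + incl]
        off += 16 + incl
        l4 = pkt[(pkt[0] & 0x0F) * 4:]
        p = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
             "proto": {6: "tcp", 17: "udp", 1: "icmp"}.get(pkt[9], "other"),
             "sport": None, "dport": None, "flags": None, "itype": None, "code": None, "quoted_dport": None}
        if p["proto"] in ("tcp", "udp"):
            p["sport"], p["dport"] = struct.unpack_from("!HH", l4, 0)
            if p["proto"] == "tcp":
                p["flags"] = l4[13]
        elif p["proto"] == "icmp":
            p["itype"], p["code"] = l4[0], l4[1]
            if p["itype"] == 3 and len(l4) >= 32:  # recover which probe the error refers to
                inner = l4[8:]
                p["quoted_dport"] = struct.unpack_from("!H", inner, (inner[0] & 0x0F) * 4 + 2)[0]
        packets.append(p)
    return packets


def classify(packets):
    """Map each attacker probe to the scan technique used and what the reply revealed."""
    per_port, findings = defaultdict(list), {}
    for p in packets:
        if p["proto"] == "icmp" and p["itype"] in (8, 0):
            findings["icmp"] = ("ICMP echo (host discovery)", "host up" if p["itype"] == 0 else "no reply")
        elif p["proto"] == "icmp" and (p["itype"], p["code"]) == (3, 3):
            per_port[("udp", p["quoted_dport"])].append(("honeypot", "unreachable"))
        elif p["src"] == ATTACKER:
            per_port[(p["proto"], p["dport"])].append(("attacker", p["flags"]))
        else:
            per_port[(p["proto"], p["sport"])].append(("honeypot", p["flags"]))
    for (proto, port), events in per_port.items():
        key = f"{proto}/{port}"
        if proto == "udp":  # silence is ambiguous: open or filtered
            closed = ("honeypot", "unreachable") in events
            findings[key] = ("UDP ICMP port unreachable", "closed" if closed else "open|filtered")
            continue
        first = events[0][1]
        replies = [f for who, f in events if who == "honeypot"]
        follow_ups = [f for who, f in events[1:] if who == "attacker"]
        if first == FIN:  # RFC 793: closed port answers a bare FIN with RST, open port stays silent
            findings[key] = ("TCP FIN", "closed" if any(f & RST for f in replies) else "open|filtered")
        elif first == SYN and any(f & SYN and f & ACK for f in replies):
            # Open port: the attacker's next packet separates connect() (ACK) from half-open (RST).
            findings[key] = ("TCP connect()" if ACK in follow_ups else "TCP SYN (half-open)", "open")
        elif first == SYN:  # a closed port answers RST either way, so the two SYN scans look alike
            findings[key] = ("TCP SYN or connect()", "closed")
    return findings


def open_ports(findings):
    """Ports shown as definitely open, i.e. what question 8 asks for."""
    return sorted(int(k.split("/")[1]) for k, (_, state) in findings.items() if state == "open")


AT, HP = ATTACKER, HONEYPOT
CAPTURE = pcap_bytes([                                                    # constructed sample capture
    icmp(AT, HP, 8, 0), icmp(HP, AT, 0, 0),                                               # ping sweep
    tcp(AT, HP, 40001, 22, SYN), tcp(HP, AT, 22, 40001, SYN | ACK), tcp(AT, HP, 40001, 22, ACK),    # connect()
    tcp(AT, HP, 40002, 443, SYN), tcp(HP, AT, 443, 40002, SYN | ACK), tcp(AT, HP, 40002, 443, RST),  # half-open
    tcp(AT, HP, 40003, 25, SYN), tcp(HP, AT, 25, 40003, RST | ACK),                       # closed port
    tcp(AT, HP, 40004, 111, FIN),                                                         # FIN, open: silence
    tcp(AT, HP, 40005, 80, FIN), tcp(HP, AT, 80, 40005, RST | ACK),                       # FIN, closed
    udp(AT, HP, 40006, 53),                                                               # UDP, open: silence
    udp(AT, HP, 40007, 69), icmp(HP, AT, 3, 3, quoted=udp(AT, HP, 40007, 69)),            # UDP, closed
])

if __name__ == "__main__":
    print("md5:", md5_hex(CAPTURE))
    for key, (technique, state) in classify(parse_pcap(CAPTURE)).items():
        print(f"{key:8} {state:14} {technique}")
```

Two details are worth noticing when running it: a closed port answers a SYN with RST whether the scanner used connect() or a half-open probe, so the two techniques can only be told apart on open ports by the attacker's third packet (ACK versus RST), and a UDP or FIN probe that gets no answer is reported as open|filtered, never as open, because a dropped packet looks identical to an open port.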