This set of documents details my analysis of the HoneyNet Project Reverse Challenge binary, named the-binary. The Reverse Challenge is a competition designed to see who can dig the most out of a blackhat cracker tool found in the wild, and communicate what they've found in a concise manner.
index.html | This index of the files and directories submitted
timestamp.html | Timestamp and MD5 checksums of all submitted files generated by Stamper |
summary.html | Summary for a non-technical audience, such as management and the media |
advisory.html | Advisory for a technical audience, such as administrators and incident handlers |
analysis.html | Details of how the analysis was performed showing tools and methods |
answers.html | Answers to the challenge questions |
costs.html | Incident cost estimate |
reading.html | References and further reading related to this analysis |
files.tar | Other files produced during the analysis, as listed below
Contents of files.tar:
the-binary.strings.txt | partial output from running strings on the-binary |
the-binary.objdump.txt | raw output from running objdump -dS on the-binary |
the-binary.cmd | REC command file used to guide REC disassembler |
convert-syscall.pl | Perl script to comment REC output with system call names |
the-binary.rec.txt | raw output of running REC on the-binary using the-binary.cmd after being processed by convert-syscall.pl |
the-binary.txt | a commented version of some sections of the REC output |
the-client/pingit.c | client used to probe the-binary and confirm functionality |
the-client/dumpit.c | dumps decoded packets in hex |
the-client/the-client.c | advanced client |
the-client/Makefile | Makefile for the above programs |
dos-attacks/flood-dns1.txt | tcpdump output showing DNS flood 1 |
dos-attacks/flood-dns2-0.txt | tcpdump output showing DNS flood 2 |
dos-attacks/flood-dns2-127.txt | tcpdump output showing DNS flood 2 |
dos-attacks/flood-dns3-0.txt | tcpdump output showing DNS flood 3 |
dos-attacks/flood-dns3-127.txt | tcpdump output showing DNS flood 3 |
dos-attacks/flood-dns3-dns.txt | tcpdump output showing DNS flood 3, demonstrating server-side name resolution
dos-attacks/flood-frag-icmp.txt | tcpdump output showing ICMP fragment flood
dos-attacks/flood-frag-udp-1.txt | tcpdump output showing UDP fragment flood
dos-attacks/flood-frag-udp-2.txt | tcpdump output showing UDP fragment flood
output/netstat-an.txt | output from "netstat -an" when the-binary is running
output/psax-fgrep-mingetty.txt | output from "ps ax | fgrep mingetty" when the-binary is running
output/fuser-uv-slash.txt | output from "fuser -uv /" when the-binary is running |
output/ls-alR-proc-454.txt | output from "ls -alR /proc/454" when the-binary is running as process 454 |
output/proc-454-cmdline.txt | content of /proc/454/cmdline when the-binary is running as process 454 |
output/proc-454-maps.txt | content of /proc/454/maps when the-binary is running as process 454 |
output/proc-454-status.txt | content of /proc/454/status when the-binary is running as process 454 |
snort/local.rules | snort rule for detecting network IP traffic with an unusual protocol |
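The convert-syscall.pl entry above describes a helper that labels each `int $0x80` in the REC output with the name of the Linux system call being invoked. The script below is an added example written for this page, not the author's convert-syscall.pl and not part of files.tar; it performs the same job on objdump-style AT&T disassembly of a statically linked i386 binary (an assumption about the input format), tracking the last immediate loaded into %eax (and %ebx for socketcall subcalls). The syscall table is a subset of the i386 unistd.h numbers; the disassembly sample is constructed for the demonstration.

```python
"""Annotate Linux/i386 disassembly with system-call names.

Added example for this page: mimics the purpose of a syscall-commenting
script such as convert-syscall.pl, but is written from scratch and is not
the author's script. Input is objdump -d style AT&T syntax (assumption).
"""
import re

# Subset of the Linux i386 syscall table (asm/unistd.h numbers).
SYSCALLS = {
    1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
    11: "execve", 12: "chdir", 13: "time", 19: "lseek", 20: "getpid",
    26: "ptrace", 37: "kill", 39: "mkdir", 41: "dup", 42: "pipe",
    45: "brk", 54: "ioctl", 63: "dup2", 64: "getppid", 66: "setsid",
    67: "sigaction", 78: "gettimeofday", 90: "mmap", 91: "munmap",
    102: "socketcall", 114: "wait4", 120: "clone", 122: "uname",
    162: "nanosleep", 175: "rt_sigaction", 192: "mmap2",
}

# socketcall(2) multiplexes the BSD socket API; the subcall number is in %ebx.
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen",
               5: "accept", 9: "send", 10: "recv", 11: "sendto",
               12: "recvfrom", 13: "shutdown", 14: "setsockopt"}

MOV_IMM = re.compile(r"\bmov[lb]?\s+\$0x([0-9a-f]+),%(eax|al|ebx|bl)\b")
XOR_SELF = re.compile(r"\bxorl?\s+%(eax|ebx),%\1\b")
INT80 = re.compile(r"\bint\s+\$0x80\b")
# Any other instruction whose destination operand is %eax / %ebx (or a call,
# which returns its result in %eax) makes the register value unknown to us.
CLOBBER_EAX = re.compile(r",%eax\s*$|\s%eax\s*$|\bcall\b")
CLOBBER_EBX = re.compile(r",%ebx\s*$|\s%ebx\s*$")

# Constructed sample: socketcall(connect), then write, then an int 0x80
# reached after a call, where %eax is no longer statically known.
SAMPLE = """\
 8048100:   31 c0                   xor    %eax,%eax
 8048102:   b0 66                   mov    $0x66,%al
 8048104:   bb 03 00 00 00          mov    $0x3,%ebx
 8048109:   cd 80                   int    $0x80
 804810b:   b8 04 00 00 00          mov    $0x4,%eax
 8048110:   cd 80                   int    $0x80
 8048112:   e8 00 00 00 00          call   8048117 <foo>
 8048117:   cd 80                   int    $0x80
"""


def syscall_name(eax, ebx=None):
    """Human-readable label for syscall number eax (None if unknown)."""
    if eax is None:
        return "? (eax unknown)"
    name = SYSCALLS.get(eax, "unknown")
    if eax == 102 and ebx is not None:
        name = "socketcall(%s)" % SOCKETCALLS.get(ebx, "sub %d" % ebx)
    return "%d = %s" % (eax, name)


def annotate(text):
    """Return the disassembly lines with each int $0x80 commented."""
    eax = ebx = None
    out = []
    for line in text.splitlines():
        m = MOV_IMM.search(line)
        x = XOR_SELF.search(line)
        if m:
            imm, reg = int(m.group(1), 16), m.group(2)
            if reg == "eax":
                eax = imm
            elif reg == "ebx":
                ebx = imm
            elif reg == "al":   # byte move: assume upper bytes are zero if unknown
                eax = ((eax or 0) & 0xffffff00) | imm
            else:               # "bl"
                ebx = ((ebx or 0) & 0xffffff00) | imm
        elif x:
            if x.group(1) == "eax":
                eax = 0
            else:
                ebx = 0
        elif INT80.search(line):
            line = line + "\t; syscall " + syscall_name(eax, ebx)
            eax = None          # the kernel returns the result in %eax
        else:
            if CLOBBER_EAX.search(line):
                eax = None
            if CLOBBER_EBX.search(line):
                ebx = None
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(annotate(SAMPLE)))
```

Only immediates and self-xor are tracked, so a syscall number loaded via a register move or from memory is reported as unknown rather than guessed; for a disassembly of a real sample those spots are the ones worth reading by hand.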