Scan of the Month

Scan 28

This month's challenge is to analyze a successful compromise and the attacker's actions after it. All submissions are due no later than 23:00 GMT, Friday, May 23rd. Results will be released Friday, May 30.

Skill Level: Intermediate

The Challenge:
Members of the Mexico Honeynet Project captured a unique attack. As is common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files: Day1 captures the break-in, and Day3 captures some unique activity following the compromise. The honeypot in question is IP 192.168.100.28. Make sure you review the challenge criteria before submitting your writeup.

Download the Binaries
day1.log.gz MD5 (day1.log.gz) = 79e5871791542c8f38dd9cee2b2bc317
day3.log.gz MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636

Questions

  1. What is the operating system of the honeypot? How did you determine that? (see day1)
  2. How did the attacker(s) break into the system? (see day1)
  3. Which systems were used in this attack, and how? (see day1)
  4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)
  5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)
  6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used? (see day3)
  7. Can you identify the nationality of the attacker? (see day3)

Bonus Questions:

  • What are the implications of using the unusual IP protocol for the intrusion detection industry?
  • What tools exist that can decode this protocol?

The Results:
This month's challenge questions, judging and team writeup were done by Raul Garcia of the Mexico Honeynet Project.

Raul's official writeup

Writeup from the Security Community
We would like to thank the community for all of the incredible submissions we received. This was one of the hardest challenges yet to judge, as there were many extremely well done submissions. The difference between first and tenth place is only a couple of points. There were a total of 39 submissions. However, because of space and resource limitations, we can only post the top 30 entries.

Top 2 Entries

Next Top 3 Entries

Next Top 10 Entries

Remaining Entries
