A network trace containing attack traffic is provided. (Note that the IP address of the victim has been changed to hide its true location.) Analyze it and answer the following questions:
1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
ARP, IP, DHCP, DNS, HTTP, ICMP, IGMP, NBNS, TCP. The attack is HTTP-based: the malicious pages listed under question 3 are fetched by the victims' browsers over plain HTTP, so HTTP is the protocol to focus on.
2. List IPs, host names / domain names. What can you tell about them? What can you deduce from the setup? Does it look like a real situation? (4pts)
10.0.2.2
10.0.3.2
10.0.4.2
10.0.5.2
10.0.2.15
10.0.3.15
10.0.4.15
10.0.5.15
192.168.1.1
192.168.56.50
192.168.56.51
192.168.56.52
64.236.114.1
74.125.77.101
74.125.77.102
209.85.227.100
209.85.227.106

The four 10.0.N.2 / 10.0.N.15 pairs match VirtualBox's default NAT addressing (gateway 10.0.2.2, first guest 10.0.2.15), and 192.168.56.0/24 is VirtualBox's default host-only network, so the deduction is that the "victims" are virtual machines on one analyst's workstation, each behind its own NAT network, talking to the public addresses of the sites listed under question 3. That is a lab setup rather than a real user population, although the traffic pattern itself (ordinary browsing that lands on a malicious page) is exactly what a real drive-by looks like.

3. List all the web pages. List those visited that contain suspect and possibly malicious JavaScript, and who is connecting to them. Briefly describe the nature of the malicious web pages. (6pts)
- sploitme.com.cn/?click=3feb5a6b2f - redirect
- rapidshare.com.eyu.ru/login.php - loads another page (sploitme.com.cn)
- honeynet.org
- google.fr
- google.com
- google-analytics.com
- sploitme.com.cn/fg/show.php?s=3feb5a6b2 - 404 page
- sploitme.com.cn/fg/load.php?=1
The suspect pages are rapidshare.com.eyu.ru/login.php, which pulls in sploitme.com.cn, and the three sploitme.com.cn URLs (the redirect, the show.php page that answers 404, and load.php). honeynet.org, google.fr, google.com and google-analytics.com are ordinary sites visited by the same clients.
4. Can you sketch an overview of the general actions performed by the attacker? (2pts)
5. What steps are taken to slow the analysis down? (2pts)
6. Provide the javascripts from the pages identified in the previous question. Decode/de-obfuscate them too. (8pts)
7. On the malicious URLs, what do you think the variable 's' refers to? List the differences. (2pts)
8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks have been prevented? (4pts)
The attacks target Microsoft Windows and its variants. They are browser-specific, aimed at Internet Explorer 6 and above.
9. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this) (5pts)

Second network trace (a separate capture). Analyze it and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
98.114.205.102 (attacker) and 192.150.11.111 (victim)

2. What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.
The attacking host is 98.114.205.102. WHOIS and geolocation data place it in Southampton, Pennsylvania, United States (postal code 18966), on Verizon Internet Services. Keep in mind that this locates the ISP's allocation, not necessarily the person behind the attack; the host may itself be a compromised machine.

3. How many TCP sessions are contained in the dump file? (2pts)
There are 5 TCP sessions (distinct conversations, as counted under Wireshark's Statistics > Conversations). Wireshark labels the traffic carried inside them as DCERPC (Distributed Computing Environment / Remote Procedure Call), DSSETUP (Directory Services Setup), SMB (Server Message Block), Socks and plain TCP; those are dissector labels for the payloads, not separate sessions.

4. How long did it take to perform the attack? (2pts)
16.219218 seconds, measured from the first packet of the attack to the last.
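
Question 1 of the first set (the protocol inventory), and questions 3 and 4 here (TCP session count and attack duration), all fall out of one pass over the capture. The following is an added example, not code from the page or from the challenge authors: a pure-Python libpcap reader that labels each frame, de-duplicates TCP conversations regardless of direction, and reports the first-to-last-packet span. It runs on a small capture constructed in memory (seven frames that reuse the page's addresses with made-up ports and timestamps). The port-to-protocol labelling mirrors Wireshark's defaults and is an assumption of the example, as is the Ethernet link type.

```python
"""Walk a libpcap file: protocol inventory, TCP conversation count, duration.
Pure Python; no scapy/dpkt required."""
import socket
import struct
from collections import Counter

# Labelling tables. Port-based labelling is an assumption mirroring Wireshark's
# default dissector choices; a capture may carry these protocols on other ports.
IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
UDP_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NBNS"}
TCP_PORTS = {21: "FTP", 80: "HTTP", 139: "SMB", 445: "SMB"}


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame) for each record of a classic libpcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def classify(frame: bytes):
    """Return (set of protocol labels, direction-independent TCP key or None)."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == 0x0806:
        return {"ARP"}, None
    if ethertype != 0x0800:
        return {"ethertype 0x%04x" % ethertype}, None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ip[12:16], ip[16:20]
    labels = {"IP", IP_PROTO.get(proto, "IP proto %d" % proto)}
    if proto not in (6, 17):
        return labels, None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    table = TCP_PORTS if proto == 6 else UDP_PORTS
    labels.update(table[p] for p in (sport, dport) if p in table)
    if proto != 6:
        return labels, None
    # Both directions of one TCP conversation map to the same sorted key.
    return labels, tuple(sorted([(src, sport), (dst, dport)]))


def summarize(pcap: bytes):
    """Protocol list, number of distinct TCP conversations, first-to-last span."""
    protocols, sessions, first, last = Counter(), set(), None, None
    for ts, frame in iter_packets(pcap):
        first = ts if first is None else first
        last = ts
        labels, key = classify(frame)
        protocols.update(labels)
        if key is not None:
            sessions.add(key)
    return {"protocols": sorted(protocols), "tcp_sessions": len(sessions),
            "duration": 0.0 if first is None else last - first}


# --- constructed sample capture (not the page's trace) ----------------------
def _eth(ethertype, payload):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _tcp(sport, dport, flags=0x02):   # bare SYN by default
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = _pcap([
    (0.0, _eth(0x0806, b"\x00" * 28)),                                                   # ARP
    (0.5, _eth(0x0800, _ipv4(17, "10.0.2.15", "10.0.2.2", _udp(1025, 53, b"\x00" * 12)))),  # DNS
    (1.0, _eth(0x0800, _ipv4(6, "10.0.2.15", "74.125.77.101", _tcp(1026, 80)))),        # HTTP SYN
    (1.1, _eth(0x0800, _ipv4(6, "74.125.77.101", "10.0.2.15", _tcp(80, 1026, 0x12)))),  # SYN/ACK
    (2.0, _eth(0x0800, _ipv4(6, "98.114.205.102", "192.150.11.111", _tcp(1821, 445)))), # SMB
    (3.0, _eth(0x0800, _ipv4(1, "10.0.2.15", "10.0.2.2", b"\x08\x00" + b"\x00" * 6))),   # ICMP echo
    (16.219218, _eth(0x0800, _ipv4(6, "98.114.205.102", "192.150.11.111", _tcp(1828, 1957)))),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

On a real file, pass `open("trace.pcap", "rb").read()` to `summarize`. The SYN and SYN/ACK frames in the sample collapse into one conversation, which is the behaviour that makes the session count match Wireshark's Conversations view rather than a naive count of (src, dst) tuples.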

5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
The operating system of the victim is Windows NT 5.1, i.e. Windows XP, as reported by the victim itself in the SMB session setup exchange.

The service involved is the Local Security Authority Subsystem Service (LSASS).

The vulnerability is a stack buffer overflow in LSASS, reached through the DsRoleUpgradeDownlevelServer RPC function (MS04-011, CVE-2003-0533, the same bug exploited by the Sasser worm).

6. Can you sketch an overview of the general actions performed by the attacker? (5pts)
- The attacker sends a connection request (SYN) to TCP port 445 on the victim.
- The victim acknowledges it, so the port is open.
- The attacker tears that connection down; it was only a probe.
- The attacker opens an SMB session and connects to the IPC$ share, \\192.150.11.111\ipc$.
- Over that share it calls the vulnerable DSSETUP RPC function and triggers the LSASS overflow.
- The exploit payload makes the victim listen on a new port (1957); the attacker connects to that shell and instructs the victim to download the file ssms.exe via FTP.
- The download succeeds, so the victim is now running attacker-supplied malware.
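
The chain above reduces to a flow-level pattern that can be hunted for in NetFlow or Zeek-style connection records: an external host talks to SMB on the victim, the same host then connects to a previously unused high port on the victim (the bind shell), and the victim finally opens a connection back to that host (the download). The code below is an added example, not from the page, and it generalizes beyond this trace: the download port is left unconstrained because the attacker chooses it (FTP here, but not necessarily on port 21). The flow records, the time window and the automation threshold (which also backs the reasoning in question 9) are constructed assumptions.

```python
"""Flow-level hunt for the SMB -> bind shell -> pull-down chain seen in the trace."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float      # start time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed, tunable thresholds (not taken from the page).
WINDOW_SECONDS = 120.0     # max spread between the SMB contact and the pull-down
AUTOMATION_SECONDS = 60.0  # chains that finish faster than this are flagged as scripted
SMB_PORTS = {139, 445}


def find_smb_bindshell_chains(flows: List[Flow], window: float = WINDOW_SECONDS) -> List[Dict]:
    """Return one alert per (attacker, victim) pair that shows, in order:
       1. attacker -> victim on an SMB port,
       2. attacker -> victim on a non-SMB port >= 1024 (bind shell opened by the exploit),
       3. victim -> attacker on any port (the download channel; FTP in the trace,
          but the port is attacker-chosen, so none is assumed here)."""
    flows = sorted(flows, key=lambda f: f.ts)
    seen, alerts = set(), []
    for smb in flows:
        if smb.proto != "tcp" or smb.dport not in SMB_PORTS:
            continue
        pair = (smb.src, smb.dst)
        if pair in seen:
            continue
        attacker, victim = pair
        deadline = smb.ts + window
        shell = next((f for f in flows if f.src == attacker and f.dst == victim
                      and f.dport >= 1024 and f.dport not in SMB_PORTS
                      and smb.ts < f.ts <= deadline), None)
        if shell is None:
            continue
        pull = next((f for f in flows if f.src == victim and f.dst == attacker
                     and shell.ts < f.ts <= deadline), None)
        if pull is None:
            continue
        seen.add(pair)
        elapsed = pull.ts - smb.ts
        alerts.append({"attacker": attacker, "victim": victim,
                       "shell_port": shell.dport, "download_port": pull.dport,
                       "elapsed": elapsed,
                       "likely_automated": elapsed < AUTOMATION_SECONDS})
    return alerts


# Constructed flow records: the IPs and the shell port follow the trace,
# the timestamps and the FTP port are made up for the example.
SAMPLE_FLOWS = [
    Flow(0.0, "98.114.205.102", 1821, "192.150.11.111", 445),   # port probe
    Flow(0.3, "98.114.205.102", 1824, "192.150.11.111", 445),   # IPC$ session + exploit
    Flow(1.0, "10.0.2.15", 1026, "74.125.77.101", 80),          # unrelated web traffic
    Flow(2.0, "192.168.56.50", 1050, "192.168.56.51", 445),     # ordinary SMB, no follow-up
    Flow(4.0, "98.114.205.102", 1828, "192.150.11.111", 1957),  # attacker -> bind shell
    Flow(9.0, "192.150.11.111", 1030, "98.114.205.102", 21),    # victim pulls ssms.exe
]

if __name__ == "__main__":
    for alert in find_smb_bindshell_chains(SAMPLE_FLOWS):
        print(alert)
```

The ordinary SMB flow between the two 192.168.56.x hosts produces nothing because no shell connection or reverse connection follows it; a false positive would need all three stages in order, within the window, between the same two hosts.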

7. What specific vulnerability was attacked? (2pts)
The LSASS buffer overflow in DsRoleUpgradeDownlevelServer (MS04-011 / CVE-2003-0533).

8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)
Yes. The downloaded file is ssms.exe; the name is chosen to look like the legitimate Windows process smss.exe (Session Manager Subsystem) so that it blends in on the victim.

9. Do you think this is a manual or an automated attack (2pts)? Why?
Given that the whole attack completes in about 16 seconds, which is very fast, the attack is automated. A manual attacker would need considerably longer to stage the same sequence of steps.
Welcome to my blog!
This is for my requirements in IT Security and Analytics!
Have fun! ^__^