1. Which systems (i.e. IP addresses) are involved? (2pts)
98.114.205.102 (the attacking host) and 192.150.11.111 (the victim).

2. What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.
The attacking host is 98.114.205.102. According to whois, the address is allocated to Verizon Internet Services and registered in Southampton, Pennsylvania, United States, postal code 18966. Whois and geolocation data describe the address block's registration, not necessarily the physical machine, and the record may have changed since the capture was taken.

3. How many TCP sessions are contained in the dump file? (2pts)
There are 5 TCP sessions (Wireshark: Statistics > Conversations > TCP). In the Protocol column Wireshark labels them by the highest-layer protocol its dissectors recognised: DCERPC (Distributed Computing Environment / Remote Procedure Call), DSSETUP (Directory Services Setup), SMB (Server Message Block), Socks, and plain TCP. These are dissector labels, not session types: DSSETUP rides on DCERPC, which rides on SMB, and "Socks" is only a heuristic guess for a stream on a non-standard port, not evidence that a SOCKS proxy was used.

4. How long did it take to perform the attack? (2pts)
16.219218 seconds, measured as the time between the first and the last packet of the capture (set a time reference on the first packet and read the Time column of the last one, or use Statistics > Capture File Properties).
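As an added example for questions 3 and 4 (not part of the original write-up), the following stand-alone Python script parses a classic pcap with the standard library only, groups IPv4/TCP packets into sessions by their 4-tuple (the client being whoever sent the first packet), classifies a session that was torn down right after the SYN/SYN-ACK exchange as a port probe, and reports the elapsed time between the first and last packet. The sample capture is constructed inline from the two IPs in the trace; the client ports, timestamps and the reduced number of sessions are made up for illustration and do not reproduce the challenge pcap.

```python
"""Count TCP sessions and measure attack duration in a pcap (stdlib only)."""
import struct

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_packet(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(records):
    """records: (ts_sec, ts_usec, frame). Classic pcap, little-endian, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (ts_usec, src, dst, sport, dport, flags) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                # IP protocol field: 6 = TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield sec * 1_000_000 + usec, src, dst, sport, dport, tcp[13]


def tcp_sessions(pcap):
    """Group packets by 4-tuple; the client is the side that sent the first packet."""
    sessions = {}
    for ts, src, dst, sport, dport, flags in iter_tcp(pcap):
        key = ((src, sport), (dst, dport))
        if ((dst, dport), (src, sport)) in sessions:
            key = ((dst, dport), (src, sport))
        s = sessions.setdefault(key, {"client": key[0], "server": key[1],
                                      "first": ts, "last": ts, "packets": 0,
                                      "client_flags": [], "server_flags": []})
        s["last"], s["packets"] = ts, s["packets"] + 1
        side = "client_flags" if (src, sport) == key[0] else "server_flags"
        s[side].append(flags)
    return list(sessions.values())


def classify(session):
    """A client that sends RST without ever sending a bare ACK only probed the port."""
    c = session["client_flags"]
    if any(f & RST for f in c) and not any(f & ACK and not f & SYN for f in c):
        return "port probe"
    return "established"


def attack_duration(pcap):
    """Seconds from the first TCP packet to the last one."""
    stamps = [rec[0] for rec in iter_tcp(pcap)]
    return (max(stamps) - min(stamps)) / 1_000_000


ATTACKER, VICTIM = "98.114.205.102", "192.150.11.111"   # the two hosts in the trace
# Constructed sample: port probe, exploit session on 445, shell on 1957.
# Client ports and timestamps are made up; only the host IPs come from the capture.
SAMPLE = build_pcap([
    (0, 0,       build_packet(ATTACKER, VICTIM, 1821, 445, SYN)),
    (0, 100,     build_packet(VICTIM, ATTACKER, 445, 1821, SYN | ACK)),
    (0, 200,     build_packet(ATTACKER, VICTIM, 1821, 445, RST)),
    (0, 500000,  build_packet(ATTACKER, VICTIM, 1828, 445, SYN)),
    (0, 500100,  build_packet(VICTIM, ATTACKER, 445, 1828, SYN | ACK)),
    (0, 500200,  build_packet(ATTACKER, VICTIM, 1828, 445, ACK)),
    (3, 0,       build_packet(ATTACKER, VICTIM, 1924, 1957, SYN)),
    (3, 100,     build_packet(VICTIM, ATTACKER, 1957, 1924, SYN | ACK)),
    (3, 200,     build_packet(ATTACKER, VICTIM, 1924, 1957, ACK)),
    (16, 219218, build_packet(VICTIM, ATTACKER, 1957, 1924, FIN | ACK)),
])

if __name__ == "__main__":
    for s in tcp_sessions(SAMPLE):
        print(s["client"], "->", s["server"], s["packets"], "pkts", classify(s))
    print("duration: %.6f s" % attack_duration(SAMPLE))
```

Pointing `iter_tcp` at the bytes of the real capture instead of `SAMPLE` gives the same session count as Wireshark's Conversations tab, and the per-session first/last timestamps show where the 16 seconds are spent.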

5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
The victim is running Windows XP: the Native OS field of the SMB Session Setup AndX response reports "Windows 5.1", which is the internal version number of Windows XP.

The service involved is the Local Security Authority Subsystem Service (LSASS).

The vulnerability is a stack-based buffer overflow in LSASS, reached through the DsRoleUpgradeDownlevelServer call of the DSSETUP RPC interface, carried over DCERPC/SMB on port 445 (MS04-011, CVE-2003-0533, the bug exploited by the Sasser worm).

6. Can you sketch an overview of the general actions performed by the attacker? (5pts)
- The attacker sends a connection request (SYN) to TCP port 445 on the victim.
- The victim answers with SYN/ACK, so the port is open.
- The attacker closes this connection again straight away: it was only a probe.
- The attacker opens a fresh connection to port 445, negotiates SMB and connects to the IPC$ share (\\192.150.11.111\ipc$), through which the RPC named pipes are reached.
- Over that pipe the attacker issues the DSSETUP request that triggers the LSASS overflow and delivers the shellcode.
- The shellcode opens a listener on port 1957; the attacker connects to it and sends commands that make the victim download the file ssms.exe over FTP from the attacker's host (the only other system in the capture).
- The download completes, so the malware is now on the victim.

7. What specific vulnerability was attacked? (2pts)
The LSASS buffer overflow in DsRoleUpgradeDownlevelServer (MS04-011, CVE-2003-0533).

8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)
Yes. The file is ssms.exe, the binary the victim downloaded over FTP. The name is chosen to look like smss.exe, the legitimate Windows Session Manager Subsystem, so that it is easily overlooked in a process list.

9. Do you think this is a manual or an automated attack (2pts)? Why?
The attack is automated. The whole sequence (port probe, SMB setup, exploit, shell on port 1957, FTP download) completes in about 16 seconds, with no pauses between steps and no typing errors or retries in the shell session; a human operator working interactively would take considerably longer and would leave irregular gaps between commands.
