A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
ARP, IP, DHCP, DNS, HTTP, ICMP, IGMP, NBNS, TCP
2. List IPs, host names / domain names. What can you tell about them? What can be deduced from the setup? Does it look like a real situation? (4pts)
- 10.0.2.2
- 10.0.3.2
- 10.0.4.2
- 10.0.5.2
- 10.0.2.15
- 10.0.3.15
- 10.0.4.15
- 10.0.5.15
- 192.168.1.1
- 192.168.56.50
- 192.168.56.51
- 192.168.56.52
- 64.236.114.1
- 74.125.77.101
- 74.125.77.102
- 209.85.227.100
- 209.85.227.106
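As an added example (not part of the original write-up, and not code from the challenge), the following Python script runs the kind of triage this question asks for over the address list above: it separates RFC 1918 addresses from public ones, groups them into /24 subnets, and looks for a host-numbering layout that repeats across subnets. The input list is constructed from the addresses on this page; the interpretation in the comments is the usual reading of such a pattern, not something the capture itself states.

```python
import ipaddress
from collections import defaultdict

# Constructed input: the addresses listed in the answer to question 2.
OBSERVED_IPS = [
    "10.0.2.2", "10.0.3.2", "10.0.4.2", "10.0.5.2",
    "10.0.2.15", "10.0.3.15", "10.0.4.15", "10.0.5.15",
    "192.168.1.1", "192.168.56.50", "192.168.56.51", "192.168.56.52",
    "64.236.114.1", "74.125.77.101", "74.125.77.102",
    "209.85.227.100", "209.85.227.106",
]


def classify(ips):
    """Split addresses into RFC 1918 (private) and publicly routable lists."""
    private, public = [], []
    for ip in ips:
        (private if ipaddress.ip_address(ip).is_private else public).append(ip)
    return private, public


def group_by_subnet(ips, prefix=24):
    """Group addresses by their enclosing /prefix network, preserving input order."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


def host_patterns(ips, prefix=24):
    """Map each distinct host-number layout (sorted last octets) to the subnets using it."""
    patterns = defaultdict(list)
    for net, hosts in group_by_subnet(ips, prefix).items():
        key = tuple(sorted(int(h.rsplit(".", 1)[1]) for h in hosts))
        patterns[key].append(net)
    return dict(patterns)


def cloned_subnets(ips, prefix=24):
    """Return the most repeated host layout and the subnets that share it.
    The same gateway/host numbering recurring in several subnets points to
    cloned virtual machines rather than a real, organically grown network."""
    patterns = host_patterns(ips, prefix)
    key = max(patterns, key=lambda k: len(patterns[k]))
    return key, sorted(patterns[key])


if __name__ == "__main__":
    private, public = classify(OBSERVED_IPS)
    print(f"private: {len(private)}  public: {len(public)}")
    for net, hosts in group_by_subnet(OBSERVED_IPS).items():
        print(f"{net:18} {', '.join(hosts)}")
    layout, nets = cloned_subnets(OBSERVED_IPS)
    print(f"host layout {layout} repeated in {len(nets)} subnets: {nets}")
```

On this list the script reports four 10.0.x.0/24 subnets that each contain exactly a .2 and a .15 host, which is the default address pair a VirtualBox NAT guest receives (general knowledge, not stated on the page); the 192.168.56.x addresses are a separate private range, and only five addresses are public. That is the evidence for "several lab VMs behind NAT" rather than a production network.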
3. List all the web pages. List those visited containing suspect and possibly malicious JavaScript, and who is connecting to them? Briefly describe the nature of the malicious web pages. (6pts)
- sploitme.com.cn/?click=3feb5a6b2f - redirect
- rapidshare.com.eyu.ru/login.php - loads another page (sploitme.com)
- honeynet.org
- google.fr
- google.com
- google-analytics.com
- sploitme.com.cn/fg/show.php?s=3feb5a6b2 - 404 page
- sploitme.com.cn/fg/load.php?=1
4. Can you sketch an overview of the general actions performed by the attacker? (2pts)
5. What steps are taken to slow the analysis down? (2pts)
6. Provide the javascripts from the pages identified in the previous question. Decode/de-obfuscate them too. (8pts)
7. On the malicious URLs, what do you think the variable 's' refers to? List the differences. (2pts)
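For both question 3 (which hosts are contacted and how often) and question 7 (the 's' parameter on the sploitme.com.cn URLs), here is an added Python example, not part of the original write-up, that parses the URLs listed in the answer to question 3 with the standard library only. The URL list is constructed from this page (an http:// scheme is prepended so the parser sees a host); the brand name checked by `spoofs_domain` is taken from the rapidshare.com.eyu.ru entry, and nothing about the pages' content beyond what the list shows is assumed.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed input: the URLs listed in the answer to question 3, with an
# http:// scheme prepended so that urlsplit() recognises the host part.
OBSERVED_URLS = [
    "http://sploitme.com.cn/?click=3feb5a6b2f",
    "http://rapidshare.com.eyu.ru/login.php",
    "http://honeynet.org/",
    "http://google.fr/",
    "http://google.com/",
    "http://google-analytics.com/",
    "http://sploitme.com.cn/fg/show.php?s=3feb5a6b2",
    "http://sploitme.com.cn/fg/load.php?=1",
]


def parse_url(url):
    """Return (host, path, {name: value}); blank names are kept so '?=1' stays visible."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.hostname, parts.path, {k: v[0] for k, v in query.items()}


def requests_by_host(urls):
    """Group (path, params) pairs per host, so repeated contact with one host stands out."""
    by_host = defaultdict(list)
    for url in urls:
        host, path, params = parse_url(url)
        by_host[host].append((path, params))
    return dict(by_host)


def tracking_tokens(urls, names=("click", "s")):
    """Collect the values of the candidate session/tracking parameters, keyed by host+path."""
    tokens = {}
    for url in urls:
        host, path, params = parse_url(url)
        for name in names:
            if name in params:
                tokens[host + path] = (name, params[name])
    return tokens


def compare_tokens(a, b):
    """Split two token values into their common prefix and the leftover suffixes."""
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return {"common_prefix": a[:i], "only_in_first": a[i:], "only_in_second": b[i:]}


def spoofs_domain(host, brand):
    """True when `brand` appears as labels inside `host` but is not the domain actually
    served (e.g. rapidshare.com.eyu.ru is a host under eyu.ru, not under rapidshare.com)."""
    labels, brand_labels = host.split("."), brand.split(".")
    n = len(brand_labels)
    if labels[-n:] == brand_labels:
        return False
    return any(labels[i:i + n] == brand_labels for i in range(len(labels) - n))


if __name__ == "__main__":
    for host, reqs in requests_by_host(OBSERVED_URLS).items():
        flag = " (brand name embedded in a foreign domain)" if spoofs_domain(host, "rapidshare.com") else ""
        print(f"{host}{flag}")
        for path, params in reqs:
            print(f"    {path} {params}")
    toks = tracking_tokens(OBSERVED_URLS)
    click = toks["sploitme.com.cn/"][1]
    s = toks["sploitme.com.cn/fg/show.php"][1]
    print("click vs s:", compare_tokens(click, s))
```

Run against the list, the script shows sploitme.com.cn being contacted three times on three different paths, flags rapidshare.com.eyu.ru as a host whose registrable domain is eyu.ru rather than rapidshare.com, and reports that the `click` value and the `s` value share the prefix `3feb5a6b2` and differ only by the trailing `f`, which is the concrete difference question 7 asks for. The `load.php?=1` entry parses to a parameter with an empty name, which is worth noting when writing detection rules, since a naive `s=` match will miss it.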
8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks have been prevented? (4pts)
The attacks target Microsoft Windows and its variants. They are also browser-specific, most notably Internet Explorer 6 and above.
9. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this) (5pts)