Security Forums

Simple SFDC Forensics Challenge.

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

PostPosted: Mon Dec 23, 2002 6:06 pm    Post subject: Simple SFDC Forensics Challenge.

Here you go, something for you all to have a go at. It's one I had a go at; a guy at rootwars.org set it.

It's a fairly easy one.

Grab this:

Binary Capture File

1) What alerts would snort find if it was listening to the line when these packets went through?

Download and install snort, read the Instructions, and run this capture file
through it. Look at your alert log.

2) What is the IP address of the attacking machine?
3) What is the IP of the defending machine?
4) Bonus Question: What is a MAC address, and what was the MAC address of the attacking machine?

Level 2: For those who have been here before...
TIP : Question 8 is not silly, just look and you will find it.
5) In packet 41, what is going on?
6) List what users exist on the target machine
7) One user had their password broken with brute force methods, what was the user's password?
8) Bonus Question: What is my favourite colour?

Level 3: Think, This will be where the big boys show their stuff.
9) If the defending machine was administered by you, what would you have done differently to stop this machine from falling prey to this style of attack?
10) If you were pen testing this network and you attacked the machine in this way, what would your next steps be?

There has been a lot of talk of these kinds of attacks lately..

So let's see who's got some skills and who hasn't.

Keep your answers and post them on or around midday GMT Jan 3rd.

It's not a hard challenge so I expect plenty of people to get high marks.

For those that are totally new to this, Ethereal, Snort and TCPDump might be useful (You'll need LibPCap for all of these).
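Added example, not code from the thread or from Snort/Ethereal/tcpdump: a small Python pcap triage script of the kind you would write to answer questions 2 to 5 (who talked to whom, at which MAC and IP, and where the IPC$ tree connect is) and to flag the pattern behind question 7 from the defender's side, a burst of SMB Session Setup requests from one host to one target. It assumes a classic little-endian pcap with Ethernet frames and SMB1 on TCP/139 or TCP/445. The sample capture it builds is constructed here (the IPs only mirror the ones quoted in the answers below; the MACs, ports and packet bodies are invented), as are the `parse_pcap`, `decode_frame`, `triage` and `build_sample_pcap` names.

```python
"""Added example: triage an Ethernet/IPv4/TCP pcap the way the challenge asks.

Assumptions (not from the thread): classic little-endian pcap, Ethernet link type,
SMB1 over TCP/139 or TCP/445. The sample capture built below is constructed.
"""
import struct
from collections import Counter

SMB_PORTS = {139, 445}
SMB_COM_SESSION_SETUP_ANDX = 0x73   # SMB1 command byte, offset 4 of the SMB header
SMB_COM_TREE_CONNECT_ANDX = 0x75
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# Constructed addresses for the sample capture (IPs mirror the thread; MACs are made up)
ATTACKER_MAC, ATTACKER_IP = "02:00:00:00:00:25", "192.168.10.25"
VICTIM_MAC, VICTIM_IP = "02:00:00:00:00:02", "192.168.10.2"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Yield link-layer frames from a classic (non-pcapng) little-endian pcap buffer."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("example handles little-endian classic pcap with Ethernet frames only")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return L2-L4 fields for an IPv4/TCP frame, or None for anything else (e.g. ARP)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    smb_cmd = None
    # SMB over TCP carries a 4-byte NetBIOS session header before the 0xFF 'S' 'M' 'B' magic
    if payload[4:8] == b"\xffSMB" and len(payload) > 8:
        smb_cmd = payload[8]
    return {
        "src_mac": mac_str(frame[6:12]), "dst_mac": mac_str(frame[0:6]),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "flags": tcp[13], "smb_cmd": smb_cmd, "payload": payload,
    }


def triage(data, setup_threshold=5):
    """Answer the who/what questions: talkers per MAC/IP, IPC$ connects, Session Setup bursts."""
    talkers, setups, ipc_connects = Counter(), Counter(), []
    for frame in parse_pcap(data):
        pkt = decode_frame(frame)
        if pkt is None:
            continue
        talkers[(pkt["src_mac"], pkt["src_ip"])] += 1
        if pkt["dport"] not in SMB_PORTS:       # only the client -> server direction counts
            continue
        pair = (pkt["src_ip"], pkt["dst_ip"])
        if pkt["smb_cmd"] == SMB_COM_TREE_CONNECT_ANDX and (
                b"IPC$" in pkt["payload"] or "IPC$".encode("utf-16-le") in pkt["payload"]):
            ipc_connects.append(pair)
        if pkt["smb_cmd"] == SMB_COM_SESSION_SETUP_ANDX:
            setups[pair] += 1
    # Many Session Setup requests from one host to one target is the password-guessing signature
    suspected = {pair: n for pair, n in setups.items() if n >= setup_threshold}
    return {"talkers": talkers, "ipc_connects": ipc_connects,
            "session_setups": setups, "suspected_bruteforce": suspected}


# ---- constructed sample capture (not the challenge file) --------------------------
def _frame(src, dst, sport, dport, payload=b"", flags=0x18):
    def ip4(s): return bytes(int(o) for o in s.split("."))
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    eth = mac(dst[0]) + mac(src[0]) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src[1]), ip4(dst[1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def _smb1(cmd, body=b""):
    msg = b"\xffSMB" + bytes([cmd]) + b"\x00" * 27 + body       # 32-byte SMB1 header + body
    return struct.pack("!I", len(msg)) + msg                   # NetBIOS session header


def build_sample_pcap():
    """Constructed: SYN, IPC$ tree connect, six Session Setup guesses, one reply, one ARP frame."""
    a, v = (ATTACKER_MAC, ATTACKER_IP), (VICTIM_MAC, VICTIM_IP)
    frames = [_frame(a, v, 1043, 445, flags=0x02),
              _frame(a, v, 1043, 445, _smb1(SMB_COM_TREE_CONNECT_ANDX, b"\\\\192.168.10.2\\IPC$\x00"))]
    frames += [_frame(a, v, 1043, 445, _smb1(SMB_COM_SESSION_SETUP_ANDX, b"guess%d" % i)) for i in range(6)]
    frames.append(_frame(v, a, 445, 1043, _smb1(SMB_COM_SESSION_SETUP_ANDX)))   # server reply
    frames.append(bytes.fromhex("ffffffffffff020000000025") + b"\x08\x06" + b"\x00" * 28)  # ARP
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for key, value in triage(build_sample_pcap()).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it on a real file with `triage(open("ch1.capture", "rb").read())`; the talkers counter gives the MAC/IP pairs, the IPC$ list gives the packet the null-session question is about, and the Session Setup counter is the signal an administrator would alert on and an account-lockout policy would cut short. Only requests towards 139/445 are counted, so a server's replies never inflate the brute-force count.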
b4rtm4n
Trusted SF Member
Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

PostPosted: Tue Dec 24, 2002 4:57 am    Post subject: Re: Simple SFDC Forensics Challenge.

ShaolinTiger wrote:
For those that are totally new to this, Ethereal, Snort and TCPDump might be useful (You'll need LibPCap for all of these).


i.e. *nix systems!

WinPcap not totally up to the job!
max_blakk
Just Arrived
Joined: 29 Oct 2002
Posts: 0
Location: South Wales UK

PostPosted: Fri Jan 03, 2003 2:21 pm

Here goes nothing, no laughing at the back please.. :D

1) What alerts would snort find if it was listening to the line when these packets went through?

Connect to administrative share IPC$

(Couldn't get snort to give me any alerts with this.. tried snort < ch1.capture and snort -r ch1.capture.. oh well...)

2) What is the IP address of the attacking machine?

192.168.10.25

3) What is the IP of the defending machine?

192.168.10.2

4) Bonus Question: What is a MAC address, and what was the MAC address of the attacking machine?

Media Access controller, REALTEK NIC (00:e0:4c:0a:6b:13)

5) In packet 41, what is going on?

Connect to "Interprocess Communication Share" - Null Session..??

6) List what users exist on the target machine

080100686 Administrator Guest IUSR_FP5SERVER IWAM_FP5SERVER twat

7) One user had their password broken with brute force methods, what was the user's password?

Rough guess.. twat1 (twat)

8) Bonus Question: What is my favourite colour?

????? No idea, couldn't find jack...

9) If the defending machine was administered by you, what would you have done different to stop this machine from falling prey to this style of attack?

Block port 445 at the border firewall if unneeded. Block the port with the local Win2k firewall also.

Change password policy, 8 characters min (from the 0 setting..!!! packet 72) recommend combo of numbers and characters, set min/max pass age, max attempt lockouts.
Disable NetBIOS SMB on untrusted interface (binding)(e.g. ppp)

10) If you were pen testing this network and you attacked the machine in this way, what would your next steps be?

Just reaching.... help !!!! :)

Check for open port 3389 (terminal services) using the twat combo..
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

PostPosted: Fri Jan 03, 2003 2:25 pm

Pretty good, I'll mark it later.

No one else got any answers?

You should have been able to read it easy enough with something like snort -r ch1.capture -v -X -l

Ethereal gobbled it up nicely too.
max_blakk
Just Arrived
Joined: 29 Oct 2002
Posts: 0
Location: South Wales UK

PostPosted: Fri Jan 03, 2003 4:07 pm

Thx for the syntax ShaolinTiger...!!

8) Bonus Question: What is my favourite colour?

Getting close now my fave colour is BLUE...!!!
Phaedrus
Just Arrived
Joined: 27 Nov 2002
Posts: 0

PostPosted: Tue Jan 07, 2003 8:46 am    Post subject: Late submission

I got kinda bogged down with a couple of projects I've been working on; here's what I came up with using snort and ethereal.

1) What alerts would snort find if it was listening to the line when these packets went through?
None, snort wasn't feeling co-operative.

2) What is the IP address of the attacking machine?
(apparently)192.168.10.2


3) What is the IP of the defending machine?
192.168.10.25

4) Bonus Question: What is a MAC address, and what was the MAC address of the attacking machine?
MAC address == firmware address of NIC/network interface.
Attacker's MAC == 00:a0:24:ba:f4:31

5) In packet 41, what is going on?
Null session connect request.

6) List what users exist on the target machine
Administrator Guest tw*t

7) One user had their password broken with brute force methods, what was the user's password?
couldn't find the password.

8) Bonus Question: What is my favourite colour?
Blue

Level 3: Think, This will be where the big boys show their stuff.
9) If the defending machine was administered by you, what would you have done differently to stop this machine from falling prey to this style of attack?
not sure, perhaps disallow null session connects?

10) If you were pen testing this network and you attacked the machine in this way, what would your next steps be?
no clue on this one.
tikbalang
Just Arrived
Joined: 28 Mar 2003
Posts: 0
Location: manila, philippines

PostPosted: Fri Apr 11, 2003 1:25 pm

1) What alerts would snort find if it was listening to the line when these packets went through?
Download and install snort, read the Instructions, and run this capture file
through it. Look at your alert log.
-- no idea, not tried snort before


2) What is the IP address of the attacking machine?
--- 192.168.10.25

3) What is the IP of the defending machine?
---192.168.10.2

4) Bonus Question: What is a MAC address, and what was the MAC address of the attacking machine?
---dest = 00:a0:24:ba:f4:31 (3com_ba:f4:31)
---src = 00:e0:4c:0a:6b:13 (RealtekS_0a:6b:13)

Level 2: For those who have been here before...
TIP : Question 8 is not silly, just look and you will find it.
5) In packet 41, what is going on?
--- establishing session to \\192.168.10.2\ipc$

6) List what users exist on the target machine
--- administrator; twat;

7) One user had their password broken with brute force methods, what was the user's password?
--- user = twat
--- pass = twat1

8) Bonus Question: What is my favourite colour?
--- blue (you like it nasty)


Level 3: Think, This will be where the big boys show their stuff.
9) If the defending machine was administered by you, what would you have done differently to stop this machine from falling prey to this style of attack?
--- lock out the user after 3 bad attempts (with lockout status forever until an administrator unlocks it)

10) If you were pen testing this network and you attacked the machine in this way, what would your next steps be?
--- increase password length
--- meet complexity requirements
--- account lockout (3 bad attempts)

please post your evaluation on my answer...
ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

PostPosted: Fri Apr 11, 2003 2:04 pm

Dude this is SO long ago I can't even remember the answers LOL

I'll have a look and see if I've still got them...
dissolutions
Just Arrived
Joined: 15 Dec 2002
Posts: 2

PostPosted: Fri Apr 11, 2003 7:50 pm

ST could you make up some more challenges... ?

Last edited by dissolutions on Fri Apr 11, 2003 11:04 pm; edited 1 time in total
squidly
Trusted SF Member
Joined: 07 Oct 2002
Posts: 16777215
Location: Umm.. I dont know.. somewhere

PostPosted: Fri Apr 11, 2003 10:40 pm

Actually I would like to have some more challenges.. when I get my linux box up and running.
Rottz
Just Arrived
Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

PostPosted: Sat Apr 12, 2003 12:05 am    Post subject: Checkout Honeynet

Check out the Honeynet Scan of the Month if you want a good challenge.
I'll create another thread for it with more details; this thread is old.
tikbalang
Just Arrived
Joined: 28 Mar 2003
Posts: 0
Location: manila, philippines

PostPosted: Sat Apr 12, 2003 6:08 pm

sorry guys, just joined this forum. lot of catching up to do.