Tuesday, September 13, 2011

1st PCAP


1. Which systems (i.e. IP addresses) are involved? (2pts)
* 98.114.205.102 and 192.150.11.111

2. What can you find out about the attacking host (e.g., where is it located)? (2pts) Hint: you may use “whois” on the web to find out the details of the location.
* Attacker came from Southampton, Pennsylvania, U.S. via Verizon Internet Services.

3. How many TCP sessions are contained in the dump file? (2pts)
* 5 TCP sessions

4. How long did it take to perform the attack? (2pts)
* 16 sec
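The host list, session count and duration answers above (questions 1, 3 and 4) all come from walking the capture packet by packet. The following added example, written for this post and not part of the challenge materials, does that with a small dependency-free pcap reader: it parses the classic libpcap file format with `struct`, keeps the two IP addresses seen, counts a TCP session each time a pure SYN (SYN set, ACK clear) opens a new 4-tuple, and reports the span between the first and last packet. The capture it analyses is constructed inline so it runs offline; the port numbers, timestamps and the direction of the last connection are assumptions made for the example, not values from the challenge pcap, although the two IP addresses are the ones named above.

```python
"""Tiny pcap reader: which hosts talk, how many TCP sessions, how long it took.

Added example for the challenge write-up. The capture built by sample_capture()
is CONSTRUCTED here; it is not the challenge pcap.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
SYN, SYN_ACK, ACK, PSH_ACK, FIN_ACK = 0x02, 0x12, 0x10, 0x18, 0x11
ATTACKER, VICTIM = "98.114.205.102", "192.150.11.111"


def build_pcap(packets):
    """Serialise (ts, src_ip, dst_ip, sport, dport, tcp_flags) tuples as a pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst, sport, dport, flags in packets:
        # 20-byte TCP header, no options, no payload (enough for flow accounting)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        eth = b"\x00" * 12 + struct.pack("!H", 0x0800)      # zero MACs, EtherType IPv4
        frame = eth + ip + tcp
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts, src_ip, dst_ip, sport, dport, tcp_flags) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"     # byte order of the record headers
    off = 24                                         # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                 # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                                 # not TCP, or truncated
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        flags = ip[ihl + 13]
        yield sec + usec / 1_000_000, src, dst, sport, dport, flags


def summarize(data):
    """Hosts seen, TCP sessions opened (pure SYN per 4-tuple), first-to-last packet span."""
    hosts, sessions, times = set(), set(), []
    for ts, src, dst, sport, dport, flags in parse_pcap(data):
        hosts.update((src, dst))
        times.append(ts)
        if flags & SYN and not flags & ACK:          # client side opening a connection
            sessions.add((src, sport, dst, dport))
    duration = max(times) - min(times) if times else 0.0
    return {"hosts": sorted(hosts), "tcp_sessions": len(sessions),
            "duration_s": round(duration, 3)}


def sample_capture():
    """Constructed capture: five client-opened sessions spanning 16 s.

    Ports and timings are invented for the example. Three connections go to 445,
    one to an assumed shell port on the victim, and the last is the victim
    connecting back to an assumed download port on the attacker.
    """
    flows = [
        (ATTACKER, 40001, VICTIM, 445, 0.0),
        (ATTACKER, 40002, VICTIM, 445, 1.0),
        (ATTACKER, 40003, VICTIM, 445, 4.0),
        (ATTACKER, 40004, VICTIM, 9999, 8.0),       # assumed shell port on the victim
        (VICTIM, 1040, ATTACKER, 8888, 12.0),       # assumed payload download from attacker
    ]
    pkts = []
    for src, sport, dst, dport, t0 in flows:
        pkts += [(t0, src, dst, sport, dport, SYN),
                 (t0 + 0.01, dst, src, dport, sport, SYN_ACK),
                 (t0 + 0.02, src, dst, sport, dport, ACK),
                 (t0 + 0.5, src, dst, sport, dport, PSH_ACK),
                 (t0 + 4.0, dst, src, dport, sport, FIN_ACK)]
    pkts.sort(key=lambda p: p[0])
    return build_pcap(pkts)


if __name__ == "__main__":
    print(summarize(sample_capture()))
```

Pointing `summarize()` at real file contents (`summarize(open("capture.pcap", "rb").read())`) gives the same three answers for an actual dump; note that it counts sessions by SYN, so a capture that starts mid-connection or uses the newer pcapng container would need a different reader.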


5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
* OS attacked: Windows XP, service: LSASS, vulnerability: buffer overflow

6. Can you sketch an overview of the general actions performed by the attacker? (5pts)
* Attacker establishes a connection (port 445) and consequently logs in. Attacker then triggers a buffer overflow. He then opens a new port on the victim, over which the latter downloads the ssms.exe file.

7. What specific vulnerability was attacked? (2pts)
* buffer overflow

8. Was there malware involved? What is the name of the malware (We are not looking for a detailed malware analysis for this challenge)? (2pts)
* yes, smss.exe

9. Do you think this is a manual or an automated attack (2pts)? Why?
* automated. Too fast to be done manually.

Bonus:
1. What actions does the shellcode perform? Please list the shellcode (10 pts)