2014-12-15 - TRAFFIC ANALYSIS EXERCISE: 1 PCAP, 3 HOSTS, AND 1 EXPLOIT KIT (EK)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS:
- 2014-12-15-traffic-analysis-exercise.pcap.zip 4.3 MB (4,270,062 bytes)
- 2014-12-15-traffic-analysis-exercise-answers.pdf.zip 414.8 kB (414,806 bytes)
- 2014-12-15-traffic-analysis-exercise-additional-information.pdf.zip 624.0 kB (623,968 bytes)
SCENARIO
Three Windows computers are active in this pcap. At least one of them hits an exploit kit. You must determine whether any of these hosts were infected.
QUESTIONS
BASIC QUESTIONS:
1) What are the host names of the 3 Windows hosts from the pcap?
2) What is(are) the IP address(es) of the Windows host(s) that hit an exploit kit?
3) What is(are) the MAC address(es) of the Windows host(s) that hit an exploit kit?
4) What is(are) the domain name(s) of the compromised web site(s)?
5) What is(are) the IP address(es) of the compromised web site(s)?
6) What is(are) the domain name(s) for the exploit kit(s)?
7) What is(are) the IP address(es) for the exploit kit(s)?
8) Did any of these hosts get infected? If so, which host(s)?
EXTRA QUESTIONS:
1) What is(are) the exploit kit(s) noted in the pcap?
2) What type of exploit was used by this(these) exploit kit(s)? (Flash, Java, IE, etc)
3) What URL(s) acted as a redirect between the compromised website(s) and the exploit kit?
4) What is(are) the IP address(es) of the redirect URL(s)?
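As an added example that is not part of the exercise or its answer key: basic questions 1 through 3 (host names, IP addresses and MAC addresses) can usually be answered from the DHCP Request packets in a capture, because a Windows client sends its host name in DHCP option 12, the address it wants to keep in option 50, and its hardware address in the chaddr field. The pure-Python parser below walks a classic little-endian pcap with Ethernet frames, keeps only client-to-server DHCP Requests, and maps each client MAC to its requested IP and host name. The sample capture at the bottom is constructed in code with placeholder names and 192.0.2.0/24 addresses; it is not the exercise's pcap, and the real answers have to be read from the exercise file.

```python
"""Extract host name / IP / MAC triples from DHCP Request packets in a pcap.
The sample capture at the bottom is constructed here with placeholder values."""
import struct

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major/minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
DHCP_COOKIE = b"\x63\x82\x53\x63"            # magic cookie that starts the DHCP option area

def iter_frames(data):
    """Yield each captured Ethernet frame from little-endian pcap bytes (link type 1)."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian microsecond pcap with Ethernet frames")
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        yield data[off:off + incl_len]
        off += incl_len

def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)   # 6 bytes -> aa:bb:cc:dd:ee:ff
def ip_str(raw): return ".".join(str(b) for b in raw)        # 4 bytes -> dotted quad

def dhcp_options(dhcp):
    """Return {option code: value bytes} for the TLV area after the magic cookie."""
    opts, i = {}, 240
    while i < len(dhcp):
        code = dhcp[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        length = dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_hosts(pcap_bytes):
    """Map client MAC -> (IP, host name) from every DHCP Request (message type 3)."""
    hosts = {}
    for frame in iter_frames(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 EtherType only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                                         # UDP only
            continue
        udp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", udp, 0)
        if (sport, dport) != (68, 67):                          # client -> server direction
            continue
        dhcp = udp[8:]
        if len(dhcp) < 240 or dhcp[236:240] != DHCP_COOKIE:
            continue
        opts = dhcp_options(dhcp)
        if opts.get(53) != b"\x03" or 12 not in opts:           # Request carrying a host name
            continue
        # Option 50 is the address the client asks to keep; fall back to ciaddr (offset 12).
        addr = ip_str(opts[50]) if 50 in opts else ip_str(dhcp[12:16])
        hosts[mac_str(dhcp[28:34])] = (addr, opts[12].decode("ascii", "replace"))
    return hosts

# --- constructed sample input: placeholder hosts, not the exercise's machines ---
def build_udp_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split("."))) + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip

def build_dhcp_request(mac, ip, hostname):
    opts = (b"\x35\x01\x03"                                                # 53: DHCP Request
            + b"\x32\x04" + bytes(int(x) for x in ip.split("."))          # 50: requested IP
            + b"\x0c" + bytes([len(hostname)]) + hostname.encode("ascii")  # 12: host name
            + b"\xff")
    chaddr = bytes.fromhex(mac.replace(":", ""))
    dhcp = (bytes([1, 1, 6, 0]) + b"\x00" * 24 + chaddr + b"\x00" * 10    # fixed header to chaddr
            + b"\x00" * 192 + DHCP_COOKIE + opts)                          # sname, file, cookie
    return build_udp_frame(mac, "0.0.0.0", "255.255.255.255", 68, 67, dhcp)

def build_pcap(frames):
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += PCAP_REC_HDR.pack(0, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    build_dhcp_request("00:11:22:33:44:01", "192.0.2.101", "SAMPLE-PC1"),
    build_udp_frame("00:11:22:33:44:02", "192.0.2.102", "192.0.2.1", 49152, 53, b"\x00" * 12),  # DNS, skipped
    build_dhcp_request("00:11:22:33:44:02", "192.0.2.102", "SAMPLE-PC2"),
    build_dhcp_request("00:11:22:33:44:03", "192.0.2.103", "SAMPLE-PC3"),
])

if __name__ == "__main__":
    for mac, (addr, name) in sorted(dhcp_hosts(SAMPLE_PCAP).items()):
        print(f"{name:<12} {addr:<16} {mac}")
```

Against the exercise file, call `dhcp_hosts(open(path, "rb").read())` after unzipping. The reader deliberately handles only the classic little-endian pcap format, which is what a .pcap extension normally means; a pcapng or big-endian capture raises a ValueError rather than silently returning nothing. DHCP is also not the only source: a host that obtained its lease before the capture started leaves no Request, and its name then has to be recovered from NBNS registrations, Kerberos AS-REQ principal names or browser-protocol announcements instead (Wireshark's `nbns` and `kerberos` display filters expose those), which is why the exercise asks for host names rather than pointing at one protocol.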