2015-10-13 - TRAFFIC ANALYSIS EXERCISE - ANSWERS
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the two pcaps: 2015-10-13-traffic-analysis-exercise-pcaps.zip 7.6 MB (7,639,200 bytes)
ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
ANSWERS FROM OTHERS
Links to write-ups below have answers which are a good supplement to this exercise. I always appreciate people making the extra effort to post their work on these exercises!
ANSWERS FROM ME
DETAILS
I ran the first pcap through Security Onion using tcpreplay and got the following alerts:
A quick way to get an idea of the IP addresses involved is to use the following filter in Wireshark:
- http.request or (!(tcp.port eq 80) and !(tcp.port eq 12189) and tcp.flags eq 0x0002) or classicstun
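As an added example (not part of the original write-up), the same triage logic as that Wireshark filter in pure Python over Ethernet/IPv4 frames, so the "which hosts are involved" pass can be scripted over a pcap without Wireshark. Assumptions: classicstun is approximated as UDP port 3478, http.request as a TCP payload beginning with GET/POST/HEAD, and the frames are constructed sample data rather than the exercise's traffic.

```python
import struct

def parse_ipv4_frame(frame):
    """Ethernet/IPv4 frame -> dict (None for non-IPv4); TCP/UDP fields added when present."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    pkt = {"proto": frame[23], "src": ".".join(map(str, frame[26:30])),
           "dst": ".".join(map(str, frame[30:34]))}
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]
    if pkt["proto"] == 6 and len(l4) >= 20:      # TCP: ports, flags byte, payload past the data offset
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        pkt["flags"], pkt["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
    elif pkt["proto"] == 17 and len(l4) >= 8:    # UDP: ports only
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    return pkt

def matches_triage_filter(pkt):
    """http.request, or a bare SYN on a TCP port other than 80/12189, or classic STUN (assumed UDP 3478)."""
    if pkt["proto"] == 6 and "dport" in pkt:
        if pkt["payload"].startswith((b"GET ", b"POST ", b"HEAD ")):
            return True                          # http.request
        if pkt["flags"] == 0x002 and not {80, 12189} & {pkt["sport"], pkt["dport"]}:
            return True                          # !(tcp.port eq 80) and !(tcp.port eq 12189) and SYN only
    return pkt["proto"] == 17 and "dport" in pkt and 3478 in (pkt["sport"], pkt["dport"])

def build_frame(src, dst, proto, sport, dport, flags=0, payload=b""):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame for constructed test data (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip

def involved_hosts(frames):
    """Set of IP addresses seen on frames that pass the triage filter."""
    hosts = set()
    for pkt in map(parse_ipv4_frame, frames):
        if pkt and matches_triage_filter(pkt):
            hosts.update((pkt["src"], pkt["dst"]))
    return hosts

SAMPLE_FRAMES = [  # constructed sample traffic, not taken from the exercise pcaps
    build_frame("192.168.1.10", "10.0.0.5", 6, 49152, 80, 0x002),                          # SYN to 80: excluded
    build_frame("192.168.1.10", "10.0.0.5", 6, 49152, 80, 0x018, b"GET / HTTP/1.1\r\n"),   # http.request
    build_frame("10.0.0.5", "192.168.1.10", 6, 80, 49152, 0x018, b"HTTP/1.1 200 OK\r\n"),  # response: excluded
    build_frame("192.168.1.10", "10.0.0.9", 6, 49153, 443, 0x002),                         # SYN to 443: included
    build_frame("192.168.1.10", "10.0.0.7", 6, 49154, 12189, 0x002),                       # SYN to 12189: excluded
    build_frame("192.168.1.10", "10.0.0.8", 17, 49155, 3478),                              # classic STUN: included
]
```

Feeding real frames from a pcap (for example via a pcap reader library) into involved_hosts gives the same host list the Wireshark filter would surface, minus whatever the classicstun heuristic catches on non-default ports.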
I ran the second pcap through Security Onion using tcpreplay and got the following alerts:
Nothing other than HTTP traffic after the EK activity...
Below you can see the gate redirecting from the compromised website to the Nuclear EK landing page:
FINAL WORDS
As always, thanks to anyone who's followed along. I hope this has helped!