2019-11-12 - TRAFFIC ANALYSIS EXERCISE - OKAY-BOOMER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the pcap:  2019-11-12-traffic-analysis-exercise.pcap.zip   9.2 MB (9,182,767 bytes)

• 2019-11-12-traffic-analysis-exercise.pcap   (11,439,800 bytes)

 

 

SCENARIO

LAN segment data:

• LAN segment range:  10.11.11[.]0/24 (10.11.11[.]0 through 10.11.11[.]255)
• Domain:  okay-boomer[.]info
• Domain controller:  10.11.11[.]11 - Okay-Boomer-DC
• LAN segment gateway:  10.11.11[.]1
• LAN segment broadcast address:  10.11.11[.]255

 

YOUR TASK

Review the pcap and answer the following questions:

• What operating system and type of device is on 10.11.11[.]94?
• What operating system and type of device is on 10.11.11[.]121?
• Based on the MAC address for 10.11.11[.]145, who is the manufacturer or vendor?
• What operating system and type of device is on 10.11.11[.]179?
• What version of Windows is being used on the host at 10.11.11[.]195?
• What is the user account name used to log into the Windows host at 10.11.11[.]200?
• What operating system and type of device is on 10.11.11[.]217?

• What IP is the Windows host that downloaded a Windows executable file over HTTP?
• What is the URL that returned the Windows executable file?
• What is the SHA256 file hash for that Windows executable file?
• What is the detection rate for that SHA256 hash on VirusTotal?
• What public IP addresses did that Windows host attempt to connect over TCP after the executable file was downloaded?
• What is the host name and Windows user account name used on that IP address?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.