Scribd Logo
Upload

Welcome to Scribd!

  • Reto 4

    Uploaded by

    pgn_pedroguillen
    384 views5 pages
    Puzzle 4 sans is a network forensic investigation game. You are the network forensic investigator. Your mission is to answer the following questions: 1. What was the IP address of Mr. X's scanner? 2. What were the IP addresses of the targets Mr. X discovered?

    Original Description:

    Original Title

    reto 4

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Puzzle 4 sans is a network forensic investigation game. You are the network forensic investigator. Your mission is to answer the following questions: 1. What was the IP address of Mr. X's scanner? 2. What were the IP addresses of the targets Mr. X discovered?

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    384 views5 pages

    Reto 4

    Uploaded by

    pgn_pedroguillen
    Puzzle 4 sans is a network forensic investigation game. You are the network forensic investigator. Your mission is to answer the following questions: 1. What was the IP address of Mr. X's scanner? 2. What were the IP addresses of the targets Mr. X discovered?

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    Puzzle 4 SANS While a fugitive in Mexico, Mr.

    X remotely infiltrates the Arctic Nuclear Fusion Research Facilitys (ANFRF) lab subnet over the Interwebs. Virtually inside the facility (pivoting through a compromised system), he conducts some noisy network reconnaissance. Sadly, Mr. X is not yet very stealthy. Unfortunately for Mr. X, the labs network is instrumented to capture all traffic (with full content). His activities are discovered and analyzed by you! Here is the packet capture containing Mr. Xs activity. As the network forensic investigator, your mission is to answer the following questions: 1. What was the IP address of Mr. Xs scanner? 2. For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one: TCP SYN TCP ACK UDP TCP Connect TCP XMAS TCP RST

    3. What were the IP addresses of the targets Mr. X discovered? 4. What was the MAC address of the Apple system he found? 5. What was the IP address of the Windows system he found? 6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.) What was the IP address of Mr. Xs scanner? Para esta cuestin basta con abrir la captura pcap y darnos cuentas que se realiza desde la siguiente IP:

    For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one: TCP SYN TCP ACK

    UDP TCP Connect TCP XMAS TCP RST

    Explicaremos antes de todo en que consiste cada uno: TCP SYN: Se le enva a la vctima SYN a un puerto y si la vctima contesta con un RST nos indica que esta cerrado como se aprecia en la siguiente imagen:

    Si nos contesta con un SYN/ACK indica que esta abierto, nmap manda luego un RST como se ve en la siguiente imagen

    TCP ACK Este escaner nos vale para saber si un puerto esta filtrado pero no nos asegura que este abierto o cerrado de manera que si mandamos un ACK a un puerto y no responde podemos determinar que esta fltrado como se ve en la siguiente imagen:

    Si por el contrario nos responde con un RST indica que el puerto esta sin filtrar:

    UDP Sirver para escanear los puertos UDP de la vctima. Se manda un paquete UDP al puerto que queramos y si tenemos de respuesta un ICM:Port Unreachable podemos llegar a la conclusin de que el puerto esta cerrado:

    Si no responde puede estar abierto o filtrado

    Y si responde con un UDP data indica que esta abierto:

    TCP Connect En este escaner se comprueba que un puerto esta cerrado de la misma manera que en TCP SYN, se le manda un SYN al puerto en cuestin y si responde con RST indica que esta cerrado:

    Sin embargo para comprobar que esta abierto un puerto se le manda un SYN y si responde con un SYN/ACK se ele envia un ACK seguido de un RST

    TCP XMAS En este escaneo se mandan 1 paquetes TCP con los flags FIN, URG y PUSH activados. Un puerto cerrado respondera con un RST:

    Y un puerto abierto no responder:

    TCP RST Esto es un tipo de ataque que consiste en mandar muchos paquetes con el flag RST activado si quieren mas informacin sobre el Scanner de Puertos y sus tipos no duden en consultar esta pgina es muy buena al respecto:

    http://www.networkuptime.com/nmap/index.shtml Ahora que tenemos mas o menos claro los tipos de escaneos que nos preguntan es facil decir que se trata de un Scaneo TCP connect Tenemos una utilidad muy buena en wireshar que es en el menu statistics--> flow graph (esto muestra los paquetes TCP

    Con esto se demuestra que es un TCP connect. What were the IP addresses of the targets Mr. X discovered? Viendo la capura podemos determinar que las ips atacadas son: 10.42.42.25 10.42.42.50 10.42.42.56 What was the MAC address of the Apple system he found? En cualquier trama que cojamos con destino u origen la ip 10.42.42.25 nos damos cuenta que es un dispositivo apple: Address: AppleCom_92:6e:dc (00:16:cb:92:6e:dc) por lo tanto la respuesta sera: 00:16:cb:92:6e:dc What was the IP address of the Windows system he found? Para esto buscamos los paquetes ICMP del Ping y comprobamos el TTL de manera que si tenemos un TLL de 255 podemos pensar que es un unix, 64 un linux y 128 un windows. Con esto contestamos a la pregunta: la ip que tiene windoes es --> 10.42.42.50 What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.) Los puertos abiertos son el 135 y 139

    You might also like