spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 23

This month's challenge is devoted to the beginner analyst. This is the first ever "beginners" Scan of The Month challenge. The purpose for this challenge is to help give you-the beginner analyst-an opportunity to see what you're made of. Don't be shy. This is an excellent way for you to develop new skills or sharpen some basic skills you already possess. Your objective is to analyze five different types of port scans generated by members from the South Florida Honeynet Project. Remember, the purpose for the beginner challenge is to learn.

All submissions are due no later then 23:00 EST, Sunday, September 22nd. Results will be released Monday, September 30.

Skill Level: Beginner

The Challenge:
Members from the South Florida Honeynet team manually generated five different types of portscans from the Internet to a single honeypot. These are not portscans captured from the wild. The term "the wild" is used to describe any host we don't know about outside of our network. In other words, any host other than our own connected to the Internet involved in reconnaissance, an intrusion, and/or system compromise is a system in the wild. During each scan, our network intrusion detection sensor captured each scan and saved it to a binary log file. We used snort to capture each scan in tcpdump format. It's important to note that tcpdump and snort use the libpcap library to capture and store packets from off the wire. So you can learn more about the packet capture technologies used to capture the portscans during this challenge, we have provided links to help get you on the right foot. It is up to you-the beginner analyst-to pull the binary file into a packet decoder such as tcpdump, or ethereal to analyze each scan. Your mission, if you choose to accept it is to answer the questions below the best that you can.

Tools You Can Use in This Challenge
Learn about tcpdump and libpcap.

Snort, network intrusion detection information.

Ethereal, a packet capture tool for reading binary logs files or just sniffing packets off the network. Has a very nice graphical interface.

Download the Binary
Note: We received reports of people failing the MD5 Checksum. Be sure you check the binary BEFORE decompressing it. The MD5 checksum shown below is show while the file is compressed.
MD5 (sotm23.tar.gz) = 9d28c5ee9ce7b77e3099a07ad303811f


  1. What is a binary log file and how is one created?
  2. What is MD5 and what value does it provide?
  3. What is the attacker's IP address?
  4. What is the destination IP address?
  5. We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?
  6. Which scanning tool was used to scan our honeypot? How were you able to determine this?
  7. What is the purpose of port scanning?
  8. What ports were found open on our honeypot?

  9. Bonus Question: What operating system was the attacker using?

The Results:
This months challenge questions, judging and team write-up are done by the South Florida Honeynet Project, led by Richard La Bella, Jeff Dell, Darren Bounds, Castor Morales, and Tyler Hudak.

Writeup from Richard La Bella of the South Florida Honeynet Project

Writeups from the Security Community

Top Three Entries

Next Eight Entries

Remaining Entries

Back to Top