Members of the
Mexico Honeynet Project captured a unique attack. As is common, what
is interesting is not how the attackers broke in, but what they
did afterwards. Your mission is to analyze the network capture
of the attacker's activity and decode the attacker's actions. There
are two binary log files: Day1 captured the break-in, Day3
captures some unique activity following the compromise. The honeypot
in question is IP 192.168.100.28. Make sure you review the
challenge criteria before submitting your
Download the Binaries
MD5 (day1.log.gz) = 79e5871791542c8f38dd9cee2b2bc317
MD5 (day3.log.gz) = af8ab95f41530fe3561b506b422ed636
- What is the operating system of the honeypot? How
did you determine that? (see day1)
- How did the attacker(s) break into the system? (see day1)
- Which systems were used in this attack, and how?(see day1)
- Create a diagram that demonstrates the sequences
involved in the attack. (see day1)
- What is the purpose/reason of the ICMP packets with
'skillz' in them? (see day1)
- Following the attack, the attacker(s) enabled a
unique protocol that one would not expect to find on an
IPv4 network. Can you identify that protocol and why it
was used? (see day3)
- Can you identify the nationality of the attacker?
- What are the implications of using the unusual
IP protocol to the Intrusion Detection industry?
- What tools exist that can decode this protocol?
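A starting point for the 'skillz' ICMP question and the unexpected-protocol question, added here as an example and not part of the challenge page or of the Mexico Honeynet Project's material: a stdlib-only Python triage script that reads a classic libpcap file (gzip-compressed or not), counts the IP protocol numbers seen to and from 192.168.100.28, flags any outside ICMP/TCP/UDP, and lists ICMP packets whose payload contains a marker string. It assumes the day1/day3 .log.gz files are gzip-compressed libpcap captures with an Ethernet link type. The capture it runs on below is constructed inline; protocol number 253 (reserved for experimentation by RFC 3692) is used only as a stand-in for "a protocol you would not expect" and is not a claim about what the day3 capture actually contains.

```python
"""Triage helpers for the challenge captures: which IP protocol numbers touch
the honeypot, and which ICMP payloads carry a marker string.  Pure stdlib;
reads classic libpcap (Ethernet link type), optionally gzip-compressed."""
import gzip
import socket
import struct
from collections import Counter

HONEYPOT = "192.168.100.28"               # the honeypot named in the challenge
MARKER = b"skillz"                        # the ICMP payload string the challenge asks about
COMMON = {1: "ICMP", 6: "TCP", 17: "UDP"}  # protocol numbers expected on an IPv4 host

def load_capture(path):
    """Read a .pcap or .pcap.gz file into memory (assumes day*.log.gz are gzip'd pcap)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read()

def parse_pcap(data):
    """Return [(ts_sec, frame_bytes), ...] from classic libpcap bytes, either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, data[off:off + incl_len]))
        off += incl_len
    return records

def decode_ipv4(frame):
    """Pull src, dst, protocol number and L4 payload out of an Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or len(ip) < ihl:
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": ip[9], "payload": ip[ihl:total_len]}

def protocol_inventory(records, host=HONEYPOT):
    """Count packets to/from `host` by IP protocol number (the field an IDS keys on)."""
    counts = Counter()
    for _ts, frame in records:
        pkt = decode_ipv4(frame)
        if pkt and host in (pkt["src"], pkt["dst"]):
            counts[pkt["proto"]] += 1
    return dict(counts)

def unexpected_protocols(inventory):
    """Protocol numbers seen that are not ICMP/TCP/UDP."""
    return sorted(p for p in inventory if p not in COMMON)

def icmp_marker_hits(records, marker=MARKER):
    """(ts, src, dst, icmp_type) for every ICMP packet whose data contains `marker`."""
    hits = []
    for ts, frame in records:
        pkt = decode_ipv4(frame)
        if pkt and pkt["proto"] == 1 and len(pkt["payload"]) >= 8 and marker in pkt["payload"][8:]:
            hits.append((ts, pkt["src"], pkt["dst"], pkt["payload"][0]))
    return hits

# ---- constructed sample so the script runs offline; NOT traffic from the challenge ----
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))  # checksum left 0
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + hdr + payload

def sample_capture():
    """One TCP SYN, two ICMP echoes carrying the marker, one plain echo reply, and one
    packet under protocol 253 (RFC 3692 experimental) as a stand-in for an odd protocol."""
    attacker = "10.0.0.5"
    syn = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    echo_marker = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + MARKER + b"\x00" * 8
    echo_reply = struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"\x00" * 8
    frames = [_ipv4(attacker, HONEYPOT, 6, syn),
              _ipv4(attacker, HONEYPOT, 1, echo_marker),
              _ipv4(HONEYPOT, attacker, 1, echo_reply),
              _ipv4(attacker, HONEYPOT, 1, echo_marker),
              _ipv4(HONEYPOT, attacker, 253, b"\x60" + b"\x00" * 39)]
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return ghdr + body

if __name__ == "__main__":
    recs = parse_pcap(sample_capture())  # swap in parse_pcap(load_capture("day3.log.gz"))
    inv = protocol_inventory(recs)
    print("protocols seen on", HONEYPOT, inv, "unexpected:", unexpected_protocols(inv))
    for hit in icmp_marker_hits(recs):
        print("marker in ICMP:", hit)
```

Run it against the real files with parse_pcap(load_capture("day3.log.gz")) after verifying the MD5 sums listed above. The protocol-number inventory is the useful first cut for the intrusion-detection question as well: a sensor that only inspects TCP, UDP and ICMP never looks inside anything else, so listing every protocol number a host exchanges is the quickest way to see what such a sensor would have missed.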
This month's challenge questions, judging and team writeup are done by
Raul Garcia of the
Mexico Honeynet Project.
Raul's official writeup
Writeup from the Security Community
We would like to thank the community for all of the incredible submissions
we received. This was one of the hardest challenges yet to judge, as there
were many extremely well done submissions. The difference between first and
tenth place is only a couple of points. There were a total of 39 submissions.
However, because of space and resource limitations, we can only post the top 30
Top 2 Entries
Next Top 3 Entries
Next Top 10 Entries