HoneyNet Reverse Challenge 2000


[email protected]

This set of documents details my analysis of the HoneyNet Project Reverse Challenge binary, named the-binary. The Reverse Challenge is a competition designed to see who can dig the most out of a blackhat cracker tool found in the wild, and communicate what they've found in a concise manner.

index.html This index of files and directories submitted
timestamp.html Timestamp and MD5 checksums of all submitted files generated by Stamper
summary.html Summary for a non-technical audience, such as management and the media
advisory.html Advisory for a technical audience, such as administrators and incident handlers
analysis.html Details of how the analysis was performed showing tools and methods
answers.html Answers to the challenge questions
costs.html Incident cost estimate
reading.html References and further reading related to this analysis
files.tar Other files produced during the analysis, as listed below.

Contents of files.tar:
the-binary.strings.txt partial output from running strings on the-binary
the-binary.objdump.txt raw output from running objdump -dS on the-binary
the-binary.cmd REC command file used to guide REC disassembler
convert-syscall.pl Perl script to comment REC output with system call names
the-binary.rec.txt raw output of running REC on the-binary using the-binary.cmd after being processed by convert-syscall.pl
the-binary.txt a commented version of some sections of the REC output
the-client/pingit.c client used to probe the-binary and confirm functionality
the-client/dumpit.c dumps decoded packets in hex
the-client/the-client.c advanced client
the-client/Makefile Makefile for the above programs
dos-attacks/flood-dns1.txt tcpdump output showing DNS flood 1
dos-attacks/flood-dns2-0.txt tcpdump output showing DNS flood 2
dos-attacks/flood-dns2-127.txt tcpdump output showing DNS flood 2
dos-attacks/flood-dns3-0.txt tcpdump output showing DNS flood 3
dos-attacks/flood-dns3-127.txt tcpdump output showing DNS flood 3
dos-attacks/flood-dns3-dns.txt tcpdump output showing DNS flood 3 demonstrating server side name resolving
dos/attacks/flood-frag-icmp.txt tcpdump output showing ICMP fragment flood
dos/attacks/flood-frag-udp-1.txt tcpdump output showing UDP fragment flood
dos/attacks/flood-frag-udp-2.txt tcpdump output showing UDP fragment flood
output/netstat-an.txt output from "netstat -an" when the-binary is running output/psax-fgrep-mingetty.txt output from "ps ax | fgrep mingetty" when the-binary is running
output/fuser-uv-slash.txt output from "fuser -uv /" when the-binary is running
output/ls-alR-proc-454.txt output from "ls -alR /proc/454" when the-binary is running as process 454
output/proc-454-cmdline.txt content of /proc/454/cmdline when the-binary is running as process 454
output/proc-454-maps.txt content of /proc/454/maps when the-binary is running as process 454
output/proc-454-status.txt content of /proc/454/status when the-binary is running as process 454
snort/local.rules snort rule for detecting network IP traffic with an unusual protocol