spacer [an error occurred while processing this directive]
About the Project
Our Book
Status Reports

Scan of the Month

Welcome to the 'Scan of the Month' challenge. The purpose of these challenges are to help the security community develop the forensic and analysis skills to decode real attacks. It can be difficult finding real attacks that you can analyze and share your results with the community. These challenges address that problem. This is done by taking attacks we have captured in the wild and challenging the security community to decode them. Unfortunately, due to resource limitations, we can no longer provide a new challenge every month.

Send all submissions via email to Please send all submissions in .txt, .html, or .pdf format. If it is in .txt format, make sure it is formated for browsers. Remember, your documentation will be posted on a Unix webserver, do NOT have spaces in your filenames! If you have multiple files, please .gz or .bz2 them into a single, compressed file. Do NOT use .zip compression, our SPAM filters will deny any .zip attachments. If a specific SotM challenge receives more the thirty submission, we can only post the Top 25 due to limited time and resources.

*NOTE* Most of the code, files, and images supplied in the Scan of the Month challenges are real, malicious items found in the wild. These files were designed by attackers to cause harm. As always, use best practices to securely analyze these challenges so as not to cause harm to yourself. The Honeynet Project makes no warranties about the challenges, nor is it responsible for any damages caused by these challenges.


The grading is based on following issues: Hint: To get placed in the Top entries, not only do you have to have all correct answers, BUT you must document in-depth all your tools and techniques, in an easy to understand format. Remember, the goal is not only for you to learn, but for others to learn from your work. If someone can't understand your documentation, it is of little value to anyone.

  • One point for each correctly answered question of the challenge
  • Do you show the methods used to analyze the data and obtain your conclusions (5 points).
  • How easy is it to read and understand your submission, use of whitespace, format, organization, etc (5 points).
  • The depth of the technical information and analysis you provide (5 points).
  • Note: You do not get any points for the Bonus question, its is used only to break any ties in judging.


Scans 1 - 19
Scan 20 - Solaris dtspcd attack.
Scan 21 - Obfuscated UDP network sweep.
Scan 22 - Determine why the Reverse Challenge attacker was breaking into systems.
Scan 23 - The very first challenge for beginners, decode a network scan.
Scan 24 - Recover and analyze captured evidence from a floppy.
Scan 25 - Analyze a worm recovered by a Honeynet.
Scan 26 - Continuation from SotM24, investigate the drug supplier Jimmy Jungle
Scan 27 - Indepth analysis of a Win2000 compromise, part of a large botnet.
Scan 28 - Italian blackhats break into a Solaris server then enable IPv6 tunneling for communications.
Scan 29 - One of our most unique challenges, analyze a live hacked Linux system.
Scan 30 - Analyze a month of honeynet firewall logs.
Scan 31 - Discover how an OpenProxy is abused.
Scan 32 - Analyze a Malware binary.
Scan 33 - Advanced reverse engineering challenge.
Scan 34 - Analyze real honeynet logs for attacks and activity.

All binary network captures are in pcap format. The Honeynet Project recommend you use either Snort or Ethereal to read and analyze the these files. To help you decode the signatures, the following RFC's are provided. If you want to learn more about decoding TCP/IP, we highly recommend the book TCP/IP Illustrated, Volume 1, by Richard Stevens.

IP - RFC 791
ICMP - RFC 777
TCP - RFC 793
UDP - RFC 768

Back to Top