On 4 Feb. 2001, the system 220.127.116.11 successfully attacked and compromised the
honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to
believe that the attacker knew this was a honeypot, however we decided to release
this challenge as it examplifies the most common of NT attacks found in the
wild. Your only source of information is the snort binary log file that captured
the entire attack. You can download this in
MD5=aca62e19ba49546d2bfd1fa1c71b5751). You will
have to extract and analyze the information from this binary log file. Remember,
entries will not only be judge on your answers, but how easy they are to
read, and if you show how you obtained/conducted your analysis.
Which exploit(s) were used to attack the system?
How were the exploits used to access and control the system?
What was done once access was gained?
How could this attack been prevented?
How much time did you spend on this analysis and writeup?
Do you feel that the attacker in question knew if this was a honeypot?
If so, why or why not?
Writeups from the Honeynet Project members.
This month's attack were two commonly used NT exploits, specifically RSD and
Unicode. The attacker gained access using Unicode, downloaded several binaries
including netcat, then gained remote control of the system using a netcat
Writeup from the Security Community
We received a total of twenty-three outstanding submissions. Below we have listed the top three,
after that we have listed the remaining twenty submissions. We would like to once again thank and
congratulate everyone who spent their time on this. The average submission required over nine hours
of work. Many submissions indicated that the NT honeypot behaved oddly and must have been
modified by the Honeynet Project. No modifications were ever made to the NT box. It was strictly
a default installation with support for IIS. Any idosyncracies identified are a result of the
operating system itself :)