
Scan of the Month

Scan 14

The scan for April, 2001. This month's challenge calls on you to decode a successful NT attack with only the Snort binary log capture for analysis. All submissions are due no later than 17:00, 20 April. Results will be released 23 April.

The Challenge:
On 4 Feb. 2001 the honeypot was successfully attacked and compromised. We have reason to believe that the attacker knew this was a honeypot; we decided to release this challenge anyway because it exemplifies the most common NT attacks found in the wild. Your only source of information is the Snort binary log file that captured the entire attack. It is available in .gz format (MD5 af1588ce7f7798190694addef3f148f7) or .zip format (MD5 aca62e19ba49546d2bfd1fa1c71b5751); verify the MD5 before you start. Snort's binary log is written in tcpdump (libpcap) format, so you can replay it with snort -r or open it with tcpdump, Ethereal or any other libpcap-aware tool. You will have to extract and analyze the information from this binary log file. Remember, entries will be judged not only on your answers, but on how easy they are to read and whether you show how you obtained and conducted your analysis.

  1. Which exploit(s) were used to attack the system?
  2. How were the exploits used to access and control the system?
  3. What was done once access was gained?
  4. How could this attack have been prevented?
  5. How much time did you spend on this analysis and writeup?

Bonus Question:
Do you feel that the attacker in question knew if this was a honeypot? If so, why or why not?

The Results:

Writeups from the Honeynet Project members.
This month's attack used two commonly seen NT exploits: RDS (the Remote Data Services hole in msadcs.dll) and the IIS Unicode directory traversal. The attacker gained access using Unicode, downloaded several binaries including netcat, then took remote control of the system over a netcat connection.
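
The challenge asks entrants to show how they pulled the attack out of the binary log, so here is an added example of that triage step (not Scan 14 tooling and not the Honeynet Project's code). Snort's binary log is a libpcap file, so the reader below applies to a real capture; the packets it reads are constructed in memory, with RFC 5737 documentation addresses and invented payloads, so the script runs offline. The Unicode decoder folds the overlong UTF-8 sequences IIS accepted after its traversal check (%c0%af for '/', %c1%9c for '\'); the "cmd.exe banner on a non-web port" check for the netcat shell is a heuristic assumed for illustration.

```python
"""Triage an IIS attack from a libpcap file. Added example, not Scan 14 tooling:
Snort's binary log is libpcap, so the reader applies to the real capture, but the
packets below are constructed in memory (documentation addresses, invented payloads)."""
import struct
from urllib.parse import unquote_to_bytes

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps

def build_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums left zero because the reader ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dummy MACs, ethertype 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(packets):
    """Global header (linktype 1 = Ethernet), then a 16-byte record header per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):  # 981244800 = 4 Feb 2001 00:00 UTC (constructed)
        out += struct.pack("<IIII", 981244800 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def tcp_segments(pcap):
    """Yield (src, dst, dport, payload) for every IPv4/TCP segment in the file."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC_LE:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or IP protocol field is not TCP (6)
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
        if len(tcp) < 20:
            continue
        src, dst = (".".join(map(str, frame[o:o + 4])) for o in (26, 30))
        yield src, dst, struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def iis_decode(target):
    """Percent-decode, then fold the overlong UTF-8 forms IIS accepted after its
    traversal check (MS00-078): %c0%af -> '/', %c1%9c -> '\\'; '\\' then becomes '/'."""
    raw, out, i = unquote_to_bytes(target), bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # overlong ASCII
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1").replace("\\", "/")

def classify(dport, payload):
    """Return (finding, detail) for one segment, or None if nothing stands out."""
    if dport != 80:  # heuristic for the netcat shell: cmd.exe's banner on a non-web port
        if b"Microsoft" in payload[:64] and b"Copyright" in payload:
            return "cmd.exe banner on non-web port (likely netcat shell)", "port %d" % dport
        return None
    head = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(head) != 3 or not head[2].startswith("HTTP/"):
        return None
    path, _, query = head[1].partition("?")
    decoded = iis_decode(path).lower()
    if head[0] == "POST" and decoded.endswith("/msadc/msadcs.dll"):
        return "RDS (msadcs.dll) request", head[1]
    if "/../" in decoded and decoded.endswith("cmd.exe"):
        how = "Unicode-encoded" if "%c0" in path.lower() or "%c1" in path.lower() else "plain"
        return how + " traversal to cmd.exe", unquote_to_bytes(query).decode("latin-1").replace("+", " ")
    return None

def triage(pcap):
    """(src, dst, finding, detail) for every segment classify() flags."""
    rows = []
    for src, dst, dport, payload in tcp_segments(pcap):
        hit = classify(dport, payload)
        if hit:
            rows.append((src, dst) + hit)
    return rows

# Constructed sample capture: attacker 192.0.2.10, victim 198.51.100.20 (RFC 5737 ranges).
SAMPLE_PCAP = build_pcap([
    build_packet("192.0.2.10", "198.51.100.20", 3344, 80,
                 b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n\r\n"),
    build_packet("192.0.2.99", "198.51.100.20", 1025, 80, b"GET /default.htm HTTP/1.0\r\n\r\n"),
    build_packet("192.0.2.10", "198.51.100.20", 3345, 80,
                 b"POST /msadc/msadcs.dll HTTP/1.1\r\nContent-Type: application/x-varg\r\n\r\n"),
    build_packet("198.51.100.20", "192.0.2.10", 1047, 4444,
                 b"Microsoft(R) Windows NT(TM)\r\n(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>"),
])

if __name__ == "__main__":
    for row in triage(SAMPLE_PCAP):
        print("%s -> %s: %s [%s]" % row)
```

Against a real capture, replace SAMPLE_PCAP with the file contents; big-endian pcaps and non-Ethernet link types are deliberately rejected rather than misparsed. The decoded command in the traversal finding is what answers "what was done once access was gained": each cmd.exe request carries its command line in the query string, and the netcat transfer and shell show up as the download commands followed by traffic on a non-web port.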

Writeups from the Security Community

We received a total of twenty-three outstanding submissions. Below we have listed the top three, followed by the remaining twenty submissions. We would like to once again thank and congratulate everyone who spent their time on this. The average submission required over nine hours of work. Many submissions indicated that the NT honeypot behaved oddly and must have been modified by the Honeynet Project. No modifications were ever made to the NT box: it was strictly a default installation with support for IIS. Any idiosyncrasies identified are a result of the operating system itself :)
