Members of the South Florida Honeynet team manually generated five different types of portscans from the Internet against a single honeypot. These are not portscans captured from the wild. The term "the wild" is used to describe any host we don't know about outside of our network; in other words, any host other than our own that is connected to the Internet and involved in reconnaissance, an intrusion, and/or a system compromise is a system in the wild. Our network intrusion detection sensor captured each scan and saved it to a binary log file. We used snort to capture each scan in tcpdump format. It's important to note that tcpdump and snort both use the libpcap library to capture packets off the wire and store them. So that you can learn more about the packet capture technologies used to record the portscans in this challenge, we have provided links to help get you on the right foot. It is up to you, the beginner analyst, to pull the binary file into a packet decoder such as tcpdump or ethereal and analyze each scan. Your mission, if you choose to accept it, is to answer the questions below as best you can.
Tools You Can Use in
- Learn about tcpdump and libpcap.
- Snort, network intrusion
- Ethereal, a packet capture tool for reading binary log files or just sniffing packets off the network. Has a very nice graphical interface.
Note: We received reports of people failing the MD5 checksum. Be sure you check the binary BEFORE decompressing it. The MD5 checksum shown below is that of the compressed file.
MD5 (sotm23.tar.gz) = 9d28c5ee9ce7b77e3099a07ad303811f
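To show what "pulling the binary file into a packet decoder" involves, and how the checksum on the compressed archive is meant to be checked, here is an added Python example that is not part of the original challenge and not the Honeynet Project's own tooling. It parses the libpcap record format directly (the format snort and tcpdump write), builds a small sample capture inline because the real sotm23 binary is not on this page, and tallies who sent traffic at the honeypot, which TCP flag combinations the probes used, and which ports answered with SYN/ACK. The addresses 10.0.0.5 and 10.0.0.9, the ports, and every packet in the sample are constructed for illustration; the MD5 test vector is the RFC 1321 value for "abc", not the challenge file's digest.

```python
import hashlib
import struct
from collections import defaultdict

# libpcap magic as read by the unpacking endianness: a file written on a
# little-endian host yields 0xA1B2C3D4 under "<I", a big-endian writer 0xD4C3B2A1.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def verify_md5(data: bytes, expected_hex: str) -> bool:
    """Compare the MD5 of the exact bytes on disk (the compressed archive) with a published digest."""
    return hashlib.md5(data).hexdigest() == expected_hex.strip().lower()


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (no options, no payload, checksums zeroed)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames) -> bytes:
    """Write frames as a little-endian libpcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) records from a libpcap file, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 6:                                                        # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def flag_names(flags: int) -> str:
    return ",".join(name for bit, name in TCP_FLAGS.items() if flags & bit) or "NULL"


def summarize(data: bytes, honeypot_ip: str) -> dict:
    """Who probed the honeypot, with which flag combinations, and which ports replied SYN/ACK."""
    to_target = defaultdict(int)      # source IP -> packets sent at the honeypot
    probe_flags = defaultdict(int)    # flag combination -> number of probes carrying it
    open_ports = set()
    for _, frame in read_pcap(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if dst == honeypot_ip:
            to_target[src] += 1
            probe_flags[flag_names(flags)] += 1
        elif src == honeypot_ip and flags & 0x12 == 0x12:                 # SYN/ACK from the honeypot
            open_ports.add(sport)
    scanner = max(to_target, key=to_target.get) if to_target else None
    return {"scanner": scanner, "open_ports": sorted(open_ports), "probe_flags": dict(probe_flags)}


# Constructed sample capture: one scanner, one honeypot, three probes, two replies.
ATTACKER, HONEYPOT = "10.0.0.5", "10.0.0.9"
SAMPLE_PCAP = build_pcap([
    build_packet(ATTACKER, HONEYPOT, 40000, 80, 0x02),   # SYN probe to 80
    build_packet(HONEYPOT, ATTACKER, 80, 40000, 0x12),   # SYN/ACK: 80 is listening
    build_packet(ATTACKER, HONEYPOT, 40001, 81, 0x02),   # SYN probe to 81
    build_packet(HONEYPOT, ATTACKER, 81, 40001, 0x14),   # RST/ACK: 81 is closed
    build_packet(ATTACKER, HONEYPOT, 40002, 22, 0x01),   # FIN probe, no reply recorded
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP, HONEYPOT))
```

On the real challenge file the same two steps apply in order: run verify_md5 over the bytes of sotm23.tar.gz before extracting, then feed the extracted capture to summarize with the honeypot's address. The parser deliberately ignores IP and TCP checksums, so it accepts the zeroed checksums in the constructed frames as well as whatever a real capture contains.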
- What is a binary log file and how is one created?
- What is MD5 and what value does it provide?
- What is the attacker's IP address?
- What is the destination IP address?
- We scanned the honeypot using five different methods. Can you identify the
five different scanning methods, and describe how each of the five works?
- Which scanning tool was used to scan our honeypot? How were you able to
- What is the purpose of port scanning?
- What ports were found open on our honeypot?
- Bonus Question: What operating system was the attacker
This month's challenge questions, judging and team write-up are done by the South Florida Honeynet Project, led by Richard La Bella, Jeff Dell, Darren Bounds, Castor Morales, and Tyler Hudak.
Writeup from Richard La Bella of the South Florida