Scan 23

This month's challenge is devoted to the beginner analyst. This is the first ever "beginners" Scan of the Month challenge. Its purpose is to give you, the beginner analyst, an opportunity to see what you're made of. Don't be shy. This is an excellent way to develop new skills or sharpen basic skills you already possess. Your objective is to analyze five different types of port scans generated by members of the South Florida Honeynet Project. Remember, the purpose of the beginner challenge is to learn.

All submissions are due no later than 23:00 EST, Sunday, September 22nd. Results will be released Monday, September 30.

Skill Level: Beginner

Neil Warner

The Challenge:
Members of the South Florida Honeynet team manually generated five different types of port scans from the Internet against a single honeypot. These are not port scans captured from the wild. The term "the wild" describes any host outside our network that we don't know about; in other words, any host other than our own connected to the Internet that is involved in reconnaissance, an intrusion, and/or a system compromise is a system in the wild. During each scan, our network intrusion detection sensor captured the traffic and saved it to a binary log file. We used Snort to capture each scan in tcpdump format. It's important to note that tcpdump and Snort both use the libpcap library to capture packets off the wire and store them, so a file written by one can be read by the other. So that you can learn more about the packet capture technologies used during this challenge, we have provided links to get you started on the right foot. It is up to you, the beginner analyst, to load the binary file into a packet decoder such as tcpdump or Ethereal and analyze each scan. Your mission, if you choose to accept it, is to answer the questions below as best you can.

Tools Used In The Challenge

Snort, a network intrusion detection system; the sensor that captured the scans in this challenge.

Ethereal, a packet capture and analysis tool for reading binary log files or sniffing packets off the network. It has a very nice graphical interface.

Download the Binary
Note: We received reports of people failing the MD5 checksum. Be sure you check the binary BEFORE decompressing it: the MD5 checksum shown below is the checksum of the compressed file.
MD5 (sotm23.tar.gz) = 9d28c5ee9ce7b77e3099a07ad303811f


Counter Hack, Ed Skoudis

Network Intrusion Detection: An Analyst's Handbook, Stephen Northcutt and Judy Novak

Intrusion Signatures and Analysis, Stephen Northcutt, Mark Cooper, Matt Fearnow and Karen Frederick



  1. What is a binary log file and how is one created?

A binary log file is a non-ASCII file of raw captured packets saved in libpcap ("tcpdump") format: a short file header followed by a record header and the captured bytes of every packet. Several tools can create one. With tcpdump you would run tcpdump -w filename; with Snort you would run snort -b -l logdir, which writes the packets in tcpdump format into the log directory; and in Ethereal you can choose Save As from the File menu and select the libpcap (tcpdump, Ethereal, etc.) format.
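To make the "tcpdump format" concrete, here is an added Python example (not part of the challenge materials or of the original writeup) that writes and reads the classic libpcap 2.4 file layout that tcpdump -w and snort -b produce. The two frames it stores are constructed filler, and the snaplen, timestamps and temporary file name are assumptions chosen for the demonstration.

```python
import os
import struct
import tempfile

# libpcap file layout (assumption: the classic 2.4 format tcpdump -w and snort -b write):
#   global header (24 bytes): magic, major, minor, thiszone, sigfigs, snaplen, linktype
#   then, per packet, a 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
#   followed by incl_len bytes of the captured frame.
PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution magic, written in host byte order
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")
RECORD_HDR = struct.Struct("<IIII")


def write_pcap(path, packets, snaplen=65535):
    """Write (ts_sec, ts_usec, frame_bytes) tuples as a little-endian pcap file."""
    with open(path, "wb") as fh:
        fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in packets:
            captured = frame[:snaplen]          # snaplen truncates what is stored ...
            fh.write(RECORD_HDR.pack(ts_sec, ts_usec, len(captured), len(frame)))
            fh.write(captured)                  # ... but orig_len records the true size


def read_pcap(path):
    """Parse a pcap file, honouring either byte order, and return (linktype, records)."""
    with open(path, "rb") as fh:
        data = fh.read()
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"                            # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"                            # written on a big-endian host
    else:
        raise ValueError("not a libpcap file (bad magic %r)" % magic)
    ghdr = struct.Struct(endian + "IHHiIII")
    rhdr = struct.Struct(endian + "IIII")
    _, major, minor, _, _, snaplen, linktype = ghdr.unpack_from(data, 0)
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    records, off = [], ghdr.size
    while off + rhdr.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % off)
        records.append((ts_sec, ts_usec, data[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, records


def roundtrip_demo():
    """Write two constructed frames to a temp file and read them back."""
    # Constructed sample frames (not from the challenge trace): 60 and 1500 bytes of filler.
    frames = [(1032123456, 1000, b"\x00" * 60), (1032123456, 2000, b"\xff" * 1500)]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen=96)    # a small snaplen, to show truncation
        return read_pcap(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    linktype, records = roundtrip_demo()
    for ts_sec, ts_usec, frame, orig_len in records:
        print("%d.%06d captured %d of %d bytes" % (ts_sec, ts_usec, len(frame), orig_len))
```

Reading a file this way also makes the checksum warning above concrete: the file you hash is the byte stream on disk, so a capture truncated by snaplen or a damaged download shows up as a record whose incl_len runs past the end of the data, and the reader refuses it rather than silently reporting fewer packets.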

  2. What is MD5 and what value does it provide?

MD5 produces a one-way, 128-bit hash value that is used to "fingerprint" a file. If you run md5sum on message_A, the resulting value will be the same as when anyone else runs md5sum on an identical copy of message_A, and any change to the file changes the value. The value is therefore used to validate the integrity of the file, ensuring it is the same as when the first md5sum was run. Note that collisions against MD5 have since been demonstrated, so it still detects accidental corruption or a truncated download but should not be relied on against an adversary who can substitute a file of their own choosing.
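As an added example (not from the original writeup), the Python below performs the check the download note above asks for: it parses a published checksum line in either the BSD "MD5 (name) = hex" form used on this page or the GNU "hex  name" form from md5sum, hashes the file bytes in chunks, compares in constant time, and shows why hashing the decompressed archive fails. The archive contents are constructed stand-in bytes, not the real sotm23.tar.gz, and the file name in the demo is an assumption.

```python
import gzip
import hashlib
import hmac
import re

# Both checksum line formats a practitioner meets (assumption: the BSD form used on
# this page and the GNU md5sum form, optionally with the binary-mode '*' marker).
BSD_LINE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{32})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{32})\s+\*?(?P<name>.+)$")


def parse_digest_line(line):
    """Return (filename, lower-case hex digest) from either checksum line format."""
    line = line.strip()
    m = BSD_LINE.match(line) or GNU_LINE.match(line)
    if not m:
        raise ValueError("unrecognised MD5 line: %r" % line)
    return m.group("name"), m.group("hex").lower()


def md5_hex(data, chunk=1 << 20):
    """Hash in chunks so a multi-megabyte capture need not be fed in one update()."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify(data, expected_hex):
    """Constant-time comparison of the computed digest against the published one."""
    return hmac.compare_digest(md5_hex(data), expected_hex.lower())


def compressed_vs_decompressed():
    """Show why the checksum must be taken BEFORE decompressing the archive."""
    # Constructed stand-in for the tarball contents; not the real challenge data.
    payload = b"constructed stand-in for the tarball contents\n" * 64
    archive = gzip.compress(payload, mtime=0)
    # The line a site would publish: the digest of the COMPRESSED bytes.
    published = "MD5 (sample.tar.gz) = %s" % md5_hex(archive)
    name, digest = parse_digest_line(published)
    return {
        "name": name,
        "compressed_ok": verify(archive, digest),                   # what you should check
        "decompressed_ok": verify(gzip.decompress(archive), digest),  # the mistake reported
    }


if __name__ == "__main__":
    print(compressed_vs_decompressed())
```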

  3. What is the attacker's IP address?

  4. What is the destination IP address?

  5. We scanned the honeypot using five different methods. Can you identify the five different scanning methods, and describe how each of the five works?
    1. Starting with packet #1, an ICMP echo request (ping) is sent to a single system <>. Packet #2 shows the echo reply, which indicates a live host on the network. Normally an attacker would sweep a whole network range with such pings to identify live hosts. A ping sweep is not a port scan, but it quickly identifies which hosts are worth scanning.
    2. Starting with packet #3, a TCP ACK scan takes place against port 80 of the target system. In a TCP ACK scan the attacker sends a packet with only the ACK flag set. The point of this scan is to get packets past a packet-filtering device: a stateless packet filter looks for the initial packet of a three-way handshake, which has the SYN flag set, so with the ACK flag set the attacker hopes the filter will treat the probe as a return packet of an existing connection and let it through. If the target returns a RST, as our target did, the packet got through the packet filter (or no filter exists) and the port is classified as "unfiltered"; an ACK scan says nothing about whether the port is open or closed. If there is no response, or an ICMP unreachable error is returned to the attacker, the port is classified as "filtered".
    3. Starting with packet #5, a TCP SYN scan begins. A TCP SYN scan is also called a "half-open" scan because the three-way handshake is never completed. The attacker sends a SYN to a target port. If the port is closed the target sends back a RST; if the port is open the target sends back a SYN, ACK, and on receipt of it the attacker sends a RST instead of the ACK that would complete the connection. This can be seen starting at packet #123012, where the attacker (<>) sends a SYN to port 53 of the target (<>). The target sends back a SYN, ACK, which means port 53 is open. In packet #123018 the attacker sends a RST to the target.
    4. Starting at packet #148019, a NULL scan begins. A NULL scan sends TCP packets with no flags set. The attacker is looking for a RST from the target, which means the port is closed, or no response at all, which may mean the port is open. At packet #148067 the attacker sends a NULL probe to port 80 of the target. The target did not respond, which indicates that port 80 is open on the target system. Note that silence is ambiguous, since a packet filter dropping the probe looks the same, so nmap reports such ports as "open|filtered"; and some TCP/IP stacks, Microsoft Windows among them, answer every NULL or XMAS probe with a RST regardless of port state. Here the SYN scan had already shown port 80 open, which corroborates the result.
    5. At packet #150759, a TCP XMAS tree scan begins. An XMAS tree scan sets the FIN, URG and PSH flags ("lighting up" the header like a Christmas tree). If the port is closed the target sends back a RST; if the port is open the target returns nothing. This is illustrated at packet #151186, where the attacker sends an XMAS tree probe to port 53 (domain) of the target system. The target does not respond, which indicates an open port, subject to the same "open|filtered" caveat as the NULL scan.
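The following Python example is added here and is not from the original writeup or the challenge trace. It builds minimal TCP headers for the four TCP probe types described above, pairs each probe with the target's reply (or lack of one) by source/destination port, and reports the port state the way nmap classifies it. The ports, source ports and the exchange itself are constructed for the demonstration, and for brevity an ICMP unreachable error in reply to a probe is treated the same as no reply.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG

# Exact flag byte of each probe type described in the writeup.
PROBE_TYPES = {SYN: "SYN", ACK: "ACK", 0: "NULL", XMAS: "XMAS"}


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header: data offset 5 words, no options."""
    # fields: sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)


def parse_tcp(hdr):
    """Return (sport, dport, flags) from the first 14 bytes of a TCP header."""
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", hdr[:14])
    return sport, dport, flags


def classify_probe(flags):
    return PROBE_TYPES.get(flags, "other")


def port_state(probe, reply_flags):
    """Infer the port state as nmap reports it; reply_flags None means no answer
    (an ICMP unreachable error would be handled the same way: filtered)."""
    if probe == "SYN":
        if reply_flags is None:
            return "filtered"
        return "open" if reply_flags & (SYN | ACK) == (SYN | ACK) else "closed"
    if probe == "ACK":
        # A RST proves the probe reached the host but says nothing about open/closed.
        return "filtered" if reply_flags is None else "unfiltered"
    if probe in ("NULL", "XMAS"):
        # Silence is ambiguous: an open port says nothing, but so does a packet filter.
        return "open|filtered" if reply_flags is None else "closed"
    return "unknown"


def analyse(records):
    """records: (direction, tcp_header_bytes) in capture order, where direction is
    'out' for attacker -> target and 'in' for target -> attacker. Returns
    (probe type, target port, inferred state) for every probe."""
    pending = {}   # (attacker sport, target dport) -> probe type awaiting a reply
    findings = []
    for direction, hdr in records:
        sport, dport, flags = parse_tcp(hdr)
        if direction == "out":
            if flags & RST:          # the attacker's RST after a SYN/ACK is not a probe
                continue
            pending[(sport, dport)] = classify_probe(flags)
        else:                        # a reply: the target's sport is the probed port
            probe = pending.pop((dport, sport), None)
            if probe:
                findings.append((probe, sport, port_state(probe, flags)))
    for (_sport, dport), probe in pending.items():   # probes that were never answered
        findings.append((probe, dport, port_state(probe, None)))
    return findings


# Constructed exchange (not the challenge trace): the four TCP probe types against
# port 53 (open) and 81 (closed); port 80 gets a NULL probe that goes unanswered.
SAMPLE = [
    ("out", tcp_header(40001, 80, ACK)),  ("in", tcp_header(80, 40001, RST)),
    ("out", tcp_header(40002, 53, SYN)),  ("in", tcp_header(53, 40002, SYN | ACK)),
    ("out", tcp_header(40002, 53, RST)),                      # attacker tears it down
    ("out", tcp_header(40003, 81, SYN)),  ("in", tcp_header(81, 40003, RST | ACK)),
    ("out", tcp_header(40004, 80, 0)),                        # NULL probe, no answer
    ("out", tcp_header(40005, 81, XMAS)), ("in", tcp_header(81, 40005, RST | ACK)),
]

if __name__ == "__main__":
    for probe, port, state in analyse(SAMPLE):
        print("%-4s scan of port %-3d -> %s" % (probe, port, state))
```

The pairing key is (attacker source port, target port), which is what a sensor has to use when a scanner never completes a handshake; a scanner that reuses one source port for every probe, as the SYN scan in the trace does, still pairs correctly because each reply arrives before the next probe to the same port.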


  6. Which scanning tool was used to scan our honeypot? How were you able to determine this?

Nmap was the scanning tool used. Starting at packet #150639 an OS fingerprinting sequence begins, and page 216 of Counter Hack by Ed Skoudis describes exactly this probe order as nmap's OS fingerprinting; the trace is an exact match. As described in the book, the following sequence is seen:

- SYN packet to an open port

- NULL packet to an open port

- SYN|FIN|URG|PSH packet to an open port

- ACK packet to an open port

- SYN packet to a closed port

- ACK packet to a closed port

- FIN|PSH|URG packet to a closed port

- UDP packet to a closed port
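As an added example (not part of the original writeup), the Python below turns the eight-probe sequence above into a detection signature: given the probes one source sent, in capture order, and the set of ports already known to be open from the port scan, it reports where an nmap OS fingerprint run begins. The probe list and port numbers are constructed, and the code assumes, as the first-generation nmap fingerprint did, that the four "open port" probes all go to one open port and the four "closed port" probes all go to one closed port.

```python
# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The eight-probe sequence quoted above, as (protocol, exact flag byte, port state).
# Assumption: the probes arrive back to back from one source, in this order.
NMAP_OS_SEQUENCE = [
    ("tcp", SYN, "open"),
    ("tcp", 0, "open"),
    ("tcp", SYN | FIN | URG | PSH, "open"),
    ("tcp", ACK, "open"),
    ("tcp", SYN, "closed"),
    ("tcp", ACK, "closed"),
    ("tcp", FIN | PSH | URG, "closed"),
    ("udp", None, "closed"),
]


def matches_fingerprint(probes, open_ports, start):
    """True if probes[start:start+8] follows the nmap OS detection template.
    Each probe is (protocol, flag byte or None for UDP, destination port)."""
    window = probes[start:start + len(NMAP_OS_SEQUENCE)]
    if len(window) != len(NMAP_OS_SEQUENCE):
        return False
    for (proto, flags, dport), (want_proto, want_flags, want_state) in zip(window, NMAP_OS_SEQUENCE):
        if proto != want_proto:
            return False
        if proto == "tcp" and flags != want_flags:
            return False
        state = "open" if dport in open_ports else "closed"
        if state != want_state:
            return False
    # The classic fingerprint uses one open port for the first four probes and
    # one closed port for the last four; a mix of ports is some other activity.
    open_targets = {dport for (_, _, dport) in window[:4]}
    closed_targets = {dport for (_, _, dport) in window[4:]}
    return len(open_targets) == 1 and len(closed_targets) == 1


def find_fingerprints(probes, open_ports):
    """Return the indices at which an OS-fingerprint sequence starts."""
    return [i for i in range(len(probes)) if matches_fingerprint(probes, open_ports, i)]


# Constructed probe list (not the challenge trace): the tail of a SYN scan, the
# fingerprint against open port 53 and closed port 1, then a stray NULL probe.
SAMPLE_PROBES = [
    ("tcp", SYN, 22), ("tcp", SYN, 53), ("tcp", SYN, 1),
    ("tcp", SYN, 53), ("tcp", 0, 53), ("tcp", SYN | FIN | URG | PSH, 53), ("tcp", ACK, 53),
    ("tcp", SYN, 1), ("tcp", ACK, 1), ("tcp", FIN | PSH | URG, 1), ("udp", None, 1),
    ("tcp", 0, 80),
]
KNOWN_OPEN = {22, 53, 80}

if __name__ == "__main__":
    for i in find_fingerprints(SAMPLE_PROBES, KNOWN_OPEN):
        print("nmap OS fingerprint sequence starts at probe index %d" % i)
```

Because the signature depends on port state, it is only as good as the port inventory it is given; in the trace that inventory comes from the SYN scan that precedes the fingerprint, which is also why the fingerprint sits near the end of the capture.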

  7. What is the purpose of port scanning?

Port scanning is used to determine which ports are open and closed on a target system. Knowing the open ports, an attacker can target known exploits against the services listening on them. From the way the target responds to probes against open and closed ports, its operating system can also be identified and exploits run against known vulnerabilities in that OS.

  8. What ports were found open on our honeypot?

The table below lists each open port together with one packet in the trace that was sent to it and received no reply, which for the NULL and XMAS probes indicates an open port. Other unanswered probes in the trace, and the SYN, ACK replies in the SYN scan, point to the same ports.

Open Port       Packet which identifies it as open

22 (SSH)

53 (Domain)

80 (HTTP)

111 (SUNRPC)

443 (HTTPS)