Scan of the month 28


The National Digital certification Agency - Tunisia

Agence Nationale de Certification Electronique - Tunisie

ANCE submission


Network Security Team :

Table of Content



Technical Analysis

The Challenge :

Members of the AT&T Mexico Honeynet captured a unique attack. As common, what is interesting is not how the attackers broke in, but what they did afterwards. Your mission is to analyze the network capture of the attacker's activity and decode the attacker's actions. There are two binary log files. Day1 captured the break in, Day3 captures some unique activity following the compromise.


  1. What is the operating system of the honeypot? How did you determine that? (see day1)
  2. How did the attacker(s) break into the system? (see day1)
  3. Which systems were used in this attack, and how?(see day1)
  4. Create a diagram that demonstrates the sequences involved in the attack. (see day1)
  5. What is the purpose/reason of the ICMP packets with 'skillz' in them? (see day1)
  6. Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on a n IPv4 network. Can you identify that protocol and why it was used? (see day3)
  7. Can you identify the nationality of the attacker? (see day3)

Bonus Questions

  1. What are the implications of using the unusual IP protocol to the Intrusion Detection industry?
  2. What tools exist that can decode this protocol?