With two binary log files at hand, I had to find out, by analysing network data, what happened to a honeypot after it was cracked.
Questions to be answered:
- What is the operating system of the honeypot? How did you determine that?
- How did the attacker(s) break into the system?
- Which systems were used in this attack, and how?
- Create a diagram that demonstrates the sequences involved in the attack.
- What is the purpose/reason of the ICMP packets with 'skillz' in them?
- Following the attack, the attacker(s) enabled a unique protocol that one would not expect to find on an IPv4 network. Can you identify that protocol and why it was used?
- Can you identify the nationality of the attacker?
- What are the implications of using the unusual IP protocol to the Intrusion Detection industry?
- What tools exist that can decode this protocol?
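Two of the questions above (the ICMP packets carrying 'skillz', and the unexpected IP protocol) come down to the same first pass over a capture: tally the IP protocol numbers seen and search ICMP data fields for a marker string. The following is an added example written for this page, not part of the original challenge material or any tool the challenge used. It reads the libpcap format directly with the standard library, so it runs offline; the capture it analyses is constructed inline (addresses, the marker payload, and the use of protocol number 253, which IANA reserves for experimentation, are all sample values and not taken from the real log files).

```python
import struct
from collections import Counter

# A few well-known IP protocol numbers; anything outside this table is reported as unusual.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_frame(proto, payload, src, dst):
    """Build an Ethernet/IPv4 frame around `payload`. Checksums are left zero:
    this is constructed sample data, not a live packet."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return eth + ip + payload


def icmp_echo(data):
    """ICMP echo request (type 8): 8-byte header followed by arbitrary data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, link type 1 (Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_ipv4(pcap):
    """Yield (proto, src, dst, transport_payload) for every IPv4-over-Ethernet packet."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    link_type = struct.unpack(endian + "I", pcap[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4, or truncated
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        proto = ip[9]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield proto, src, dst, ip[ihl:total_len]


def analyze(pcap, marker=b"skillz"):
    """Tally IP protocol numbers, flag ICMP packets whose data field contains
    `marker`, and list protocol numbers outside PROTO_NAMES."""
    protocols = Counter()
    marked = []
    for proto, src, dst, payload in iter_ipv4(pcap):
        protocols[proto] += 1
        if proto == 1 and marker in payload[8:]:       # skip the 8-byte ICMP header
            marked.append((src, dst, payload[8:]))
    unusual = sorted(p for p in protocols if p not in PROTO_NAMES)
    return {"protocols": protocols, "marked_icmp": marked, "unusual": unusual}


# Constructed sample capture: one TCP segment, two ICMP echoes (one carrying the marker),
# and one packet using protocol 253 (reserved for experimentation), which stands in for
# whatever uncommon protocol a real capture might show.
SAMPLE_PCAP = build_pcap([
    ipv4_frame(6, b"\x00\x50\x04\xd2" + b"\x00" * 16 + b"GET / HTTP/1.0\r\n", "10.0.0.5", "10.0.0.2"),
    ipv4_frame(1, icmp_echo(b"skillz..."), "10.0.0.9", "10.0.0.2"),
    ipv4_frame(1, icmp_echo(b"abcdefghijkl"), "10.0.0.5", "10.0.0.2"),
    ipv4_frame(253, b"\x00" * 40, "10.0.0.9", "10.0.0.2"),
])

if __name__ == "__main__":
    report = analyze(SAMPLE_PCAP)
    for proto, count in sorted(report["protocols"].items()):
        print(f"proto {proto:3d} ({PROTO_NAMES.get(proto, 'unusual')}): {count}")
    for src, dst, data in report["marked_icmp"]:
        print(f"marked ICMP {src} -> {dst}: {data!r}")
```

On a real capture you would pass the file's bytes to `analyze()` instead of `SAMPLE_PCAP`; the protocol tally is what surfaces a transport the IDS rule set may not parse, and the marked ICMP list gives the source addresses to pivot on when working out which hosts took part.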