2015-10-13 - TRAFFIC ANALYSIS EXERCISE - ANSWERS
- ZIP archive of the PCAPs: 2015-10-13-traffic-analysis-exercise-pcaps.zip 7.6 MB (7,638,848 bytes)
ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
ANSWERS FROM OTHERS
Links to the write-ups below have answers that are a good supplement to this exercise. I always appreciate people making the extra effort to post their work on these exercises!
ANSWERS FROM ME
I ran the first pcap through Security Onion using tcpreplay and got the following alerts:
A quick way to get an idea of the IP addresses involved is to use the following filter in Wireshark:
- http.request or (!(tcp.port eq 80) and !(tcp.port eq 12189) and tcp.flags eq 0x0002) or classicstun
The filter shows every HTTP request, every TCP SYN (tcp.flags eq 0x0002 is a segment with only the SYN flag set) where neither port is 80 or 12189, and any classic STUN traffic. Each HTTP request and each non-HTTP connection attempt therefore appears once, together with its destination address, without the noise of the rest of the stream.
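The same three clauses can be applied outside Wireshark. The script below is an added example and is not part of the original write-up: using only the Python standard library, it parses a classic little-endian libpcap file, decodes Ethernet/IPv4/TCP/UDP headers, and reports the unique source/destination pairs that satisfy each clause of the filter above. The pcap it runs on is constructed inline with RFC 5737 documentation addresses and is not taken from the exercise; the HTTP-method and classic-STUN checks are simplified heuristics standing in for Wireshark's dissectors, and port 12189 is excluded only because the filter excludes it.

```python
import struct

# tcp.port matches either direction, so both ports of a segment are checked.
EXCLUDED_PORTS = {80, 12189}
SYN_ONLY = 0x0002  # tcp.flags eq 0x0002: SYN set and nothing else (12-bit field incl. NS/reserved)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")
# Classic STUN (RFC 3489) message types; a heuristic stand-in for Wireshark's classicstun dissector.
CLASSIC_STUN_TYPES = {0x0001, 0x0101, 0x0111, 0x0002, 0x0102, 0x0112}


def parse_pcap(data):
    """Yield raw Ethernet frames from a classic little-endian libpcap file (not pcapng)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian libpcap is handled here")
    off = 24  # global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return a dict for IPv4/TCP or IPv4/UDP frames; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4, proto = frame[14 + ihl:], frame[23]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        data_off = (l4[12] >> 4) * 4
        flags = ((l4[12] & 0x0F) << 8) | l4[13]  # same 12-bit value Wireshark shows as tcp.flags
        return dict(proto="tcp", src=src, dst=dst, sport=sport, dport=dport,
                    flags=flags, payload=l4[data_off:])
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return dict(proto="udp", src=src, dst=dst, sport=sport, dport=dport, payload=l4[8:])
    return None


def filter_reason(pkt):
    """Mirror the three clauses of the display filter; return the matching clause or None."""
    if pkt is None:
        return None
    if pkt["proto"] == "tcp":
        if pkt["payload"].startswith(HTTP_METHODS):
            return "http.request"
        if pkt["flags"] == SYN_ONLY and not ({pkt["sport"], pkt["dport"]} & EXCLUDED_PORTS):
            return "tcp SYN (non-80/12189 port)"
    elif pkt["proto"] == "udp" and len(pkt["payload"]) >= 20:
        mtype, mlen = struct.unpack_from("!HH", pkt["payload"], 0)
        if mtype in CLASSIC_STUN_TYPES and mlen == len(pkt["payload"]) - 20:
            return "classicstun"
    return None


def hosts_of_interest(pcap_bytes):
    """Sorted unique (src, dst, clause) triples for packets that pass the filter."""
    hits = set()
    for frame in parse_pcap(pcap_bytes):
        pkt = decode_frame(frame)
        reason = filter_reason(pkt)
        if reason:
            hits.add((pkt["src"], pkt["dst"], reason))
    return sorted(hits)


# --- constructed sample pcap (not from the exercise); RFC 5737 documentation addresses ---
def _ip(a):
    return bytes(int(x) for x in a.split("."))

def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.100", "203.0.113.10", 6, _tcp(49152, 80, 0x02)),     # SYN to 80: dropped
    _frame("192.168.1.100", "203.0.113.10", 6, _tcp(49152, 80, 0x18,
           b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n")),     # http.request: kept
    _frame("192.168.1.100", "198.51.100.5", 6, _tcp(49153, 443, 0x02)),    # SYN to 443: kept
    _frame("192.168.1.100", "198.51.100.5", 6, _tcp(49153, 443, 0x10)),    # bare ACK: dropped
    _frame("192.168.1.100", "198.51.100.77", 6, _tcp(49154, 12189, 0x02)), # SYN to 12189: dropped
    _frame("192.168.1.100", "192.0.2.20", 17, _udp(54000, 3478,
           struct.pack("!HH", 0x0001, 0) + b"\x11" * 16)),                 # classic STUN Binding Request
])

if __name__ == "__main__":
    for src, dst, why in hosts_of_interest(SAMPLE_PCAP):
        print(f"{src} -> {dst}  [{why}]")
```

Pointing hosts_of_interest() at the bytes of a real capture (open(path, "rb").read()) gives the same one-line-per-destination view the Wireshark filter produces; the first SYN of each non-HTTP connection and the first request of each HTTP connection is what identifies the hosts, which is why the ACKs and port-80 SYNs are dropped.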
I ran the second pcap through Security Onion using tcpreplay and got the following alerts:
Nothing other than HTTP traffic after the EK activity...
Below you can see the gate redirecting from the compromised website to the Nuclear EK landing page:
As always, thanks to anyone who's followed along. I hope this has helped!