2018-11-13: TWO PCAPS I PROVIDED FOR UA-CTF

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

THE TWO PCAP FILES:

• 2018-11-13-UA-CTF-1-of-2.pcap.zip   477 kB (477,395 bytes)
• 2018-11-13-UA-CTF-2-of-2.pcap.zip   6.2 MB (6,245,972 bytes)

NOTES:

• This is not a standard exercise where the answers are explained--consider this bonus material for people who've done the normal exercises and want more practice.
• I provided these two pcaps for a CTF event, where I also several suggested tasks (and my answers) for the organizers to choose from.
• After the event was completed, I was told I can make these public, so here they are!

 

BACKGROUND

After I provided two pcaps as part of a Capture The Flag (CTF) competition for UISGCON14 in October 2018 (link), I had the privilege of providing two pcaps for a UA-CTF event in November 2018.  This event happened in Kyiv Ukraine on 2018-11-16 through 17, and more than 30 students participated.

 

 

See below for more information about this event

• Tweet about the event
• Facebook page for the event (text in Ukrainian)

I'm told this material can go public now.  Like last time, these pcaps contain activity I routinely post about here at malware-traffic-analysis.net, so it shouldn't be a big challenge for anyone who follows this blog.  But keep in mind the answers do not provide any details or explanations.

 

DETAILS

FIRST PCAP:  2018-11-13-UA-CTF-1-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• LAN segment: 192.168.2[.]0/24 (192.168.2[.]0 through 192.168.2[.]255)
• Domain: dnipromotors[.]com
• Domain controller: 192.168.2[.]4 - Dnipromotors-DC
• LAN segment gateway: 192.168.2[.]1
• LAN segment broadcast address: 192.168.2[.]255
• Windows client to investigate: 192.168.2[.]147

TASKS I SUGGESTED:

• What is the MAC address of the Windows client at 192.168.2[.]147?
• What is the host name for the Windows client at 192.168.2[.]147?
• Based on the Kerberos traffic, what is the Windows user account name used on 192.168.2[.]147?
• What is the URL that returned a Windows executable file?
• When did the URL happen? (date and time in UTC)
• How many bytes is the Windows executable file returned from that URL?
• What is the SHA256 file hash of the Windows executable file returned from that URL?
• After receiving the Windows executable file, what IP address did the infected Windows host try to establish a TCP connection with?

 

SECOND PCAP:  2018-11-13-UA-CTF-2-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• LAN segment: 172.17.1[.]0/24 (172.17.1[.]0 through 172.17.1[.]255)
• Domain: kyivartworks[.]com
• Domain controller: 172.17.1[.]2 - Kyivartworks-DC
• LAN segment gateway: 172.17.1[.]1
• LAN segment broadcast address: 172.17.1[.]255
• Windows client to investigate: 172.17.1[.]129

TASKS I SUGGESTED:

• What is the MAC address of the Windows client at 172.17.1[.]129?
• What is the host name for the Windows client at 172.17.1[.]129?
• Based on the Kerberos traffic, what is the Windows user account name used on 172.17.1[.]129?
• What URL in the pcap returned a Microsoft Word document?
• When did the URL happen? (date and time in UTC)
• How many bytes is the Word document returned from that URL?
• What is the SHA256 of the Word document returned from that URL?
• What URL in the pcap returned a Windows executable file?
• How many bytes is the Windows executable file returned from that URL?
• What is the SHA256 of the Windows executable file returned from that URL?
• What type of infection occurred in this pcap?
• In addition to HTTP post-infection traffic, what other type of post-infection traffic is generated by the infected Windows host?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.