2020-05-28 - TRAFFIC ANALYSIS EXERCISE - CATBOMBER
- Zip archive of the pcap: 2020-05-28-traffic-analysis-exercise.pcap.zip 6.1 MB (6,148,841 bytes)
- 2020-05-28-traffic-analysis-exercise.pcap (8,322,070 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
LAN segment data:
- LAN segment range: 10.5.28.0/24 (10.5.28.0 through 10.5.28.255)
- Domain: catbomber.net
- Domain controller: 10.5.28.8 - Catbomber-DC
- LAN segment gateway: 10.5.28.1
- LAN segment broadcast address: 10.5.28.255
This month's pcap contains traffic from a Trickbot infection in an Active Directory (AD) environment, where the infection spreads to the Domain Controller (DC).
- Based on the Trickbot infection's HTTP POST traffic, what is the IP address, host name, and user account name for the infected Windows client?
- What is the other user account name and other Windows client host name found in the Trickbot HTTP POST traffic?
- What is the infected user's email password?
- Two Windows executable files are sent in the network traffic. What are the SHA256 file hashes for these files?