LetsDefend Challenge DFIR: Port Scan Activity writeup
LetsDefend Challenge DFIR: Port Scan Activity
Question 1: What is the IP address scanning the environment?
The host that shows up in the most packets looks suspicious. 10.42.42.253 is one end of the three largest conversations (about 13,500 frames combined), while every other conversation is tiny by comparison.
$ tshark -r port\ scan.pcap -z conv,ip -q
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                   |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.42.42.25  <-> 10.42.42.253         3405  228014     2007  120664     5412  348678      0.607596000       603.2091
10.42.42.50  <-> 10.42.42.253         2044  137680     2027  122269     4071  259949      0.000000000       603.9423
10.42.42.56  <-> 10.42.42.253         2013  135910     2013  121868     4026  257778      0.607594000       605.4745
10.42.42.25  <-> 10.42.42.50            40    2996       60    4968      100    7964    183.844341000       360.7820
10.42.42.50  <-> 10.255.255.255          0       0       12    1104       12    1104    166.033287000        53.3117
10.42.42.25  <-> 10.255.255.255          0       0        4     368        4     368    183.843619000       360.4177
================================================================================
A. {10.42.42.253}
Question 2: What is the IP address found as a result of the scan?
A host that was actually found completes the handshake (SYN, SYN/ACK, ACK) and eventually tears the connection down with FIN, so I look for FIN packets whose ip.dst is the scanner's address. Only one host ever gets that far with 10.42.42.253:
$ tshark -r port\ scan.pcap -Y "tcp.flags.fin==1 && ip.dst==10.42.42.253"
13535 603.076261  10.42.42.50 → 10.42.42.253 NBSS 71 Negative session response, Unspecified error
13536 603.076264  10.42.42.50 → 10.42.42.253 TCP 66 135 → 43490 [FIN, ACK] Seq=1 Ack=33 Win=65503 Len=0 TSval=177445 TSecr=3450708
13546 603.080033  10.42.42.50 → 10.42.42.253 TCP 66 135 → 43492 [FIN, ACK] Seq=25 Ack=169 Win=65367 Len=0 TSval=177446 TSecr=3450709
A.{10.42.42.50}
Question 3: What is the MAC address of the Apple system it finds?
$ tshark -r port\ scan.pcap -z conv,eth -q
================================================================================
Ethernet Conversations
Filter:<No Filter>
                                          |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                          | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
Apple_92:6e:dc    <-> QuantaCo_82:1f:4a      3405  228014     2007  120664     5412  348678      0.607596000       603.2091
QuantaCo_82:1f:4a <-> CompalIn_51:d7:b2      2027  122269     2044  137680     4071  259949      0.000000000       603.9423
QuantaCo_82:1f:4a <-> CompalIn_cb:1e:79      2013  121868     2013  135910     4026  257778      0.607594000       605.4745
Apple_92:6e:dc    <-> CompalIn_51:d7:b2        40    2996       60    4968      100    7964    183.844341000       360.7820
CompalIn_51:d7:b2 <-> Broadcast                 0       0       12    1104       12    1104    166.033287000        53.3117
Apple_92:6e:dc    <-> Broadcast                 0       0        4     368        4     368    183.843619000       360.4177
================================================================================
Lining this up with the IPv4 conversation table from Question 1 (the frame and byte counts match row for row) shows which IP has the Apple MAC: the 5412-frame conversation is 10.42.42.25 <-> 10.42.42.253 in the IP table and Apple_92:6e:dc <-> QuantaCo_82:1f:4a in the Ethernet table, so 10.42.42.25 is the Apple host and 10.42.42.253 (the scanner) is the Quanta machine.
Apple_92:6e:dc (00:16:cb:92:6e:dc)
A.{00:16:cb:92:6e:dc}
Question 4: What is the IP address of the detected Windows system?
I thought for a moment about how to tell which host is Windows, but this capture only has four IP addresses:
10.42.42.25      Apple (Question 3)
10.42.42.50      ?
10.42.42.253     the scanner
10.255.255.255   broadcast
Seen this way, it narrows down to one candidate. The Question 2 output backs this up: 10.42.42.50 answered the scanner on TCP 135 (MS-RPC) and sent a NetBIOS session (NBSS) response, both services typical of a Windows host.
A.{10.42.42.50}
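As an added example (my own code, not part of the writeup or of LetsDefend's material), here are the four checks above scripted in Python over a `tshark -T fields` export, so the answers come from counting rather than eyeballing: the scanner is the source that fires bare SYNs at the most distinct host/port pairs, the "found" host is whoever answers it with SYN/ACK, the IP-to-MAC mapping comes straight from eth.src, and the Windows tell is the 135/139/445 service trio. The export command, the embedded sample rows and the non-Apple MAC addresses are assumptions constructed for the demo; only the challenge's IP addresses and the Apple MAC 00:16:cb:92:6e:dc come from the page.

```python
"""Port-scan triage over a `tshark -T fields` export.

Added example; not from the writeup. Assumed export command (one packet per
line, tab-separated):

    tshark -r "port scan.pcap" -T fields -E separator=/t
        -e ip.src -e ip.dst -e eth.src -e tcp.srcport -e tcp.dstport -e tcp.flags

tcp.flags prints as hex ("0x0002" on older tshark, "0x002" on 4.x); both
parse with int(x, 16). Non-TCP frames leave the port/flag columns empty.
"""
from collections import defaultdict

# TCP flag bits as they appear in the tcp.flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample, not capture data: the IPs and the Apple MAC are the ones
# from the challenge; the aa:bb:cc:* MACs are made up for the demo.
SAMPLE = """\
10.42.42.253\t10.42.42.25\taa:bb:cc:82:1f:4a\t43401\t22\t0x0002
10.42.42.25\t10.42.42.253\t00:16:cb:92:6e:dc\t22\t43401\t0x0014
10.42.42.253\t10.42.42.25\taa:bb:cc:82:1f:4a\t43403\t135\t0x0002
10.42.42.25\t10.42.42.253\t00:16:cb:92:6e:dc\t135\t43403\t0x0014
10.42.42.253\t10.42.42.50\taa:bb:cc:82:1f:4a\t43404\t22\t0x0002
10.42.42.50\t10.42.42.253\taa:bb:cc:51:d7:b2\t22\t43404\t0x0014
10.42.42.253\t10.42.42.50\taa:bb:cc:82:1f:4a\t43405\t135\t0x0002
10.42.42.50\t10.42.42.253\taa:bb:cc:51:d7:b2\t135\t43405\t0x0012
10.42.42.253\t10.42.42.50\taa:bb:cc:82:1f:4a\t43405\t135\t0x0010
10.42.42.50\t10.42.42.253\taa:bb:cc:51:d7:b2\t135\t43405\t0x0011
10.42.42.253\t10.42.42.50\taa:bb:cc:82:1f:4a\t43406\t139\t0x0002
10.42.42.50\t10.42.42.253\taa:bb:cc:51:d7:b2\t139\t43406\t0x0012
10.42.42.253\t10.42.42.50\taa:bb:cc:82:1f:4a\t43407\t445\t0x0002
10.42.42.50\t10.42.42.253\taa:bb:cc:51:d7:b2\t445\t43407\t0x0012
10.42.42.25\t10.42.42.50\t00:16:cb:92:6e:dc\t50001\t445\t0x0002
10.42.42.50\t10.42.42.25\taa:bb:cc:51:d7:b2\t445\t50001\t0x0012
"""


def parse_fields(text):
    """Turn the export into dicts; frames without TCP fields (ARP, UDP) are skipped."""
    recs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6 or not all(parts[3:]):
            continue
        src, dst, mac, sport, dport, flags = parts
        recs.append({"src": src, "dst": dst, "mac": mac.lower(),
                     "sport": int(sport), "dport": int(dport),
                     "flags": int(flags, 16)})
    return recs


def is_syn_only(flags):
    return (flags & (SYN | ACK)) == SYN


def is_syn_ack(flags):
    return (flags & (SYN | ACK)) == (SYN | ACK)


def find_scanner(recs):
    """Q1: the source that sent bare SYNs to the most distinct (host, port) pairs."""
    targets = defaultdict(set)
    for r in recs:
        if is_syn_only(r["flags"]):
            targets[r["src"]].add((r["dst"], r["dport"]))
    if not targets:
        return None, 0
    scanner = max(targets, key=lambda ip: len(targets[ip]))
    return scanner, len(targets[scanner])


def open_ports_found(recs, scanner):
    """Q2: hosts that answered the scanner with SYN/ACK, and on which ports.
    RST/ACK replies (closed) and silence (filtered) are deliberately left out."""
    found = defaultdict(set)
    for r in recs:
        if r["dst"] == scanner and is_syn_ack(r["flags"]):
            found[r["src"]].add(r["sport"])
    return {ip: sorted(ports) for ip, ports in found.items()}


# Only the OUI the capture shows; tshark resolves the rest from its manuf file.
OUI = {"00:16:cb": "Apple"}


def mac_table(recs):
    """Q3: IP -> (source MAC, vendor) as seen on the wire."""
    table = {}
    for r in recs:
        table.setdefault(r["src"], (r["mac"], OUI.get(r["mac"][:8], "unknown")))
    return table


# MS-RPC, NetBIOS session and SMB: open together they are a strong Windows tell.
WINDOWS_PORTS = {135, 139, 445}


def windows_candidates(found):
    """Q4: hosts whose open ports include the Windows service trio."""
    return sorted(ip for ip, ports in found.items() if WINDOWS_PORTS & set(ports))


def triage(text):
    recs = parse_fields(text)
    scanner, n_targets = find_scanner(recs)
    found = open_ports_found(recs, scanner)
    return {"scanner": scanner, "targets_probed": n_targets,
            "open_ports": found, "macs": mac_table(recs),
            "windows_candidates": windows_candidates(found)}


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(data), indent=2))
```

Run it with a real export as the first argument, or with no argument to triage the embedded sample. On a real capture the distinct-target count also ranks busy legitimate clients high, so treat it as a ranking and confirm with the SYN/ACK versus RST/ACK pattern; a host whose firewall silently drops probes never appears in open_ports at all, and on a scan that sends only bare SYNs (nmap -sS) you will not see the FIN teardown the writeup keyed on, only the SYN/ACK and the scanner's RST.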