LetsDefend Challenge DFIR: Port Scan Activity
Question1: What is the IP address scanning the environment?
The host that appears to be sending by far the most packets is the suspicious one, so start with per-conversation statistics.
$ tshark -r port\ scan.pcap -z conv,ip -q
================================================================================
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.42.42.25 <-> 10.42.42.253 3405 228014 2007 120664 5412 348678 0.607596000 603.2091
10.42.42.50 <-> 10.42.42.253 2044 137680 2027 122269 4071 259949 0.000000000 603.9423
10.42.42.56 <-> 10.42.42.253 2013 135910 2013 121868 4026 257778 0.607594000 605.4745
10.42.42.25 <-> 10.42.42.50 40 2996 60 4968 100 7964 183.844341000 360.7820
10.42.42.50 <-> 10.255.255.255 0 0 12 1104 12 1104 166.033287000 53.3117
10.42.42.25 <-> 10.255.255.255 0 0 4 368 4 368 183.843619000 360.4177
================================================================================
A. {10.42.42.253}
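The "most frames is the scanner" heuristic above can be automated instead of read off the table by eye. The following shell snippet is an added example, not part of the original write-up: it sums the Total Frames column of a `tshark -z conv,ip -q` (or `-z conv,eth -q`) table per endpoint and ranks the endpoints. The sample input is the IPv4 conversation table from the capture, pasted in as a constructed heredoc so the functions run without the pcap; the function names and the column position (field 8 after whitespace collapse) are this example's assumptions about tshark's text layout.

```shell
#!/bin/sh
# Added example (not from the original write-up): rank every endpoint in a
# "tshark -z conv,ip -q" or "tshark -z conv,eth -q" table by total frames.
# Heuristic from Question 1: the endpoint present in the most frames is the
# likely scanner. Banner/header lines do not have "<->" in field 2 and are
# skipped; field 8 is the "Total Frames" column once whitespace is collapsed.
rank_endpoints() {
  awk '$2 == "<->" { frames[$1] += $8; frames[$3] += $8 }
       END { for (h in frames) printf "%d %s\n", frames[h], h }' | sort -rn
}

# Print only the busiest endpoint (the scanner candidate).
top_talker() {
  rank_endpoints | head -n 1 | awk '{ print $2 }'
}

# Constructed sample: the IPv4 conversation table from the capture above,
# including tshark's banner lines to show that they are ignored.
sample_conv() {
  cat <<'EOF'
================================================================================
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.42.42.25 <-> 10.42.42.253 3405 228014 2007 120664 5412 348678 0.607596000 603.2091
10.42.42.50 <-> 10.42.42.253 2044 137680 2027 122269 4071 259949 0.000000000 603.9423
10.42.42.56 <-> 10.42.42.253 2013 135910 2013 121868 4026 257778 0.607594000 605.4745
10.42.42.25 <-> 10.42.42.50 40 2996 60 4968 100 7964 183.844341000 360.7820
10.42.42.50 <-> 10.255.255.255 0 0 12 1104 12 1104 166.033287000 53.3117
10.42.42.25 <-> 10.255.255.255 0 0 4 368 4 368 183.843619000 360.4177
================================================================================
EOF
}

# Against a live capture: tshark -r "port scan.pcap" -z conv,ip -q | rank_endpoints
sample_conv | rank_endpoints
```

Because the Ethernet conversation table uses the same `A <-> B` layout, piping `tshark -z conv,eth -q` output through `rank_endpoints` gives the same ranking keyed by MAC address, which is a quick way to pair each IP with its hardware address for Question 3.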
Question2: What is the IP address found as a result of the scan?
A host that goes all the way through SYN, ACK and FIN (a completed connection that is then closed), with ip.dst being the scanner's IP, is presumably the one the scan found.
$ tshark -r port\ scan.pcap -Y "tcp.flags.fin==1 && ip.dst==10.42.42.253"
13535 603.076261 10.42.42.50 → 10.42.42.253 NBSS 71 Negative session response, Unspecified error
13536 603.076264 10.42.42.50 → 10.42.42.253 TCP 66 135 → 43490 [FIN, ACK] Seq=1 Ack=33 Win=65503 Len=0 TSval=177445 TSecr=3450708
13546 603.080033 10.42.42.50 → 10.42.42.253 TCP 66 135 → 43492 [FIN, ACK] Seq=25 Ack=169 Win=65367 Len=0 TSval=177446 TSecr=3450709
A.{10.42.42.50}
Question3: What is the MAC address of the Apple system it finds?
$ tshark -r port\ scan.pcap -z conv,ip -q
================================================================================
IPv4 Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
10.42.42.25 <-> 10.42.42.253 3405 228014 2007 120664 5412 348678 0.607596000 603.2091
10.42.42.50 <-> 10.42.42.253 2044 137680 2027 122269 4071 259949 0.000000000 603.9423
10.42.42.56 <-> 10.42.42.253 2013 135910 2013 121868 4026 257778 0.607594000 605.4745
10.42.42.25 <-> 10.42.42.50 40 2996 60 4968 100 7964 183.844341000 360.7820
10.42.42.50 <-> 10.255.255.255 0 0 12 1104 12 1104 166.033287000 53.3117
10.42.42.25 <-> 10.255.255.255 0 0 4 368 4 368 183.843619000 360.4177
================================================================================
$ tshark -r port\ scan.pcap -z conv,eth -q
================================================================================
Ethernet Conversations
Filter:<No Filter>
| <- | | -> | | Total | Relative | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | Start | |
Apple_92:6e:dc <-> QuantaCo_82:1f:4a 3405 228014 2007 120664 5412 348678 0.607596000 603.2091
QuantaCo_82:1f:4a <-> CompalIn_51:d7:b2 2027 122269 2044 137680 4071 259949 0.000000000 603.9423
QuantaCo_82:1f:4a <-> CompalIn_cb:1e:79 2013 121868 2013 135910 4026 257778 0.607594000 605.4745
Apple_92:6e:dc <-> CompalIn_51:d7:b2 40 2996 60 4968 100 7964 183.844341000 360.7820
CompalIn_51:d7:b2 <-> Broadcast 0 0 12 1104 12 1104 166.033287000 53.3117
Apple_92:6e:dc <-> Broadcast 0 0 4 368 4 368 183.843619000 360.4177
================================================================================
Comparing this with the IP conversation statistics (the frame and byte counts match line for line), you can tell which IP's MAC address is the Apple one.
Apple_92:6e:dc (00:16:cb:92:6e:dc)
A.{00:16:cb:92:6e:dc}
Question4: What is the IP address of the detected Windows system?
I thought for a moment about how to identify the Windows IP, but there are only four IPs in this capture:
10.42.42.25 apple?
10.42.42.50 ??????
10.42.42.253 scanner
10.255.255.255 broadcast
Looking at it this way, it narrows down to one.
A.{10.42.42.50}