Network Forensics Exercises


Warmup

Warmup: Basic Statistics

PCAP


Exercises

Adventure A: Stealthy Exfil I

PCAP

Investigate the capture, find a data exfil method, recover the data, and reconstruct the original contents. Find a 12-character hex string.

Hint: If it's not TCP, and it's not UDP, it's probably ...

Adventure B: Command Injection Exploit

PCAP

An attacker is targeting Trendnet equipment on your network. Find the address of the equipment that was successfully exploited.

Hint: Look at this talk.

Adventure C: Stealthy Exfil II

PCAP

Investigate the capture, find a data exfil method, recover the data, and reconstruct the original contents. Find a 12-character hex string.

Hint: UDP 53


Extra Fun

Bonus A: Identify a Beaconer

PCAP

A workstation at 192.168.106.152 is periodically beaconing to a malicious IP address. What is the malicious IP?

Bonus B: Stealthy Exfil III

PCAP

Investigate the capture, find a data exfil method, recover the data, and reconstruct the original contents. Find a 12-character hex string.

Hint: man cryptcat

Bonus C: Memory + Network Forensics

Memory Dump, PCAP

Given a packet capture and a memory dump from a machine, find the flag.

Bonus D: Tunnels

PCAP

Find the tunnel, extract the transmitted data, and get the flag.

Hint: I [53]


License