The scan for April, 2001. This month's challenge calls on you to decode
a successful NT attack with only the snort binary log capture for analysis.
All submissions are due no later than 17:00, 20 April. Results will be released
23 April.
NOTE: People have been having problems downloading the .gz file, so it is
also provided now in .zip format for Windows users. MD5 checksums are provided
for both files. Hope this helps :)
The Challenge:
The Results:
Writeups from the Honeynet Project members.
We received a total of twenty-three outstanding submissions. Below we have listed the top three,
followed by the remaining twenty submissions. We would like to once again thank and
congratulate everyone who spent their time on this. The average submission required over nine hours
of work. Many submissions indicated that the NT honeypot behaved oddly and must have been
modified by the Honeynet Project. No modifications were ever made to the NT box. It was strictly
a default installation with support for IIS. Any idiosyncrasies identified are a result of the
operating system itself :)
Starting in May we will use a point system
to rate all entries. This way we can better explain why each entry was rated as it was. If your entry is not
posted, or if you have any questions, drop us an email. And now, on to the results.
On 4 Feb. 2001, the system 213.116.251.162 successfully attacked and compromised the
honeypot 172.16.1.106, otherwise known as lab.wiretrip.net. We have reason to
believe that the attacker knew this was a honeypot; however, we decided to release
this challenge as it exemplifies the most common of NT attacks found in the
wild. Your only source of information is the snort binary log file that captured
the entire attack. You can download this in
(.gz format,
MD5=af1588ce7f7798190694addef3f148f7), or
(.zip format,
MD5=aca62e19ba49546d2bfd1fa1c71b5751). You will
have to extract and analyze the information from this binary log file. Remember,
entries will not only be judged on your answers, but on how easy they are to
read, and on whether you show how you obtained/conducted your analysis.
Bonus Question:
Do you feel that the attacker in question knew if this was a honeypot?
If so, why or why not?
This month's attack used two commonly seen NT exploits, specifically RDS (Remote Data Services) and
Unicode. The attacker gained access using Unicode, downloaded several binaries
including netcat, then gained remote control of the system using a netcat
connection.
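The challenge asks you to extract and analyze the snort binary log yourself, and the results name the two exploit classes to look for (Unicode and RDS). As an added example that is not part of the Honeynet Project's page or any submission, the script below walks a libpcap-format file (the format snort writes with its binary logging option), pulls the request line out of each HTTP request to port 80, and tags requests that use overlong UTF-8 ("Unicode") sequences in the path, plain ../ traversal, a reference to cmd.exe, or the RDS msadcs.dll endpoint. The capture it reads is constructed inline (documentation-range addresses, zeroed checksums, a 4 Feb 2001 timestamp), so it runs offline; to use it on the real challenge file, pass that file's bytes to analyze_capture instead of build_pcap(SAMPLE_FLOWS). The signature strings and tag names are this example's own choices, not snort rule names.

```python
"""Added example: tag Unicode-traversal and RDS requests in a libpcap capture."""
import socket
import struct
from typing import List, Tuple

LINKTYPE_ETHERNET = 1
HEX = b"0123456789abcdefABCDEF"
SIG_RDS = b"/msadc/msadcs.dll"   # RDS DataFactory endpoint shipped with IIS
SIG_CMD = b"cmd.exe"


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes to raw bytes, leaving malformed escapes untouched."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"%" and i + 3 <= len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def find_overlong_utf8(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, codepoint) for two-byte sequences with lead byte C0/C1.
    Those are always overlong encodings of a 7-bit character (C0 AF -> '/'),
    which is why a literal '../' check on the undecoded path misses them."""
    hits = []
    for i in range(len(data) - 1):
        lead, cont = data[i], data[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            hits.append((i, ((lead & 0x1F) << 6) | (cont & 0x3F)))
    return hits


def classify_request(request: bytes) -> List[str]:
    """Tag one HTTP request line; an empty list means nothing matched."""
    try:
        _method, target, _version = request.split(b" ", 2)
    except ValueError:
        return ["malformed-request-line"]
    decoded = percent_decode(target)
    overlong = find_overlong_utf8(decoded)
    tags = ["unicode-traversal"] if overlong else []
    # Collapse each overlong pair to the ASCII byte it stands for (reverse
    # order keeps earlier offsets valid) before the plain-text checks.
    normalized = bytearray(decoded)
    for off, cp in reversed(overlong):
        normalized[off:off + 2] = bytes([cp])
    if b"/../" in normalized or b"\\..\\" in normalized or b"/..\\" in normalized:
        tags.append("dot-dot-traversal")
    if SIG_CMD in normalized.lower():
        tags.append("cmd-exe")
    if normalized.lower().startswith(SIG_RDS):
        tags.append("rds-msadc")
    return tags


def build_pcap(flows: List[Tuple[str, str, bytes]]) -> bytes:
    """Constructed capture: one Ethernet/IPv4/TCP packet to port 80 per
    (src, dst, payload). Checksums are zero; the parser does not verify them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, (src, dst, payload) in enumerate(flows):
        tcp = struct.pack("!HHIIBBHHH", 40000 + n, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), n, 0,
                         64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        # 981244800 is 2001-02-04 00:00:00 UTC, a constructed timestamp.
        out += struct.pack("<IIII", 981244800 + n, 0, len(frame), len(frame)) + frame
    return out


def extract_tcp_payloads(pcap: bytes) -> List[Tuple[str, str, int, bytes]]:
    """Yield (src, dst, dport, payload) for every IPv4/TCP packet with data."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    if struct.unpack("<I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    results, pos = [], 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue                                   # not IPv4
        if frame[23] != 6:
            continue                                   # not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            results.append((socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
                            struct.unpack("!H", tcp[2:4])[0], payload))
    return results


def analyze_capture(pcap: bytes) -> List[Tuple[str, str, List[str]]]:
    """Classify the request line of each HTTP request seen going to port 80."""
    findings = []
    for src, dst, dport, payload in extract_tcp_payloads(pcap):
        if dport == 80:
            tags = classify_request(payload.split(b"\r\n", 1)[0])
            if tags:
                findings.append((src, dst, tags))
    return findings


# Constructed sample traffic (documentation-range addresses, not the challenge's).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("192.0.2.10", "198.51.100.5",
     b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", "198.51.100.5",
     b"POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, tags in analyze_capture(build_pcap(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {', '.join(tags)}")
```

The overlong-sequence check is the part worth keeping even if you replace the rest with tcpdump or snort -r: decoding %c0%af to its bytes and then recognising that C0/C1 lead bytes can only encode a 7-bit character is what turns an opaque string into an obvious "../". Running the same decode over every request in the real log, rather than only the first, and grouping by source address gives a timeline of how access was gained before the netcat session started.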