After reviewing the submissions so far, it seems that question #2 is perhaps a little too ambiguous. We’re amending it to read:
For the FIRST port scan that MR. X conducted, what type was it?
If you’ve already posted a submission, please re-evaluate your answer accordingly, and feel free to re-submit!
Also, we’ll be extending the deadline by two weeks to 3/18/10.
Cheers!
February 17, 2010 at 12:18 pm
Maybe you should precise what you hear by “FIRST port scan”. Do you want us to precise THE scan type Mr. X uses for the VERY FIRST port he scans (may only include ONE port) OR the ports scans techniques used for the FIRST campaign of port scan (may include many techniques and many ports)? Thank you for your precisions.
February 20, 2010 at 4:35 am
Just for information, would it be possible to know the tool (and parameters) you use for your captures? It would help me understanding why my tcpdump gives me different results. Many thanks in advance.
February 21, 2010 at 4:31 am
Hi Sébastien,
Normally we use “tcpdump -s 0 -nn” to get our captures. The “-s 0” flag tells tcpdump to capture the entire packet, and the “-nn” tells it not to resolve hostnames or portnames. Hope that helps! If you have questions about specific discrepancies, feel free to post them and we’ll be happy to give you feedback.
best,
Sherri
February 22, 2010 at 1:22 am
Hi
I have submitted my ansewres for puzzle 4. Before resubmitting I would like to clarify the meaning of “First Port Scan”.
And regarding the sweet part of competion. If I win the competition will the prize be delivered to India as I am participating from India.
Thanks
March 18, 2010 at 1:08 pm
I wanted to make sure that I understand the question about the targets right, does this question means all the IPs that responded even if they had no open ports on them??
March 18, 2010 at 11:16 pm
@Ahmed: an exploit/a port scan could be unsuccessful from the hacker’s point of view. Although, it implies an attacker and one or more targets. A target is a host that you try to attack as an attacker. In other terms, even if there is no answer from a target, it remains a target although.
March 24, 2010 at 2:55 pm
Nice solution, Sébastien DAMAYE! I also used a database (SQLite) to solve the puzzle, but mine doesn’t have nice graphs 😉 It looks like we both got the same answers so hopefully we’re both correct.
As far as your open question about telling the difference between SYN and TCP Connect scans when there aren’t any open ports… AFAIK you’re only option is to find the scanner used and differences between the two scan types. For example, Nmap apparently doesn’t change the source port on SYN segments sent during a SYN scan, but it does change the source port for each TCP Connect SYN segment it sends.
May 28, 2010 at 5:22 am
@Ahmed: an exploit/a port scan could be unsuccessful from the hacker’s point of view. Although, it implies an attacker and one or more targets. A target is a host that you try to attack as an attacker. In other terms, even if there is no answer from a target, it remains a target although.