Comments on: Puzzle #4 Update

By: Steve

Steve — Fri, 28 May 2010 11:22:00 +0000

@Ahmed: an exploit/a port scan could be unsuccessful from the hacker’s point of view. Although, it implies an attacker and one or more targets. A target is a host that you try to attack as an attacker. In other terms, even if there is no answer from a target, it remains a target although.

By: Adam

Adam — Wed, 24 Mar 2010 19:55:24 +0000

Nice solution, Sébastien DAMAYE! I also used a database (SQLite) to solve the puzzle, but mine doesn’t have nice graphs It looks like we both got the same answers so hopefully we’re both correct.

As far as your open question about telling the difference between SYN and TCP Connect scans when there aren’t any open ports… AFAIK you’re only option is to find the scanner used and differences between the two scan types. For example, Nmap apparently doesn’t change the source port on SYN segments sent during a SYN scan, but it does change the source port for each TCP Connect SYN segment it sends.

By: Sébastien DAMAYE

Sébastien DAMAYE — Fri, 19 Mar 2010 04:16:53 +0000

By: Ahmed Adel

Ahmed Adel — Thu, 18 Mar 2010 18:08:26 +0000

I wanted to make sure that I understand the question about the targets right, does this question means all the IPs that responded even if they had no open ports on them??

By: Deepak Khemani

Deepak Khemani — Mon, 22 Feb 2010 06:22:12 +0000

I have submitted my ansewres for puzzle 4. Before resubmitting I would like to clarify the meaning of “First Port Scan”.

And regarding the sweet part of competion. If I win the competition will the prize be delivered to India as I am participating from India.

Thanks

By: sherri

sherri — Sun, 21 Feb 2010 09:31:03 +0000

Hi Sébastien,

Normally we use “tcpdump -s 0 -nn” to get our captures. The “-s 0″ flag tells tcpdump to capture the entire packet, and the “-nn” tells it not to resolve hostnames or portnames. Hope that helps! If you have questions about specific discrepancies, feel free to post them and we’ll be happy to give you feedback.

best,
Sherri

By: Sébastien DAMAYE

Sébastien DAMAYE — Sat, 20 Feb 2010 09:35:38 +0000

Just for information, would it be possible to know the tool (and parameters) you use for your captures? It would help me understanding why my tcpdump gives me different results. Many thanks in advance.

By: Sébastien DAMAYE

Sébastien DAMAYE — Wed, 17 Feb 2010 17:18:04 +0000

Maybe you should precise what you hear by “FIRST port scan”. Do you want us to precise THE scan type Mr. X uses for the VERY FIRST port he scans (may only include ONE port) OR the ports scans techniques used for the FIRST campaign of port scan (may include many techniques and many ports)? Thank you for your precisions.