1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
3. Vick’s computer made a second HTTP request for an object.
4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
6. In packet 17, the malicious server sent a file to the client.
7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
By submitting this form, you agree to the following: Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Exceptional submissions may also be used as examples and tools in the Network Forensics course, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.