Analyst: Moh. RianZidni
Time Analysis: 2016-11-28 15: 00:00 ~ 16:20:00
Evidence File: Evidence04.pcap
Integrity Hash Value Of The Evidnce File: 9A06113D2E1ECF70943EBD522C7F3D399DC83B21
Attacker Time: 2010-02-03 08:34:06 ~2010-02-03 08:44:13
The Attacker’SIp Address: 10.42.42.253
Used Attack Technique: Port Scan
Feature An Attack: Syn
Victim Computer:
10.42.42.25 / 00:16:cb:92:6e:dc / Mac / X
10.42.42.50 / 70:5a:b6:51:d7:b2 / Windows / 135,139
10.42.42.56 / 00:26:22:cb:1e:79 / Mac / X
Analysis summary and opinion
- was the IP address of Mr. X’s scanner?
Clicking twice at the evidence will automatically open Wireshark. To determine Mr. X’s scanner we can simply see the first packet that is initializing the connection. The IP source shown is 10.42.42.253.
- For the FIRST port scan that Mr. X conducted, what type of port scan was it?
The first port scan that Mr. X conducted can be examine by following the TCP stream. We can follow the TCP stream of the first packet by using filter expression“tcp.streameq 0″. The information of the packet shown is SYN then responded with RST, ACK. This pattern is a common pattern for a 3 hand-shake of TCP Connect port scan.
The stream, in fact is an unsuccessful connection attempt. To make sure that TCP Connection is actually being used we can see that the following stream is also following this pattern. And using the filter “tcp.flags.syn==1 & tcp.flags.ack==1″ we can see the first successful packet is packet 779 in stream 390. The stream goes like this: SYN -> SYN, ACK -> ACK -> RST, ACK which is the pattern for a 3 hand-shake of TCP Connect.
- What were the IP addresses of the targets Mr. X discovered?
The IP addresses of the targets Mr. X discovered can be seen under Statistics –> Endpoints. Then examine under IPv4:5 because the port scan used is TCP connect. There we can see several endpoints addresses. Beside Mr. X’s address and 10.255.255.255 which is the gateway there are 3 other addresses:
10.42.42.50
10.42.42.56
10.42.42.25.
- What was the MAC address of the Apple system he found?
To see the MAC address of the Apple system Mr. X found we can examine each ethernet information for the addresses in number 3. The first address, 10.42.42.50 shows the destination is CompalIn_51:d7:b2.
The second address, 10.42.42.56 shows the destination is CompalIn_cb:1e:79
And the last address, 10.42.42.25 shows the destination is Apple_92:6e:dc which we can assume that it is the Apple system Mr. X found. The information next to it is the MAC address for 00:16:cb:92:6e:dc.
- What was the IP address of the Windows system he found?
To determine the MAC address of the Apple system we can distinguish each packet time to live for OSes. The following table is the TTL values for Linux, Windows, and AIX.
Then to see which IP address is the Windows system we can use the filter expression “ip.ttleq 128″. The result show that the packet that have TTL value of 128 have the IP destination of 10.42.42.50.
- What TCP ports were open on the Windows system?
(Please list the decimal numbers from lowest to highest.)
To see the TCP Ports that were open on the Windows system we can use the filter expression “tcp.flags.syn==1 & tcp.flags.ack==1″ as the successful connection plus “ip.ttleq 128″ to filter the Windows system connection. Wireshark will list he packets that fulfill the filter and you can simply see under tab Transmission Control Protocol, source port information. The port used are135 and 139.
1