While a fugitive in Mexico, Mr. X remotely infiltrates the Arctic Nuclear Fusion Research Facility’s (ANFRF) lab subnet over the Interwebs. Virtually inside the facility (pivoting through a compromised system), he conducts some noisy network reconnaissance. Sadly, Mr. X is not yet very stealthy.
Unfortunately for Mr. X, the lab’s network is instrumented to capture all traffic (with full content). His activities are discovered and analyzed… by you!
Here is the packet capture containing Mr. X’s activity. As the network forensic investigator, your mission is to answer the following questions:
1. What was the IP address of Mr. X’s scanner?
Only SYN packets are sent from IP address 10.42.42.253, and none of those connections is ever completed, so 10.42.42.253 is the scanner.

2. For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one:
- TCP SYN
- TCP ACK
- UDP
- TCP Connect
- TCP XMAS
- TCP RST
The scanner sends a continuous stream of bare SYN packets and never finishes the three-way handshake (a SYN/ACK reply is answered with RST, not ACK), which identifies a TCP SYN (half-open) scan; a TCP Connect scan would complete the handshake on every open port.

3. What were the IP addresses of the targets Mr. X discovered?
10.42.42.25, 10.42.42.50, 10.42.42.56

4. What was the MAC address of the Apple system he found?
Searching the capture for "apple", the only Apple OUI (resolved as Apple_92) belongs to MAC address 00:16:cb:92:6e:dc.

5. What was the IP address of the Windows system he found?
Filtering on ICMP, the replies from 10.42.42.50 carry a TTL of 128, the default initial TTL of Windows (Linux and macOS use 64), so it is the Windows system. Note that TTL is only a heuristic: each router hop decrements it by one, so on a remote target the observed value is below the default; here the scanner is on the same subnet, so the value is unchanged.

6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)
Looking for SYN+ACK replies from 10.42.42.50 to the scanner, only ports 135 and 139 answered that way (closed ports answer a SYN with RST/ACK), so 135 and 139 are open.
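The reasoning behind questions 1 through 6 can be reproduced mechanically. The Python below is an added example, not code from the contest or from this write-up; it constructs a small synthetic set of packets (the addresses reuse the ones discussed above, but the traffic is made up here and is not the puzzle pcap) and then applies the same checks: the scanner is the source that SYN-probes the most distinct host:port pairs, the scan type is read off the probe flags plus whether the scanner ever completes a handshake, discovered targets are the hosts that answered, open ports are those that replied SYN/ACK, and the OS guess buckets the reply TTL against the usual defaults (a heuristic, not proof). The names SCANNER, WIN, MAC and OTHER and all helper functions are assumptions made for this example.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SYNACK = SYN | ACK
IP_ICMP, IP_TCP = 1, 6
# Hypothetical lab hosts (constructed sample, not the contest capture)
SCANNER, WIN, MAC, OTHER = "10.42.42.253", "10.42.42.50", "10.42.42.25", "10.42.42.56"

def addr(s):
    return bytes(int(o) for o in s.split("."))

def ipv4(src, dst, proto, ttl, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, addr(src), addr(dst)) + payload

def tcp(sport, dport, flags):
    """Minimal 20-byte TCP header: data offset 5, given flag bits, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp(kind):
    """ICMP echo request (8) or reply (0) with zeroed fields."""
    return struct.pack("!BBHHH", kind, 0, 0, 0, 0)

def sample_capture():
    """Constructed traffic: ping sweep + half-open scan from SCANNER, plus one legitimate handshake."""
    pk = []
    for host, ttl in ((WIN, 128), (MAC, 64)):   # replies carry each host's default initial TTL
        pk.append(ipv4(SCANNER, host, IP_ICMP, 64, icmp(8)))
        pk.append(ipv4(host, SCANNER, IP_ICMP, ttl, icmp(0)))
    probes = [(WIN, 80, False), (WIN, 135, True), (WIN, 139, True), (WIN, 445, False),
              (MAC, 22, True), (OTHER, 80, False)]
    for host, port, is_open in probes:
        ttl = 128 if host == WIN else 64
        pk.append(ipv4(SCANNER, host, IP_TCP, 64, tcp(40000 + port, port, SYN)))
        if is_open:   # open port answers SYN/ACK; the scanner tears down with RST, never ACKs
            pk.append(ipv4(host, SCANNER, IP_TCP, ttl, tcp(port, 40000 + port, SYNACK)))
            pk.append(ipv4(SCANNER, host, IP_TCP, 64, tcp(40000 + port, port, RST)))
        else:         # closed port answers RST/ACK
            pk.append(ipv4(host, SCANNER, IP_TCP, ttl, tcp(port, 40000 + port, RST | ACK)))
    # unrelated full three-way handshake between two lab hosts (must not be flagged as the scanner)
    pk.append(ipv4(OTHER, MAC, IP_TCP, 64, tcp(51000, 22, SYN)))
    pk.append(ipv4(MAC, OTHER, IP_TCP, 64, tcp(22, 51000, SYNACK)))
    pk.append(ipv4(OTHER, MAC, IP_TCP, 64, tcp(51000, 22, ACK)))
    return pk

def parse(raw):
    """Decode one IPv4 packet into the few fields the triage needs."""
    ihl = (raw[0] & 0x0F) * 4
    rec = {"src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
           "ttl": raw[8], "proto": raw[9]}
    body = raw[ihl:]
    if rec["proto"] == IP_TCP:
        rec["sport"], rec["dport"] = struct.unpack("!HH", body[:4])
        rec["flags"] = body[13] & 0x3F        # low six bits: URG ACK PSH RST SYN FIN
    elif rec["proto"] == IP_ICMP:
        rec["icmp_type"] = body[0]
    return rec

def capture_records():
    return [parse(raw) for raw in sample_capture()]

def find_scanner(pkts):
    """Q1: the source sending bare SYNs to the most distinct host:port pairs."""
    probes = {}
    for p in pkts:
        if p["proto"] == IP_TCP and p["flags"] == SYN:
            probes.setdefault(p["src"], set()).add((p["dst"], p["dport"]))
    return max(probes, key=lambda s: len(probes[s]))

def classify_scan(pkts, scanner):
    """Q2: dominant probe flags pick the type; bare SYN splits into half-open vs. full connect."""
    probe = Counter(p["flags"] for p in pkts
                    if p["proto"] == IP_TCP and p["src"] == scanner).most_common(1)[0][0]
    if probe != SYN:
        return {ACK: "TCP ACK", RST: "TCP RST", FIN | PSH | URG: "TCP XMAS"}.get(probe, "unknown")
    answered = {(p["src"], p["sport"]) for p in pkts if p["proto"] == IP_TCP
                and p["dst"] == scanner and p["flags"] & SYNACK == SYNACK}
    completed = any(p["proto"] == IP_TCP and p["src"] == scanner and p["flags"] == ACK
                    and (p["dst"], p["dport"]) in answered for p in pkts)
    return "TCP Connect" if completed else "TCP SYN"

def discovered_targets(pkts, scanner):
    """Q3: every host that answered the scanner, in address order."""
    return sorted({p["src"] for p in pkts if p["dst"] == scanner},
                  key=lambda a: tuple(map(int, a.split("."))))

def open_tcp_ports(pkts, host, scanner):
    """Q6: ports on host that replied SYN/ACK to the scanner, lowest first."""
    return sorted({p["sport"] for p in pkts if p["proto"] == IP_TCP and p["src"] == host
                   and p["dst"] == scanner and p["flags"] & SYNACK == SYNACK})

def guess_os_from_ttl(pkts, host):
    """Q5: heuristic only. Defaults: 64 (Linux/macOS/BSD), 128 (Windows), 255 (some network gear);
    each hop decrements by one, so bucket the largest TTL seen from the host by range."""
    ttls = [p["ttl"] for p in pkts if p["src"] == host]
    if not ttls:
        return "unknown"
    t = max(ttls)
    return "Unix-like (TTL<=64)" if t <= 64 else "Windows (TTL<=128)" if t <= 128 else "other (TTL<=255)"

if __name__ == "__main__":
    pkts = capture_records()
    scanner = find_scanner(pkts)
    print("scanner:", scanner, "| first scan:", classify_scan(pkts, scanner))
    for host in discovered_targets(pkts, scanner):
        print(host, guess_os_from_ttl(pkts, host), "open TCP:", open_tcp_ports(pkts, host, scanner))
```

The parsing is deliberately hand-rolled so the script runs with no tshark or scapy installed; to run it against the real contest capture, replace sample_capture() with the IP-layer bytes of each frame from any pcap reader and feed them through parse(). The OS guess is the weakest step: TTL defaults can be changed by the administrator, so treat it as a lead to confirm with SMB or HTTP banners rather than as a conclusion.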
