pacp包地址
https://www.malware-traffic-analysis.net/2014/12/15/2014-12-15-traffic-analysis-exercise.pcap.zip
问题与回答
BASIC QUESTIONS
-
What are the host names of the 3 Windows hosts from the pcap?
-
What is(are) the IP address(es) of the Windows host(s) that hit an exploit kit?
-
What is(are) the MAC address(es) of the Windows host(s) that hit an exploit kit?
过滤dhcp可以看到以上几个主机,再进行过滤查找
MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d
ROCKETMAN-PC - 192.168.204.139 - 00:0c:29:61:c1:89
WORKSTATION6 - 192.168.204.146 - 00:0c:29:fc:bc:2e
在追踪192.168.204.137访问了epzqy.iphaeba.eu:22780,这里面存在了swf文件,dump下来发现是swf的漏洞利用文件,因此判断192.168.204.137受到了攻击,MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d
-
What is(are) the domain name(s) of the compromised web site(s)?
-
What is(are) the IP address(es) of the compromised web site(s)?
通过info信息判断被攻陷的网站是域名是www.theopen.be,ip是213.186.33.19
-
What is(are) the domain name(s) for the exploit kit(s)?
-
What is(are) the IP address(es) for the exploit kit(s)?
根据问题2,3和导出的http对象可知,提供漏洞工具的域名和ip分别是epzqy.iphaeba.eu:22780 -和168.235.69.48
- Did any of these hosts get infected? If so, which host(s)?
MYHUMPS-PC被感染
EXTRA QUESTIONS
- What is(are) the exploit kit(s) noted in the pcap?
SWEET ORANGE EK
- What type of exploit was used by this(these) exploit kit(s)? (Flash, Java, IE, etc)
发现一个利用flash漏洞
dump出的sha1:965da0c6cdb44e29aedf8546884b509b7268912a
-
What URL(s) acted as a redirect between the compromised website(s) and the exploit kit?
-
What is(are) the IP address(es) of the redirect URL(s)?
追踪流查找,发现col.reganhosting.com/link中包含漏洞攻击网址,ip为185.14.30.113