Welcome! #
- LetsDefend is a Blue Team training platform.
- This is a writeup of a challenge on LetsDefend.
Challenge Details: #
- Role targeted: Security Analyst
- Skill Level: Easy
Description: #
Can you determine evidence of port scan activity?
Log file: /root/Desktop/ChallengeFile/port_scan.pcap
Note: the pcap file was found in public resources.
Lab Start: #
Wireshark: #
- Let’s go through each question one by one.
What is the IP address scanning the environment? #

- Filter:
tcp.flags == 0x002
- If we filter for packets with only the SYN flag set (0x002 is the SYN bit alone, so SYN/ACK replies do not match), one source stands out as the host sending bare SYNs to many different ports, and we quickly get the answer:
10.42.42.253
What is the IP address found as a result of the scan? #

- Filter:
tcp.flags.ack == 1 and tcp.flags.reset == 0 and ip.addr == 10.42.42.253
- If we filter only conversations involving the scanning computer where someone responded, and not with a reset (an RST/ACK means the port is closed, a SYN/ACK means it is open), we get the answer. Because the filter uses ip.addr, the scanner's own handshake ACKs also match, so look at the packets whose source is not 10.42.42.253:
10.42.42.50
What is the MAC address of the Apple system it finds? #

- Filter:
eth.src_resolved contains "Apple"
- If we filter on source MAC addresses and only include those that resolve to Apple, we get the answer. This relies on Wireshark's manufacturer (OUI) lookup; if MAC name resolution is disabled, filtering on the vendor prefix directly (eth.src[0:3] == 00:16:cb) finds the same frames:
00:16:cb:92:6e:dc
What is the IP address of the detected Windows system? #

- Filter:
ip.dst == 10.42.42.253 and ip.ttl == 128 and tcp.flags.reset == 0
- If we filter for computers talking back to the scanning computer, based on the IP packet time-to-live field being 128 (the default initial TTL on Windows; Linux and macOS default to 64), and ignore reset packets, we get the answer. This is only a heuristic: every router hop decrements the TTL, so an exact 128 is only expected from a host on the same network segment as the scanner. Here it is the same host the scan found:
10.42.42.50
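The four Wireshark filters above are each a small heuristic over packet fields. As an added example (not part of the challenge or the original writeup), the script below reimplements the same logic in Python over a constructed list of packet summaries, so it runs without the pcap. Only the scanner IP, the target IP and the Apple MAC are taken from the answers above; the other MAC addresses, the ports probed and the per-packet details are assumptions made up for the sample. It also adds one check a practitioner wants when using the "no reset" filter: a host that answers every probe with RST is still alive, even though that filter hides it.

```python
"""Port-scan triage heuristics, mirroring the four Wireshark filters in the writeup.

Added example, not part of the LetsDefend challenge: runs on a constructed list of
packet summaries, not on port_scan.pcap. Field names and all sample values other than
the addresses quoted in the writeup are assumptions.
"""
from collections import defaultdict

# TCP flag bits (same values Wireshark shows in tcp.flags)
FIN, SYN, RST, PSH, ACK = 0x001, 0x002, 0x004, 0x008, 0x010

# OUI prefixes treated as Apple. Wireshark resolves vendors from its manuf file;
# here we only use the prefix of the MAC from the writeup's answer (00:16:cb).
APPLE_OUIS = {"00:16:cb"}


def pkt(src_mac, src, dst, sport, dport, flags, ttl):
    """Build one packet summary (constructed data, not from the pcap)."""
    return {"src_mac": src_mac, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": flags, "ttl": ttl}


SCANNER_MAC = "00:0c:29:11:22:33"   # assumed
TARGET_MAC = "00:16:cb:92:6e:dc"    # Apple MAC from the writeup
OTHER_MAC = "00:50:56:aa:bb:cc"     # assumed

# Constructed capture: 10.42.42.253 sweeps 10.42.42.50 on 22/80/443/3389;
# 22 and 80 answer SYN/ACK, 443 and 3389 answer RST/ACK. A second host
# 10.42.42.60 (TTL 64) answers its single probe with RST/ACK only.
SAMPLE_PACKETS = [
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40001, 22, SYN, 64),
    pkt(TARGET_MAC, "10.42.42.50", "10.42.42.253", 22, 40001, SYN | ACK, 128),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40001, 22, RST, 64),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40002, 80, SYN, 64),
    pkt(TARGET_MAC, "10.42.42.50", "10.42.42.253", 80, 40002, SYN | ACK, 128),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40002, 80, RST, 64),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40003, 443, SYN, 64),
    pkt(TARGET_MAC, "10.42.42.50", "10.42.42.253", 443, 40003, RST | ACK, 128),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.50", 40004, 3389, SYN, 64),
    pkt(TARGET_MAC, "10.42.42.50", "10.42.42.253", 3389, 40004, RST | ACK, 128),
    pkt(SCANNER_MAC, "10.42.42.253", "10.42.42.60", 40005, 22, SYN, 64),
    pkt(OTHER_MAC, "10.42.42.60", "10.42.42.253", 22, 40005, RST | ACK, 64),
]


def find_scanner(packets, min_ports=3):
    """Q1: tcp.flags == 0x002. The source sending bare SYNs to the most distinct
    (dst, port) pairs is the scanner; min_ports guards against a normal client
    that merely opened a couple of connections."""
    targets = defaultdict(set)
    for p in packets:
        if p["flags"] == SYN:
            targets[p["src"]].add((p["dst"], p["dport"]))
    src, ports = max(targets.items(), key=lambda kv: len(kv[1]), default=(None, set()))
    return src if len(ports) >= min_ports else None


def find_responders(packets, scanner):
    """Q2: tcp.flags.ack == 1 and tcp.flags.reset == 0, restricted to traffic
    sent back to the scanner. Returns {ip: sorted list of open ports}."""
    found = defaultdict(set)
    for p in packets:
        if p["dst"] == scanner and p["flags"] & ACK and not p["flags"] & RST:
            found[p["src"]].add(p["sport"])
    return {ip: sorted(ports) for ip, ports in found.items()}


def find_apple_macs(packets):
    """Q3: eth.src_resolved contains "Apple", done by OUI prefix instead of
    Wireshark's manuf lookup."""
    return sorted({p["src_mac"] for p in packets if p["src_mac"][:8] in APPLE_OUIS})


def find_windows_hosts(packets, scanner):
    """Q4: ip.dst == scanner and ip.ttl == 128 and tcp.flags.reset == 0.
    TTL 128 is the Windows default and only holds on the local segment,
    since every router hop decrements it."""
    return sorted({p["src"] for p in packets
                   if p["dst"] == scanner and p["ttl"] == 128 and not p["flags"] & RST})


def rst_only_hosts(packets, scanner):
    """Caveat for Q2: hosts that only ever send RST are alive but hidden by that filter."""
    replied = defaultdict(set)
    for p in packets:
        if p["dst"] == scanner:
            replied[p["src"]].add(bool(p["flags"] & RST))
    return sorted(ip for ip, kinds in replied.items() if kinds == {True})


if __name__ == "__main__":
    scanner = find_scanner(SAMPLE_PACKETS)
    print("scanner:", scanner)
    print("responders (open ports):", find_responders(SAMPLE_PACKETS, scanner))
    print("apple macs:", find_apple_macs(SAMPLE_PACKETS))
    print("windows hosts (TTL 128):", find_windows_hosts(SAMPLE_PACKETS, scanner))
    print("rst-only hosts:", rst_only_hosts(SAMPLE_PACKETS, scanner))
```

To run the same heuristics on the real capture, the packet summaries would be produced by a pcap reader (for instance scapy or tshark -T fields); the functions themselves only need the seven fields in the sample dictionaries.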