https://cyberdefenders.org/labs/45

Description

A PCAP analysis exercise highlighting an attacker's interactions with honeypots and how automatic exploitation works. (Note that the IP address of the victim has been changed to hide the true location.)

Tools

Questions

1. What is the attacker's IP address?

Let's start by opening the .pcap in Wireshark and checking the Endpoints from the Statistics menu.


There are only two: presumably one is the attacker and the other is the target. This is easy, as the challenge gives us a couple of the digits of the IP. Without this, we would need to look a bit deeper, but as we investigate further, it's still easy to determine.

98.114.205.102

2. What is the target's IP address?

This will be the other one.

192.150.11.111
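The endpoint check from questions 1 and 2 can also be scripted. The following is an added example, not part of the original write-up: it tallies IPv4 endpoints in a classic Ethernet pcap and, as a heuristic for telling the two hosts apart without the hint, records which host sends the initial SYN (SYN set, ACK clear). The function names, ports and the three-packet capture are constructed for illustration; only the two addresses come from the answers above.

```python
import struct
from collections import Counter

def ip_endpoints(pcap_bytes):
    """Return (packets seen per IPv4 address, hosts that sent an initial SYN)."""
    magic = pcap_bytes[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic microsecond pcap file")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    packets, initiators = Counter(), Counter()
    offset = 24                                   # skip the global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # truncated or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        packets.update([src, dst])
        if ip[9] == 6 and len(ip) >= ihl + 14:    # protocol 6 = TCP
            if ip[ihl + 13] & 0x12 == 0x02:       # SYN without ACK
                initiators[src] += 1
    return packets, initiators

def _frame(src, dst, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload."""
    addr = lambda a: bytes(map(int, a.split(".")))
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 8080, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def sample_pcap():
    """Constructed capture: one TCP handshake (SYN, SYN/ACK, ACK)."""
    a, t = "98.114.205.102", "192.150.11.111"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(a, t, 0x02), _frame(t, a, 0x12), _frame(a, t, 0x10)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(ip_endpoints(sample_pcap()))
```

To run it on the lab capture, pass the file's bytes to `ip_endpoints`; captures saved as pcapng need converting to classic pcap first.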

3. Provide the country code for the attacker's IP address (a.k.a geo-location).