https://blueteamlabs.online/home/challenge/12

Introduction

The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.

Questions

What is the IP responsible for conducting the port scan activity?

Having a quick look down the packets, there are a huge number of grey and red lines (the colouring is set by Wireshark's Coloring Rules... in the View menu; the defaults paint SYN/FIN packets grey and RST packets red). These are SYN and RST, ACK packets. A normal connection would also show a SYN, ACK followed by an ACK to complete the three-way handshake, but these pairs never get that far: a SYN goes out and a RST, ACK comes straight back.

We can filter just for these:

tcp.flags==0x002 || tcp.flags==0x014

(I found these values by looking within the Packet Details box, under Transmission Control Protocol, then Flags. 0x002 is the SYN bit on its own; 0x014 is ACK (0x010) plus RST (0x004) together.)

The SYN packets are all from 10.251.96.4 to 10.251.96.5, and the RST, ACK in the reverse direction.

So 10.251.96.4 is doing the scanning.

What is the port range scanned by the suspicious host?

Let's filter just for these scan packets:

ip.src==10.251.96.4 && tcp.flags==0x002

This gives us the scan (grey lines), followed by some green lines (Wireshark's HTTP colouring). Those are SYNs to TCP port 80 and presumably the connection(s) made once the scan had completed.

Select a packet and, in the Packet Details box, expand Transmission Control Protocol, right click on Destination Port, then Apply as Column. Clicking the header of this new column sorts the packet list by destination port.

The lowest destination port is 1 and the highest is 1024, so the range scanned is 1 to 1024.
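The same two answers can be pulled out of the capture with a script instead of clicking through Wireshark. The Python below is an added example written for this walkthrough, not the challenge's or its author's own code. It parses a classic (microsecond, Ethernet link-type) pcap with only the standard library, tallies lone SYN (0x002) and RST, ACK (0x014) packets per source IP and the destination ports each source probed, and splits the probed ports into open (answered with SYN, ACK) and closed (answered with RST, ACK). The capture it analyses by default is constructed inline to resemble the challenge: 10.251.96.4 sending SYNs to 10.251.96.5 on ports 1 to 1024, then one real connection to port 80 after the scan. The frame layout, source ports, the open port 80 and all function names are assumptions; pass the path to a real pcap as the first argument to run it on the challenge file.

```python
import socket
import struct
from collections import Counter, defaultdict

# TCP flag values exactly as Wireshark's tcp.flags field displays them
SYN, SYN_ACK, ACK, RST, RST_ACK = 0x002, 0x012, 0x010, 0x004, 0x014


def tcp_packets(pcap):
    """Yield (src, dst, sport, dport, flags) for every Ethernet/IPv4/TCP frame.
    Assumption: classic pcap (not pcapng), link-type Ethernet, no VLAN/IPv6."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte-swapped magic => big-endian
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
        if frame[23] != 6:                                    # IP protocol 6 = TCP
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = struct.unpack_from("!H", tcp, 12)[0] & 0x1FF  # low 9 bits: NS..FIN
        yield src, dst, sport, dport, flags


def analyse(pcap):
    """Attribute the scan by flag pattern: who sends bare SYNs, who answers
    RST/ACK, which probed ports answered SYN/ACK (open) or RST/ACK (closed)."""
    syn_by_src, rst_ack_by_src = Counter(), Counter()
    probed = defaultdict(set)                      # src -> dports it sent a bare SYN to
    open_ports, closed_ports = defaultdict(set), defaultdict(set)   # keyed by responder
    for src, dst, sport, dport, flags in tcp_packets(pcap):
        if flags == SYN:
            syn_by_src[src] += 1
            probed[src].add(dport)
        elif flags == SYN_ACK:
            open_ports[src].add(sport)             # responder's own port is listening
        elif flags == RST_ACK:
            rst_ack_by_src[src] += 1
            closed_ports[src].add(sport)
    scanner = syn_by_src.most_common(1)[0][0]      # the source with the most bare SYNs
    ports = sorted(probed[scanner])
    return {
        "scanner": scanner, "syn_count": syn_by_src[scanner],
        "port_min": ports[0], "port_max": ports[-1], "distinct_ports": len(ports),
        "rst_ack_by_src": dict(rst_ack_by_src),
        "open_ports": {t: sorted(p) for t, p in open_ports.items()},
        "closed_port_count": {t: len(p) for t, p in closed_ports.items()},
    }


def _frame(src, dst, sport, dport, flags):
    """Header-only Ethernet + IPv4 + TCP frame; checksums left at 0 (constructed)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap, link-type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SCANNER, TARGET = "10.251.96.4", "10.251.96.5"   # hosts from the challenge


def sample_pcap():
    """Constructed capture: SYN to ports 1-1024, RST/ACK back for all but port 80
    (SYN/ACK, then scanner RST), then one completed handshake to port 80."""
    frames = []
    for port in range(1, 1025):
        frames.append(_frame(SCANNER, TARGET, 40000 + port, port, SYN))
        if port == 80:   # assumed open port
            frames.append(_frame(TARGET, SCANNER, 80, 40080, SYN_ACK))
            frames.append(_frame(SCANNER, TARGET, 40080, 80, RST))
        else:
            frames.append(_frame(TARGET, SCANNER, port, 40000 + port, RST_ACK))
    frames += [_frame(SCANNER, TARGET, 50000, 80, SYN),
               _frame(TARGET, SCANNER, 80, 50000, SYN_ACK),
               _frame(SCANNER, TARGET, 50000, 80, ACK)]
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for key, value in analyse(data).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed case (scanner 10.251.96.4, ports 1 to 1024, 1023 RST, ACK replies from 10.251.96.5, port 80 open), or `python3 scan_triage.py capture.pcap` against the challenge file. Picking the scanner as the source with the most bare SYNs works because a scanner's SYNs dwarf its completed connections; the open/closed split is the same information Wireshark gives you by filtering on `tcp.flags==0x012` and `tcp.flags==0x014` and reading the source port.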

What is the type of port scan conducted?