https://blueteamlabs.online/home/challenge/12
The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.
Having a quick look down the packets, there are a huge number of grey and red lines (the colouring is determined by Wireshark's Coloring Rules... under the View menu). These are SYN and RST, ACK packets. For a normal connection there would be SYN, ACK and ACK packets too, but these exchanges never get that far: the SYN is answered straight away with RST, ACK.
We can filter just for these:
tcp.flags==0x002 || tcp.flags==0x014
(I found these flag values by looking within the Packet Details box, under Transmission Control Protocol, then Flags.)
The SYN packets are all from 10.251.96.4 to 10.251.96.5, and the RST, ACK packets go in the reverse direction.
So 10.251.96.4 is doing the scanning.
Let's filter just for these scan packets:
ip.src==10.251.96.4 && tcp.flags==0x002
This gives us the scan (grey lines), followed by some green lines. The green ones are to TCP port 80 and are presumably the connection(s) made after the scan was complete.
Select a packet and, in the Packet Details box, expand Transmission Control Protocol, right click on Destination Port, then choose Apply as Column. Clicking the header of this new column sorts the packets by destination port.
The first (lowest) destination port is 1, and the last (highest) is 1024.
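The same triage done by hand above (spot the SYN / RST, ACK pairs, work out who is scanning whom, the port range, and which ports actually answered) can be scripted. This is an added example, not part of the original writeup: it assumes the packets have already been exported from the PCAP as (src, dst, sport, dport, flags) tuples, for instance with tshark, and the sample traffic below is constructed to mirror the challenge (the second host 10.251.96.7 is made up).

```python
"""Flag-based SYN-scan triage over TCP packet summaries.

Each record is (src, dst, sport, dport, flags); flags is the raw TCP flag
value as Wireshark displays it: 0x002 = SYN, 0x012 = SYN/ACK,
0x014 = RST/ACK, 0x010 = ACK.
"""
from collections import defaultdict

SYN, ACK, SYN_ACK, RST_ACK = 0x002, 0x010, 0x012, 0x014


def triage(records, min_ports=20):
    """Return one finding per (scanner, target) pair that received SYNs on
    at least min_ports distinct ports, with the probed range, how many
    ports refused with RST/ACK and which ports answered SYN/ACK (open)."""
    probes = defaultdict(set)    # (scanner, target) -> ports that got a SYN
    answered = defaultdict(set)  # (scanner, target) -> ports replying SYN/ACK
    refused = defaultdict(set)   # (scanner, target) -> ports replying RST/ACK
    for src, dst, sport, dport, flags in records:
        if flags == SYN:
            probes[(src, dst)].add(dport)
        elif flags == SYN_ACK:      # reply: target is src, probed port is sport
            answered[(dst, src)].add(sport)
        elif flags == RST_ACK:
            refused[(dst, src)].add(sport)
    findings = []
    for (scanner, target), ports in probes.items():
        if len(ports) < min_ports:
            continue                # ordinary client, not a sweep
        findings.append({
            "scanner": scanner, "target": target,
            "ports_probed": len(ports),
            "port_range": (min(ports), max(ports)),
            "refused": len(refused[(scanner, target)] & ports),
            "open": sorted(answered[(scanner, target)] & ports),
        })
    return findings


def sample_traffic():
    """Constructed packets: a SYN sweep of ports 1-1024 from 10.251.96.4 to
    10.251.96.5 where only port 80 answers SYN/ACK, plus one ordinary
    handshake from a hypothetical third host so it is not flagged."""
    pkts = []
    for port in range(1, 1025):
        pkts.append(("10.251.96.4", "10.251.96.5", 40000 + port, port, SYN))
        reply = SYN_ACK if port == 80 else RST_ACK
        pkts.append(("10.251.96.5", "10.251.96.4", port, 40000 + port, reply))
    pkts += [("10.251.96.7", "10.251.96.5", 51000, 443, SYN),
             ("10.251.96.5", "10.251.96.7", 443, 51000, SYN_ACK),
             ("10.251.96.7", "10.251.96.5", 51000, 443, ACK)]
    return pkts
```

Running triage(sample_traffic()) yields a single finding naming 10.251.96.4 as the scanner of 10.251.96.5, range 1 to 1024, 1023 refused and only port 80 open, matching what the Wireshark filters showed.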