2015-01-09 - TRAFFIC ANALYSIS EXERCISE: WINDOWS USER VIEWS A WEBSITE AND GETS EXPLOIT KIT (EK) TRAFFIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
PCAP AND ANSWERS:
- 2015-01-09-traffic-analysis-exercise.pcap.zip 357.5 kB (357,529 bytes)
- 2015-01-09-traffic-analysis-exercise-answers.pdf.zip 909.4 kB (909,384 bytes)
NOTES:
- This exercise was meant to be a regular blog entry, so the pcap only includes the exploit kit traffic and the chain of events leading to it.
SCENARIO
A Windows host visits a website that kicks off a chain of events leading to an exploit kit.
QUESTIONS
BASIC QUESTIONS:
1) What is the date and time of this activity?
2) What is the IP address and MAC address for the Windows host that hit the exploit kit?
3) What is the domain name and IP address of the compromised website?
4) What is the domain name and IP address for the exploit kit?
5) What web browser is the Windows host using?
EXTRA QUESTIONS:
1) What is the exploit kit?
2) What type of exploits were sent by this exploit kit? (Flash, IE, Java, Silverlight, etc.)
3) Which HTTP request returned a redirect to the exploit kit?
4) In Wireshark, which tcp.stream contains the malware payload?
5) What Snort events (Emerging Threats or VRT/Talos) are generated by this traffic?
6) What version of Flash Player is the Windows host using?