2015-10-13 - TRAFFIC ANALYSIS EXERCISE - ANSWERS

ASSOCIATED FILES:

ZIP files on this site are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.


ANSWERS FROM OTHERS

Links to write-ups below have answers which are a good supplement to this exercise.  I always appreciate people making the extra effort to post their work on these exercises!


ANSWERS FROM ME


DETAILS

I ran the first pcap through Security Onion using tcpreplay and got the following alerts:


A quick way to get an idea of the IP addresses involved is to use the following filter in Wireshark:


I ran the second pcap through Security Onion using tcpreplay and got the following alerts:


Nothing other than HTTP traffic after the EK activity...


Below you can see the gate redirecting from the compromised website to the Nuclear EK landing page:
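The Wireshark filter for the IP addresses involved and the gate-to-landing-page redirect are shown on the original page as screenshots, which are not reproduced here. The following Python script is an added example, not the author's filter and not built from the exercise pcap: it walks a libpcap file, counts packets per IP pair (the "who talked to whom" view a display filter gives you), pulls Host and Referer out of each HTTP request, and chains the requests by Referer so the compromised site, the gate, and the EK landing page line up in order. The pcap, hostnames (*.example) and IP addresses in it are constructed for illustration.

```python
"""Minimal pcap walker: lists IPv4 conversations and chains HTTP requests by
Referer. Added example, not the exercise author's Wireshark filter; the pcap,
hostnames and IP addresses below are constructed for illustration."""
import struct
from collections import Counter


def _ipv4_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame around `payload` (checksums left at
    zero, which is fine for an offline parsing demo but not for replay)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcap(frames):
    """Wrap raw frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1444700000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, tcp_payload) for each IPv4/TCP frame."""
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":                    # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                 # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def ip_conversations(pcap_bytes):
    """Count packets per unordered IP pair: the quick 'who talked to whom' view."""
    counts = Counter()
    for src, dst, *_ in iter_packets(pcap_bytes):
        counts[tuple(sorted((src, dst)))] += 1
    return counts


def http_requests(pcap_bytes):
    """Extract (host, path, referer_host) from each plain-HTTP request payload."""
    reqs = []
    for _, _, _, dport, payload in iter_packets(pcap_bytes):
        if dport != 80 or not payload.startswith((b"GET ", b"POST ")):
            continue
        lines = payload.decode("ascii", "replace").split("\r\n")
        path = lines[0].split(" ")[1]
        hdrs = {}
        for line in lines[1:]:
            if ":" in line:
                key, value = line.split(":", 1)
                hdrs[key.strip().lower()] = value.strip()
        ref = hdrs.get("referer")
        ref_host = ref.split("/")[2] if ref and "//" in ref else None
        reqs.append((hdrs.get("host"), path, ref_host))
    return reqs


def redirect_chain(pcap_bytes):
    """Follow Referer links from the first request: site -> gate -> landing page."""
    reqs = http_requests(pcap_bytes)
    if not reqs:
        return []
    chain = [reqs[0][0]]
    for host, _, ref_host in reqs[1:]:
        if ref_host == chain[-1] and host != chain[-1]:
            chain.append(host)
    return chain


# Constructed traffic: the victim browses a compromised site, which pulls a gate
# script, which in turn sends the browser to the EK landing page.
SAMPLE_PCAP = build_sample_pcap([
    _ipv4_tcp_frame("192.168.1.10", "203.0.113.5", 49152, 80,
                    b"GET /index.html HTTP/1.1\r\nHost: compromised.example\r\n\r\n"),
    _ipv4_tcp_frame("192.168.1.10", "203.0.113.77", 49153, 80,
                    b"GET /gate.js HTTP/1.1\r\nHost: gate.example\r\n"
                    b"Referer: http://compromised.example/index.html\r\n\r\n"),
    _ipv4_tcp_frame("192.168.1.10", "198.51.100.9", 49154, 80,
                    b"GET /landing HTTP/1.1\r\nHost: landing.example\r\n"
                    b"Referer: http://gate.example/gate.js\r\n\r\n"),
])

if __name__ == "__main__":
    for pair, n in ip_conversations(SAMPLE_PCAP).most_common():
        print(f"{pair[0]} <-> {pair[1]}: {n} packet(s)")
    print(" -> ".join(redirect_chain(SAMPLE_PCAP)))
```

To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of a `.pcap` file (classic libpcap format, Ethernet link type); pcapng and 802.1Q-tagged frames are not handled. Requests split across several TCP segments will only be seen if the request line and headers fall in the first segment, which is the normal case for the short GETs a gate redirect produces.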


FINAL WORDS

As always, thanks to anyone who's followed along.  I hope this has helped!
