2018-12-18 - TRAFFIC ANALYSIS EXERCISE - EGGNOG SOUP
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-12-18-traffic-analysis-exercise.pcap.zip 35.7 MB (35,659,096 bytes)
NOTES:
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Shown above: I used Eggnogsoup.com as a joke when I created the domain for this exercise's Active Directory environment. I did not realize "eggnog soup" is a real thing.
Shown above: When cooking up an exercise like this, I add a few Windows hosts and a scoop of non-Windows hosts to the mix.
SCENARIO
LAN segment data:
- LAN segment range: 172.16.3[.]0/24 (172.16.3[.]0 through 172.16.3[.]255)
- Domain: eggnogsoup[.]com
- Domain controller: 172.16.3[.]2 - EggNogSoup-DC
- LAN segment gateway: 172.16.3[.]1
- LAN segment broadcast address: 172.16.3[.]255
YOUR TASK
Answer the following questions:
- How many hosts besides the Domain Controller at 172.16.3[.]2 are active on the network?
- List the IP addresses for the hosts found when investigating the previous question.
- Which IP address represents a host running Ubuntu?
- What type of host is using IP address 172.16.3[.]188?
- Which IP address is most likely an Amazon Fire tablet?
- Which three IP addresses represent Windows hosts that connect to the domain controller at 172.16.3[.]2?
- Which of the three Windows hosts shows indications of an infection with Emotet and IcedID banking Trojan (Bokbot)?
- Which IP address is a host running Android 8.0.0?
- What is the brand and model of the phone running Android 8.0.0?
- What is the brand and type of device on 172.16.3[.]112?
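The first two questions come down to enumerating which addresses inside 172.16.3[.]0/24 actually transmitted packets, minus the gateway, domain controller and broadcast address given in the scenario. The Python script below is an added example for this page, not part of the original exercise, its pcap or its answer key: using only the standard library, it reads a classic libpcap file, walks the Ethernet (optionally 802.1Q-tagged) and IPv4 headers, and reports the LAN hosts that appear as packet sources. The capture it parses is a small one constructed in memory, so every address in it is made up and says nothing about the real exercise capture; to use it on the exercise pcap, pass that file's bytes to active_hosts instead.

```python
import ipaddress
import struct

# Scenario values from the exercise page: the LAN segment and the three
# infrastructure addresses that are not counted as "hosts".
LAN = ipaddress.ip_network("172.16.3.0/24")
INFRA = {"172.16.3.1", "172.16.3.2", "172.16.3.255"}  # gateway, DC, broadcast


def build_pcap(flows):
    """Constructed sample data: build a tiny little-endian libpcap file
    (link type 1 = Ethernet) with one empty-payload IPv4/UDP packet per
    (src, dst) pair. This is test scaffolding, not the exercise pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, dst in flows:
        ip_hdr = struct.pack(
            "!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
            ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00" + ip_hdr
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_ipv4(pcap_bytes):
    """Yield (src, dst) IPv4Address pairs for every IPv4 frame in a
    classic pcap (not pcapng). Handles both byte orders and one VLAN tag."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    link_type = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 14:
            continue
        l3 = 14
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
            ethertype = struct.unpack("!H", frame[16:18])[0]
            l3 = 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue
        src = ipaddress.ip_address(frame[l3 + 12:l3 + 16])
        dst = ipaddress.ip_address(frame[l3 + 16:l3 + 20])
        yield src, dst


def active_hosts(pcap_bytes):
    """Return the sorted LAN addresses that sent at least one IPv4 packet,
    excluding gateway, DC and broadcast. Only source addresses count: an
    address that is merely a destination may just be scan noise."""
    seen = set()
    for src, _dst in iter_ipv4(pcap_bytes):
        if src in LAN and str(src) not in INFRA:
            seen.add(str(src))
    return sorted(seen, key=ipaddress.ip_address)


# Constructed flows (made-up addresses, not from the exercise capture).
SAMPLE = build_pcap([
    ("172.16.3.2", "172.16.3.60"),     # DC replying: DC is excluded
    ("172.16.3.60", "172.16.3.2"),     # workstation talking to the DC
    ("172.16.3.71", "8.8.8.8"),        # host going to the internet
    ("172.16.3.71", "172.16.3.255"),   # broadcast destination
    ("172.16.3.1", "172.16.3.60"),     # gateway: excluded
    ("10.0.0.5", "172.16.3.60"),       # outside the segment: ignored
    ("172.16.3.112", "172.16.3.2"),    # another workstation
])

if __name__ == "__main__":
    hosts = active_hosts(SAMPLE)
    print(f"{len(hosts)} active hosts besides infrastructure: {hosts}")
```

For the real exercise, replace SAMPLE with open("2018-12-18-traffic-analysis-exercise.pcap", "rb").read(); the source-address rule is deliberately conservative, so cross-check the result against DHCP, NBNS and Kerberos traffic before treating the count as final.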
ANSWERS
- Click here for the answers.