TWO PCAPS I PROVIDED FOR UA-CTF IN NOVEMBER 2018

ASSOCIATED FILES:

• 2018-CTF-from-malware-traffic-analysis.net-1-of-2.pcap.zip   477 kB (477,445 bytes)
• 2018-CTF-from-malware-traffic-analysis.net-2-of-2.pcap.zip   6.2 MB (6,246,022 bytes)

NOTES:

• This is not a standard exercise where the answers are explained--consider this bonus material for people who've done the normal exercises and want more practice.
• I provided these two pcaps for a CTF event, where I also several suggested tasks (and my answers) for the organizers to choose from.
• After the event was completed, I was told I can make these public, so here they are!
• Zip archives are password-protected with the standard password.  If you don't know it, see the "about" page of this website.

 

BACKGROUND

After I provided two pcaps as part of a Capture The Flag (CTF) competition for UISGCON14 in October 2018 (link), I had the privilege of providing two pcaps for a UA-CTF event in November 2018.  This event happened in Kyiv Ukraine on 2018-11-16 through 17, and more than 30 students participated.

 

 

See below for more information about this event

• Tweet about the event
• Facebook page for the event (text in Ukrainian)
• News article in Ukrainian discussing the event
• Same link as above, but translated to English through Google Translate

I'm told this material can go public now.  Like last time, these pcaps contain activity I routinely post about here at malware-traffic-analysis.net, so it shouldn't be a big challenge for anyone who follows this blog.  But keep in mind the answers do not provide any details or explanations.

 

DETAILS

FIRST PCAP:  2018-CTF-from-malware-traffic-analysis.net-1-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• LAN segment: 192.168.2.0/24 (192.168.2.0 through 192.168.2.255)
• Domain: dnipromotors.com
• Domain controller: 192.168.2.4 - Dnipromotors-DC
• LAN segment gateway: 192.168.2.1
• LAN segment broadcast address: 192.168.2.255
• Windows client to investigate: 192.168.2.147

TASKS I SUGGESTED:

• What is the MAC address of the Windows client at 192.168.2.147?
• What is the host name for the Windows client at 192.168.2.147?
• Based on the Kerberos traffic, what is the Windows user account name used on 192.168.2.147?
• What is the URL that returned a Windows executable file?
• When did the URL happen? (date and time in UTC)
• How many bytes is the Windows executable file returned from that URL?
• What is the SHA256 file hash of the Windows executable file returned from that URL?
• After receiving the Windows executable file, what IP address did the infected Windows host try to establish a TCP connection with?

 

SECOND PCAP:  2018-CTF-from-malware-traffic-analysis.net-2-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• LAN segment: 172.17.1.0/24 (172.17.1.0 through 172.17.1.255)
• Domain: kyivartworks.com
• Domain controller: 172.17.1.2 - Kyivartworks-DC
• LAN segment gateway: 172.17.1.1
• LAN segment broadcast address: 172.17.1.255
• Windows client to investigate: 172.17.1.129

TASKS I SUGGESTED:

• What is the MAC address of the Windows client at 172.17.1.129?
• What is the host name for the Windows client at 172.17.1.129?
• Based on the Kerberos traffic, what is the Windows user account name used on 172.17.1.129?
• What URL in the pcap returned a Microsoft Word document?
• When did the URL happen? (date and time in UTC)
• How many bytes is the Word document returned from that URL?
• What is the SHA256 of the Word document returned from that URL?
• What URL in the pcap returned a Windows executable file?
• How many bytes is the Windows executable file returned from that URL?
• What is the SHA256 of the Windows executable file returned from that URL?
• What type of infection occurred in this pcap?
• In addition to HTTP post-infection traffic, what other type of post-infection traffic is generated by the infected Windows host?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.