Malicious traffic exercise: 2014-12-15-traffic-analysis-exercise

pcap file

https://www.malware-traffic-analysis.net/2014/12/15/2014-12-15-traffic-analysis-exercise.pcap.zip

Questions and answers

BASIC QUESTIONS

  1. What are the host names of the 3 Windows hosts from the pcap?

  2. What is(are) the IP address(es) of the Windows host(s) that hit an exploit kit?

  3. What is(are) the MAC address(es) of the Windows host(s) that hit an exploit kit?


Filtering on DHCP (display filter dhcp, or bootp in Wireshark before 3.0) shows the three hosts below; host name, IP and MAC all come from the DHCP Request/ACK exchanges. The per-host traffic is then found by filtering on each address.

MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d
ROCKETMAN-PC - 192.168.204.139 - 00:0c:29:61:c1:89
WORKSTATION6 - 192.168.204.146 - 00:0c:29:fc:bc:2e
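The same DHCP lookup can be scripted instead of clicked through in Wireshark. The following is an added example, not part of the original write-up, using only the Python standard library: it walks a classic pcap, picks out DHCP traffic (UDP 67/68 with the BOOTP magic cookie), and reports host name (option 12), IP (option 50 on a new-lease Request, ciaddr on a renewal, yiaddr on the ACK) and the client MAC from chaddr. The three DHCP Request frames it parses are constructed inline from the values listed above, not copied from the exercise pcap, so it runs offline; the constructed xid, timestamps and zeroed checksums are assumptions.

```python
"""Pull host name, IP and MAC for each Windows host out of DHCP traffic.

Added example, standard library only. The three DHCP Request frames below
are constructed from the values listed in the write-up; they are not frames
copied from the exercise pcap.
"""
import socket
import struct
from typing import Dict, Iterator, List, Tuple

DHCP_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 12, 50, 53, 255


def build_dhcp_request(mac: bytes, hostname: str, req_ip: str) -> bytes:
    """Ethernet/IPv4/UDP/BOOTP DHCP Request (constructed sample; IP/UDP checksums left 0)."""
    options = (
        bytes([OPT_MSG_TYPE, 1, 3])                                  # 53: DHCP Request
        + bytes([OPT_REQUESTED_IP, 4]) + socket.inet_aton(req_ip)    # 50: Requested IP
        + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()   # 12: Host Name
        + bytes([OPT_END])
    )
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x1337BEEF, 0, 0x8000,                       # xid (made up), secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    ) + DHCP_COOKIE + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + mac + b"\x08\x00" + ip


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a little-endian classic pcap (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1418601600 + i, 0, len(frame), len(frame)) + frame
    return out


def pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield each captured frame from a classic pcap in either byte order (pcapng not handled)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_options(buf: bytes) -> Dict[int, bytes]:
    """DHCP TLV options; pad (0) has no length byte, end (255) stops parsing."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_hosts(pcap: bytes) -> List[Tuple[str, str, str]]:
    """(hostname, ip, mac) per client seen in DHCP Request/ACK, in first-seen order."""
    hosts: Dict[str, Dict[str, str]] = {}
    for frame in pcap_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:  # IPv4 + UDP only
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if set(struct.unpack_from("!HH", udp)) != {67, 68}:
            continue
        bootp = udp[8:]
        if len(bootp) < 240 or bootp[236:240] != DHCP_COOKIE:
            continue
        mac = ":".join(f"{b:02x}" for b in bootp[28:34])          # chaddr
        opts = parse_options(bootp[240:])
        entry = hosts.setdefault(mac, {"hostname": "", "ip": ""})
        if OPT_HOSTNAME in opts:
            entry["hostname"] = opts[OPT_HOSTNAME].decode("latin-1")
        msg_type = opts.get(OPT_MSG_TYPE)
        if msg_type == b"\x05":                                   # ACK: yiaddr is authoritative
            entry["ip"] = socket.inet_ntoa(bootp[16:20])
        elif msg_type == b"\x03":                                 # Request: option 50, else ciaddr (renewal)
            if OPT_REQUESTED_IP in opts:
                entry["ip"] = socket.inet_ntoa(opts[OPT_REQUESTED_IP])
            elif bootp[12:16] != b"\0" * 4:
                entry["ip"] = socket.inet_ntoa(bootp[12:16])
    return [(e["hostname"], e["ip"], mac) for mac, e in hosts.items()]


# Constructed sample capture built from the three hosts the write-up found.
SAMPLE_PCAP = build_pcap([
    build_dhcp_request(bytes.fromhex("000c299db86d"), "MYHUMPS-PC", "192.168.204.137"),
    build_dhcp_request(bytes.fromhex("000c2961c189"), "ROCKETMAN-PC", "192.168.204.139"),
    build_dhcp_request(bytes.fromhex("000c29fcbc2e"), "WORKSTATION6", "192.168.204.146"),
])

if __name__ == "__main__":
    for hostname, ip, mac in dhcp_hosts(SAMPLE_PCAP):
        print(f"{hostname} - {ip} - {mac}")
```

To run it on the real capture, pass the file contents instead of SAMPLE_PCAP: dhcp_hosts(open("2014-12-15-traffic-analysis-exercise.pcap", "rb").read()). The equivalent tshark one-liner is tshark -r file.pcap -Y dhcp -T fields -e dhcp.option.hostname -e dhcp.option.requested_ip_address -e dhcp.hw.mac_addr (bootp.* field names before Wireshark 3.0). Either way, prefer the ACK's yiaddr over the client's requested address when both are present: the server, not the client, decides the lease.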


Following the streams for 192.168.204.137 shows it contacting epzqy.iphaeba.eu:22780, which served an SWF file; dumping that file shows it is an SWF exploit, so 192.168.204.137 is the host that hit the exploit kit: MYHUMPS-PC - 192.168.204.137 - 00:0c:29:9d:b8:6d

  1. What is(are) the domain name(s) of the compromised web site(s)?

  2. What is(are) the IP address(es) of the compromised web site(s)?


From the Info column of the HTTP requests, the compromised website is www.theopen.be, at 213.186.33.19.

  1. What is(are) the domain name(s) for the exploit kit(s)?

  2. What is(are) the IP address(es) for the exploit kit(s)?


From questions 2 and 3 and the exported HTTP objects, the exploit kit was served from epzqy.iphaeba.eu:22780 at 168.235.69.48. The domain name is epzqy.iphaeba.eu; 22780 is the non-standard TCP port the landing page and exploit were served on.

  1. Did any of these hosts get infected? If so, which host(s)?

MYHUMPS-PC was infected.

EXTRA QUESTIONS

  1. What is(are) the exploit kit(s) noted in the pcap?

SWEET ORANGE EK

  1. What type of exploit was used by this(these) exploit kit(s)? (Flash, Java, IE, etc)

A Flash exploit: the SWF file served from the exploit kit domain.

SHA1 of the dumped SWF: 965da0c6cdb44e29aedf8546884b509b7268912a

  1. What URL(s) acted as a redirect between the compromised website(s) and the exploit kit?

  2. What is(are) the IP address(es) of the redirect URL(s)?


Following the streams shows that the page returned by col.reganhosting.com/link contains the exploit kit URL, so that is the redirect between the compromised site and the exploit kit; its IP is 185.14.30.113.
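Both the SWF dump and hash (extra question 2) and the redirect chain (extra questions 3 and 4) can be done in code once the TCP streams are reassembled. The following is an added example, not code from the write-up: it takes reassembled HTTP request/response pairs (the shape Follow TCP Stream or Export Objects gives you), identifies an SWF by its magic bytes (FWS/CWS/ZWS) rather than the Content-Type header, which exploit kits routinely mislabel, hashes the body with SHA1, and walks Referer headers (or a 30x Location pointing at the next hop) backwards from the exploit kit URL to the compromised site. The three transactions are constructed to mirror the chain found above; the exploit kit path /landing, the page bodies and the SWF bytes are made up, so the SHA1 it prints is not the 965da0... value from the real capture.

```python
"""Find the SWF in reassembled HTTP streams, hash it, and rebuild the redirect chain.

Added example, not code from the write-up. SAMPLE_STREAMS is constructed to
mirror the chain the write-up found; the EK path "/landing" and all bodies
are invented.
"""
import hashlib
from typing import Dict, List, Optional

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA SWF headers


def _headers(lines: List[str]) -> Dict[str, str]:
    """Lower-cased header dict from 'Name: value' lines."""
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in lines if ":" in line)}


def parse_request(raw: bytes) -> Dict[str, Optional[str]]:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, target, _ = head[0].split(" ", 2)
    h = _headers(head[1:])
    return {"method": method, "url": f"http://{h.get('host', '')}{target}",
            "referer": h.get("referer")}


def parse_response(raw: bytes) -> Dict[str, object]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    h = _headers(lines[1:])
    body = body[:int(h.get("content-length", len(body)))]   # trust Content-Length, drop trailing junk
    return {"status": int(lines[0].split(" ")[1]), "headers": h, "body": body}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def http_objects(streams) -> List[Dict[str, object]]:
    """One record per transaction: who fetched what, from where, and whether the body is an SWF."""
    objs = []
    for client, server, req_raw, resp_raw in streams:
        req, resp = parse_request(req_raw), parse_response(resp_raw)
        body = resp["body"]
        objs.append({
            "client": client, "server": server,
            "url": req["url"], "referer": req["referer"],
            "status": resp["status"], "location": resp["headers"].get("location"),
            "content_type": resp["headers"].get("content-type", ""),
            "is_swf": body[:3] in SWF_MAGIC,          # magic bytes, not the Content-Type header
            "sha1": sha1_hex(body) if body else None,
        })
    return objs


def redirect_chain(objs: List[Dict[str, object]], final_url: str) -> List[str]:
    """Walk back from final_url via Referer, or via a 30x whose Location pointed at it."""
    by_url = {o["url"]: o for o in objs}
    chain, cur = [final_url], final_url
    while cur in by_url and len(chain) < 32:
        prev = by_url[cur]["referer"] or next(
            (o["url"] for o in objs if o["location"] == cur), None)
        if prev is None or prev in chain:
            break
        chain.append(prev)
        cur = prev
    return chain[::-1]


def _resp(status: int, ctype: str, body: bytes) -> bytes:
    return (f"HTTP/1.1 {status} OK\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed sample: the chain from the write-up with invented bodies and EK path.
CLIENT = "192.168.204.137"
EK_URL = "http://epzqy.iphaeba.eu:22780/landing"     # path is hypothetical
FAKE_SWF = b"CWS\x0b" + b"\x00" * 60                  # SWF v11 header followed by filler
SAMPLE_STREAMS = [
    (CLIENT, "213.186.33.19",
     b"GET / HTTP/1.1\r\nHost: www.theopen.be\r\n\r\n",
     _resp(200, "text/html", b"<html><iframe src='http://col.reganhosting.com/link'></iframe></html>")),
    (CLIENT, "185.14.30.113",
     b"GET /link HTTP/1.1\r\nHost: col.reganhosting.com\r\nReferer: http://www.theopen.be/\r\n\r\n",
     _resp(200, "text/html", b"<html><script src='" + EK_URL.encode() + b"'></script></html>")),
    (CLIENT, "168.235.69.48",
     b"GET /landing HTTP/1.1\r\nHost: epzqy.iphaeba.eu:22780\r\nReferer: http://col.reganhosting.com/link\r\n\r\n",
     _resp(200, "application/octet-stream", FAKE_SWF)),   # mislabelled on purpose: magic bytes decide
]

if __name__ == "__main__":
    objs = http_objects(SAMPLE_STREAMS)
    for o in objs:
        if o["is_swf"]:
            print(f"SWF from {o['server']} {o['url']} sha1={o['sha1']}")
    print(" -> ".join(redirect_chain(objs, EK_URL)))
```

The third response is deliberately served as application/octet-stream, and the script still flags it as SWF because it checks the first three bytes of the body; doing the same on the real dump is the check to apply before trusting any Content-Type an exploit kit sends. The chain it prints (www.theopen.be -> col.reganhosting.com/link -> epzqy.iphaeba.eu:22780) is exactly the answer to the redirect questions, with the compromised site first and the exploit kit last.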