Created: 12/01/2024 12:13 Last Updated: 05/06/2024 20:17
Can you determine evidence of port scan activity?
Log file: ~~https://files-ld.s3.us-east-2.amazonaws.com/port+scan.zip Pass: 321~~ /root/Desktop/ChallengeFile/port_scan.pcap
Note: the pcap file can be found in public resources.
Let's open this pcap file in Wireshark.
As the challenge name suggests, the captured traffic indicates that 10.42.42.253 was TCP port scanning other systems in the network.
Using the filter tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == 10.42.42.253, I got the results of the scan: since this was likely a TCP SYN (or connect) scan, every open port on an active host answers the scanner's SYN with a SYN/ACK, while closed ports answer with RST/ACK, so the SYN/ACK packets sent back to the scanner list exactly the open ports it discovered.
Go to Statistics > Resolved Addresses to find out more about the devices that appear in this capture.
After doing some research I found this blog, which was useful for determining whether the Quanta Computer device we found earlier is a Windows system or not.
We can use ip.ttl == 128 to check whether this system is running Windows: Windows uses a default initial TTL of 128, while Linux and macOS use 64. This only works because the capture was taken on the same LAN segment as the hosts, so no router has decremented the TTL along the way.
Or we can simply check the port scan results: a host that answers on TCP 135 (Microsoft RPC endpoint mapper) and 139 (NetBIOS session service) is almost certainly a Windows system.
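The two checks above (the SYN/ACK filter that lists open ports, and the TTL / port-based Windows guess) can be reproduced offline without Wireshark. The script below is an added example written for this writeup, not part of the challenge or of any tool the challenge uses. It builds a small set of constructed Ethernet/IPv4/TCP frames that mimic the scan (the addresses 10.42.42.253 and 10.42.42.50 and the Apple MAC come from the writeup; the Apple host's IP 10.42.42.25, the scanner MAC, the Windows host MAC, the probed ports and the TTL values are assumptions), parses them with struct, applies the same condition as the Wireshark filter, and tags each responder with an OS guess derived from its initial TTL.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

SCANNER, WIN, APPLE = "10.42.42.253", "10.42.42.50", "10.42.42.25"  # APPLE IP is assumed
SCANNER_MAC, WIN_MAC = "00:0c:29:11:22:33", "00:0c:29:44:55:66"    # assumed MACs
APPLE_MAC = "00:16:cb:92:6e:dc"                                     # MAC from the writeup


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, ttl):
    """Ethernet II + IPv4 + TCP header, no payload; checksums left as zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip_hdr + tcp


def parse_frame(frame):
    """Return the fields the analysis needs, or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ttl, proto = frame[22], frame[23]
    if proto != 6:
        return None
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": ".".join(str(b) for b in frame[26:30]),
        "dst_ip": ".".join(str(b) for b in frame[30:34]),
        "sport": sport, "dport": dport, "flags": frame[t + 13], "ttl": ttl,
    }


def matches_synack_filter(pkt, scanner_ip):
    """Same condition as the Wireshark filter
    tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == <scanner>."""
    return pkt["flags"] & (SYN | ACK) == (SYN | ACK) and pkt["dst_ip"] == scanner_ip


def guess_os(ttl):
    """Initial-TTL heuristic; only valid when no router sits between host and capture point."""
    return {128: "Windows", 64: "Linux/macOS/BSD", 255: "network device/Solaris"}.get(ttl, "unknown")


def analyze(frames):
    pkts = [p for p in (parse_frame(f) for f in frames) if p]
    # The scanner is the host that sends bare SYNs to the most distinct (host, port) pairs.
    syn_targets = defaultdict(set)
    for p in pkts:
        if p["flags"] & (SYN | ACK) == SYN:
            syn_targets[p["src_ip"]].add((p["dst_ip"], p["dport"]))
    scanner = max(syn_targets, key=lambda ip: len(syn_targets[ip]))
    open_ports, closed_ports, macs, ttls = defaultdict(set), defaultdict(set), {}, {}
    for p in pkts:
        macs[p["src_ip"]], ttls[p["src_ip"]] = p["src_mac"], p["ttl"]
        if matches_synack_filter(p, scanner):          # open port answered the scanner
            open_ports[p["src_ip"]].add(p["sport"])
        elif p["flags"] & RST and p["dst_ip"] == scanner:  # closed port answered the scanner
            closed_ports[p["src_ip"]].add(p["sport"])
    found = sorted(open_ports)
    hosts = {ip: {"mac": macs[ip], "ttl": ttls[ip], "os": guess_os(ttls[ip]),
                  "open": sorted(open_ports[ip]), "closed": sorted(closed_ports[ip])}
             for ip in sorted(macs) if ip != scanner}
    return {"scanner": scanner, "found": found, "hosts": hosts}


def sample_capture():
    """Constructed traffic, not the challenge pcap: a SYN scan of two hosts plus one unrelated ACK."""
    frames = []
    for port in (22, 80, 135, 139, 445):
        frames.append(build_frame(SCANNER_MAC, WIN_MAC, SCANNER, WIN, 40000 + port, port, SYN, 64))
    for port in (22, 80, 135):
        frames.append(build_frame(SCANNER_MAC, APPLE_MAC, SCANNER, APPLE, 40000 + port, port, SYN, 64))
    for port in (135, 139):   # Windows host: open ports reply SYN/ACK with TTL 128 ...
        frames.append(build_frame(WIN_MAC, SCANNER_MAC, WIN, SCANNER, port, 40000 + port, SYN | ACK, 128))
        frames.append(build_frame(SCANNER_MAC, WIN_MAC, SCANNER, WIN, 40000 + port, port, RST, 64))
    for port in (22, 80, 445):  # ... and closed ports reply RST/ACK
        frames.append(build_frame(WIN_MAC, SCANNER_MAC, WIN, SCANNER, port, 40000 + port, RST | ACK, 128))
    for port in (22, 80, 135):  # Apple host: nothing open, TTL 64
        frames.append(build_frame(APPLE_MAC, SCANNER_MAC, APPLE, SCANNER, port, 40000 + port, RST | ACK, 64))
    frames.append(build_frame(WIN_MAC, APPLE_MAC, WIN, APPLE, 50000, 443, ACK, 128))  # unrelated traffic
    return frames


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

The scanner's own RST after each SYN/ACK (what a half-open SYN scan sends to tear the connection down) and the unrelated ACK are included to show that neither is mistaken for a response to the scan: only packets carrying SYN and ACK and addressed to the scanner count as open ports, and the OS guess is taken from the TTL of the responder's own packets.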
What is the IP address scanning the environment?
10.42.42.253
What is the IP address found as a result of the scan?
10.42.42.50
What is the MAC address of the Apple system it finds?
00:16:cb:92:6e:dc
What is the IP address of the detected Windows system?
10.42.42.50
This pcap file was captured while the system 10.42.42.253 was conducting a port scan, and the Windows system 10.42.42.50 responded on ports 135 and 139.