LetsDefend - Port Scan Activity
Overview:
Today, we are going to walk through the Port Scan Activity challenge on LetsDefend. This is an easy-rated challenge, and it is my first challenge on the site. In a nutshell, you download a PCAP file, analyze it and answer questions about the results. While there are various tools that can read PCAP files, I will be using Wireshark for this challenge.
Question 1: What is the IP Address scanning the environment?
There are many different methods that someone can use during a port scan. For example, there is the TCP-Connect method, where the scanning machine attempts a full TCP three-way handshake on each port scanned, and the TCP-SYN scan (also referred to as a "half-open" scan), where the scanning machine initiates the TCP three-way handshake but, if it receives a SYN-ACK reply, sends a packet with the RST flag set instead of the final ACK, so that no TCP connection is fully established, in an attempt to avoid detection (though most modern EDR and SIEM platforms can detect this method nowadays). There is also the ICMP sweep, where the scanning machine sends ICMP Echo Requests and notes which devices send back an ICMP Echo Reply. There are many more techniques, but knowing these few is enough to start analyzing the packets and look for a common IP using any one of these scanning methods against numerous ports.
Right off the bat, we can see SYN packets being sent to the same port number on multiple IPs, all originating from 10.42.42.253. Below I have highlighted two groups as an example. Notice how the first grouping has IP 10.42.42.253 sending requests destined to port 80 (HTTP) on multiple IP addresses, and the second does the same for port 389 (LDAP). This is definitely our answer for the first question.
Question 2: What is the IP address found as a result of the scan?
To be honest, I wasn't 100% sure what this question was asking for in particular, as we technically see three other IP addresses (10.42.42.25, .50 and .56). I assumed we were probably looking for a successful connection from the scanning IP to a port, so as I started digging into the packets, I found a successful TCP connection on ports 135 (RPC) and 139 (NetBIOS) on the address 10.42.42.50.
To further investigate this, we can apply a display filter that shows only packets with the ACK flag set and the SYN flag clear (Wireshark names these fields tcp.flags.ack and tcp.flags.syn): tcp.flags.ack==1 && tcp.flags.syn==0
After analyzing this, 10.42.42.50 is the only IP that received a packet with the ACK flag set from the scanning IP of 10.42.42.253, so I went with this as my answer.
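The two checks above (find the source sending SYNs to many host/port pairs, then find which targets the scanner actually completed a handshake with) can be scripted instead of eyeballed. The script below is an added example written for this write-up, not part of the challenge or of Wireshark; it works on a constructed list of TCP packet records rather than the real PCAP, and the sample capture mixes a completed connect-style handshake, a half-open probe and a closed port so that each outcome is shown.

```python
"""Detect port-scan behaviour in a list of TCP packet records.

The packets below are constructed for this example; they are not taken from
the challenge PCAP. Each record is (src_ip, dst_ip, src_port, dst_port, flags),
with flags written the way Wireshark displays them: "S", "SA", "A", "R", "RA".
"""
from collections import defaultdict

SCANNER = "10.42.42.253"  # the scanning address identified in the write-up


def find_scanners(packets, min_targets=10):
    """Return {src_ip: count} for sources whose SYN-only packets reach at least
    min_targets distinct (dst_ip, dst_port) pairs. Ordinary clients touch a
    handful of services; a scanner fans out across many hosts and ports."""
    probes = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if flags == "S":
            probes[src].add((dst, dport))
    return {src: len(t) for src, t in probes.items() if len(t) >= min_targets}


def ack_without_syn(packets, src_ip):
    """Equivalent of the Wireshark filter 'tcp.flags.ack==1 && tcp.flags.syn==0',
    restricted to packets sent by src_ip."""
    return [p for p in packets
            if p[0] == src_ip and "A" in p[4] and "S" not in p[4]]


def handshake_outcomes(packets, client_ip):
    """Classify every (host, port) that client_ip sent a SYN to:
       open-connected : SYN, SYN-ACK, ACK   (TCP connect scan, full handshake)
       open-half      : SYN, SYN-ACK, RST from the client (SYN / half-open scan)
       closed         : SYN answered with RST-ACK by the target
       filtered       : SYN with no reply at all"""
    events = defaultdict(set)  # (host, port) -> labels seen
    for src, dst, sport, dport, flags in packets:
        if src == client_ip and flags == "S":
            events[(dst, dport)].add("syn")
        elif dst == client_ip and flags == "SA":
            events[(src, sport)].add("synack")
        elif dst == client_ip and flags == "RA":
            events[(src, sport)].add("rst_target")
        elif src == client_ip and flags == "A":
            events[(dst, dport)].add("ack")
        elif src == client_ip and flags == "R":
            events[(dst, dport)].add("rst_client")
    outcomes = {}
    for key, ev in events.items():
        if "syn" not in ev:
            continue
        if "synack" in ev and "ack" in ev:
            outcomes[key] = "open-connected"
        elif "synack" in ev and "rst_client" in ev:
            outcomes[key] = "open-half"
        elif "rst_target" in ev:
            outcomes[key] = "closed"
        else:
            outcomes[key] = "filtered"
    return outcomes


def build_sample_capture():
    """Constructed packets: the scanner probes five ports on three hosts, plus
    one ordinary client session that must not be flagged as a scan."""
    pkts = []
    hosts = ["10.42.42.25", "10.42.42.50", "10.42.42.56"]
    ports = [80, 135, 139, 389, 445]
    sport = 40000
    for host in hosts:
        for port in ports:
            sport += 1
            pkts.append((SCANNER, host, sport, port, "S"))
            if host == "10.42.42.50" and port in (135, 139):
                pkts.append((host, SCANNER, port, sport, "SA"))
                pkts.append((SCANNER, host, sport, port, "A"))   # full connect
            elif host == "10.42.42.50" and port == 445:
                pkts.append((host, SCANNER, port, sport, "SA"))
                pkts.append((SCANNER, host, sport, port, "R"))   # half-open
            elif host == "10.42.42.25" and port == 80:
                pkts.append((host, SCANNER, port, sport, "RA"))  # closed port
    pkts += [("10.42.42.25", "10.42.42.56", 51000, 443, "S"),
             ("10.42.42.56", "10.42.42.25", 443, 51000, "SA"),
             ("10.42.42.25", "10.42.42.56", 51000, 443, "A")]
    return pkts


if __name__ == "__main__":
    capture = build_sample_capture()
    print("suspected scanners:", find_scanners(capture))
    print("hosts that got ACK-without-SYN from the scanner:",
          sorted({p[1] for p in ack_without_syn(capture, SCANNER)}))
    for key, result in sorted(handshake_outcomes(capture, SCANNER).items()):
        print(f"{key[0]}:{key[1]:<5} {result}")
```

The threshold in find_scanners is deliberately a parameter: on a busy network a legitimate monitoring host can touch many services, so tune it to the environment rather than trusting a fixed number. handshake_outcomes is also what tells a connect scan apart from a half-open one: the same SYN-ACK is answered with an ACK in the first case and a bare RST in the second, which is exactly the distinction the ACK-only Wireshark filter relies on.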
Question 3: What is the MAC address of the Apple system it finds?
This question was a fairly quick find. Upon analyzing the packets I was able to find some NetBIOS Session Service packets being sent to the LAN's broadcast address that carried the device's NetBIOS name. We can see below, in the Ethernet II header, that the source was shown as "Apple_92:6e:dc" (Wireshark resolves the first three bytes of the MAC address, the OUI, to the vendor name). We then look at the MAC address listed just to the right of the NetBIOS name for this device and we have our answer.
Question 4: What is the IP address of the detected Windows system?
This question was also fairly quick to find. From the analysis of the prior questions, we know we have four IP addresses: 10.42.42.25, .50, .56 and .253. We know that .25 is the Apple device and that .253 is the scanning device. This leaves us with two IPs. Going back to the answer to the second question, we know that .50 was the only device that had a successful TCP connection made with the scanning device (also indicative of a TCP-Connect scan), so this was my first instinct as to which device was the detected Windows system.
Summary
Overall this was a fairly fun challenge, as I do enjoy a good packet analysis session. I'm still fairly new to packet analysis and want to dive deeper into the topic, as I know how powerful a skill it is to have when hunting for threats on networks.