Well, I was off to a great start, then basically shut down during the holidays. There was a little studying here and there, but nothing like there should have been. There are about eight weeks left till the test.


Just to see, I decided to try to tackle the SANS 2013 holiday hack challenge. I fired up the Linux VM from SANS 503 with Wireshark, Snort, etc., and dug through the pcap. After spending about 6 hours on it I decided to look through the winning answer write-up.

Not good.

I missed basic stuff like ARP poisoning, the malicious email, and SQL injection. The good: I saw the scans (looked like nmap), the SMB password-guessing attack (Hydra?), buffer overflow attempts, and Metasploit use with PSEXEC and VNC. I spent a while trying to play back the VNC session using chaosreader, but no go. Some of the network was mapped well, but the initial malicious host was missed.

Not good... not horrific either.

Now I’m working on better organizing my method for going through a pcap.

  1. Look at Statistics → Conversations, TCP tab. Sort the Bytes column to see the top-talker sessions. Check the UDP tab too. (In the challenge, the top session was a video device; filtering that traffic out and re-saving the pcap made things much faster.)
    1. Two-packet conversations likely indicate an attempt to connect to a closed port (SYN → RST/ACK).
    2. Three-packet conversations likely indicate a TCP SYN scan (half-open) finding an open port (SYN → SYN/ACK → RST).
    3. More on detecting scans here: http://faculty.scf.edu/bodeJ/CIS2352/NMAP%20Detection%20and%20Countermeasures.pdf
  2. Look at Analyze → Expert Info. Check the Errors and Warnings tabs. The Warnings tab has indicators of ARP attacks (for example Wireshark's "Duplicate IP address detected" warning).
  3. I'll work on this more later...
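Step 1 and its two sub-points, worked as code. This is an added example, not part of the original post: it builds a small capture in memory, groups TCP packets into direction-independent conversations the way the Statistics → Conversations table does, sorts them by bytes so the top talker floats up, labels the two- and three-packet SYN/RST patterns described above, and re-saves the capture with the noisy host removed. The addresses (10.0.0.5 scanning 10.0.0.10, a "video device" at 10.0.0.99 streaming to 10.0.0.20), ports and payloads are constructed for the example and are not from the challenge pcap.

```python
"""Triage TCP conversations in a pcap: top talkers, then SYN/RST flag-sequence labels."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # TCP flag bits

def build_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a raw Ethernet/IPv4/TCP frame (sample data for this example only)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out

def iter_frames(pcap_bytes):
    """Yield each captured frame from a pcap file image, in capture order."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        yield pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen

def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    return src, sport, dst, dport, tcp[13]

def classify(flags):
    """Label a conversation from its packet count and TCP flag sequence (capture order)."""
    synack = SYN | ACK
    if len(flags) == 2 and flags[0] & SYN and (flags[1] & (RST | ACK)) == (RST | ACK):
        return "closed port (SYN -> RST/ACK)"
    if len(flags) >= 2 and flags[0] & SYN and not flags[0] & ACK and (flags[1] & synack) == synack:
        if len(flags) == 3 and flags[2] & RST:
            return "half-open scan, open port (SYN -> SYN/ACK -> RST)"
        if len(flags) >= 3 and flags[2] & ACK and not flags[2] & RST:
            return "completed handshake"
    return "other"

def report(pcap_bytes):
    """Top-talker table: (endpoints, packets, bytes, label), biggest conversation first."""
    convs = defaultdict(list)
    for frame in iter_frames(pcap_bytes):
        p = parse_tcp(frame)
        if p:
            src, sport, dst, dport, flags = p
            key = tuple(sorted([(src, sport), (dst, dport)]))   # same key in both directions
            convs[key].append((flags, len(frame)))
    rows = [(key, len(pk), sum(n for _, n in pk), classify([f for f, _ in pk]))
            for key, pk in convs.items()]
    return sorted(rows, key=lambda r: -r[2])

def drop_host(pcap_bytes, ip):
    """Re-save the capture without any TCP frame to or from `ip` (the noisy device)."""
    keep = []
    for f in iter_frames(pcap_bytes):
        p = parse_tcp(f)
        if p is None or ip not in (p[0], p[2]):
            keep.append(f)
    return build_pcap(keep)

def sample_pcap():
    """Constructed capture: 10.0.0.5 probes 10.0.0.10 while a video device floods 10.0.0.20."""
    S, T, V, M = "10.0.0.5", "10.0.0.10", "10.0.0.99", "10.0.0.20"
    frames = [
        build_packet(S, T, 40001, 23, SYN), build_packet(T, S, 23, 40001, RST | ACK),      # closed
        build_packet(S, T, 40002, 445, SYN), build_packet(T, S, 445, 40002, SYN | ACK),    # open,
        build_packet(S, T, 40002, 445, RST),                                              # half-open
        build_packet(S, T, 40003, 80, SYN), build_packet(T, S, 80, 40003, SYN | ACK),      # full
        build_packet(S, T, 40003, 80, ACK),                                               # session
        build_packet(S, T, 40003, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
        build_packet(T, S, 80, 40003, ACK),
    ]
    frames += [build_packet(V, M, 5000, 6000, PSH | ACK, b"\x00" * 1400) for _ in range(20)]
    return build_pcap(frames)

if __name__ == "__main__":
    cap = sample_pcap()
    for key, pkts, nbytes, label in report(cap):
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  {pkts:3d} pkts {nbytes:6d} B  {label}")
    print("conversations left after dropping 10.0.0.99:", len(report(drop_host(cap, "10.0.0.99"))))
```

The labels depend on packet order and count exactly as the Conversations table does, so the same caveats apply: a retransmitted SYN turns a two-packet closed-port probe into a three- or four-packet one, and a single-packet conversation (SYN with no reply at all) is the filtered-port or dead-host case that the two rules above do not cover. Wireshark's Bytes column counts whole frames, which is why the example sums frame lengths rather than payload.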