Malware traffic exercise: 2015-01-18-traffic-analysis-exercise
pcap file URLs
https://www.malware-traffic-analysis.net/2015/01/18/2015-01-18-traffic-analysis-exercise-1-of-2.pcap.zip
https://www.malware-traffic-analysis.net/2015/01/18/2015-01-18-traffic-analysis-exercise-2-of-2.pcap.zip
Questions and answers
2015-01-18-traffic-analysis-exercise-1-of-2.pcap
- What is the date and time of the activity?
2015.1.9 07:51:21 - 07:52:04
- What is the IP address of the Windows host that gets infected?
Filtering on http.request shows that the infected host's IP is 192.168.139.158
- What is the domain name and IP address of the compromised web site?
ip:108.168.211.93
domain:www.subaruoutback.org
- What is the domain name and IP address that delivered the exploit kit (EK)?
ip:205.234.186.112
domain:atypefresh.in
- What is the name of the EK?
Uploading it to VirusTotal identifies the exploit kit as Fiesta EK
2015-01-18-traffic-analysis-exercise-2-of-2.pcap
- What is the date and time of the activity?
2015.1.14 23:27:20 - 23:34:18
- What is the IP address of the Windows host that gets infected?
As the figure above shows, the infected Windows host's IP is 192.168.204.137
- What is the domain name and IP address of the compromised web site?
Following the TCP stream shows freeforsgames.com redirecting the client to 20.c368.464.75b43b.e3161.dec8.033da1.8c.hl39dj2plwle.lowamounts.in
So the compromised site's IP and domain are:
ip:188.227.165.20
domain:freeforsgames.com
- What is the domain name and IP address that delivered the exploit kit (EK)?
ip:5.196.214.27
domain:20.c368.464.75b43b.e3161.dec8.033da1.8c.hl39dj2plwle.lowamounts.in
- What is the name of the EK?
Uploading the packets to VirusTotal
identifies the exploit kit as Magnitude
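The three Wireshark steps used above (filter on http.request to find the client, follow the stream to see the redirect, read the Host header to map domain to server IP) can be done programmatically. The following is an added example, not part of the original write-up or of the malware-traffic-analysis.net exercise files: it builds a tiny constructed pcap in memory (synthetic Ethernet/IPv4/TCP frames, zero checksums, using the second exercise's IPs and domains as sample values), parses it with only the standard library, and derives the infected host, the redirect chain and the server that answered for each Host header. Function names and the packet layout are the example's own assumptions.

```python
import struct
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample values (taken from the write-up's second exercise; the frames are synthetic).
CLIENT = "192.168.204.137"
COMPROMISED = ("freeforsgames.com", "188.227.165.20")
EK = ("20.c368.464.75b43b.e3161.dec8.033da1.8c.hl39dj2plwle.lowamounts.in", "5.196.214.27")


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _packet(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero; synthetic)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ip(src), _ip(dst))
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Classic pcap (link type 1) with: request to compromised site, 302 to EK host, request to EK."""
    frames = [
        _packet(CLIENT, COMPROMISED[1], 49152, 80,
                b"GET / HTTP/1.1\r\nHost: freeforsgames.com\r\n\r\n"),
        _packet(COMPROMISED[1], CLIENT, 80, 49152,
                b"HTTP/1.1 302 Found\r\nLocation: http://" + EK[0].encode() + b"/landing\r\n\r\n"),
        _packet(CLIENT, EK[1], 49153, 80,
                b"GET /landing HTTP/1.1\r\nHost: " + EK[0].encode() + b"\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1421278040 + i, 0, len(f), len(f)) + f
    return out


def iter_tcp_payloads(pcap):
    """Yield (ts_sec, src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame in a classic pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        yield ts_sec, src, dst, tcp[(tcp[12] >> 4) * 4:]


def http_records(pcap):
    """Extract HTTP request lines (+Host) and response status lines (+Location)."""
    records = []
    for ts, src, dst, payload in iter_tcp_payloads(pcap):
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in lines[1:])}
        first = lines[0].split(" ")
        if first[0] in ("GET", "POST", "HEAD") and len(first) >= 2:
            records.append({"ts": ts, "kind": "request", "src": src, "dst": dst,
                            "host": headers.get("host", ""), "uri": first[1]})
        elif first[0].startswith("HTTP/") and len(first) >= 2:
            records.append({"ts": ts, "kind": "response", "src": src, "dst": dst,
                            "status": first[1], "location": headers.get("location")})
    return records


def infected_host(records):
    """Same idea as the http.request filter: the client that issues the HTTP requests."""
    return Counter(r["src"] for r in records if r["kind"] == "request").most_common(1)[0][0]


def redirect_chain(records):
    """Pair each 3xx Location with the request it answered -> (from_host, from_ip, to_host)."""
    chain = []
    for r in records:
        if r["kind"] == "response" and r["status"].startswith("3") and r["location"]:
            prior = [q for q in records if q["kind"] == "request"
                     and q["src"] == r["dst"] and q["dst"] == r["src"] and q["ts"] <= r["ts"]]
            if prior:
                chain.append((prior[-1]["host"], r["src"], urlsplit(r["location"]).hostname))
    return chain


def server_ip_for(records, host):
    """Map a Host header to the server IP it was sent to (domain -> IP, as asked in the exercise)."""
    for r in records:
        if r["kind"] == "request" and r["host"] == host:
            return r["dst"]
    return None


if __name__ == "__main__":
    recs = http_records(build_sample_pcap())
    print("infected host:", infected_host(recs))
    for from_host, from_ip, to_host in redirect_chain(recs):
        print(f"redirect: {from_host} ({from_ip}) -> {to_host} ({server_ip_for(recs, to_host)})")
```

Against a real capture, replace build_sample_pcap() with open("file.pcap", "rb").read(); the parser only handles classic pcap with an Ethernet link type and HTTP requests that start at a TCP segment boundary, which is enough for the short request/redirect sequences these exercises contain.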