  • [Network Lab] Intrusion Detection and Honeypot Analysis
    🌐 Network 2022. 10. 11. 19:58

    Objective

    1) Learn how to analyze the log of a honeypot and determine information about the attacks that occurred.

    2) Learn the behavior of attackers and the measures that should be taken to make the system safe.

     

    Task 

    The file "attack.log" contains logs recorded during the time of the attack. Use Wireshark to analyze it. 

     

    1. What is the IP of the attacker? What is its physical location (country)?

    2. What is the IP of the victim and its location?

    3. Which vulnerability does the attacker use?

    4. Describe the behavior of the attacker.

    5. Write down the time when the attacker gains root access. How does it do it?

    6. What is the IP of the machine where the attacker stores the root kit? Where is it located?

    7. Follow the TCP Stream that holds the root kit. Save it as “raw” into a “.tgz” file and extract it with tar -zxvf. Recover and analyze the root kit. What files does it contain? Why?

    8. What should you do if you want to protect your network from this type of attack?
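
For step 7, it is worth inspecting the saved stream before running tar -zxvf on it. The following is an added example (not part of the original lab or post): it hashes the carved bytes and lists the archive members without extracting them, flagging entries that are unsafe to unpack blindly. The sample archive and every name in it are constructed for illustration.

```python
import hashlib
import io
import tarfile
from pathlib import PurePosixPath

def member_flags(m):
    """Return the reasons a tar member should not be extracted blindly."""
    flags = []
    path = PurePosixPath(m.name)
    if path.is_absolute():
        flags.append("absolute-path")
    if ".." in path.parts:
        flags.append("parent-traversal")
    if m.issym() or m.islnk():
        target = PurePosixPath(m.linkname)
        # Conservative: any absolute or ".." link target is reported.
        if target.is_absolute() or ".." in target.parts:
            flags.append("link-escapes-dir")
    if m.ischr() or m.isblk():
        flags.append("device-node")
    if m.mode & 0o6000:
        flags.append("setuid/setgid")
    return flags

def triage(raw):
    """Hash the saved stream and list its members; nothing is written to disk."""
    report = {"sha256": hashlib.sha256(raw).hexdigest(), "members": []}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tar:
        for m in tar:
            report["members"].append((m.name, m.size, oct(m.mode), member_flags(m)))
    return report

def build_sample():
    """Constructed sample archive (not the lab's file) so the example runs offline."""
    entries = [("sample/readme.txt", 0o644, b"hello\n"),
               ("sample/../../outside.txt", 0o644, b"x\n"),
               ("sample/tool", 0o4755, b"\x7fELF")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, body in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(body)
            tar.addfile(info, io.BytesIO(body))
        link = tarfile.TarInfo("sample/link")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/hostname"
        tar.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    for name, size, mode, flags in triage(build_sample())["members"]:
        print(f"{mode:>8} {size:>6} {name}  {', '.join(flags) or 'ok'}")
```

To use it on the lab file, read the saved ".tgz" in binary mode and pass the bytes to triage(); record the SHA-256 in your report and extract only inside a disposable analysis directory or VM.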

     

     

     

    References:

    https://itwiki.kr/w/%ED%97%88%EB%8B%88%ED%8C%9F
    https://en.wikipedia.org/wiki/Honeypot_(computing)

    https://en.wikipedia.org/wiki/Buffer_overflow
