2018-07-15 - TRAFFIC ANALYSIS EXERCISE - OH NOES! TORRENTZ ON OUR NETWORK!
[Our blog post](https://enterprise.cloudshark.org/blog/malware-exercise-tracking-bittorrent/) describes how we went through this [malware-traffic-analysis.net](https://malware-traffic-analysis.net) exercise using CloudShark.

# SCENARIO

You have received alerts on bittorrent traffic from 10.0.0.201 on your organization's network. Torrent traffic is often associated with file sharing of copyright-protected content; however, many cases of torrent traffic are perfectly legal (like this traffic analysis exercise).

Characteristics of your network are:

* LAN segment: 10.0.0.0/24 (10.0.0.0 through 10.0.0.255)
* Broadcast address: 10.0.0.255
* Domain controller: 10.0.0.2 (DogOfTheYear-DC)
* Domain: dogoftheyear.net

# TASK

Based on the pcap, answer the following questions:

1. What is the MAC address of the computer at 10.0.0.201?
   * [00:16:17:18:66:c8](/captures/b9089aac6eee?filter=ip.src%3D%3D10.0.0.201)
2. What is the host name of the computer at 10.0.0.201?
   * [BLANCO-DESKTOP](/captures/b9089aac6eee?filter=nbns%26%26ip.addr%3D%3D10.0.0.201)
3. What is the Windows user account name for the computer at 10.0.0.201?
   * [elmer.blanco](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20kerberos.CNameString%20and%20%21%28kerberos.CNameString%20contains%20%24%29)
4. What is the Microsoft Windows version (XP, 7, 8, or 10) of the computer at 10.0.0.201?
   * [Windows 10](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20http.user_agent)
5. What time in UTC did the torrent activity from 10.0.0.201 start?
   * [Jul 15, 2018 04:17:37.159914000 UTC](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20bittorrent)
6. What torrent file did the user at 10.0.0.201 download?
   * [Betty_Boop_Rhythm_on_the_Reservation.avi.torrent](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20%28http.request.uri%20contains%20%22.torrent%22%29)
7. What is the name of the torrent client used on 10.0.0.201?
   * [Deluge 1.3.15](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20http%20%26%26%20%21%28tcp.port%20%3D%3D%2080%29)
8. What file is being seeded (shared) by the torrent client on 10.0.0.201?
   * [ubuntu-18.04-desktop-amd64.iso sha1: e4be9e4db876e3e3179778b03e906297be5c8dbe](/captures/b9089aac6eee?filter=ip.addr%20%3D%3D%2010.0.0.201%20%26%26%20bittorrent)
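Questions 7 and 8 are answered above from HTTP tracker traffic and the `bittorrent` dissector; the same two facts (client and info_hash of the seeded content) also sit in every peer-wire handshake, and this added example parses one. It is not part of the exercise or of CloudShark; the sample handshake bytes are constructed here, and the version decoding assumes the libtorrent fingerprint convention Deluge uses for its peer_id.

```python
from typing import Dict, Optional

# Peer-wire handshake (BEP 3): 1-byte pstrlen, 19-byte pstr, 8 reserved bytes,
# 20-byte info_hash (SHA-1 of the torrent's "info" dict), 20-byte peer_id.
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20

# Azureus-style peer_id prefixes "-XXvvvv-" (BEP 20); a small subset.
AZUREUS_CLIENTS = {"DE": "Deluge", "UT": "uTorrent", "TR": "Transmission", "qB": "qBittorrent"}

# Analyst lookup table, info_hash -> content. The single entry is the hash
# reported in the exercise answer above.
KNOWN_INFO_HASHES = {"e4be9e4db876e3e3179778b03e906297be5c8dbe": "ubuntu-18.04-desktop-amd64.iso"}


def decode_peer_id(peer_id: bytes) -> str:
    """Name the client from an Azureus-style peer_id, or 'unknown'."""
    if len(peer_id) != 20 or peer_id[0:1] != b"-" or peer_id[7:8] != b"-":
        return "unknown"
    tag, ver = peer_id[1:3].decode("ascii", "replace"), peer_id[3:7].decode("ascii", "replace")
    name = AZUREUS_CLIENTS.get(tag, f"unknown({tag})")
    if tag == "DE" and ver.isalnum():
        # Assumed libtorrent fingerprint: one char per version component,
        # '0'-'9' for 0-9 and 'A'-'Z' for 10-35, so "13F0" is 1.3.15 (4th is a tag).
        comp = [int(c) if c.isdigit() else ord(c.upper()) - ord("A") + 10 for c in ver]
        return f"{name} {comp[0]}.{comp[1]}.{comp[2]}"
    return f"{name} {ver}"  # other clients encode versions differently; keep raw


def parse_handshake(data: bytes) -> Optional[Dict[str, str]]:
    """Parse one peer-wire handshake; return None if the payload is not one."""
    if len(data) < HANDSHAKE_LEN or data[0] != len(PSTR) or data[1:20] != PSTR:
        return None
    info_hash = data[28:48].hex()
    return {"info_hash": info_hash,
            "content": KNOWN_INFO_HASHES.get(info_hash, "unknown"),
            "client": decode_peer_id(data[48:68])}


# Constructed sample payload (not taken from the pcap): a Deluge 1.3.15 handshake
# announcing the Ubuntu ISO info_hash; the peer_id tail is arbitrary.
SAMPLE_HANDSHAKE = (bytes([19]) + PSTR + b"\x00" * 8
                    + bytes.fromhex("e4be9e4db876e3e3179778b03e906297be5c8dbe")
                    + b"-DE13F0-" + b"A" * 12)

if __name__ == "__main__":
    print(parse_handshake(SAMPLE_HANDSHAKE))
```

Run over the TCP payloads of a capture, any payload that parses gives the peer's client and the content hash without needing tracker HTTP in the pcap at all.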