Security Videos

Entries in Network Security (3)


Network Challenge - 001 - Solution

I Wanted to send a big thanks out to everyone who sent solutions in for the Network challenge. While there were many responses, two (2) stood out amongst the rest. I don't plan on doing prizes for all of these contests, but I was so impressed by these responses, that I wanted to do something special on this ocassion. The winners of this first challenge are:

  • First Place: @dfir_it ($150 amazon Gift Card) Solution is below
  • Second Place: @CYINT_DUDE ($50 Amazon Gift Card) Solution

The first place solution is so well written, that I figured it was worth posting in it's entirety here (with permission from the author of course). See below for the solution, and keep any eye on dfir.it where the author intends to post more details on how he arrived at the answers you see below.

@dfir_it Winning Contest Submission:


Network Challenge - 001 - Linux

One of my favorite sites is "Malware Traffic Analysis" where the author routinely posts network challenges. In the spirit of contributing to this effort of providing material for analysts to sharpen their skills, I developed a challenge focused around a popular scenario I often come across in research and other analysis efforts. As a heads up, any malware you may come across in the analysis of this PCAP is in fact real malware. Please take care in how you analyze. 

When reviewing this PCAP and writing your response please keep in mind what you would really want in an investigation. The questions I ask at the end of this article are intentionally vague, as I didn't want to give too much away with the questions. What I am hoping to see in responses is that the analysts are able to adequately tell a story of what likely occurred, identify network and host indicators that can help further scope this incident, and write detection rules in the detection languages of their choice to find future instances of this activity. 


The due date for submissions is September 25, 2016. Enjoy!


Client provides a PCAP involving all traffic they have from a victim Linux server.  A snort signature alerted for files downloaded from an HFS server. The client does not have any other context to provide. Other than the following is the Snort Signature that was alerted on:

alert tcp any any -> any any (msg:"HFS [File Download]";flow:to_client,established; content:"HFS 2.";distance:0; content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)


  1. Determine what likely occurred based on the evidence from the PCAP.
  2. Identify any network and/or host artifacts that could be used to scope this incident further.
  3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity. 


Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or comment on this blog post with a link to your own article with a response. I'll review responses, and perhaps give out a few prizes to those with great writeups.


TekTip ep11 - Kippo SSH Honeypot

Description: Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker
Uses:  Alert to potiential threats, watch how hackers operate, gather exploits and malware
http://bruteforce.gr/honeybox Honeybox is a distro that contains numerous honeypot software, all on a single box.  Additionally, the distro preconfigures the honeypot to utilize some of the many enhancements Brutforce Labs have created for these honeypots.
*If at home, to make this accessible from the internet you will need to enable port forwarding at your modem, and potientially your Virtual Machine software.
kippo/kippo.cfg : Main configuration file
kippo/honeyfs :  This is the fake filesystem that wll be presented to the user.
kippo/data/userdb.txt :  This file allows us to modify the username and password combinations that will work when attackers attempt to log into the honeypot.
kippo/log/tty/ : In this directory you will find the logs for each session established by attackers.
- will start kippo
/kippo/utils/playlog.py : Replay an attacker session from the kippo/log/tty directory.
Usage: playlog.py [-bfhi] [-m secs] [-w file] <tty-log-file>
 -f             keep trying to read the log until it's closed
 -m <seconds>   maximum delay in seconds, to avoid boredom or fast-forward to the end. (default is 3.0)
-i             show the input stream instead of output
 -b             show both input and output streams
 -c             colorify the output stream based on what streams are being received
 -h             display this help
~/kippo/utils/playlog.py 20121012-115031-8544.log