Network Forensics – Round 4: The Curious Mr. X

by DFIRninja
Categories: Analysis, Network Forensics

Round 4! Below is the scenario for round 4 in the Network Forensics Challenge Series:

While a fugitive in Mexico, Mr. X remotely infiltrates the Arctic Nuclear Fusion Research Facility’s (ANFRF) lab subnet over the Interwebs. Virtually inside the facility (pivoting through a compromised system), he conducts some noisy network reconnaissance. Sadly, Mr. X is not yet very stealthy.

Unfortunately for Mr. X, the lab’s network is instrumented to capture all traffic (with full content). His activities are discovered and analyzed… by you!

At the bottom of the article, you can find the packet capture containing Mr. X’s activity. As the network forensic investigator, your mission is to answer the following questions:

  1. What was the IP address of Mr. X’s scanner?
  2. For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one:
     • UDP
     • TCP Connect
  3. What were the IP addresses of the targets Mr. X discovered?
  4. What was the MAC address of the Apple system he found?
  5. What was the IP address of the Windows system he found?
  6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)

X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

Again for this challenge I used the same tools as in the other rounds to accomplish the tasks above. There are always other commercial and open source tools you could use for this challenge, but the *starred* tools below are the ones I used:





You can also write your own scripts to parse the pertinent information out of the packet capture.

After verifying that the packet capture (evidence04.pcap) has the correct hash (804648497410b18d9a7cb1d4b2252ef7), we are ready to start the round. First, we are looking for the IP address of Mr. X’s scanner. To answer this, within Wireshark, go to Statistics > Endpoints > IPv4. You’ll notice the distribution of the number of packets heavily favors (Figure 1). This is a good indication that this IP address is the scanner’s. You can find similar results within Statistics > Conversations > IPv4 (Figure 1.1). You can also use NetworkMiner to find this answer: if you open the pcap file in NetworkMiner and expand all the hosts listed, it will show how many packets were sent from each IP address, and you’ll notice that has sent significantly more than the others (Figure 1.2).

Figure 1: IP address of the scanner
Figure 1.1: Conversations for the scanner IP
Figure 1.2: NetworkMiner, IP of the scanner

Now for question 2: what type of port scan was the first scan that Mr. X conducted? You get a multiple-choice option for this one. To answer it, you need to be able to distinguish between the scan types offered as answers. A quick Google search will tell you more if you don’t have a good grasp of them. Searching each of the possible answers, you would have stumbled on TCP Connect as the right one. TCP Connect, like TCP SYN, sends a TCP packet with the SYN flag set, but completes the connection by sending an ACK to acknowledge the SYN/ACK packet if the port is open. The connection is then closed by sending a RST packet. If the port is closed, the target sends back a RST/ACK. In Figure 2, you’ll notice the pattern of the port scan, with RST/ACKs being sent back for the closed ports. Then in Figure 2.1, you’ll see where the scan comes across an open port, completing the whole handshake (SYN, SYN/ACK, ACK), then closing the connection with a RST/ACK packet.

Figure 2: TCP Connect scan
Figure 2.1: TCP Connect scan
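The flag patterns described above, turned into detection logic as an added Python example that is not part of the original post. It groups each probed (target, port) exchange and tells a completed handshake (connect scan) apart from a SYN/ACK answered straight away by a RST (half-open SYN scan); the segments and addresses are constructed, and a real capture would be fed in as the same (src, dst, sport, dport, flags) tuples.

```python
from collections import defaultdict

# One segment as (src, dst, sport, dport, flags), flags in Wireshark's letters:
# S = SYN, A = ACK, R = RST. Addresses below are constructed, not the challenge's.
SCANNER = "10.0.0.9"
SAMPLE = [
    ("10.0.0.9", "10.0.0.20", 40001, 445, "S"),   # closed: SYN answered by RST/ACK
    ("10.0.0.20", "10.0.0.9", 445, 40001, "RA"),
    ("10.0.0.9", "10.0.0.20", 40002, 135, "S"),   # open, full connect: SYN, SYN/ACK, ACK, RST/ACK
    ("10.0.0.20", "10.0.0.9", 135, 40002, "SA"),
    ("10.0.0.9", "10.0.0.20", 40002, 135, "A"),
    ("10.0.0.9", "10.0.0.20", 40002, 135, "RA"),
    ("10.0.0.9", "10.0.0.21", 40003, 22, "S"),    # open, half-open: SYN, SYN/ACK, RST and no ACK
    ("10.0.0.21", "10.0.0.9", 22, 40003, "SA"),
    ("10.0.0.9", "10.0.0.21", 40003, 22, "R"),
]

def group_probes(packets, scanner):
    """Collect each probed (target, port) exchange in capture order, tagged by direction."""
    probes = defaultdict(list)
    for src, dst, sport, dport, flags in packets:
        if src == scanner:
            probes[(dst, dport)].append(("out", flags))
        elif dst == scanner:
            probes[(src, sport)].append(("in", flags))
    return probes

def classify(seq):
    """(port_state, technique) for one probe: a bare ACK from the scanner after the
    SYN/ACK completed the handshake (connect); a RST right after it is the SYN-scan pattern."""
    saw_synack = False
    for direction, flags in seq:
        if direction == "in" and flags == "SA":
            saw_synack = True
        elif direction == "in" and "R" in flags and not saw_synack:
            return "closed", None
        elif direction == "out" and saw_synack and flags in ("A", "R", "RA"):
            return "open", ("connect" if flags == "A" else "syn")
    return ("open" if saw_synack else "no-response"), None

def scan_technique(packets, scanner):
    """Technique seen most often across the ports that answered with SYN/ACK."""
    votes = defaultdict(int)
    for seq in group_probes(packets, scanner).values():
        tech = classify(seq)[1]
        if tech:
            votes[tech] += 1
    return max(votes, key=votes.get) if votes else None
```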

Question 3 asks for the IP addresses of the targets Mr. X discovered. Again, there are multiple ways to figure this out. First, in Wireshark, go to Statistics > Conversations > IPv4 (Figure 3). Here you’ll see the different IPs of the targets (everything excluding the scanner IP and the broadcast IP), which includes,, and Also in Wireshark, going to Statistics > Endpoints > IPv4, you’ll get a similar view of the target IP addresses (Figure 4).

Figure 3: Conversations
Figure 4: Endpoints

On to question number 4: what was the MAC address of the Apple system he found? Again, let’s go to Statistics > Endpoints within Wireshark. Fourth down in the list of five endpoints, you’ll find the name of the Apple device (Figure 5). In the bottom left corner of the window, you’ll see a checkbox for “Name Resolution”. If you uncheck the box, you’ll see the MAC address of the Apple device, 00:16:cb:92:6e:dc (Figure 6).

Figure 5: Endpoints with names
Figure 6: Endpoints with MAC addresses

Question 7 asks for the IP address of the Windows system he found. A quick and easy way to find this answer is to open the pcap with NetworkMiner. Once loaded, under the Hosts tab, you’ll find that is the Windows machine (Figure 7).

Figure 7: Windows machine

For the last question, what TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.) Again, we are going to use Wireshark’s Endpoints view. In Wireshark, click Statistics > Endpoints > TCP and filter on Address. You already know which IPs are which, so ignoring the scanning IP, you can fairly quickly find that the only open ports are 135 and 139 on You’ll notice that for most (not all) of the other packets there are only 4 bytes, but when the scan finds an open port you’ll see more data being transferred (Figure 8). You can also quickly find this answer by opening the pcap with NetworkMiner (Figure 8.1).

Figure 8: TCP open ports
Figure 8.1: TCP open ports with NetworkMiner

Let’s answer some of the extra credit in the challenge. X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? The short answer is Nmap. Going through the packet capture, you’ll notice a fairly common item in the details pane, “Window size value: 31337”. A quick Google search on that value shows you are dealing with an Nmap scan. There are a good number of network scanners out there, and the challenge for you is to go use some of them and compare the output. Get used to how each one operates and what its output and network traffic look like, so you can figure out which tool Mr. X used.
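The checks the walkthrough does by eye in the Endpoints and Conversations views (scanner by packet-count skew, targets minus the broadcast address, open ports from SYN/ACK replies, and the 31337 window size noted in the extra credit), as an added Python example that is not from the original post. It runs over a handful of constructed TCP segment records of the kind you would export from a capture with tshark -T fields; every address and port below is made up.

```python
from collections import Counter, defaultdict

# Each record is one TCP segment from the capture. Constructed sample: a scanner
# probes two hosts plus the subnet broadcast; only some ports answer SYN/ACK.
SAMPLE = [
    {"src": "10.0.0.9", "dst": "10.0.0.20", "sport": 40001, "dport": 135, "flags": "S", "win": 31337},
    {"src": "10.0.0.20", "dst": "10.0.0.9", "sport": 135, "dport": 40001, "flags": "SA", "win": 8192},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "sport": 40002, "dport": 139, "flags": "S", "win": 31337},
    {"src": "10.0.0.20", "dst": "10.0.0.9", "sport": 139, "dport": 40002, "flags": "SA", "win": 8192},
    {"src": "10.0.0.9", "dst": "10.0.0.20", "sport": 40003, "dport": 445, "flags": "S", "win": 31337},
    {"src": "10.0.0.20", "dst": "10.0.0.9", "sport": 445, "dport": 40003, "flags": "RA", "win": 0},
    {"src": "10.0.0.9", "dst": "10.0.0.21", "sport": 40004, "dport": 22, "flags": "S", "win": 31337},
    {"src": "10.0.0.21", "dst": "10.0.0.9", "sport": 22, "dport": 40004, "flags": "SA", "win": 65535},
    {"src": "10.0.0.9", "dst": "10.0.0.255", "sport": 40005, "dport": 80, "flags": "S", "win": 31337},
]
BROADCAST = "10.0.0.255"  # constructed; matches the sample subnet

def scanner_ip(packets):
    """The host that sent the most segments: the skew the Endpoints view shows."""
    return Counter(p["src"] for p in packets).most_common(1)[0][0]

def discovered_targets(packets, scanner, broadcast=BROADCAST):
    """Every peer the scanner exchanged traffic with, minus the scanner and broadcast."""
    peers = {p["dst"] if p["src"] == scanner else p["src"]
             for p in packets if scanner in (p["src"], p["dst"])}
    return sorted(peers - {scanner, broadcast})

def open_tcp_ports(packets, scanner):
    """A SYN/ACK back to the scanner means the port is listening; sorted ascending per host."""
    ports = defaultdict(set)
    for p in packets:
        if p["dst"] == scanner and p["flags"] == "SA":
            ports[p["src"]].add(p["sport"])
    return {host: sorted(s) for host, s in ports.items()}

def window_31337_ratio(packets, scanner):
    """Share of the scanner's SYNs carrying window size 31337, the value the post flags as Nmap's."""
    syns = [p for p in packets if p["src"] == scanner and p["flags"] == "S"]
    return sum(p["win"] == 31337 for p in syns) / len(syns) if syns else 0.0
```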

Great job! We have completed the challenge. This was a good one for looking at scanning traffic. I hope you enjoyed the walkthrough. Please ask questions if you have any, and stay tuned for the next round. Below is a link to the challenge:


1 Comment

  1. anthony says:

    Your answer for question number 2 might be off.

    See the Windows Machine with open ports. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener.
