Tags: forensics 

# 2_Analysis

We're asked a few more questions about the attack that we need to answer.

First off, we need the time, in UTC, at which the scanning started. We already know the attacker and victim IP addresses from the previous level, and we know the attack opened with an nmap scan, so we can reuse the same filter and take the timestamp of the first packet the attacker sent to the victim (the first SYN of the scan).

```
( ip.src == 10.187.195.95 ) and ( ip.dst == 10.0.80.17 ) and tcp
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/2_Analysis-1.png)

We find that the first packet was sent on May 22, 2018, at 12:07:35 PDT. Wireshark's time column shows the analyst's local time zone by default, and PDT is UTC-7, so in UTC this is May 22, 2018, at 19:07:35. To read UTC straight off the packet list instead of converting by hand, switch View > Time Display Format to "UTC Date and Time of Day".

Next, we're asked for the name of the first tool they used: the one doing the port scanning.

We can already assume that it's nmap, but if you need confirmation, a little further into the pcap we find an `HTTP GET /nmap...` packet, nmap's own HTTP probing leaving its name in the request. This confirms that the first tool used was indeed nmap.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/2_Analysis-2.png)

Now we need to find out what the third tool was, and what its version string is. The first tool was nmap. The second was a directory scanner. The third attacked the login page, so let's scroll to where the login page is hit and have a look.

We can drop the `tcp` clause from the filter now. It was not actually excluding anything (HTTP runs over TCP), but the plain host-pair filter is all we need here; appending `and http.request` would narrow it further to just the requests.

```
( ip.src == 10.187.195.95 ) and ( ip.dst == 10.0.80.17 )
```

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/2_Analysis-3.png)

We find the start of an automated attack on the login form: a burst of requests to adminlogin.php whose User-Agent header reads sqlmap/1.2.4#stable. So the third tool is sqlmap (an SQL injection tool rather than a password bruteforcer as such) and its version string is 1.2.4#stable. Note that User-Agent is entirely attacker-controlled; it identifies the tool here only because this attacker left sqlmap's default in place.
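The same three answers (scan start in UTC, first tool, third tool and version) can be pulled out of a capture without Wireshark. The script below is an added example, not part of the original writeup or the challenge files: it parses a classic pcap with only the Python standard library, applies the writeup's attacker/victim filter plus a SYN-only check to find the scan start, converts a local-time display to UTC, and lists the User-Agent strings seen in attacker-to-victim HTTP requests. The pcap bytes, the request paths and the two User-Agent strings in `SAMPLE_PCAP` are constructed here for illustration; the `/nmap...` request from the real capture is not reproduced.

```python
"""Scan start time and tooling from a pcap, standard library only.
Added example; the capture below is constructed, not the challenge pcap."""
import struct
from datetime import datetime, timedelta, timezone

ATTACKER = "10.187.195.95"  # addresses from the writeup
VICTIM = "10.0.80.17"


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame. Checksums stay zero; the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(records):
    """records: list of (epoch_seconds, frame). Little-endian pcap, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return a dict per IPv4/TCP frame, in capture order."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "unexpected magic/byte order"
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack("!H", frame[16:18])[0]
        t = 14 + ihl  # start of TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        doff = (frame[t + 12] >> 4) * 4
        pkts.append({"ts": ts_sec + ts_usec / 1e6,
                     "src": ".".join(map(str, frame[26:30])),
                     "dst": ".".join(map(str, frame[30:34])),
                     "sport": sport, "dport": dport, "flags": frame[t + 13],
                     "payload": frame[t + doff:14 + ip_len]})
    return pkts


def first_syn_utc(pkts, attacker, victim):
    """UTC time of the first SYN (without ACK) from attacker to victim.
    Same as the writeup's host filter plus tcp.flags.syn==1 && tcp.flags.ack==0."""
    for p in pkts:
        if p["src"] == attacker and p["dst"] == victim and (p["flags"] & 0x12) == 0x02:
            return datetime.fromtimestamp(p["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return None


def local_to_utc(display, utc_offset_hours):
    """Convert a local-time display (PDT is UTC-7) to UTC, as Wireshark would."""
    local = datetime.strptime(display, "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def http_requests(pkts, attacker, victim):
    """(method, path, user_agent) for each HTTP request line sent attacker -> victim."""
    out = []
    for p in pkts:
        if p["src"] != attacker or p["dst"] != victim:
            continue
        lines = p["payload"].split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue
        ua = next((l.split(":", 1)[1].strip() for l in lines[1:]
                   if l.lower().startswith("user-agent:")), "")
        out.append((parts[0], parts[1], ua))
    return out


def tools_in_order(requests):
    """Distinct User-Agent strings in first-seen order: one entry per tool."""
    seen = []
    for _, _, ua in requests:
        if ua and ua not in seen:
            seen.append(ua)
    return seen


# Constructed capture: a stray SYN-ACK in the other direction, a SYN scan at
# 19:07:35 UTC, then two HTTP requests carrying tool User-Agents (assumed values).
T0 = datetime(2018, 5, 22, 19, 7, 35, tzinfo=timezone.utc).timestamp()
SAMPLE_PCAP = build_pcap([
    (T0 - 5, build_packet(VICTIM, ATTACKER, 80, 40000, 0x12)),   # wrong direction, ignored
    (T0, build_packet(ATTACKER, VICTIM, 40001, 22, 0x02)),        # first SYN of the scan
    (T0 + 0.1, build_packet(ATTACKER, VICTIM, 40002, 80, 0x02)),
    (T0 + 30, build_packet(ATTACKER, VICTIM, 40003, 80, 0x18,
        b"GET / HTTP/1.1\r\nHost: 10.0.80.17\r\n"
        b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r\n\r\n")),
    (T0 + 600, build_packet(ATTACKER, VICTIM, 40004, 80, 0x18,
        b"POST /adminlogin.php HTTP/1.1\r\nHost: 10.0.80.17\r\n"
        b"User-Agent: sqlmap/1.2.4#stable (http://sqlmap.org)\r\nContent-Length: 0\r\n\r\n")),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("scan start:", first_syn_utc(pkts, ATTACKER, VICTIM))
    print("PDT display converted:", local_to_utc("2018-05-22 12:07:35", -7))
    for tool in tools_in_order(http_requests(pkts, ATTACKER, VICTIM)):
        print("tool:", tool)
```

Swap `SAMPLE_PCAP` for `open("capture.pcap", "rb").read()` to run it on a real file; the parser only handles the classic little-endian pcap format (not pcapng) and ignores reassembly, which is fine for request headers that fit in one segment.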

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-TAMU/DriveByInc/2_Analysis.md).