This challenge takes you into the world of voice communications on the internet. VoIP is becoming the de facto standard for voice communication. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems and use them for nefarious activities. This challenge was designed to examine and explore some of the attributes of the SIP and RTP protocols.
Challenge Files:

  • "log.txt" was generated from an unadvertised, passive honeypot located on the internet, such that any traffic destined to it must be nefarious. Unknown parties scanned the honeypot with a range of tools, and this activity is represented in the log file.
    • The IP address of the honeypot has been changed to "honey.pot.IP.removed". In terms of geolocation, pick your favorite city.
    • The MD5 hash in the authorization digest is replaced with "MD5_hash_removedXXXXXXXXXXXXXXXX".
    • Some octets of external IP addresses have been replaced with an "X".
    • Several trailing digits of phone numbers have been replaced with an "X".
    • Assume the timestamps in the log files are UTC.
  • "Voip-trace.pcap" was created by honeynet members for this forensic challenge to allow participants to employ network analysis skills in the VoIP context.
Questions:

#   Weight  Solved  Question
1   50      36      What is the transport protocol being used?
2   100     28      The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite.
3   100     25      What is the User-Agent of the victim system?
4   150     20      Which tool was only used against the following extensions: 100, 101, 102, 103, and 111?
5   150     21      Which extension on the honeypot does NOT require authentication?
6   150     18      How many extensions were scanned in total?
7   150     20      There is a trace for a real SIP client. What is the corresponding user-agent?
8   150     19      Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101.
9   150     24      What are the default credentials used in the attempted basic authentication? (format is username:password)
10  200     24      Other than SIP, what are the other two UDP protocols present in the trace?
11  200     24      Which codec does the RTP stream use?
12  200     15      How long is the sampling time (in milliseconds)?
13  200     19      What was the password for the account with username 555?
14  250     19      Which RTP packet header field can be used to reorder out of sync RTP packets in the correct sequence?
15  300     20      The trace includes a secret hidden message. Can you hear it?
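Questions 11, 12 and 14 all come down to reading the fixed RTP header (RFC 3550). The following is an added example, not part of the challenge materials, that parses that header, restores packet order from the sequence number (including the 65535 to 0 wrap) and derives the codec name and the audio time per packet from the payload type and timestamp step; the packets, SSRC and payload bytes are constructed for the demonstration.

```python
import struct

# Static payload types (RFC 3551): number -> (codec name, clock rate in Hz).
PAYLOAD_TYPES = {0: ("PCMU", 8000), 8: ("PCMA", 8000), 9: ("G722", 8000), 18: ("G729", 8000)}

def parse_rtp(packet):
    """Parse the fixed 12-byte RTP header (RFC 3550). CSRC entries are skipped;
    header extensions (X bit) are not handled by this small example."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": packet[12 + 4 * csrc_count:]}

def reorder(packets):
    """Restore send order with the 16-bit sequence number. If the burst straddles
    the 65535 -> 0 wrap, the low numbers are lifted by 65536 so they sort after it."""
    seqs = [p["seq"] for p in packets]
    wraps = max(seqs) - min(seqs) > 0x8000
    return sorted(packets, key=lambda p: p["seq"] + (0x10000 if wraps and p["seq"] < 0x8000 else 0))

def codec_name(packet):
    """Map the 7-bit payload type to a codec name; dynamic types need the SDP offer."""
    return PAYLOAD_TYPES.get(packet["payload_type"], ("unknown/dynamic", None))[0]

def sampling_time_ms(ordered):
    """Audio carried per packet: timestamp step between consecutive packets over the clock rate."""
    clock = PAYLOAD_TYPES[ordered[0]["payload_type"]][1]
    delta = (ordered[1]["timestamp"] - ordered[0]["timestamp"]) & 0xFFFFFFFF
    return delta * 1000 / clock

def build_rtp(seq, ts, pt=0, ssrc=0x1234ABCD, payload=b"\xff" * 160):
    """Constructed sample packet: V=2, no padding, no extension, no CSRC list."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed capture: four PCMU packets of 160 samples each, received out of order.
CAPTURE = [build_rtp(s, t) for s, t in [(10, 1600), (12, 1920), (11, 1760), (13, 2080)]]

if __name__ == "__main__":
    ordered = reorder([parse_rtp(p) for p in CAPTURE])
    print("order:", [p["seq"] for p in ordered])              # [10, 11, 12, 13]
    print("codec:", codec_name(ordered[0]))                   # PCMU
    print("sampling time:", sampling_time_ms(ordered), "ms")  # 20.0
```

On a real capture the same functions apply to the UDP payload of each RTP packet once the stream has been identified by SSRC; a dynamic payload type (96 and above) must be resolved through the SDP in the SIP INVITE rather than the static table.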