This challenge takes you into the world of voice communications on the internet. VoIP is becoming the de facto standard for voice communication. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems and use them for nefarious activities. This challenge was designed to examine and explore some of the attributes of the SIP and RTP protocols.
Challenge Files:
- "log.txt" was generated from an unadvertised, passive honeypot located on the internet such that any traffic destined to it must be nefarious. Unknown parties scanned the honeypot with a range of tools, and this activity is represented in the log file.
- The IP address of the honeypot has been changed to "honey.pot.IP.removed". In terms of geolocation, pick your favorite city.
- The MD5 hash in the authorization digest has been replaced with "MD5_hash_removedXXXXXXXXXXXXXXXX".
- Some octets of external IP addresses have been replaced with an "X".
- Several trailing digits of phone numbers have been replaced with an "X".
- Assume the timestamps in the log files are UTC.
- "Voip-trace.pcap" was created by honeynet members for this forensic challenge to allow participants to employ network analysis skills in the VoIP context.
# | Question | Weight | Solved
---|---|---|---
1 | What is the transport protocol being used? | 50 | 36
2 | The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite. | 100 | 28
3 | What is the User-Agent of the victim system? | 100 | 25
4 | Which tool was only used against the following extensions: 100, 101, 102, 103, and 111? | 150 | 20
5 | Which extension on the honeypot does NOT require authentication? | 150 | 21
6 | How many extensions were scanned in total? | 150 | 18
7 | There is a trace for a real SIP client. What is the corresponding User-Agent? | 150 | 20
8 | Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101. | 150 | 19
9 | What are the default credentials used in the attempted basic authentication? (format is username:password) | 150 | 24
10 | Other than SIP, what are the other two UDP protocols present in the trace? | 200 | 24
11 | Which codec does the RTP stream use? | 200 | 24
12 | How long is the sampling time (in milliseconds)? | 200 | 15
13 | What was the password for the account with username 555? | 200 | 19
14 | Which RTP packet header field can be used to reorder out-of-sync RTP packets into the correct sequence? | 250 | 19
15 | The trace includes a secret hidden message. Can you hear it? | 300 | 20