Credential stuffing has been on the rise and you have seen countless stories on your cybersecurity RSS feeds of companies having to conduct public disclosures of breaches. You know it is in the best interest of your US-based company, your US-based customers, and your CISO’s job tenure (you like her leadership style) to keep them out of the headlines, so you decide to start hunting your custom API for evidence of credential stuffing.

Your mission is to analyze this custom_api_capture.pcapng file and determine if credential stuffing is occurring!

A couple of hints to start your investigation: geo-infeasibility, impossible travel, account breach/compromise
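The two hints above (geo-infeasibility and impossible travel) and the credential-stuffing pattern itself can both be turned into simple detection logic. The script below is an added example and is not part of the challenge or its solution: it runs over a constructed list of login events of the kind you would export from custom_api_capture.pcapng (for instance with tshark on the API's login endpoint) and uses a made-up GEO table as a stand-in for a real GeoIP lookup. The thresholds (ten-minute window, five distinct accounts, 50% failure rate, 900 km/h) are assumptions you would tune for your own API.

```python
"""Added example (not part of the challenge): credential-stuffing and
impossible-travel heuristics over login events extracted from a capture."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed login events: (UTC timestamp, source IP, account, success?).
# In practice these come from the capture's POST /login requests and responses.
EVENTS = [
    ("2024-03-01T10:00:00", "203.0.113.10", "alice", True),
    ("2024-03-01T10:00:01", "198.51.100.7", "alice", False),
    ("2024-03-01T10:00:02", "198.51.100.7", "bob", False),
    ("2024-03-01T10:00:03", "198.51.100.7", "carol", False),
    ("2024-03-01T10:00:04", "198.51.100.7", "dave", True),
    ("2024-03-01T10:00:05", "198.51.100.7", "erin", False),
    ("2024-03-01T10:00:06", "198.51.100.7", "frank", False),
    ("2024-03-01T10:30:00", "192.0.2.44", "alice", True),   # alice again, far away
    ("2024-03-01T11:00:00", "203.0.113.10", "bob", True),
]

# Constructed stand-in for a GeoIP database: IP -> (city, latitude, longitude).
GEO = {
    "203.0.113.10": ("New York", 40.71, -74.01),
    "198.51.100.7": ("Singapore", 1.35, 103.82),
    "192.0.2.44": ("Sydney", -33.87, 151.21),
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_rate=0.5):
    """Flag source IPs that try many distinct accounts, mostly failing, inside one
    sliding window: one client replaying a leaked username/password list."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((parse(ts), account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            accounts = {a for _, a, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and failures / len(chunk) >= min_fail_rate:
                flagged[ip] = {"accounts": len(accounts), "failures": failures, "attempts": len(chunk)}
                break
    return flagged


def detect_impossible_travel(events, geo=GEO, max_kmh=900.0):
    """Compare each account's consecutive successful logins; if the ground speed
    implied by their source locations exceeds max_kmh, the travel is infeasible."""
    by_account = defaultdict(list)
    for ts, ip, account, ok in events:
        if ok and ip in geo:
            by_account[account].append((parse(ts), ip))
    findings = []
    for account, logins in by_account.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            city1, lat1, lon1 = geo[ip1]
            city2, lat2, lon2 = geo[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                findings.append({"account": account, "from": (ip1, city1), "to": (ip2, city2),
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for ip, stats in detect_stuffing(EVENTS).items():
        print("credential stuffing from", ip, stats)
    for f in detect_impossible_travel(EVENTS):
        print("impossible travel:", f)
```

In this constructed data 198.51.100.7 walks six accounts in six seconds with five failures, which is the stuffing signature, while alice's successful logins from New York and then Sydney thirty minutes apart imply a speed of roughly 32,000 km/h. Note that the one success inside the stuffing burst (dave) is the account you would treat as compromised.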


Using only the information in the screenshot below – which of the following statements is true about this packet?

NOTE: Additional padding was manually added to the end of this packet.


What is the login and password I used?

All the clues you need will be in this trace.pcapng file and the points below:

  • The trace file includes me surfing “cnn.com” as well as accessing a local device
  • The protocol I used was HTTP but not TCP port 80
  • If you find the correct IP pair, you will see me unsuccessfully try to connect on TCP port 80
  • I then try again with the correct TCP port number
  • After connecting, I login to the device


This pcap file has been collected from a Wireless network in which the User is complaining of significantly slower performance and throughput. You are tasked with identifying the issue. Only one answer is correct.


There’s a trace. There’s trouble. But beware of smoke and mirrors. So the question is – what’s going on?


A new application server has been installed in the DMZ and the DBA is using SQL*Plus on the application server to test the connection to the Database server in the internal network. The connection seems to start OK, but then freezes. Pressing CTRL+C is also ignored and does not get the DBA back to the command prompt.

During the test, all packets to/from the Database server were captured on the application server. Have a look at the packets and pick the correct answer.


Below you can download two trace files. The clue is in the first trace file and the answer is in the second trace file.

Challenge: First open Trace #1 to find the clue to the question. After you have the clue, open Trace #2 to find the answer.

Asked by:

Mike Pennacchi
