Using Wireshark, open the PacketCapture.log file (a packet trace of a network security incident) and analyze the traffic to answer the following questions. 

On September 16th a Redhat Linux 6.2 honeypot was compromised. The compromised system has an IP of 192.168.1.102. After successfully breaking into the box, the attacker ended up using 3 modes of connecting and running commands (some of this activity is encrypted).

 

1. The intruder used FTP as part of their activities.                                                                  a)Which vulnerability did the intruder exploit (i.e. other than just saying "FTP")?         b)What packet number begins the FTP attack on the SITE?                                         c)Which packet number indicates the FTP attack succeeded?
2. Name a few of the commands (or actions) the intruder ran on the system.
3. The intruder downloaded 3 rootkits, what were they called?
   Can ZERO or ZER0 be one of THREE?
4. The intruder used SSH as part of their activities.                                                               a)What port was the SSH daemon installed on? LESS THAN FORTY                                          b)What SSH client did the hacker use? What operating system?
5. What does the rootkit do to hide the presence of the attacker on the system?
6. Recover (tell how you did it too) the rootkits from the snort binary capture.

please use this link to download the PacketCapture.log file:- https://ufile.io/voa5dg24