ESU's IT staff noticed some peculiar traffic from DEADFACE at the beginning of the attack. They sent a series of handshakes - the IT staff is stumped as to what DEADFACE was trying to do.
What type of scan did DEADFACE launch first?
Submit the flag as
Upon opening the provided PCAP in Wireshark the overwhelming number of SYN packets, in a very short amount of time, is hard to miss:
Additionally, we know from the earlier Toolbox challenge that Nmap was used to scan the server. Nmap's default scan mode is TCP SYN a.k.a "Stealth Scan", which sends a SYN packet to all the ports to be scanned, as if looking to establish 3-way handshakes (SYN, ACK, SYN-ACK), but sends a RST packet if/when the target replies with an ACK. This specific behavior can be seen in stream 37; here the target server replied with an ACK for port 80 and Nmap responded with a RST instead of a SYN-ACK:
The accepted flag was: