Can you determine evidence of port scan activity?

**https://app.letsdefend.io/challenge/port-scan-activity**


1- What is the IP address scanning the environment?

10.42.42.253


We observe multiple SYN packets originating from 10.42.42.253 and targeting the same ports across different IP addresses. This pattern is characteristic of a TCP port scan.

This confirms that 10.42.42.253 is actively scanning the environment for open services.

2- What is the IP address found as a result of the scan?

10.42.42.50


To identify which host responded to the attacker’s scan, I applied the following Wireshark filter:

```
ip.dst == 10.42.42.253 && tcp.flags.syn == 1 && tcp.flags.ack == 1
```

This filter captures packets sent back to the attacker (10.42.42.253) where the flags contain both SYN and ACK. A SYN+ACK response is the standard reply from a host when the scanned port is open.

From the results, 10.42.42.50 responded
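
The two steps above, expressed as detection logic over packet records (an added example, not part of the original write-up). The packet list is constructed: only 10.42.42.253 and 10.42.42.50 come from the challenge; the other hosts, the ports and the `min_targets` threshold are assumptions.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

SCANNER = "10.42.42.253"
# Constructed sample records: (src_ip, dst_ip, src_port, dst_port, tcp_flags)
PACKETS = [(SCANNER, host, 40000, port, SYN)
           for host in ("10.42.42.25", "10.42.42.50", "10.42.42.56")
           for port in (135, 139)]
PACKETS += [
    ("10.42.42.50", SCANNER, 135, 40000, SYN | ACK),     # open port answers SYN+ACK
    ("10.42.42.50", SCANNER, 139, 40000, SYN | ACK),
    ("10.42.42.56", SCANNER, 135, 40000, RST | ACK),     # closed port answers RST+ACK
    ("10.42.42.56", SCANNER, 139, 40000, RST | ACK),
    ("10.42.42.25", "10.42.42.50", 51000, 80, SYN),      # ordinary single connection
    ("10.42.42.50", "10.42.42.25", 80, 51000, SYN | ACK),
]

def find_scanners(packets, min_targets=3):
    """Sources sending bare SYNs (SYN set, ACK clear) to many distinct (host, port) pairs."""
    probes = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            probes[src].add((dst, dport))
    return {src: t for src, t in probes.items() if len(t) >= min_targets}

def open_ports(packets, scanner):
    """Equivalent of: ip.dst == scanner && tcp.flags.syn == 1 && tcp.flags.ack == 1,
    restricted to (host, port) pairs the scanner actually probed."""
    probed = {(dst, dport) for src, dst, _sp, dport, flags in packets
              if src == scanner and flags & SYN and not flags & ACK}
    found = defaultdict(set)
    for src, dst, sport, _dport, flags in packets:
        # RST+ACK also has ACK set, so both SYN and ACK must be checked
        if dst == scanner and flags & SYN and flags & ACK and (src, sport) in probed:
            found[src].add(sport)
    return dict(found)

if __name__ == "__main__":
    for src, targets in find_scanners(PACKETS).items():
        print(f"scanner {src}: {len(targets)} distinct host/port probes")
        for host, ports in open_ports(PACKETS, src).items():
            print(f"  responded with SYN+ACK: {host} ports {sorted(ports)}")
```
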