Network Forensics Contest - Part II Answers
I'm talking about ForensicsContest.com - a site to help educate the masses and keep security teams sharp.
If you haven't done packet capture analysis in a while, I suggest you visit the site and start from the beginning.
Linux Walkthru:
1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?
First things first, verify the MD5SUM of the evidence file:
$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap
Next, view the packet capture with tcpdump and grab the email authentication exchange:
tcpdump -Alnqvvvs0 -r evidence02.pcap port 587 |less
.....
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
06:35:31.222415 IP (tos 0x0, ttl 128, id 126, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.159.1036 > 64.12.102.142.587: tcp 12
E..4.~@....d....@.f....K....&6.3P.......AUTH LOGIN
06:35:31.222996 IP (tos 0x0, ttl 127, id 7762, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.R......@.f......K..&6.3....P...x...
06:35:31.332979 IP (tos 0x0, ttl 127, id 7763, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.S......@.f......K..&6.3....P....J..334 VXNlcm5hbWU6
06:35:31.333745 IP (tos 0x0, ttl 128, id 127, offset 0, flags [DF], proto TCP (6), length 66) 192.168.1.159.1036 > 64.12.102.142.587: tcp 26
E..B..@....U....@.f....K....&6.EP...O...c25lYWt5ZzMza0Bhb2wuY29t
06:35:31.334435 IP (tos 0x0, ttl 127, id 7764, offset 0, flags [none], proto TCP (6), length 40) 64.12.102.142.587 > 192.168.1.159.1036: tcp 0
E..(.T......@.f......K..&6.E....P...x...
06:35:31.444079 IP (tos 0x0, ttl 127, id 7765, offset 0, flags [none], proto TCP (6), length 58) 64.12.102.142.587 > 192.168.1.159.1036: tcp 18
E..:.U......@.f......K..&6.E....P....6..334 UGFzc3dvcmQ6
06:35:31.444690 IP (tos 0x0, ttl 128, id 128, offset 0, flags [DF], proto TCP (6), length 54) 192.168.1.159.1036 > 64.12.102.142.587: tcp 14
E..6..@....`....@.f....K....&6.WP...S
..NTU4cjAwbHo=
Pay special attention to the 334 status code:
334 VXNlcm5hbWU6 => Username:
334 UGFzc3dvcmQ6 => Password:
Immediately following each 334 status code is another base64 encoded string:
c25lYWt5ZzMza0Bhb2wuY29t => sneakyg33k@aol.com
NTU4cjAwbHo= => 558r00lz
As you can see, you have the first two answers - this isn't going to be too hard. (Yes, I know about tools like ettercap, mailsnarf and dsniff that will extract this data off the wire - let's pretend we don't know about them.)
Looking at the packet capture you'll see an email to sec558@gmail.com, but read carefully, the question is: What is Ann’s secret lover’s email address? The email to sec558 doesn't appear to be loving:
Sorry-- I can't do lunch next week after all. Heading out of town. Another time! -Ann.
A little further into the packet we see another email, this time to mistersecretx@aol.com:
Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann.
With an attachment:
Content-Transfer-Encoding: base64.
Content-Disposition: attachment;.
filename="secretrendezvous.docx"
Using Wireshark, run Follow TCP Stream on this packet and extract the base64-encoded attachment.
I used openssl to decode the base64 content like so:
$ openssl base64 -d -in email-attachment.b64 -out secretrendezvous.docx
DOCX files are also PKZIP archives, as the "file" command shows:
$ md5sum secretrendezvous.docx; file secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 secretrendezvous.docx
secretrendezvous.docx: Zip archive data, at least v2.0 to extract
By unzipping the file, you can extract image1.png:
$ md5sum image1.png; file image1.png
aadeace50997b1ba24b09ac2ef1940b7 image1.png
image1.png: PNG image, 756 x 439, 8-bit/color RGB, non-interlaced
Which gives you the last two answers.
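As an added example (not part of the original post), the same steps scripted in Python over a constructed, reassembled SMTP stream that reuses the base64 strings quoted above: decoding the AUTH LOGIN challenge/response pairs, carving the base64 MIME attachment, hashing it, and listing and hashing the zip members of the .docx. The 235 line, MIME boundary and the zip fixture are constructed for the example, not the contest data.

```python
import base64
import hashlib
import io
import zipfile

# Constructed fixture, NOT the contest file: a minimal zip (which is what a
# .docx is) holding a fake "image", so the extraction path can be exercised.
IMAGE_BYTES = b"\x89PNG\r\n\x1a\nnot-a-real-image"

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/media/image1.png", IMAGE_BYTES)
    return buf.getvalue()

SAMPLE_DOCX = build_sample_docx()

# Constructed reassembled SMTP stream: the 334 challenges and the two client
# replies are the base64 strings quoted above; the rest is made up here.
SMTP_STREAM = (
    "AUTH LOGIN\r\n334 VXNlcm5hbWU6\r\nc25lYWt5ZzMza0Bhb2wuY29t\r\n"
    "334 UGFzc3dvcmQ6\r\nNTU4cjAwbHo=\r\n235 Authentication successful\r\n"
    "DATA\r\n--boundary42\r\nContent-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment;\r\n filename="secretrendezvous.docx"\r\n'
    "\r\n" + base64.encodebytes(SAMPLE_DOCX).decode() + "--boundary42--\r\n"
)

def decode_auth_login(stream: str) -> dict:
    """Pair each '334 <b64>' server challenge with the client line after it,
    base64-decoding both: {'Username:': 'sneakyg33k@aol.com', 'Password:': ...}."""
    lines = stream.splitlines()
    creds = {}
    for i, line in enumerate(lines[:-1]):
        if line.startswith("334 "):
            prompt = base64.b64decode(line[4:]).decode()
            creds[prompt] = base64.b64decode(lines[i + 1]).decode()
    return creds

def extract_attachment(stream: str) -> tuple:
    """Return (filename, md5 of the decoded file, {zip member: md5}). The base64
    body runs from the blank line ending the MIME headers to the next '--' line."""
    lines = stream.splitlines()
    start = next(i for i, l in enumerate(lines) if 'filename="' in l)
    name = lines[start].split('"')[1]
    rest = lines[start + lines[start:].index("") + 1:]   # skip folded headers + blank
    end = next((i for i, l in enumerate(rest) if l.startswith("--")), len(rest))
    data = base64.b64decode("".join(rest[:end]))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = {n: hashlib.md5(zf.read(n)).hexdigest() for n in zf.namelist()}
    return name, hashlib.md5(data).hexdigest(), members
```

Point it at the text of a Follow TCP Stream export instead of SMTP_STREAM to reproduce the walkthrough against the real capture.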

Total time from download to completion, including screenshotting all of my work, took less than 15 minutes.
I would have had enough time to meet Ann at the airport, steal her identity and enjoy my trip to Mexico! :)
Labels: base64, Forensics Contest, PCAPs
