Network Forensics Puzzle Contest submition
Alan Tu
August 15, 2009
Executive Summary
On 13 August, at 05:58, Ann Dercover transmitted the secret recipe to an unauthorized user with AOL screen name Sec558user1.
Details
Evidence was extracted from authorized network monitoring of Ann's computer, IP address 192.168.1.158. At 05:57 on 13 August, Ann engaged in an illicit conversation with another user with AOL screen name Sec558user1. The transcript follows:
2009-08-13 05:57:37 Ann: Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
2009-08-13 05:58:12 Sec558user1: thanks dude
2009-08-13 05:58:26 Sec558user1: can't wait to sell it on ebay
2009-08-13 05:58:33 Ann: see you in hawaii!
At 05:58:04, Ann sent the secret recipe directly to Sec558user1's computer, which was connected to Anarchy-R-Us's local network with IP address 192.168.1.159.
File name: recipe.docx
File size: 12,008 bytes
File MD5 hash: 8350582774e1d4dbe1d61d64c89e0ea1
The contents of the file are:
Recipe for Disaster:
1 serving
Ingredients
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
Appendix: Technical Steps
Note: Wireshark/Tshark version 1.2.0 was used for this exercise.
1. Download the PCAP from http://jhamcorp.com/contest_01/evidence.pcap.
2. MD5 hash.
md5sum evidence.pcap
Evidence MD5 hash: d187d77e18c84f6d72f5845edca833f5 *evidence.pcap
3. We note that starting in frame 23, the suspect's computer 192.168.1.158 is exchanging data with an AOL server. The IM traffic is likely AOL.
4. Dump the XML while telling tshark to decode the packets as AIM traffic.
tshark -r evidence.pcap -R "tcp.port == 51128" -d tcp.port==443,aim -T pdml > aim.pdml
Evidence MD5 hash: 521ac14e6fdb7fd6698f418616ba970e *aim.pdml
5. By inspection of the parsed XML, we note that Ann's conversation partner has the AOL screen name "Sec558user1".
6. We write contest1.pl to extract Ann's conversation.
Contest1.pl MD5 hash: d7135be33f1074a2e0ddb62c02e37ff2
contest1.pl > transcript.txt
Evidence MD5 hash: b031f54da95457e8e7b13ad2268d0779
Results:
25 Aug 13, 2009 05:57:37.066461000 192.168.1.158:51128 > 64.12.24.50:443
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
167 Aug 13, 2009 05:58:12.730162000 64.12.24.50:443 > 192.168.1.158:51128
thanks dude
184 Aug 13, 2009 05:58:26.641088000 64.12.24.50:443 > 192.168.1.158:51128
can't wait to sell it on ebay
212 Aug 13, 2009 05:58:33.968361000 192.168.1.158:51128 > 64.12.24.50:443
see you in hawaii!
7. We note that starting at frame 30, IP 192.168.1.159 is talking with another AOL server on port 443. This appears to be encrypted traffic ([17 03 01] is TLS 1.0 data, according to RFC 2246.) Nothing we can do about that.
8. We note a data transfer when 192.168.1.159 connected to the suspect's computer 192.168.1.158 on port 5190.
9. We note the following from the PDML file
This confirms the session to 192.168.1.158 port 5190 could be a file transfer.
10. The TCP payload of frame 112 begins with "OFT2." By a Google search, we find that "OFT2" refers to Oscar File Transfer protocol, v2. Oscar is the AIM application protocol.
11. By additional Google searching we locate a description of the OFT protocol here:
http://www.cs.cmu.edu/~jhclark/aim/On%20Sending%20Files%20via%20OSCAR.odt
12. We manually inspect packet 112, payload length of 256, which reveals the following information:
OFT2 header length 256 bytes [01 00]
no encryption or compression to be used
1 file to be transferred
File size 12008 bytes [2e e8]
Filename: recipe.docx
13. We write contest2.pl to extract the file.
Contest2.pl MD5 hash: 9e263df3210e85705881139bfd1ae5d7
contest2.pl > recipe.docx
File length: 12008 bytes
MD5 hash: 8350582774e1d4dbe1d61d64c89e0ea1
14. The first four bytes of recipe.docx is 50 4b 03 04. The components of this Microsoft Office 2007 document can be manually extracted as a ZIP file. The raw document contents can be found in word/document.xml.
15. The contents of the recipe:
Recipe for Disaster:
1 serving
Ingredients
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar.
Stir gently over low heat until sugar is fully dissolved.
Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.
#! perl -w
# Network Forensics Puzzle Contest
# Alan Tu
# August 15, 2009
use strict;
my $TSHARK = 'c:\progra~1\wireshark\tshark.exe'; # define tshark executable
die "tshark not found\n" unless -f $TSHARK;
# decode AIM session and output desired fields
my @results = `$TSHARK -r evidence.pcap -R \"tcp.port == 51128\" -d tcp.port==443,aim -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e aim.messageblock.message`;
# for each packet
for my $packet (@results)
{
chomp $packet;
my @fields = split("\t", $packet);
next unless $fields[6]; # message must not be null
printf("%d %s %s:%s > %s:%s\n%s\n\n", @fields);
}
#! perl -w
# Network Forensics Puzzle Contest
# Alan Tu
# August 15, 2009
use strict;
use Digest::MD5;
my $TSHARK = 'c:\progra~1\wireshark\tshark.exe'; # define tshark executable
die "tshark not found\n" unless -f $TSHARK;
# decode session with file transfer payload
my @results = `$TSHARK -r evidence.pcap -R "tcp.len > 0 and tcp.srcport == 5190" -T fields -e tcp.seq -e tcp.len -e data.data`;
# we need to track TCP sequence numbers
# This is error _detection_, not real TCP reassembly.
my($base_seq, undef, undef) = split("\t", $results[0]);
my $expected_seq = $base_seq;
my $file = "";
# for each packet
for my $packet (@results)
{
chomp $packet;
my($seq, $tcp_len, $data) = split("\t", $packet);
die "Out of order packet. Manual intervention required!\n" if $seq != $expected_seq;
$data =~ s/://g; # remove the colons separating the bytes
$file .= pack("H*", $data); # build the file
$expected_seq += $tcp_len;
}
$file = substr($file, 256); # strip the Oscar File Transfer protocol header
printf(STDERR "File length: %d bytes\n", length($file));
printf(STDERR "MD5 hash: %s\n", Digest::MD5::md5_hex($file));
binmode(STDOUT);
print $file;