Name: Franck GUENICHOT
Description: Network Forensics Puzzle Contest #2

Network Forensics Puzzle Contest #2
===================================

Challenge by Jonathan Ham & Sherri Davidoff
Solution by Franck GUENICHOT (franck.guenichot[at]orange[dot]fr)

Tools Used:
_ TShark 1.2.2
_ smtpdump (home-made Ruby script to extract some SMTP info from a pcap file)
_ docxtract (home-made Ruby script to extract files from a docx package)

The Challenge
=============

"""
After being released on bail, Ann Dercover disappears! Fortunately, investigators were carefully monitoring her network activity before she skipped town. “We believe Ann may have communicated with her secret lover, Mr. X, before she left,” says the police chief. “The packet capture may contain clues to her whereabouts.”

You are the forensic investigator. Your mission is to figure out what Ann emailed, where she went, and recover evidence including:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

Please use the Official Submission form to submit your answers. Prize TBD.

Here is your evidence file: http://forensicscontest.com/contest02/evidence02.pcap
MD5 (evidence02.pcap) = cfac149a49175ac8e89d5b5b5d69bad3
"""

Quick Answers:
==============

1. What is Ann’s email address?
   A: sneakyg33k@aol.com
2. What is Ann’s email password?
   A: 558r00lz
3. What is Ann’s secret lover’s email address?
   A: mistersecretx@aol.com
4. What two items did Ann tell her secret lover to bring?
   A: a fake passport and a bathing suit.
5. What is the NAME of the attachment Ann sent to her secret lover?
   A: secretrendezvous.docx
6. What is the MD5sum of the attachment Ann sent to her secret lover?
   A: 9e423e11db88f01bbff81172839e1923
7. In what CITY and COUNTRY is their rendez-vous point?
   A: Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document?
   A: aadeace50997b1ba24b09ac2ef1940b7

Detailed Answers
================

Initial Analysis
----------------

Well, first we have to verify the evidence file integrity:

franck@ODIN:~/Analysis/Sources/Puzzle_2$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3  evidence02.pcap

The file seems to be OK (if we can still trust MD5 sums...).

We know that our evidence file may contain some email communications between Ann and Mr X, but we have to find out which email protocol we are dealing with. We can use TShark's Protocol Hierarchy Statistics (PHS) to gather this information:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ tshark -r evidence02.pcap -zio,phs
**OUTPUT CUT**
===================================================================
Protocol Hierarchy Statistics
Filter: frame

frame                                    frames:572 bytes:325968
  eth                                    frames:572 bytes:325968
    ip                                   frames:542 bytes:324708
      udp                                frames:52 bytes:9937
        syslog                           frames:26 bytes:6839
        ntp                              frames:8 bytes:720
        nbdgm                            frames:4 bytes:903
          smb                            frames:4 bytes:903
            mailslot                     frames:4 bytes:903
              browser                    frames:4 bytes:903
        nbns                             frames:12 bytes:1104
        dns                              frames:2 bytes:371
      tcp                                frames:490 bytes:314771
        smtp                             frames:247 bytes:301625
          imf                            frames:2 bytes:1376
    arp                                  frames:30 bytes:1260
===================================================================
#########################################################################################################################

From the output above, we now know that we have to deal with the Simple Mail Transfer Protocol (SMTP).

To continue the investigation, I've written a small Ruby script: smtpdump.
Here is the help screen:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump
smtpdump version 0.1, Copyright (C) 2009 Franck GUENICHOT
smtpdump comes with ABSOLUTELY NO WARRANTY; This is free software, and you are welcome
to redistribute it under certain conditions. (GPL v3)

Usage: smtpdump [$options] -r
    -A, --auth          Display SMTP Auth informations (only LOGIN method)
    -e, --info          Display Email informations
    -b, --brief         Display minimum email informations
    -x, --xtract        Extract email attachments
    -m, --md5           Display extracted attachment MD5 Hash
    -s, --save          Save raw email to file
    -f, --flow-index    Filters only given index flow
    -r, --read          Read the given pcap file [REQUIRED]
    -v, --version       Display version information
    -h, --help          Display this screen
#########################################################################################################################

Basically, this tool filters a pcap file and extracts some useful information about SMTP conversations. smtpdump uses what I've called 'a flow'. A flow in smtpdump is a unidirectional data stream sent by a client to a server. smtpdump filters only flows with a destination TCP port of 25 (smtp) or 587 (submission).

Here's the first output using smtpdump with our evidence pcap file:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump -r evidence02.pcap
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
[2] 192.168.1.159:1038 => 64.12.102.142:587
#########################################################################################################################

OK, we can see two conversations from a client (192.168.1.159) to a server (64.12.102.142) on the submission port (587).

Let's try to get more info. What about answering questions 1 & 2?
To find the answer, we have to extract the SMTP authentication info. smtpdump can do the job for us (but for now, unfortunately, it is only able to dump AUTH LOGIN method credentials). You can use the -a option to display the SMTP authentication info for all the flows:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump -r evidence02.pcap -a
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
=== Authentication infos ===
Found LOGIN method
Username: sneakyg33k@aol.com
Password: 558r00lz
[2] 192.168.1.159:1038 => 64.12.102.142:587
=== Authentication infos ===
Found LOGIN method
Username: sneakyg33k@aol.com
Password: 558r00lz
#########################################################################################################################

So, Ann's email address (and the username of her email account) is: sneakyg33k@aol.com, and her password is: 558r00lz

Next, we want to know Ann's secret lover's email address and what two items Ann told her secret lover to bring. We definitely have to extract the email data (the SMTP DATA) from the flow; we can use the -e and -b options together to display some useful information about the sent emails:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump -r evidence02.pcap -e -b
=== SMTP flows ===
[1] 192.168.1.159:1036 => 64.12.102.142:587
=== Email infos ===
Mail From Ann Dercover to sec558@gmail.com
Subject: lunch next week
[2] 192.168.1.159:1038 => 64.12.102.142:587
=== Email infos ===
Mail From Ann Dercover to mistersecretx@aol.com
Subject: rendezvous
#########################################################################################################################

Two flows, two emails... Flow 2 seems to be a good candidate, if we look at the subject.
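Coming back to the authentication step above: the AUTH LOGIN recovery that smtpdump performs is just a base64 decode of two client lines. The following Ruby is an added example written for this write-up, not the author's smtpdump code; it runs on a constructed client-to-server flow, and the host name, account and password in it are made up.

```ruby
# Added example (not the author's smtpdump): decode the credentials of an
# SMTP AUTH LOGIN exchange from the client side of a TCP stream, i.e. the
# unidirectional "flow" smtpdump works on. AUTH LOGIN only base64-encodes
# the username and password, so a capture of a session that was not wrapped
# in STARTTLS exposes them in the clear, which is what makes this recovery work.

# Constructed client stream; the account and password are made-up values.
SAMPLE_FLOW = [
  "EHLO annlaptop",
  "AUTH LOGIN",
  ["user@example.com"].pack("m0"),   # base64 username (server prompted "Username:")
  ["p4ssw0rd"].pack("m0"),           # base64 password (server prompted "Password:")
  "MAIL FROM:<user@example.com>",
  "RCPT TO:<someone@example.net>",
  "DATA",
].join("\r\n") + "\r\n"

# Returns {username:, password:} for the first AUTH LOGIN in the flow, or
# nil when the flow does not use AUTH LOGIN. Handles both the two-step form
# and the variant where the base64 username rides on the AUTH LOGIN line.
def extract_auth_login(flow)
  lines = flow.split(/\r?\n/)
  lines.each_with_index do |line, i|
    m = line.match(/\AAUTH\s+LOGIN(?:\s+(\S+))?\s*\z/i)
    next unless m
    user_b64, pass_b64 = m[1] ? [m[1], lines[i + 1]] : [lines[i + 1], lines[i + 2]]
    return nil if user_b64.nil? || pass_b64.nil?
    # unpack1("m") is a lenient base64 decode from the Ruby core library
    return { username: user_b64.unpack1("m"), password: pass_b64.unpack1("m") }
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  creds = extract_auth_login(SAMPLE_FLOW)
  puts "Found LOGIN method"
  puts "Username: #{creds[:username]}"
  puts "Password: #{creds[:password]}"
end
```

An AUTH LOGIN seen outside a STARTTLS-protected session in a capture is exactly the condition that makes this recovery possible, which is why submission traffic should be TLS-only.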
So, Ann's secret lover's email address is surely: mistersecretx@aol.com

Let's display the content of flow #2 with the -f option of smtpdump: -f filters only flow #2, and removing the -b option from the command line tells smtpdump to display the email content too:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump -r evidence02.pcap -e -f 2
[2] 192.168.1.159:1038 => 64.12.102.142:587
=== Email infos ===
Mail From Ann Dercover to mistersecretx@aol.com
Subject: rendezvous
Content:
Hi sweetheart! Bring your fake passport and a bathing suit. Address attached.

love,
Ann
Attachment: secretrendezvous.docx
#########################################################################################################################

OK, we can easily answer question #4 just by reading the content of the email: the guy has to bring his fake passport and a bathing suit. We can also answer #5 by reading the attachment name: secretrendezvous.docx

Now we have to extract the attachment to be able to answer #6. Again, smtpdump has interesting options for us: -x (to extract the attachment) and -m (to display the MD5 sum of the extracted file). Let's do it:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./smtpdump -r evidence02.pcap -f 2 -x -m
[2] 192.168.1.159:1038 => 64.12.102.142:587
=== Attachments infos ===
Type: multipart/alternative
Type: application/octet-stream
Saving file to disk: secretrendezvous.docx
File: secretrendezvous.docx (MD5: 0x9e423e11db88f01bbff81172839e1923)
#########################################################################################################################

The file is now extracted from the email's data and saved (in a local subdirectory) to a file named like the original attachment. The -m option was used, so we can read the answer to question #6 on screen: the MD5 sum of the attachment is 9e423e11db88f01bbff81172839e1923.

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ls -lh secretrendezvous.docx
-rw-r--r-- 1 franck franck 203K 2009-11-01 02:16 secretrendezvous.docx
#########################################################################################################################

It's a docx file; we can try to open it in OpenOffice to read its content:

"Meet me at the fountain near the rendezvous point. Address below. I’m bringing all the cash."
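The -x / -m step above (locate the base64 part that carries a filename in the SMTP DATA, decode it, hash it) in Ruby, as an added example that is not the author's smtpdump code. The MIME message and the attachment bytes below are constructed, so the hash it prints is not the hash of the real secretrendezvous.docx.

```ruby
# Added example (not the author's smtpdump): pull a base64 attachment out of
# the SMTP DATA section of a message and hash it, as the -x / -m step does.
require 'digest/md5'

# Constructed attachment bytes and MIME message; not the real secretrendezvous.docx.
ATTACHMENT_BYTES = "PK\x03\x04constructed-docx-payload".b
SAMPLE_MESSAGE = <<~MSG.gsub("\n", "\r\n")
  From: Ann Dercover <ann@example.com>
  To: lover@example.net
  Subject: rendezvous
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary="XYZ"

  --XYZ
  Content-Type: text/plain; charset="us-ascii"

  Hi, address attached.
  --XYZ
  Content-Type: application/octet-stream; name="example.docx"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="example.docx"

  #{[ATTACHMENT_BYTES].pack("m0")}
  --XYZ--
MSG

# Splits the body on the MIME boundary and returns {name:, size:, md5:} for
# every base64-encoded part that carries a filename; text parts are skipped.
def extract_attachments(message)
  headers, body = message.split(/\r?\n\r?\n/, 2)
  boundary = headers[/boundary="?([^";\r\n]+)"?/i, 1]
  return [] unless boundary && body
  parts = body.split(/^--#{Regexp.escape(boundary)}(?:--)?[ \t]*\r?$/)
  parts.filter_map do |part|
    part_headers, part_body = part.sub(/\A\r?\n/, "").split(/\r?\n\r?\n/, 2)
    next unless part_headers && part_body
    name = part_headers[/filename="?([^";\r\n]+)"?/i, 1] ||
           part_headers[/\bname="?([^";\r\n]+)"?/i, 1]
    next unless name && part_headers =~ /Content-Transfer-Encoding:\s*base64/i
    data = part_body.unpack1("m")          # lenient base64 decode of the part body
    { name: name, size: data.bytesize, md5: Digest::MD5.hexdigest(data) }
  end
end

if __FILE__ == $PROGRAM_NAME
  extract_attachments(SAMPLE_MESSAGE).each do |a|
    puts "File: #{a[:name]} (#{a[:size]} bytes, MD5: #{a[:md5]})"
  end
end
```

Hashing the decoded bytes rather than the saved file avoids any doubt about whether a CRLF/LF conversion on the way to disk changed the MD5.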
and an image copied from Google Maps showing a rendezvous point in the city of Playa del Carmen, in the country of Mexico.

Finally, to answer the last question, I've written a small script, docxtract, able to extract files from a docx package and to display the MD5 sum of the extracted files. Here's the help screen:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./docxtract
docxtract version 0.1 Copyright (C) 2009 Franck GUENICHOT
docxtract comes with ABSOLUTELY NO WARRANTY; This is free software, and you are welcome
to redistribute it under certain conditions. (GPL v3)

Usage: docxtract -x [-i] [-d ]
    -x, --xtract        xtract files (by default to current dir)
    -i, --img_only      (extract) images only
    -m, --md5           Display extracted file MD5 Hash
    -d, --destdir DIR   define destination DIR
    -h, --help          Display this screen
#########################################################################################################################

With the -i option, docxtract extracts only the images stored in the word/media directory of the package. Let's use it:

#########################################################################################################################
franck@ODIN:~/Analysis/Sources/Puzzle_2$ ./docxtract -x -i -m secretrendezvous.docx
Extracting: image1.png (194124 bytes) MD5: aadeace50997b1ba24b09ac2ef1940b7
#########################################################################################################################

So the final answer is aadeace50997b1ba24b09ac2ef1940b7

Again, Ann is caught!

Conclusion
==========

Again this challenge was very entertaining, and I hope there will be a #3!!!

Thanks to Jonathan Ham & Sherri Davidoff for their Network Forensics Puzzle Contest #2.
:-)

References:
===========

TShark: http://www.wireshark.org/docs/man-pages/tshark.html
SMTP authentication tutorial: http://www.fehcom.de/qmail/smtpauth.html
Ruby doc: http://www.ruby-doc.org/ruby-1.9/index.html
Tmail: http://tmail.rubyforge.org/rdoc/index.html