Name: Tom Samstag

After downloading the evidence PCAP file, I checked it out in tshark to see what I was dealing with:

    # tshark -nr evidence02.pcap | less

I knew from the description that I was looking for email sent by Ann, and by searching the tshark output for SYN packets, I could see that there were two TCP streams going to an SMTP server running on the submission port, 587.

I started to write up a perl script to reassemble the streams using Net::Pcap when I realized that I was reinventing the wheel and that libnids already took care of reassembling TCP streams. Furthermore, dsniff and its associated tools would allow me to get all the info I needed from the PCAP file. Dsniff and its associated tools appear to have been abandoned by their original author, but there is a series of patches from Debian that seem to be applied by most distros before installing. These patches allow, among other features, reading from a PCAP file instead of listening for packets on a network interface. I will assume that any user of dsniff will have these patches applied.

The plan was to run the pcap file through dsniff to automate the search for Ann's email address and to de-base64 her password. Then, use mailsnarf, which comes in the dsniff package, to extract the emails into an mbox file for further analysis. Unfortunately, I found out that neither of these programs would work as-is for me. Due to limitations and bugs, neither program worked on the given PCAP file. So I went on a bit of a side-mission to fix the otherwise great programs and fired up GDB.

First came dsniff. After stepping through the code, it appeared that the SMTP authentication handling code in decode_smtp.c was expecting the password sequence to be given in a different format than the data file. All of the RFCs I could find, though, said that the data file was correct in its protocol, so I am unsure where the dsniff authors saw it done differently.
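To make the format question concrete, here is an added example (my own code, not dsniff's decode_smtp.c or anything from the write-up) that walks a reassembled SMTP submission session the way the RFCs lay it out: AUTH LOGIN as two 334 prompts answered by base64 username then base64 password, plus AUTH PLAIN as a single blob. The session below is constructed, using the two base64 values the dsniff output shows; the hostname and EHLO name are assumptions.

```python
import base64
import re

# Constructed SMTP submission dialogue as a tool sees it after TCP
# reassembly; "C" is the client, "S" the server. The two base64 client
# replies are the ones the write-up's dsniff output shows.
SAMPLE_SESSION = [
    ("C", "EHLO annlaptop"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),          # base64 "Username:"
    ("C", "c25lYWt5ZzMza0Bhb2wuY29t"),
    ("S", "334 UGFzc3dvcmQ6"),          # base64 "Password:"
    ("C", "NTU4cjAwbHo="),
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<sneakyg33k@aol.com>"),
]

def b64(text):
    """Decode one base64 line, or return None if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:                  # binascii.Error is a ValueError
        return None

def plain(blob):
    """AUTH PLAIN packs authzid NUL authcid NUL password into one blob."""
    parts = (b64(blob) or "").split("\0")
    return ("PLAIN", parts[1], parts[2]) if len(parts) == 3 else None

def extract_smtp_auth(session):
    """Return [(mechanism, username, password)] for each AUTH in a session.
    LOGIN: server prompts twice with 334, client answers with a base64 username,
    then a base64 password. PLAIN: one blob, either inline with the AUTH
    command (initial response, RFC 4954) or on the next client line."""
    found, state, user = [], None, None
    for direction, line in session:
        if direction == "S":            # server prompts carry no credentials
            continue
        m = re.match(r"AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?\s*$", line, re.I)
        if m and state is None:
            state = m.group(1).upper()
            if state == "PLAIN" and m.group(2):
                found.append(plain(m.group(2))); state = None
        elif state == "LOGIN" and user is None:
            user = b64(line)
        elif state == "LOGIN":
            found.append(("LOGIN", user, b64(line))); state = user = None
        elif state == "PLAIN":
            found.append(plain(line)); state = None
    return [c for c in found if c]
```

Run against a real session, an empty result for a port-587 stream that clearly authenticated is the same symptom the write-up hit with dsniff: the decoder's idea of the exchange does not match the RFC sequence on the wire.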
Changing a few lines allowed dsniff to properly decode the authentication of Ann's SMTP exchange. The patch for dsniff is attached but can also be found on my website given below. Running the new dsniff on the pcap file gave the answer to the first two questions:

    # ~/dsniff-2.4-mine/dsniff -p evidence02.pcap
    dsniff: using evidence02.pcap
    -----------------
    11/22/09 01:41:02 tcp 192.168.1.159.1036 -> smtp-mc.mx.aol.com.587 (smtp)
    c25lYWt5ZzMza0Bhb2wuY29t [sneakyg33k@aol.com]
    NTU4cjAwbHo= [558r00lz]

    -----------------
    11/22/09 01:41:02 tcp 192.168.1.159.1038 -> smtp-mc.mx.aol.com.587 (smtp)
    c25lYWt5ZzMza0Bhb2wuY29t [sneakyg33k@aol.com]
    NTU4cjAwbHo= [558r00lz]

Next, loading up mailsnarf in GDB, I found that mailsnarf.c was only looking for SMTP traffic on port 25 and not on port 587. A simple fix (patch also included) and I had the emails that Ann sent:

    # ~/dsniff-2.4-mine/mailsnarf -p evidence02.pcap > evidence02.mbox

With Ann's emails now extracted to an mbox file, and since I couldn't find a small utility to do what I wanted, I wrote a small perl script to extract each email from the mbox file and write out each part of the multipart MIME messages. It uses MIME::Parser, and although modules for directly using mbox files exist (Mail::Box::Mbox, Mail::Folder::Mbox, Email::Folder::Mbox, etc.), just figuring out which one would be best to use was too much effort compared to the quick 25-line script. mboxParse.pl is attached, and after running it, I had all of Ann's emails and attachments extracted:

    # ./mboxParse.pl evidence02.mbox
    # ls msg-*
    msg-1258872709-7757-0:
    Message  msg-7757-1.txt  msg-7757-2.html

    msg-1258872709-7757-1:
    Message  msg-7757-3.txt  msg-7757-4.html  secretrendezvous.docx

Looking at the Message and txt files of each of these emails answered questions 3 and 4, and the attachment was extracted, answering question 5. Taking the md5sum of secretrendezvous.docx answered question 6.
Next, since the attachment is a docx file, I turned to the cat_open_xml.pl script from http://blog.kiddaland.net/2009/07/antiword-for-office-2007/ to show its contents. Unfortunately, it didn't directly answer any of the questions. Knowing that a docx file is just a zip file of xml files and embedded media, I figured I'd find the answer to question 8 and wrote a quick perl script called archivehash.pl. It gives the md5 of each file within a zip file. I want to expand on this script after the contest, but for now, sticking with zip/md5 was enough to complete the puzzle:

    # ./archivehash.pl msg-1258872709-7757-1/secretrendezvous.docx
    f7a7f13f9d124fcc3527e57f342a0979 [Content_Types].xml
    77bf61733a633ea617a4db76ef769a4d _rels/.rels
    c9c49c2d0f5b9a5ce63d1e0d86bb5e25 word/_rels/document.xml.rels
    5b1a947f30db83f4170b009dedd38fab word/document.xml
    aadeace50997b1ba24b09ac2ef1940b7 word/media/image1.png
    9d84374caf9c73ec77677afd23cb7b22 word/theme/theme1.xml
    4788c0aa840fb18d7e5bd74936317dcc word/settings.xml
    15065d2de3eddbb09d84337a09fd7985 word/webSettings.xml
    d0c2c9bec6e9c2597b174ababf1b2191 word/styles.xml
    32ecd3799f69751a53ce10825372fd36 docProps/core.xml
    5583fc19ed6bdf4ee5402f32ef42c492 word/numbering.xml
    de2ae9c06e07370391b996f069f1dfba word/fontTable.xml
    b3923a08674ac7c56babca89c3409107 docProps/app.xml

Finding image1.png in the output gave the answer to question 8, and unzipping it from the docx and viewing it gave the answer to question 7:

    # unzip msg-1258872709-7757-1/secretrendezvous.docx word/media/image1.png
    Archive:  msg-1258872709-7757-1/secretrendezvous.docx
     extracting: word/media/image1.png

All of the scripts and patches written for completing this puzzle can be found on my homepage at http://modtwo.com/networkforensics/puzzle2/
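The two small scripts above (mboxParse.pl splitting the mbox and writing out MIME parts, archivehash.pl hashing each member of the zip) combine into one step. Here is an added example of that step, my own code rather than the attached perl: it splits a constructed mbox on its "From " separator lines the way the write-up does without an mbox module, decodes every leaf MIME part, and opens any zip attachment (a .docx is one) to hash each member. The mbox, the sender's messages and the stand-in .docx are all constructed here and are not the evidence.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def md5hex(data):
    return hashlib.md5(data).hexdigest()

def build_docx_like_zip():
    """Constructed stand-in for the .docx: zip laid out like Word's, dummy data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:   # default ZipInfo timestamp: reproducible
        z.writestr(zipfile.ZipInfo("word/document.xml"), b"<w:document/>")
        z.writestr(zipfile.ZipInfo("word/media/image1.png"), b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    return buf.getvalue()

def build_sample_mbox():
    """Two constructed messages from the write-up's sender; the second carries the zip."""
    out = b""
    for subject, attach in (("lunch next week?", False), ("rendezvous", True)):
        msg = EmailMessage()
        msg["From"], msg["Subject"] = "sneakyg33k@aol.com", subject
        msg.set_content("see attached")
        if attach:
            msg.add_attachment(build_docx_like_zip(), maintype="application",
                               subtype="octet-stream", filename="secretrendezvous.docx")
        out += b"From sneakyg33k@aol.com Sun Nov 22 01:41:02 2009\n" + msg.as_bytes()
    return out

def extract_parts(mbox):
    """mboxParse.pl's job: split the mbox on its "From " separator lines, then list
    each leaf MIME part decoded as name + md5. A zip attachment (a .docx is one)
    is also opened and every member hashed, which is what archivehash.pl does."""
    result = []
    for raw in re.split(rb"(?:^|\n)From [^\n]*\n", mbox)[1:]:   # [0] is the empty head
        parts = []
        for part in message_from_bytes(raw).walk():
            if part.is_multipart():
                continue
            data = part.get_payload(decode=True)
            entry = {"name": part.get_filename() or part.get_content_type(),
                     "md5": md5hex(data)}
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    entry["members"] = {n: md5hex(z.read(n)) for n in z.namelist()}
            parts.append(entry)
        result.append(parts)
    return result
```

Hashing the decoded attachment as well as its members gives both the question 6 value (the whole .docx) and the question 8 value (word/media/image1.png) from one pass over the mbox.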