Name: Amar Yousif
Answer 1: 00:25:00:fe:07:c4
Answer 2: AppleTV/2.4
Answer 3a: h
Answer 3b: ha
Answer 3c: hac
Answer 3d: hack
Answer 4: Hackers
Answer 5: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
Answer 6: Sneakers
Answer 7: $9.99
Answer 8: iknowyourewatchingme
Description:
I wrote two simple scripts for this contest, applejuice and gzippedNOT.
applejuice takes a pcap file as input and prints out the Apple Store searches and other information by IP.
gzippedNOT takes an http payload file (without the tcp/ip header info) and attempts to inflate (decompress) and decode the gzipped content.
Here’s how I’ll use these two scripts to solve the puzzle:
ToyBox#./applejuice -r evidence03.pcap
2009-12-27 22:08:16.927407 192.168.1.10 searched-for: media=movie q=h
2009-12-27 22:08:19.732619 192.168.1.10 searched-for: media=movie q=ha
2009-12-27 22:08:22.981673 192.168.1.10 searched-for: media=movie q=hac
2009-12-27 22:08:26.544983 192.168.1.10 searched-for: media=movie q=hack
2009-12-27 22:08:36.244529 192.168.1.10 clicked-on: pageName=MoviePage-US-Hackers-IainSoftley-333441649
2009-12-27 22:08:56.054955 192.168.1.10 searched-for: media=movie q=s
2009-12-27 22:08:58.462018 192.168.1.10 searched-for: media=movie q=sn
2009-12-27 22:09:01.772845 192.168.1.10 searched-for: media=movie q=sne
2009-12-27 22:09:12.801213 192.168.1.10 searched-for: media=movie q=sneb
2009-12-27 22:09:20.894813 192.168.1.10 searched-for: media=movie q=snea
2009-12-27 22:09:25.013675 192.168.1.10 searched-for: media=movie q=sneak
2009-12-27 22:09:29.090745 192.168.1.10 clicked-on: pageName=MoviePage-US-Sneakers-PhilAldenRobinson-283963264
2009-12-27 22:09:41.074431 192.168.1.10 searched-for: media=movie q=i
2009-12-27 22:09:47.413934 192.168.1.10 searched-for: media=movie q=ik
2009-12-27 22:09:49.643774 192.168.1.10 searched-for: media=movie q=ikn
2009-12-27 22:09:51.285462 192.168.1.10 searched-for: media=movie q=ikno
2009-12-27 22:09:54.533797 192.168.1.10 searched-for: media=movie q=iknow
2009-12-27 22:10:00.757932 192.168.1.10 searched-for: media=movie q=iknowy
2009-12-27 22:10:05.286998 192.168.1.10 searched-for: media=movie q=iknowyo
2009-12-27 22:10:07.396247 192.168.1.10 searched-for: media=movie q=iknowyou
2009-12-27 22:10:11.954453 192.168.1.10 searched-for: media=movie q=iknowyour
2009-12-27 22:10:14.189430 192.168.1.10 searched-for: media=movie q=iknowyoure
2009-12-27 22:10:16.762757 192.168.1.10 searched-for: media=movie q=iknowyourew
2009-12-27 22:10:21.703075 192.168.1.10 searched-for: media=movie q=iknowyourewa
2009-12-27 22:10:23.968028 192.168.1.10 searched-for: media=movie q=iknowyourewat
2009-12-27 22:10:26.748082 192.168.1.10 searched-for: media=movie q=iknowyourewatc
2009-12-27 22:10:28.835105 192.168.1.10 searched-for: media=movie q=iknowyourewatch
2009-12-27 22:10:30.327520 192.168.1.10 searched-for: media=movie q=iknowyourewatchi
2009-12-27 22:10:31.963279 192.168.1.10 searched-for: media=movie q=iknowyourewatchin
2009-12-27 22:10:33.845427 192.168.1.10 searched-for: media=movie q=iknowyourewatching
2009-12-27 22:10:35.390023 192.168.1.10 searched-for: media=movie q=iknowyourewatchingm
2009-12-27 22:10:39.390800 192.168.1.10 searched-for: media=movie q=iknowyourewatchingme
This gave us answers 3, 4, 6, and 8.
Now we’ll ngrep for the movie IDs 333441649 (Hackers) and 283963264 (Sneakers) to identify the conversations that we need to further analyze, like so:
ToyBox#ngrep -I evidence03.pcap 333441649 dst host 192.168.1.10 | grep ^T
T 8.18.65.67:80 -> 192.168.1.10:49168 [A]
T 8.18.65.67:80 -> 192.168.1.10:49168 [A]
ToyBox#ngrep -I evidence03.pcap 283963264 dst host 192.168.1.10 | grep ^T
T 8.18.65.67:80 -> 192.168.1.10:49176 [A]
T 8.18.65.67:80 -> 192.168.1.10:49176 [A]
Now that we know the IPs and ports of the right conversations to analyze for each movie, we use tcpflow to carve out the payload files like so:
ToyBox#tcpflow -r evidence03.pcap 'src host 8.18.65.67 and src port 80 and dst host 192.168.1.10 and dst port 49168'
ToyBox#cp 008.018.065.067.00080-192.168.001.010.49168 hackers
ToyBox#tcpflow -r evidence03.pcap 'src host 8.18.65.67 and src port 80 and dst host 192.168.1.10 and dst port 49176'
ToyBox#cp 008.018.065.067.00080-192.168.001.010.49176 sneakers
Now that we have the http payload files for ‘hackers’ and ‘sneakers’, we’ll use gzippedNOT to decode the content and grep for additional info like so:
ToyBox#./gzippedNOT -r hackers | grep preview-url
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
ToyBox#./gzippedNOT -r sneakers | grep price-display
price-display$9.99
rent-price-display$2.99
price-display$9.99
rent-price-display$2.99
This yielded answers 5 and 7.
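As an added example (not the author's gzippedNOT script), the Python below reproduces the step above on a constructed tcpflow-style stream: it walks the server-to-client bytes response by response, undoes chunked transfer-encoding and gzip content-encoding, then pulls the preview-url and price-display values out of the plist-style body. The store response layout, the sample values and the URL are constructed assumptions.

```python
import gzip, re, zlib
# Constructed sample, not the contest pcap: a tcpflow-style server->client
# stream with two gzipped store responses, one framed by Content-Length and
# one by chunked transfer-encoding. The plist-style layout is an assumption.
BODY1 = b'<dict><key>preview-url</key><string>http://example.invalid/trailer.m4v</string></dict>'
BODY2 = (b'<dict><key>price-display</key><string>$9.99</string>'
         b'<key>rent-price-display</key><string>$2.99</string></dict>')
GZ1, GZ2 = gzip.compress(BODY1), gzip.compress(BODY2)

def chunked(data, size=16):  # chunked transfer-encode with small chunks
    parts = [b'%x\r\n%s\r\n' % (len(data[i:i + size]), data[i:i + size])
             for i in range(0, len(data), size)]
    return b''.join(parts) + b'0\r\n\r\n'

SAMPLE_STREAM = (
    b'HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n' % len(GZ1)
    + GZ1 + b'HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n'
    b'Transfer-Encoding: chunked\r\n\r\n' + chunked(GZ2))

def inflate_http_stream(stream):
    """Split a server->client stream into response bodies, undoing chunking and gzip."""
    bodies, pos = [], 0
    while (hdr_end := stream.find(b'\r\n\r\n', pos)) >= 0:
        lines = stream[pos:hdr_end].decode('latin-1').split('\r\n')[1:]
        hdrs = {k.strip().lower(): v.strip().lower()
                for k, v in (l.split(':', 1) for l in lines if ':' in l)}
        pos = hdr_end + 4
        if 'chunked' in hdrs.get('transfer-encoding', ''):
            raw = b''
            while True:
                eol = stream.index(b'\r\n', pos)
                size = int(stream[pos:eol].split(b';')[0], 16)  # drop chunk extensions
                pos = eol + 2
                if size == 0:
                    pos = stream.index(b'\r\n', pos) + 2  # assumes no trailer headers
                    break
                raw, pos = raw + stream[pos:pos + size], pos + size + 2
        else:  # Content-Length framing, or none at all (body runs to end of flow)
            n = int(hdrs.get('content-length', len(stream) - pos))
            raw, pos = stream[pos:pos + n], pos + n
        if 'gzip' in hdrs.get('content-encoding', ''):
            # decompressobj returns what it could inflate, so a truncated capture yields a partial body
            raw = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(raw)
        bodies.append(raw)
    return bodies

def grep_values(body, key):
    """Return the <string> values that follow a plist <key>, as text."""
    pat = rb'<key>' + re.escape(key.encode()) + rb'</key>\s*<string>(.*?)</string>'
    return [m.decode('latin-1') for m in re.findall(pat, body)]
```

On a real tcpflow file, read it in binary and pass the bytes to inflate_http_stream; a flow cut short by the capture still returns whatever prefix of the body could be inflated.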
We’ll use our trusty ngrep one more time to find answer 2, like so:
ToyBox#ngrep -I evidence03.pcap User-Agent
input: evidence03.pcap
match: User-Agent
######
T 192.168.1.10:49163 -> 8.18.65.67:80 [AP]
GET /WebObjects/MZStore.woa/wa/viewGrouping?id=39 HTTP/1.1..Accept: */*..Accept-Language: en..Accept-Encoding: gzip, deflate..Cookie: s_vi=[CS]v1|259C176A85010C29-6000010D80115D7F[CE]..User-Agent: AppleTV/2.4..If-Modified-Since: Fri, 25 Dec 2009 04:42:31 GMT..X-Apple-Store-Front: 143441-1,3..Connection: keep-alive..Host: ax.itunes.apple.com....
And we got answer 2: AppleTV/2.4
And finally we’ll deduce answer number 1, like so:
ToyBox# tcpdump -nner evidence03.pcap -c 1
reading from file evidence03.pcap, link-type EN10MB (Ethernet)
22:08:01.139183 00:25:00:fe:07:c4 > 00:23:69:ad:57:7b, ethertype IPv4 (0x0800), length 79: 192.168.1.10.49174 > 4.2.2.1.53: 40605+ A? ax.itunes.apple.com. (37)
00:25:00:fe:07:c4 (APPLE) > 00:23:69:ad:57:7b (CISCO LINKSYS)
------------------
1. What is the MAC address of Ann’s AppleTV?
00:25:00:fe:07:c4
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
AppleTV/2.4
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
h, ha, hac, hack
4. What was the title of the first movie Ann clicked on?
Hackers
5. What was the full URL to the movie trailer (defined by 'preview-url')?
http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
6. What was the title of the second movie Ann clicked on?
Sneakers
7. What was the price to buy it (defined by 'price-display')?
$9.99
8. What was the last full term Ann searched for?
iknowyourewatchingme