Since we are dealing with a PCAP file we need to find a way to extract information from it. There are of course various methods to do so, including tcpdump, Wireshark and tons of other tools. But in the spirit of a contest, I had to write my own script, especially since I wanted to dump the content of a stream, something that these tools aren't really well equiped to do (there are other tools to do so, some of which are listed here: http://isc.sans.org/diary.html?storyid=6961). But anyway, to cut a long story short, I wrote a script called pcapcat in Perl which is short for PCAP cat, that reads the content of a PCAP file and gives you an option to dump the content of a TCP stream into a file To use the script on the given evidence file we can use the default option of only showing new connections (that is we are looking for SYN packets without any other flags, ignoring ECN). If we do that we only see few connections, since the IM conversation obviously was started before the packet capture started, so we only have partial information from it. Therefore we need to call the script so that it shows us all TCP packets, like this: perl pcapcat -r evidence.pcap -a [1] TCP 192.168.1.2:55488 -> 192.168.1.30:22[16] [2] TCP 192.168.1.30:22 -> 192.168.1.2:55488[24] [3] TCP 192.168.1.2:55488 -> 192.168.1.30:22[16] [4] TCP 192.168.1.30:22 -> 192.168.1.2:55488[24] [5] TCP 192.168.1.2:54419 -> 192.168.1.157:80[2] [6] TCP 192.168.1.2:54419 -> 192.168.1.157:80[16] [7] TCP 192.168.1.157:80 -> 192.168.1.2:54419[18] [8] TCP 192.168.1.2:54419 -> 192.168.1.157:80[17] [9] TCP 192.168.1.157:80 -> 192.168.1.2:54419[16] [10] TCP 192.168.1.2:54419 -> 192.168.1.157:80[16] Read more packets [Y|n]: y [11] TCP 192.168.1.157:80 -> 192.168.1.2:54419[17] [12] TCP 192.168.1.158:51128 -> 64.12.24.50:443[24] [13] TCP 64.12.24.50:443 -> 192.168.1.158:51128[16] [14] TCP 192.168.1.158:51128 -> 64.12.24.50:443[24] [15] TCP 64.12.24.50:443 -> 192.168.1.158:51128[16] [16] TCP 192.168.1.158:51128 -> 64.12.24.50:443[24] [17] TCP 64.12.24.50:443 -> 192.168.1.158:51128[16] [18] TCP 64.12.24.50:443 -> 192.168.1.158:51128[24] [19] TCP 64.12.25.91:443 -> 192.168.1.159:1221[24] [20] TCP 64.12.24.50:443 -> 192.168.1.158:51128[24] Read more packets [Y|n]: n Not printing out more packets The script prints by default only new TCP connections (that is TCP SYN). To be able to capture an already started IM conversation I had to use the -a option to the script, to tell it to print and index number of all TCP connections (as previously stated). The IM conversation is taking place on port 443 (usually associaed to HTTPS traffic). To capture the IM conversation we therefore dump the content of the first associated traffic: perl pcapcat -r evidence.pcap -a -d 12 -w conversation To examine the content of the conversation the usage of xxd can be useful 0000000: 2a02 0061 00b7 0004 0006 0000 0000 0045 *..a...........E 0000010: 3436 3238 3737 3800 0001 0b53 6563 3535 4628778....Sec55 0000020: 3875 7365 7231 0002 008f 0501 0004 0101 8user1.......... 0000030: 0102 0101 0083 0000 0000 4865 7265 2773 ..........Here's 0000040: 2074 6865 2073 6563 7265 7420 7265 6369 the secret reci 0000050: 7065 2e2e 2e20 4920 6a75 7374 2064 6f77 pe... I just dow 0000060: 6e6c 6f61 6465 6420 6974 2066 726f 6d20 nloaded it from 0000070: 7468 6520 6669 6c65 2073 6572 7665 722e the file server. 0000080: 204a 7573 7420 636f 7079 2074 6f20 6120 Just copy to a 0000090: 7468 756d 6220 6472 6976 6520 616e 6420 thumb drive and 00000a0: 796f 7527 7265 2067 6f6f 6420 746f 2067 you're good to g 00000b0: 6f20 2667 743b 3a2d 2900 0300 002a 0200 o >:-)....*.. 00000c0: 6200 2200 0400 1400 0000 0000 4600 0000 b.".........F... 00000d0: 0000 0000 0000 010b 5365 6335 3538 7573 ........Sec558us 00000e0: 6572 3100 002a 0256 d400 cb00 0100 0a80 er1..*.V........ 00000f0: 0085 2a8b 4100 0e00 0200 0400 0000 4500 ..*.A.........E. 0000100: 0100 0200 0300 0100 0100 0000 5000 0009 ............P... 0000110: c400 0007 d000 0005 dc00 0003 2000 0017 ............ ... 0000120: 7000 0017 7000 0094 dc00 0002 0000 0050 p...p..........P 0000130: 0000 0bb8 0000 07d0 0000 05dc 0000 03e8 ................ ... 00007c0: 2000 0400 0c00 0000 0000 4935 3038 3834 .........I50884 00007d0: 3936 0000 010b 5365 6335 3538 7573 6572 96....Sec558user Here we obviously have the option of creating a Perl script to parse the content of the IM traffic to display it "nice", but I leave that as an exercise for later.... By examining this we see that Ann's username is Sec558User1. We could also find out this by issuing a simple strings command against the file strings -a -t d evidence.pcap > evidence.str cat evidence.str ... 2277 Sec558user1 2308 Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-) 2612 Sec558user1 ... We also see in the same output (strings): 67136 GET /adiframe/3.0/5113.1/221794/0/-1/size=120x90;noperf=1;alias=93245558;cfp=1;noaddonpl=y;artexc=all;artinc=art_image%2Cart_img1x1%2Cart_3pimg%2Cart_text%2Cart_imgtrack;kvmn=93245558;target=_blan k;aduho=360;grp=143115875;misc=143115875 HTTP/1.1 67383 Accept: */* 67396 Referer: http://www.aim.com/redirects/inclient/AIM_UAC_v2.adp?magic=93245558&width=120&height=90&sn=Sec558user1 67509 Accept-Language: en-us 67533 Accept-Encoding: gzip, deflate 67565 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 67634 Host: at.atwola.com 67655 Connection: Keep-Alive 67679 Cookie: JEB2=4A839DDB6E65181C45921CB2F00016D8; ATTACID=a3Z0aWQ9MTU4NzdpYTAwYTh2Ymk=; ATTAC=a3ZzZWc9OTk5OTk6NTAyODA=; badsrfi=V0d710994e8ccb8db64a83a07939b2; atdemo=a3ZhZz1hbTM6dWEzOTtrdnVnPTE7; Ax Data=; atdses=0 That is we can see that there is a HTTP request containing the Referer "sn=Sec558user1", furhter strenghtening our hypothesis that the username is Sec558user1 Let's examine all connections that were created during the capture time. perl pcapcat -r evidence.pcap [1] TCP 192.168.1.2:54419 -> 192.168.1.157:80 [2] TCP 192.168.1.159:1271 -> 205.188.13.12:443 [3] TCP 192.168.1.159:1272 -> 192.168.1.158:5190 [4] TCP 192.168.1.159:1273 -> 64.236.68.246:80 If we examine the created conversations, we see that only one ocurred between two internal hosts (that is direct connection). The other newly created sessions all belong to Ann (192.168.1.159) except one empty HTTP session. [3] TCP 192.168.1.159:1272 -> 192.168.1.158:5190 This could be an indication of a file transfer. We know that the IP address of Anna is 192.168.1.158 (given) and of the unknown laptop 192.168.1.159. Let's examine that in further detail: perl pcapcat -r evidence.pcap -w file -d 3 Try to find out which kind of file this is... file file file: data No luck here, examine the header: cat file | xxd | head -4 0000000: 4f46 5432 0100 0101 0000 0000 0000 0000 OFT2............ 0000010: 0000 0000 0001 0001 0001 0001 0000 2ee8 ................ 0000020: 0000 2ee8 0000 0000 b164 0000 ffff 0000 .........d...... 0000030: 0000 0000 0000 0000 ffff 0000 0000 0000 ................ Now we see that the file has the magic number OFT2, indicating that this is an OFT file (Oscar File Transfer). To extract the transferred file itself, I created a script called oftcat. To get the structure I downloaded the source code for Pidgin and read the file oft.c found inside libpurple/protocols/oscar/oft.c, there you can get a nice description of the structure (in c) We want to extract the file content, so let's try it out: ./oftcat -r file ------------------------------------------------------------ File name: file ------------------------------------------------------------ Parsing OFT (Oscar File Transfer) header Name of file transferred: Total number of files 1 Files left: 1 Total parts: 1 Parts left: 1 Total size: 12008 Size: 12008 Checksum: 2976120832 ID string 'Cool FileXfer' Type: PEER_TYPE_GETFILE_RECEIVELISTING, PEER_TYPE_RESUMEACK, PEER_TYPE_RESUME, PEER_TYPE_GETFILE_REQUESTLISTING, PEER_TYPE_RESUMEACCEPT, PEER_TYPE_GETFILE_ACKLISTING, PEER_TYPE_PROMPT, Name offset 0 ------------------------------------------------------------ ------------------------------------------------------------ Parsing OFT (Oscar File Transfer) header Name of file transferred: Cookie value: 7174647 Total number of files 1 Files left: 1 Total parts: 1 Parts left: 1 Total size: 12008 Size: 12008 Checksum: 2976120832 ID string 'Cool FileXfer' Flag: PEER_CONNECTION_FLAG_IS_INCOMING, Type: PEER_TYPE_GETFILE_RECEIVELISTING, PEER_TYPE_DONE, PEER_TYPE_RESUMEACK, PEER_TYPE_RESUME, PEER_TYPE_RESUMEACCEPT, PEER_TYPE_GETFILE_RECEIVEDLISTING, PEER_TYPE_ACK, PEER_TYPE_GETFILE_REQUESTFILE, PEER_TYPE_GETFILE_ACKLISTING, Name offset 28 ------------------------------------------------------------ parsing file information Final header (after file transfer) ------------------------------------------------------------ Parsing OFT (Oscar File Transfer) header Name of file transferred: Cookie value: 7174647 Total number of files 1 Files left: 1 Total parts: 1 Parts left: 1 Total size: 12008 Size: 12008 Checksum: 2976120832 ID string 'Cool FileXfer' Flag: PEER_CONNECTION_FLAG_IS_INCOMING, Type: PEER_TYPE_GETFILE_RECEIVELISTING, PEER_TYPE_DONE, PEER_TYPE_RESUMEACK, PEER_TYPE_RESUME, PEER_TYPE_RESUMEACCEPT, PEER_TYPE_GETFILE_RECEIVEDLISTING, PEER_TYPE_ACK, PEER_TYPE_GETFILE_REQUESTFILE, PEER_TYPE_GETFILE_ACKLISTING, Name offset 28 ------------------------------------------------------------ File: recipe.docx saved in file recipe.docx We see that the file name is "recipe.docx", which the tool oftcat saves as the file name "recipe.docx". We can then use tools such as cat_open_xml.pl (antiword for office 2007 documents) or simply open it using Word to extract the content itself. cat_open_xml.pl recipe.docx ./cat_open_xml.pl recipe.docx Recipe for Disaster: 1 serving Ingredients: 4 cups sugar 2 cups water In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary. And to extract metadata information from the file: read_open_xml.pl recipe.docx ========================================================================== cmd line: ./read_open_xml.pl recipe.docx ========================================================================== Document name: recipe.docx Date: Fri Aug 14 20:09:28 GMT 2009 -------------------------------------------------------------------------- Application Metadata -------------------------------------------------------------------------- Template = Normal.dotm TotalTime = 1 Pages = 1 Words = 43 Characters = 249 Application = Microsoft Office Word DocSecurity = 0 Lines = 2 Paragraphs = 1 ScaleCrop = false HeadingPairs = Title1 TitlesOfParts = Company = LinksUpToDate = false CharactersWithSpaces = 291 SharedDoc = false HyperlinksChanged = false AppVersion = 12.0000 -------------------------------------------------------------------------- File Metadata -------------------------------------------------------------------------- title = subject = creator = lmg keywords = description = lastModifiedBy = lmg revision = 2 created = 2009-08-12T21:33:00Z modified = 2009-08-12T21:33:00Z So to answer the questions 1. What is the name of Ann's IM buddy? Sec558user1 2. What was the first comment in the captured IM conversation? Here's the secret recipe... I just downloaded it from the file server.Just copy to a thumb drive and you're good to go >:-) 3. What is the name of the file Ann transferred? recipe.docx 4. What is the magic number of the file you want to extract (first four bytes)? well the OFT2 is the magic number of the file in transit. Then we need to "extract" the real file which is captured inside the transit file (the docx file) So to answer this, the magic value or the first four bytes are: 4f46 5432 or OFT2 And for the docx file (since that is a ZIP file) we have: 504b or PK 5. What was the MD5sum of the file? 8350582774e1d4dbe1d61d64c89e0ea1 recipe.docx 52c13d8c0a99ac0d3210e8e8edb046bf file 6. What is the secret recipe? Recipe for Disaster: 1 serving Ingredients: 4 cups sugar 2 cups water In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.