Sunday, August 28, 2011

Defcon 19 Packet Challenge - Level 3


A mysterious call is made to Romulus (a new accounts manager) at Factory-Made-Winning.
Use the packet capture in this folder to learn more about the phone call and answer the following question:

1.       What is Romulus' password?

I opened the pcap in Wireshark first, but it did not identify any VoIP conversations.  I then tried xplico:

carl@bluestem:~$ ./xplico -m pcap -f /home/chester/DRILL/Evidence03.pcap
xplico v0.6.3
Internet Traffic Decoder (NFAT).
Cap. time: Thu Jun 23 13:40:49 2011
Total elaboration time: 4s            

carl@bluestem:~$ ls xdecode/172.30.1.101/http/74.125.224.116
http_rs_body_1314482374_0xa51a2a8_1  post

carl@bluestem:~$ cat http_rs_body_1314482374_0xa51a2a8_1
relay.ip=74.125.127.126
relay.udp_port=19295
relay.tcp_port=19294
relay.ssltcp_port=443
stun.ip=74.125.127.126
stun.port=19302
username=1ZUfriXYKVltcU72
password=IyUDFIcH1JL8Ho8N
magic_cookie=rÆKÆ

Not a smoking gun, but the IP 74.125.127.126 is owned by Google, so we're probably looking at a Google Chat VoIP call.  After some searching I found that xplico can take advantage of a tool called videosnarf to decode VoIP calls.  I set up this tool and ran it on its own.

carl@bluestem:~$ videosnarf -i Evidence03.pcap
added new stream. :172.30.1.101(56213) to 74.125.127.126(19295). codec is 00
added new stream. :74.125.127.126(19295) to 172.30.1.101(56213). codec is 00
[+]Stream saved to file G711ULAW-media-1.wav
[+]Stream saved to file G711ULAW-media-2.wav

Bingo.  If you listen to the G711ULAW wav files, you can hear both sides of a staged social-engineering call to Romulus.  He willingly gives over his password to the caller.
Answer:  rom127#
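What videosnarf did above, as an added example that is not the author's code and not part of xplico or videosnarf: a standard-library-only pass over a classic pcap that groups RTP packets carrying payload type 0 (G.711 u-law, what the "G711ULAW" file names refer to) into streams, reassembles each in sequence order, and decodes the 8-bit u-law samples to a 16-bit WAV. The capture it reads is constructed in memory (the endpoints reuse the addresses and ports from the videosnarf output; the SSRC values and the audio bytes are made up), so it runs offline; point extract_pcmu_streams at the bytes of a real capture to use it on one.

```python
"""Recover G.711 u-law (PCMU) call audio from a pcap with the standard library only.

Added example for this post (not the author's code, not part of xplico or videosnarf).
The capture is constructed in memory so everything runs offline.
"""
import io
import struct
import wave
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
RTP_PT_PCMU = 0          # static RTP payload type 0 = G.711 u-law, 8 kHz mono
PCAP_LINKTYPE_ETHERNET = 1


def ulaw_to_linear(byte):
    """Decode one G.711 u-law byte to a signed 16-bit PCM sample (ITU-T G.711 expansion)."""
    u = ~byte & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def iter_pcap_frames(data):
    """Yield link-layer frames from classic pcap bytes, honouring the magic's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != PCAP_LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def extract_pcmu_streams(pcap_bytes):
    """Map (src, sport, dst, dport, ssrc) -> u-law bytes, reassembled in RTP sequence order.

    Simplifications: no 16-bit sequence wraparound handling, no RTP header extensions.
    """
    streams = defaultdict(list)
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_UDP:
            continue
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        udp = ip[ihl:total_len]
        if len(udp) < 8 + 12:           # UDP header + minimum RTP header
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        rtp = udp[8:]
        if rtp[0] >> 6 != 2 or rtp[1] & 0x7F != RTP_PT_PCMU:
            continue                    # not RTP version 2, or not PCMU
        seq, _timestamp, ssrc = struct.unpack("!HII", rtp[2:12])
        payload = rtp[12 + 4 * (rtp[0] & 0x0F):]   # skip any CSRC identifiers
        streams[(src, sport, dst, dport, ssrc)].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(pkts, key=lambda x: x[0]))
            for key, pkts in streams.items()}


def ulaw_to_wav(ulaw_payload):
    """Return a 16-bit mono 8 kHz PCM WAV (as bytes) for a u-law payload."""
    pcm = b"".join(struct.pack("<h", ulaw_to_linear(b)) for b in ulaw_payload)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(pcm)
    return buf.getvalue()


def build_rtp_frame(src, sport, dst, dport, ssrc, seq, payload):
    """Constructed Ethernet/IPv4/UDP/RTP frame (checksums left zero; the parser ignores them)."""
    rtp = struct.pack("!BBHII", 0x80, RTP_PT_PCMU, seq, seq * len(payload), ssrc) + payload
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     ip_src, ip_dst) + udp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap():
    """Constructed two-way PCMU call using the endpoints the post's videosnarf output lists."""
    caller = ("172.30.1.101", 56213, "74.125.127.126", 19295, 0x1234ABCD)   # SSRC made up
    callee = ("74.125.127.126", 19295, "172.30.1.101", 56213, 0xCAFEF00D)   # SSRC made up
    chunks = {1: bytes([0xFF] * 160), 2: bytes([0x80] * 160), 3: bytes([0x00] * 160)}
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)]
    for endpoints, seqs in ((caller, (1, 3, 2)), (callee, (1, 2))):  # caller side out of order
        for seq in seqs:
            frame = build_rtp_frame(*endpoints, seq, chunks[seq])
            out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    for i, (key, ulaw) in enumerate(extract_pcmu_streams(build_sample_pcap()).items(), 1):
        name = f"G711ULAW-media-{i}.wav"
        with open(name, "wb") as f:
            f.write(ulaw_to_wav(ulaw))
        print(f"{key[0]}({key[1]}) -> {key[2]}({key[3]}): {len(ulaw)} samples saved to {name}")
```

The stream key includes the SSRC as well as the address pair, which is what separates the two directions of the call into the two media files videosnarf produced; sorting by sequence number before joining is what keeps out-of-order delivery from turning into garbled audio. On a real capture of a different codec the payload-type check is the place to look first: only payload type 0 is decoded here, so a call negotiated as something other than G.711 u-law will simply produce no streams.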

2 comments:

  1. Hi,
    where can I download the pcap of this challenge?
    Ciao.

  2. Check out the site here: http://forensicscontest.com/

    This was Puzzle #9: Ann’s Deception (DEFCON 2011).

    Here's a direct link to the pcap: http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/Evidence03.pcap
