Sunday, August 28, 2011

Defcon 19 Packet Challenges - Level 2

Ann, afraid that someone may be watching her, decides to capture all of her home traffic. She mentions her fear to Mr. X and explains that she has been capturing her home traffic for days and will be sending the packets out for analysis later in the day. She sends her captures to the one person she knows she can trust. After their discussion, Mr. X rushes to his lab to see if he can intercept Ann's outbound message and use her capture to get more detail on her upcoming activities.
1. What is the date, as it appears in the capture, of the cryptographer's speaking engagement? (hint: It isn't at Defcon)
This one was slightly more difficult.  The scenario says Mr. X is trying to capture Ann's message, so I went looking for emails. First I used tcpflow to dump all the network conversations into separate files, one per direction of each TCP stream. This probably could have been easier using NetworkMiner or NetWitness, but I preferred to work on these in a Linux shell.

carl@bluestem:~$  tcpflow -r Evidence02.pcap
Then I searched for the word "Subject" in the resulting files, since that header should be in any email.  One hit stood out:
carl@bluestem:~$  grep -a Subject *
172.030.001.100.51805-205.188.192.001.00080:

From":"ann1smysterious@aol.com","To":"d_tangent@aol.com,","Cc":"","Bcc":"","Subject":"My Trusted Friend","RichBody":"You are the only one that I can trust.  I need to know if someone monitoring me.  Attached is a capture of my traffic

As the scenario said, Ann sent a pcap to a person she could trust.  Let's get that pcap.  Using foremost, the magic number for a pcap is 0xd4c3b2a1, which is how the pcap magic 0xa1b2c3d4 appears on disk when written by a little-endian host, so the foremost rule matches those four bytes in that order.

carl@bluestem:~$  cat /etc/foremost.conf
pcap n      5000000 \xd4\xc3\xb2\xa1
carl@bluestem:~$  foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
Processing: 172.030.001.100.51805-205.188.192.001.00080
|*|
carl@bluestem:~$ file output/pcap/00000030.pcap
output/pcap/00000030.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535) 

This is the Help.pcap plus some extra data on the end, since the foremost rule carves up to a fixed maximum size (5000000 bytes) rather than the file's real length.  Tcpdump will still parse the file.

A quick look around this cap and we see the site of a well-known cryptographer (remember we are looking for the date of a cryptographer’s speaking engagement).

carl@bluestem:~$  tcpdump -nn -r Help.pcap -A -s0 port 80 | grep Host | sort | uniq
Host: www.schneier.com

Looking at the pcap, we determine the IP of schneier.com to be 204.11.246.48, so we can focus on that.  Once again, tcpflow to break up this pcap into parse-friendly conversations. 

carl@bluestem:~$  tcpflow -r Help.pcap host 204.11.246.48
carl@bluestem:~$  grep GET *
172.030.001.100.60176-204.011.246.048.00080:GET /schedule.html HTTP/1.1

Looks promising.  So, we’ll use the other half of this file that matches this request to get the response. 

carl@bluestem:~$ head 204.011.246.048.00080-172.030.001.100.60176   # server response
HTTP/1.1 200 OK
Date: Wed, 22 Jun 2011 21:05:31 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Last-Modified: Tue, 17 May 2011 01:51:36 GMT
ETag: "e78-4a36f03207a00"
Accept-Ranges: none
Content-Encoding: gzip

Gzipped data (Content-Encoding: gzip).  So we'll use foremost again, this time with the two-byte gzip magic, to carve the compressed body out of the response.

carl@bluestem:~$ cat /etc/foremost.conf
gz n 50000 \x1f\x8b
carl@bluestem:~$  foremost -c /etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176
Processing: 204.011.246.048.00080-172.030.001.100.60176
|*|
carl@bluestem:~$  file output/gzip/00000000.gzip
output/gzip/00000000.gzip: gzip compressed data, from Unix
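Both carves above (the pcap out of the upload stream and the gzip body out of the HTTP response) are the same operation: scan for a magic byte sequence, then cut a fixed-size block, which is why the carved pcap had extra data on the end. The Python below is an added example, not from the original post and not foremost's own code, that performs the same scan on constructed stand-ins for the two tcpflow files but trims the pcap to its true length by walking its record headers, and inflates the gzip member with zlib so that whatever follows it in the stream is ignored. The HTTP request and response bytes, the two-packet pcap, its timestamps and the hostname mail.example.invalid are all constructed for the example.

```python
import struct
import gzip
import zlib

# Signatures from the two foremost rules above: the pcap magic 0xa1b2c3d4 as a
# little-endian host writes it (d4 c3 b2 a1) and the two-byte gzip magic.
PCAP_MAGIC_LE = struct.pack("<I", 0xA1B2C3D4)          # b"\xd4\xc3\xb2\xa1"
GZIP_MAGIC = b"\x1f\x8b"
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_sample_pcap():
    """Constructed two-packet little-endian pcap: version 2.4, Ethernet, snaplen 65535."""
    header = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b""
    for payload in (b"\xaa" * 60, b"\xbb" * 42):
        records += PCAP_REC_HDR.pack(1308776731, 0, len(payload), len(payload)) + payload
    return header + records


def find_all(data, magic):
    """Every offset at which magic occurs: the scan foremost performs for each rule."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits


def pcap_length(data, start):
    """Validate the pcap global header at start and walk its records to find where the
    capture really ends, so the carve is not padded with the bytes that follow it.
    Returns None when the header is not a plausible pcap."""
    if len(data) - start < PCAP_GLOBAL_HDR.size:
        return None
    magic, major, minor, _, _, snaplen, _ = PCAP_GLOBAL_HDR.unpack_from(data, start)
    if magic != 0xA1B2C3D4 or (major, minor) != (2, 4):
        return None
    pos = start + PCAP_GLOBAL_HDR.size
    while pos + PCAP_REC_HDR.size <= len(data):
        _, ts_usec, incl_len, orig_len = PCAP_REC_HDR.unpack_from(data, pos)
        # Heuristic stop: a real record has a sub-second field below 1e6 and a captured
        # length within snaplen, no larger than the original and still inside the buffer.
        if (ts_usec >= 1_000_000 or incl_len > snaplen or incl_len > orig_len
                or pos + PCAP_REC_HDR.size + incl_len > len(data)):
            break
        pos += PCAP_REC_HDR.size + incl_len
    return pos - start


def carve_pcaps(data):
    """(offset, bytes) for each pcap found in data, each trimmed to its real length."""
    out = []
    for off in find_all(data, PCAP_MAGIC_LE):
        length = pcap_length(data, off)
        if length:
            out.append((off, data[off:off + length]))
    return out


def carve_gzips(data):
    """(offset, decompressed bytes) for each gzip member in data. zlib's gzip-aware
    decoder (wbits 16+MAX_WBITS) stops at the member's own end-of-stream marker, so
    trailing data is ignored, and a stray 1f 8b inside unrelated bytes fails to inflate
    and is skipped. Hits inside an already-carved member are skipped as well."""
    out, skip_until = [], 0
    for off in find_all(data, GZIP_MAGIC):
        if off < skip_until:
            continue
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            body = d.decompress(data[off:])
        except zlib.error:
            continue
        if d.eof:
            out.append((off, body))
            skip_until = len(data) - len(d.unused_data)
    return out


# Constructed stand-ins for the two tcpflow files worked through above.
HTTP_REQUEST = b"POST /upload HTTP/1.1\r\nHost: mail.example.invalid\r\n\r\n"
SAMPLE_UPLOAD = HTTP_REQUEST + build_sample_pcap() + b"\r\n--boundary--\r\n"

SAMPLE_HTML = (b"<html><body>Global AppSec Latin America 2011 Conference\n"
               b"October 6-7, 2011\nKeynote</body></html>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
                   + gzip.compress(SAMPLE_HTML)
                   + b"HTTP/1.1 304 Not Modified\r\n\r\n")

if __name__ == "__main__":
    for off, pcap in carve_pcaps(SAMPLE_UPLOAD):
        print(f"pcap at offset {off}: {len(pcap)} bytes (no trailing data)")
    for off, html in carve_gzips(SAMPLE_RESPONSE):
        print(f"gzip at offset {off}:\n{html.decode()}")
```

The record walk in pcap_length is a heuristic, the same kind of sanity check libpcap applies when it refuses a bogus record, so it will also stop early on a capture that was itself truncated mid-record; for a carve that is the desired behaviour, since everything after the last complete record is either junk or unrecoverable anyway.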

Gunzip it and inside we have an HTML file.  Searching that HTML file, we find:

Global AppSec Latin America 2011 Conference
October 6-7, 2011
Keynote

Answer: October 6-7, 2011
