Saturday, September 26, 2009

Network Forensics Contest Results

A month or two ago a nice little Network Forensic contest started. It wasn't too hard and wasn't too easy. It gave me a chance to parse through some traffic and see what was going on, and then to carve a file out of a packet capture using some of the SANS 508 stuff I learned a while back, before I picked up my GCFA cert.

The original puzzle can be found here, and then again here when SANS decided to sponsor it and give an On-Demand course away to the winner.

Well, I'm happy to say I at least got everything right, though I didn't win, nor was I one of the finalists. All of the finalists scripted out a way to answer the questions, or had one program that did it all (or most of it). The results can be found here.

Erik Hjelmvik, author of NetworkMiner, who is using some of the TCP and DHCP fingerprinting stuff from Satori, was one of the finalists and implemented some new stuff in 0.89 to become a finalist, though not a semifinalist since it wasn't all scripted out either. (When I used NetworkMiner to parse it out, it was only version 0.88; Erik hadn't released 0.89 until after I put my submission in.)

From a straight Network Forensics standpoint I understand why they wanted it scripted out, but from the standpoint of understanding how to actually do it, I'm glad I didn't depend on an automated program (granted, I believe each of the finalists had to write their own programs to do this). If you understand how to carve the data out then you can do this with pretty much any data; if you depend on a utility to do it, you may have to wait for updates to it if/when things change.

Ultimately I just wanted to make sure I could do it, and I'm happy that I got it done and answered correctly. I was more interested in it from a fingerprinting standpoint anyway and spent more of my time seeing what else was on the network!

If anyone wants to do it, the puzzle and pcap files are still out there!

Here is my submission and all my notes (again, I was interested in the rest of the network):


1. Sec558user1
2. Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
3. recipe.docx
4. 50 4B 03 04
5. 8350582774E1D4DBE1D61D64C89E0EA1
6. Recipe for Disaster:

1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

How I got there:

Tools Used:
Satori - Passive OS Fingerprinting
NetworkMiner - Network Forensic Analysis Tool, used for cookie stuff and a few other sanity checks
FrHed - used to hex edit the file to remove the initial stuff prior to the magic number
Wireshark - view and export pcap file
HashGenerator - compute hashes
Google of course to find some of the other info

I started with 2 programs: one I wrote, geared completely towards passive OS fingerprinting, Satori, and the other, NetworkMiner, whose developer I've worked with a little in the past. Using Satori I mapped out the machines identified in the packet capture and got an initial layout of the network, determining which systems did what on the network. Then, feeding the capture through NetworkMiner, I was able to get some of the initial clear text information going between clients. Once I had a better idea of what type of data was in the capture I started picking away at it with Wireshark.

Knowing Ann's IP it was easy to get started in Wireshark with a simple filter of ( == With this in place I scanned through the packets for anything out of the ordinary in the hex window. Basically I knew there had to be some type of clear text conversation going on due to what NetworkMiner had seen. We see Ann's computer is talking to a ( Since it is an AOL server it is probably AIM being used, but I did not verify that. The traffic looks to be SSL based on the destination port, but ends up being in clear text. I assume this was an attempt to get past any egress filtering, but I didn't dig into it since that wasn't requested at this time.

Identifying who she was talking to was fairly simple, and digging into whatever protocol the chat program she was using spoke would probably have been a good idea. Based on other things I saw she appears to be communicating with Sec558User1.

Eventually she transfers the file to the other user at computer, which appears to be a Windows XP box. Depending on your environment this may be a dead giveaway that you are having issues. Looking at the other systems on this network they all appear to be Linux boxes, so a new rogue XP box sticks out like a sore thumb. Something like PacketFence, which does DHCP fingerprinting, may be useful to block computers like this off the network, or at least make it a little harder for them to get a valid IP and use the network.

In packet 92 we see the beginning of the file transfer, sending the file recipe.docx.

The rest of the file transfer starts at about packet 109, where we are able to right click on it and do "Follow TCP Stream". This shows both directions of traffic. Next we need to go to the bottom and filter by -->, getting just the data that Ann's computer is sending to the XP box. Select Raw and do a Save As. This will save "extra" info in the file, which we will need to remove with some file carving next.

We now know, or appear to know, the type of file based on the file name above, so we need to look up its magic number. A docx file really is a zipped file, so it has the same magic number, which is: 50 4B 03 04 14 00 06 00

We now open the file we saved in a hex editor and search for the above magic number. Once we find it we delete everything prior to it and resave the file. There is always the chance that there will be extra junk at the end too that may need to be carved off.

After that, we can open up the file with OpenOffice or Microsoft Word and see what the data is. We could also unzip it instead and look at the .xml files generated if we need to find out more about the initial file.

Run the file through your choice of md5sum programs and you should be good to go.
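The carve-and-hash steps above, as an added Python example that is not part of the original post: it finds the first ZIP local-file header in the raw one-direction stream, drops everything before it, trims any trailing junk after the end-of-central-directory record, and computes the MD5. The sample stream is constructed here (a 256-byte header in the spirit of the OFT2 header, not its real layout, followed by a minimal docx-shaped zip and four junk bytes); it assumes the trailing junk does not itself contain the EOCD signature.

```python
import hashlib
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04: first bytes of the docx proper
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record closes a zip


def find_zip_start(stream: bytes) -> int:
    """Offset of the first local-file header, i.e. how many leading bytes to drop."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        raise ValueError("no zip local-file header in stream")
    return start


def carve_zip(stream: bytes) -> bytes:
    """Cut the zip out of a raw one-direction TCP stream.

    Leading bytes (the file-transfer protocol header) are dropped up to the
    first local-file header; trailing bytes are dropped after the EOCD record,
    which is 22 bytes plus the comment length stored in its bytes 20-21.
    """
    start = find_zip_start(stream)
    eocd = stream.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(stream):
        raise ValueError("zip EOCD record missing or truncated; incomplete transfer?")
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]


def md5_hex(data: bytes) -> str:
    """Upper-case MD5 of the carved file, the format used in the contest answer."""
    return hashlib.md5(data).hexdigest().upper()


def build_sample_stream() -> tuple:
    """Constructed sample, not real capture data: 256 bytes of header, a minimal
    docx-shaped zip, then 4 bytes of trailing junk. Returns (stream, expected_zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:t>Recipe for Disaster</w:t>")
    docx = buf.getvalue()
    header = (b"OFT2" + b"Cool FileXfer" + b"recipe.docx").ljust(256, b"\x00")
    return header + docx + b"\x00\x00\x00\x00", docx
```

Run `zipfile.is_zipfile(io.BytesIO(carve_zip(stream)))` on the result as the sanity check before trusting the hash; a False there usually means the stream was cut mid-transfer.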


Below are the notes I took while I went through the system. I typically wouldn't put them in a report, but there were a few interesting pieces of info in there.

Extra info and general notes on systems on the network and what they appear to do:
Linux 2.6 possibly, limited info, did what may have been a scan of Connected on port 80, but just did a handshake and said goodbye, no header info exchanged.
default gateway I assume
NTP Client Box, running SSH server ( connected to it)
running Samba 2.2.7 - 3.0.x client (actually 3.2.0, need to update Satori)
print queue
HTTP Server, or at least port 80 is open
Herbivore/SANS - Linux 2.4 or 2.6 box, packet 92 starts sending recipe.docx, packet 112 using Cool FileXfer sends it also
NTP Client
Talking to, most likely sec558user1
FTPs file to, SYN comes in in packet 109
Windows XP, 2000 or 2003 box (XP based on Web)
talking to
downloads zip file of smiley faces from
goes off to, requesting DNS info for them after download of resume.doc
pulled file (httpget) with: (removed since it was actually linking to the ad in this post!)
pulled file (httpget) with: (removed since it may have linked to ad also).
"username" on cookie: JEB2=4A839DDB6E65181C45921CB2F00016D8; ATTACID=a3Z0aWQ9MTU4NzdpYTAwYTh2Ymk=; ATTAC=a3ZzZWc9OTk5OTk6NTAyODA=; badsrfi=V0d710994e8ccb8db64a83a07939b2; atdemo=a3ZhZz1hbTM6dWEzOTtrdnVnPTE7; AxData=; atdses=0 appears to be "spyware/adware" based on a quick search

External Hosts - - (dns requested info by (dns requested info by - no DNS entry, only talking to via SSL), downloaded a zipped file of smile faces and their manifest. - DNS server, NTP Server

Clear text data, ( to (owned by AOL, so possibly AIM traffic)
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
Sec558user1..............J.H.........+..1n....+...O............J......a........X....< HTML >< BODY >< FONT FACE="Arial" SIZE=2 COLOR=#000000>thanks dude< /FONT>< /BODY>< /HTML >.
......+..1n....+...O.........*.V..".......*.............Sec558user1..*.V..........+.Q.....L.....Sec558user1..............J.H.........+..1n....+...O............J......s........j....< HTML >< BODY>< FONT FACE="Arial" SIZE=2 COLOR=#000000>can't wait to sell it on ebay< /FONT>< /BODY>< /HTML >
I5088496....Sec558user1..."................see you in hawaii!....*..f.".........J...........Sec558user1..*.V......

DOCX (zip) Magic Number:
50 4B 03 04 (ASCII: PK..)
ZIP PKZIP archive file
Trailer: filename 50 4B 17 characters 00 00 00 (filename PK 17 characters ...)
The same signature is shared by:
DOCX, PPTX, XLSX Microsoft Office Open XML Format Document
JAR Java archive; compressed file package for classes and data
SXC, SXD, SXI, SXW OpenOffice spreadsheet, drawing, presentation, and text files
WMZ Windows Media compressed skin file
XPI Mozilla Browser Archive
XPT eXact Packager Models

50 4B 03 04 14 00 06 00 (ASCII: PK......)
DOCX, PPTX, XLSX Office 2007 documents

Use Follow TCP Stream, just get one side of the conversation. Save as Raw. Look up the "magic number".
Search for it in the saved file. Delete everything prior to that and resave, get:

Recipe for Disaster:
1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

Hash on the File is:


Shivlu Jain said...

The explanation is wonderful with the help of tools. I got stuck when I saved the hex file and opened it in a hex editor, removed the data prior to the magic number and saved the file with a .docx extension. After that I was able to open the docx file but it is still not in human readable format. Could you explain whether we need to do anything more in it. Secondly, how did you find the md5 hash.

shivlu jain

xnih said...

Ok, so you've gone to packet 109 in Wireshark, done the right click, Follow TCP Stream, filtered it to only the packets from 1.158, set it to Raw and done a Save As...

At this point you have the whole conversation, but you still have some header information from the Oscar File Transfer protocol.

I opened the file up in Frhed (free hex editor). I then searched for PK. PK = 50 4b since frhed doesn't appear to let you search for hex (or at least it isn't for me right now).

'PK' was found at offset 256 (assuming you are starting at 0). There is a lot of 00 00 00 in front of it.

So here are the first 258 bytes or so, 256 of which we are going to make go away (bh evidently means hex value when I did the copy/paste out of Frhed):
OFT2[bh:01][bh:00][bh:01][bh:01][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:01][bh:00][bh:01][bh:00][bh:01][bh:00][bh:01][bh:00][bh:00].[bh:e8][bh:00][bh:00].[bh:e8][bh:00][bh:00][bh:00][bh:00][bh:b1]d[bh:00][bh:00][bh:ff][bh:ff][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:ff][bh:ff][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:ff][bh:ff][bh:00][bh:00]Cool FileXfer[bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00]recipe.docx[bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00][bh:00]PK

Everything prior to the PK needs to be deleted. So once we do that the file should start with 50 4b 03 04 14 00 06 00.

To do this with Frhed I just highlighted the first 256 bytes and hit delete. A window pops up and asks you what offset you want to start the delete at (x0) and what you want to end the delete at (xff).

Do a Save As and save it under a different name in case you had any issues, so that you still have the original. Then open it up. I used Open Office 3 just fine.

MD5 Hash - pick any program capable of doing MD5 hashes and tell that program to generate it. I used this program from a buddy of mine:
HashGenerator - compute hashes

Hope that helps.

Shivlu Jain said...

Really, thanks a lot. I am a beginner in security. Could you tell me some material to start with?

shivlu jain