Monday, November 23, 2009

Network Forensic Challenge #2 - update

Ok, the submission date got extended an extra week, which ended yesterday. Erik put out version 0.90 of NetworkMiner in which he added support to pull out SMTP messages from captured data. He found a bug in 0.90 and released 0.91 yesterday, it can be found here.

My answers are here:
2. Password:558r00lz
4. fake passport and a bathing suit.
5. secretrendezvous.docx
6. 9E423E11DB88F01BBFF81172839E1923
7. Playa del Carmen, Mexico
8. AADEACE50997B1BA24B09AC2EF1940B7

I used the pcapcat perl script from NFC #1 to extract the initial data. The one thing I think is a bit unrealistic in these contests is the packet captures are too small, there isn't 100-500 MB of stuff to sift through, trying to decide what is needed/not. Due to download feeds and whatnot I understand why that is, but.... Feeding a 100 kb pcap file through makes life quite simple. Anyway, I emailed the author of pcapcat, for what we've seen in #1 and #2 that script works fine, but if any packets are resent, or out of order, pcapcat fails to take that into account and just puts the data in the output file in the order it was seen in the pcap file. I tried to make some changes to it to fix that, but it was beyond what i could figure out in a short enough time period. Sent my thoughts on to him and we'll see if it gets updated in a future release. We could have used tcpflow, wireshark, etc to get the initial conversation dumped out.

Anyway, however you get the raw data is up to you, dump to it a file and then for me, feed it through which will parse it into whatever attachments it may have, pull the username/password out and decode them. You'll still need to do an MD5Sum on the extracted file. My script was completely hacked together, no subs, just start to finish run and output. Not pretty, but functional!

Open up the extracted file and you'll see the location they are meeting at and because .docx files are just zipped up files you can do an unzip on the .docx file, browse around, find the image file and do an MD5Sum on it also.

I'm being a bit vague on this one because it has been well over a month since I did most of this, and I don't recall all the specifics anymore. Here is someone else's writeup on how they did it, goes into a bit more detail, but same idea. His smtpcat is of course different than mine.

Update: (ok had some time to run through this for those who may need some more info)

First lets see what conversations we have going on in evidence02.pcap:
C:\nft>perl -r evidence02.pcap
[1] TCP ->
[2] TCP ->

Lets dump each:
C:\nft>perl -r evidence02.pcap -w file1.txt -d 1
C:\nft>perl -r evidence02.pcap -w file2.txt -d 2

Pull up each file in notepad or your favorite text editor and you'll see file1.txt isn't what we want, but about canceling lunch with someone. File2.txt though appears to have an attachment. Looking through it we can see the answers to some of our questions and we can see what the attachment is:
Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

We could just copy/paste the attachment into a nice web form on google and get it to spit out the file, but that defeats the purpose the exercise (though that is what I did initially to get the answers).

So next we feed it through like this:
C:\nft>perl -r file2.txt -w dir2

it will create the directory dir2 if it doesn't already exist and drop the attachments found in file2.txt into it.

We also get the following output:
password: 558r00lz

Other info:
From: "Ann Dercover"

Subject: rendezvous

Attachments and other top level info:
Content-type: multipart/mixed
Effective-type: multipart/mixed
Body-file: NONE
Subject: rendezvous
Num-parts: 2
Content-type: multipart/alternative
Effective-type: multipart/alternative
Body-file: NONE
Num-parts: 2
Content-type: text/plain
Effective-type: text/plain
Body-file: dir2\msg-860-1.txt
Content-type: text/html
Effective-type: text/html
Body-file: dir2\msg-860-2.html
Content-type: application/octet-stream
Effective-type: application/octet-stream
Body-file: dir2\secretrendezvous.docx
Recommended-filename: secretrendezvous.docx

We now know her username, password, who the email was from and to, along with the subject and the # of parts and what it created. Since there were no suggested names for the plain and html parts it made some up for it.

The username/password were both base64 encrypted. The 2 types of Authentication that we can easily decode are AUTH LOGIN and AUTH PLAIN, both being base64 encrypted, just different formats of storing the data. will handle both, even though only one was needed for this.

Here is what we have in dir2:
Directory of C:\nft\dir2

11/28/2009 02:53 PM 87 msg-860-1.txt
11/28/2009 02:53 PM 402 msg-860-2.html
11/28/2009 02:53 PM 207,438 secretrendezvous.docx

Looking at the .txt or .html files (both the same info one just plain text, one html) Ann asks her sweetheart to bring their fake passport and bathing suit to the attached address. Guess we need to go look at the .docx file.

Opening up the .docx file in OpenOffice we see that it is a picture of google maps telling where to meet. Running an extraction on the .docx file we can go to the word\media directory and find the attached image called image1.png. Do an md5sum on that file and on the original .docx file to get the md5's for them.

Again could be cleaned up a bit to add more stuff and be written cleaner, but for what was needed here this worked great. Using worked in this example, but as noted before, it does not take into consideration out of order packets, retransmissions, etc, so something else may be needed in "real life", though I still really like it!