Friday, October 5, 2012

Network Forensics - How to get better at

Ok, I like to toy in the network forensics world, but it is hard to get any better at it when I have so little time to dedicate to it on top of everything else going on with life and work!

Let's digress a bit. I like to play a game on Facebook called Battle Pirates, and I have sunk almost 2 years of spare time into it.  In trying to track down an issue way back when the game started, I realized that it sent some info in the clear about what was going on.  JSON messages would tell you whose ship was going across the map, where it was going and how strong the fleet was.  They might have a simple ship as the lead ship, making it look weak, but seeing it was a lvl 40 fleet you knew it was a farce.  I also realized I could see bases under their fog of war.  At the time, the only way to find someone was to scout, remove the fog of war and find their base, but by scanning around the map, even with the FOW in place, I could still see underneath it, because the data was on the wire for anyone who knew how to read it.

Eventually they lifted the whole idea of the fog of war and I stopped paying much attention to what I could pull, until I got bored with the game and was about to quit.  I noticed that I could actually tell, based on the JSON messages, exactly what was on a fleet when it was launched.  Once it was on the water all I could do was get updates on where it was going, etc., but if I was "watching" when it was launched, I could get exactly what was on it.  The only problem was that it came as coded numbers, looking something like this:
...[["create","oid",999999,"level",7,"on","Some User","type",3,"minidata",{"hullid":30},"x",999999900,"y",58500,"fleetid",3]],"updated_at":"99999999.837","transitionid":"99999999","data":{"fleet":{"mpm":0,"ships":[{"weapons":[104,112],"hullID":30,"tacticalModules":[],"armors":[303,303],"actives":{"flt":3,"fltp":1,"hp":192,"bid":99999,"f":1,"rank":5,"id":14},"specials":[550]},{"weapons":[121,104],"hullID":30,"tacticalModules":[],"armors":[310,310],"actives":{"flt":3,"fltp":4,"hp":172,"bid":99999,"f":0,"rank":3,"id":15},"spels":[550]},{"weapons":[104,121],"hullID":30,"tacticalModules":[],"armors":[302,302],"actives":{"flt":3,"fltp":2,"hp":132,"bid":99999,"f":0,"rank":5,"id":13},"specials":[550]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[312],"actives":{"flt":3,"fltp":3,"hp":362,"bid":99999,"f":0,"rank":0,"id":27},"specials":[530]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[320],"actives":{"flt":3,"fltp":5,"hp":225,"bid":99999,"f":0,"rank":0,"id":28},"specials":[500]}],"fspd":55,"adstats":[],"fnum":1,"mcap":28613,"fid":3}}


It provided me with where it was launched from, the rank and HP of each ship, the armor, any specials, and any tactical modules, along with the type of ship.

The only problem was finding something to translate those numbers into actually useful info.

I never did find it in the swf file, but I didn't look too hard there; instead, little by little, I launched my fleets, compared what I had on them to what the wire reported, and built out a list.
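As an added illustration (not code from the original post), here is how that list-building step looks in Python: parse a fleet message in the shape shown above, translate each ID through a hand-built lookup, fall back to the post's UnknownNN style for anything not yet mapped, and report which IDs still need correlating against the next launch. The sample message and the lookup values are constructed placeholders, not the real game mapping; the `.get("specials", [])` handles ships whose key is misspelled, as one is in the capture above.

```python
import json

# Constructed sample in the shape of the captured fleet-launch message
# (the one on the page is truncated). Values are placeholders, not real game data.
SAMPLE_MESSAGE = json.dumps({
    "updated_at": "99999999.837",
    "data": {"fleet": {"fnum": 1, "fid": 3, "ships": [
        {"weapons": [104, 112], "hullID": 30, "tacticalModules": [],
         "armors": [303, 303], "actives": {"hp": 192, "rank": 5, "id": 14},
         "specials": [550]},
        {"weapons": [182, 182], "hullID": 45, "tacticalModules": [],
         "armors": [312], "actives": {"hp": 362, "rank": 0, "id": 27},
         "spels": [530]},  # misspelled key, as seen in the real capture
    ]}},
})

# Hypothetical lookup tables, built by launching known fleets and matching IDs
# to what was on board. The names here are placeholders, not the real mapping.
HULLS = {30: "LightCruiser", 45: "Battlecruiser"}
WEAPONS = {104: "D53C", 112: "D53M"}
ARMORS = {303: "Armor93"}
SPECIALS = {550: "Sonar3"}

def name(table, prefix, item_id):
    """Translate one ID; unmapped IDs come back as Unknown<id> so they stand out."""
    return table.get(item_id, f"{prefix}{item_id}")

def ship_specials(ship):
    """Tolerate the 'spels' misspelling seen on the wire."""
    return ship.get("specials", ship.get("spels", []))

def decode_fleet(raw):
    """Return one line per ship in the post's list format."""
    fleet = json.loads(raw)["data"]["fleet"]
    lines = []
    for idx, ship in enumerate(fleet["ships"], start=1):
        hull = name(HULLS, "UnknownHull", ship["hullID"])
        specials = ",".join(name(SPECIALS, "Unknown", s) for s in ship_specials(ship))
        weapons = ",".join(name(WEAPONS, "Unknown", w) for w in ship["weapons"])
        armors = ",".join(name(ARMORS, "Unknown", a) for a in ship["armors"])
        lines.append(f"{idx} - {hull} (HP:{ship['actives']['hp']}) "
                     f"specials:[{specials}] weapons:[{weapons}] armors:[{armors}]")
    return lines

def unmapped_ids(raw):
    """IDs the tables don't cover yet: the ones to correlate on the next launch."""
    missing = set()
    for ship in json.loads(raw)["data"]["fleet"]["ships"]:
        missing.update(w for w in ship["weapons"] if w not in WEAPONS)
        missing.update(a for a in ship["armors"] if a not in ARMORS)
        missing.update(s for s in ship_specials(ship) if s not in SPECIALS)
    return sorted(missing)
```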

I rarely use the program now except to try to spot new ships being launched that I may not have, or to identify new weapons, armor, etc., and then ask people whether they are ones I know.

My latest trick was to notice that at the end of a battle you can see what was on the fleet you just fought.  With that in mind, and the tweaks they made today to BP, I decided to list out what was on the new fleets.  This is subject to change: just before this writing, most Drac fleets disappeared off the map, as I believe Kixeye may be revamping them due to outcry from those who don't like today's changes, but I digress.  Here are the ones I've checked so far (I had to do this manually from a packet capture and my list of numbers, as my program wasn't written to dissect this):

29:
1 - LightCruiser (HP:980)
specials:[Sonar3,SFB1]
weapons:[D53C,D53M,D53R]
armors:[Unknown93,Unknown93]
2 - LightCruiser (HP:980)
specials:[Sonar3,AA2]
weapons:[D71N,D71L,D71A]
armors:[Unknown93,Unknown93]
3 - Battleship (HP:3188)
specials:[Sonar3,SFB2,Autoload3]
weapons:[D71N,D71L,D71A,D53C,D53M,D53R]
armors:[Unknown94,Unknown94]
4 - Battlecruiser (HP:1478)
specials:[Sonar3,Eng2,HB2]
weapons:[D33P,D33A,D33P,D33A]
armors:[Unknown92,Unknown92]
5 - LightCruiser (HP:642)
specials:[Sonar3,AA2]
weapons:[D35S,D35S]
armors:[Unknown93]


37:
1 - LightCruiser (HP:980)
specials:[Sonar3,SFB2]
weapons:[D53C,D53M,D53R]
armors:[Armor93,Armor93]
2 - Battlecruiser (HP:1732)
specials:[Sonar3,HB2]
weapons:[D33P,D33A,D33P,D33A]
armors:[Armor93,Armor93]
3 - Dreadnought (HP:8749)
specials:[Sonar3,AA3,SFB3,Laser3]
weapons:[D53C,D53M,D53R,D53C,D93M,D93R,D33P,D33X]
armors:[Armor95,Armor95,Armor95,Armor95]
4 - Battlecruiser (HP:1732)
specials:[Sonar3,HB2,Eng2]
weapons:[D33P,D33A,D33P,D33A]
armors:[Armor93,Armor93]
5 - LightCruiser (HP:642)
specials:[Sonar3,SFB2]
weapons:[D53C,D53M,D53R]
armors:[Armor93]


45:
1 - Battlecruiser (HP:2546)
specials:[Sonar3,SFB3,AA2]
weapons:[D51L,D51A,D53M,D53R]
armors:[Armor95,Armor95]
2 - Battlecruiser (HP:2586)
specials:[Sonar3,AA2,HB3]
weapons:[D71N,D71L,D71A,D33P]
armors:[Armor95,Armor95]
3 - Battleship (HP:5220)
specials:[RA3,Eng3,HB3]
weapons:[D35S,D35S,D35S,D35X,D35X,D35X]
armors:[Armor95,Armor96,Armor95]
4 - Battleship (HP:4515)
specials:[AA3,HB3,HES3]
weapons:[D33X,D33P,D33A,D71N,D71L,D71A]
armors:[Armor96,Armor95]
5 - Battleship (HP:4874)
specials:[AA3,SFB3,Laser3]
weapons:[D53C,D53M,D53M,unknown,D71A]
armors:[Armor96,Armor96]


55:
1 - Battleship (HP:6378)
specials:[Sonar3,AA3,HES3]
weapons:[D71L,D71L,D71L,D71L,D33P,D33A]
armors:[Unknown96,Unknown96,Unknown96]
2 - Battleship (HP:6258)
specials:[Sonar3,AA3,SFB3]
weapons:[D71L,D71L,D53C,D53C,D53M,D53R]
armors:[Unknown96,Unknown96,Unknown96]
3 - Battleship (HP:6578)
specials:[Eng3,HB3,AA3]
weapons:[D33X,D33X,D33P,D33P,D33A,D33A]
armors:[Unknown96,Unknown96,Unknown96]
4 - Battleship (HP:6258)
specials:[Sonar3,AA3,SFB3]
weapons:[D53C,D53M,D53R,D71L,D71L,D93C]
armors:[Unknown96,Unknown96,Unknown96]
5 - Battleship (HP:6258)
specials:[HB3,Eng3,unknown]
weapons:[D35L,D35L,D35S,D35S,D35X,D35X]
armors:[Unknown96,Unknown96,Unknown96]


One thing I've noticed of late is that the armor on the Drac fleets is different from what we as players have access to.  Also, all the Drac hulls, while named the same, have different IDs, so they may have different specs than the ones players have.  The weapons and specials, for the most part, all seem to be the same as what we have access to, except for some of the weapons and tacticals that were in the last 2 raids.

Ok, so what does all this have to do with network forensics?  Only that you have to get comfortable with looking at tons of packet captures, and be willing to go back over them afterwards, because you never know what you may have missed in the past!  The evidence that I could see launched fleets and killed fleets was there in my packet captures a year ago, but up until recently I hadn't seen it, because I was filtering down to what I thought I wanted to see and missing what I really wanted in the process!