Saturday, September 26, 2009

Network Forensics Contest Results

A month or two ago started a nice little Network Forensic contest. It wasn't too hard and wasn't too easy. It gave me a chance to parse through some traffic and see what was going on. Then to carve a file out of a packet capture, using some of the SANS 508 stuff I learned awhile back before I picked up my GCFA cert.

The original puzzle can be found here and then again here when SANS decided to sponsor it and give an On-Demand course away for the winner.

Well happy to say I at least got everything right, though I didn't win, nor was I one of the finalists. All of the finalists scripted out a way to answer the questions, or had one program that did it all (or most of it). The results can be found here.

Erik Hjelmvik, author of NetworkMiner, who is using some of the tcp and dhcp fingerprinting stuff from Satori was one of the finalists and implemented some new stuff in 0.89 to become a finalist, though not a semifinalist since it wasn't all scripted out either. (When I used NetworkMiner to parse it out, it was only version 0.88, Erik hadn't released 0.89 until after I put my submission in).

From a straight Network Forensics standpoint I understand why they wanted it scripted out, but from understanding how to actually do it I'm glad I didn't depend on an automated program to do it (granted each of the finalists I believe had to write their own programs to do this). If you understand how to carve the data out then you can do this with pretty much any data, if you depend on a utility to do it, you may have to wait for updates to it if/when things change.

Ultimately I just wanted to make sure I could do it and am happy that I got it done and answered correctly. I was more interested in it from fingerprinting stand point anyway and spent more of my time on seeing what else was on the network!

If anyone wants to do it, the puzzle and pcap files are still out there!

Here was my submission and all my notes (again I was interested in the rest of the network):


1. Sec558user1
2. Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
3. recipe.docx
4. 50 4B 03 04
5. 8350582774E1D4DBE1D61D64C89E0EA1
6. Recipe for Disaster:

1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

How I got there:

Tools Used:
Satori - - Passive OS Fingerprinting
NetworkMiner - - Network Forensic Analysis Tool, used for cookie stuff and a few other sanity checks
FrHed - - used to Hex Edit the file to remove the initial stuff prior to the magic number
Wireshark - - view and export pcap file
HashGenerator - - computer hashes
Google of course to find some of the other info

I started with 2 programs, one I wrote geared completely towards passive OS fingerprinting, Satori, and the other program NetworkMiner which I've worked with the developer on a little in the past. Using Satori I mapped out the machines identified in the packet capture and got an initial layout of the network. Determing which systems did what on the network. Then feeding the capture through NetworkMiner I was able to get some of the initial Clear Text information that was going on between clients. Once I had a better idea of what type of data was in the capture I started picking away at it with Wireshark.

Knowing Ann's IP it was easy to get started in wireshark with a simple filter of ( == With this in place and scanning through the packets for anything out of the ordinary in the hex window. Basically I knew there had to be some type of clear text conversation going on due to what NetworkMiner had seen. We see Ann's computer is talking to a ( Since it is an AOL server it is probably AIM being used, but I did not verify that. The information looks to be SSL based on the destination port, but ends up being in clear text. I assume this was an attempt to get past any egress filtering, but didn't dig into it since that wasn't requested at this time.

Identifying who she was talking to was fairly simple, and digging into whatever protocol the chat program she was using would have probably been a good idea. Based on other things I saw she appears to be comunicating with Sec558User1.

Eventually she transfers the file to the other user at computer, which appears to be a Windows XP box. Depending on your env this may be a dead give away that you are having issues. Looking at the other systems on this network they all appear to be Linux Boxes, so a new rogue XP box sticks out like a sore thumb. Something like packet fence which does DHCP fingerprinting may be useful to block computers like this off their network or at least make it a little harder for them to get a valid IP and use the network.

In packet 92 we see the beginning of the file transfer. Sending the file recipe.docx

The rest of the file transfer which starts in about packet 109 where we are able to right click on it and do "Follow TCP Stream". This shows both directions of traffic. Next we need to go to the bottom and filter by -->, getting just the data that Ann's computer is sending to the XP box. Select Raw and do a Save As. This will save "extra" info in the file, which we will need to remove based on some file carving next.

We now know, or appear to know the type of file it is based on the file name above. We need to look up that magic number. A docx file really is a zipped file so it has the same magic number which is: 50 4B 03 04 14 00 06 00

We now open up the file we saved in a hex editor and do a search for the above magic number. Once we find it we delete anything prior to it and resave the file. There is always the chance that there will be extra junk at the end too that may need carved off.

After that, we can open up the file with OpenOffice or Microsoft Word and see what the data is. We could also unzip it instead and look at the .xml files generated if we need to find out more about the initial file.

Run the file through your choice of md5sum programs and you should be good to go.


Below is the notes I took while I went through the system, typically wouldn't put them in a report, but there was a few interesting pieces of info in there I found.

Extra info and general notes on systems on the network and what they appear to do: - Linux 2.6 possibly, limited info, did what may have been a scan of Connected on port 80, but just did a handshake and said goodbye, no header info exchanged. - default gateway I assume - NTP Client Box, running SSH server ( connected to it) - running Samba 2.2.7 - 3.0.x client (actually 3.2.0, need to update Satori)
print queue
HTTP Server, or at least port 80 is open
Herbivore/SANS - Linux 2.4 or 2.6 box, packet 92 starts sending recipe.docx, packet 112 using cool filexfer sends it also
NTP Client
Talking to, most likely sec558user1
FTPs file to, syn comes in in packet 109 - Windows XP, 2000 or 2003 box (XP based on Web)
talking to
downloads zip file of smiley faces from
goes off to, requesting DNS info for them after download of resume.doc
pulled file (httpget) with: (removed since it was actually linking to the ad in this post!)
pulled file (httpget) with: (removed since it may have linked to ad also).
"username" on cookie: JEB2=4A839DDB6E65181C45921CB2F00016D8; ATTACID=a3Z0aWQ9MTU4NzdpYTAwYTh2Ymk=; ATTAC=a3ZzZWc9OTk5OTk6NTAyODA=; badsrfi=V0d710994e8ccb8db64a83a07939b2; atdemo=a3ZhZz1hbTM6dWEzOTtrdnVnPTE7; AxData=; atdses=0 appears to be "spyware/adware" based on a quick search

External Hosts - - (dns requested info by (dns requested info by - no DNS entry, only talking to via SSL), downloaded a zipped file of smile faces and their manifest. - DNS server, NTP Server

Clear text data, ( to (owned by AOL, so possibly AIM traffic)
Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)
Sec558user1..............J.H.........+..1n....+...O............J......a........X....< HTML >< BODY >< FONT FACE="Arial" SIZE=2 COLOR=#000000>thanks dude< /FONT>< /BODY>< /HTML >.
......+..1n....+...O.........*.V..".......*.............Sec558user1..*.V..........+.Q.....L.....Sec558user1..............J.H.........+..1n....+...O............J......s........j....< HTML >< BODY>< FONT FACE="Arial" SIZE=2 COLOR=#000000>can't wait to sell it on ebay< /FONT>< /BODY>< /HTML >
I5088496....Sec558user1..."................see you in hawaii!....*..f.".........J...........Sec558user1..*.V......

DOCX (zip) Magic Number:
50 4B 03 04 PK..
ZIP PKZIP archive file (Ref. 1 | Ref. 2)
Trailer: filename 50 4B 17 characters 00 00 00
Trailer: (filename PK 17 characters ...)
DOCX, PPTX, XLSX Microsoft Office Open XML Format Document
JAR Java archive; compressed file package for classes and data
SXC, SXD, SXI, SXW OpenOffice spreadsheet, drawing, presentation, and text files
WMZ Windows Media compressed skin file
XPI Mozilla Browser Archive
XPT eXact Packager Models

50 4B 03 04 14 00 06 00 PK......
DOCX, PPTX, XLSX Office 2007 documents

Use Follow TCP Stream, just get one side of converation. Save as Raw. Lookup "magic number"
Search for it in Saved file. Delete everything prior to that and resave, get:

Recipe for Disaster:
1 serving
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove the saucepan from heat. Allow to cool completely. Pour into gas tank. Repeat as necessary.

Hash on the File is:

Thursday, September 24, 2009

Updated Fingerprint Programs

Jeff has done a great job making it easy to update the different xml files I use in Satori, along with the ability to have an underlying repository that helps keep everything the same across all of the files! He's also written a nice DHCP Fingerprinting program himself. These can be found at Devonic Delphi Page

DHCP Fingerprint Manager: imports text-based Wireshark traces to populate and fingerprint systems. Basically, you take a pcap file, parse out just the DHCP packets and export to a text file. You then dump that in and dhcp fingerprint the systems.

It is a lot faster than Satori and it gives you a lot of nice features after you are done. The Statistics is a wonderful little chunk of it you can do after reading in a file. I may have to steal some ideas from him on this! In the statistics area it breaks down % of End Systems by MAC Vendors, Fingerprint Names, Fingerprint Match Scores, OS Names, OS Classes OS Vendors, Device Types, Device Vendors, and then the Authors of the individual Fingerprints.

Fingerprint Editor: The program I use all the time these days to modify the different xml files that Satori and these different programs are using. I used to always do it by hand, but inevitably I always missed updating something. It was nice to have this to help keep things in sync, update the time stamps, etc! If you are creating fingerprints to send me, and not just sending me the raw data, this is the perfect program to use!

There is also DEF File Editor that modifies the definition files the programs above use.

He has quite a few other nice programs out there, and if any of you are delphi programs check out his Delphi Components page. I used a few pieces from there myself.

Friday, September 11, 2009

Gaining ground?

2 blogs talking about DHCP fingerprinting in 2 days, not bad. The 2nd one may have been inspired by the first since it links to it, but it also has a link to my BH briefing, so hey, I can't complain.

Meraki did the first one yesterday. (I love Google Alerts) I've tried to contact Hans about what they are doing (option55 data only, or more like I'm doing with the dhcp.xml file), so far I haven't heard anything back, but it was a Friday. We'll see if I get any response or not. If anyone has a POC for Meraki maybe check into it for me.

The second blog was from They have a link to David and my Blackhat Presentation from 2007 for those that haven't looked at it before. He mentions a product CoovaRADIUS which I hadn't heard of before (nor had I heard of Meraki for that matter). It appears CoovaRADIUS can do dhcp fingerprinting via CoovaChilli. They appear to be using the packetfence data, so just option55 without taking into account if it is a Request/Discover/Offer/Inform/etc packet. May have to try to get a hold of the developer there too and see if they are interested in trying to use the dhcp.xml file. Always good to get more people using it, thereby expanding the database as more people have access to more devices.

Monday, September 7, 2009

Great Dataset to parse through by ITOC

ITOC has a great set of data to parse through for those that are interested:

Just over 8 GB of data between inside/outside captures.

They also have a blog setup:

I'm hoping for some more information on exact OS's being released so that I can take the data that Satori spit out and use that to extend the fingerprints on FreeBSD and possibly some of the other OS's seen on the network. I'd hate to just take and put it under the generic FreeBSD if we can tell for sure it was 7.0 or whatever.

Satori already has ID'd the systems, quite well from their initial diagram, but it would be nice to know for sure that it is correct before extending some of the fingerprints!

One problem I'm having it is takes forever to go through 1 GB files with Satori. Some of it has to do with the amount of "stuff" I've added to it, but that is just a lot of data to parse too! Oh well, 1-2 hours per file, come back, see if it blew up, etc. (Update: Make that 1-2 hours on the 100 MB files, not sure how many days to get through the 1 GB files!) This data set at least gave me some new packets that I hadn't seen before that caused some problems, so I updated a few of the dlls to handle vlan traffic in them. I was feeding it in, just not parsing it correctly!