Network-forensics:Cas-pratique-2
Network Forensics Puzzle Contest - Puzzle #2: Ann Skips Bail
Introduction
The objective of this puzzle is to analyse the evidence02.pcap file to discover what is happening with Ann, who is suspected of being a spy. To solve this case, I worked on a Linux system: Ubuntu 9.04.
The first step consists of downloading the capture file. This could be done by issuing
$ wget http://forensicscontest.com/contest02/evidence02.pcap
A good practice is to ensure that file integrity is preserved. md5sum evidence02.pcap gives me cfac149a49175ac8e89d5b5b5d69bad3, which matches the published value, so we can carry on.
General Information
Before we start to answer the questions, let's have a look at the capture file (evidence02.pcap). Argus (qosient.com) and its associated clients (ra*) provide some interesting information. Let's start by converting the initial file to Argus format (Script 1).
$ argus -r evidence02.pcap -w evidence02.ra
--Script 1. Conversion of pcap file in argus format
We analyse the file with rahosts to identify the hosts involved in the conversation. As we can see in Script 2, Ann's computer (192.168.1.159) communicates with an external computer which seems to belong to the AOL network (Script 3).
$ rahosts -r evidence02.ra
192.168.1.2:   (1) 192.168.1.159
192.168.1.10:  (3) 192.168.1.30, 192.168.1.159, 192.168.1.255
192.168.1.30:  (1) 192.168.1.10
192.168.1.159: (5) 10.1.1.20, 64.12.102.142, 192.168.1.10, 192.168.1.30, 192.168.1.255
--Script 2. Identification of implied hosts with rahosts
$ whois -h whois.cymru.com 64.12.102.142
AS      | IP               | AS Name
1668    | 64.12.102.142    | AOL-ATDN - AOL Transit Data Network
--Script 3. ASN of 64.12.102.142
In addition, the flows to 64.12.102.142 account for by far the largest amount of data, as we can see in Script 4.
$ racluster -M norep -m saddr daddr -nr evidence02.ra -w - \
  | rasort -L0 -m bytes -s saddr daddr pkts bytes
      SrcAddr          DstAddr  TotPkts   TotBytes
192.168.1.159    64.12.102.142      490     314771
192.168.1.10      192.168.1.30       28       6680
192.168.1.159    192.168.1.255       16       2007
192.168.1.10      192.168.1.30       18        756
192.168.1.159     192.168.1.30        2        519
192.168.1.159        10.1.1.20        2        371
192.168.1.10     192.168.1.255        4        360
192.168.1.159     192.168.1.10        8        336
192.168.1.2      192.168.1.159        2         84
192.168.1.159     192.168.1.30        2         84
--Script 4. Flow volumes with racluster
Email addresses, login and password (questions #1-#3)
As we have seen in the previous section, the largest flows originate from Ann's computer. To focus on these flows quickly, we use tcpflow to split the capture into one file per TCP stream direction, as shown in Script 5.
$ tcpflow -r evidence02.pcap
$ ls -lhS
280K 2009-10-14 19:24 192.168.001.159.01038-064.012.102.142.00587
1,5K 2009-10-14 19:24 192.168.001.159.01036-064.012.102.142.00587
507  2009-10-14 19:24 064.012.102.142.00587-192.168.001.159.01036
507  2009-10-14 19:24 064.012.102.142.00587-192.168.001.159.01038
--Script 5. Result of splitting operation with tcpflow
To answer the first question (What is Ann's email address?), we open the largest file (192.168.001.159.01038-064.012.102.142.00587): see Script 6.
# cat 192.168.001.159.01038-064.012.102.142.00587 | head -n 12
EHLO annlaptop
AUTH LOGIN
c25lYWt5ZzMza0Bhb2wuY29t
NTU4cjAwbHo=
MAIL FROM: <[email protected]>
RCPT TO: <[email protected]>
DATA
Message-ID: <001101ca49ae$e93e45b0$9f01a8c0@annlaptop>
From: "Ann Dercover" <[email protected]>
To: <[email protected]>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
--Script 6. Extract of 192.168.001.159.01038-064.012.102.142.00587 file
The From: "Ann Dercover" header gives [email protected], which is Ann's email address. She sends a mail to [email protected] (To:), her supposed lover.
In addition (Script 7), the strings "c25lYWt5ZzMza0Bhb2wuY29t" and "NTU4cjAwbHo=", sent between the AUTH LOGIN and DATA commands, are respectively Ann's login ([email protected]) and password (558r00lz). Both are only base64-encoded, not encrypted: anyone who captures the stream can reverse the encoding, as specified in RFC 4954 ("A server challenge is sent as a 334 reply with the text part containing the [BASE64] encoded string supplied by the SASL mechanism. This challenge MUST NOT contain any text other than the BASE64 encoded challenge"). We know the authentication succeeded since the server answers with a 235 AUTHENTICATION SUCCESSFUL message (Script 8).
$ echo 'c25lYWt5ZzMza0Bhb2wuY29t' | base64 -d -
[email protected]
$ echo 'NTU4cjAwbHo=' | base64 -d -
558r00lz
--Script 7. Login and password decoded with base64
$ xxd evidence02.pcap | more
00029e0: 18fa f052 8300 0032 3335 2041 5554 4845  ...R...235 AUTHE
00029f0: 4e54 4943 4154 494f 4e20 5355 4343 4553  NTICATION SUCCES
0002a00: 5346 554c 0d0a a38d d04a 7dd2 0800 5700  SFUL.....J}...W.
--Script 8. 235 code meaning authentication is successful
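As an added example (not part of the original write-up), here is a Python helper that recovers the credentials from a tcpflow client stream the way Script 7 does by hand. It goes a little beyond the capture: it also handles AUTH PLAIN and the form where the username is given on the AUTH LOGIN line itself. The stream below is constructed from the lines quoted in Script 6, with a placeholder MAIL FROM address.

```python
import base64
import binascii

# Constructed sample: the client->server half of the SMTP submission, laid out
# as tcpflow writes it. The AUTH lines are the ones quoted in Script 6; the
# MAIL FROM address is a placeholder.
CLIENT_FLOW = (
    "EHLO annlaptop\r\n"
    "AUTH LOGIN\r\n"
    "c25lYWt5ZzMza0Bhb2wuY29t\r\n"
    "NTU4cjAwbHo=\r\n"
    "MAIL FROM: <sender@example.invalid>\r\n"
    "DATA\r\n"
)


def extract_smtp_credentials(flow):
    """Return (mechanism, username, password) for an AUTH LOGIN or AUTH PLAIN
    exchange found in a client->server SMTP stream, or None if there is none.

    Both mechanisms only base64-encode the secret (RFC 4954 / RFC 4616), so a
    capture of a session without TLS yields the password exactly as done here.
    """
    lines = [ln.strip() for ln in flow.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        words = line.split()
        if len(words) < 2 or words[0].upper() != "AUTH":
            continue
        mech = words[1].upper()
        need = {"LOGIN": 2, "PLAIN": 1}.get(mech)
        if need is None:
            return None          # CRAM-MD5 and friends never send the password
        # The first token may be given inline ("AUTH LOGIN <b64user>") or on
        # the following line(s); a lone "*" cancels the exchange (RFC 4954).
        tokens = (words[2:3] + lines[i + 1:i + 1 + need])[:need]
        if len(tokens) < need or "*" in tokens:
            return None
        try:
            raw = [base64.b64decode(t, validate=True) for t in tokens]
        except binascii.Error:
            return None
        if mech == "PLAIN":      # one blob: [authzid] NUL authcid NUL password
            fields = raw[0].split(b"\0")
            if len(fields) != 3:
                return None
            raw = fields[1:]
        user, password = (x.decode("utf-8", "replace") for x in raw)
        return mech, user, password
    return None
```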
Following the same logic, we notice that the file 192.168.001.159.01036-064.012.102.142.00587 tells us about Ann's activity. In this mail (sent to [email protected]), she postpones a lunch planned for next week (Script 9).
From: "Ann Dercover" <[email protected]>
To: <[email protected]>
Subject: lunch next week
Date: Sat, 10 Oct 2009 07:35:30 -0600
... (truncated) ...
Sorry-- I can't do lunch next week after all. Heading out of town. =
Another time!
-Ann
--Script 9. Ann won't be available for lunch!
What does Ann ask her lover to bring? (Question #4)
To answer question #4, we simply open 192.168.001.159.01038-064.012.102.142.00587 again (Script 10).
$ cat 192.168.001.159.01038-064.012.102.142.00587 | more
From: "Ann Dercover" <[email protected]>
To: <[email protected]>
Subject: rendezvous
Date: Sat, 10 Oct 2009 07:38:10 -0600
... (truncated) ...
Hi sweetheart! Bring your fake passport and a bathing suit. Address =
attached.
love, Ann
--Script 10. Ann plans to escape!
As we can see, Ann postponed the lunch with her colleague in order to meet her lover. The latter is asked to bring his fake passport and a bathing suit. But where are they going?
Where do they meet and where do they plan to go? (Questions #5-#8)
As we can see in Script 11, the mail contains an attachment named "secretrendezvous.docx", which the MIME headers announce as a base64-encoded octet stream and whose name suggests a docx file.
$ cat 192.168.001.159.01038-064.012.102.142.00587 | more
------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream; name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="secretrendezvous.docx"

UEsDBBQABgAIAAAAIQDleUAGfwEAANcFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC
... (truncated) ...
AA0ADQBEAwAA9CYDAAAA

------=_NextPart_000_000D_01CA497C.9DEC1E70--
.
QUIT
--Script 11. What does the mail contain? An attachment?
To decode it, we isolate the string corresponding to the attachment (UEsDBBQ ..... AwAA9CYDAAAA) and decode it with base64, since the header says Content-Transfer-Encoding: base64. See Script 12.
### Extract the attachment string from the flow (head, tail)
### and join it onto a single line (tr)
cat tmp/192.168.001.159.01038-064.012.102.142.00587 \
  | head -n 3700 | tail -n 3640 \
  | tr -d "\r\n" > tmp/evidence.encoded
### We know the encoding: Content-Transfer-Encoding: base64
### Decode the extracted string
base64 -d tmp/evidence.encoded > tmp/evidence.docx
### Print the MD5sum of the file
md5sum tmp/evidence.docx
--Script 12. Extraction and base64 decoding of the attachment
Once the attached docx file has been reassembled, we can easily compute its MD5sum: 9e423e11db88f01bbff81172839e1923. When we open the file, we are pleased to discover that it contains a text ("Meet me at the fountain near the rendezvous point. Address below. I'm bringing all the cash.") and a map that points to the meeting place (Playa Del Carmen, in Mexico). Hopefully they'll have nice weather!
To extract the embedded map, we need to understand the docx format.
After some further research on the Internet, I found that a docx file is in fact a ZIP archive, so unzip can open it. Script 13 shows how to extract the picture contained in the document.
### Extract (quiet mode) the docx content and print the MD5sum of the picture
unzip -q tmp/evidence.docx -d tmp/
md5sum tmp/word/media/image1.png
--Script 13. Does the docx contain a picture? A map.
After extraction, a word/media/ directory has been created and contains our map. Its MD5sum is aadeace50997b1ba24b09ac2ef1940b7.
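An added example (not from the original write-up) that performs Scripts 12 and 13 in one pass: it locates the attachment by its MIME boundary instead of counting lines with head and tail, undoes the base64 transfer encoding, checks for the ZIP magic that every docx carries before trusting it, and hashes the word/media/ members. Because the real attachment is only partially quoted above, the message here is a constructed stand-in with a tiny docx-like zip and a placeholder sender address.

```python
import base64
import email
import hashlib
import io
import zipfile
from email import policy

BOUNDARY = "----=_NextPart_000_000D_01CA497C.9DEC1E70"   # boundary seen in Script 11
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 32              # constructed stand-in image

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def build_sample_message():
    """Constructed stand-in for Ann's DATA section: a tiny docx-like zip (OOXML
    is just a zip) holding one fake image, base64-encoded like the real mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/media/image1.png", FAKE_PNG)
    b64 = base64.encodebytes(buf.getvalue()).decode().replace("\n", "\r\n")
    return (
        'From: "Ann Dercover" <sender@example.invalid>\r\n'   # placeholder address
        f'Subject: rendezvous\r\nContent-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n\r\n'
        f"--{BOUNDARY}\r\nContent-Type: text/plain\r\n\r\nAddress attached.\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: application/octet-stream; name="secretrendezvous.docx"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="secretrendezvous.docx"\r\n\r\n'
        f"{b64}--{BOUNDARY}--\r\n"
    )

def extract_attachments(raw_message):
    """Return [(filename, md5, media)] per attachment; media maps each word/media/*
    member to its MD5 when the payload is a zip (docx/xlsx/pptx all start with the
    'PK\\x03\\x04' local-file-header magic), else None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():          # found by MIME boundary, not line counts
        data = part.get_payload(decode=True)     # undoes the base64 transfer encoding
        if not data:
            continue
        media = None
        if data[:4] == b"PK\x03\x04":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                media = {n: md5_hex(zf.read(n)) for n in zf.namelist()
                         if n.startswith("word/media/")}
        results.append((part.get_filename(), md5_hex(data), media))
    return results
```

Run against the real flow file, `extract_attachments(open(path).read())` yields the docx MD5 and the image1.png MD5 from Scripts 12 and 13 without any hard-coded line numbers.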
Conclusions
I really enjoyed doing this challenge. I learned a lot from it, and it was an excellent exercise for practising and learning about docx files. My only regret is not knowing the end of the story. But I'm sure that will be fixed in a coming challenge...