A few days ago I tried one of the challenges on Forensicscontest.com, this time Puzzle #2. It was a very rewarding experience: besides indirectly studying for the GCIA exam, which demands solid knowledge of network log (pcap) analysis, I got hands-on time with several tools, among them chaosreader, which I used while working through the puzzle.
Unlike the output of tshark, tcpdump and the like, this Perl script produces HTML output (see below), which makes analysing long client/server dialogues much easier; it can also write each session out in raw and hex form. While testing it, after a few hours of debugging the code, I noticed a flaw in the tool's routine that parses the payload of IP packets. That routine fills a hash (%IP) with the bytes of each TCP segment, using the packet's capture timestamp as the key.
Can you guess the problem? Packets with identical timestamps! Although the odds are small (the timestamp carries six decimal places after the seconds), packets with the same capture time are stored under the same key, so only the content of the last one survives. As a result, the integrity of any IP payload the tool reconstructs cannot be guaranteed.
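To make the failure mode concrete, here is an added example (it is not chaosreader's code and not part of the original post) that builds a tiny libpcap file in memory and reassembles it three ways: keyed on the timestamp alone, keyed with a one-time 10 µs bump on collision, and keyed on timestamp plus record position. The records are constructed, the link type is assumed to be DLT_RAW, and the payloads are treated as opaque blobs; no IP or TCP decoding is done.

```python
"""Added example: why keying packet reassembly on the capture timestamp alone loses
data (chaosreader 0.94 behaviour), what a 'bump by 10 us' fix does, and a
collision-free alternative. Builds a tiny libpcap file in memory; payloads are
treated as opaque blobs (no IP/TCP decoding)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap, microsecond timestamps
LINKTYPE_RAW = 101        # DLT_RAW; assumption: the record payload is an opaque blob here

def build_pcap(records):
    """Serialise (ts_sec, ts_usec, payload) tuples as a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for sec, usec, payload in records:
        out.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, payload) for every record, in file order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + incl_len]
        off += incl_len

def reassemble_by_time(data):
    """chaosreader 0.94 style: the capture time is the only key, so a later
    record with the same timestamp silently replaces the earlier one."""
    by_time = {}
    for sec, usec, payload in iter_pcap(data):
        by_time[(sec, usec)] = payload
    return b"".join(by_time[k] for k in sorted(by_time))

def reassemble_by_bumped_time(data):
    """On a collision, bump the key once by 10 us. Two equal timestamps are now
    fine, but a third one is bumped to the same value as the second and still
    overwrites it; the bumped key may also coincide with a genuine later packet."""
    seen, by_time = set(), {}
    for sec, usec, payload in iter_pcap(data):
        key = (sec, usec)
        if key in seen:
            key = (sec, usec + 10)
        seen.add(key)
        by_time[key] = payload
    return b"".join(by_time[k] for k in sorted(by_time))

def reassemble_by_time_and_index(data):
    """Collision-free: the record's position in the file breaks ties, so equal
    timestamps keep both their data and their capture order."""
    keyed = {}
    for index, (sec, usec, payload) in enumerate(iter_pcap(data)):
        keyed[(sec, usec, index)] = payload
    return b"".join(keyed[k] for k in sorted(keyed))

# Constructed sample: three records in the same microsecond, then one 333 us later.
SAMPLE_PCAP = build_pcap([
    (1255203316, 123456, b"A|"),
    (1255203316, 123456, b"B|"),
    (1255203316, 123456, b"C|"),
    (1255203316, 123789, b"D"),
])

if __name__ == "__main__":
    for fn in (reassemble_by_time, reassemble_by_bumped_time, reassemble_by_time_and_index):
        print("%-28s %r" % (fn.__name__, fn(SAMPLE_PCAP)))
```

Run it and the first two strategies return fewer bytes than were captured; only the tuple key keeps every record and its capture order. The same principle applies to chaosreader: %IP needs a key that is unique per packet, such as the packet counter, not the timestamp on its own.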
I contacted the author (Brendan Gregg) and wrote a small patch for the script. That may have been what the challenge authors valued, since I wrote practically no code to automate the processing of the answers, as all the finalists did, and still made it into the 15 semifinalists. By the way, the finalists' solutions are worth a look, with scripts written in Perl, Ruby and Python.
The winners were announced yesterday during the PaulDotCom security podcast. The prize this time was a Lenovo netbook, unlike the previous prize, which was a SANS training course. The organisers (SANS instructors) decided to award two candidates, one netbook each.
Now we wait for the next challenge!
Below is the write-up I submitted.
Name: Alexandre Teixeira
Date: 14th Oct 2009
Tools: see the References section [4]
Narrative
-----------
[1] - Verifying Packet Capture Integrity
$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap
[2] - Network Sessions - Enumerate & Dump
2.1 - Verifying Network Connections
2.1.1 - TCPDUMP
$ tcpdump -r evidence02.pcap | less
$ tcpdump -r evidence02.pcap udp
The second command shows that UDP traffic is present.
2.2 - Using Chaosreader PCAP parser
I chose this tool because it also decodes UDP sessions and shows the conversations as coloured HTML.
Parameters: -v (Verbose), -e (Create HTML 2-way & hex files for everything), -D (Output Dir)
$ chaosreader0.94 -v -e -D chaos_dump/ evidence02.pcap
Chaosreader ver 0.94
Opening, evidence02.pcap
Reading file contents,
100% (335144/335144)
Reassembling packets,
100% (542/542)
Creating files...
Num Session (host:port <=> host:port) Service
0007 192.168.1.159:1036,64.12.102.142:587 submission
0008 192.168.1.159:1038,64.12.102.142:587 submission
0002 192.168.1.10:123,192.168.1.255:123 ntp
0009 192.168.1.159:1025,192.168.1.30:514 syslog
0001 192.168.1.10:52111,192.168.1.30:514 syslog
0006 192.168.1.159:1026,10.1.1.20:53 domain
0005 192.168.1.10:123,192.168.1.30:123 ntp
0004 192.168.1.159:137,192.168.1.255:137 netbios-ns
0003 192.168.1.159:138,192.168.1.255:138 netbios-dgm
index.html created.
[3] - Answering Questions
3.1 - What is Ann’s email address?
To find this, first look at the protocols/services present: NTP, Syslog, Submission, Domain and NetBIOS.
All of them are familiar except 'Submission'. After some Google searching, I found that this is the message submission protocol, used by mail clients to hand email to a server on TCP port 587, as described in this RFC:
http://www.faqs.org/rfcs/rfc2476.html
Submission is therefore the only protocol here that has anything to do with email, so Ann's address is likely to be found in it.
After investigating session 7 (clicking in HTML output link), I found the following network conversation:
submission: 192.168.1.159:1036 -> 64.12.102.142:587
File evidence02.pcap, Session 7
220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
So, the answer is in the last line above: sneakyg33k@aol.com
3.2 - What is Ann’s email password?
To recover this information, the network conversation above must be interpreted. The following RFCs describe the authentication method used (SASL, carried by the SMTP AUTH command):
http://www.faqs.org/rfcs/rfc4422.html (obsoletes RFC 2222)
http://www.faqs.org/rfcs/rfc2554.html
The following excerpt describes how the exchange works:
C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange with
additional data with success
This is equivalent to:
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
Lines starting with a numeric code come from the server; the others come from Ann (or rather her mail client). The authentication exchange is explained in the 'Challenges and Responses' section of RFC 4422 and 'The AUTH command' in RFC 2554. To decode the base64 strings I used the Linux 'base64' command:
$ echo -n VXNlcm5hbWU6 | base64 -d; echo
Username:
$ echo -n c25lYWt5ZzMza0Bhb2wuY29t | base64 -d; echo
sneakyg33k@aol.com
$ echo -n UGFzc3dvcmQ6 | base64 -d; echo
Password:
$ echo -n NTU4cjAwbHo= | base64 -d; echo
558r00lz
So the answer is: 558r00lz
The same password can be verified in the content of session 8.
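The manual decoding above can be automated over a whole transcript. The following added example (not part of the write-up) walks an SMTP session, tells server replies apart from client lines by the three-digit reply code, collects the client's base64 responses to the 334 challenges and decodes them; it goes slightly beyond the capture by also handling AUTH PLAIN (RFC 4616), for which a second, constructed session is included. The first sample is session 7 as shown on this page, with the server's EHLO reply trimmed.

```python
"""Added example: recover credentials from a plaintext SMTP AUTH exchange.
Server lines are recognised by their 3-digit reply code; the client's base64
responses are decoded. Handles AUTH LOGIN (as in the capture) and AUTH PLAIN."""
import base64
import re

SERVER_LINE = re.compile(r"^\d{3}[ -]")                 # SMTP reply: code plus space or dash
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.I)

def _b64(text):
    return base64.b64decode(text, validate=True).decode("utf-8", "replace")

def _plain_credentials(response):
    """RFC 4616 AUTH PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded."""
    fields = _b64(response).split("\0")
    if len(fields) != 3:
        raise ValueError("malformed AUTH PLAIN response")
    return fields[1], fields[2]

def extract_smtp_auth(transcript):
    """Return mechanism, username, password, MAIL FROM address and whether the
    server accepted the credentials (235) for one SMTP session transcript."""
    found = {"mechanism": None, "username": None, "password": None,
             "mail_from": None, "authenticated": False}
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        m = MAIL_FROM.match(line)
        if m:
            found["mail_from"] = m.group(1)
        elif line.startswith("235"):
            found["authenticated"] = True
        elif line.upper().startswith("AUTH "):
            parts = line.split(None, 2)
            mech, responses = parts[1].upper(), parts[2:]   # parts[2]: optional initial response
            i += 1
            # The exchange is 334 challenges from the server answered by the client,
            # ended by a final reply (235 success, 4xx/5xx failure).
            while i < len(lines):
                nxt = lines[i]
                if SERVER_LINE.match(nxt):
                    if not nxt.startswith("334"):
                        break
                else:
                    responses.append(nxt)
                i += 1
            found["mechanism"] = mech
            if mech == "LOGIN" and len(responses) >= 2:
                found["username"], found["password"] = _b64(responses[0]), _b64(responses[1])
            elif mech == "PLAIN" and responses:
                found["username"], found["password"] = _plain_credentials(responses[0])
            continue            # re-examine the final reply line at the top of the loop
        i += 1
    return found

# Session 7 from the capture, as shown on the page (server EHLO reply trimmed).
SESSION_7 = """\
220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>
"""

# Constructed AUTH PLAIN session with the initial response on the AUTH line (not from the capture).
SESSION_PLAIN = "\n".join([
    "220 mx.example.net ESMTP",
    "EHLO laptop",
    "250 mx.example.net",
    "AUTH PLAIN " + base64.b64encode(b"\0alice@example.com\0hunter2").decode("ascii"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<alice@example.com>",
])

if __name__ == "__main__":
    print(extract_smtp_auth(SESSION_7))
    print(extract_smtp_auth(SESSION_PLAIN))
```

The point of keeping the 235/535 check is forensic: a decoded password is only worth reporting if the server actually accepted it, and a session that went through STARTTLS before AUTH would yield no client lines here at all.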
3.3 - What is Ann’s secret lover’s email address?
The address is likely to be the destination of the message in session 8, whose body reads:
"Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann"
So, the answer is: mistersecretx@aol.com
This is the value of the 'RCPT TO' command seen in session 8.
3.4 - What two items did Ann tell her secret lover to bring?
As already shown, the answer is: a fake passport and a bathing suit
3.5 - What is the NAME of the attachment Ann sent to her secret lover?
Session 8 carries Ann's message to her 'secret lover'. The message has a document (docx) attached, as seen in the HTML output generated by the chaosreader script (session_0008.submission.html):
.filename="secretrendezvous.docx"
So, the answer is: secretrendezvous.docx
3.6 - What is the MD5sum of the attachment Ann sent to her secret lover?
To compute this, the attachment must be decoded. The file part is enclosed by the lines containing the following text:
------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
(...)
[ data encoded in base64 ]
------=_NextPart_000_000D_01CA497C.9DEC1E70--
These parts can be seen in the file session_0008.submission.raw.
Chaosreader version 0.94 (current) has a bug when parsing pcap files: it uses the packet's capture timestamp as the key of the hash (%IP) it populates, so packets with equal timestamps overwrite each other. I fixed it and attached the patched version (already sent to Brendan Gregg, the author).
The file 'session_0008.submission.raw' contains the session data we are looking for (the attached file).
The following perl one-liner prefixes each line of that file/session with its line number:
$ perl -pe 'print ${.}." "' < chaos_dump/session_0008.submission.raw
After that it is easy to see that line 78 marks the beginning of the base64 stream of the attachment and that the last line, 3717, contains its end.
The following command decodes the file after removing whitespace (\s regex) from the lines in the range 78-3717:
$ perl -ne 's/\s//g; print if (${.} >= 61 && ${.} <=3717);' < chaos_dump/session_0008.submission.raw | base64 -d > secretrendezvous.docx
The md5sum command is then used:
$ md5sum secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 secretrendezvous.docx
Answer: 9e423e11db88f01bbff81172839e1923
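Selecting the base64 stream by line numbers works for one capture but breaks as soon as the session file changes. The added example below (not from the write-up) does the same job with the standard library's MIME parser: it cuts the DATA section out of a captured client/server SMTP transcript, undoes RFC 5321 dot-stuffing, walks the MIME parts and hashes every attachment. The transcript and the attachment bytes are constructed (EmailMessage generates the base64 body), so the digest it prints is not the evidence file's.

```python
"""Added example: pull the attachment out of a captured SMTP DATA section with a
MIME parser instead of hard-coded line numbers, then hash it. The transcript is
constructed (EmailMessage builds the base64 body), not the case evidence."""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

FAKE_DOCX = b"PK\x03\x04" + b"stand-in bytes for a docx " * 8   # constructed, not a real docx

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def build_sample_transcript():
    """Client/server SMTP dialogue whose DATA section carries one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"          # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "rendezvous"
    msg.set_content("Hi! Address attached.")
    msg.add_attachment(FAKE_DOCX, maintype="application", subtype="octet-stream",
                       filename="secretrendezvous.docx")
    return (b"MAIL FROM:<sender@example.com>\r\n250 OK\r\n"
            b"RCPT TO:<recipient@example.com>\r\n250 OK\r\n"
            b"DATA\r\n354 Start mail input; end with <CRLF>.<CRLF>\r\n"
            + msg.as_bytes() + b"\r\n.\r\n250 OK queued\r\n")

def smtp_data_section(transcript):
    """Return the message bytes between the server's 354 reply and the client's
    lone '.' line, with RFC 5321 dot-stuffing undone."""
    lines = transcript.splitlines()
    starts = [i for i, l in enumerate(lines) if l.startswith(b"354")]
    if not starts:
        raise ValueError("no DATA/354 exchange in transcript")
    body = []
    for line in lines[starts[0] + 1:]:
        if line == b".":
            break
        body.append(line[1:] if line.startswith(b"..") else line)
    else:
        raise ValueError("DATA section not terminated by '.'")
    return b"\n".join(body) + b"\n"

def extract_attachments(transcript):
    """{filename: (md5, size)} for every attachment in the captured message."""
    msg = message_from_bytes(smtp_data_section(transcript), policy=policy.default)
    found = {}
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        payload = part.get_payload(decode=True)    # undoes base64 / quoted-printable
        found[name] = (md5_hex(payload), len(payload))
    return found

if __name__ == "__main__":
    for name, (digest, size) in extract_attachments(build_sample_transcript()).items():
        print(digest, size, name)
```

To use it on the real case, read chaosreader's session_0008.submission.raw as bytes and pass it to extract_attachments; the parser tolerates the interleaved server replies because everything before the 354 line and after the terminating '.' is ignored.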
3.7 - In what CITY and COUNTRY is their rendez-vous point?
Running the 'file' command against the docx gives:
$ file secretrendezvous.docx
secretrendezvous.docx: Zip archive data, at least v2.0 to extract
Unzipping the file gives access to its elements:
$ unzip secretrendezvous.docx
Archive: secretrendezvous.docx
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: word/_rels/document.xml.rels
inflating: word/document.xml
extracting: word/media/image1.png
inflating: word/theme/theme1.xml
inflating: word/settings.xml
inflating: word/webSettings.xml
inflating: word/styles.xml
inflating: docProps/core.xml
inflating: word/numbering.xml
inflating: word/fontTable.xml
inflating: docProps/app.xml
Using the 'elinks' command line browser, we check the contents of document.xml:
$ elinks -dump word/document.xml
Meet me at the fountain near the rendezvous point. Address below. I’m
bringing all the cash.
No luck here.
So we turn to the PNG image extracted from the docx. I used the 'xzgv' image viewer:
$ xzgv word/media/image1.png
The picture is a screenshot from Google Maps, which shows the location. So, the answer is:
City: Playa del Carmen
Country: Mexico
3.8 - What is the MD5sum of the image embedded in the document?
Simply issuing the command below will answer the question:
$ md5sum word/media/image1.png
aadeace50997b1ba24b09ac2ef1940b7 word/media/image1.png
Answer: aadeace50997b1ba24b09ac2ef1940b7
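Steps 3.7 and 3.8 can be done without writing the archive members to disk. The added example below (not the write-up's procedure) builds a minimal docx in memory, lists its members the way 'unzip -l' would, extracts the paragraph text from word/document.xml by walking the w:p and w:t elements, and hashes everything under word/media/. The docx, its text and the media blob are constructed; the blob carries only a PNG signature and is not a real image.

```python
"""Added example: inspect a .docx without unzipping to disk: list the ZIP members,
pull the paragraph text out of word/document.xml and hash everything under
word/media/. The docx is constructed in memory (minimal, not Word-generated)."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-image-bytes"   # PNG signature plus junk, not an image

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def build_sample_docx():
    """Minimal docx: one paragraph made of two runs, one embedded media file."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>'
        '<w:p><w:r><w:t>Meet me at the fountain.</w:t></w:r>'
        '<w:r><w:t xml:space="preserve"> Address below.</w:t></w:r></w:p>'
        '</w:body></w:document>' % W_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder; real files list part types
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/media/image1.png", FAKE_PNG)
    return buf.getvalue()

def docx_members(docx_bytes):
    """Member names, like 'unzip -l'; refuses anything that is not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        raise ValueError("not a ZIP container, so not a docx")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()

def docx_text(docx_bytes):
    """Visible text: every w:t run joined per paragraph, one paragraph per line."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter("{%s}p" % W_NS):
        paragraphs.append("".join(t.text or "" for t in p.iter("{%s}t" % W_NS)))
    return "\n".join(paragraphs)

def docx_media(docx_bytes):
    """{member: (md5, size)} for embedded images under word/media/."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("word/media/") and not info.is_dir():
                data = z.read(info)
                out[info.filename] = (md5_hex(data), len(data))
    return out

SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    print(docx_members(SAMPLE_DOCX))
    print(docx_text(SAMPLE_DOCX))
    print(docx_media(SAMPLE_DOCX))
```

Hashing the member bytes straight out of the archive avoids the question of whether an unzip tool altered anything on extraction, and the text walk is the equivalent of the elinks dump above without relying on a browser's rendering of XML.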
[4] References
- Base64 (de|en)coding
http://www.developer.com/java/other/article.php/3386271/Understanding-Base64-Data.htm
- SANS SIFT Workstation
https://computer-forensics2.sans.org/community/downloads/
- Chaosreader
http://chaosreader.sourceforge.net
http://www.brendangregg.com
Latest version: http://downloads.sourceforge.net/project/chaosreader/chaosreader/0.94/chaosreader0.94
Patch is attached. Diff follows:
[~]# diff -ab /usr/local/bin/chaosreader /root/Downloads/chaosreader0.94
730,731d729
< my %pkt_times; # store packet_fulltime
<
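Review bot: the diff is in reverse: the patched copy (/usr/local/bin/chaosreader) is the first argument and the pristine chaosreader0.94 download the second, so the lines marked with '<' under "730,731d729" are deletions from the patched file's point of view but are actually the lines to add to 0.94. Anyone applying this with patch(1) needs -R, and a normal-format diff carries no context, so the reader cannot see where my %pkt_times lands relative to %IP. Regenerate it as diff -u chaosreader0.94 /usr/local/bin/chaosreader.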
757,758d754
< $packet_timefull += 0.00001 if (defined $pkt_times{$packet_timefull}); # same time adds more
< $pkt_times{$packet_timefull} = 1; # store it
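Review bot: the single "+= 0.00001" only resolves one collision. A third packet with the same timestamp tests the original value, finds it defined, is bumped to the same t+0.00001 as the second packet and overwrites it, so the data loss the patch sets out to fix is still present for three or more packets in one microsecond. Loop until the key is free, e.g. "$packet_timefull += 0.00001 while defined $pkt_times{$packet_timefull};", and note that a 10 microsecond bump can also land on a genuine later packet's timestamp; keying %IP on (timestamp, packet number) would avoid both problems.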
1011d1006
< undef(%pkt_times);
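Review bot: "undef(%pkt_times);" at line 1011 is correct only if that is the point where %IP itself is cleared between input files; otherwise packets from a second pcap would still be bumped against timestamps from the first. Without context lines that cannot be checked from this hunk, so either show the surrounding code or reset %pkt_times in the same place as %IP.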
- Latest Unzip version
http://www.info-zip.org/UnZip.html


Alexandre Teixeira is an information security professional. He holds the CISSP, GCIA and GCIH certifications and a postgraduate degree in Computer Forensics. Contact via
#1 by Sandro Süffert on 21 December, 2009 - 11:58 pm
Very good Alexandre, congratulations on your answer. I was a bit lazier and cracked the puzzles once again with NetWitness Investigator.. =)
#2 by foren6 on 22 December, 2009 - 9:12 am
NetWitness = push ONE button Network Forensics ;)