Forensicscontest.com Puzzle #2 & chaosreader

A few days ago I tried my hand at one of the challenges on the Forensicscontest.com site, this time Puzzle #2. For me it was a very rewarding experience: besides indirectly studying for the GCIA exam, which demands solid knowledge of network log (pcap) analysis, I got to work with several tools, among them chaosreader, which I used while solving the problem.

Unlike the output of tshark, tcpdump and the like, this Perl script produces HTML output (see below), which makes analysing long client/server dialogues much easier, and it can also write each session out in raw and hex form. During the tests, after a few hours debugging the code, I noticed a flaw in the tool's routine that parses the payload of IP packets. That routine fills a hash (%IP) with the bytes of each TCP segment, using the packet's capture timestamp as the key.

Output generated by the chaosreader script (screenshot)

Can you guess the problem? Packets with identical timestamps. Although it sounds unlikely (the timestamp carries six decimal places after the seconds, i.e. microsecond resolution), packets with the same capture time land on the same key, so only the content of the last such packet is kept. In practice collisions are not that rare: back-to-back segments on a fast link, or a capture stack that stamps a batch of packets on delivery rather than on arrival, easily produce equal timestamps. As a result, no IP payload produced by the tool can be trusted to be complete.
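To make the failure mode concrete, here is an added example (my own illustration, not chaosreader's code) that stores constructed TCP segments once keyed by their pcap (sec, usec) capture timestamp, as described above, and once keyed by the TCP sequence number. The timestamps, sequence numbers and payloads are made up; the third segment shares a timestamp with the second, and the fourth is a retransmission of the second.

```python
# Added example: timestamp-keyed versus sequence-keyed storage of TCP segments.
# All segments are constructed (one direction of one flow); "ts" mirrors the
# (ts_sec, ts_usec) pair of a pcap record header.
SEGMENTS = [
    {"ts": (1255204516, 123456), "seq": 1,  "payload": b"EHLO annlaptop\r\n"},
    {"ts": (1255204516, 123987), "seq": 17, "payload": b"AUTH LOGIN\r\n"},
    {"ts": (1255204516, 123987), "seq": 29, "payload": b"c25lYWt5ZzMza0Bhb2wuY29t\r\n"},
    {"ts": (1255204516, 124002), "seq": 17, "payload": b"AUTH LOGIN\r\n"},  # retransmission
]


def reassemble_by_timestamp(segments):
    """Mimics the chaosreader 0.94 behaviour: the capture time is the key, so a
    later segment with the same timestamp overwrites the earlier one, and a
    retransmission shows up again at its new time (wrong order)."""
    stream = {}
    for seg in segments:
        stream[seg["ts"]] = seg["payload"]
    return b"".join(stream[k] for k in sorted(stream))


def reassemble_by_seq(segments):
    """Key on the TCP sequence number instead: a true duplicate collapses onto
    the same key, while distinct segments captured at the same time survive
    and come out in stream order."""
    stream = {}
    for seg in segments:
        stream.setdefault(seg["seq"], seg["payload"])
    return b"".join(stream[k] for k in sorted(stream))


def dropped_segments(segments):
    """Return the distinct segments that the timestamp-keyed store silently
    loses, which is the check to run before trusting a reassembled session."""
    seen, lost = {}, []
    for seg in segments:
        prev = seen.get(seg["ts"])
        if prev is not None and prev["seq"] != seg["seq"]:
            lost.append(prev)
        seen[seg["ts"]] = seg
    return lost


if __name__ == "__main__":
    print("by timestamp:", reassemble_by_timestamp(SEGMENTS))
    print("by seq      :", reassemble_by_seq(SEGMENTS))
    print("lost seqs   :", [s["seq"] for s in dropped_segments(SEGMENTS)])
```

The timestamp-keyed version loses the `AUTH LOGIN` line and then re-inserts it after the base64 username because the retransmission carries a later timestamp; the sequence-keyed version reproduces the stream as the client sent it.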

I contacted the author (Brendan Gregg) and wrote a small patch for the script. That may have counted for something with the challenge's authors, because I wrote practically no code to automate the processing of the answers, as every one of the finalists did, and still finished among the 15 semifinalists. The finalists' write-ups, with scripts in Perl, Ruby and Python, are well worth a look.

The winners were announced yesterday on the PaulDotCom security podcast. The prize this time was a Lenovo netbook, unlike the previous one, which was a SANS training course. The organisers (SANS instructors) decided to award two candidates, each with a netbook.

Now it's time to wait for the next challenge!

Below is the write-up I submitted.

Name: Alexandre Teixeira
Date: 14th Oct 2009
Tools: Please read [4] References section

Narrative
-----------

[1] - Verifying Packet Capture Integrity

$ md5sum evidence02.pcap
cfac149a49175ac8e89d5b5b5d69bad3  evidence02.pcap

[2] - Network Sessions - Enumerate & Dump

2.1 - Verifying Network Connections

2.1.1 - TCPDUMP

$ tcpdump -r evidence02.pcap | less
$ tcpdump -r evidence02.pcap udp

The second command shows that UDP traffic is also present in the capture.

2.2 - Using Chaosreader PCAP parser

I chose this tool because it decodes UDP sessions as well and presents each conversation as coloured HTML.

Parameters: -v (Verbose), -e (Create HTML 2-way & hex files for everything), -D (Output Dir)

$ chaosreader0.94 -v -e -D chaos_dump/ evidence02.pcap

Chaosreader ver 0.94

Opening, evidence02.pcap

Reading file contents,
100% (335144/335144)
Reassembling packets,
100% (542/542)

Creating files...
Num  Session (host:port <=> host:port)              Service
0007  192.168.1.159:1036,64.12.102.142:587           submission
0008  192.168.1.159:1038,64.12.102.142:587           submission
0002  192.168.1.10:123,192.168.1.255:123             ntp
0009  192.168.1.159:1025,192.168.1.30:514            syslog
0001  192.168.1.10:52111,192.168.1.30:514            syslog
0006  192.168.1.159:1026,10.1.1.20:53                domain
0005  192.168.1.10:123,192.168.1.30:123              ntp
0004  192.168.1.159:137,192.168.1.255:137            netbios-ns
0003  192.168.1.159:138,192.168.1.255:138            netbios-dgm

index.html created.

[3] - Answering Questions

3.1 - What is Ann’s email address?

To find this answer, the protocols/services involved must first be identified: NTP, Syslog, Submission, Domain and NetBIOS.

All of them are familiar except 'Submission'. A quick search shows it is the message submission protocol, used by mail clients to hand outgoing messages to their mail server on TCP port 587, as described in this RFC:

http://www.faqs.org/rfcs/rfc2476.html

Furthermore, Submission is the only one of these protocols that has anything to do with email, so Ann's email address is likely to be found there.

Investigating session 7 (by clicking its link in the HTML output), I found the following conversation:

submission: 192.168.1.159:1036 -> 64.12.102.142:587
File evidence02.pcap, Session 7

220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250-CHUNKING
250-BINARYMIME
250-X-AOL-FWD-BY-REF
250-X-AOL-DIV_TAG
250-X-AOL-OUTBOX-COPY
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>

So the answer is in the last line above, the MAIL FROM command: sneakyg33k@aol.com

3.2 - What is Ann’s email password?

To discover this, the conversation above must be interpreted. The following RFCs describe the authentication method used (SASL, carried by the SMTP AUTH extension):

http://www.faqs.org/rfcs/rfc4422.html (obsoletes RFC 2222)
http://www.faqs.org/rfcs/rfc2554.html

The following excerpt describes how the exchange works:

C: Request authentication exchange
S: Initial challenge
C: Initial response
<additional challenge/response messages>
S: Outcome of authentication exchange with
additional data with success

This is equivalent to:

AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL

Lines starting with a numeric code are from the server; the others are from Ann (or rather her client). The authentication exchange is explained in the 'Challenges and Responses' section of RFC 4422 and 'The AUTH command' section of RFC 2554. Note that the server advertised 250-STARTTLS but the client never issued STARTTLS, so the whole AUTH LOGIN exchange, which is merely base64-encoded, crossed the network in the clear. To decode the base64 strings I used the 'base64' Linux command:

$ echo -n VXNlcm5hbWU6 | base64 -d; echo
Username:

$ echo -n c25lYWt5ZzMza0Bhb2wuY29t | base64 -d; echo
sneakyg33k@aol.com

$ echo -n UGFzc3dvcmQ6 | base64 -d; echo
Password:

$  echo -n NTU4cjAwbHo= | base64 -d; echo
558r00lz

So the answer is: 558r00lz

The same password can be verified in session 8 content.
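The manual base64 decoding above generalises easily. The following added example (my own code, not part of the original write-up) walks an SMTP transcript as chaosreader dumps it, with both directions interleaved and no direction markers, tells server replies from client commands by the three-digit reply code (including multi-line 250- replies), decodes AUTH LOGIN challenge/response pairs, and also handles AUTH PLAIN (RFC 4616), whose single response is base64 of authzid\0user\0password. The LOGIN transcript is the session 7 exchange shown above; the PLAIN transcript and its credentials are constructed.

```python
import base64

# Session 7 as shown above (server banner, EHLO reply, AUTH LOGIN, MAIL FROM).
LOGIN_EXCHANGE = """220 cia-mc06.mx.aol.com ESMTP mail_cia-mc06.1; Sat, 10 Oct 2009 15:35:16 -0400
EHLO annlaptop
250-cia-mc06.mx.aol.com host-69-140-19-190.static.comcast.net
250-AUTH=LOGIN PLAIN XAOL-UAS-MB
250-AUTH LOGIN PLAIN XAOL-UAS-MB
250-STARTTLS
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
c25lYWt5ZzMza0Bhb2wuY29t
334 UGFzc3dvcmQ6
NTU4cjAwbHo=
235 AUTHENTICATION SUCCESSFUL
MAIL FROM: <sneakyg33k@aol.com>"""

# Constructed AUTH PLAIN exchange with an initial response on the AUTH line.
PLAIN_EXCHANGE = ("AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode("ascii")
                  + "\n235 2.7.0 Authentication successful")


def _b64(text):
    return base64.b64decode(text).decode("utf-8", "replace")


def _server_reply(line):
    """SMTP replies start with a 3-digit code followed by ' ' (last line) or
    '-' (continuation). Return (code, text) or None for a client line."""
    if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] in " -"):
        return line[:3], line[4:]
    return None


def _plain_creds(b64):
    _authzid, user, password = _b64(b64).split("\0", 2)
    return user, password


def decode_smtp_auth(transcript):
    """Extract mechanism, username, password, outcome and envelope sender from
    an interleaved SMTP transcript."""
    out = {"mechanism": None, "username": None, "password": None,
           "success": None, "mail_from": None}
    prompt = None  # decoded 334 challenge waiting for the client's answer
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        reply = _server_reply(line)
        if reply:
            code, text = reply
            if code == "334":
                prompt = _b64(text).strip()
            elif code == "235":
                out["success"] = True
            elif code[0] in "45" and out["mechanism"] and out["success"] is None:
                out["success"] = False
            continue
        upper = line.upper()
        if upper.startswith("AUTH "):
            parts = line.split()
            out["mechanism"] = parts[1].upper()
            if out["mechanism"] == "PLAIN" and len(parts) > 2:  # initial response
                out["username"], out["password"] = _plain_creds(parts[2])
        elif upper.startswith("MAIL FROM:"):
            out["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif prompt is not None:  # client answer to the last 334 challenge
            if out["mechanism"] == "PLAIN":
                out["username"], out["password"] = _plain_creds(line)
            elif prompt.lower().startswith("username"):
                out["username"] = _b64(line)
            elif prompt.lower().startswith("password"):
                out["password"] = _b64(line)
            prompt = None
    return out


if __name__ == "__main__":
    print(decode_smtp_auth(LOGIN_EXCHANGE))
    print(decode_smtp_auth(PLAIN_EXCHANGE))
```

Because the parser keys on the reply code rather than on packet direction, it works on chaosreader's raw dumps as well as on tshark's "follow TCP stream" output.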

3.3 - What is Ann’s secret lover’s email address?

The address is most likely the recipient of session 8, because that session carries the following message body:

"Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann"

So, the answer is: mistersecretx@aol.com

This is the value of the 'RCPT TO' command seen in session 8.

3.4 - What two items did Ann tell her secret lover to bring?

As already shown above, the answer is: a fake passport and a bathing suit

3.5 - What is the NAME of the attachment Ann sent to her secret lover?

Session 8 is Ann's message to her 'secret lover'. The message has a document (docx) attached, as seen in the HTML output generated by the chaosreader script (session_0008.submission.html):

.filename="secretrendezvous.docx"

So, the answer is: secretrendezvous.docx

3.6 - What is the MD5sum of the attachment Ann sent to her secret lover?

To do this, the attached file must be decoded. The file part is enclosed by the lines containing the following text:

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
(...)
[ data encoded in base64 ]
------=_NextPart_000_000D_01CA497C.9DEC1E70--

These parts can be seen in the session_0008.submission.raw file.

Chaosreader version 0.94 (current) has a bug in its pcap parsing: it uses the packet's capture timestamp as the key when populating the %IP hash, so packets captured with identical timestamps overwrite each other and payload goes missing. I fixed it and attached the patched version (already sent to Brendan Gregg, the author).

The file 'session_0008.submission.raw' contains the session data we are looking for (attached file).

The following Perl one-liner prefixes each line of that file/session with its line number:

$ perl -pe 'print ${.}." "' < chaos_dump/session_0008.submission.raw

The numbered listing shows that line 78 is the first line of the attachment's base64 stream and line 3717 is the last one.

The following command strips whitespace (the \s regex) from lines 78-3717 and decodes them. The line numbers are specific to this dump: take them from the numbered listing, and make sure the range starts after the blank line that ends the MIME part headers, otherwise base64 -d rejects the input.

$ perl -ne 's/\s//g; print if (${.} >= 78 && ${.} <= 3717);' < chaos_dump/session_0008.submission.raw | base64 -d > secretrendezvous.docx

The md5sum command is then used:

$ md5sum secretrendezvous.docx
9e423e11db88f01bbff81172839e1923  secretrendezvous.docx

Answer: 9e423e11db88f01bbff81172839e1923
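Counting lines by hand works for one attachment, but it is fragile. The added example below (my own code, not part of the original write-up) does the same job generically: it cuts the DATA section out of an interleaved raw SMTP session dump (everything between the server's 354 reply and the client's lone "." terminator), undoes SMTP dot-stuffing, hands the result to Python's email parser and returns every attachment with its MD5, plus the RCPT TO recipients and the text body. The session, boundary and attachment bytes are constructed stand-ins; the docx here is 1024 made-up bytes, not the puzzle's file, so its hash is not the answer above.

```python
import base64
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed stand-in for the attachment (not the real docx) and its MD5.
ATTACHMENT = bytes(range(256)) * 4
ATTACHMENT_MD5 = hashlib.md5(ATTACHMENT).hexdigest()
BOUNDARY = "----=_NextPart_000_000D_01CA497C.9DEC1E70"


def _b64_lines(data, width=76):
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]


# Constructed raw session in the style of session_NNNN.submission.raw:
# both directions interleaved, CRLF line endings, dot-stuffed DATA section.
RAW_SESSION = b"\r\n".join(line.encode("ascii") for line in [
    "220 mx.example.net ESMTP",
    "EHLO annlaptop",
    "250 mx.example.net",
    "MAIL FROM: <sneakyg33k@aol.com>",
    "250 OK",
    "RCPT TO: <mistersecretx@aol.com>",
    "250 OK",
    "DATA",
    "354 Start mail input; end with <CRLF>.<CRLF>",
    "From: <sneakyg33k@aol.com>",
    "To: <mistersecretx@aol.com>",
    "Subject: rendezvous",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="%s"' % BOUNDARY,
    "",
    "--" + BOUNDARY,
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "Hi sweetheart! Bring your fake passport and a bathing suit. Address attached. love, Ann",
    "..and a towel",  # dot-stuffed on the wire: the client doubled the leading '.'
    "--" + BOUNDARY,
    'Content-Type: application/octet-stream; name="secretrendezvous.docx"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="secretrendezvous.docx"',
    "",
] + _b64_lines(ATTACHMENT) + [
    "--" + BOUNDARY + "--",
    ".",
    "250 OK queued",
    "QUIT",
    "221 Bye",
    "",
])


def extract_data_section(raw):
    """Message bytes between the 354 reply and the lone '.', dot-unstuffed."""
    lines = raw.split(b"\r\n")
    start = next(i for i, l in enumerate(lines) if l.startswith(b"354")) + 1
    end = next(i for i in range(start, len(lines)) if lines[i] == b".")
    body = [l[1:] if l.startswith(b".") else l for l in lines[start:end]]
    return b"\r\n".join(body) + b"\r\n"


def analyse_session(raw):
    """Recipients, text body and {filename: (md5, bytes)} for one SMTP session."""
    rcpt = [l.split(b":", 1)[1].strip().strip(b"<>").decode("ascii")
            for l in raw.split(b"\r\n") if l.upper().startswith(b"RCPT TO:")]
    msg = BytesParser(policy=policy.default).parsebytes(extract_data_section(raw))
    body, attachments = "", {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True)
            attachments[name] = (hashlib.md5(data).hexdigest(), data)
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    return {"rcpt_to": rcpt, "body": body, "attachments": attachments}


if __name__ == "__main__":
    result = analyse_session(RAW_SESSION)
    for name, (digest, data) in result["attachments"].items():
        print(name, len(data), digest)
```

The dot-unstuffing step matters for any attachment transported as quoted-printable or 7bit text; base64 never starts a line with "." so it happened not to bite here.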

3.7 - In what CITY and COUNTRY is their rendez-vous point?

Using 'file' command against the docx file, we have:

$ file secretrendezvous.docx
secretrendezvous.docx: Zip archive data, at least v2.0 to extract

Unzipping the file gives access to its members:

$ unzip secretrendezvous.docx
Archive:  secretrendezvous.docx
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: word/_rels/document.xml.rels
inflating: word/document.xml
extracting: word/media/image1.png
inflating: word/theme/theme1.xml
inflating: word/settings.xml
inflating: word/webSettings.xml
inflating: word/styles.xml
inflating: docProps/core.xml
inflating: word/numbering.xml
inflating: word/fontTable.xml
inflating: docProps/app.xml

Using the 'elinks' command-line browser to render the contents of document.xml:

$ elinks -dump word/document.xml
Meet me at the fountain near the rendezvous point. Address below. I’m
bringing all the cash.

No luck here, so I turned to the PNG image extracted from the docx, viewed with the 'xzgv' image viewer:

$ xzgv word/media/image1.png

The picture is a screenshot of Google Maps, which gives away the location. So the answer is:

City: Playa del Carmen
Country: Mexico

3.8 - What is the MD5sum of the image embedded in the document?

Simply issuing the command below will answer the question:

$ md5sum word/media/image1.png
aadeace50997b1ba24b09ac2ef1940b7  word/media/image1.png

Answer: aadeace50997b1ba24b09ac2ef1940b7
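Steps 3.7 and 3.8 (unzip the docx, read word/document.xml, hash the embedded media) can be done without leaving Python, and the same zip container also holds docProps/core.xml, whose author and last-modified-by fields are worth recording in any report. The added example below (my own code, not part of the original write-up) builds a minimal constructed docx in memory (the text, the "image" bytes and the core.xml properties are made up) and inspects it with the standard library only: it lists the members, concatenates the visible `<w:t>` runs, hashes everything under word/media/ and pulls the core properties.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"

# Constructed stand-in for the embedded picture (PNG signature plus filler,
# not a valid image) and its MD5.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(64))
SAMPLE_PNG_MD5 = hashlib.md5(SAMPLE_PNG).hexdigest()


def build_sample_docx():
    """Minimal constructed docx-like zip; real files carry more parts."""
    document = (
        '<?xml version="1.0"?><w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:t>Meet me at the fountain near the rendezvous point.</w:t></w:r>'
        '<w:r><w:t xml:space="preserve"> Address below.</w:t></w:r>'
        '</w:p></w:body></w:document>' % W_NS)
    core = (
        '<?xml version="1.0"?><cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>constructed-author</dc:creator>'
        '<cp:lastModifiedBy>constructed-editor</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (CP_NS, DC_NS))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        z.writestr("word/media/image1.png", SAMPLE_PNG)
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def inspect_docx(data):
    """Members, visible text, MD5 of each media file and core properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.namelist()
        root = ET.fromstring(z.read("word/document.xml"))
        text = "".join(t.text or "" for t in root.iter("{%s}t" % W_NS))
        media_md5 = {n: hashlib.md5(z.read(n)).hexdigest()
                     for n in members if n.startswith("word/media/")}
        props = {}
        if "docProps/core.xml" in members:
            core = ET.fromstring(z.read("docProps/core.xml"))
            props["creator"] = core.findtext("{%s}creator" % DC_NS)
            props["lastModifiedBy"] = core.findtext("{%s}lastModifiedBy" % CP_NS)
    return {"members": members, "text": text, "media_md5": media_md5, "props": props}


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx())
    print(report["text"])
    print(report["media_md5"])
    print(report["props"])
```

Hashing the media straight out of the zip avoids the extra copy on disk that `unzip` creates; run the same function over the real secretrendezvous.docx to reproduce the two MD5 answers above.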

[4] References

- Base64 (de|en)coding
http://www.developer.com/java/other/article.php/3386271/Understanding-Base64-Data.htm

- SANS SIFT Workstation
https://computer-forensics2.sans.org/community/downloads/

- Chaosreader
http://chaosreader.sourceforge.net
http://www.brendangregg.com
Latest version: http://downloads.sourceforge.net/project/chaosreader/chaosreader/0.94/chaosreader0.94
Patch is attached. Diff follows:

[~]# diff -ab /usr/local/bin/chaosreader /root/Downloads/chaosreader0.94
730,731d729
<    my %pkt_times;                     # store packet_fulltime
<
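Review bot: the diff is taken with the patched file as the left operand (`diff -ab /usr/local/bin/chaosreader chaosreader0.94`), so the added lines appear as `<` deletions and `patch` would remove them from a patched copy rather than add them to a pristine one; regenerate it as `diff -u chaosreader0.94 chaosreader` so the hunks apply with `patch -p0` and the `%pkt_times` declaration reads as the addition it is.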
757,758d754
<                 $packet_timefull += 0.00001 if (defined $pkt_times{$packet_timefull}); # same time adds more
<                 $pkt_times{$packet_timefull} = 1; # store it
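Review bot: the bump at the second hunk only resolves the first collision: `$packet_timefull += 0.00001` runs once, so a third packet with the same original timestamp is moved to the same value as the second and still overwrites it; make it a loop (`$packet_timefull += 0.00001 while defined $pkt_times{$packet_timefull};`) or, better, key %IP on a per-file packet counter and keep the timestamp as a field. The increment is also ten times the microsecond resolution of the pcap timestamp, so a bumped key can collide with, or sort after, a genuine packet captured within the following 10 µs and reorder segments.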
1011d1006
<    undef(%pkt_times);

- Latest Unzip version
http://www.info-zip.org/UnZip.html
