Sunday, August 23, 2009

How I spent my Saturday Night...

I'm a geek. I know it. Being broke doesn't help matters much.

For fun tonight I played with the Network Forensics Puzzle that was on ISC.SANS.ORG earlier this week.

I'm no expert; some stuff was beyond my skills tonight before I started. In fact I only started playing, not doing the contest, because someone in a forum posted what tool to use to extract the data. Here is a quick walkthrough of what I did, without giving too much away, I hope.

Downloaded the pcap file and checked the md5sum.
They matched, so I moved on.

I knew how to load a pcap file into 2 different programs, so I ran it in both, filtering on just the IP address I needed (the user's IP address).

I then looked through the data, using what I knew of the layout to get the username of who the spy was talking to.

Then I found the first comment. Using the same method (reading), I found the name of the file being transferred.

Then I extracted the data that was transferred from the stream. If I knew the magic number, the only part I wasn't able to find, it might have been easier. I used tcpxtract for that bit of magic.

At first I was thinking what was extracted was more like rar files you can find online, where you unrar the first file, and the rest are used to build the first. While I was eating I realized that might not be the case, and there may have been 37 different files that were actually transferred. It was a case of having just learned to use tcpxtract.

Once I realized that, I found the files that would open with Ark, and which ones didn't. The ones that didn't I ignored. I then tried to extract the others. Only 2 extracted. Again the others I ignored. One was a manifest file, the other the file I wanted. I looked up the document in the file and got the recipe.

Then after bashing my head around some, I figured out, based on comments others had made and how the file is really stored, to change the un-extracted file's name to the right name, and tried opening it with Open Office. It worked. Grabbed the md5sum off that.

Out of the 6.5 requests in the challenge, I did 5 of them. I never found the magic number. :( And I didn't bother to try to script it (computer program) to do the work for me, because I never found the magic number, and I don't think my programming skills are sharp enough. Although, I didn't think my computer forensics skills were sharp enough at the beginning either.
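An added example, not part of the original post or the puzzle: signature carving of the kind tcpxtract performs can emit many candidates from a single transfer, and only some open as archives. The sketch assumes a ZIP-based document as the sample; the stream, member names and wrapper bytes are constructed, and `triage` and the other function names are hypothetical.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that starts every member stored in a ZIP
# Constructed member names and contents, not taken from the puzzle capture.
MEMBERS = [("META-INF/manifest.xml", "<manifest/>"),
           ("content.xml", "<doc>constructed sample text</doc>"),
           ("styles.xml", "<styles/>")]

def build_sample_stream():
    """Constructed payload: one ZIP-based document wrapped in made-up protocol bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in MEMBERS:
            info = zipfile.ZipInfo(name, date_time=(2009, 8, 23, 0, 0, 0))
            z.writestr(info, body, compress_type=zipfile.ZIP_DEFLATED)
    return b"XFER-HEADER\x00\x01" + buf.getvalue() + b"\x00XFER-TRAILER"

def carve(stream, signature=ZIP_LOCAL_HEADER):
    """Signature carving: every hit opens a candidate that runs to the end of the stream."""
    hits, pos = [], stream.find(signature)
    while pos != -1:
        hits.append((pos, stream[pos:]))
        pos = stream.find(signature, pos + 1)
    return hits

def is_complete_archive(candidate):
    """True when the central directory describes this carve from its first byte."""
    try:
        with zipfile.ZipFile(io.BytesIO(candidate)) as z:
            infos = z.infolist()
            if not infos or min(i.header_offset for i in infos) != 0:
                return False  # directory points before our start: a mid-archive hit
            return z.testzip() is None  # CRC-check every member
    except zipfile.BadZipFile:
        return False

def triage(stream):
    """Return (offset, complete?) for every carved candidate."""
    return [(off, is_complete_archive(data)) for off, data in carve(stream)]

if __name__ == "__main__":
    for off, ok in triage(build_sample_stream()):
        print(f"offset {off:4d}: {'complete archive' if ok else 'fragment'}")
```

One three-member archive yields three carve hits here, and only the hit at the first member header validates as a complete archive; the other two are mid-archive fragments.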
