DEFCON 2011 Network Forensics
Author: [email protected]
1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html
strings Evidence01.pcap | grep -i company
Search for the keyword "company" with grep.
Answer: Factory-Made-Winning-Pharmaceuticals
2. DEFCON 2011 Network Forensics Puzzle: Inception
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html
Since mail was sent, we can guess the Subject header is what to look for.
tcpflow -r Evidence02.pcap
(-r: read packets from tcpdump output file)
grep -a Subject *
(-a, --text: equivalent to --binary-files=text)
foremost is a file carving (recovery) tool: http://adityo.blog.binusian.org/?p=231
http://www.irongeek.com/i.php?page=backtrack-3-man/foremost
http://www.youtube.com/watch?v=TmWLsufNiUQ
cat /etc/foremost.conf
foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
file 00000030.pcap
List all Host headers in the packet capture:
tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
tcpflow -r 00000030.pcap host 204.11.246.48
grep GET *
Inspect the response:
head 204.011.246.048.00080-172.030.001.100.60176
foremost -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T
gunzip -d 00000000.gz
firefox 00000000
Answer: October 6-7, 2011
NetworkMiner solves this one quickly.
3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html
NetworkMiner
The extracted files can be seen directly.
No VoIP traffic was found, so the next step of the analysis could not continue.
Switched to xplico instead; the xplico GUI does not work, so use the command line:
usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
-v version
-c config file
-h this help
-i info of protocol 'prot'
-g display graph-tree of protocols
-l print all log in the screen
-m capture type module
NOTE: parameters MUST respect this order!
./xplico -m pcap -f /root/Desktop/Evidence03.pcap
IP 74.125.127.126 belongs to Google, so we can guess this is a Google Chat VoIP call.
So we can try decoding it with videosnarf.
videosnarf
http://ucsniff.sourceforge.net/videosnarf.html
root@bt:/usr/local/bin# videosnarf -h
Starting videosnarf 0.63
Usage: videosnarf [-i input pcap file] [-f filter expression]
-i <input pcap file> (Mandatory) input pcap file
-o <output file> (Optional) output base name file
-f <filter expression> (Optional) pcap filter expression
-k <g726 sample size> (Optional) G726 sameple size
Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32
Note: If there are 802.1Q headers in the RTP packet capture, please don't set the filter expression
Example Usage:
videosnarf -i inputfile.pcap
videosnarf -i inputfile.pcap -f "udp dst port 25001"
Answer: rom127#
4. DEFCON 2011 Network Forensics Puzzle: The Heist
Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson
5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html
useonce@
Opening the file, you can find the password: 8.4 oz- Red Bull
Linux solution
tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
tshark -r SMB.cap |grep "Create AndX Request"
Use grep to find the files created over SMB.
Extract the file
Since the file to extract is a 7z archive, first add a 7z format entry to tcpxtract.conf:
echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf
mv 00000000.p7z 00000000.7z
Then just decompress it! Done
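To show what the tcpxtract.conf entry above actually does, here is an added example (not code from the writeup or from tcpxtract) that parses an entry in that `ext(max_size, header[, footer]);` form and carves matching files out of a reassembled flow. The flow bytes are constructed for the example, and the 7z version check is an extra sanity test that tcpxtract itself does not perform.

```python
import re

# Constructed config text, same form as the line the writeup echoes into /etc/tcpxtract.conf.
CONF = r"p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);"

# Constructed stand-in for a reassembled SMB flow: some SMB bytes, then a 7z archive.
# 7z files start with the 6-byte signature followed by version bytes (major 0, minor 4).
SAMPLE_FLOW = b"\xffSMB" + b"\x00" * 20 + b"7z\xbc\xaf'\x1c\x00\x04" + b"constructed-archive-body"

ENTRY_RE = re.compile(r"\s*(\w+)\s*\(\s*(\d+)\s*,\s*([^,)]+?)\s*(?:,\s*([^)]+?)\s*)?\)\s*;")

def parse_hex_pattern(text):
    """Turn a \\xNN escape string from the config into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def parse_conf(text):
    """Return [(ext, max_size, header_bytes, footer_bytes_or_None), ...] for each valid entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, comments and malformed entries are skipped
        ext, size, header, footer = m.groups()
        entries.append((ext, int(size), parse_hex_pattern(header),
                        parse_hex_pattern(footer) if footer else None))
    return entries

def carve(stream, entries):
    """Return [(ext, offset, data), ...] for every header hit; data ends at the footer or max_size."""
    found = []
    for ext, max_size, header, footer in entries:
        pos = 0
        while (i := stream.find(header, pos)) >= 0:
            end = i + max_size
            if footer is not None:
                j = stream.find(footer, i + len(header))
                if j >= 0:
                    end = min(end, j + len(footer))
            found.append((ext, i, stream[i:end]))
            pos = i + len(header)
    return found

def looks_like_7z(data):
    """Cheap false-positive filter: signature plus 7z major version 0."""
    return data.startswith(b"7z\xbc\xaf'\x1c") and len(data) > 6 and data[6] == 0

if __name__ == "__main__":
    for ext, off, data in carve(SAMPLE_FLOW, parse_conf(CONF)):
        print(ext, off, len(data), looks_like_7z(data))
```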