
Defcon 2011 network forensics solution notes


Page 1: Defcon 2011 network forensics solution notes

DEFCON 2011 Network Forensics

Author: [email protected]

1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made

http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html

strings Evidence01.pcap | grep -i company

Search for the keyword "company" with grep.

Answer: Factory-Made-Winning-Pharmaceuticals

2. DEFCON 2011 Network Forensics Puzzle: Inception

http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html

Mail was sent, so the Subject header is a good guess for where to look.

tcpflow -r Evidence02.pcap

(-r: read packets from tcpdump output file)

grep -a Subject *

-a, --text equivalent to --binary-files=text

foremost, a file carving and recovery tool: http://adityo.blog.binusian.org/?p=231

http://www.irongeek.com/i.php?page=backtrack-3-man/foremost

http://www.youtube.com/watch?v=TmWLsufNiUQ

cat /etc/foremost.conf


foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080

file 00000030.pcap

List all hosts in the capture:

tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq


tcpflow -r 00000030.pcap host 204.11.246.48

grep GET *

View the response:

head 204.011.246.048.00080-172.030.001.100.60176


foremost -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T /

gunzip -d 00000000.gz

firefox 00000000

Answer: October 6-7, 2011


Quick solution with NetworkMiner

3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?

http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html

NetworkMiner

The transferred files are visible directly under the Files tab.

The VoIP traffic could not be found, so the next analysis step could not continue.


Switched to xplico; the xplico GUI does not work, so use the command line.

usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>

-v version

-c config file

-h this help

-i info of protocol 'prot'

-g display graph-tree of protocols

-l print all log in the screen

-m capture type module

NOTE: parameters MUST respect this order!

./xplico -m pcap -f /root/Desktop/Evidence03.pcap


IP 74.125.127.126 belongs to Google, so we can guess this is a Google Chat VoIP call.

So try videosnarf to decode it.

videosnarf

http://ucsniff.sourceforge.net/videosnarf.html

root@bt:/usr/local/bin# videosnarf -h

Starting videosnarf 0.63

Usage: videosnarf [-i input pcap file] [-f filter expression]

-i <input pcap file> (Mandatory) input pcap file

-o <output file> (Optional) output base name file

-f <filter expression> (Optional) pcap filter expression

-k <g726 sample size> (Optional) G726 sameple size


Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32

Note: If there are 802.1Q headers in the RTP packet capture, please don't set the filter expression

Example Usage:

videosnarf -i inputfile.pcap

videosnarf -i inputfile.pcap -f "udp dst port 25001"

Answer: rom127#


4. DEFCON 2011 Network Forensics Puzzle: The Heist

Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2

http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html

useonce@

Opening the file, you can find the password: 8.4 oz- Red Bull

Linux solution

tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445


tshark -r SMB.cap | grep "Create AndX Request"

Use grep to find the files created over SMB.

Extract the file:

Because the file to extract is a 7z archive, first add a 7z format entry (the 7z magic bytes) to tcpxtract.conf:

echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf

mv 00000000.p7z 00000000.7z

Next, just decompress it. Done.
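The carving step above (foremost and tcpxtract both scan a reassembled flow for a known header, then cut up to a size cap or a footer) as an added example, not code from the write-up or from either tool: a small Python carver that reads entries in the tcpxtract.conf shape `name(maxsize, header[, footer]);` and carves them out of a constructed byte stream. The 7z entry is the one from the echo line; the jpg entry and the sample flow are constructed for the example.

```python
import re

# One tcpxtract.conf entry: name(maxsize, header_hex[, footer_hex]);
ENTRY_RE = re.compile(
    r"^\s*(\w+)\s*\(\s*(\d+)\s*,\s*([^,;)]+?)\s*(?:,\s*([^;)]+?)\s*)?\)\s*;")


def hexescape_to_bytes(s):
    """Turn a signature written as \\x37\\x7a... into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def parse_tcpxtract_conf(text):
    """Return (name, maxsize, header, footer-or-None) for each config line."""
    sigs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank line, comment, or something we do not understand
        name, maxsize, header, footer = m.groups()
        sigs.append((name, int(maxsize), hexescape_to_bytes(header),
                     hexescape_to_bytes(footer) if footer else None))
    return sigs


def carve(data, sigs):
    """Carve every header match out of a byte stream (e.g. a tcpflow file).

    Each hit ends at the footer when the entry has one and it is found
    within maxsize bytes; otherwise maxsize (or end of data) caps the cut.
    """
    found = []
    for name, maxsize, header, footer in sigs:
        start = data.find(header)
        while start != -1:
            end = min(start + maxsize, len(data))
            if footer is not None:
                f = data.find(footer, start + len(header), end)
                if f != -1:
                    end = f + len(footer)
            found.append((name, start, data[start:end]))
            start = data.find(header, start + len(header))
    return sorted(found, key=lambda hit: hit[1])


# Constructed config: the 7z line from the write-up plus a jpg entry with a footer.
SAMPLE_CONF = r"""
p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);
jpg(138000, \xff\xd8\xff\xe0\x00\x10, \xff\xd9);
"""
SEVENZ_HDR = b"\x37\x7a\xbc\xaf\x27\x1c"
# Constructed flow: noise, a tiny "jpeg", more noise, then a 7z archive stub.
SAMPLE_FLOW = (b"\x00SMB noise " + b"\xff\xd8\xff\xe0\x00\x10JFIF...pixels\xff\xd9"
               + b" more noise " + SEVENZ_HDR + b"\x00\x04" + b"A" * 32)


def carve_sample():
    return carve(SAMPLE_FLOW, parse_tcpxtract_conf(SAMPLE_CONF))
```

To carve a real flow, read a tcpflow output file as bytes and pass it in place of SAMPLE_FLOW; a header-only entry like p7z will run to maxsize, so a trailing-garbage check (7z's own archive parser rejecting the tail) is still needed afterwards.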