Wednesday, November 11, 2009

SANS Forensics Puzzle #2 - Ann Skips Bail

SANS Forensics Puzzle #2

Disclaimer: This is not intended to be elegant... it only addresses the "mechanics" of answering the questions in a straightforward manner.

Step 0... acquire the sample



1. What is Ann’s email address?


Answer: sneakyg33k@aol.com

How: By reviewing the PCAP one can see that there is an ESMTP conversation
taking place in stream 2 (Display Filter tcp.stream eq 2). Selecting packet 53
and using Follow TCP Stream, Ann's email address is plainly obvious.


2. What is Ann’s email password?


Answer: NTU4cjAwbHo= (558r00lz)

The mail server (still looking at tcp.stream eq 2) has indicated to the client that it supports PLAIN SMTP
authentication, which means that the credentials are sent as base64 encoded plain text.
(Ref: http://www.technoids.org/saslmech.html)

Simple command line Perl script to decode encoded strings:

#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64;

print "Enter Base64 encoded string and press enter: ";

# Read one line from standard input and strip the trailing newline.
my $encoded = <STDIN>;
chomp $encoded;
my $decoded = MIME::Base64::decode($encoded);

print "The Base64 encoded string [ $encoded ] translates to [ $decoded ]\r\n";

3. What is Ann’s secret lover’s email address?


Answer: mistersecretx@aol.com

How: The recipient in TCP stream 2 does not relate well to a secret lover, so looking at the next
couple of streams we see something more rousing. The content found in tcp.stream eq 3 is more fitting
with a secret lover's message. The SMTP dialog shows that RCPT TO is mistersecretx@aol.com.



4. What two items did Ann tell her secret lover to bring?


Answer: fake passport and a bathing suit

How: These are found by reading the plain text email message in tcp.stream eq 3.



5. What is the NAME of the attachment Ann sent to her secret lover?


Answer: secretrendezvous.docx

How: Looking at the plain text conversations in tcp.stream eq 3 there appears a multi-part message:

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
	name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="secretrendezvous.docx"

6. What is the MD5sum of the attachment Ann sent to her secret lover?


Answer: 9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx

How: First one has to extract the Base64 encoded text from the stream. Saved as "attachment-encoded.txt", this output can easily be decoded using freely available decoders (http://www.fourmilab.ch/webtools/base64/), with the decoded output written to the attachment file ($ ./base64 -d attachment-encoded.txt secretrendezvous.docx). Generate the checksum value against the resultant file:

C:\tmp\challenge02>md5sum secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx
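The manual steps for questions 2, 5 and 6 (decode the base64 AUTH tokens, pull the base64 attachment out of the multipart body, hash the result) can be done in one pass over a reassembled SMTP stream. The following Python script is an added example, not part of the original write-up, and runs against a constructed sample stream with made-up credentials and a made-up attachment rather than the puzzle's own data; it handles both the AUTH LOGIN and AUTH PLAIN token forms and skips server replies if both sides of the stream are present.

```python
import base64
import hashlib
import re
# Constructed sample of a reassembled SMTP stream (client side only), laid out
# like the puzzle's; credentials and attachment are made up, not the puzzle's.
SAMPLE_STREAM = (
    b"AUTH LOGIN\r\n"
    b"YW5uQGV4YW1wbGUuY29t\r\n"  # base64("ann@example.com")
    b"cGFzc3dvcmQxMjM=\r\n"  # base64("password123")
    b"MAIL FROM: <ann@example.com>\r\nRCPT TO: <friend@example.com>\r\nDATA\r\n"
    b'Content-Type: multipart/mixed; boundary="----=_NextPart_000"\r\n\r\n'
    b"------=_NextPart_000\r\n"
    b'Content-Type: application/octet-stream;\r\n\tname="note.txt"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment;\r\n\tfilename="note.txt"\r\n\r\n'
    b"aGVsbG8gd29y\r\nbGQK\r\n"  # base64("hello world\n"), wrapped over two lines
    b"------=_NextPart_000--\r\n.\r\nQUIT\r\n"
)
B64_LINE = re.compile(rb"[A-Za-z0-9+/=]+")
# Assumes Content-Disposition is the last header of the part, as in the puzzle.
ATTACH_RE = re.compile(
    rb'Content-Disposition:\s*attachment;\s*filename="([^"]+)"\r?\n\r?\n(.*?)\r?\n--', re.S)

def decode_auth_tokens(stream: bytes) -> list:
    """Decode the base64 tokens sent after AUTH LOGIN/PLAIN; PLAIN's NUL-joined fields are split."""
    creds, in_auth = [], False
    for line in stream.split(b"\r\n"):
        if re.match(rb"\d{3}[ -]", line):  # server reply such as "334 VXNlcm5hbWU6": skip
            continue
        if line.upper().startswith(b"AUTH "):
            in_auth = True
            line = line.split(b" ", 2)[2] if line.count(b" ") >= 2 else b""  # inline token
        elif in_auth and not B64_LINE.fullmatch(line):
            break  # first non-token client line (e.g. MAIL FROM) ends the exchange
        if in_auth and line:
            creds += [p.decode("latin-1") for p in base64.b64decode(line).split(b"\0") if p]
    return creds

def extract_attachments(stream: bytes) -> dict:
    """Return {filename: decoded bytes} for each base64 attachment part in DATA."""
    return {name.decode(): base64.b64decode(b"".join(body.split()))
            for name, body in ATTACH_RE.findall(stream)}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    print("AUTH tokens:", decode_auth_tokens(SAMPLE_STREAM))
    for name, data in extract_attachments(SAMPLE_STREAM).items():
        print(f"{md5_hex(data)} *{name}")  # same "hash *name" form that md5sum prints
```

To apply it to the real capture, save the Follow TCP Stream output of stream 3 in raw form and pass those bytes in place of SAMPLE_STREAM.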

7. In what CITY and COUNTRY is their rendez-vous point?


Answer: Playa del Carmen, Mexico

How: Open the Word 2007 document and view the contents.


8. What is the MD5sum of the image embedded in the document?


Answer: aadeace50997b1ba24b09ac2ef1940b7 *image1.png

How: To extract the image, rename the file to a .zip extension. Extract the zip archive and locate the image1.png file.
Generate the checksum value against the image file:

C:\tmp\challenge02\secretrendezvous\word\media>md5sum image1.png
aadeace50997b1ba24b09ac2ef1940b7 *image1.png