SANS Network Forensic Puzzle #4

Okay, it's overdue and I'm getting further and further behind my usual walk through of the SANS forensics puzzles (This may be the last as I'm loosing interest.).  So here it is!  Please feel free to contact me if you have any questions or corrections.

1. What was the IP address of Mr. X’s scanner?

Using Wireshark, navigate to Statistics and select IP Addresses... ignore the Filter dialog and just click Create Stat

In this sample we can easily identify the top talker...

Judging by the high count of packets being generated by 10.42.42.253 it is very likely the source of the scanning activity in this PCAP.

2. For the FIRST port scan that Mr. X conducted, what type of port scan was it?

(Note: the scan consisted of many thousands of packets.) Pick one:

* TCP SYN
* TCP ACK
* UDP
* TCP Connect
* TCP XMAS
* TCP RST

This is where (in my humble opinion) a command line tool excels - to confirm what type of scan we need to systematically run throught the possibilities:

If you are unfamiliar with Wireshark/Tshark display filter syntax, a 1 indicates that the bit is set (true) and a 0 indicates that it is not set (false).  See references links at the end of this article to brush up on TCP flags and their values.

TCP SYN (0x02)- Search for segments containing only SYN flags from scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags.cwr == 0 && tcp.flags.ecn == 0 && tcp.flags.urg == 0 && tcp.flags.ack == 0 && tcp.flags.push == 0 && tcp.flags.reset == 0 &&  tcp.flags.syn == 1 && tcp.flags.fin == 0" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

...that's a mess.  You could try something more straight forward using the hexadecimal value for the SYN bit:

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x02" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 7414 matches - Not bad seems like this could be a SYN scan.


TCP ACK (0x10)- Search for segments containing only ACK flags from scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 11 matches - Compared to the previous result this is not likely the scan we are looking for.


UDP - Search for large number of UDP packets from scanner

$ tshark -R "ip.src == 10.42.42.253 && udp" -Tfields -e frame -e ip.src -e ip.dst -e udp.dstport -r evidence04.pcap

Result: 8 matches - that's less than TCP ACK so the odds are not good that this is a UDP scan


TCP Connect (0x10)- The attributes of a TCP Connect scan are similar to a SYN scan so we cannot simply look for the SYN packets.  Unlike the SYN scan, the TCP Connect scan will complete the 3-way TCP handshake by sending the ACK packet back to the target if it receives a SYN/ACK.  The results of searching for segments with ACK flag sent from the scanner could be misleading if there were an ACK scan in progress.  We need more data!  Inspecting the previous packet in the sequence (note the addition of tcp.stream in the tshark fields list) it is possible to associate it with a SYN/ACK from the target thus confirming the presence of a TCP Connect scan.

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap

Output:

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x10" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap

Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 4389     10.42.42.253    10.42.42.50    135    0x10    2235
Frame 13531     10.42.42.253    10.42.42.50    135    0x10    7413
Frame 13532     10.42.42.253    10.42.42.50    139    0x10    7414
Frame 13543     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13547     10.42.42.253    10.42.42.50    135    0x10    7415
Frame 13593     10.42.42.253    10.42.42.56    1    0x10    7425
Frame 13594     10.42.42.253    10.42.42.25    1    0x10    7426
Frame 13606     10.42.42.253    10.42.42.50    135    0x10    7431
Frame 13610     10.42.42.253    10.42.42.50    1    0x10    7433
Frame 13622     10.42.42.253    10.42.42.56    1    0x10    7425

(Note: I like to include the frame number for ease of locating the packet in Wireshark.)


Result: 11 matches - not too many - if this were an ACK scan there would be hundreds or thousands of ACK packets coming from the scanner.  In the output above, let's look at the first TCP stream identified as 390:

$ tshark -R "tcp.stream eq 390" -Tfields  -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.stream -r evidence04.pcap

Frame 779     10.42.42.253    10.42.42.50    139    0x02    390
Frame 786     10.42.42.50    10.42.42.253    56257    0x12    390
Frame 791     10.42.42.253    10.42.42.50    139    0x10    390
Frame 821     10.42.42.253    10.42.42.50    139    0x14    390

The sequence above confirms that this is *not* a SYN scan since the scanner responded to the clients SYN/ACK (flag 0x12) with an ACK (flag 0x10).  In addition the lack of ACK packets does not indicate an ACK scan.  Given the evidence above, it appears that this first scan is a TCP Connect scan.

To be thorough the XMAS and RST scans are examined next.

TCP XMAS (0x31) - Search for FIN, PSH, and URG flags from scanner

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x31" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 0 matches


TCP RST (0x04) - Search for RST segments from SRC

$ tshark -R "ip.src == 10.42.42.253 && tcp.flags == 0x04" -Tfields -e frame -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -r evidence04.pcap

Result: 10 matches - the output of this contains one destination IP so it is not a host enumeration scan.

Side Note: Here is a little exercise that will extract the flag values and create a list counting the frequency of each type.  Step 1: Extract SRC IP, DST IP, DST Port and TCP Flags field and save it to a CSV file: $ tshark -R "ip.src == 10.42.42.253" -Tfields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -E separator=, -r evidence04.pcap >> output.txt Now, although you could just extract the header field above, I extracted additional fields so I can reuse it to analyze ports and target IPs. So, now just need to pluck the TCP Flags from output.txt $ cat output.txt | awk -F, '{print $4}' | sort -u > list.txt Should look something like this: $ cat  list.txt  0x00 0x02 0x04 0x10 0x11 0x14 0x18 0x29 0x2b 0xc2 Step 2.  That give you a distinct list of all the TCP flag values in hexadecimal format.  Now let's generate a count of each with this Bash loop: $ for i in `cat list.txt`; do echo -n "TCP Flag: $i, Count: " ; grep -c $i output.txt; done TCP Flag: 0x00, Count: 1 TCP Flag: 0x02, Count: 7414 TCP Flag: 0x04, Count: 10 TCP Flag: 0x10, Count: 11 TCP Flag: 0x11, Count: 3 TCP Flag: 0x14, Count: 2 TCP Flag: 0x18, Count: 3 TCP Flag: 0x29, Count: 4 TCP Flag: 0x2b, Count: 1 TCP Flag: 0xc2, Count: 1 Using this information alone the answer to this challenge would be inaccurate.

3. What were the IP addresses of the targets Mr. X discovered?

With this command you can quickly find a distinct list of targets (DST IP)

tshark -R "ip.dst" -Tfields -e ip.dst -r evidence04.pcap | sort -t "." -k1,1 -k2,2 -k3,3 -k4,4 | sort -u

10.255.255.255

10.42.42.25

10.42.42.253

10.42.42.50

10.42.42.56

So throwing out the broadcast and the known source (scanner) you can identify the targets 10.42.42.25, 10.42.42.50, and 10.42.42.56.

4. What was the MAC address of the Apple system he found?

Borrowing the command line foo from Puzzle #3 the MAC OUI Vendors can be extracted like this:

$ for i in `tshark -R eth.src -Tfields -e eth.src -r evidence04.pcap  | sort -u`; do echo -n "$i OUI Vendor: "; VALUE=`echo $i | awk -F":" '{print $1 ":" $2 ":"  $3}'`; grep -i $VALUE oui.txt | awk '{print $2}';done

00:16:cb:92:6e:dc OUI Vendor: AppleCompu

00:23:8b:82:1f:4a OUI Vendor: QuantaComp

00:26:22:cb:1e:79 OUI Vendor: CompalInfo

70:5a:b6:51:d7:b2 OUI Vendor: CompalInfo

5. What was the IP address of the Windows system he found?

By elimination, known IP addresses are:

10.255.255.255 - Broadcast

10.42.42.25 - Apple Macintosh

10.42.42.253 - Scanning System

10.42.42.50 - ?

10.42.42.56 - ?

Do either of these unidentified hosts respond to the SYN probes?  Wireshark display filter for SYN+ACK from specific SRC IP addresses can reveal what services responded... Well known Microsoft specific services can indicate that a Windows machine is responding to the probe.

Try either the .50 or .56 hosts in the 'ip.src==' filter below

ip.src == 10.42.42.50 && tcp.flags.ack ==1 && tcp.flags.syn == 1

Only .50 replys with both the SYN+ACK TCP flags set which reveals that the port is open and something acknowledged the SYN - presumably a windows service on this well known port (MS-RPC on port 135).

Curiously .50 is also talking to the Apple system on TCP/139 (NetBIOS/SMB - File and Printer Sharing) which the attacker also probed.

Answer: 10.42.42.50

6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)

TCP/135

TCP/139

X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?

It's everyone's favorite scanner nmap of course! To do this answer justice it would be another week before I finish so I will just recommend reading this article (http://www.aldeid.com/index.php/Network-forensics/Puzzle4#Tools) which is extremely informative on the topic..

References:

0. Wikipedia http://en.wikipedia.o/wiki/Transmission_Control_Protocol#TCP_segment_structure
1. http://danielmiessler.com/study/tcpflags/
2. http://www.wireshark.org/docs/dfref/t/tcp.html
3. http://www.parkenet.com/apl/HexDecConverter.html

SANS Forensics Puzzle #3 - Ann’s AppleTV

SANS Network Forensic Puzzle #3

The contest strives for participants to create new tools to solve the challenge.  Rather than create yet another specialized tool, I took this an an opportunity to hone my tshark skills.  Never heard of tshark?  It's the terminal (i.e.) command line companion of Wireshark.  As a side note, this article contains some crazy awking and bash foo... just how I like it.  In the end, I searched high and low for something simple to extract PLIST key/values with and faced the question of learning python or just giving in to manually extracting the value from the "XML".  I chose the latter.

1. What is the MAC address of Ann’s AppleTV?

$ tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap  | sort -u
for i in `tshark -R eth.src -Tfields -e eth.src -r evidence03.pcap  | sort -u`; do echo -n "$i OUI Vendor: "; VALUE=`echo $i | awk -F":" '{print $1 ":" $2 ":"  $3}'`; grep -i $VALUE oui.txt | awk '{print $2}';done

Output:
-------
00:23:69:ad:57:7b OUI Vendor: Cisco-Link
00:25:00:fe:07:c4 OUI Vendor: Apple

What's going on here?  If you are new to tshark, I recommend spending time with the man page.  In the above command the Read filter is pulling ethernet src frames and extracting the etherenet src field from evidence03.pcap.

The output is then sorted/uniqed and the first three octets are matched with a reference text file (wget standards.ieee.org/regauth/oui/oui.txt) containing all known manufacturers OUI.

The output shows the manufacturer of all the devices on the network - not just the AppleTV.

2. What User-Agent string did Ann’s AppleTV use in HTTP requests?

$ tshark -R http.user_agent -Tfields -e http.user_agent  -r evidence03.pcap  | sort -u

Output:
-------
AppleTV/2.4

3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?

$ tshark -R "http.request.uri contains search" -Tfields -e http.request.uri  -r evidence03.pcap | awk -F"=" '{print $NF}'

Output:
-------
h
ha
hac
hack
s
sn
sne
sneb
snea
sneak
i
ik
ikn
ikno
iknow
iknowy
iknowyo
iknowyou
iknowyour
iknowyoure
iknowyourew
iknowyourewa
iknowyourewat
iknowyourewatc
iknowyourewatch
iknowyourewatchi
iknowyourewatchin
iknowyourewatching
iknowyourewatchingm
iknowyourewatchingme

Wow... that was neat.  The tshark command goes way beyond the first search term but what what is going on here?  It looks like iTunes sends each keystroke across the wire to search in real time.  Reminds me of a keystroke logger.

4. What was the title of the first movie Ann clicked on?

$ tshark -R "http.request.uri contains viewMovie" -Tfields -e http.request.uri  -r evidence03.pcap

/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441
/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D283963264%26s%3D143441

This tshark filter will display four URI's from the sample PCAP.  The first two are related to the first movie that Ann clicked on (Hackers) - The second to relate to the second movie (Sneakers).

5. What was the full URL to the movie trailer (defined by “preview-url”)?

The filter "xml.cdata contains preview-url" points to frame 312 which contains reassembled segments from frames 309, 310, and 312.

Preview URL: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v

Preview required!

6. What was the title of the second movie Ann clicked on?

(See answer to question 4.) Sneakers...

7. What was the price to buy it (defined by “price-display”)?

Wireshark lacks the ablitlity to programatically process PLIST files so I had to cheat on this answer and use a display filter "xml.cdata contains price-display" to find the two instances for each of the two movies.

Answer: $9.99

8. What was the last full term Ann searched for?

This is found in the answer to question 3. (iknowyourewatchingme)

SANS Network Forensic Puzzle #1 Howto

SANS Network Forensic Puzzle #1 Howto from pstutz on Vimeo. This is a quick demonstration of how I approached the first SANS Network Forensic Challenge. Tools used were Wireshark, Frhed, md5sum, Word 2007 Viewer, and Vim32. (Please play this demonstration in full screen mode for optimal viewing.)

SANS Forensics Puzzle #2 - Ann Skips Bail

SANS Forensics Puzzle #2

Disclaimer: This is not intended to be elegant... only addressing the "mechanics" of answering the questions in a strait forward manner.

Step 0... acquire the sample

1. What is Ann’s email address?

Answer: sneakyg33k@aol.com

How: By reviewing the PCAP one can see that there is a ESMTP conversation
taking place in stream 2 (Display Filter tcp.stream eq 2). Selecting packet 53
with Follow TCP Stream it is plain obvious what Ann's email address is.

2. What is Ann’s email password?

Answer: NTU4cjAwbHo= (558r00lz)

The mail server (still looking at tcp.stream eq 2) has indicated to the client that it supports PLAIN SMTP
authentication which means that the credentials are base64 encoded plain text.
(Ref: http://www.technoids.org/saslmech.html)

Simple command line Perl script to decode encoded strings:

use MIME::Base64;

print "Enter Base64 encoded string and press enter: ";

$encoded = ;
chomp $encoded;
$decoded = MIME::Base64::decode($encoded);

print "The Base64 encoded string [ $encoded ] translates to [ $decoded ]\r\n";

3. What is Ann’s secret lover’s email address?

Answer: mistersecretx@aol.com

How: The recipent in TCP stream 2 does not relate well to a secret lover so looking at the next
couple of streams we see something more rousing. The content found in tcp.stream eq 3 is more fitting with a secret lovers message. The SMTP dialog shows that RCPT TO is mistersecretx@aol.com.

4. What two items did Ann tell her secret lover to bring?

Answer: fake passport and a bathing suit

How: These are found by reading the plain text email message in tcp.stream eq 3.

5. What is the NAME of the attachment Ann sent to her secret lover?

Answer: secretrendezvous.docx

How: Looking at the plain text conversations in tcp.stream eq 3 there appears a multi-part message:

------=_NextPart_000_000D_01CA497C.9DEC1E70
Content-Type: application/octet-stream;
.name="secretrendezvous.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
.filename="secretrendezvous.docx"

6. What is the MD5sum of the attachment Ann sent to her secret lover?

Answer: 9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx

How: First one has to extract the Base64 encoded text from the stream. This output saved as "attachment-encoded.txt" can easily be decoded using freely available decoders (http://www.fourmilab.ch/webtools/base64/) and the output redirected to stdout ($ ./base64 -d attachment-encoded.txt secretrendezvous.docx). Generate the checksum value against the resultant file:

C:\tmp\challenge02>md5sum secretrendezvous.docx
9e423e11db88f01bbff81172839e1923 *secretrendezvous.docx

7. In what CITY and COUNTRY is their rendez-vous point?

Answer: Playa del Carmen, Mexico

How: Open the Word 2007 document and view the contents.

8. What is the MD5sum of the image embedded in the document?

Answer: aadeace50997b1ba24b09ac2ef1940b7 *image1.png

How: To extract the image rename the file to a .zip extension. Extract the zip archive and locate the image1.png file.
Generate the checksum value against the images file:

C:\tmp\challenge02\secretrendezvous\word\media>md5sum image1.png
aadeace50997b1ba24b09ac2ef1940b7 *image1.png