Part 1 - Packet Analysis Challenge
Part A: Preparation
Copy the evidence.pcap file into the root user's home directory (/root) on Kali.
Verify the MD5 hash of the file to check its integrity (i.e. that you downloaded the complete file and nobody has altered it). Compute the 128-bit MD5 hash of evidence.pcap with the md5sum tool in Kali and compare it with the published value. (MD5 is adequate for spotting a truncated or corrupted download; it is not collision-resistant, so where a SHA-256 value is published, check that too.)
Part B: Using tcpdump
Use tcpdump to determine whether the traffic in evidence.pcap is IPv4 or IPv6. How can you tell?
Hint: # tcpdump -n -X -r evidence.pcap
With -X, the hex dump of each packet starts after the link-layer header, so the first byte is the IP version/header-length byte: 0x45 means IPv4 (version 4, 20-byte header), 0x6x means IPv6. The one-line summary tcpdump prints also shows IPv4 dotted-quad or IPv6 colon-hex addresses. As a cross-check, tcpdump -n -r evidence.pcap ip6 prints nothing if the capture contains no IPv6.
Part C: Using Wireshark to gather Statistics
Open the evidence.pcap file in Wireshark.
How many total packets were captured?
Hint: Statistics > Summary (older Wireshark releases)
Or Statistics > Capture File Properties (Wireshark 2.x and later)
How many total bytes were captured?
How much time elapsed from when the first packet was captured until the last packet was captured?
List the 13 IP addresses that either sent or received packets as part of this packet capture. (Hint: Statistics > Endpoints, IPv4 tab)
The Challenge: Ann’s Bad AIM
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious - until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”
http://forensicscontest.com © Lake Missoula Group, LLC
Where should we start? Since we are mainly interested in Ann's activities, let's start with her traffic!
Using Wireshark (Statistics > Conversations, IPv4 tab), complete the following chart:

Conversation                              # of packets    # of bytes
192.168.1.158  <->  239.255.255.250       ________        ________
192.168.1.158  <->  192.168.1.159         ________        ________
64.12.24.50    <->  192.168.1.158         ________        ________
192.168.1.10   <->  192.168.1.158         ________        ________
TOTAL                                     ________        ________
The chart shows all the conversations of Ann’s IP address (192.168.1.158).
We can use a Wireshark display filter to view only packets relating to Ann's IP address. Set the following filter in Wireshark:
ip.host == 192.168.1.158
(ip.addr == 192.168.1.158 is equivalent and more commonly used; both match the address as either source or destination.)
How many packets relate to Ann's IP address? The count should equal the TOTAL row of the chart above.
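The following script is an added example and is not part of the original lab. It reads a classic libpcap file directly and reproduces the answers the lab asks you to find with md5sum, tcpdump and Wireshark in Parts A, B and C (MD5, IPv4 versus IPv6, packet and byte totals, elapsed time, endpoints), and it builds the conversation chart for Ann's address that Wireshark's Statistics > Conversations gives you. Run it as python3 pcapstats.py evidence.pcap; with no argument it analyses a constructed four-packet capture built inside the script (the addresses are taken from the lab, the packets are invented) so it runs offline. It handles only Ethernet link-layer captures, not pcapng.

```python
"""Added example, not part of the original lab: a small libpcap reader that
answers Parts A-C and fills Ann's conversation chart without Wireshark.
Usage: python3 pcapstats.py evidence.pcap  (no argument: constructed sample)."""
import hashlib
import ipaddress
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ANN = "192.168.1.158"


def md5sum(data: bytes) -> str:
    """Part A: the same digest md5sum prints; compare with the published value."""
    return hashlib.md5(data).hexdigest()


def read_pcap(data: bytes):
    """Yield (timestamp, frame bytes, length on the wire) per libpcap record.
    Handles both byte orders and the nanosecond magic; pcapng is not handled."""
    magics = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
              b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}
    if data[:4] not in magics:
        raise ValueError("not a classic libpcap file")
    endian, divisor = magics[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + frac / divisor, data[off:off + incl], orig
        off += incl


def ip_layer(frame: bytes):
    """Return (version, src, dst) for an Ethernet frame carrying IP, else None.
    The EtherType and the version nibble of the first IP byte (0x45 / 0x6x,
    what tcpdump -X lets you read by eye) both distinguish IPv4 from IPv6."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    p = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(p) >= 20 and p[0] >> 4 == 4:
        return 4, str(ipaddress.ip_address(p[12:16])), str(ipaddress.ip_address(p[16:20]))
    if ethertype == ETHERTYPE_IPV6 and len(p) >= 40 and p[0] >> 4 == 6:
        return 6, str(ipaddress.ip_address(p[8:24])), str(ipaddress.ip_address(p[24:40]))
    return None


def summarize(data: bytes) -> dict:
    """Parts B and C: what Capture File Properties and Endpoints report."""
    versions, endpoints = Counter(), set()
    packets = total = 0
    first = last = None
    for ts, frame, orig in read_pcap(data):
        packets += 1
        total += orig            # bytes on the wire, as Wireshark counts them
        first = ts if first is None else first
        last = ts
        ip = ip_layer(frame)
        if ip:
            versions[ip[0]] += 1
            endpoints.update(ip[1:])
    return {"packets": packets, "bytes": total,
            "elapsed_s": (last - first) if packets else 0.0,
            "ipv4": versions[4], "ipv6": versions[6], "endpoints": sorted(endpoints)}


def conversations(data: bytes, host: str) -> dict:
    """Ann's chart: (packets, bytes) per IP conversation involving host, keyed by
    the sorted address pair (the grouping tshark -q -z conv,ip also uses)."""
    chart = {}
    for _, frame, orig in read_pcap(data):
        ip = ip_layer(frame)
        if ip and host in ip[1:]:
            key = tuple(sorted(ip[1:]))
            pk, by = chart.get(key, (0, 0))
            chart[key] = (pk + 1, by + orig)
    return chart


def build_sample_pcap() -> bytes:
    """Constructed capture for offline runs (NOT evidence.pcap): three IPv4
    frames between addresses named in the lab and one IPv6 frame."""
    def eth(ethertype, payload):
        return bytes(12) + struct.pack("!H", ethertype) + payload
    def v4(src, dst, body=b"x" * 20):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, 0, 64, 6, 0,
                          ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        return eth(ETHERTYPE_IPV4, hdr + body)
    def v6(src, dst, body=b"x" * 20):
        hdr = struct.pack("!IHBB16s16s", 0x60000000, len(body), 6, 64,
                          ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        return eth(ETHERTYPE_IPV6, hdr + body)
    frames = [(0.0, v4(ANN, "192.168.1.159")), (0.5, v4("192.168.1.159", ANN, b"y" * 100)),
              (1.0, v4(ANN, "64.12.24.50")), (2.25, v6("fe80::1", "ff02::1"))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print("md5:", md5sum(data))
    print(summarize(data))
    for (a, b), (pk, by) in sorted(conversations(data, ANN).items()):
        print(f"{a} <-> {b}: {pk} packets, {by} bytes")
```

The byte totals are the on-the-wire lengths, so they should agree with Wireshark's chart; if they differ, check whether the capture was taken with a snaplen shorter than the packets (incl_len smaller than orig_len), which also truncates the payloads you will want to read later.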
Now that we can see the traffic related to Ann, let’s start analyzing some packets.
What protocol is used in Frame 25?
What is the destination port of Frame 25?
Hint: Remember the destination port is located in the TCP header.
What protocol does Wireshark think this packet is?
Do the destination port and the protocol Wireshark assigned to this frame make sense together? (Wireshark picks a dissector from the port number by default; it does not verify that the payload actually matches that protocol.)
If this is truly SSL traffic, then by definition, should it be encrypted or unencrypted?
Is the data in Frame #25 encrypted or unencrypted?
How can you tell?
What happened? Did Wireshark make a mistake?
Well, if it isn’t SSL traffic, what kind of traffic is it? Let’s find out.
To what IP address is Ann sending data in Packet 25?
Perform a WHOIS lookup on the IP address that Ann is sending traffic. What did you find out?
root@kali:~# whois 64.12.24.50
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 64.12.24.50"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=64.12.24.50?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 64.12.0.0 - 64.12.255.255
CIDR: 64.12.0.0/16
OriginAS:
NetName: AOL-MTC
NetHandle: NET-64-12-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
RegDate: 1999-12-13
Updated: 2012-03-20
Ref: http://whois.arin.net/rest/net/NET-64-12-0-0-1
OrgName: America Online
OrgId: AOL
Address: 22000 AOL Way
City: Dulles
What do you know about the organization that owns 64.12.24.50? What popular software do they own or are they associated with?
Wow! Now that we suspect the traffic is actually AOL Instant Messenger (AIM) traffic, let's tell Wireshark to decode these packets as AIM traffic instead of SSL.
Right click on Frame 25 and select "Decode As...". Set up the following rule (seen in the image below): for the TCP destination port you found in Frame 25, choose AIM as the protocol in the "Current" column. Note that Decode As is a display setting only; it changes how Wireshark interprets the bytes, not the bytes themselves.
Notice how Frame 25 has changed:
Before we decoded it:
After we set Wireshark to decode it as AIM traffic:
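The reasoning the lab walks you through by hand (port says SSL, bytes say otherwise) can be written as a small payload check. The following script is an added example, not part of the original lab or of Wireshark. A TLS record always starts with a content-type byte (0x14 to 0x17) followed by the version bytes 0x03 0x0X and a 16-bit length; an AIM OSCAR FLAP frame always starts with 0x2A ('*'), a channel byte (1 to 5), a 16-bit sequence number and a 16-bit payload length. The two sample payloads are constructed here (the TLS one is a bare ClientHello record header with filler, the FLAP one carries a SNAC header for an outgoing IM with invented text); they are not the bytes of Frame 25.

```python
"""Added example (not from the lab): tell a TLS record from an AIM FLAP frame by
looking at the first bytes of the TCP payload, which is what the lab's
encrypted-or-not question and the Decode As step are really about."""
import struct

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
FLAP_CHANNELS = {1: "new connection", 2: "SNAC data", 3: "error",
                 4: "close connection", 5: "keep-alive"}


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload begins with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # Version 3.0-3.4 covers SSL 3.0 through TLS 1.3; 2^14 + 2048 is the
    # maximum record length the RFCs allow.
    return ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and 0 < length <= 16384 + 2048


def parse_flap(payload: bytes):
    """Return (channel, sequence, data) if the payload starts with a complete
    FLAP frame, else None. A frame split across TCP segments is rejected here;
    Wireshark reassembles those for you, this script does not."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return None
    channel, seq, length = struct.unpack("!BHH", payload[1:6])
    if channel not in FLAP_CHANNELS or len(payload) < 6 + length:
        return None
    return channel, seq, payload[6:6 + length]


def classify(payload: bytes) -> str:
    """Heuristic only: TLS is checked first because its header is stricter,
    but any 5 matching bytes will pass, so confirm with Follow TCP Stream."""
    if looks_like_tls(payload):
        return "tls"
    if parse_flap(payload) is not None:
        return "aim"
    return "unknown"


def printable(data: bytes) -> str:
    """The right-hand column of Wireshark's hex pane: readable text shows the
    data is not encrypted."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


# Constructed samples (not captured bytes). SNAC family 0x0004 (ICBM),
# subtype 0x0006 is the client-to-server instant message.
SAMPLE_TLS = b"\x16\x03\x01" + struct.pack("!H", 46) + b"\x01" + bytes(45)
_snac = struct.pack("!HHHI", 0x0004, 0x0006, 0, 1) + b"hello from a constructed frame"
SAMPLE_FLAP = b"\x2a\x02" + struct.pack("!HH", 0x1234, len(_snac)) + _snac

if __name__ == "__main__":
    for name, sample in (("tls sample", SAMPLE_TLS), ("flap sample", SAMPLE_FLAP)):
        print(f"{name}: {classify(sample)}  {printable(sample[:48])}")
```

The same outcome on the command line, once you know the port from Frame 25, is tshark -r evidence.pcap -d tcp.port==<port>,aim; the -d option is the Decode As rule in batch form.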
What is the name of Ann’s chat buddy?
Taking a look back at the unencrypted data in Frame 25, what does it appear Ann is sending her AIM buddy?
Let’s see if we can learn more about this AIM conversation she is having with her buddy.
Right click on Frame 25 and select “Follow TCP stream”. Analyze the stream content. What is the name and file extension of the file it appears that Ann sends to her AIM buddy?
Where are Ann and her buddy planning on selling the recipe?
It looks like Ann is up to no good!
It sure would be nice if we could open that recipe.docx file to make sure it is, in fact, the secret recipe that the security staff suspects Ann leaked out of the company. Hmm…
Use the Wireshark filter frame contains "recipe" to find all frames that include the word recipe. (The match is case-sensitive and byte-exact; a filename typed as Recipe.docx would not match.)
Follow the TCP stream of Frame 112. What does it appear is happening?
Since you suspect Ann sent the recipe.docx file to her buddy, use the direction drop-down in the Follow TCP Stream window to show only the data sent by Ann (192.168.1.158), i.e. the entry labelled 192.168.1.158:aol (Wireshark resolves the AIM port to the service name "aol"). The other direction contains the buddy's acknowledgements, which would corrupt the carved file.
Set "Show data as" to Raw, then click "Save As" and save this stream as "recipe.raw".
[Make sure to note where you are saving your file]
Having the raw data for the file is a great start! Now we just need to carve the .docx out of it so we can open it.
I don't want to ruin all the fun for you!
Use a hex editor to try to do this on your own.
Here is a hint: a .docx file is a ZIP container, so its first two bytes are 50 4B (ASCII "PK"), and the full local-file-header signature is 50 4B 03 04. Everything in recipe.raw before that signature belongs to the AIM file-transfer protocol, not to the document, and must be removed.
What is the title of the recipe? Recipe for _______________________________!
What is the recipe? Where do you pour the liquid?
Challenge: What is the MD5 sum of the recipe file?
Part 2 - md5sum Recipe docx
I hope you enjoyed working through the complex analysis of Ann's Bad AIM. If you carefully followed this case study, you got a close look at how complex and devious these hacks can be. The 'Lab 10.3 MD5 Sum' below tests your understanding of the case study, and ends by asking you to carve the document out of RECIPE.RAW, convert it to a Word .docx, and compute its MD5 hash.
Note: Scenarios like this are becoming more and more difficult because of the prevalence of HTTPS in Internet communications. With HTTPS (TLS) the payloads you read in plaintext here would be encrypted, which brings up a whole new set of intrusion-analysis problems.
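For readers who have already done the hex-editor exercise, the following script is an added example (not the lab's own code) that performs the same carve programmatically and answers the MD5 challenge. It locates the first ZIP local-file-header signature (50 4B 03 04), trims anything after the ZIP end-of-central-directory record, verifies that the result opens as a ZIP with the two entries every .docx contains, and prints the MD5 of the carved file. Usage: python3 carve_docx.py recipe.raw recipe.docx. The sample stream it falls back to is constructed inside the script (a stand-in transfer header, a minimal docx-shaped ZIP, then trailing protocol bytes); it is not the contents of recipe.raw.

```python
"""Added example (not from the lab): carve the .docx out of the saved raw
stream, validate it, and compute its MD5.
Usage: python3 carve_docx.py recipe.raw recipe.docx  (no args: constructed sample)."""
import hashlib
import io
import struct
import sys
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"      # 50 4B 03 04, the hint from the lab
END_OF_CENTRAL_DIR = b"PK\x05\x06"     # 22-byte EOCD record + optional comment


def carve_zip(blob: bytes) -> bytes:
    """Return the ZIP container embedded in blob, from its first local file
    header to the end of its end-of-central-directory record."""
    start = blob.find(LOCAL_FILE_HEADER)
    if start < 0:
        raise ValueError("no ZIP local file header (50 4B 03 04) found")
    eocd = blob.rfind(END_OF_CENTRAL_DIR)
    if eocd < start:
        raise ValueError("no end-of-central-directory record; was the transfer complete?")
    comment_len = struct.unpack("<H", blob[eocd + 20:eocd + 22])[0]
    return blob[start:eocd + 22 + comment_len]


def docx_names(data: bytes) -> list:
    """Open the carved bytes as a ZIP, check every CRC, and list the entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.testzip() is not None:
            raise ValueError("CRC error inside the carved ZIP")
        return zf.namelist()


def is_docx(data: bytes) -> bool:
    """A Word document always carries these two entries."""
    names = docx_names(data)
    return "[Content_Types].xml" in names and "word/document.xml" in names


def md5_hex(data: bytes) -> str:
    """Same value md5sum prints for the carved file."""
    return hashlib.md5(data).hexdigest()


def build_sample_stream() -> bytes:
    """Constructed stand-in for recipe.raw: 32 bytes of fake transfer header,
    a minimal docx-shaped ZIP with fixed timestamps, then 6 trailing bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in (("[Content_Types].xml", "<Types/>"),
                           ("word/document.xml", "<w:document>constructed sample</w:document>")):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2009, 1, 1, 0, 0, 0)), text)
    return bytes(32) + buf.getvalue() + b"\x2a\x04\x00\x00\x00\x00"


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    doc = carve_zip(raw)
    print("entries:", docx_names(doc))
    print("looks like a docx:", is_docx(doc))
    print("md5:", md5_hex(doc), "(%d bytes carved from %d)" % (len(doc), len(raw)))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(doc)
```

Trimming at the end-of-central-directory record matters for the MD5 question: any transfer-protocol bytes left before or after the ZIP change the hash even though Word may still open the file. Cross-check the carved file with unzip -t recipe.docx and md5sum recipe.docx.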
Note 2: All questions below refer to Part 1 of the Packet Analysis Challenge
1. What is the title of the recipe? Recipe for __________________________ (enter in the box below)
2. What is the recipe?
3. Where do you pour the liquid?
4. Paste a screen shot of the recipe.raw hex output. The first page or two is sufficient. You may use HxD, hexedit or bless. For credit, your name must appear in the screen shot (open a second terminal with your name. See Example)
Example:
5. Paste a screen shot of the MD5sum calculation showing the command used, and the MD5 result. For credit, your name must appear in the screen shot.
Example:
kali@kali:~/10mod$ md5sum recipe.docx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx recipe.docx
kali@kali:~/10mod$ echo "Your Name"    # your real name must be shown in the screenshot
Thanks – I hope you enjoyed the case study and analysis. It’s quite eye opening!