I recently came across one of the old DefCon puzzle challenges from back in 2009. I hadn’t done this challenge before so I decided to give it a shot. This is the first of a series of network forensic challenges. Below is the background on the challenge:
Puzzle #1: Ann’s Bad AIM
Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.
Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious, until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.
“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”
You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:
- What is the name of Ann’s IM buddy?
- What was the first comment in the captured IM conversation?
- What is the name of the file Ann transferred?
- What is the magic number of the file you want to extract (first four bytes)?
- What was the MD5sum of the file?
- What is the secret recipe?
There are a plethora of open source tools you can use to complete this challenge. You can also create some of your own if you so desire. Below is a list of a few tools that would help you solve this challenge. The *starred* tools are the ones I used:
- *010 Editor (hex editor)*
- Sysinternals Strings
I started out the challenge by opening the pcap (evidence01.pcap) in Wireshark. When you open the file, here is what you’ll see:
Let’s tackle question 1: What is the name of Ann’s IM buddy? You pick up from the question that Ann is using some kind of Instant Messenger. If you look back at the name of the challenge, you’ll notice it’s called “Ann’s Bad AIM”, and quickly realize that she is probably using AIM as her Instant Messenger. First thing you’ll want to do in Wireshark is filter on Ann’s IP address (192.168.1.158) using the filter: ip.addr == 192.168.1.158. Once you filter on her IP address, you’ll see this:
Once the capture is filtered on Ann’s address you’ll see a fair amount of traffic that Wireshark labels as SSL, plus plain TCP. That label is only a guess: Wireshark calls anything on TCP port 443 “SSL”, but AIM simply uses 443 as an alternate port for its OSCAR protocol, and this session is not encrypted at all. (If it really were TLS, Wireshark could not decode it without the server’s private key or the session keys.) Select packet 23, right click and choose “Decode As…”, pick the TCP port 443 entry, select “AIM” in the protocol column on the right, then click “Apply” and “OK”.
Wireshark now dissects the port 443 stream as AIM Messaging traffic. Nothing was decrypted; the bytes were plaintext all along and had only been mislabelled by port number.
You’ll quickly notice in packet 25, “AIM Messaging, Outgoing to: Sec558user1”. You now have the answer to question 1, “Sec558user1”.
Moving on to question 2: What was the first comment in the captured IM conversation?
If you select the first “AIM Messaging” packet, number 25, you’ll see that, now that Wireshark dissects the stream as AIM, an “AIM Messaging, Outgoing” subtree appears in the packet details. Expand “AIM Messaging, Outgoing” and then “TLV: Message Block”, and you’ll find the answer to question 2: “Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)”
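As an added example (not part of the original walkthrough), the Python below shows both points made above: a byte-level check that tells a TLS handshake from an OSCAR FLAP frame regardless of the port it arrived on, and a parser that walks an outgoing ICBM SNAC (family 0x0004, subtype 0x0006) down to the buddy name and the message-text TLV that Wireshark displays under “TLV: Message Block”. The frame it parses is constructed by build_icbm_outgoing(), not taken from evidence01.pcap; the cookie, request id and feature bytes in it are arbitrary values chosen for the example.

```python
"""Added example for the Ann's Bad AIM walkthrough: port 443 is not proof of
TLS, and an AIM IM is a FLAP frame -> SNAC -> TLVs. The sample frame is
constructed by build_icbm_outgoing(); it is not a packet from evidence01.pcap."""
import struct

FLAP_MARKER = 0x2A          # every OSCAR FLAP frame starts with '*'
TLS_HANDSHAKE = 0x16        # TLS record type for the handshake (ClientHello)
FAMILY_ICBM, SUBTYPE_OUTGOING = 0x0004, 0x0006
TLV_MESSAGE_BLOCK, TLV_FEATURES, TLV_MESSAGE_TEXT = 0x0002, 0x0501, 0x0101


def classify_payload(first_bytes: bytes) -> str:
    """Wireshark calls TCP 443 "SSL" by port number. Look at the bytes instead:
    a TLS handshake record starts 0x16 0x03 0x0X; a FLAP frame starts with '*'."""
    if (len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes[:1] == b"*":
        return "aim-flap"
    return "unknown"


def tlv(t: int, value: bytes) -> bytes:
    """Encode one OSCAR TLV: 2-byte type, 2-byte length, value (big-endian)."""
    return struct.pack(">HH", t, len(value)) + value


def parse_tlvs(buf: bytes):
    """Yield (type, value) pairs from a TLV chain; stops at a truncated tail."""
    off = 0
    while off + 4 <= len(buf):
        t, ln = struct.unpack_from(">HH", buf, off)
        off += 4
        yield t, buf[off:off + ln]
        off += ln


def parse_icbm_outgoing(frame: bytes) -> dict:
    """Recover buddy name and message text from a FLAP frame carrying
    SNAC 0x0004/0x0006 (client -> server IM on ICBM channel 1).
    After the 10-byte SNAC header: 8-byte cookie, 2-byte message channel,
    1-byte name length, name, then TLVs. TLV 0x0002 (message block) nests
    TLV 0x0501 (features) and TLV 0x0101 (charset, subset, text)."""
    if len(frame) < 6 or frame[0] != FLAP_MARKER:
        raise ValueError("not a FLAP frame")
    channel, _seq, length = struct.unpack_from(">BHH", frame, 1)
    if channel != 2:
        raise ValueError("FLAP channel %d is not the SNAC data channel" % channel)
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("truncated FLAP frame")
    family, subtype, _flags, _req = struct.unpack_from(">HHHI", body, 0)
    if (family, subtype) != (FAMILY_ICBM, SUBTYPE_OUTGOING):
        raise ValueError("SNAC %04x/%04x is not an outgoing ICBM" % (family, subtype))
    off = 10 + 8                                   # skip SNAC header and ICBM cookie
    msg_channel = struct.unpack_from(">H", body, off)[0]
    off += 2
    if msg_channel != 1:
        raise ValueError("only channel-1 (plain text) IMs are handled here")
    name_len = body[off]
    off += 1
    buddy = body[off:off + name_len].decode("ascii")
    off += name_len
    for t, value in parse_tlvs(body[off:]):
        if t != TLV_MESSAGE_BLOCK:
            continue
        for t2, v2 in parse_tlvs(value):
            if t2 == TLV_MESSAGE_TEXT:
                charset = struct.unpack_from(">HH", v2, 0)[0]
                text = v2[4:]
                # charset 2 is UCS-2 (UTF-16BE); 0 (ASCII) and 3 (ISO-8859-1) decode as latin-1
                return {"buddy": buddy,
                        "message": text.decode("utf-16-be" if charset == 2 else "latin-1")}
    raise ValueError("no message text TLV in frame")


def build_icbm_outgoing(buddy: str, text: str, seq: int = 1) -> bytes:
    """Constructed frame with the layout parse_icbm_outgoing() expects. The cookie,
    request id and feature bytes are arbitrary; this exists only to run offline."""
    block = (tlv(TLV_FEATURES, b"\x01\x01\x01\x02")
             + tlv(TLV_MESSAGE_TEXT, struct.pack(">HH", 0, 0) + text.encode("latin-1")))
    payload = (b"\x00" * 8 + struct.pack(">H", 1) + bytes([len(buddy)])
               + buddy.encode("ascii") + tlv(TLV_MESSAGE_BLOCK, block))
    snac = struct.pack(">HHHI", FAMILY_ICBM, SUBTYPE_OUTGOING, 0, 0x0001) + payload
    return bytes([FLAP_MARKER, 2]) + struct.pack(">HH", seq, len(snac)) + snac


SAMPLE_FRAME = build_icbm_outgoing("Sec558user1", "Here's the secret recipe... (constructed sample)")

if __name__ == "__main__":
    print(classify_payload(b"\x16\x03\x01\x00\xc8"), classify_payload(SAMPLE_FRAME))
    print(parse_icbm_outgoing(SAMPLE_FRAME))
```

The same classify_payload() check applied to the first bytes of the port 443 stream in the capture is what justifies the “Decode As… AIM” step: a real TLS session would start with a 0x16 0x03 handshake record, while an OSCAR session starts with the FLAP marker.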
Question 3: What is the name of the file Ann transferred? A quick Google search will show you that AIM’s direct file transfers (OSCAR File Transfer, OFT) use TCP port 5190 by default. Enter the following filter in Wireshark to see only that traffic: tcp.port == 5190.
Once the TCP handshake has occurred, the first packet carrying any data is packet 112, with 256 bytes of payload, and a “Data” entry appears in the packet details. Selecting it highlights the bytes being transferred. Those 256 bytes are the OFT2 prompt header: it begins with the ASCII string “OFT2” and carries the transfer metadata, including the file name near its end, which gives the answer to question 3: “recipe.docx”.
Now let’s tackle question 4: What is the magic number of the file you want to extract (first four bytes)? First, we need to carve the file out of the packet capture. Right click packet 112, where you found the data being transferred, and choose “Follow TCP Stream”. In the stream window, set the format to “Raw” (saving as ASCII or a hex dump would corrupt a binary file). The screenshots below save the entire conversation; selecting only the direction from Ann’s machine (192.168.1.158), which is the side carrying the file bytes, leaves less to trim afterwards. Click the “Save As” button and save the file as “recipe.docx”. Now we will use 010 Editor to carve the file out of the stream.
Now you’ll need to find the start and end of the docx inside the stream. A .docx is a ZIP archive, so it starts with the ZIP local file header “PK” (50 4B 03 04) and ends with the end-of-central-directory record, which begins with “PK” 05 06 and runs 22 bytes when, as with Office files, the archive has no comment. Anything after that is OFT acknowledgement traffic from the other side, not file content. Carve down to the end of the stream, which is coloured in blue. From the screenshots below, you’ll find the file header, “PK”, is the start of the blue colour.
Shown highlighted below, you’ll want to delete all the content before the “PK” file header:
You’ll want to carve to the end of the blue, shown in the screenshot below:
Highlighted below is the end of the blue stream that you’ll want to delete as well:
Once you have done this, save the file. The first four bytes of the file, and the answer to question 4, are the magic number 50 4B 03 04: ASCII “PK” followed by 03 04, the ZIP local file header signature shared by every Office Open XML document.
We can now use HashCalc to answer question 5: What was the MD5sum of the file? Simply drag and drop recipe.docx onto HashCalc and you’ll find that the MD5sum of recipe.docx is: 8350582774e1d4dbe1d61d64c89e0ea1. If your hash differs, the carve is off by at least one byte at the start or the end; a single stray byte changes the MD5 completely, so recheck both boundaries.
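As an added example (not code from the original post), the Python below carves the file by parsing the OFT2 prompt header instead of trimming bytes by eye: it reads the advertised file size and name, steps over the receiver’s acknowledgement header that an “entire conversation” save interleaves before the file bytes, slices exactly that many bytes, checks for the ZIP signatures at both ends, computes the MD5, and reads the text out of word/document.xml. The OFT2 offsets it uses (header length at 4, type at 6, sizes at 28 and 32, file name at 192) are those of the OSCAR file-transfer header; the builder fills only the fields the parser reads. The stream it works on is constructed inside the block (a prompt, an ack, a minimal .docx with a made-up recipe, and a “done” header), so the hash it prints is that of the constructed file, not 8350582774e1d4dbe1d61d64c89e0ea1; point carve_oft2_file() at the raw stream saved from Wireshark to get the real one.

```python
"""Carve an OFT2 file transfer from a raw TCP stream dump.
Added example for this walkthrough; the stream below is constructed, not
data from evidence01.pcap."""
import hashlib
import io
import re
import struct
import zipfile

OFT_HEADER_LEN = 256
OFT_PROMPT, OFT_ACK, OFT_DONE = 0x0101, 0x0202, 0x0204   # OFT2 header types
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04, first bytes of every .docx/.xlsx/.jar
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record at the tail of a ZIP


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_oft2_header(buf: bytes) -> dict:
    """Decode the OFT2 fields this example relies on: offset 0 magic "OFT2",
    4 header length, 6 type, 28 total size, 32 size of this file, 192 file name."""
    if len(buf) < OFT_HEADER_LEN or buf[:4] != b"OFT2":
        raise ValueError("not an OFT2 header")
    hdr_len, typ = struct.unpack_from(">HH", buf, 4)
    total_size, size = struct.unpack_from(">II", buf, 28)
    name = buf[192:hdr_len].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"header_len": hdr_len, "type": typ, "total_size": total_size,
            "size": size, "name": name}


def carve_oft2_file(stream: bytes) -> dict:
    """Slice exactly the advertised number of bytes after the prompt header,
    then check that what came out has ZIP signatures at both ends."""
    pos = stream.find(b"OFT2")
    if pos < 0:
        raise ValueError("no OFT2 header in stream")
    prompt = parse_oft2_header(stream[pos:])
    if prompt["type"] != OFT_PROMPT:
        raise ValueError("first OFT2 header is not the prompt (0x0101)")
    pos += prompt["header_len"]
    # A dump of the entire conversation carries the receiver's 0x0202 ack
    # header between the prompt and the file bytes; step over any such headers.
    while stream[pos:pos + 4] == b"OFT2":
        pos += parse_oft2_header(stream[pos:])["header_len"]
    data = stream[pos:pos + prompt["size"]]
    if len(data) != prompt["size"]:
        raise ValueError("stream ends before the advertised size: transfer incomplete")
    if data[:4] != ZIP_LOCAL_HEADER or data.rfind(ZIP_EOCD) < 0:
        raise ValueError("carved bytes are not a ZIP container")
    return {"name": prompt["name"], "magic": data[:4].hex(" ").upper(),
            "md5": md5_hex(data), "data": data}


def transfer_complete(stream: bytes) -> bool:
    """True when a whole, well-formed file can be carved from the stream."""
    try:
        carve_oft2_file(stream)
        return True
    except ValueError:
        return False


def docx_text(data: bytes) -> str:
    """Read the visible text of a .docx straight from word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml").decode("utf-8")
    return " ".join(re.findall(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>", xml))


def recover_recipe(stream: bytes) -> dict:
    result = carve_oft2_file(stream)
    result["text"] = docx_text(result["data"])
    return result


# ---- constructed sample data below; none of it comes from the challenge pcap ----

def build_oft2_header(typ: int, name: str, size: int) -> bytes:
    hdr = bytearray(OFT_HEADER_LEN)
    hdr[0:4] = b"OFT2"
    struct.pack_into(">HH", hdr, 4, OFT_HEADER_LEN, typ)
    struct.pack_into(">HHHH", hdr, 20, 1, 1, 1, 1)      # total files, files left, parts, parts left
    struct.pack_into(">II", hdr, 28, size, size)        # total size, size of this file
    hdr[192:192 + len(name)] = name.encode("ascii")
    return bytes(hdr)


def build_docx(paragraphs) -> bytes:
    """Minimal .docx: just [Content_Types].xml and word/document.xml, stored with a
    fixed timestamp so the bytes (and therefore the MD5) are reproducible."""
    body = "".join("<w:p><w:r><w:t>%s</w:t></w:r></w:p>" % p for p in paragraphs)
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body>%s</w:body></w:document>' % body)
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             '<Default Extension="xml" ContentType="application/xml"/>'
             '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
             'officedocument.wordprocessingml.document.main+xml"/></Types>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for arcname, content in (("[Content_Types].xml", types), ("word/document.xml", document)):
            z.writestr(zipfile.ZipInfo(arcname, date_time=(2009, 1, 1, 0, 0, 0)), content)
    return out.getvalue()


RECIPE_LINES = ["Constructed sample recipe, not the one from the challenge.",
                "Mix two parts sugar with one part water.", "Heat until dissolved, then cool."]
DOCX_BYTES = build_docx(RECIPE_LINES)
SAMPLE_STREAM = (build_oft2_header(OFT_PROMPT, "recipe.docx", len(DOCX_BYTES))
                 + build_oft2_header(OFT_ACK, "recipe.docx", len(DOCX_BYTES))    # receiver's ack
                 + DOCX_BYTES
                 + build_oft2_header(OFT_DONE, "recipe.docx", len(DOCX_BYTES)))  # receiver's done

if __name__ == "__main__":
    r = recover_recipe(SAMPLE_STREAM)
    print(r["name"], r["magic"], r["md5"])
    print(r["text"])
```

Carving by the size in the header, rather than by the end of a colour band, also catches an incomplete transfer: if the stream ends before the advertised size, carve_oft2_file() refuses rather than hashing a truncated file, which is exactly the case where a hand-carved MD5 would silently be wrong.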
Now opening the file (recipe.docx), you’ll be able to answer question 6: What is the secret recipe? The secret recipe is:
This was a nice beginner/intermediate forensics challenge for anyone wanting to get into network forensics or brush up on their skills. Below is the link to the original post, with access to the packet capture and all the details needed to do this challenge yourself:
I hope you enjoyed the walkthrough. Please ask questions if you have any and stay tuned for the next round.