2015/03/11

Network Forensics – Round 1: Ann’s Bad AIM

by DFIRninja
Categories: Analysis, Network Forensics

I recently came across one of the old DefCon puzzle challenges from back in 2009. I hadn’t done this challenge before so I decided to give it a shot. This is the first of a series of network forensic challenges. Below is the background on the challenge:

Puzzle #1: Ann’s Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious – until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

  1. What is the name of Ann’s IM buddy?
  2. What was the first comment in the captured IM conversation?
  3. What is the name of the file Ann transferred?
  4. What is the magic number of the file you want to extract (first four bytes)?
  5. What was the MD5sum of the file?
  6. What is the secret recipe?

There are a plethora of open source tools you can use to complete this challenge. You can also create some of your own if you so desire. Below is a list of a few tools that would help you solve this challenge. The *starred* tools are the ones I used:

  • *Wireshark*
  • *010 Editor (hex editor)*
  • *Hashcalc*
  • Notepad++
  • NetworkMiner
  • Sysinternals Strings

I started out the challenge by opening the pcap (evidence01.pcap) in Wireshark. When you open the file, here is what you’ll see:

[Screenshot 1: evidence01.pcap first opened in Wireshark]

Let’s tackle question 1: What is the name of Ann’s IM buddy? You pick up from the question that Ann is using some kind of Instant Messenger. If you look back at the name of the challenge, you’ll notice it’s called “Ann’s Bad AIM”, and quickly realize that she is probably using AIM as her Instant Messenger. First thing you’ll want to do in Wireshark is filter on Ann’s IP address (192.168.1.158) using the filter: ip.addr == 192.168.1.158. Once you filter on her IP address, you’ll see this:

[Screenshot 2: Wireshark filtered on Ann’s IP address]

You’ll notice a fair amount of SSL and TCP traffic once you have the pcap filtered on Ann’s IP address. Wireshark labels the AIM session as SSL because it runs over TCP port 443, but the payload itself is not encrypted, so Wireshark can decode it as AIM once you tell it to. Highlight packet 23, right-click and choose “Decode As…”. Then select “AIM” in the right-hand column, click “Apply” then “OK”.

[Screenshot 3: the “Decode As…” dialog with AIM selected]

Wireshark has now decoded the SSL traffic into AIM Messaging traffic.

[Screenshot 4: the traffic now decoded as AIM Messaging]

You’ll quickly notice in packet 25, “AIM Messaging, Outgoing to: Sec558user1”. You now have the answer to question 1, “Sec558user1”.

Moving on to question 2: What was the first comment in the captured IM conversation?

If you select the first “AIM Messaging” packet, number 25, you’ll see that since Wireshark was able to decode the SSL traffic, a dropdown for the “AIM Messaging, Outgoing” now exists. If you expand the “AIM Messaging, Outgoing” dropdown and then the “TLV: Message Block” dropdown, you’ll find the answer to number 2: “Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)”

[Screenshot 5: the first message in the TLV: Message Block of packet 25]

Question 3: What is the name of the file Ann transferred? A quick Google search will show you that AIM uses port 5190 to transfer files. Input the following filter into Wireshark to obtain all the port 5190 traffic: tcp.port == 5190.

[Screenshot 6: Wireshark filtered on tcp.port == 5190]

Once the TCP handshake has occurred, you’ll find the first packet that has any data transferred in it is packet 112, with 256 bytes transferred, and the “Data” dropdown will be shown. When selecting the Data dropdown, it will highlight what data is being transferred. You’ll notice the transfer uses the OFT2 protocol (AIM’s OSCAR File Transfer), whose header carries the filename in the clear, and the answer to number 3 is “recipe.docx”:

[Screenshot 7: the OFT2 header data in packet 112, showing recipe.docx]

Now let’s tackle question 4: What is the magic number of the file you want to extract (first four bytes)? First, we need to carve the file out of the packet capture. In packet 112, where you found the data being transferred, right-click and choose “Follow TCP Stream”. With the stream displayed as “Raw” (not ASCII, or the unprintable bytes will be saved as periods), click the “Save As” button and save the file as “recipe.docx”. Now we will use 010 Editor to carve the file out of the stream.

[Screenshot: “Follow TCP Stream” with the Save As button]

Now you’ll need to find the file header and footer of the docx file. A quick Google search will show you that the file header for a docx file is “PK”: a .docx is a ZIP container, so it begins with the ZIP local file header signature. From there you’ll want to carve down to the end of the stream, which is colored in blue. From the screenshots below, you’ll find the file header, “PK”, is the start of the blue color.

[Screenshot 8: the TCP stream, with the “PK” header at the start of the blue portion]

Shown highlighted below, you’ll want to delete all the content before the “PK” file header:

[Screenshot 9: 010 Editor with the bytes before the “PK” header highlighted]

You’ll want to carve to the end of the blue, shown in the screenshot below:

[Screenshot 10: the end of the blue portion of the stream]

Highlighted below is the end of the blue stream that you’ll want to delete as well:

[Screenshot: 010 Editor with the trailing bytes after the blue stream highlighted]

Once you have done this, save the file. You’ll now find that the magic number (first 4 bytes of the file), and the answer to question 4 is: 50 4B 03 04.

[Screenshot 11: the first 4 bytes of the carved file, 50 4B 03 04]

We can now use HashCalc to answer question 5: What was the MD5sum of the file? Simply drag and drop the recipe.docx file onto the HashCalc window and you’ll find that the MD5sum of recipe.docx is: 8350582774e1d4dbe1d61d64c89e0ea1

[Screenshot: HashCalc showing the MD5 of recipe.docx]
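The carving steps for questions 3 to 5 can be scripted against the stream saved as Raw. This is an added example, not part of the original walkthrough or the challenge materials: it assumes the OFT2 header layout (a fixed 256-byte header with a 64-byte null-padded filename field at offset 192), carves the ZIP by its own structure instead of by eye, and runs on a constructed stand-in stream.

```python
import hashlib
import io
import struct
import zipfile

OFT2_HEADER_LEN = 256          # fixed OFT2 header size (matches the 256-byte packet 112)
OFT2_NAME_OFFSET = 192         # 64-byte null-padded filename field (assumed layout)
ZIP_LOCAL_SIG = b"PK\x03\x04"  # magic number 50 4B 03 04: a .docx is a ZIP container
ZIP_EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record that closes every ZIP

def oft2_filename(stream: bytes) -> str:
    # Question 3: the filename sits in the OFT2 prompt header that opens the stream.
    if len(stream) < OFT2_HEADER_LEN or stream[:4] != b"OFT2":
        raise ValueError("stream does not start with an OFT2 header")
    return stream[OFT2_NAME_OFFSET:OFT2_HEADER_LEN].split(b"\x00", 1)[0].decode("ascii")

def carve_zip(stream: bytes) -> bytes:
    # Cut from the first ZIP local header to the end of the EOCD record, so the
    # trailing OFT2 acknowledgement headers are dropped exactly rather than by eye.
    start = stream.find(ZIP_LOCAL_SIG)
    eocd = stream.rfind(ZIP_EOCD_SIG)
    if start < 0 or eocd < start:
        raise ValueError("no complete ZIP container in stream")
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]  # EOCD is 22 bytes + comment
    return stream[start:eocd + 22 + comment_len]

def carve_report(stream: bytes) -> dict:
    # Questions 3-5 in one pass: filename, magic number, MD5, plus the ZIP entries.
    carved = carve_zip(stream)
    with zipfile.ZipFile(io.BytesIO(carved)) as zf:
        entries = zf.namelist()
    return {"filename": oft2_filename(stream), "magic": carved[:4].hex(" ").upper(),
            "md5": hashlib.md5(carved).hexdigest(), "size": len(carved), "entries": entries}

def oft2_header(msg_type: int, filename: bytes) -> bytes:
    # Constructed header: version, length, type, zero-filled fields, filename.
    return (b"OFT2" + struct.pack(">HH", OFT2_HEADER_LEN, msg_type)
            + b"\x00" * (OFT2_NAME_OFFSET - 8) + filename.ljust(64, b"\x00"))

def build_sample_stream() -> bytes:
    # Constructed stand-in for "Follow TCP Stream" saved as Raw (both directions).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>constructed</w:document>")
    return (oft2_header(0x0101, b"recipe.docx")    # sender's prompt
            + oft2_header(0x0202, b"recipe.docx")  # receiver's accept
            + buf.getvalue()                       # the file bytes themselves
            + oft2_header(0x0204, b"recipe.docx")) # receiver's "done"
```

Running `carve_report` on the real stream saved from Wireshark in place of `build_sample_stream()` gives the filename, the 50 4B 03 04 magic and the MD5 in one step; the ZIP-based end detection removes the guesswork about where the blue portion of the stream stops.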

Now opening the file (recipe.docx), you’ll be able to answer question 6: What is the secret recipe? The secret recipe is:

[Screenshot: recipe.docx opened, showing the secret recipe]

This was a nice beginner/intermediate forensics challenge for anyone wanting to get into network forensics, or brushing up on their skills. Below is the link to the original post with access to the packet capture and all needed details to do this challenge yourself:

http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim

I hope you enjoyed the walkthrough. Please ask questions if you have any and stay tuned for the next round.


5 Comments

  1. NWInvestigator says:

    As a new network forensic investigator I followed your tutorial exactly. However, when I copy the ASCII values from the TCP stream and place them into the 010 hex editor I get the following values where the file header should be.

    50 4B 2E 2E 2E 2E 2E 2E 2E …

    The 2E following the “PK” values should be 03 04 but are not. When I did the same in the Wireshark hex editor, it gave me the desired values for the header. Is this an indication that the file is still encrypted? Without the appropriate header values I cannot get the information in the recipe.docx file.

    • DFIRninja says:

      Hey NWInvestigator,

      The reason you are getting the 2E hex character is because you are copying and pasting from the TCP stream. In the TCP stream you see the PK file header, followed by multiple periods. The hex representation for a period is 2E. You need to click the “save as” button in the TCP stream and name the file “recipe.docx”. Then open that file in 010 editor and you’ll see the correct hex representation of the file. From there, you’ll be able to carve out the excess to get the exact hex representation of the recipe.docx file.

      • NWInvestigator says:

        I saved the file as you and the walkthrough stated. However, it still gives me the 2E hex value following the PK value. When in Wireshark, I can select show and save data as “Hex Dump”, which shows the magic number, but then after saving it reverts back to 2E. :-? This is bewildering…

        • DFIRninja says:

          Did you save the TCP stream with the “raw” radio button selected? It works as intended, and as the article shows, when I do that. Just re-did it right now to make sure.

          • NWInvestigator says:

            WOW! I managed to miss the “RAW” radio button in the images. I have the newest version of Wireshark so that option was under a drop down which I didn’t even think to select. Now it makes sense why I kept getting 2E. I was saving the ASCII version so those periods were always going to show up. *face palm*.

            Thanks!!
