Network Forensics – Round 7: Ann’s Dark Tangent
The Puzzle: Ann’s Dark Tangent (DEFCON 2010)
Ann has arranged a rendezvous with Dark Tangent. You are the forensic investigator. Can you figure out their destination?
As in the other rounds, I used the same tools for this challenge to accomplish the tasks above. There are always other commercial and open-source tools you could use, but the *starred* tools below are what I used:
- 010 Editor
- Aircrack Suite
After confirming the integrity of the pcap and matching up the MD5 with the one given in the description (7c416421a626600f86e3702df0cac8ef), it’s time to begin the challenge. For starters, the packet capture has WEP-encrypted traffic, so you won’t be able to do very much with it in its current state. We will need to decrypt the traffic. But how can we decrypt it without a WEP key? Well, we will need to crack the key.
Using a virtual machine, or any other platform on which you have the aircrack suite installed (I used Backtrack5R3 at the time), run the following command to attempt to crack the WEP key: aircrack-ng evidence-defcon2010.pcap.
Now that we have the WEP key in our possession, we need to run the following command to decrypt the WEP-encrypted traffic: airdecap-ng -w 4A:7D:B5:08:CD evidence-defcon2010.pcap. Running that command should show you the output in Figure 2 and create a new file called evidence-defcon2010-dec.pcap, which contains the decrypted traffic.
Now that we have the traffic decrypted, we need to open the new decrypted pcap in Wireshark. With the pcap open, go to Statistics –> Protocol Hierarchy. Looking through the protocol hierarchy, I noticed a small amount of SMTP traffic, which caught my eye and got me curious, so I decided to look into it. To view the SMTP traffic, right click on it and select Apply as Filter –> Selected. After the traffic has been filtered, right click the first packet and select Follow TCP Stream. You should see an email message that was sent, followed by an attachment. Email attachments are Base64 encoded, and the TCP stream tells you as much: Content-Transfer-Encoding: base64.
Carve out the base64-encoded image and paste it into Notepad++. To decode the base64 data, make sure you have the MIME Tools plugin installed. Go to Plugins –> MIME Tools –> Base64 Decode. After selecting that, you should see the decoded data. At the top of the file, you will notice the GIF89a file header. Save the file with whatever filename you want, with a .gif extension. Open the new .gif file to view the contents. The contents are below:
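As an added example (not part of the original write-up), the carving step above done in Python: it cuts the message out of a Follow TCP Stream style SMTP session, lets the email module undo the base64 transfer encoding, and checks the leading bytes against known magic values so the declared Content-Type is not trusted blindly. The session text and the 1x1 GIF are constructed here, not taken from the challenge pcap.

```python
import base64
import email
from email import policy

# Leading bytes a carver checks before trusting the declared Content-Type.
MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif", b"\x89PNG\r\n\x1a\n": "png",
         b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}

def sniff(data: bytes) -> str:
    """Identify a file type from its magic bytes, or 'unknown'."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def carve_message(stream: bytes) -> bytes:
    """Cut the mail message out of a captured SMTP session (both directions):
    keep the lines between DATA and the lone '.', skip the server's 354 reply,
    and undo SMTP dot-stuffing (RFC 5321 section 4.5.2)."""
    lines = stream.split(b"\r\n")
    start = next(i for i, line in enumerate(lines) if line.upper() == b"DATA") + 1
    if lines[start].startswith(b"354"):
        start += 1
    end = lines.index(b".", start)
    body = [line[1:] if line.startswith(b".") else line for line in lines[start:end]]
    return b"\r\n".join(body) + b"\r\n"

def extract_attachments(stream: bytes) -> list:
    """Return (filename, declared type, sniffed type, decoded bytes) per attachment."""
    msg = email.message_from_bytes(carve_message(stream), policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes base64 or quoted-printable
        found.append((part.get_filename(), part.get_content_type(), sniff(data), data))
    return found

# Constructed sample session; the 1x1 GIF is built here, not taken from the capture.
_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
        b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SAMPLE_STREAM = (
    b"220 mail.example.test ESMTP\r\nEHLO laptop\r\n250 OK\r\n"
    b"MAIL FROM:<sender@example.test>\r\n250 OK\r\nRCPT TO:<rcpt@example.test>\r\n250 OK\r\n"
    b"DATA\r\n354 End data with <CR><LF>.<CR><LF>\r\n"
    b"From: sender@example.test\r\nTo: rcpt@example.test\r\nSubject: clue\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n..look at the picture\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="clue.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="clue.bin"\r\n\r\n'
    + base64.encodebytes(_GIF).replace(b"\n", b"\r\n")
    + b"--b1--\r\n.\r\n250 OK queued\r\nQUIT\r\n221 Bye\r\n"
)
```

Here the attachment is declared as application/octet-stream but sniffs as a GIF, which is exactly the kind of mismatch worth noting in a report.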
The attached picture in the email gives you some new things to search for. Let's walk through how to obtain the needed information.
The first item on the list wants us to find: App Store – App Name. Let's start by looking at all the HTTP traffic. Apply the filter "http" in the Wireshark filter bar. Only a few packets down, you'll see they searched for the term "solitare" in the App Store.
The second item we are searching for is a Podcast Title. You could run grep against the pcap for podcast, then search through the pcap based on the grep output to find this answer.
- grep -a podcast '/evidence-defcon2010-dec.pcap'
The Podcast title you are looking for is “onion-radio-news-for-kids” and can be found in packet 161882. Below is a screenshot of the grep output:
Next, we are looking for a YouTube Video Title. Similar to the last item, just grep for youtube and you'll be able to find the title "Cry For Help – Rick Astley". You can also find a YouTube link in an email from firstname.lastname@example.org that points to this video.
Now we are looking for a Google Earth City Name. I did the easy thing and just pressed ctrl-f for "google-earth". On the first and only hit, follow the TCP stream (tcp stream 93) and you'll find a search for Hacker Valley, WV.
The final item in the list we are after is an AIM Buddy Name. Grepping or using ctrl-f for "aim" will find what you want here. If you grep for "aim" you will get a few results, one being a GET request with the AIM name "inter0pt1c" at the end.
So, now we have five seemingly random answers; what do we do with them? If you line up the answers, one per line, you'll see the first letter of each answer spells out "SOCHI", and that is the final answer for their destination.
- solitare
- onion-radio-news-for-kids
- Cry For Help
- Hacker Valley, WV
- inter0pt1c