Step 1:
You can start off by importing the pcap file into Wireshark and then applying a display filter for the smtp protocol. Observation shows that Ann sent two emails. The first is not relevant to the puzzle, but the second one is. Right-click on any packet that is part of the second email (not the first; pay close attention so you don't accidentally follow the wrong stream) and click 'Follow TCP Stream'. From that stream you can determine that Ann's email is sneakyg33k@aol.com and her secret lover's email is mistersecretx@aol.com. Further analysis shows the text that was sent in the email and the items she told him to bring ("fake passport and a bathing suit"). We also see that the name of the document being transferred is "secretrendevouz.docx".
Just to recap some of the answers we already found:
- sneakyg33k@aol.com
- mistersecretx@aol.com
- fake passport and a bathing suit
- secretrendevouz.docx
First we separate the TCP streams:
# tcpflow -r evidence02.pcap
We already identified in Wireshark the source and destination IPs of the connection that carried the document over the network. Its stream is the largest file that tcpflow outputs (# ls -lh, to see the file sizes in the folder). To make things easier, since tcpflow names its output files after the IP/port pairs, which is confusing, rename the relevant file to "file1" (mv 192.168.....etc. file1). Don't actually type '..etc'; the actual filename was just too long for me to bother typing it out. Next we analyze that file with the 'xxd' utility, looking for the starting bytes of the document. The secretrendevouz.docx is being transferred in base64 encoding. This means we won't find the usual magic starting hex bytes of .docx (ZIP) files, '504B0304', anywhere in the stream. What I did was encode another docx file in base64 and see what its starting bytes were.
# base64 test.docx > test.docx.base64
I then used 'xxd' to see what the first bytes of the base64-encoded file were.
# xxd -l 4 test.docx.base64
Answer: "55457344" (the ASCII text "UEsD", which is what "PK\x03" becomes in base64).
Bingo. The next few commands are what I used to extract the docx file from the TCP stream.
# xxd -ps file1 > file2
I then opened the file in a text editor, searched for the magic bytes '55457344', and deleted all the bytes before that point. I saved the file and then converted it back into its raw binary format with the following command.
# xxd -ps -r file2 > secretrendevouz.docx.base64
We now have the file in base64 encoding. All we have to do now is decode it.
# base64 -d secretrendevouz.docx.base64 > secretrendevouz.docx
I then got the MD5 hash:
# md5sum secretrendevouz.docx
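The same carve done programmatically, as an added example that is not part of the original write-up: instead of hunting for '55457344' in a hex dump and deleting bytes by hand, it searches the raw tcpflow output for the base64 form of the ZIP header, collects the base64 lines up to the MIME boundary, decodes them, verifies the decoded data really starts with PK\x03\x04 and hashes it. The SMTP/MIME stream and the "docx" it carries are constructed in the script (a tiny ZIP stands in for the real document); the addresses and file name are the ones from the write-up, everything else is made up.

```python
import base64
import hashlib
import io
import zipfile

# A .docx is a ZIP container, so it starts with the ZIP local-file header.
PK_MAGIC = b"PK\x03\x04"                                   # hex 50 4B 03 04
# Base64 turns every 3 bytes into 4 characters, so the first 3 header bytes
# always become "UEsD" (hex 55 45 73 44, the value the write-up found). The
# fifth character is still fixed by byte 4 (0x04); the sixth already mixes in
# byte 5 of the file, so only five characters are a safe anchor.
PK_MAGIC_B64 = base64.b64encode(PK_MAGIC)[:5]              # b"UEsDB"


def make_sample_docx() -> bytes:
    """Constructed stand-in for the attachment: a tiny ZIP with docx-like entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    return buf.getvalue()


def make_sample_stream(attachment: bytes) -> bytes:
    """Constructed SMTP DATA payload carrying the attachment as a base64 MIME part,
    shaped like the client-side file tcpflow writes out for the session."""
    body = base64.encodebytes(attachment).replace(b"\n", b"\r\n")  # 76-char lines
    return (
        b"From: sneakyg33k@aol.com\r\n"
        b"To: mistersecretx@aol.com\r\n"
        b"Subject: rendezvous\r\n"
        b"Content-Type: multipart/mixed; boundary=\"PART\"\r\n"
        b"\r\n--PART\r\n"
        b"Content-Type: text/plain\r\n\r\n"
        b"Hi sweetheart! (constructed message text)\r\n"
        b"--PART\r\n"
        b"Content-Type: application/octet-stream; name=\"secretrendevouz.docx\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + body +
        b"--PART--\r\n.\r\n"
    )


def carve_base64_zip(stream: bytes) -> bytes:
    """Locate the base64-encoded ZIP inside a raw stream and return the decoded bytes.
    This replaces the manual xxd / text-editor step: find the encoded magic, collect
    base64 lines up to the MIME boundary, decode, and verify the ZIP header."""
    start = stream.find(PK_MAGIC_B64)
    if start < 0:
        raise ValueError("no base64-encoded ZIP header found in stream")
    chunks = []
    for line in stream[start:].splitlines():
        line = line.strip()
        # The part ends at a blank line, a MIME boundary or the SMTP end-of-data dot.
        if not line or line.startswith(b"--") or line == b".":
            break
        chunks.append(line)
    data = base64.b64decode(b"".join(chunks), validate=True)
    if not data.startswith(PK_MAGIC):
        raise ValueError("decoded data does not start with the ZIP magic")
    return data


def md5_hex(data: bytes) -> str:
    """Hash the carved file, equivalent to running md5sum on it."""
    return hashlib.md5(data).hexdigest()


def zip_entries(data: bytes) -> list:
    """List the container's members as a sanity check that the carve was clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    original = make_sample_docx()
    carved = carve_base64_zip(make_sample_stream(original))
    print("carved", len(carved), "bytes, md5", md5_hex(carved), zip_entries(carved))
```

To use it on the real evidence, read the tcpflow output file ("file1" in the write-up) as bytes and pass it to carve_base64_zip; the ZIP-header check and the member listing tell you immediately whether the carve boundaries were right, which the hex-editor method leaves you to discover in Word.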
Then I opened the document in Microsoft Word on a Windows machine and extracted the rest of the information required for the puzzle.
Rendez-vous point: Playa del Carmen, Mexico
MD5 sum of pic: aadeace50997b1ba24b09ac2ef1940b7
Unfortunately I couldn't find the password; it's mostly laziness on my part to do the relevant research for a tool that extracts SMTP passwords. I figured ettercap or dsniff would have those abilities but had no success with them. I'll update the blog whenever I do figure out how to do so.
UPDATE:
Finally figured out how to get the password. It turns out that the password is encoded in base64. All that's needed is the base64-encoded password string, fed into the base64 program for decoding. This is the command I used to get the password:
# echo "NTU4cjAwbHo=" | base64 -di
558r00lz
I got the "NTU4cjAwbHo=" string from analyzing the SMTP communication stream in Wireshark.
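As an added example (not from the original write-up), here is the same decoding done over the whole authentication exchange rather than one copied token. The transcript is constructed in the "C:"/"S:" form that Follow TCP Stream shows; only the two base64 tokens sent after AUTH LOGIN are the write-up's values, and the host names are placeholders. The parser also handles AUTH PLAIN (RFC 4616: a single blob of authzid, username and password separated by NUL bytes), which the write-up does not cover, so an analyst can run it over any plaintext SMTP session and see what credentials it exposed.

```python
import base64

# Constructed client/server dialogue in the shape Wireshark's "Follow TCP Stream"
# shows it. Only the two base64 tokens after AUTH LOGIN come from the write-up.
SAMPLE_SESSION = """\
S: 220 smtp.example.test ESMTP
C: EHLO client.example.test
S: 250-smtp.example.test
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: c25lYWt5ZzMza0Bhb2wuY29t
S: 334 UGFzc3dvcmQ6
C: NTU4cjAwbHo=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sneakyg33k@aol.com>
"""


def _b64_text(token: str) -> str:
    """Decode one base64 token to text; base64 is an encoding, not encryption."""
    return base64.b64decode(token).decode("utf-8", errors="replace")


def encode_auth_plain(authzid: str, username: str, password: str) -> str:
    """Build the single AUTH PLAIN blob (RFC 4616: authzid NUL authcid NUL passwd),
    i.e. exactly what a client puts on the wire when the server offers PLAIN."""
    raw = f"{authzid}\x00{username}\x00{password}".encode()
    return base64.b64encode(raw).decode()


def parse_smtp_auth(transcript: str) -> list:
    """Return every credential pair the client sent in the clear during the session.
    Handles AUTH LOGIN (two base64 tokens, the first optionally inline on the AUTH
    line) and AUTH PLAIN (one base64 blob, inline or on the following line)."""
    client = [ln[2:].strip() for ln in transcript.splitlines() if ln.startswith("C:")]
    found = []
    i = 0
    while i < len(client):
        parts = client[i].split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            i += 1
            continue
        mech = parts[1].upper()
        if mech == "LOGIN":
            need = 2
        elif mech == "PLAIN":
            need = 1
        else:
            i += 1          # CRAM-MD5 etc. do not carry a plain base64 password
            continue
        # Tokens: any inline initial response, then the client's following lines.
        tokens = parts[2:]
        consumed = 1
        while len(tokens) < need and i + consumed < len(client):
            tokens.append(client[i + consumed])
            consumed += 1
        i += consumed
        if len(tokens) < need:
            break           # truncated capture: credentials not fully present
        if mech == "LOGIN":
            found.append({"mechanism": "LOGIN",
                          "username": _b64_text(tokens[0]),
                          "password": _b64_text(tokens[1])})
        else:
            fields = base64.b64decode(tokens[0]).split(b"\x00")
            if len(fields) == 3:
                found.append({"mechanism": "PLAIN",
                              "username": fields[1].decode("utf-8", "replace"),
                              "password": fields[2].decode("utf-8", "replace")})
    return found


if __name__ == "__main__":
    for cred in parse_smtp_auth(SAMPLE_SESSION):
        print(cred)
```

The point for a defender is the same as the write-up's: anyone holding the capture recovers the mailbox password with one base64 call, so LOGIN and PLAIN are only acceptable inside TLS (STARTTLS on 587, or implicit TLS on 465), and a server that accepts them on a plaintext connection should be reconfigured.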
Hmmm.. it seems cool. Btw, I'm new to BT but I would like to learn from your blog. The article seems like a detective game; I wish I could learn analyzing just like you.. nice post.. ^^
Thanks for the kind words. It's not too hard to learn this once you get the big picture. Then knowing which tools to use for a given scenario becomes second nature.