Thursday, February 11, 2010

Ann's Bail - ForensicContest.com

After quite a long time I'm writing my next blog post. This time it's about analyzing the packets that were part of the puzzle posted for the Network Forensics contest at http://forensicscontest.com/2009/10/10/puzzle-2-ann-skips-bail.

Below are the questions raised as part of the contest; the answers are found within the pcap file posted on the same site. Let's try to find those answers as well! We quickly load the pcap file into Wireshark and find that there is quite an amount of noise to distract us. To answer the first question,

What is Ann’s email address?

We dig deeper into the pcap file and find a connection established with an ESMTP server (64.12.102.142), as shown below.

This should point us toward the first answer. Digging further, we find that authentication is happening with the ESMTP server on port 587, the message submission port (refer to RFC 2476).

Referring to RFC 4954 (SMTP Service Extension for Authentication), we learn that the server sends a 334 reply whose text part is a BASE64-encoded string. We log on to our favorite site and decode the text returned by the server, VXNlcm5hbWU6, and find that the server is asking for a Username:. The user then sends c25lYWt5ZzMza0Bhb2wuY29t, which decodes to the plain text sneakyg33k@aol.com. That answers our first question! Let's move on; the next question is,

What is Ann’s email password?

We keep following the same TCP stream and reach the point where the server asks for a Password: by returning the BASE64-encoded string UGFzc3dvcmQ6. The client (Ann) then types her password, which appears in the pcap file BASE64-encoded as NTU4cjAwbHo= and decodes to the plain text 558r00lz. That answers the second question!
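The two decoding steps above can be scripted instead of pasted into a web page, which also keeps the evidence off a third-party site. The following is an added example, not code from the original post or the contest: it walks a side-labelled transcript of the submission-port exchange, decodes each 334 challenge to see what the server is asking for, and decodes the client's reply. The base64 tokens are the ones quoted above; the host name, greeting lines and the "C:"/"S:" labels are constructed. It goes one step beyond the post by also handling AUTH PLAIN (RFC 4616), the other mechanism that exposes credentials in the clear when the session has no STARTTLS.

```python
import base64
from typing import Dict

# Constructed transcript of the port-587 exchange described in the post.
# "S:" lines are the server, "C:" lines are the client. The base64 tokens are
# the ones quoted in the post; everything else is made up.
SAMPLE_LOGIN_STREAM = """S: 220 smtp.example ESMTP ready
C: EHLO annlaptop
S: 250-smtp.example
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: c25lYWt5ZzMza0Bhb2wuY29t
S: 334 UGFzc3dvcmQ6
C: NTU4cjAwbHo=
S: 235 2.7.0 Authentication successful
"""

# Second constructed transcript: AUTH PLAIN with an initial response, the other
# common cleartext mechanism. Credentials "ann"/"pass" are invented.
_PLAIN_TOKEN = base64.b64encode(b"\x00ann\x00pass").decode("ascii")
SAMPLE_PLAIN_STREAM = f"""S: 220 smtp.example ESMTP ready
C: EHLO annlaptop
S: 250 AUTH LOGIN PLAIN
C: AUTH PLAIN {_PLAIN_TOKEN}
S: 235 2.7.0 Authentication successful
"""


def decode_b64_text(token: str) -> str:
    """Decode one base64 token to text (what the online converter did by hand).
    Tokens that are not valid base64 are returned unchanged."""
    if not token:
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return token


def split_plain(token: str) -> Dict[str, str]:
    """AUTH PLAIN carries [authzid] NUL authcid NUL password in one base64 blob."""
    parts = decode_b64_text(token).split("\x00")
    if len(parts) != 3:
        return {}
    return {"username": parts[1], "password": parts[2]}


def parse_smtp_auth(stream: str) -> Dict[str, str]:
    """Recover the credentials from a side-labelled SMTP transcript.

    AUTH LOGIN: each 334 challenge decodes to a prompt ("Username:"/"Password:")
    and the next client line is that field's base64 value.
    AUTH PLAIN: the client sends one token, with the command or after an empty 334.
    """
    creds: Dict[str, str] = {}
    pending = None  # field the server is currently waiting for
    for line in stream.splitlines():
        side, sep, text = line.partition(": ")
        if not sep:
            continue
        if side == "S":
            code, _, payload = text.partition(" ")
            if code == "334":
                prompt = decode_b64_text(payload.strip()).rstrip(":").strip().lower()
                pending = prompt or pending  # an empty 334 keeps a pending AUTH PLAIN
            continue
        words = text.split()
        if words and words[0].upper() == "AUTH" and len(words) > 1:
            mech = words[1].upper()
            initial = words[2] if len(words) > 2 else ""
            if mech == "PLAIN":
                if initial:
                    creds.update(split_plain(initial))
                    pending = None
                else:
                    pending = "plain"
            elif mech == "LOGIN":
                if initial:  # optional initial response carries the username
                    creds["username"] = decode_b64_text(initial)
                pending = None
        elif pending == "plain":
            creds.update(split_plain(text.strip()))
            pending = None
        elif pending:
            creds[pending] = decode_b64_text(text.strip())
            pending = None
    return creds


if __name__ == "__main__":
    for name, stream in (("LOGIN", SAMPLE_LOGIN_STREAM), ("PLAIN", SAMPLE_PLAIN_STREAM)):
        print(name, parse_smtp_auth(stream))
```

The same logic is what a detection rule would key on: a 334 reply followed by base64 client data on port 587 (or 25) without a preceding STARTTLS means the mailbox credentials are readable by anyone holding the capture, exactly as they are here.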

We move on to the next question,

What is Ann’s secret lover’s email address?

We continue digging into the pcap file and find a second session that Ann has made with the ESMTP server. Perhaps this time to send some information to her secret lover? Let's find out.

We see the same kind of traffic we encountered before, and then we see that Ann has specified the recipient address as mistersecretx@aol.com, which answers our 3rd question. Moving on...

What two items did Ann tell her secret lover to bring?

We drill into the details of the conversation between Ann and the server, follow the TCP stream, and find this:

We can see that she has asked him to bring the fake passport and a bathing suit. We can also see that she has attached the address to the email. That answers the 4th question. The next question is a bit easier; again we seek the help of Follow TCP Stream in Wireshark.

What is the NAME of the attachment Ann sent to her secret lover?

From the figure above we can see that the attached file is secretrendezvous.docx. The next part is a bit tricky, but an easy one if you have read the RFC pointed out earlier in this post.

What is the MD5sum of the attachment Ann sent to her secret lover?

Beneath the filename (still in Follow TCP Stream) we notice a strange set of characters, which is nothing but the attachment encoded in BASE64 format. We copy all of them, put them into our favorite converter, and the result is a DOCX file. I use an online converter: http://www.motobit.com/util/base64-decoder-encoder.asp

When we have the complete DOCX file we compute its MD5sum and get the result

9e423e11db88f01bbff81172839e1923 *AnnSecretDoc.docx
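Copying a few hundred kilobytes of base64 into a web form is error-prone (a missed line changes the hash) and hands the evidence to a third party. The following is an added example, not code from the original post or the contest: it takes the DATA portion of the session as Follow TCP Stream shows it, undoes SMTP dot-stuffing, lets Python's email parser find the base64 part by its filename, decodes it and prints the MD5 in the same format as above. The message is constructed around a stand-in attachment, so its MD5 is not the one the post reports; only the addresses and filename come from the post.

```python
import base64
import hashlib
from email import message_from_bytes
from typing import Dict, List

# Constructed stand-in for the attachment. The real secretrendezvous.docx from the
# contest capture is not reproduced here, so the MD5 differs from the post's.
SAMPLE_ATTACHMENT_BYTES = b"PK\x03\x04 constructed DOCX stand-in, not a real zip archive\n" * 40
SAMPLE_FILENAME = "secretrendezvous.docx"


def build_sample_smtp_data(attachment: bytes, filename: str) -> bytes:
    """Construct the DATA payload of an SMTP session carrying one base64 attachment,
    shaped like the text Follow TCP Stream shows. Addresses and filename are from
    the post; the body text, boundary and headers are made up."""
    b64 = base64.encodebytes(attachment).decode("ascii").replace("\n", "\r\n")
    return (
        "From: sneakyg33k@aol.com\r\n"
        "To: mistersecretx@aol.com\r\n"
        "Subject: rendezvous\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="----=_Part_constructed"\r\n'
        "\r\n"
        "------=_Part_constructed\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Bring your fake passport and a bathing suit. The address is attached.\r\n"
        "------=_Part_constructed\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        f"{b64}"
        "------=_Part_constructed--\r\n"
        ".\r\n"  # SMTP end-of-data marker, as it appears in the stream
    ).encode("ascii")


def unstuff_smtp_data(data: bytes) -> bytes:
    """Undo SMTP dot-stuffing (RFC 5321 section 4.5.2) and drop the terminating
    '.' line, so the bytes match what the client originally submitted."""
    lines = data.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()
    if lines and lines[-1] == b".":
        lines.pop()
    lines = [ln[1:] if ln.startswith(b"..") else ln for ln in lines]
    return b"\r\n".join(lines) + b"\r\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def extract_attachments(smtp_data: bytes) -> List[Dict[str, object]]:
    """Parse the message and decode every MIME part that carries a filename."""
    msg = message_from_bytes(unstuff_smtp_data(smtp_data))
    found: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        blob = part.get_payload(decode=True)  # undoes the base64 transfer encoding
        found.append({"filename": filename, "size": len(blob), "md5": md5_hex(blob), "data": blob})
    return found


if __name__ == "__main__":
    data = build_sample_smtp_data(SAMPLE_ATTACHMENT_BYTES, SAMPLE_FILENAME)
    for att in extract_attachments(data):
        print(f'{att["md5"]} *{att["filename"]} ({att["size"]} bytes)')
```

Dot-unstuffing matters because the stream is the wire form: a line in the message that begins with "." is sent as "..", and leaving that in would corrupt a text part (base64 never starts a line with a dot, so the attachment itself is unaffected either way).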

And inside the DOCX is the answer to the next question,

In what CITY and COUNTRY is their rendez-vous point?

We are still left with the last question,

What is the MD5sum of the image embedded in the document?

For this particular question we either carve the image out of the DOCX file by hand or use an automated tool that does the job for us, in this case Foremost. We carve out the file using Foremost like so:

foremost AnnSecretDoc.docx

This results in a 189 KB PNG file with the MD5 hash aadeace50997b1ba24b09ac2ef1940b7.
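Both routes the post mentions, hand carving and Foremost, come down to the same two ideas, and it is worth seeing them side by side. The following is an added example, not code from the original post or from Foremost: it builds a tiny valid PNG and a toy DOCX around it (both constructed, so the sizes and hashes are not the post's), then recovers the image two ways. `carve_pngs` is signature carving in the style of a Foremost png rule, from the PNG header to the IEND chunk; `media_from_docx` reads the image straight out of the ZIP that a DOCX really is. When the two disagree, trust the ZIP: signature carving only works when the image bytes sit verbatim in the file, and a DEFLATEd ZIP entry can hide or damage them.

```python
import hashlib
import io
import struct
import zipfile
import zlib
from typing import Dict, List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# A zero-length IEND chunk is always these 12 bytes: length 0, tag, CRC of "IEND".
IEND_MARKER = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def build_minimal_png(width: int = 2, height: int = 2) -> bytes:
    """Construct a small valid RGB PNG (solid red) so the example runs offline."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0 per row
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"")


def build_sample_docx(png: bytes, compressed: bool = False) -> bytes:
    """Construct a toy DOCX: a ZIP with the image under word/media/, as a real one has.
    compressed=False stores the entry verbatim (carvable); compressed=True DEFLATEs
    it, which is the case where signature carving is not reliable."""
    buf = io.BytesIO()
    method = zipfile.ZIP_DEFLATED if compressed else zipfile.ZIP_STORED
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/image1.png", png)
    return buf.getvalue()


def carve_pngs(blob: bytes) -> List[bytes]:
    """Signature carving, the way a foremost png rule works: from each PNG header
    to the end of the next IEND chunk."""
    carved: List[bytes] = []
    pos = 0
    while True:
        start = blob.find(PNG_SIGNATURE, pos)
        if start < 0:
            break
        end = blob.find(IEND_MARKER, start)
        if end < 0:
            break
        end += len(IEND_MARKER)
        carved.append(blob[start:end])
        pos = end
    return carved


def media_from_docx(docx: bytes) -> Dict[str, bytes]:
    """Structure-aware alternative: read the images straight out of the ZIP."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return {name: zf.read(name) for name in zf.namelist() if name.startswith("word/media/")}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    png = build_minimal_png()
    docx = build_sample_docx(png)
    for i, img in enumerate(carve_pngs(docx)):
        print(f"carved #{i}: {len(img)} bytes md5={md5_hex(img)}")
    for name, img in media_from_docx(docx).items():
        print(f"unzipped {name}: {len(img)} bytes md5={md5_hex(img)}")
```

For the contest file, hashing `word/media/image1.png` out of the DOCX and hashing Foremost's output should give the same value; if they do not, the carver stopped early or late (a truncated IEND search, or a second PNG signature inside the file), and the ZIP copy is the one to report.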

That concludes this post in the blog. See you soon in another post, till then cya – binaryhax0r

