Network Forensics | Get in Gear for Black Hat 2014
A representative of Breeches Warehouse, a leading retailer of breeches and other apparel, has just given you a call. He sounds frantic. He explains that a phishing email slipped through the Breeches Warehouse spam filter and reached all staff inboxes. The email looked official and promised a free prize in exchange for downloading and filling out a survey. One staff member made the mistake of downloading the email attachment, which revealed that it was not a survey after all. Then Breeches Warehouse noticed an important file had been stolen. This mystery now lies in your hands, and you’ll need your network forensics savvy to solve it. Breeches Warehouse wants to know three things:
- The attacker’s IP address
- The time at which the transfer occurred
- The md5sum of the transferred file
Download and open up the packet capture to get started.
Packet capture: Breeches-Warehouse-mystery.pcap
If you want to solve the puzzle on your own, don’t click on the jump! If you need a hand or want to check your answers, our walkthrough after the jump will guide you through.
A devious hacker has gained access and stolen some of Breeches Warehouse’s sensitive information. It is now our job to tease out some information in the packet capture that was taken during the attack in order to solve the puzzle.
Part 1
The first step we should take is to open the capture in the packet analysis tool Wireshark. I like to begin by sorting the packets by protocol by clicking on the “Protocol” tab. This gives an easy visual of how frequently different protocols were used and which, if any, protocols were used to transfer data to and from machines on the network. Once the packets have been sorted, you can scroll down and see a section of FTP traffic starting at packet 6329. Since we are searching for stolen client information, this is a good place to start our analysis.
After a quick scan of this FTP transfer, we can see a request by an anonymous user to store a file called “Employee_Information.xls” on an FTP server in packet 6505. The destination IP of this transfer shows that the file is being sent to a machine located at the IP address 172.29.1.21. With this information, we can assume that this address belongs to the attacker or, at the very least, to the server on which the attacker is storing stolen information.
Part 2
Now that we have solved the first piece of the puzzle, we must find the time at which the transfer was made. This step is pretty straightforward once we find the packet in which the data transfer begins. If we examine the FTP traffic a little more closely, we will see a grouping of “FTP-DATA” protocol packets starting at packet 6510.
To find the time of the transfer, select packet 6510 and examine the packet details. Under the first section, labeled “Frame,” there is a field named “Arrival Time” with a date and time. With a simple conversion from the 24-hour clock, we can confidently say that the data was transferred on July 14, 2014 at 2:27 PM. Note that Wireshark displays Arrival Time in the local time zone of the machine running Wireshark, not the time zone of the capturing host, so record which zone a reported time refers to.
Part 3
Two answers down, one to go. Now we will take the final steps to extract the stolen file from the capture and verify its md5sum. Luckily for us, carving data from FTP transfers is quite simple. First, right-click one of the packets using the “FTP-DATA” protocol (or select it and open the “Analyze” menu) and choose “Follow TCP Stream.” Once inside the stream, we come across what appears to be employee information written in plain text.
Extracting the file is as simple as selecting “Save As” and saving the raw stream as an Excel (.xls) file. Before saving, make sure the stream is shown as “Raw” and that only the direction carrying the upload (client to server) is selected; saving both directions, or any other display encoding, changes the bytes and therefore the md5sum. Now that we have the file saved, we can get its md5sum. I like to use the “md5sum” command on the Linux command line. On a Mac, you can use the “openssl md5” command.
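The same carving can be scripted, which makes the result reproducible and makes the pitfalls of the GUI route explicit: the upload direction only, segments placed by sequence number rather than capture order, and a hard failure when segments are missing. The following is an added example, not code from the original post: a minimal parser for classic libpcap captures of Ethernet frames that reassembles every TCP payload stream sent to a given host and reports its first timestamp, size and md5sum. The sample capture it builds inline is constructed; it uses the puzzle's 172.29.1.21 as the destination and an assumed victim address of 10.0.0.5.

```python
import hashlib, struct
from ipaddress import ip_address

def pcap_records(data):  # yield (timestamp, frame) from a classic libpcap file; pcapng is not handled
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    off = 24  # skip the global header; the link type is assumed to be Ethernet
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_fields(frame):  # decode Ethernet/IPv4/TCP into (src, sport, dst, dport, seq, payload), else None
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6: return None  # not IPv4/TCP
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # drop Ethernet trailer padding
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return str(ip_address(ip[12:16])), sport, str(ip_address(ip[16:20])), dport, seq, tcp[(tcp[12] >> 4) * 4:]

def carve_uploads(pcap_bytes, dst_ip):  # rebuild each TCP payload stream sent to dst_ip in sequence order
    streams = {}  # (src, sport, dport) -> [timestamp of first payload seen, {seq: payload}]
    for ts, frame in pcap_records(pcap_bytes):
        f = tcp_fields(frame)
        if f is None or f[2] != dst_ip or not f[5]:
            continue  # other hosts, the reverse direction and bare ACKs carry no file bytes
        src, sport, _, dport, seq, payload = f
        streams.setdefault((src, sport, dport), [ts, {}])[1].setdefault(seq, payload)
    results = []
    for (src, sport, dport), (ts, chunks) in streams.items():
        base, buf = min(chunks), bytearray()  # offsets relative to the lowest seq (no 32-bit wrap handling)
        for seq in sorted(chunks):  # sequence order, not capture order: undoes reordering and retransmits
            if seq - base > len(buf): raise ValueError("gap before seq %d: segments missing from capture" % seq)
            buf[seq - base:seq - base + len(chunks[seq])] = chunks[seq]
        results.append({"src": src, "sport": sport, "dport": dport, "first_payload_ts": ts,
                        "size": len(buf), "md5": hashlib.md5(bytes(buf)).hexdigest()})
    return results

def build_frame(src, sport, dst, dport, seq, payload):  # constructed Ethernet/IPv4/TCP frame, zero checksums
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed) + tcp
    return bytes(12) + b"\x08\x00" + ip
def build_pcap(records):  # constructed little-endian libpcap file (link type 1 = Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
        struct.pack("<IIII", int(ts), round(ts % 1 * 1e6), len(fr), len(fr)) + fr for ts, fr in records)
# Constructed sample: active-mode FTP upload to the puzzle's 172.29.1.21; data segments out of order, one twice
SAMPLE_FILE = b"Name,Department,Salary\r\nA. Example,Sales,50000\r\n"
SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame("10.0.0.5", 49152, "172.29.1.21", 21, 1, b"STOR Employee_Information.xls\r\n")),
    (1000.2, build_frame("10.0.0.5", 49153, "172.29.1.21", 20, 1025, SAMPLE_FILE[24:])),  # second half first
    (1000.3, build_frame("10.0.0.5", 49153, "172.29.1.21", 20, 1001, SAMPLE_FILE[:24])),
    (1000.4, build_frame("10.0.0.5", 49153, "172.29.1.21", 20, 1001, SAMPLE_FILE[:24]))])  # retransmission
```

On the real capture, pass open("Breeches-Warehouse-mystery.pcap", "rb").read() to carve_uploads with the attacker's address and pick the record on the FTP-DATA port; the control channel (port 21) shows up as its own small stream containing the STOR command.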
We hope you enjoyed this short puzzle; get ready for lots more where this came from at the Black Hat Network Forensics course. Good luck as you prepare for Black Hat, and we look forward to seeing you there!