Saturday, February 20, 2010

Xplico and SANS Forensic Challenge #2

So after installing Xplico I wanted to give it a shot and do a forensic investigation using it. I chose this puzzle since at the time I was playing with this it had just wrapped up and the answers were available to check against. Now in order to complete this thing I will have to use more tools than Xplico but I will try and use it wherever possible.

So let's log in and create a new case. We shall call it SANS Puzzle 2:



Now click on the case so we can create a new session. We shall call it "Let's Rock This":



OK... Click on the session. You should get a purty screen that looks like this:



Time to upload the pcap file. All the cool kids md5sum the evidence file so we know we are working with the right stuff here. It should be:

cfac149a49175ac8e89d5b5b5d69bad3 evidence02.pcap

Give it a few moments (depending on your puter) and let it do its thing. You should get a screen that looks like this:



Now let's look at the questions from the contest. Question #1 What is Ann's email?

So normally you could fire up Wireshark on this mug and find the SMTP packets and get the info. Who wants to do that though when you can click email on the left hand side and see all the emails contained in the pcap? :)



We click the first email listed and what can one say? Scandalous! Here is the email:



So we can answer question #1. Ann's email is sneakyg33k@aol.com (shown with the display name Ann Dercover).

Now we need her password which is question #2. This is a pretty nice feature with Xplico. Hover over the info.xml and save the pcap.

Open the pcap in Wireshark and cruise down to packet #14 to grab the Base64 encoded password.



Ann really should think about using an email provider that doesn't pass credentials in the clear. Base64 is an encoding, not encryption, so an AUTH LOGIN exchange on an unencrypted submission session (port 587 here, with no STARTTLS in front of it) hands the credentials to anyone holding the capture. Cruise over to a Base64 decoder and paste the password in there (NTU4cjAwbHo= is what you paste but you already knew that), hit decode and PLOW!!!! Ann's password is 558r00lz
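To show what Wireshark was reading off the wire around packet #14, here is an added Python example (not part of the original post and not Xplico code) that walks an SMTP submission transcript, finds the AUTH LOGIN or AUTH PLAIN exchange, decodes the Base64 responses and records whether STARTTLS protected them. The transcript, host names and the decoder itself are constructed for illustration; only the password blob NTU4cjAwbHo= is the value from the capture.

```python
import base64
import re

# Constructed SMTP submission transcript, not taken from evidence02.pcap; the
# only value from the post is the Base64 password blob NTU4cjAwbHo=.
SESSION = [
    "220 smtp.example.test ESMTP ready",
    "EHLO annlaptop",
    "250-smtp.example.test",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",                                 # "Username:"
    base64.b64encode(b"sneakyg33k@aol.com").decode(),  # client response
    "334 UGFzc3dvcmQ6",                                 # "Password:"
    "NTU4cjAwbHo=",                                     # the blob from packet #14
    "235 2.7.0 Authentication successful",
]

# Server replies start with a 3-digit code then space, hyphen or end of line;
# a Base64 response can never match because its length is a multiple of 4.
SERVER_LINE = re.compile(r"^\d{3}([ -]|$)")


def extract_smtp_auth(lines):
    """Recover the credential sent with AUTH LOGIN or AUTH PLAIN (None if absent).
    'tls' is True only if STARTTLS preceded AUTH; otherwise Base64 was the only
    'protection' and the session is a cleartext credential exposure."""
    tls = False
    for i, line in enumerate(lines):
        if SERVER_LINE.match(line):
            continue                      # skip server replies
        words = line.split() or [""]
        verb = words[0].upper()
        if verb == "STARTTLS":
            tls = True
        elif verb == "AUTH" and len(words) >= 2:
            mech = words[1].upper()
            if mech == "PLAIN":
                # Initial response is inline or follows a 334 challenge.
                blob = words[2] if len(words) > 2 else lines[i + 2].strip()
                parts = base64.b64decode(blob).split(b"\0")  # authzid, authcid, passwd
                user, pw = parts[-2].decode(), parts[-1].decode()
            elif mech == "LOGIN":
                # The next two client lines answer the Username:/Password: challenges.
                answers = [l.strip() for l in lines[i + 1:] if not SERVER_LINE.match(l)][:2]
                user, pw = (base64.b64decode(a).decode() for a in answers)
            else:
                continue
            return {"mechanism": mech, "username": user, "password": pw, "tls": tls}
    return None
```

Run against a real capture, a result with `tls` False is exactly the exposure described above and is worth alerting on; the same logic applies to IMAP/POP3 LOGIN commands with a different line grammar.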

Question #3: What is Ann's "Lover's" email? mistersecretx@aol.com is in the email we looked at above.

Question #4: What items is mistersecretx supposed to bring with him? Again look in the email above and we can see that he is supposed to bring his bootleg passport and a speedo. (Technically the answer is a fake passport and a bathing suit)

Question #5: What is the name of the attachment? Easy one again with Xplico. Look at the email and you see it right there. secretrendezvous.docx

Question #6: What is the MD5 sum of the attachment? On this one you have to do a little massaging for ease of use later. When I save the attachment in the email it saves it as "3". I renamed it so that the name was right then pumped it through md5sum:

9e423e11db88f01bbff81172839e1923 secretrendezvous.docx

Question #7: In what CITY and COUNTRY is their rendez-vous point? Since we renamed it to the correct extension, OpenOffice opened it right up and here is what it looks like:


VIVA LA MEXICO!!!!! The answer is: Playa del Carmen, Mexico

Question #8: What is the MD5 sum of the embedded picture? Xplico doesn't really help here except for getting us the attachment to work with. So in a terminal run the following commands:

$ unzip secretrendezvous.docx
$ cd word/media
$ md5sum image1.png

aadeace50997b1ba24b09ac2ef1940b7 image1.png
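Both hashes (the attachment for question #6, the embedded picture for question #8) can also be taken straight out of the zip container without unpacking it to disk, which copes with the extension-less file "3" that Xplico saved by identifying the .docx from its structure. This is an added Python example, not from the post or from Xplico; the .docx it hashes is constructed in memory, so its digests are not those of the real attachment.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the recovered attachment (not the real
# secretrendezvous.docx): a minimal OOXML package with two media files.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # fake image bytes, not a valid PNG
SAMPLE_GIF = b"abc"                                # md5 900150983cd24fb0d6963f7d28e17f72

def build_sample_docx():
    """Return the constructed .docx as bytes (what Xplico handed us as file "3")."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", SAMPLE_PNG)
        z.writestr("word/media/image2.gif", SAMPLE_GIF)
    return buf.getvalue()

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def is_wordprocessingml(data):
    """Identify a .docx by its zip structure, since the saved name carried no
    extension; a zip lacking word/document.xml is some other OOXML/zip file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    return "[Content_Types].xml" in names and "word/document.xml" in names

def hash_docx_media(data):
    """Hash the container (question 6) and every embedded word/media/* file
    (question 8) straight from the zip, without unpacking to disk.
    Returns {"container": md5, "media": {path: {"md5": ..., "sha256": ...}}}."""
    if not is_wordprocessingml(data):
        raise ValueError("not a WordprocessingML (.docx) package")
    result = {"container": md5_hex(data), "media": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename.startswith("word/media/") and not info.is_dir():
                blob = z.read(info)
                result["media"][info.filename] = {
                    "md5": md5_hex(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                }
    return result
```

Hashing from the zip entries also avoids touching the timestamps or permissions of anything you would otherwise extract, so the evidence copy stays as recovered.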

That's it as far as the contest is concerned. This thing has a ton of capabilities and I plan on exploring them further by doing some of the other challenges, so check back. When I originally tried this challenge I used tcpdump and Wireshark to get a lot of these answers but it was very time consuming. When time is of the essence it is nice to have tools that make things easy. Looking at the forums I see that this is actively being improved and I am very impressed overall by the tool.

There are some gaps with this tool though. I recently did the Honeynet Challenge #1 and Xplico doesn't help at all really. You can see some of the FTP information but other than that there really isn't anything there. It does look promising for the Honeynet Challenge #2 though :)

3 comments:

  1. Looks useful. I was surprised about having to export an XML back into Wireshark to grab the encoded password. I would have expected this type of info (not necessarily the password, but at least the EHLO, and other SMTP commands, and email headers) would be a more immediate feature of a forensic tool.

  2. The info.xml only contains the stream info. I shall paste it in the bottom of this comment. I would also like to mention that it took me about 5 minutes using this tool to complete the challenge. I did it by hand in wireshark/tcpdump and it took over an hour. I think for this type of scenario this tool was excellent. As promised here are the contents of the info.xml:

    --- Decoding info: stream 0 ---
    tcp
      tcp.srcport  1038
      tcp.dstport  587
      tcp.clnt     1
      tcp.lost     0
    ip
      ip.proto     6
      ip.src       192.168.1.159
      ip.dst       64.12.102.142
    eth
      eth.type     2048
    pol
      pol.layer1   1
      pol.count    113
      pol.file     /opt/xplico/pol_1/sol_1/decode/evidence02.pcap
      pol.sesid    1
      pol.polid    1

  3. Hi TOoSmOotH,
    nice post.
    The info.xml file contains all the information needed to retrieve the flows (from the pcap) that generated the extracted data, also in the case of distinct flows like Facebook chat.
    To build the pcap you can use the link (pcap) in the XI or the script xml2pcap.php.
    For Honeynet Challenge #1 the problem is that the data is corrupted (checksum errors); if you disable the checksum verification you can extract more data (but not all).

    Ciao.
    Gianluca
