Defcon 2011 network forensics write-up
Published in: Technology, Education
Transcript

  • 1. DEFCON 2011 Network Forensics
    Author: hip@insight-labs.org

    1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html
    strings Evidence01.pcap | grep -i company
    Search the printable strings for the keyword "company" with grep.
    Answer: Factory-Made-Winning-Pharmaceuticals

    2. DEFCON 2011 Network Forensics Puzzle: Inception
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html
    Since mail is being sent, the Subject line is the natural thing to look for.
    tcpflow -r Evidence02.pcap
    (-r: read packets from a tcpdump output file)
    grep -a Subject *
    (-a, --text: equivalent to --binary-files=text, so grep searches the binary flow files)
    foremost, a file carving (recovery) tool:
    http://adityo.blog.binusian.org/?p=231
    http://www.irongeek.com/i.php?page=backtrack-3-man/foremost
    http://www.youtube.com/watch?v=TmWLsufNiUQ
    cat /etc/foremost.conf
  • 2. foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
    file 00000030.pcap
    List every host contacted inside the carved capture:
    tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
  • 3. tcpflow -r 00000030.pcap host 204.11.246.48
    grep GET *
    Look at the response:
    head 204.011.246.048.00080-172.030.001.100.60176
  • 4. foremost -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T
    gunzip -d 00000000.gz
    firefox 00000000
    Answer: October 6-7, 2011
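The tcpflow / grep steps above (rebuild each TCP stream, then grep the stream files for Subject: or Host: lines) can be reproduced without the tools. The following is an added example, not code from the slides: a minimal pcap reader and per-flow TCP reassembler in pure Python that names the flows the way tcpflow does and greps a header across them. The capture it runs on is constructed in memory (the client and server addresses are taken from the slides' flow file names; 10.0.0.5 and the header values are made up), and it deliberately contains an out-of-order segment and a retransmission to show why sorting by sequence number and dropping already-seen bytes matters.

```python
import struct
from collections import defaultdict

# --- constructed sample capture (not the contest evidence) ---------------------------

def _frame(src, dst, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame carrying `payload` (checksums left 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload

def _pcap(frames):
    """Wrap raw frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)

C, WEB1, WEB2, MAIL = "172.30.1.100", "205.188.192.1", "204.11.246.48", "10.0.0.5"
SAMPLE_PCAP = _pcap([
    # one HTTP request split over two segments, delivered out of order, first one retransmitted
    _frame(C, WEB1, 51805, 80, 1018, b"st: www.example.com\r\n\r\n"),
    _frame(C, WEB1, 51805, 80, 1000, b"GET / HTTP/1.1\r\nHo"),
    _frame(C, WEB1, 51805, 80, 1000, b"GET / HTTP/1.1\r\nHo"),
    _frame(C, WEB2, 60176, 80, 5000, b"GET /x HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    _frame(C, MAIL, 51807, 25, 1, b"From: a@example.org\r\nSubject: Meeting notes\r\n\r\n"),
])

# --- the actual technique ------------------------------------------------------------

def iter_frames(pcap):
    """Yield captured frames from a classic pcap file (either byte order)."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[doff:]

def reassemble_flows(pcap):
    """Rebuild each unidirectional TCP flow's byte stream, like tcpflow: order segments by
    sequence number and drop bytes already seen (retransmissions, overlaps).
    Sequence-number wraparound is ignored; fine for short evidence captures."""
    segs = defaultdict(list)
    for frame in iter_frames(pcap):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            segs[seg[0]].append((seg[1], seg[2]))
    flows = {}
    for key, parts in segs.items():
        data, nxt = b"", None
        for seq, payload in sorted(parts, key=lambda p: p[0]):
            end = seq + len(payload)
            if nxt is None:
                nxt = seq
            if end <= nxt:            # entirely retransmitted data: skip
                continue
            if seq < nxt:             # partial overlap: keep only the new tail
                payload = payload[nxt - seq:]
            data += payload
            nxt = end
        flows[key] = data
    return flows

def flow_name(key):
    """tcpflow-style file name, e.g. 172.030.001.100.51805-205.188.192.001.00080."""
    src, sport, dst, dport = key
    pad = lambda ip: ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"

def grep_header(flows, name):
    """Sorted unique values of a header line (Host:, Subject:, ...) across all flows,
    i.e. `grep -a Subject * | sort | uniq` over tcpflow output."""
    prefix = name.lower().encode() + b":"
    found = set()
    for data in flows.values():
        for line in data.splitlines():
            if line.lower().startswith(prefix):
                found.add(line[len(prefix):].strip().decode("latin-1"))
    return sorted(found)

if __name__ == "__main__":
    flows = reassemble_flows(SAMPLE_PCAP)
    for key, data in flows.items():
        print(flow_name(key), len(data), "bytes")
    print("Host:", grep_header(flows, "Host"))
    print("Subject:", grep_header(flows, "Subject"))
```

Header matching is case-insensitive and tolerant of bare "\n" line endings, because mail and HTTP traffic in real captures is rarely as tidy as the sample; a plain `grep Subject` would miss "subject:" from a client that lower-cases headers.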
  • 5. Quick solve with NetworkMiner.

    3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html
    In NetworkMiner the transferred files are visible directly, but no VoIP is found, so the next analysis step cannot proceed there.
  • 6. Switched to xplico; the xplico GUI does not work.
    usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
     -v version
     -c config file
     -h this help
     -i info of protocol prot
     -g display graph-tree of protocols
     -l print all log in the screen
     -m capture type module
     NOTE: parameters MUST respect this order!
    ./xplico -m pcap -f /root/Desktop/Evidence03.pcap
  • 7. IP 74.125.127.126 belongs to Google, so we can guess this is a Google Chat VoIP call and try decoding it with videosnarf.
    videosnarf
    http://ucsniff.sourceforge.net/videosnarf.html
    root@bt:/usr/local/bin# videosnarf -h
    Starting videosnarf 0.63
    Usage: videosnarf [-i input pcap file] [-f filter expression]
    -i <input pcap file> (Mandatory) input pcap file
    -o <output file> (Optional) output base name file
    -f <filter expression> (Optional) pcap filter expression
    -k <g726 sample size> (Optional) G726 sameple size
  • 8. Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32
    Note: If there are 802.1Q headers in the RTP packet capture, please dont set the filter expression
    Example Usage:
    videosnarf -i inputfile.pcap
    videosnarf -i inputfile.pcap -f "udp dst port 25001"
    Answer: rom127#
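Before videosnarf can decode anything it has to decide which UDP datagrams are RTP at all, which is exactly the step NetworkMiner missed here. The following is an added example, not part of the slides or of videosnarf: an RTP header parser (RFC 3550 layout, static payload types from RFC 3551) that rejects RTCP and non-RTP datagrams, then groups what remains into streams by SSRC with a packet and loss count. All datagrams are constructed in memory; the 74.125.127.126 address comes from the slide, the client port 25001 from the videosnarf usage text, and every other address, port, SSRC and payload byte is made up.

```python
import struct

# Static RTP payload types (RFC 3551); 96-127 are negotiated per call (SDP / Jingle).
STATIC_PT = {0: "PCMU/G.711", 3: "GSM", 8: "PCMA/G.711", 9: "G.722", 18: "G.729",
             26: "JPEG", 34: "H.263"}

def parse_rtp(payload):
    """Parse one UDP payload as an RTP packet. Returns a dict, or None when the bytes do
    not look like RTP (version != 2, an RTCP packet type, or inconsistent lengths)."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    if 200 <= b1 <= 204:                  # SR/RR/SDES/BYE/APP: RTCP shares the port, skip it
        return None
    pt = b1 & 0x7F
    cc, has_ext, has_pad = b0 & 0x0F, bool(b0 & 0x10), bool(b0 & 0x20)
    hdr_len = 12 + 4 * cc                 # fixed header plus CSRC list
    if has_ext:                           # header extension: 16-bit id, 16-bit length in words
        if len(payload) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", payload[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(payload) < hdr_len:
        return None
    media = payload[hdr_len:]
    if has_pad:                           # last byte says how many padding bytes to strip
        pad = media[-1] if media else 0
        if pad == 0 or pad > len(media):
            return None
        media = media[:-pad]
    codec = STATIC_PT.get(pt, "dynamic" if pt >= 96 else "unassigned")
    return {"pt": pt, "codec": codec, "seq": seq, "ts": ts, "ssrc": ssrc,
            "marker": bool(b1 & 0x80), "media": media}

def find_rtp_streams(datagrams):
    """Group (src, sport, dst, dport, payload) UDP datagrams into RTP streams keyed by SSRC,
    counting packets, media bytes and sequence gaps (lost packets)."""
    streams = {}
    for src, sport, dst, dport, payload in datagrams:
        pkt = parse_rtp(payload)
        if pkt is None:
            continue
        s = streams.setdefault(pkt["ssrc"], {"flow": (src, sport, dst, dport), "codec": pkt["codec"],
                                             "packets": 0, "lost": 0, "media_bytes": 0, "last_seq": None})
        if s["last_seq"] is not None:
            gap = (pkt["seq"] - s["last_seq"] - 1) & 0xFFFF   # 16-bit sequence wraparound
            if gap < 0x8000:              # a "negative" gap is reordering, not loss
                s["lost"] += gap
        s["last_seq"] = pkt["seq"]
        s["packets"] += 1
        s["media_bytes"] += len(pkt["media"])
    return streams

# --- constructed sample datagrams ---------------------------------------------------

def _rtp(pt, seq, ts, ssrc, media, pad=0):
    """Build an RTP packet; pad > 0 appends RFC 3550 padding with the length in the last byte."""
    b0 = 0x80 | (0x20 if pad else 0)
    pkt = struct.pack("!BBHII", b0, pt, seq, ts, ssrc) + media
    if pad:
        pkt += b"\x00" * (pad - 1) + bytes([pad])
    return pkt

CLIENT, GOOGLE, SSRC_A, SSRC_B = "172.30.1.100", "74.125.127.126", 0xDEADBEEF, 0x0BADCAFE
SAMPLE_DATAGRAMS = [
    (CLIENT, 25001, GOOGLE, 19305, _rtp(0, 10, 160, SSRC_A, b"\xff" * 160)),
    (CLIENT, 25001, GOOGLE, 19305, _rtp(0, 11, 320, SSRC_A, b"\xff" * 160)),
    (CLIENT, 25001, GOOGLE, 19305, _rtp(0, 13, 640, SSRC_A, b"\xff" * 160)),        # seq 12 lost
    (CLIENT, 25001, GOOGLE, 19305, _rtp(0, 14, 800, SSRC_A, b"\xff" * 160, pad=4)),
    (GOOGLE, 19305, CLIENT, 25001, _rtp(8, 500, 160, SSRC_B, b"\xd5" * 160)),
    (GOOGLE, 19305, CLIENT, 25001, b"\x80\xc8" + b"\x00" * 26),                    # RTCP sender report
    (CLIENT, 53211, "10.0.0.53", 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),    # DNS, not RTP
]

if __name__ == "__main__":
    for ssrc, s in find_rtp_streams(SAMPLE_DATAGRAMS).items():
        print(f"SSRC {ssrc:08x} {s['flow']} codec={s['codec']} packets={s['packets']} lost={s['lost']}")
```

The version and RTCP checks are the cheap filters; the length consistency checks are what keep random UDP payloads with a leading 0x80 byte from being counted as a stream. Once the SSRCs and payload types are known, the decoder (videosnarf here) knows which codec to apply to the media bytes.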
  • 9. 4. DEFCON 2011 Network Forensics Puzzle: The Heist
    Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

    5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html
    useonce@
    Opening the file, you can find the password: 8.4 oz- Red Bull
    Linux solution:
    tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
  • 10. tshark -r SMB.cap | grep "Create AndX Request"
    Use grep to find the files created over SMB.
    Extract the file. Since the file to extract is a 7z archive, a 7z format entry has to be added to tcpxtract.conf first (the \x escapes are written literally; that is the syntax tcpxtract expects for the magic bytes):
    echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf
    mv 00000000.p7z 00000000.7z
    Then just decompress it! Done
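The tcpxtract.conf line above describes a file type as (maximum size, header magic, optional footer), and tcpxtract then carves from the first magic byte up to the footer or the size limit. The following is an added example, not the tool's own code: a carver in that style over a reassembled stream, plus a function that renders a config line in tcpxtract syntax. For 7z it goes one step further than the max-size rule: the 32-byte 7z signature header carries the offset and size of the archive's final header and a CRC over those fields, so the exact archive length can be computed and a stray magic hit with a bad CRC rejected. The stream it carves is constructed in memory (the "SMB junk" bytes, the packed-stream contents and the gzip fragment are made up; the 7z and gzip magic values are the real ones).

```python
import struct
import zlib

SEVEN_ZIP_MAGIC = bytes.fromhex("377abcaf271c")

# tcpxtract-style table: name -> (max_size, header magic, footer or None)
SIGNATURES = {
    "7z": (100_000_000, SEVEN_ZIP_MAGIC, None),
    "gz": (100_000_000, b"\x1f\x8b\x08", None),
}

def tcpxtract_conf_line(name, max_size, magic, footer=None):
    """Render a tcpxtract.conf entry: name(max_size, \\xHH\\xHH..., [footer]);"""
    esc = lambda b: "".join(f"\\x{x:02x}" for x in b)
    tail = f", {esc(footer)}" if footer else ""
    return f"{name}({max_size}, {esc(magic)}{tail});"

def seven_zip_length(data, start):
    """Exact size of a 7z archive starting at `start`, read from its signature header:
    magic(6) version(2) StartHeaderCRC(4) NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4).
    Returns None if the header is truncated or its CRC does not match (a false magic hit)."""
    hdr = data[start:start + 32]
    if len(hdr) < 32 or hdr[:6] != SEVEN_ZIP_MAGIC:
        return None
    start_crc = struct.unpack("<I", hdr[8:12])[0]
    if zlib.crc32(hdr[12:32]) != start_crc:
        return None
    next_off, next_size = struct.unpack("<QQ", hdr[12:28])
    return 32 + next_off + next_size

def carve(data, signatures=SIGNATURES):
    """Cut every signature hit out of a reassembled stream. Without a footer or a
    size-bearing header the cut runs to max_size or the end of the data, like tcpxtract."""
    results = []
    for name, (max_size, header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = min(pos + max_size, len(data))
            if name == "7z":
                exact = seven_zip_length(data, pos)
                if exact is None:                 # bad CRC: not an archive, keep scanning
                    pos = data.find(header, pos + 1)
                    continue
                end = min(pos + exact, end)
            elif footer:
                f = data.find(footer, pos + len(header), end)
                if f != -1:
                    end = f + len(footer)
            results.append((name, pos, data[pos:end]))
            pos = data.find(header, end)
    return sorted(results, key=lambda r: r[1])

# --- constructed sample stream --------------------------------------------------------

def _fake_7z(packed, next_header):
    """Assemble a structurally valid 7z container (contents are not real compressed data)."""
    fields = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return SEVEN_ZIP_MAGIC + b"\x00\x04" + struct.pack("<I", zlib.crc32(fields)) + fields + packed + next_header

SAMPLE_ARCHIVE = _fake_7z(b"\x00" * 40 + b"packed-stream-bytes", b"\x01\x04\x06\x00")
SAMPLE_STREAM = (b"\xffSMB junk before the transfer "
                 + SEVEN_ZIP_MAGIC + b"\x00" * 30          # magic in passing data, CRC will not match
                 + SAMPLE_ARCHIVE
                 + b"\x00" * 8 + b"\x1f\x8b\x08\x00gzip body fragment")

if __name__ == "__main__":
    print(tcpxtract_conf_line("p7z", 100000000, SEVEN_ZIP_MAGIC))
    for name, offset, blob in carve(SAMPLE_STREAM):
        print(f"{name} at offset {offset}: {len(blob)} bytes")
```

Carving the exact length matters for the final step of the puzzle: a 7z archive cut at an arbitrary max size still decompresses, but one cut short because another signature followed it, or one started at a false magic hit inside the SMB payload, does not, and the CRC check tells the two cases apart before any time is spent on the archive.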
