Defcon 2011 network forensics 解题记录
Published in: Technology, Education
Transcript

  • 1. DEFCON 2011 Network Forensics
    Author: hip@insight-labs.org

    1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html
    strings Evidence01.pcap | grep -i company
    Search for the keyword "company" with grep.
    Answer: Factory-Made-Winning-Pharmaceuticals

    2. DEFCON 2011 Network Forensics Puzzle: Inception
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html
    Mail was sent, so the Subject header is the natural thing to search for.
    tcpflow -r Evidence02.pcap   (-r: read packets from tcpdump output file)
    grep -a Subject *   (-a, --text: equivalent to --binary-files=text)
    foremost, a file carving tool:
    http://adityo.blog.binusian.org/?p=231
    http://www.irongeek.com/i.php?page=backtrack-3-man/foremost
    http://www.youtube.com/watch?v=TmWLsufNiUQ
    cat /etc/foremost.conf
  • 2. foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
    file 00000030.pcap
    List every host in the carved capture:
    tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
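The two searches above (`grep -a Subject *` over tcpflow output and `tcpdump -A ... | grep Host | sort | uniq`) both pull a header line out of TCP payloads. The following is an added example, not code from the slides or from any of the tools they use: a minimal classic-pcap reader (Ethernet/IPv4/TCP, no stream reassembly) that collects unique Host and Subject values together with the destination they were sent to. The capture it runs on is constructed inline, with placeholder addresses.

```python
"""Minimal pcap reader that pulls HTTP Host and mail Subject lines out of TCP
payloads. Added example (not from the slides); it does offline what the slides
do with `tcpdump -A ... | grep Host | sort | uniq` and `grep -a Subject *`.
Classic pcap, Ethernet/IPv4/TCP only, no reassembly: a header split across
two segments would be missed. The sample capture is constructed inline.
"""
import re
import struct

# Header names the slides grep for, matched at line start inside a TCP payload.
HEADER_RE = re.compile(rb"^(Host|Subject):[ \t]*(.*?)\r?$", re.MULTILINE | re.IGNORECASE)


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a classic (non-pcapng) pcap byte string."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":  # 14 + 20 + 20 minimum
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    dst = ".".join(str(b) for b in ip[16:20])
    dport = struct.unpack("!H", tcp[2:4])[0]
    return dst, dport, tcp[data_off:]


def extract_headers(pcap: bytes):
    """Unique (header, value, dst_ip, dst_port) tuples, sorted like `sort | uniq`."""
    found = set()
    for frame in iter_pcap_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        dst, dport, payload = parsed
        for name, value in HEADER_RE.findall(payload):
            found.add((name.decode().title(), value.decode(errors="replace"), dst, dport))
    return sorted(found)


# --- constructed sample capture (checksums left zero; the parser never checks them) ---
def build_frame(src_ip, dst_ip, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(x) for x in src_ip.split(".")),
                         bytes(int(x) for x in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_300_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("172.30.1.100", "10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("172.30.1.100", "10.0.0.5", 80, b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame("172.30.1.100", "10.0.0.6", 80, b"GET / HTTP/1.1\r\nhost: cdn.example.test\r\n\r\n"),
    build_frame("172.30.1.100", "10.0.0.7", 25,
                b"From: a@example.test\r\nSubject: Quarterly numbers\r\n\r\nbody\r\n"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP-like frame: not IPv4, skipped
])

if __name__ == "__main__":
    for name, value, dst, dport in extract_headers(SAMPLE_PCAP):
        print(f"{name}: {value}  (to {dst}:{dport})")
```

Two things this makes visible that the one-liners hide: the duplicate Host line collapses to a single entry (the `sort | uniq` step), and a header that straddles a segment boundary is lost because there is no reassembly, which is exactly why the slides reach for tcpflow, whose per-connection output files are what `grep -a Subject *` reads.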
  • 3. tcpflow -r 00000030.pcap host 204.11.246.48
    grep GET *
    View the response:
    head 204.011.246.048.00080-172.030.001.100.60176
  • 4. foremost -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T
    gunzip -d 00000000.gz
    firefox 00000000
    Answer: October 6-7, 2011
  • 5. NetworkMiner solves it quickly.

    3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html
    NetworkMiner shows the files directly, but no VoIP traffic is found, so the next analysis step cannot continue.
  • 6. Switched to xplico; the xplico GUI does not work.
    usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
      -v version
      -c config file
      -h this help
      -i info of protocol prot
      -g display graph-tree of protocols
      -l print all log in the screen
      -m capture type module
    NOTE: parameters MUST respect this order!
    ./xplico -m pcap -f /root/Desktop/Evidence03.pcap
  • 7. IP 74.125.127.126 belongs to Google, so this is presumably a Google Chat VoIP call; try videosnarf to decode it.
    videosnarf: http://ucsniff.sourceforge.net/videosnarf.html
    root@bt:/usr/local/bin# videosnarf -h
    Starting videosnarf 0.63
    Usage: videosnarf [-i input pcap file] [-f filter expression]
    -i <input pcap file> (Mandatory) input pcap file
    -o <output file> (Optional) output base name file
    -f <filter expression> (Optional) pcap filter expression
    -k <g726 sample size> (Optional) G726 sameple size
  • 8. Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32
    Note: If there are 802.1Q headers in the RTP packet capture, please dont set the filter expression
    Example Usage:
    videosnarf -i inputfile.pcap
    videosnarf -i inputfile.pcap -f "udp dst port 25001"
    Answer: rom127#
  • 9. 4. DEFCON 2011 Network Forensics Puzzle: The Heist
    Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

    5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2
    http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html
    useonce@
    Opening the file, you can find the password: 8.4 oz- Red Bull
    Linux solution:
    tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
  • 10. tshark -r SMB.cap | grep "Create AndX Request"
    Use grep to find the files created over SMB.
    Extract the file. Since the file to extract is a 7z archive, first add a 7z format entry to tcpxtract.conf:
    echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf
    mv 00000000.p7z 00000000.7z
    Then just decompress it! Done
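Both foremost (slides 1, 2 and 4) and tcpxtract (slide 10) work the same way: scan a byte stream for known file-header signatures and write out whatever follows, up to a size limit or a footer. The following is an added example, not code from the slides nor from tcpxtract or foremost. It parses rules in the form of the slide's `p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);` line (the optional third footer field is an assumption made here, as are the gzip and PNG rules), then carves matching blobs out of a constructed byte stream.

```python
"""Signature-based carving driven by tcpxtract.conf-style rules.

Added example, not from the slides and not tcpxtract's or foremost's own code.
Rules look like `name(max_size, \\x..header[, \\x..footer]);`, the syntax of the
7z line the slides add to tcpxtract.conf (the optional footer is an assumption
made here). For every header hit the carver takes up to max_size bytes, or
through the footer when one is given and found. Config and stream are constructed.
"""
import re

RULE_RE = re.compile(r"^\s*(\w+)\s*\(\s*(\d+)\s*,\s*([^,)]+?)\s*(?:,\s*([^)]+?)\s*)?\)\s*;")


def decode_escapes(spec: str) -> bytes:
    """Turn '\\x37\\x7a...' into raw bytes; plain characters pass through unchanged."""
    text = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), spec)
    return text.encode("latin-1")


def parse_rules(conf: str):
    """Return [(name, max_size, header_bytes, footer_bytes_or_None), ...]."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])  # '#' starts a comment
        if m:
            name, max_size, header, footer = m.groups()
            rules.append((name, int(max_size), decode_escapes(header),
                          decode_escapes(footer) if footer else None))
    return rules


def carve(stream: bytes, rules):
    """Every header hit as (name, offset, carved_bytes), ordered by offset.

    Without a footer the carver cannot know where the file ends, so it takes
    max_size bytes (or the rest of the stream). That over-capture is why a
    carved .p7z can be much larger than the archive it contains.
    """
    hits = []
    for name, max_size, header, footer in rules:
        start = stream.find(header)
        while start != -1:
            end = min(len(stream), start + max_size)
            if footer is not None:
                f = stream.find(footer, start + len(header), end)
                if f != -1:
                    end = f + len(footer)
            hits.append((name, start, stream[start:end]))
            start = stream.find(header, start + 1)
    return sorted(hits, key=lambda h: h[1])


# --- constructed config: the 7z rule from the slides plus two rules added here ---
SAMPLE_CONF = r"""
# 7z archive: the six magic bytes 37 7A BC AF 27 1C, as on the slides
p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);
# gzip member header (constructed rule, no footer, small max_size)
gz(64, \x1f\x8b);
# PNG with its IEND chunk as footer, so the carved size is exact
png(1000, \x89PNG\x0d\x0a\x1a\x0a, IEND\xae\x42\x60\x82);
"""

# --- constructed stream: three fake files with real magic bytes, separated by noise ---
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xae\x42\x60\x82"
SEVENZ = b"\x37\x7a\xbc\xaf\x27\x1c" + b"\x00\x04" + b"A" * 40
GZ = b"\x1f\x8b\x08\x00" + b"B" * 30
SAMPLE_STREAM = b"noise-" + PNG + b"--" + SEVENZ + b"\x00" * 10 + GZ + b"tail"

if __name__ == "__main__":
    for name, off, data in carve(SAMPLE_STREAM, parse_rules(SAMPLE_CONF)):
        print(f"{name} at offset {off}: {len(data)} bytes")
```

Two practical notes. The PNG rule carves exactly 36 bytes because its footer is found; the 7z rule has no footer, so it carves to the end of the stream, which is the behaviour behind the large `.p7z` the slides simply rename to `.7z`. And the slide's `echo ... > /etc/tcpxtract.conf` replaces the whole config with that one rule; appending with `>>` would keep tcpxtract's default signatures alongside the 7z entry.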
