Defcon 2011 network forensics write-up


  1. DEFCON 2011 Network Forensics
     Author: hip@insight-labs.org

     1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made
     http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html

     strings Evidence01.pcap | grep -i company

     Search for the keyword "company" with grep.
     Answer: Factory-Made-Winning-Pharmaceuticals

     2. DEFCON 2011 Network Forensics Puzzle: Inception
     http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html

     The traffic is mail, so the answer can be guessed from the Subject line.

     tcpflow -r Evidence02.pcap    (-r: read packets from tcpdump output file)
     grep -a Subject *             (-a, --text: equivalent to --binary-files=text)

     foremost, a file carving/recovery tool:
     http://adityo.blog.binusian.org/?p=231
     http://www.irongeek.com/i.php?page=backtrack-3-man/foremost
     http://www.youtube.com/watch?v=TmWLsufNiUQ

     cat /etc/foremost.conf
  2. foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
     file 00000030.pcap

     List every host in the carved capture:

     tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
  3. tcpflow -r 00000030.pcap host 204.11.246.48
     grep GET *

     Check the response headers in 204.011.246.048.00080-172.030.001.100.60176
  4. -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T
     gunzip -d 00000000.gz
     firefox 00000000

     Answer: October 6-7, 2011
  5. NetworkMiner solves it quickly.

     3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?
     http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html

     NetworkMiner shows the File directly.
     The VoIP call cannot be found, so the next step of the analysis cannot continue.
  6. Switched to xplico; the xplico GUI does not work.

     usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
       -v version
       -c config file
       -h this help
       -i info of protocol prot
       -g display graph-tree of protocols
       -l print all log in the screen
       -m capture type module
     NOTE: parameters MUST respect this order!

     ./xplico -m pcap -f /root/Desktop/Evidence03.pcap
  7. IP 74.125.127.126 belongs to Google, so this is presumably a Google Chat VoIP call,
     and videosnarf can be tried on it.

     videosnarf
     http://ucsniff.sourceforge.net/videosnarf.html

     root@bt:/usr/local/bin# videosnarf -h
     Starting videosnarf 0.63
     Usage: videosnarf [-i input pcap file] [-f filter expression]
     -i <input pcap file> (Mandatory) input pcap file
     -o <output file> (Optional) output base name file
     -f <filter expression> (Optional) pcap filter expression
     -k <g726 sample size> (Optional) G726 sameple size
  8. Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32
     Note: If there are 802.1Q headers in the RTP packet capture, please dont set the filter expression
     Example Usage:
     videosnarf -i inputfile.pcap
     videosnarf -i inputfile.pcap -f "udp dst port 25001"

     Answer: rom127#
  9. 4. DEFCON 2011 Network Forensics Puzzle: The Heist
     Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

     5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2
     http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html
     useonce@
     Opening the file, you can find the password: 8.4 oz- Red Bull

     Linux solution:

     tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
  10. tshark -r SMB.cap | grep "Create AndX Request"

      Use grep to find the files created over SMB, then extract the file.
      Since the file to extract is a 7z archive, a 7z format entry must first be added to tcpxtract.conf:

      echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf
      mv 00000000.p7z 00000000.7z

      Then just decompress it. Done
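The tcpxtract entry above carves on the 7z signature alone with a large maximum size. As an added example that is not part of the slides, the Python below finds the same 37 7a bc af 27 1c magic in a reassembled stream but takes the archive's exact length from the 7z start header and checks its CRC, so a stray signature match in unrelated bytes is skipped. The input is a constructed byte stream, not the contest capture.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 37 7a bc af 27 1c, the signature used in tcpxtract.conf
START_HEADER_LEN = 32  # signature(6) + version(2) + StartHeaderCRC(4) + NextHeaderOffset(8) + NextHeaderSize(8) + NextHeaderCRC(4)


def build_7z_blob(packed: bytes, header: bytes) -> bytes:
    """Constructed test data: a 7z signature header wrapped around opaque packed/header bytes."""
    tail = struct.pack("<QQI", len(packed), len(header), zlib.crc32(header) & 0xFFFFFFFF)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF  # StartHeaderCRC covers the 20 bytes that follow it
    return SEVENZ_MAGIC + b"\x00\x04" + struct.pack("<I", start_crc) + tail + packed + header


def carve_7z(stream: bytes, max_size: int = 100_000_000) -> list:
    """Return (offset, bytes) for each 7z archive in a reassembled stream.

    The archive length is read from the start header (32 + NextHeaderOffset + NextHeaderSize)
    and StartHeaderCRC is verified, so a stray signature in unrelated data is skipped.
    """
    found = []
    pos = stream.find(SEVENZ_MAGIC)
    while pos != -1:
        hdr = stream[pos:pos + START_HEADER_LEN]
        if len(hdr) == START_HEADER_LEN:
            start_crc, next_off, next_size = struct.unpack_from("<IQQ", hdr, 8)
            total = START_HEADER_LEN + next_off + next_size
            crc_ok = (zlib.crc32(hdr[12:32]) & 0xFFFFFFFF) == start_crc
            if crc_ok and total <= max_size and pos + total <= len(stream):
                found.append((pos, stream[pos:pos + total]))
                pos = stream.find(SEVENZ_MAGIC, pos + total)
                continue
        pos = stream.find(SEVENZ_MAGIC, pos + 1)
    return found


# Constructed sample stream: filler standing in for SMB payload, a decoy signature
# with an invalid start header, then a real (structurally valid) 76-byte archive.
ARCHIVE = build_7z_blob(b"\x00" * 40, b"\x01\x04\x06\x00")
DECOY = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24
SAMPLE_STREAM = b"\xffSMB" + b"A" * 100 + DECOY + b"B" * 20 + ARCHIVE + b"C" * 50


def carve_sample() -> list:
    """Carve the constructed stream; expected: one archive at offset 156, 76 bytes long."""
    return carve_7z(SAMPLE_STREAM)


if __name__ == "__main__":
    for off, blob in carve_sample():
        print(f"7z archive at offset {off}, {len(blob)} bytes")
```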
