Defcon 2011 network forensics write-up

DEFCON 2011 Network Forensics
Author: hip@insight-labs.org

1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defcon2011contest-round1.html
strings Evidence01.pcap | grep -i company
Search the printable strings of the capture for the keyword "company" with grep.
Answer: Factory-Made-Winning-Pharmaceuticals

2. DEFCON 2011 Network Forensics Puzzle: Inception
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defcon2011contest-round2.html
Mail is being sent, so guess that the answer is in the Subject header.
tcpflow -r Evidence02.pcap    (-r: read packets from tcpdump output file)
grep -a Subject *             (-a, --text: equivalent to --binary-files=text)
foremost, a file recovery (carving) tool:
http://adityo.blog.binusian.org/?p=231
http://www.irongeek.com/i.php?page=backtrack-3-man/foremost
http://www.youtube.com/watch?v=TmWLsufNiUQ
cat /etc/foremost.conf

foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080
file 00000030.pcap
List all hosts inside the carved capture:
tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq

tcpflow -r 00000030.pcap host 204.11.246.48
grep GET *
View the response:
head 204.011.246.048.00080-172.030.001.100.60176

foremost -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T
gunzip -d 00000000.gz
firefox 00000000
Answer: October 6-7, 2011

Quick solution: NetworkMiner.

3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defcon2011contest-round3.html
NetworkMiner shows the file directly, but no VoIP session is found, so the next step of the analysis cannot continue there.

Switched to xplico; the xplico GUI does not work, so use the command line:
usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module>
    -v version
    -c config file
    -h this help
    -i info of protocol prot
    -g display graph-tree of protocols
    -l print all log in the screen
    -m capture type module
    NOTE: parameters MUST respect this order!
./xplico -m pcap -f /root/Desktop/Evidence03.pcap

IP 74.125.127.126 belongs to Google, so we can guess this is a Google Chat VoIP call and try videosnarf to decode it.
videosnarf: http://ucsniff.sourceforge.net/videosnarf.html
root@bt:/usr/local/bin# videosnarf -h
Starting videosnarf 0.63
Usage: videosnarf [-i input pcap file] [-f filter expression]
-i <input pcap file> (Mandatory) input pcap file
-o <output file> (Optional) output base name file
-f <filter expression> (Optional) pcap filter expression
-k <g726 sample size> (Optional) G726 sameple size
Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32
Note: If there are 802.1Q headers in the RTP packet capture, please dont set the filter expression
Example Usage:
videosnarf -i inputfile.pcap
videosnarf -i inputfile.pcap -f "udp dst port 25001"
Answer: rom127#

4. DEFCON 2011 Network Forensics Puzzle: The Heist
Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson

5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2
http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defcon2011contest-round5.html
useonce@
Opening the file, you can find the password: 8.4 oz- Red Bull
Linux solution:
tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
tshark -r SMB.cap | grep "Create AndX Request"
Use grep to find the files created over SMB.
Extract the file: since the file to extract is a 7z archive, first add a 7z format entry (the 7z magic bytes 37 7A BC AF 27 1C) to tcpxtract.conf:
echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf
mv 00000000.p7z 00000000.7z
Then just decompress it! Done
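To show what the tcpxtract rule on the last slide actually does, here is an added Python example that is not part of the original write-up: it parses a tcpxtract.conf-style rule (name(max_size, signature[, footer]);), carves every occurrence of the signature out of a reassembled byte stream, and then checks a carved 7z start header against its own CRC32 so that a six-byte magic match inside unrelated data is not mistaken for an archive. The byte stream is constructed inline (an empty 7z start header between junk bytes), not taken from the contest capture.

```python
import re
import struct
import zlib

SEVEN_Z_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
# tcpxtract.conf rule syntax: name(max_size, header_signature[, footer_signature]);
RULE_RE = re.compile(r"^\s*(\w+)\s*\(\s*(\d+)\s*,\s*([^,)]+)(?:,\s*([^)]+))?\)\s*;")

def parse_rule(line):
    """Parse one tcpxtract.conf line into (name, max_size, header, footer-or-None)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("bad tcpxtract rule: %r" % line)
    name, max_size, header, footer = m.groups()
    to_bytes = lambda s: bytes.fromhex(s.strip().replace("\\x", ""))
    return name, int(max_size), to_bytes(header), (to_bytes(footer) if footer else None)

def carve(data, rule):
    """Return (offset, blob) for each header hit; a blob ends at the footer if one is
    given and found, otherwise after max_size bytes (what tcpxtract's size field means)."""
    _name, max_size, header, footer = rule
    hits = []
    pos = data.find(header)
    while pos != -1:
        end = pos + max_size
        if footer is not None:
            f = data.find(footer, pos + len(header), end)
            if f != -1:
                end = f + len(footer)
        hits.append((pos, data[pos:end]))
        pos = data.find(header, pos + 1)
    return hits

def is_valid_7z(blob):
    """7z start header = 6 magic bytes, 2 version bytes, then CRC32 (LE) of the
    following 20 bytes (NextHeaderOffset, NextHeaderSize, NextHeaderCRC)."""
    if len(blob) < 32 or blob[:6] != SEVEN_Z_MAGIC:
        return False
    stored_crc = struct.unpack("<I", blob[8:12])[0]
    return (zlib.crc32(blob[12:32]) & 0xFFFFFFFF) == stored_crc

def build_sample_stream():
    """Constructed test data: junk, a minimal (empty-archive) 7z start header, junk."""
    tail = struct.pack("<QQI", 0, 0, 0)          # empty archive: no next header
    crc = struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF)
    header = SEVEN_Z_MAGIC + b"\x00\x04" + crc + tail
    return b"SMB junk " * 4 + header + b" trailing bytes"

if __name__ == "__main__":
    rule = parse_rule(r"p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);")
    for off, blob in carve(build_sample_stream(), rule):
        print("hit at offset %d, valid 7z header: %s" % (off, is_valid_7z(blob)))
```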