SlideShare a Scribd company logo

Defcon 2011 network forensics 解题记录

I
insight-labs

This document discusses network forensics puzzles from DEFCON 2011. It provides instructions and solutions for 5 puzzles involving analyzing packet captures to find hidden clues and passwords. Key steps included using tools like tcpdump, tcpflow, foremost, grep, and NetworkMiner to extract files and identify hosts, protocols, and network activity that revealed the solutions.

1 of 10
Download to read offline
DEFCON 2011 Network Forensics Author: hip@insight-labs.org 1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defco n2011contest-round1.html strings Evidence01.pcap | grep -i company 透过 grep 收寻 company 关键词 Answer: Factory-Made-Winning-Pharmaceuticals 2. DEFCON 2011 Network Forensics Puzzle: Inception http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defco n2011contest-round2.html 寄信可以猜 Subject tcpflow -r Evidence02.pcap (-r: read packets from tcpdump output file ) grep -a Subject * -a, --text equivalent to --binary- files=text foremost 文件还原工具 http://adityo.blog.binusian.org/?p=231 http://www.irongeek.com/i.php?page=backtrack-3-man/foremost http://www.youtube.com/watch?v=TmWLsufNiUQ cat /etc/foremost.conf
foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080 file 00000030.pcap 列出封包内所有 host tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
tcpflow -r 00000030.pcap host 204.11.246.48 grep GET * 查看 respone head 204.011.246.048.00080-172.030.001.100.60176
-c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T / gunzip -d 00000000.gz firefox 00000000 Answer: October 6-7, 2011
NetworkMiner 快速解 3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training? http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defco n2011contest-round3.html NetworkMiner 可以直接看到 File 找不到 voip 所以无法继续下一步分析
改用 xplico , xplico GUI 不 work usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module> -v version -c config file -h this help -i info of protocol 'prot' -g display graph-tree of protocols -l print all log in the screen -m capture type module NOTE: parameters MUST respect this order! ./xplico -m pcap -f /root/Desktop/Evidence03.pcap
ip 74.125.127.126 是 google 的 所以可以猜到是用 googlechat voip call 所以可以用 videosnarf 来解看看 videosnarf http://ucsniff.sourceforge.net/videosnarf.html root@bt:/usr/local/bin# videosnarf -h Starting videosnarf 0.63 Usage: videosnarf [-i input pcap file] [-f filter expression] -i <input pcap file> (Mandatory) input pcap file -o <output file> (Optional) output base name file -f <filter expression> (Optional) pcap filter expression -k <g726 sample size> (Optional) G726 sameple size
Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32 Note: If there are 802.1Q headers in the RTP packet capture, please don't set the filter expression Example Usage: videosnarf -i inputfile.pcap videosnarf -i inputfile.pcap -f "udp dst port 25001" Answer: rom127#
4. DEFCON 2011 Network Forensics Puzzle: The Heist Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson 5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2 http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defco n2011contest-round5.html useonce@ Opening the file, you can find the password : 8.4 oz- Red Bull Linux 解 tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
tshark -r SMB.cap |grep "Create AndX Request" 用 grep 找透过 SMB 建立档案 提取檔案 因为要提取的是 7z 檔 所以要先加入一段 7z 的 format 到 tcpxtract.conf echo "p7z(100000000, x37x7axbcxafx27x1c);" > /etc/tcpxtract.conf mv 00000000.p7z 00000000.7z 接下来就是解压缩! Done

Recommended

Streams for the Web
Streams for the WebStreams for the Web
Streams for the Web
Domenic Denicola
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Shinya Takamaeda-Y
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development tools
Peter Haase
 
Low Overhead System Tracing with eBPF
Low Overhead System Tracing with eBPFLow Overhead System Tracing with eBPF
Low Overhead System Tracing with eBPF
Akshay Kapoor
 
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
NECST Lab @ Politecnico di Milano
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
Andriy Berestovskyy
 
Demystify eBPF JIT Compiler
Demystify eBPF JIT CompilerDemystify eBPF JIT Compiler
Demystify eBPF JIT Compiler
Netronome
 

Recommended

Streams for the Web
Streams for the WebStreams for the Web
Streams for the Web
Domenic Denicola
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Shinya Takamaeda-Y
 
Mod06 new development tools
Mod06 new development toolsMod06 new development tools
Mod06 new development tools
Peter Haase
 
Low Overhead System Tracing with eBPF
Low Overhead System Tracing with eBPFLow Overhead System Tracing with eBPF
Low Overhead System Tracing with eBPF
Akshay Kapoor
 
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
NECST Lab @ Politecnico di Milano
 
The Spectre of Meltdowns
The Spectre of MeltdownsThe Spectre of Meltdowns
The Spectre of Meltdowns
Andriy Berestovskyy
 
Demystify eBPF JIT Compiler
Demystify eBPF JIT CompilerDemystify eBPF JIT Compiler
Demystify eBPF JIT Compiler
Netronome
 
eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
Netronome
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017
Andriy Berestovskyy
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
Kazushi Yamashina
 
Device-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded SystemsDevice-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded Systems
emBO_Conference
 
Happy porting x86 application to android
Happy porting x86 application to androidHappy porting x86 application to android
Happy porting x86 application to android
Owen Hsu
 
eBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current TechniqueseBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current Techniques
Netronome
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
sanghwan ahn
 
Custard pi 7 user information
Custard pi 7 user informationCustard pi 7 user information
Custard pi 7 user information
Seggy Segaran
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
Kazushi Yamashina
 
Internet Archive Video Presentation
Internet Archive Video Presentation Internet Archive Video Presentation
Internet Archive Video Presentation
tracey jaquith
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Virtual Machine for Regular Expressions
Virtual Machine for Regular ExpressionsVirtual Machine for Regular Expressions
Virtual Machine for Regular Expressions
Alexander Yakushev
 
Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!
Ivan Chernoff
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
艾鍗科技
 
Crushing Latency with Vert.x
Crushing Latency with Vert.xCrushing Latency with Vert.x
Crushing Latency with Vert.x
Paulo Lopes
 
Root cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; pythonRoot cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; python
Pavel Rogovoy
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with Juju
J.J. Ciarlante
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
Min-Yih Hsu
 
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
DevOpsDays Tel Aviv
 
tit
tittit
tit
Christian Heinrich
 

More Related Content

What's hot

eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
Netronome
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017
Andriy Berestovskyy
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
Kazushi Yamashina
 
Device-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded SystemsDevice-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded Systems
emBO_Conference
 
Happy porting x86 application to android
Happy porting x86 application to androidHappy porting x86 application to android
Happy porting x86 application to android
Owen Hsu
 
eBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current TechniqueseBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current Techniques
Netronome
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
sanghwan ahn
 
Custard pi 7 user information
Custard pi 7 user informationCustard pi 7 user information
Custard pi 7 user information
Seggy Segaran
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
Kazushi Yamashina
 
Internet Archive Video Presentation
Internet Archive Video Presentation Internet Archive Video Presentation
Internet Archive Video Presentation
tracey jaquith
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshopjvehent
 
Virtual Machine for Regular Expressions
Virtual Machine for Regular ExpressionsVirtual Machine for Regular Expressions
Virtual Machine for Regular Expressions
Alexander Yakushev
 
Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!
Ivan Chernoff
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
艾鍗科技
 
Crushing Latency with Vert.x
Crushing Latency with Vert.xCrushing Latency with Vert.x
Crushing Latency with Vert.x
Paulo Lopes
 
Root cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; pythonRoot cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; python
Pavel Rogovoy
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with Juju
J.J. Ciarlante
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
Min-Yih Hsu
 

What's hot (20)

eBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging InfrastructureeBPF Tooling and Debugging Infrastructure
eBPF Tooling and Debugging Infrastructure
 
Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017Why my network does not work? Networking Quiz 2017
Why my network does not work? Networking Quiz 2017
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
 
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
FPGAを用いた処理のロボット向けコンポーネントの設計生産性評価
 
Device-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded SystemsDevice-specific Clang Tooling for Embedded Systems
Device-specific Clang Tooling for Embedded Systems
 
Happy porting x86 application to android
Happy porting x86 application to androidHappy porting x86 application to android
Happy porting x86 application to android
 
eBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current TechniqueseBPF Debugging Infrastructure - Current Techniques
eBPF Debugging Infrastructure - Current Techniques
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
 
Custard pi 7 user information
Custard pi 7 user informationCustard pi 7 user information
Custard pi 7 user information
 
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component cReComp : Automated Design Tool for ROS-Compliant FPGA Component
cReComp : Automated Design Tool for ROS-Compliant FPGA Component
 
Internet Archive Video Presentation
Internet Archive Video Presentation Internet Archive Video Presentation
Internet Archive Video Presentation
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Virtual Machine for Regular Expressions
Virtual Machine for Regular ExpressionsVirtual Machine for Regular Expressions
Virtual Machine for Regular Expressions
 
Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!Pipfile, pipenv, pip… what?!
Pipfile, pipenv, pip… what?!
 
Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取Raspberry Pi I/O控制與感測器讀取
Raspberry Pi I/O控制與感測器讀取
 
Crushing Latency with Vert.x
Crushing Latency with Vert.xCrushing Latency with Vert.x
Crushing Latency with Vert.x
 
Root cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; pythonRoot cause analysis with e bpf &amp; python
Root cause analysis with e bpf &amp; python
 
Deploying Prometheus stacks with Juju
Deploying Prometheus stacks with JujuDeploying Prometheus stacks with Juju
Deploying Prometheus stacks with Juju
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
[COSCUP 2021] LLVM Project: The Good, The Bad, and The Ugly
 

Similar to Defcon 2011 network forensics 解题记录

Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
DevOpsDays Tel Aviv
 
tit
tittit
tit
Christian Heinrich
 
Software Quality Assurance Tooling 2023
Software Quality Assurance Tooling 2023Software Quality Assurance Tooling 2023
Software Quality Assurance Tooling 2023
Henry Schreiner
 
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
InfluxData
 
Software development practices in python
Software development practices in pythonSoftware development practices in python
Software development practices in python
Jimmy Lai
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
lcplcp1
 
Systemtap
SystemtapSystemtap
SystemtapFeng Yu
 
UM2019 Extended BPF: A New Type of Software
UM2019 Extended BPF: A New Type of SoftwareUM2019 Extended BPF: A New Type of Software
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
Rust & Python : Python WA October meetup
Rust & Python : Python WA October meetupRust & Python : Python WA October meetup
Rust & Python : Python WA October meetup
John Vandenberg
 
Prepare for PHP Test Fest 2009
Prepare for PHP Test Fest 2009Prepare for PHP Test Fest 2009
Prepare for PHP Test Fest 2009
PHPBelgium
 
OSN days 2019 - Open Networking and Programmable Switch
OSN days 2019 - Open Networking and Programmable SwitchOSN days 2019 - Open Networking and Programmable Switch
OSN days 2019 - Open Networking and Programmable Switch
Chun Ming Ou
 
Node Interactive Debugging Node.js In Production
Node Interactive Debugging Node.js In ProductionNode Interactive Debugging Node.js In Production
Node Interactive Debugging Node.js In Production
Yunong Xiao
 
2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Herokuronnywang_tw
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
faker1842002
 
BioMake BOSC 2004
BioMake BOSC 2004BioMake BOSC 2004
BioMake BOSC 2004
Chris Mungall
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
emBO_Conference
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and DevelopmentBeyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Zach Pfeffer
 
Mcollective introduction
Mcollective introductionMcollective introduction
Mcollective introduction
Javier Turégano Molina
 
Princeton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance ToolingPrinceton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance Tooling
Henry Schreiner
 

Similar to Defcon 2011 network forensics 解题记录 (20)

Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
Pcapy and dpkt - tcpdump on steroids - Ran Leibman - DevOpsDays Tel Aviv 2018
 
tit
tittit
tit
 
Software Quality Assurance Tooling 2023
Software Quality Assurance Tooling 2023Software Quality Assurance Tooling 2023
Software Quality Assurance Tooling 2023
 
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
DISTRIBUTED PERFORMANCE ANALYSIS USING INFLUXDB AND THE LINUX EBPF VIRTUAL MA...
 
Software development practices in python
Software development practices in pythonSoftware development practices in python
Software development practices in python
 
Performance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux KernelPerformance Analysis Tools for Linux Kernel
Performance Analysis Tools for Linux Kernel
 
Systemtap
SystemtapSystemtap
Systemtap
 
UM2019 Extended BPF: A New Type of Software
UM2019 Extended BPF: A New Type of SoftwareUM2019 Extended BPF: A New Type of Software
UM2019 Extended BPF: A New Type of Software
 
Rust & Python : Python WA October meetup
Rust & Python : Python WA October meetupRust & Python : Python WA October meetup
Rust & Python : Python WA October meetup
 
Prepare for PHP Test Fest 2009
Prepare for PHP Test Fest 2009Prepare for PHP Test Fest 2009
Prepare for PHP Test Fest 2009
 
OSN days 2019 - Open Networking and Programmable Switch
OSN days 2019 - Open Networking and Programmable SwitchOSN days 2019 - Open Networking and Programmable Switch
OSN days 2019 - Open Networking and Programmable Switch
 
Node Interactive Debugging Node.js In Production
Node Interactive Debugging Node.js In ProductionNode Interactive Debugging Node.js In Production
Node Interactive Debugging Node.js In Production
 
2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku2012 coscup - Build your PHP application on Heroku
2012 coscup - Build your PHP application on Heroku
 
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdfPentesting111111 Cheat Sheet_OSCP_2023.pdf
Pentesting111111 Cheat Sheet_OSCP_2023.pdf
 
BioMake BOSC 2004
BioMake BOSC 2004BioMake BOSC 2004
BioMake BOSC 2004
 
Profiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf ToolsProfiling your Applications using the Linux Perf Tools
Profiling your Applications using the Linux Perf Tools
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and DevelopmentBeyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
Beyond printk: Efficient Zynq UltraScale+ MPSoC Linux Debugging and Development
 
Mcollective introduction
Mcollective introductionMcollective introduction
Mcollective introduction
 
Princeton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance ToolingPrinceton Wintersession: Software Quality Assurance Tooling
Princeton Wintersession: Software Quality Assurance Tooling
 

Recently uploaded

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Defcon 2011 network forensics 解题记录

  • 1. DEFCON 2011 Network Forensics Author: hip@insight-labs.org 1. DEFCON 2011 Network Forensics Puzzle: A Deal Is Made http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round1/defco n2011contest-round1.html strings Evidence01.pcap | grep -i company 透过 grep 收寻 company 关键词 Answer: Factory-Made-Winning-Pharmaceuticals 2. DEFCON 2011 Network Forensics Puzzle: Inception http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round2/defco n2011contest-round2.html 寄信可以猜 Subject tcpflow -r Evidence02.pcap (-r: read packets from tcpdump output file ) grep -a Subject * -a, --text equivalent to --binary- files=text foremost 文件还原工具 http://adityo.blog.binusian.org/?p=231 http://www.irongeek.com/i.php?page=backtrack-3-man/foremost http://www.youtube.com/watch?v=TmWLsufNiUQ cat /etc/foremost.conf
  • 2. foremost -c /etc/foremost.conf -i 172.030.001.100.51805-205.188.192.001.00080 file 00000030.pcap 列出封包内所有 host tcpdump -nn -r 00000030.pcap -A -s0 port 80 | grep Host | sort | uniq
  • 3. tcpflow -r 00000030.pcap host 204.11.246.48 grep GET * 查看 respone head 204.011.246.048.00080-172.030.001.100.60176
  • 4. -c /usr/local/etc/foremost.conf -i 204.011.246.048.00080-172.030.001.100.60176 -T / gunzip -d 00000000.gz firefox 00000000 Answer: October 6-7, 2011
  • 5. NetworkMiner 快速解 3. DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training? http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round3/defco n2011contest-round3.html NetworkMiner 可以直接看到 File 找不到 voip 所以无法继续下一步分析
  • 6. 改用 xplico , xplico GUI 不 work usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i <prot>] -m <capute_module> -v version -c config file -h this help -i info of protocol 'prot' -g display graph-tree of protocols -l print all log in the screen -m capture type module NOTE: parameters MUST respect this order! ./xplico -m pcap -f /root/Desktop/Evidence03.pcap
  • 7. ip 74.125.127.126 是 google 的 所以可以猜到是用 googlechat voip call 所以可以用 videosnarf 来解看看 videosnarf http://ucsniff.sourceforge.net/videosnarf.html root@bt:/usr/local/bin# videosnarf -h Starting videosnarf 0.63 Usage: videosnarf [-i input pcap file] [-f filter expression] -i <input pcap file> (Mandatory) input pcap file -o <output file> (Optional) output base name file -f <filter expression> (Optional) pcap filter expression -k <g726 sample size> (Optional) G726 sameple size
  • 8. Note: sample size could be either 2, 3, 4, 5 bits for 16,24,32 and 40 kbits/s. The default Kbit/s will be 32 Note: If there are 802.1Q headers in the RTP packet capture, please don't set the filter expression Example Usage: videosnarf -i inputfile.pcap videosnarf -i inputfile.pcap -f "udp dst port 25001" Answer: rom127#
  • 9. 4. DEFCON 2011 Network Forensics Puzzle: The Heist Scrolling down to the 16th line inside the XLS file, you get the answer: Jason Wilson 5. DEFCON 2011 Network Forensics Puzzle: The Heist Part 2 http://forensicscontest.com/contest09/spoilers/2011-Defcon-Contest-Round5/defco n2011contest-round5.html useonce@ Opening the file, you can find the password : 8.4 oz- Red Bull Linux 解 tcpdump -s0 -r Evidence05.pcap -w SMB.cap port 445
  • 10. tshark -r SMB.cap |grep "Create AndX Request" 用 grep 找透过 SMB 建立档案 提取檔案 因为要提取的是 7z 檔 所以要先加入一段 7z 的 format 到 tcpxtract.conf echo "p7z(100000000, x37x7axbcxafx27x1c);" > /etc/tcpxtract.conf mv 00000000.p7z 00000000.7z 接下来就是解压缩! Done