itb - network forensics investigation
Post on 31-Jan-2016
Network Forensics Investigation
Cyber Crime Investigation
Adjonyo .J. Noah
B00065764
Masters In Computing BN518: Network Security and Digital Forensics (Fulltime)
10-May 2013
Noah J. Adjonyo, Institute of Technology Blanchardstown
1. Analysis of portscan.cap file
1.1. What ports are open?
Method: The cap file was opened in NetworkMiner, whose tabs showed
65300 sessions, 5 hosts and over 13000 frames.
~I opened the Sessions tab and noticed the source IP address
192.168.223.172.
~Using that source IP address I looked for more details attached to
192.168.223.172 as a source.
~There was far too much data to check under the Sessions tab and the Frames tab.
~I opened the Hosts tab and searched for that host.
~Under the IP address 192.168.223.172 the "Open TCP ports" are listed:
5900 22 139 23 80 53 25 445 21 111 3306 6667 59563 512 513
1099 52878 6000 43607 8787 514 2049 8009 3632 5432 6697 8180
2121 1524 56166.
~Some of the port numbers were familiar; most were completely
unfamiliar, so in order to understand how they function I looked them up in the
IANA service names and port numbers registry.
~Caveat: NetworkMiner derives "open" ports from the captured traffic (a port
counts as open when the host is seen answering a probe with SYN/ACK), so the
list reflects what the scan elicited during the capture, not a live enumeration of
every listener on the host.
Tools used: NetworkMiner
Answer: Open TCP ports are: 5900 22 139 23 80 53 25 445 21 111 3306
6667 59563 512 513 1099 52878 6000 43607 8787 514 2049 8009 3632
5432 6697 8180 2121 1524 56166
Open TCP ports in numerical order are as follows:

No.  Port   Name/Protocol          Short description
1    21     ftp                    File Transfer Protocol (control channel)
2    22     ssh                    Secure Shell
3    23     telnet                 Telnet
4    25     smtp                   Simple Mail Transfer Protocol
5    53     domain                 Domain Name System
6    80     http                   Hypertext Transfer Protocol
7    111    sunrpc                 Sun Remote Procedure Call (portmapper)
8    139    netbios-ssn            NetBIOS Session Service
9    445    microsoft-ds           Microsoft Directory Services (SMB over TCP)
10   512    exec / comsat (biff)   Remote process execution (TCP); comsat/biff is used by the mail system (UDP)
11   513    login / who            Remote login, rlogin (TCP); who maintains the database of who is logged in (UDP)
12   514    shell                  Remote shell, rsh (TCP); syslog on UDP
13   1099   rmiregistry            Java Remote Method Invocation registry
14   1524   ingreslock             Ingres lock service
15   2049   nfs                    Network File System
16   2121   scientia-ssdb          IANA-registered name for this port
17   3306   mysql                  MySQL database
18   3632   distcc                 Distributed C/C++ compilation
19   5432   postgresql             PostgreSQL database
20   5900   rfb                    Remote Framebuffer (VNC)
21   6000   x11                    X Window System
22   6667   ircd                   Internet Relay Chat
23   6697   (unassigned)           Unofficially IRC over SSL/TLS
24   8009   (unassigned)           SANS lists netware-rmgr; in practice commonly AJP13 (Apache JServ Protocol)
25   8180   (unassigned)
26   8787   msgsrvr                Message Server
27   43607  (unassigned)
28   52878  (dynamic/private)      Dynamic and/or private port range
29   56166  (dynamic/private)      Dynamic and/or private port range
30   59563  (dynamic/private)      Dynamic and/or private port range

Ports 52878, 56166 and 59563 fall in the dynamic/private range (49152-65535),
which the IANA registry also annotates as used for Apple Xsan filesystem access.
Because 111 (portmapper) and 2049 (NFS) are open on the same host, high-numbered
listeners such as these are often RPC services that were assigned a port at
start-up; a portmapper dump in the capture (the reply to rpcinfo -p) would confirm
which service sits behind each of them.
There were 30 open ports.
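NetworkMiner's "Open TCP ports" list is inferred from the three-way handshake: a SYN toward the host answered by SYN/ACK means a listener, an RST means a closed port, and silence means filtered or dropped. The following stand-alone Python script (an added example, not part of the original report or of NetworkMiner) reproduces that inference over a pcap using only the standard library. The pcap is constructed in code; the scanner address 192.168.223.1, the probed ports and the timestamps are assumptions for the example, and only the target address 192.168.223.172 comes from the report.

```python
import struct

SCANNER = "192.168.223.1"      # assumed scanner address (not from the report)
TARGET = "192.168.223.172"     # target host named in the report

SYN, SYNACK, RSTACK = 0x02, 0x12, 0x14


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not needed for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture of a SYN scan: 3 open, 2 closed, 1 silent port, 1 stray SYN/ACK."""
    frames = []
    for port in (21, 22, 80):                       # open: SYN answered by SYN/ACK
        frames.append(_tcp_frame(SCANNER, TARGET, 40000 + port, port, SYN))
        frames.append(_tcp_frame(TARGET, SCANNER, port, 40000 + port, SYNACK))
    for port in (23, 25):                           # closed: SYN answered by RST/ACK
        frames.append(_tcp_frame(SCANNER, TARGET, 40000 + port, port, SYN))
        frames.append(_tcp_frame(TARGET, SCANNER, port, 40000 + port, RSTACK))
    frames.append(_tcp_frame(SCANNER, TARGET, 40053, 53, SYN))          # no answer at all
    frames.append(_tcp_frame(TARGET, SCANNER, 443, 40443, SYNACK))      # SYN/ACK with no probe: ignore
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)     # global header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f     # record header: ts_sec, ts_usec, caplen, len
    return out


def iter_pcap(data):
    """Yield raw frames from classic pcap bytes, honouring the magic number's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def classify_ports(pcap_bytes, host):
    """Classify probed ports on `host` from handshake behaviour, as NetworkMiner/Nmap do."""
    pending = {}                     # (scanner, sport, dport) -> dport, for SYNs sent to host
    opened, closed, answered = set(), set(), set()
    for frame in iter_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        if dst == host and (flags & 0x12) == 0x02:          # SYN without ACK: a probe
            pending[(src, sport, dport)] = dport
        elif src == host and (dst, dport, sport) in pending:  # reply matching a seen probe
            answered.add((dst, dport, sport))
            if (flags & 0x12) == 0x12:                       # SYN/ACK: listener present
                opened.add(sport)
            elif flags & 0x04:                               # RST: port closed
                closed.add(sport)
    unanswered = {d for k, d in pending.items() if k not in answered}
    return {"open": sorted(opened), "closed": sorted(closed),
            "no_response": sorted(unanswered - opened - closed)}


if __name__ == "__main__":
    print(classify_ports(build_sample_pcap(), TARGET))
```

Feeding a real capture is a matter of `classify_ports(open("portscan.cap", "rb").read(), "192.168.223.172")`; the script deliberately ignores a SYN/ACK for which no probe was captured, which is the difference between "this host replied to a scan" and "somebody injected a reply".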
2. Analysis of deep.cap file
2.1. Opened the file in Wireshark
Method: Opened the file in Wireshark; every frame was shown as plain
802.11, and there was no way to tell which higher-level protocols were
present or to extract any file from them.
The Protocol column showing 802.11 for all 208428 frames
suggests that the network card was used in monitor mode and captured
raw IEEE 802.11 traffic, and that the data frames are encrypted (the
Protected Frame bit in the Frame Control field is set, so Wireshark
cannot dissect the payload).
On that realisation it was clear I needed to decrypt the capture.
From previous knowledge Aircrack-ng was the best bet for decrypting
the capture.
Used aircrack-ng to analyse the IVs and recover the WEP key
28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 (13 bytes, i.e. 104-bit WEP)
with the command
aircrack-ng deep.cap
Having recovered the key I ran
airdecap-ng -w 28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 deep.cap
which writes the decrypted frames to deep-dec.cap; with that file open,
far more information was viewable in Wireshark and NetworkMiner.
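What airdecap-ng does with that key, as an added example that is not part of the original report or of the Aircrack-ng suite: WEP seeds RC4 with the 24-bit per-frame IV followed by the key, XORs the keystream over the payload plus a CRC-32 integrity check value (ICV), and a decryption is accepted when the recomputed CRC matches. The key is the one recovered above; the IV, the 802.11 header and the LLC/SNAP payload are constructed for the example. The last function shows why the attack needs many IVs: two frames encrypted under the same IV leak the XOR of their plaintexts.

```python
import struct
import zlib

# Key recovered by aircrack-ng in the report (13 bytes = 104-bit WEP).
WEP_KEY = bytes.fromhex("28E66BE9D3B62095DDE92FBE37")

# Constructed sample plaintext: LLC/SNAP header for IPv4 plus a made-up payload
# (assumed for the example, not taken from deep.cap). The IV is assumed too.
SAMPLE_PLAINTEXT = bytes.fromhex("AAAA030000000800") + b"constructed IPv4 payload"
SAMPLE_IV = bytes.fromhex("0C1A2B")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || key, so the 24-bit IV
    is the only thing that varies between frames encrypted under one key."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                                # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | key-id byte | RC4(IV||key, plaintext || ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)   # ICV is CRC-32, little-endian
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt a WEP frame body; return (icv_ok, plaintext). A wrong key yields
    bytes whose CRC does not match the trailing ICV."""
    iv, ciphertext = body[:3], body[4:]
    pt = rc4(iv + key, ciphertext)
    data, icv = pt[:-4], pt[-4:]
    icv_ok = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv
    return icv_ok, data


def decrypt_data_frame(key: bytes, frame: bytes):
    """Mimic airdecap-ng on one raw 802.11 frame: skip non-data frames, pass
    unprotected data frames through, strip the MAC header and decrypt the rest."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08:                      # type field is not Data
        return None
    hdr_len = 24 + (2 if fc0 & 0x80 else 0)       # QoS data subtypes add a 2-byte QoS control field
    if (fc1 & 0x03) == 0x03:                      # ToDS and FromDS both set: 4-address header
        hdr_len += 6
    if not fc1 & 0x40:                            # Protected Frame bit clear: nothing to decrypt
        return True, frame[hdr_len:]
    return wep_decrypt(key, frame[hdr_len:])


def build_sample_frame(key: bytes = WEP_KEY) -> bytes:
    """Constructed frame: FC = 0x08 0x41 (Data, ToDS, Protected), 24-byte header, WEP body."""
    header = bytes([0x08, 0x41]) + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x10\x00"
    return header + wep_encrypt(key, SAMPLE_IV, SAMPLE_PLAINTEXT)


def iv_reuse_leaks_xor(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so C1 XOR C2 == P1 XOR P2
    regardless of the key; this keystream reuse is what IV statistics exploit."""
    c1 = wep_encrypt(key, iv, p1)[4:]
    c2 = wep_encrypt(key, iv, p2)[4:]
    n = min(len(p1), len(p2))
    cx = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    px = bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
    return cx == px


if __name__ == "__main__":
    print(decrypt_data_frame(WEP_KEY, build_sample_frame()))
    print(decrypt_data_frame(bytes(13), build_sample_frame())[0])   # wrong key: ICV check fails
```

The ICV is a CRC, not a MAC: it detects accidental corruption and a wrong key, but it is linear, so an attacker who can flip ciphertext bits can also fix up the CRC. That, together with the tiny IV space, is why a WEP key recovered from a passive capture is expected rather than surprising.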
In NetworkMiner I checked the Files tab looking for any .txt file I
could extract, but not a single file was there, contrary to the task;
NetworkMiner also gave no hint about what to look for or where to look;
Went back to Wireshark, where frame 8 was flagged as following a
segment that had not been captured;
Frame 7 used source port 49510 (an ephemeral, unassigned port number) for FTP
control traffic to port 21, and also shows USER: joe;
The information around frame 26 gives a hint about a
password and signals how close I am getting;
Frames 32 to 34 show that ports 49510 to 49512 are associated
with an Adobe service;
Opened the decrypted file in NetworkMiner; the Files tab was still empty;
On the presumption that a file was still hidden I ran the command
sudo tcpxtract -f deep-dec.cap -o tcpxtract/
and a zip file was carved out, which asked for a password on unzipping;
Following the TCP stream of frame 32 showed a .txt file named
flag4.txt inside the zip; the "UT" that appears glued to the name
(flag4.txtUT) is not part of the filename but the two-byte ID (0x5455,
stored little-endian) of the zip extended-timestamp extra field that
immediately follows the name in the local file header;
Attempted to save the stream out as a .txt file, but when I opened it, it
read: could not open the file, and also Character Encoding
automatically detected;
Used the filter tcp.port >= 49001, which displays frames whose source or
destination port is 49001 or above (this end of the port space holds only
dynamic/ephemeral ports);
40 frames were displayed by that filter, including the frames
mentioned earlier but also frames carrying the POP protocol. What is POP
doing here?
Used the filter tcp.port >= 49001 && pop, which narrows the previous result
to the POP frames alone, and reduced it to 12 frames;
One frame, 49515, looked like a stranger in the party;
It was dissected as IMF (Internet Message Format) and had a data length
of 712, which seemed large in comparison to the others displayed with the
above filter;
Two e-mail addresses were seen, metalman@carolinacon8.com and
crashman@carolinacon8.com;
Under Content-Type is text/plain, which is a great hint and recalls
the issue I faced earlier with character encoding;
According to RFC 2045, a Content-Transfer-Encoding of 7bit means the body
is already plain 7-bit ASCII and no transformation has been applied; the
encoding RFC 2045 defines for carrying arbitrary data through 7-bit mail
is base64, and a body made only of [A-Za-z0-9+/] characters ending in "="
padding is the tell-tale sign of it;
dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n looked
like a password or a file of some sort;
Tried it as a password to open the zip file, to no avail;
I began an attempt to decode it, anticipating that it was encoded
data;
Copied dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo= into a new .txt file
(pword.txt), saved with the ISO-8859-1 charset. The charset makes no
difference to the decoding, since base64 uses only ASCII characters, but a
stray carriage return (\r) copied from the stream would make base64 -d
reject the input unless its -i (ignore garbage) option is used;
Used the base64 command to decode the string:
base64 -d pword.txt
and behold, a password was actually retrieved: bostonMA1977 (the full
decoded line reads "the password is bostonMA1977");
Using it on the zip file earlier carved by tcpxtract, a file
named flag4.txt was unzipped;
Inside the file is another password, bostonmarathon2012.
So using the password bostonMA1977 I was able to open the file
flag4.txt and retrieve the hidden password bostonmarathon2012.
Tools used: NetworkMiner was used to analyse the packets for hints and,
most importantly, to check for file types. Wireshark was
used to view the capture frame by frame, tcpxtract was used to carve the
file from the capture, and the base64 command line tool was used to decode
the base64-encoded password carried in the 7bit message body.
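The two decoding steps above, the base64 string hidden in a 7bit text/plain message and the zip local header whose extended-timestamp field produced the "flag4.txtUT" artefact, can be done programmatically. The script below is an added example, not part of the original report or of any of the tools it names. The base64 string and the two addresses are the ones seen in the capture; the surrounding message headers, the zip timestamp and the ciphertext bytes are constructed for the example.

```python
import base64
import re
import struct
from email import message_from_string, policy

# Constructed message modelled on the IMF frame seen in the capture: the addresses and the
# base64 body line are from the report, the remaining headers are assumed.
RAW_MESSAGE = (
    "From: metalman@carolinacon8.com\r\n"
    "To: crashman@carolinacon8.com\r\n"
    "Subject: hint\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=ISO-8859-1\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n"
)

# Candidate base64 tokens: base64 alphabet, length a multiple of 4, optional '=' padding.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def find_base64_strings(text):
    """Return decoded values of tokens that are valid base64 and decode to printable text.
    A 7bit Content-Transfer-Encoding only promises ASCII; base64 inside the body is
    the sender's own layer, so it has to be found by pattern, not by MIME headers."""
    found = []
    for token in _B64_TOKEN.findall(text):
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (ValueError, base64.binascii.Error):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            found.append(raw.decode("ascii"))
    return found


def hidden_passwords(raw_message):
    """Parse the message with the stdlib email package and decode base64 found in its body."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_content()                     # honours the declared transfer encoding (7bit here)
    return find_base64_strings(body)


def build_sample_zip_local_header():
    """Constructed local file header for an encrypted 'flag4.txt' entry with a 'UT' extra field."""
    name = b"flag4.txt"
    # Extended timestamp extra field: ID 0x5455 (little-endian bytes 55 54 = "UT"), size 5,
    # flags byte 0x01 (mtime present), then a 32-bit mtime (value assumed).
    extra = struct.pack("<HHB", 0x5455, 5, 0x01) + struct.pack("<I", 1334000000)
    flags = 0x0001                               # bit 0: entry encrypted (traditional ZipCrypto)
    hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 8, 0, 0, 0, 50, 38, len(name), len(extra))
    return hdr + name + extra + b"\x00" * 50     # 50 bytes standing in for the ciphertext


def parse_zip_local_headers(data):
    """Walk local file headers (PK\\x03\\x04) and report name, encryption flag and extra-field IDs.
    This explains the 'flag4.txtUT' seen in Follow TCP Stream: 'UT' is the extra-field ID."""
    entries, off = [], 0
    while True:
        sig = data.find(b"PK\x03\x04", off)
        if sig < 0 or sig + 30 > len(data):
            break
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, elen) = struct.unpack("<IHHHHHIIIHH", data[sig:sig + 30])
        name = data[sig + 30:sig + 30 + nlen].decode("cp437")
        extra = data[sig + 30 + nlen:sig + 30 + nlen + elen]
        ids, p = [], 0
        while p + 4 <= len(extra):
            eid, esz = struct.unpack("<HH", extra[p:p + 4])
            ids.append(eid)
            p += 4 + esz
        entries.append({"name": name, "encrypted": bool(flags & 1), "method": method,
                        "compressed_size": csize, "uncompressed_size": usize, "extra_ids": ids,
                        "has_data_descriptor": bool(flags & 8)})
        # With bit 3 set the sizes live in a trailing data descriptor and csize here is 0,
        # so this simple walker would need the central directory instead; fine for the sample.
        off = sig + 30 + nlen + elen + csize
    return entries


if __name__ == "__main__":
    print(hidden_passwords(RAW_MESSAGE))
    print(parse_zip_local_headers(build_sample_zip_local_header()))
```

With the real carved archive, the stdlib can open the entry directly: `zipfile.ZipFile("tcpxtract/00000000.zip").read("flag4.txt", pwd=b"bostonMA1977")` handles traditional ZipCrypto, which is what the "encrypted" flag bit alone indicates; an AES-encrypted entry would instead show compression method 99 and a 0x9901 extra field, and needs a third-party library.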
References
1. Bejtlich, R., 2006. Network Forensic Traffic Reconstruction with Tcpxtract. [Blog] Available at: http://taosecurity.blogspot.ie/2006/01/network-forensic-traffic.html [Accessed 25 April 2013].
2. Maynard, C., 2009. ICMP and endian-ness issue. Wireshark-dev [Online] Available at: http://www.wireshark.org/lists/wireshark-dev/200909/msg00224.html [Accessed 10 April 2013].
3. Lyon, G. The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap [Online] Available at: http://nmap.org/book/man-briefoptions.html [Accessed 24 April 2013].
4. Oskar, A., 2006. Iptables Tutorial 1.2.1. Frozentux [Online] Available at: http://www.frozentux.net/iptables-tutorial/chunkyhtml/x281.html [Accessed 20 April 2013].
5. Thomas, J., n.d. Knowledgebase: TCP/IP. Omnisecu [Online] Available at: http://www.omnisecu.com/tcpip/internet-control-message-protocol-icmp.htm [Accessed 20 April 2013].
8. Techspot, 2013. Do I have a virus? Techspot [Forum] Available at: http://www.techspot.com/community/topics/do-i-have-a-virus.189721/ [Accessed 25 April 2013].
9. IANA. Service Name and Transport Protocol Port Number Registry. [Online] Available at: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml#P_V_Shivkumar
10. Tschabitscher, H. POP (Post Office Protocol) Basics. About.com [Online] Available at: http://email.about.com/cs/standards/a/pop_basics.htm [Accessed 12 May 2013].
11. Freed, N. and Borenstein, N., 1996. MIME Part One: Format of Internet Message Bodies. RFC 2045 [Online] Available at: http://www.ietf.org/rfc/rfc2045.txt [Accessed 12 May 2013].
12. Josefsson, S. base64 - Unix, Linux Command. TutorialsPoint [Online] Available at: http://www.tutorialspoint.com/unix_commands/base64.htm [Accessed 13 May 2013].
13. Geier, J., 2008. How to: Sniff Wireless Packets with Wireshark. Wi-Fi Planet [Online] Available at: http://www.wi-fiplanet.com/tutorials/article.php/3791421/How-to-Sniff-Wireless-Packets-with-WireShark.htm [Accessed 13 May 2013].
14. Tech-Juice, 2011. Wireshark: 802.11 Frame Display. [Online] Available at: http://www.tech-juice.org/2011/11/25/wireshark-wireless-display-filters/