Network Forensics Investigation

Cyber Crime Investigation

Adjonyo J. Noah

B00065764

Masters in Computing BN518: Network Security and Digital Forensics (Fulltime)

10 May 2013

Noah J. Adjonyo, Institute of Technology Blanchardstown

1. Analysis of portscan.cap file

1.1. What ports are open?

Method: The cap file was opened with NetworkMiner, and the tabs displayed 65300 sessions, 5 hosts and over 13000 frames.

~ I opened the Sessions tab and noticed the source IP address 192.168.223.172.

~ Using that source IP address, I looked for more details attached to 192.168.223.172 as a source.

~ There was a lot of data to check under the Sessions tab and also under the Frames tab.

~ I opened the Hosts tab and searched for that host.

~ Under the IP address 192.168.223.172 the "Open TCP ports" are listed: 5900 22 139 23 80 53 25 445 21 111 3306 6667 59563 512 513 1099 52878 6000 43607 8787 514 2049 8009 3632 5432 6697 8180 2121 1524 56166.

~ Some of the port numbers were familiar; however, most were completely unfamiliar, so in order to understand how they function I looked up the IANA list of default port numbers.

Tools used: NetworkMiner

Answer: Open TCP ports are: 5900 22 139 23 80 53 25 445 21 111 3306 6667 59563 512 513 1099 52878 6000 43607 8787 514 2049 8009 3632 5432 6697 8180 2121 1524 56166

Open TCP ports in numerical order are as follows:

No.  Port   Name/Protocol          Short description
1    21     FTP                    File Transfer Protocol
2    22     SSH                    Secure Shell
3    23     Telnet                 Telnet
4    25     SMTP                   Simple Mail Transfer Protocol
5    53     DNS                    Domain Name System
6    80     HTTP                   Hyper Text Transfer Protocol
7    111    SunRPC                 Sun Remote Procedure Call
8    139    Netbios-ssn            NetBIOS Session Service
9    445    Microsoft-DS           Microsoft Directory Service
10   512    Exec / Comsat / Biff   Remote process execution; used by mail system
11   513    Login / Who            Remote login; maintains database of who is logged in
12   514    Shell
13   1099   RMIregistry            Remote Method Invocation Registry
14   1524   Ingreslock
15   2049   Shilp / Nfs            Network File System
16   2121   SCIENTIA-SSDB
17   3306   MySQL
18   3632   DISTCC
19   5432   PostgreSQL             Database
20   5900   RFB                    Remote FrameBuffer
21   6000   X11                    X Window System
22   6667   IRC                    Internet Relay Chat
23   6697   Unassigned             Unofficially IRC over SSL
24   8009   Unassigned             SANS: Netware-rmgr
25   8180   Unassigned
26   8787   Msgsrvr                Message Server
27   43607  Unassigned
28   52878  Dynamic and/or private ports (Xsan filesystems access (Apple))
29   56166  Dynamic and/or private ports (Xsan filesystems access (Apple))
30   59563  Dynamic and/or private ports (Xsan filesystems access (Apple))

There were 30 open ports.
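The "Open TCP ports" list that NetworkMiner shows for a host is derived from how the host answered the scanner's SYN probes. The following is an added example (not code from the report or from NetworkMiner) that performs the same classification over constructed packet records: a SYN/ACK reply marks the port open, an RST marks it closed, and a probe with no reply is reported as filtered. The scanner and target addresses, the record layout and the small LEGACY_SERVICES table are assumptions made for the example; it also flags the cleartext and remote-execution services (FTP, Telnet, rexec/rlogin/rsh, X11) that an analyst would want to note when they appear in such a list.

```python
# Added example: derive open/closed/filtered TCP ports from scan traffic.
# The TcpRecord layout and all addresses below are constructed sample data,
# not frames from portscan.cap.
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpRecord:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def classify_scan(records, scanner, target):
    """Return (open, closed, filtered) port lists, each sorted numerically."""
    probed, open_ports, closed_ports = set(), set(), set()
    for r in records:
        # a bare SYN from the scanner is a probe of r.dport
        if r.src == scanner and r.dst == target and (r.flags & SYN) and not (r.flags & ACK):
            probed.add(r.dport)
        # the target's reply identifies the probed port by its *source* port
        elif r.src == target and r.dst == scanner:
            if (r.flags & SYN) and (r.flags & ACK):
                open_ports.add(r.sport)
            elif r.flags & RST:
                closed_ports.add(r.sport)
    filtered = probed - open_ports - closed_ports
    return sorted(open_ports), sorted(closed_ports), sorted(filtered)


# Assumed subset of IANA-registered names for services worth flagging when open:
# they carry credentials in cleartext or allow remote command execution.
LEGACY_SERVICES = {21: "ftp", 23: "telnet", 512: "exec", 513: "login", 514: "shell", 6000: "x11"}


def flag_legacy(open_ports):
    """Map each open port that belongs to a legacy service to its name."""
    return {p: LEGACY_SERVICES[p] for p in open_ports if p in LEGACY_SERVICES}


# Constructed sample capture: scanner 10.0.0.5 probes target 10.0.0.9
SAMPLE = [
    TcpRecord("10.0.0.5", "10.0.0.9", 40001, 22, SYN),
    TcpRecord("10.0.0.9", "10.0.0.5", 22, 40001, SYN | ACK),
    TcpRecord("10.0.0.5", "10.0.0.9", 40002, 23, SYN),
    TcpRecord("10.0.0.9", "10.0.0.5", 23, 40002, SYN | ACK),
    TcpRecord("10.0.0.5", "10.0.0.9", 40003, 25, SYN),
    TcpRecord("10.0.0.9", "10.0.0.5", 25, 40003, RST | ACK),
    TcpRecord("10.0.0.5", "10.0.0.9", 40004, 5900, SYN),
    TcpRecord("10.0.0.9", "10.0.0.5", 5900, 40004, SYN | ACK),
    TcpRecord("10.0.0.5", "10.0.0.9", 40005, 8180, SYN),  # no reply: filtered
]

if __name__ == "__main__":
    opened, closed, filtered = classify_scan(SAMPLE, "10.0.0.5", "10.0.0.9")
    print("open:", opened, "closed:", closed, "filtered:", filtered)
    print("legacy services open:", flag_legacy(opened))
```

Sorting the open list numerically is what turns the unordered NetworkMiner output above into the table; the filtered list is the one a GUI tool usually does not show, which is why a probe with no answer is easy to miss.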

2. Analysis of deep.cap file

2.1. Opened the file in Wireshark

Method: Opened the file in Wireshark; only 802.11 was displayed in the protocol column and there was no way to tell which specific protocols any file could be extracted from.

Having the protocol column show 802.11 for all 208428 frames suggests that the network card was likely used in monitor mode and captured raw, encrypted IEEE 802.11 traffic.

On that realisation it was clear I needed to decrypt the capture. From previous knowledge, Aircrack-ng was the best bet to decrypt it.

I used Aircrack-ng to analyse the IVs and retrieve the possible key 28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 with the command:

    aircrack-ng deep.cap

On retrieving the key I used:

    airdecap-ng -w 28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 deep.cap

to decrypt the pcap file; by doing so, much more information was viewable in Wireshark and NetworkMiner.
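What airdecap-ng does with the recovered key is mechanical once the WEP frame format is known: each data frame body starts with a 3-byte IV and a key-index byte, followed by the RC4-encrypted payload and a 4-byte ICV (the CRC-32 of the plaintext). RC4 is seeded with IV || key, and the ICV check is how the tool knows the key was right. The following is an added example (not code from the report or from the Aircrack-ng suite) that encrypts and decrypts a constructed frame body this way; the 104-bit key, IV and payload are constructed values, not the key recovered from deep.cap, and the ICV mismatch on a wrong key is the failure mode the example handles.

```python
# Added example: WEP frame-body encryption/decryption with ICV verification.
# Key, IV and payload below are constructed; nothing here is taken from deep.cap.
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), XORed over data; symmetric for encrypt/decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_index: int = 0) -> bytes:
    """Build a WEP body: IV(3) | key-id byte | RC4(IV || key, plaintext || ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")  # ICV is CRC-32, little-endian
    return iv + bytes([key_index & 0x03]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Return the plaintext if the ICV verifies, else None (wrong key or corrupt frame)."""
    iv, ciphertext = body[:3], body[4:]
    if len(ciphertext) < 4:
        return None
    plain = rc4(iv + key, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None
    return data


def parse_hex_key(text: str) -> bytes:
    """Accept the colon-separated hex form used on the aircrack-ng/airdecap-ng command line."""
    return bytes.fromhex(text.replace(":", ""))


# Constructed 104-bit (13-byte) key, IV and an LLC/SNAP-prefixed payload
DEMO_KEY = parse_hex_key("01:02:03:04:05:06:07:08:09:0A:0B:0C:0D")
WRONG_KEY = parse_hex_key("0D:0C:0B:0A:09:08:07:06:05:04:03:02:01")
DEMO_IV = b"\x11\x22\x33"
DEMO_PLAINTEXT = b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello"
DEMO_BODY = wep_encrypt(DEMO_KEY, DEMO_IV, DEMO_PLAINTEXT)

if __name__ == "__main__":
    print("right key:", wep_decrypt(DEMO_KEY, DEMO_BODY))
    print("wrong key:", wep_decrypt(WRONG_KEY, DEMO_BODY))
```

The IV travels in the clear in front of every frame, which is also why a large capture such as this one gives a cracking tool enough IVs to work with; the decryptor only needs it to rebuild the RC4 seed.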

In NetworkMiner I checked the Files tab in search of any .txt file I could extract, but not a single file was there, contrary to the task. NetworkMiner was also unable to give me any hint of what to look for or where to look.

I went back to Wireshark, where frame 8 told me of an unseen segment.

Frame 7 used source port 49510 (an unassigned port number) for FTP traffic to port 21; also shown is USER: joe.

From the information around frame 26 comes a hint about a password, signalling how close I was getting.

Frames 32 to 34 show that port numbers 49510 to 49512 are affiliated with an Adobe service.

I opened the decrypted file in NetworkMiner, and on the Files tab there was no file. Meanwhile, the presumption that a file was still hidden prompted me to use the command:

    sudo tcpxtract -f deep-dec.cap -o tcpxtract/

and a zip file was extracted which requested a password to unzip.

When I followed the TCP stream of frame 32, the results showed a .txt file named flag4.txtUT.

I attempted to save it out as a .txt file, but when I opened it, it read "could not open the file" and also "Character Encoding automatically detected".
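The "flag4.txtUT" seen in the TCP stream and the password prompt on the extracted zip both come straight from the ZIP local file header, which is what a carver such as tcpxtract keys on: the header's "PK\x03\x04" signature is followed by fixed fields (including a general-purpose flag whose bit 0 marks the entry as encrypted), then the file name, then an optional extra field. The Info-ZIP extended-timestamp extra field has ID 0x5455, which in little-endian byte order is the two ASCII characters "UT", so the name and the start of the extra field run together on screen. The following is an added example (not code from the report or from tcpxtract) that carves local headers out of a byte stream and reports name, encryption flag and extra-field IDs; the stream, the file name and the timestamp value are constructed for the example.

```python
# Added example: carve ZIP local file headers from a reassembled TCP stream.
# SAMPLE_STREAM and its contents are constructed; no bytes come from deep.cap.
import struct
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"
# signature, version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001
EXTRA_ID_UT = 0x5455  # Info-ZIP extended timestamp: bytes "UT" on the wire


def build_local_header(name: bytes, data: bytes, encrypted: bool, extra: bytes = b"") -> bytes:
    """Assemble a stored (method 0) local header + name + extra + data for the sample."""
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(data), len(data), len(data), len(name), len(extra))
    return header + name + extra + data


def parse_extra_ids(extra: bytes):
    """Walk the extra field as a sequence of (id, size, payload) records and return the ids."""
    ids, pos = [], 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        ids.append(field_id)
        pos += 4 + size
    return ids


def carve_zip_entries(stream: bytes):
    """Return one dict per local file header found in the stream."""
    entries, pos = [], 0
    while True:
        pos = stream.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER_LEN > len(stream):
            break
        (_, _, flags, method, _, _, crc, csize, _, fnlen, exlen) = struct.unpack_from(
            LOCAL_HEADER_FMT, stream, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = stream[name_start:name_start + fnlen]
        extra = stream[name_start + fnlen:name_start + fnlen + exlen]
        entries.append({
            "offset": pos,
            "name": name.decode("utf-8", "replace"),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,
            "crc32": crc,
            "extra_ids": parse_extra_ids(extra),
            # what a raw "follow TCP stream" view shows: the name immediately followed
            # by the first two bytes of the extra field
            "raw_name_view": (name + extra[:2]).decode("latin-1"),
        })
        pos = name_start + fnlen + exlen + csize
    return entries


# Constructed stream: unrelated text, then a password-protected entry with a UT extra field
UT_EXTRA = struct.pack("<HHBI", EXTRA_ID_UT, 5, 0x01, 1334800000)  # flags byte + mtime
SAMPLE_STREAM = b"220 ftp ready\r\n" + build_local_header(b"flag4.txt", b"\x00" * 32, True, UT_EXTRA)

if __name__ == "__main__":
    for entry in carve_zip_entries(SAMPLE_STREAM):
        print(entry)
```

Checking the encryption flag before trying to open a carved archive saves the guesswork the report describes: the header tells you up front that a password will be needed, and the CRC-32 in the header can later confirm that the decrypted content is the file the archive claims to hold.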

I used the filter "tcp.port >= 49001", which displays frames whose port number is 49001 or higher (port numbers from 49001 upwards are unassigned or dynamic).

40 frames were displayed by applying the above filter, including the earlier mentioned frames but also frames with the POP protocol. What is the POP protocol doing here?

I used the filter "tcp.port >= 49001 && pop" to also include the POP protocol in the filter, which reduced it to 12 frames.

One frame, 49515, looked like a stranger at the party: it carried the IMF protocol and had a data length of 712, which seemed big in comparison to the others displayed by the above filter.

Two email addresses were seen, [email protected] and [email protected].

Under Content-Type is text/plain, which is a great hint and jogs the memory about the issue I faced earlier with character encoding. According to RFC 2045, 7bit Content-Transfer-Encoding is used to encode other file types to send via normal mail.

The string dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n looked like a password or a file of some sort. I tried it as the password to open the zip file, but to no avail.

I then began an attempt to decode it, anticipating that it was encoded data. I copied dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n into a new .txt file, specifying the charset as ISO-8859-1; this enables the reverse process.

I used the base64 command to decode the string:

    base64 -d pword.txt

and behold, a password was actually retrieved: bostonMA1977.

On using it on the zip file retrieved earlier with tcpxtract, a file named flag4.txt was unzipped. Inside the file is another password: bostonmarathon2012.

So using the password bostonMA1977 I was able to access the file flag4.txt and retrieve the hidden password bostonmarathon2012.
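The decoding step above can be automated so that a text/plain message carried with a 7bit Content-Transfer-Encoding is parsed with the MIME headers honoured, and any base64-looking token in the body is decoded and kept only if it yields readable text. The following is an added example (not code from the report) that does this with the standard library; the message headers and the "here you go" line are constructed, and only the base64 string is the one observed in the capture. The token regex, the minimum token length and the printable-text filter are the example's own assumptions.

```python
# Added example: find and decode base64 tokens inside a 7bit text/plain mail body.
# SAMPLE_MESSAGE is constructed; only the base64 line reproduces the observed string.
import base64
import re
from email import message_from_bytes
from email.policy import default

# A base64 token: at least four full 4-char groups, optional final padded group,
# not glued to other base64 characters on either side.
B64_TOKEN = re.compile(
    rb"(?<![A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4}){4,}"
    rb"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])"
)


def decode_candidates(body: bytes):
    """Return (token, decoded_text) pairs for tokens that decode to printable UTF-8 text."""
    found = []
    for match in B64_TOKEN.finditer(body):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary output: skip it
        if text.strip().isprintable():
            found.append((token.decode("ascii"), text))
    return found


def extract_from_message(raw_message: bytes):
    """Parse the message, apply its declared transfer encoding, then scan for base64."""
    msg = message_from_bytes(raw_message, policy=default)
    # 7bit/8bit bodies come back unchanged; base64 or quoted-printable bodies are
    # decoded here by the MIME layer, which is the distinction the headers encode
    body = msg.get_payload(decode=True) or b""
    return {
        "content_type": msg.get_content_type(),
        "transfer_encoding": str(msg.get("Content-Transfer-Encoding", "7bit")).lower(),
        "candidates": decode_candidates(body),
    }


SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: hint\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-1\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"here you go\r\n"
    b"dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n"
)

if __name__ == "__main__":
    result = extract_from_message(SAMPLE_MESSAGE)
    print(result["content_type"], result["transfer_encoding"])
    for token, text in result["candidates"]:
        print(token, "->", repr(text))
```

Running the scan over every IMF frame in a capture is the programmatic version of the "looks like a password" judgement made above, and the printable-text filter is what keeps it from flooding the analyst with decoded binary noise.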

Tools used: NetworkMiner was used to analyse the packets for hints and, most importantly, to check for file types. Wireshark was used to view the capture frame by frame. Tcpxtract was used to extract the file from the capture. The base64 command line was used to decode the password from the 7bit message body.

References

1. Bejtlich, R., 2006. Network Forensic Traffic Reconstruction with Tcpxtract. [Blog] Available at: http://taosecurity.blogspot.ie/2006/01/network-forensic-traffic.html [Accessed 25 April 2013].

2. Maynard, C., 2009. ICMP and endian-ness issue. Wireshark-dev [Online]. Available at: http://www.wireshark.org/lists/wireshark-dev/200909/msg00224.html [Accessed 10 April 2013].

3. Lyon, G., The Official Nmap Project Guide to Network Discovery and Security Scanning. Nmap [Online]. Available at: http://nmap.org/book/man-briefoptions.html [Accessed 24 April 2013].

4. Oskar, A., 2006. Iptables Tutorial 1.2.1. Frozentux [Online]. Available at: http://www.frozentux.net/iptables-tutorial/chunkyhtml/x281.html [Accessed 20 April 2013].

5. Thomas, J., n.d. Knowledgebase: TCP/IP. Omnisecu [Online]. Available at: http://www.omnisecu.com/tcpip/internet-control-message-protocol-icmp.htm [Accessed 20 April 2013].

8. Techspot, 2013. Do I have a virus? Techspot [Forum]. Available at: http://www.techspot.com/community/topics/do-i-have-a-virus.189721/ [Accessed 25 April 2013].

9. IANA. [Online] Available at: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml#P_V_Shivkumar

10. Tschabitscher, H., POP (Post Office Protocol) Basics. About.com [Online]. Available at: http://email.about.com/cs/standards/a/pop_basics.htm [Accessed 12 May 2013].

11. Freed, N. and Borenstein, N., 1996. MIME Part One: Format of Internet Message Bodies, RFC 2045. [Online] Available at: http://www.ietf.org/rfc/rfc2045.txt [Accessed 12 May 2013].

12. Josefsson, S., Base64 - Unix, Linux Command. TutorialsPoint [Online]. Available at: http://www.tutorialspoint.com/unix_commands/base64.htm [Accessed 13 May 2013].

13. Geier, J., 2008. How to: Sniff Wireless Packets with Wireshark. Wi-Fi Planet [Online]. Available at: http://www.wi-fiplanet.com/tutorials/article.php/3791421/How-to-Sniff-Wireless-Packets-with-WireShark.htm [Accessed 13 May 2013].

14. Tech-Juice, 2011. Wireshark: 802.11 Frame Display. [Online] Available at: http://www.tech-juice.org/2011/11/25/wireshark-wireless-display-filters/