Tuesday, August 19, 2008

HeX 021: Resolving Ihack 2008 password.pcap

My friend ayoi has posted Ihack 2008: Defense Challenge here, I don't really have time to look into the whole game. However I have tried to give it a shot for password.pcap to figure out what's the passphrase.

I decide to use HeX liveCD for this quick challenge since chfl4gs_ has presented it in IHack. Initial look at the traffic -

shell>tcpdump -ttttnnr password.pcap
reading from file /home/analyzt/rp-Analysis/password.pcap, link-type EN10MB (Ethernet)
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:1879048192(0) win 512
2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 1879048193 win 0
2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:872415232(0) win 512
2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3288334337 win 0
2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:603979776(0) win 512
2008-08-14 12:21:12.959710 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack 3019898881 win 0
2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:889192448(0) win 512

Output truncated .....

Initial view of the network traffic tells you that the network traffic contains no data transfer, and it is heavily crafted(port). It also hints you that the passphrase should be residing in the packet header. Therefore I start dig into the header by printing it in hex and ascii dump output.

shell>tcpdump -XXttttnnr password.pcap
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:11.469524 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
1879048193 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 7000 0001 5014 .~zi.9....p...P.
0x0030: 0000 5d9a 0000 ..]...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.212549 IP 10.10.75.1.31337 > 10.10.3.126.1337: R 0:0(0) ack
3288334337 win 0
0x0000: 000c 2945 914a 000c 294b dcf1 0800 4500 ..)E.J..)K....E.
0x0010: 0028 0000 4000 4006 d83d 0a0a 4b01 0a0a .(..@.@..=..K...
0x0020: 037e 7a69 0539 0000 0000 3400 0001 5014 .~zi.9....4...P.
0x0030: 0000 999a 0000 ......


Output truncated .....

When comes to examing the packet header, it's best to look at the pattern, and realizing that some fields are usually static in this case helps you to identify the different, if we look at the 4 packets above, you may spot

10.10.3.126 -> 10.10.75.1 - tcp sequence number
10.10.75.1 -> 10.10.3.126 - tcp acknowledge number(tcp sequence number + 1)

So to get the answer, you can just print the connection from one side(from 10.10.3.126 to 10.10.75.1) -

shell>tcpdump -XXttttnnr password.pcap ip src 10.10.3.126
2008-08-14 12:21:11.469308 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 1879048192:
1879048192(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 5c00 0000 4006 bc3d 0a0a 037e 0a0a .(\...@..=...~..
0x0020: 4b01 0539 7a69 7000 0000 0000 0000 5002 K..9zip.......P.
0x0030: 0200 5bad 0000 ..[...

2008-08-14 12:21:12.212445 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 872415232:8
72415232(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 2000 0000 4006 f83d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3400 0000 0000 0000 5002 K..9zi4.......P.
0x0030: 0200 97ad 0000 ......

2008-08-14 12:21:12.959563 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 603979776:6
03979776(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 6200 0000 4006 b63d 0a0a 037e 0a0a .(b...@..=...~..
0x0020: 4b01 0539 7a69 2400 0000 0000 0000 5002 K..9zi$.......P.
0x0030: 0200 a7ad 0000 ......

2008-08-14 12:21:13.656942 IP 10.10.3.126.1337 > 10.10.75.1.31337: S 889192448:8
89192448(0) win 512
0x0000: 000c 294b dcf1 000c 2945 914a 0800 4500 ..)K....)E.J..E.
0x0010: 0028 8d00 0000 4006 8b3d 0a0a 037e 0a0a .(....@..=...~..
0x0020: 4b01 0539 7a69 3500 0000 0000 0000 5002 K..9zi5.......P.
0x0030: 0200 96ad 0000 ......


Output truncated .....

If you want to see another side of the traffic, just tune the bpf filter to ip src 10.10.75.1, however for that you will need to look at the acknowledge number. You should have the answer now.

Anyway when comes to print certain field in the header, you can use tshark(part of wireshark), and force it to print certain field, for example -

shell>tshark -Tfields -e 'tcp.seq' -nr password.pcap -o tcp.relative_sequence_numbers:FALSE -R 'ip.src == 10.10.3.126'
1879048192
872415232
603979776
889192448
1996488704
805306368
1912602624
1677721600
536870912
822083584
889192448
536870912
822083584
838860800
855638016
167772160

That's your answer in decimal, you can convert the number to hex and from hex to ascii. Using pythong quickies -

Decimal to Hex -
shell>python -c 'print hex()'

HeX to Ascii
shell>python -c 'import binascii; print binascii.a2b_hex("")'

You should have the passphrase to unrar Questions.rar

shell>unrar e Questions.rar

Bump in the passphrase and you will be able to retrieve all the files you need.

During the challenge event, I don't see any participants use HeX for this purpose. And lot of them just use wireshark to examine, my opinion is using wireshark is not effective in this scenario as wireshark is great when you want to do per packet examination or dealing with network protocols you are not familiar with. However for this, I would say tcpdump and tshark are more effective tools to obtain the clue.

Enjoy (;])

8 comments:

FindMeIfUcaN said...

dude..

Why lar make ur life so difficult maaa..

I dont agree with u using this kinda HeX or whatever for this simple "task"..

"They" should have known these basic weapon when running *nix

Not need all the kira-kira decimal.. tsk.tsk.tsk wont help much in this case

just run basic *nix command would do..

"strings" Rulz.. adehhhh...

0x1A4 said...

strings and nsm-console r0x

C.S.Lee(geek00L) said...

hi findmeifucan,

I know the strings command work for this, but looking at the challenge, it is meant to examine the network traffic and figure out the passphrase.

Strings command works for this challenge, but may not for the other as network traffic based challenge is not going to be solved that easily and straightforward.

I would rather tell people the right thing to learn instead of going by shortcut.

Y0nd13 said...

@findmeifucan:

dude, from man strings.

print the strings of printable characters in files.

It's not the correct way to analyze a pcap file , but bro Ayoi is kind enough to store the password in a plain text from(mean it's not salted or encrypted in anyways). But yeah there are still people who don`t have any idea how to analyze it.

@geek00l:

Thanks for the wonderful guide, one more think bro i would like to ask how do we actually determine an OS fingerprint using from a pcap file?

C.S.Lee(geek00L) said...

hi y0nd13,

How do we actually fingerprint the OS from network traffic(pcap), you can ask yourself, if you want to fingerprint the application, where are you going to look at?

Application Fingerpriting - Application Layer

For example if you want to identify if it runs apache or iis, you should look at application layer. And if you want to identify which OS, look at the network stack that is generated by the OS, therefore you should look at layer 3(IP header) and 4(TCP/UDP header).

Take the simple example, the default ttl of windows is 128 but default ttl of linux is 64, if the packets are not routed, you can actually pretty much confirming which OS it is, however bear in mind that some people will just modify the network stack of OS to fool tools like p0f, that's also how low interaction honeypot works(look at honeyd).

However in the packet challenge, you can see it is quite obvious which OS generates the traffic. Of course you can run p0f to make your job simpler and confirm it with your own interpretation later.

Cheers!

FindMeIfUcaN said...

hi cslee,

Hahaha, my arguments was meant for this kinda challenge so call "ihack"..

it's a very simple task and while the clock is ticking, i dont think "the boys" would have to run all the "1337's" command just to find a plain txt passwd file and even if u look through all the q's, i guess simple command like strings and grep would do the job.

time is money maaaa.. if i were to participate in this kinda event, i dont think i ever gonna use such steps that u've shown..

when i was at the recent blackhat, everyone is "weaponed" with simple *nix command to do all the tasks given.

it would be nice if i could have tougher challenge.. perghhhh

-9-

Anonymous said...

geek00l...thanks for the nice tutorial..but i got this error while using tshark

C:\Program Files\Wireshark>tshark -Tfields -e 'tcp.seq' -nr password.pcap -o tcp
.relative_sequence_numbers:FALSE -R 'ip.src == 10.10.3.126'

tshark: Read filters were specified both with "-R" and with additional command-l
ine arguments

MASOKIS said...

wow.. i google the ihack about more than 3 week..hoping the google will index the real stuff of ihack..

but this blog not index... from 1 page to last page of google search based from keyword "ihack uitm"..

i find the post when searching about security in malaysia at security.org.my.. then some backlink to this page and hex live cd..wow :D