The aim of this paper is to analyze a packet capture file with various tools and answer the questions provided. SANS has released a Holiday Hacking Challenge packet capture every year for the last ten years, run as a competition open to people all around the world. The packet capture is quite challenging and will test the skills of a network analyst to the limit. The tools used to analyze the packet capture are Wireshark, ngrep, Foremost and NetworkMiner.
2. Filter by Protocols
The packet capture is quite verbose, and it can be intimidating to know where to begin or what methodology to use. The first protocol filtered was POP3, for email communication. The filter ...
The email states that a significant vulnerability in the Allen Bradley controller under test was just disclosed, and that this vulnerability may be a reason behind the power bridge outage. Don Sawyer deletes the message and downloads the exe file. Why he does so is still unclear, so more investigation is needed; this information may prove useful at a later stage.
(See Figure 2.4 below).
Figure 2.4. Email about controller vulnerability.
Hypertext Transfer Protocol (HTTP) is an application-layer protocol that any investigator would filter on in a packet capture. Filtering on HTTP revealed two PDF files of interest, at packets 16 and 54.
The packet at number 16 showed a PDF file with the heading 'TrafficSystemNetworkMap', and the packet at number 54 showed a PDF with the heading 'BedfordFallsTrainSystem'. (See Figure 2.5 below).
Figure 2.5. PDF details.
A 'Follow TCP Stream' on the traffic-system and train-system transfers showed PDF files whose content streams are compressed with the FlateDecode filter (zlib/deflate). The streams were unreadable as captured, so a decoder was sought to inflate them.
(See Figure 2.6 below).
Figure 2.6. PDF with FlateDecode.
Numerous attempts to decode the PDF proved fruitless, so other methods were used.
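As an added example (not part of the original paper, and not any tool's own code), the following Python script does what the decoder search was after: it locates each stream object in raw PDF bytes, checks the object dictionary for the /FlateDecode filter and inflates the stream with zlib. It uses a streaming decompressor so that a stream cut short in the capture (missing or unreassembled packets) still yields the bytes that did arrive, flagged as incomplete. The sample PDF is constructed inline and is not data from the challenge capture; the regular expression is a deliberate simplification that does not handle nested dictionaries, bare-CR line endings, or binary data that happens to contain the text `endstream`.

```python
import re
import zlib
from typing import Dict, List, Tuple

# Constructed sample (not from the challenge capture): a minimal PDF whose one
# content stream is compressed with the FlateDecode (zlib/deflate) filter.
SAMPLE_TEXT = b"BT /F1 24 Tf 72 720 Td (TrafficSystemNetworkMap) Tj ET"
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length " + str(len(SAMPLE_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_COMPRESSED
    + b"\nendstream\nendobj\n%%EOF\n"
)

# A stream object looks like "<< ...dict... >> stream\n<data>\nendstream".
# The tempered "(?!<<)." stops the dict group from running back over an
# earlier, unrelated dictionary (the /Catalog object above, for instance).
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:(?!<<).)*?)>>\s*stream\r?\n(?P<data>.*?)\nendstream",
    re.DOTALL,
)


def inflate_stream(data: bytes) -> Tuple[bytes, bool]:
    """Inflate one FlateDecode stream body.

    Returns (decoded, complete).  zlib.decompressobj() is used instead of
    zlib.decompress() so that a stream truncated in the capture still yields
    the prefix that arrived; complete is False when the zlib end-of-stream
    marker was never reached (for example, the Adler-32 trailer is missing).
    """
    d = zlib.decompressobj()
    out = b""
    try:
        out = d.decompress(data)
        out += d.flush()
    except zlib.error:
        # Corrupt or non-zlib data: keep whatever was decoded before the error.
        pass
    return out, d.eof


def inflate_flate_streams(pdf_bytes: bytes) -> List[Dict[str, object]]:
    """Find every stream object in raw PDF bytes and inflate the FlateDecode ones."""
    results = []
    for m in STREAM_RE.finditer(pdf_bytes):
        if b"/FlateDecode" not in m.group("dict"):
            continue  # uncompressed, or another filter such as /DCTDecode (JPEG)
        decoded, complete = inflate_stream(m.group("data"))
        results.append({"offset": m.start(), "complete": complete, "data": decoded})
    return results


if __name__ == "__main__":
    for s in inflate_flate_streams(SAMPLE_PDF):
        status = "complete" if s["complete"] else "TRUNCATED"
        print(f"stream object at offset {s['offset']} ({status}): {s['data']!r}")
```

Run against bytes saved from 'Follow TCP Stream' (Show and save data as Raw), this prints each page's content stream as plain PDF operators; a stream reported as TRUNCATED means the capture itself is incomplete, not that the decoder failed.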
2.2. Decode FlateDecode PDF files.
A forensic carving tool such as Foremost can be used to recover the PDF files directly from the capture. Carving looks only for the file's header and footer signatures, so the recovered file is still FlateDecode-compressed internally, but a PDF viewer inflates it transparently.
The command to extract the files is:
# foremost -t pdf -o RecoveredFiles -i /root/ForensicsAss3/sansholidayhack2013.
The first PDF file recovered shows details of the Bedford Falls Transport System Network Map.
(See Figure 2.2-1).
Figure 2.2-1. Bedford Traffic Map PDF.
The PDF lists four street-corner addresses and a Traffic Grid Controller PLC, each with an IP address. Those IP addresses can be used as a display filter on the packet capture, which narrows a large file down considerably.
The second PDF file recovered shows details of the Bedford Falls Train Switching System Network Components.
(See Figure 2.2-2).
Figure 2.2-2. Bedford Train Switching PDF.
The PDF contains the IP addresses of the Train Management Workstation and the Simatic S7-1200 PLC. The Simatic S7-1200 PLC was previously mentioned in an email sent from the head of security, George Bailey, to Don Sawyer. A fault with the Simatic appears to have caused the bridge outage. This may have been an unsuccessful attack by Mr. Potter's goons against Bedford Falls infrastructure; more investigation is needed to confirm this.
3. Carve out further information
Foremost can also be used to extract further files from the packet capture. Instead of selecting specific file types, a full carve is performed, which sorts the recovered files into one directory per type.
# foremost -o RecFiles -i /root/ForensicsAss3/sansholidayhack2013.
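To make concrete what Foremost's header/footer carving does in the two commands above (the type-specific carve in section 2.2 and the full carve here), the following is an added Python example, not part of the original paper and not Foremost's own code. It scans a byte blob against a small signature table, rejects 'MZ' false positives by following the e_lfanew pointer at offset 0x3C to the 'PE\0\0' signature, and sorts hits into one directory per type as Foremost does. The blob is constructed inline from a hand-made PDF and a fake PE stub, not data from the challenge capture. Two simplifications are assumptions of this example: output files are named by byte offset (Foremost names by sector), and types with no footer are cut at a fixed size cap rather than at the size recorded in their own headers.

```python
import struct
from pathlib import Path
from typing import Dict, List, Optional

# (header, footer, maximum size).  footer=None means the type has no reliable
# end marker, so the carve is capped at the maximum size, as Foremost does.
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF", 5_000_000),
    "gif": (b"GIF8", b"\x00\x3b", 5_000_000),  # GIF87a/89a ... block terminator + trailer
    "exe": (b"MZ", None, 5_000_000),
}

# Constructed sample blob (not from the capture): junk, a PDF, junk, a PE stub.
# "DMZ" in the junk is a deliberate 'MZ' decoy with no PE header behind it.
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
FAKE_PE = (
    b"MZ" + b"\x00" * 0x3A          # DOS header up to e_lfanew
    + struct.pack("<I", 0x40)       # e_lfanew: PE header lives at offset 0x40
    + b"PE\x00\x00" + b"\x00" * 60  # PE signature followed by padding
)
SAMPLE_BLOB = (
    b"junk from the DMZ segment " + FAKE_PDF + b"\n" + b"\xff" * 40
    + FAKE_PE + b"trailing junk"
)


def looks_like_pe(blob: bytes, start: int) -> bool:
    """Reject 'MZ' false positives: e_lfanew at +0x3C must point at 'PE\\0\\0'."""
    if start + 0x40 > len(blob):
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, start + 0x3C)
    return blob[start + e_lfanew : start + e_lfanew + 4] == b"PE\x00\x00"


def carve(blob: bytes, out_dir: Optional[str] = None) -> List[Dict[str, object]]:
    """Carve every file matching SIGNATURES out of blob.

    Returns one record per hit: type, byte offset, data, and whether the
    footer was found.  If out_dir is given, each hit is written to
    out_dir/<type>/<offset>.<type>, mirroring Foremost's per-type directories.
    """
    hits = []
    for kind, (header, footer, max_len) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            if kind == "exe" and not looks_like_pe(blob, start):
                pos = start + 1
                continue
            limit = min(len(blob), start + max_len)
            complete = False
            if footer is None:
                end = limit
            else:
                f = blob.find(footer, start + len(header), limit)
                if f == -1:
                    end = limit  # no footer in range: truncated or a false positive
                else:
                    end = f + len(footer)
                    complete = True
            hits.append({"type": kind, "offset": start, "data": blob[start:end],
                         "complete": complete})
            # Resume after a complete file; otherwise keep looking just past the header.
            pos = end if complete else start + len(header)
    hits.sort(key=lambda h: h["offset"])
    if out_dir is not None:
        for h in hits:
            d = Path(out_dir) / h["type"]
            d.mkdir(parents=True, exist_ok=True)
            (d / f"{h['offset']:08d}.{h['type']}").write_bytes(h["data"])
    return hits


if __name__ == "__main__":
    import tempfile
    out = tempfile.mkdtemp(prefix="carved-")
    for h in carve(SAMPLE_BLOB, out):
        state = "complete" if h["complete"] else "NO FOOTER (capped)"
        print(f"{h['type']:4} @ {h['offset']:6d} {len(h['data']):6d} bytes  {state}")
    print("written under", out)
```

The incomplete flag is the check worth keeping: a PDF carved without its %%EOF, or an exe cut at the cap, is exactly the kind of output that "could not be opened", and the flag tells you whether to blame the capture rather than the file.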
Foremost extracted the exe file shown in Figure 2.3 above, but the exe file could not be opened. The htm directory contains information about the Cyber City Water Monitoring & Alarm...