The winner of the “Check It Out” Packet Challenge is Jamie Starkel (@jstarkel on Twitter) Here’s Jamie’s solution:
Jamie writes:
Given the sample packet beginning with 4500 tells us a few things. The first is that the first byte (45) means that it is an IPv4 packet, and the 5 is the Internet Header Length, which is actually 20, because the field is measured in 32-bit multiples.
So our working set of bytes is the first 20:
4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101
Putting alongside the binary value makes the calculations easier.
I ended up with a table like the following:
Hex Binary
4500 0100010100000000
0527 0000010100100111
0001 0000000000000001
4000 0100000000000000
4006 0100000000000110
0000 0000000000000000 <– the checksum is set to zero
c0a8 1100000010101000
0102 0000000100000010
c0a8 1100000010101000
0101 0000000100000001
We are going to take the binary value of the first two bytes and add them together. Then we’ll take that result and add it to the next two bytes, and so on. If we need to carry a bit, we’ll go ahead and do that but drop the extra bit when adding it to the next two bytes since we have to keep them as 16-bit words. Once we get the eighth and last result, we’ll have to take the ones complement of it and that will give us our final checksum.
So here we go:
0527 0000010100100111
4a27 0100101000100111 <– This is the 1st result.
4a27 0100101000100111 <– First result plus next 16-bit word.
0001 0000000000000001
4a28 0100101000101000 <– This is the 2nd result.
4a28 0100101000101000 <– Second result plus next 16-bit word.
4000 0100000000000000
8a28 1000101000101000 <– This is the 3rd result.
8a28 1000101000101000 <– Third result plus next 16-bit word.
4006 0100000000000110
ca2e 1100101000101110 <– This is the 4th result.
ca2e 1100101000101110 <–Fourth result plus next 16-bit word.
c0a8 1100000010101000
18ad6 11000101011010110 <– Fifth result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.
18ad6 11000101011010110
.8ad7 1000101011010111 <– This is the final 5th result
8ad7 1000101011010111 <– Final 5th result plus next 16-bit word
0102 0000000100000010
8bd9 1000101111011001 <– This is the 6th result
8bd9 1000101111011001 <– Sixth result plus next 16-bit word.
c0a8 1100000010101000
14c81 10100110010000001 <– Seventh result has a carry bit. Since we need to keep these in 16-bit words, we add the carry bit to the result.
14c81 10100110010000001
.4c82 0100110010000010 <– This is the final 7th result
4c82 0100110010000010 <– Seventh result plus last 16-bit word.
0101 0000000100000001
4d83 0100110110000011 <– Last result
4d83 0100110110000011
b27c 1011001001111100 <– Ones complement of last result is the checksum
So the final checksum of this packet is b27c.
Chris continues:
Congrats Jamie! Even though there are many cool tools that can do this work for you, it’s nice to know how the checksum is actually calculated. Speaking of cool tools, Thursday I’ll post a solution that was sent in using Scapy.
Also, did anyone take a look at the payload? 🙂
It’s time for another packet challenge. This time the challenge is to calculate the IP Header checksum of the following packet:
—
4500 0527 0001 4000 4006 0000 c0a8 0102
c0a8 0101 2b67 0014 0000 006f 0000 006f
5018 0200 aa32 0000 ffd8 ffe0 0010 4a46
4946 0001 0200 0064 0064 0000 ffec 0011
4475 636b 7900 0100 0400 0000 0a00 00ff
ee00 0e41 646f 6265 0064 c000 0000 01ff
db00 8400 1410 1019 1219 2717 1727 3226
1f26 322e 2626 2626 2e3e 3535 3535 353e
4441 4141 4141 4144 4444 4444 4444 4444
4444 4444 4444 4444 4444 4444 4444 4444
4444 4444 0115 1919 201c 2026 1818 2636
2620 2636 4436 2b2b 3644 4444 4235 4244
4444 4444 4444 4444 4444 4444 4444 4444
4444 4444 4444 4444 4444 4444 4444 4444
4444 4444 44ff c000 1108 004f 004f 0301
2200 0211 0103 1101 ffc4 0075 0000 0203
0101 0000 0000 0000 0000 0000 0000 0401
0305 0602 0101 0000 0000 0000 0000 0000
0000 0000 0000 1000 0201 0204 0403 0308
0b00 0000 0000 0001 0203 0011 2131 1204
4151 6105 8122 1371 9132 a1b1 e142 5262
72d2 c1d1 8292 a233 7393 1415 0611 0100
0000 0000 0000 0000 0000 0000 0000 00ff
da00 0c03 0100 0211 0311 003f 00ec e8a2
8a08 a5e7 df6d f6e4 2cd2 2213 c198 0aa7
72cf 3c83 6d19 2a00 0d23 2e76 37b2 8ea6
c71e 0075 156c 1b28 36ea 4468 0039 9e27
da4e 2683 da6e 6274 f515 d4a0 cd81 b8af
50cc 93a0 9232 191b 222b 13bf 47b5 dbed
a57f 8257 52ab a0e9 2c7a 81f1 0e77 bd87
2a5b fe65 a6dc 6d2c 252a aacc 2c14 13cf
337e 7ca8 3a9a 2926 dbce b8c7 31bf 2915
48f9 029a 9837 4598 c530 d122 8d59 f948
e6a7 e7e4 7c2e 0e51 5153 4054 1c2a 6b27
be6f 7fc6 db32 a8bc 8e19 5074 b5d8 f82d
cfb7 0a05 e0ef 1b78 e52a f706 521e ff00
56ed 8229 e44a a83e 3577 fb19 774d e96c
d6ce 3095 e41e 58cf d9fb cc39 0c38 deb8
5ee6 026f 24c0 140f 80e8 b97b c575 bff3
bbaf 5142 31b9 2194 fe28 ec2f e28c bfbb
eda0 d28f b444 11c4 a4c9 2480 abc8 ff00
158f 2fb2 3a0a 3b3f 6c1d b213 0ab6 abb1
6bda d4de eb72 bb58 ccaf 7205 be11 7389
b655 306e 239d 03c6 da94 d05d 58bd fe29
1a38 de00 0cca fa50 3006 faf0 e387 5f0a
d2dc eee2 db0d 5230 5be4 389f 60cc f852
d0c7 26e6 513c ca51 13f9 4873 b916 2cc3
81b6 0070 c49c 6d60 bbb7 c524 5085 9459
b3d3 7be9 e97e 9f45 3945 1405 5524 4925
8b00 48bd ae39 e06d ed15 6d14 1c07 77ed
13a3 8529 e41e 5f58 02c0 afd5 d400 2750
1e53 cec0 df9e b765 edfb 8450 ea74 841a
53d4 4b6b d56b 9b5f 5016 0a01 cce2 4819
5753 4506 5b4c 2571 b4dd 2697 61a9 0a9f
29d3 63e5 3810 c33e 99dc d67c 9db2 4138
8a19 003a 492e cbe6 0320 d704 5df8 5f97
c57c 2ecf 7585 f73b adbc 31b9 423d 472c
83cc a2d6 cfad edf2 d7a6 ed02 02bb 8819
9a74 fad2 393a c715 3c05 f9db 038d 031b
2ed3 06d0 eb03 5ca7 e295 f162 7f47 8568
d2db 3dca ee63 f517 0372 aca7 3561 983d
47d3 4cd0 1451 4501 4514 5015 141a cc59
7773 ab59 3d33 6c14 f3ea d8df f657 a5e8
16d9 6ecc 9dc2 60c3 062d 1c67 fa5a 6e3d
ec4f 8568 c339 79a5 85f0 29a1 97f0 b0fc
c1ab 9e48 f7bd b1e3 32a0 941f 2974 c717
7b9b 5ed6 66be 937c f020 e62b 5f60 93bc
cdb8 dc80 8ccb a123 e3a6 f7bb 75e8 3e1f
1a0f 7b70 21df 4a83 2915 2523 8061 e53e
fb0f 7569 d677 6f53 297d d3e7 21d2 8392
2e5e 24dc 9f6d 68d0 1451 4501 4514 5015
54d2 a408 6490 e955 cc9a b694 dec3 14d1
6995 b4ad d7cd 7b63 7f2e 7867 6fd5 40af
aafb e68f 446e b12b eb2e f65d 416f 6b2d
f562 6c71 030a 6771 0c8d 224b 115b a061
66fb d6e5 ecaf 036f ba53 e59c 11f7 e204
ff00 0b27 cd53 e9ee f8c9 1ff6 cfe7 a0ce
2dbc d90d 2b8a 8bb6 95b3 d85f ecd9 1ac3
a5cf 4ad0 da6e de56 f4e5 02e5 43a3 21ba
ba9e 38d8 8e17 1ee2 6978 f692 068c 34cb
e507 4e85 b310 73c4 b361 e1cb 2a6b 670e
da2b 8db9 5370 326d 474e 36e2 70ce dc28
1da2 8a28 3fff d9
—
As always, best explanation wins. Send your answers to chris (dot) christianson (at) gmail (dot) com.
Filed under: hping, nping, spoof, tcpdump | Tags: hping, nping, Packet Challenge, spoof
This is a follow up to the “Ping me!” packet challenge. In the previous post I asked how you could spoof MAC addresses using Nping and Hping. Here is the answer:
Using Nping
# nping –icmp -c 1 –icmp-type 0 –dest-ip 192.168.200.128 –source-ip 192.168.200.129 –icmp-id 0 –icmp-seq 555 –data-string ‘Ping me!’ –source-mac 00:0c:29:48:55:1f –dest-mac 00:0c:29:a6:5e:2f
Starting Nping 0.5.35DC1 ( http://nmap.org/nping ) at 2011-01-02 09:34 PSTSENT (0.0000s) ICMP 192.168.200.129 > 192.168.200.128 Echo reply (type=0/code=0) ttl=64 id=17243 iplen=36
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 1 (50B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
Tx time: 0.00083s | Tx bytes/s: 59952.04 | Tx pkts/s: 1199.04
Rx time: 0.99989s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 1.00 seconds
The following is the output from tcpdump:
# tcpdump -i en1 -e host 192.168.200.128
tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes21:31:24.609114 00:0c:29:48:55:1f (oui Unknown) > 00:0c:29:a6:5e:2f (oui Unknown), ethertype IPv4 (0x0800), length 50: 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 0, seq 555, length 16
Using Hping
Hping doesn’t have the ability to spoof MAC addresses, but that still doesn’t prevent us from working around it.
The MAC address of most *nix machines can be changed by doing something close to the following:
# ifconfig en1 ether 00:0c:29:48:55:1f
For instructions on how to change MAC addresses on other OSs see the following link:
Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing)
That takes care of the source MAC address, but what about the destination MAC address? This can be spoofed by creating a static ARP entry:
arp -S 192.168.200.128 00:0c:29:a6:5e:2f
Now just run hping as demonstrated in the previous post.
Filed under: hping, Packet Challenge | Tags: hping, Packet Challenge, spoof
As promised here’s the solution to the “Ping me!” packet challenge using hping. The first example shows how to craft the reply using just the built-in command line options. As you will see, hping does have some limitations. The second example shows a way to overcome these limitations and craft a better reply.
Example #1 — Crafting a reply using Hping
# hping3 192.168.200.128 -a 192.168.200.129 -c 1 -1 -C 0 -e “Ping me”!
HPING 192.168.200.128 (en1 192.168.200.128): icmp mode set, 28 headers + 8 data bytes
[main] memlockall(): Resource busy
Warning: can’t disable memory paging!
— 192.168.200.128 hping statistic —
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Here is a break down of the command:
- 192.168.200.128 is the destination IP address.
- ‘-a 192.168.200.129’ spoofs the source IP address.
- ‘-c 1’ sends one packet.
- ‘-1’ specifies ICMP.
- ‘-C 0’ specifies ICMP Code 0 aka a echo reply.
The following is the output from tcpdump:
11:40:26.480933 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 6699, seq 0, length 16
- 192.168.200.128 is the destination IP address.
- ‘-a 192.168.200.129’ spoofs the source IP address.
- ‘-c 1’ sends one packet.
- ‘-0’ specifies Raw IP mode.
- ‘-H 1’ set the protocol to ICMP when in Raw mode.
- ‘-E payload.bin’ is the payload.
- ‘-d 16’ is the length of the payload in bytes.
Here is a screenshot of payload.bin
The following is the output from tcpdump:
13:08:58.353552 IP 192.168.200.128 > 192.168.200.129: ICMP echo reply, id 0, seq 555, length 16
With scapy we were able to spoof the source MAC address. Bonus points to anyone who can tell me how we could do the same thing here?
References:
http://www.hping.org/manpage.html
Filed under: nping, Packet Challenge | Tags: nping, Packet Challenge, spoof
Jon Wohlberg (@jonw18 on Twitter) sent in a solution to the “Ping me!” packet challenge using nping:
Jon writes:
After opening the packet in tcpdump and wireshark, I immediately noticed that this was an icmp packet. Specifically, it is an icmp echo request or as it is better known as a ping request. According to the instructions we had to craft a packet that would reply to this packet.
Therefore, we need to craft an ICMP echo reply.
In order to craft a packet I could have choosen numerous programs including scapy, hping, and nemesis. However, for this task I choose nping, a packet crafter from the creators of nmap.
First we need to obtain all pertinent information from the packet provided.
1. Source IP (one initiating the echo request) –> 192.168.200.128
2. Destination IP (one receiving the request) –> 192.168.200.129
3. ICMP Type and Code (Stating that this is an echo request)
TYPE = 8
CODE = 0
4. ICMP Identifier –> 0
5. ICMP Sequence number –> 555
6. ICMP Data –> Ping me!
Now that we have all of the important information, we can craft a packet (an ICMP echo reply) to reply to this request. We will be replying with the following information:
1. Source IP (this is the machine responding) –> 192.168.200.129
2. Destination IP (One who originally initiated the request) –> 192.168.200.128
3. ICMP Type and Code (Stating that this is an echo reply)
TYPE = 0
CODE = 0
Per the ICMP rfc (RFC 792), it states that “The identifier and sequence number may be used by the echo sender to aid in matching the replies with the echo requests.” “The echoer returns these same values in the echo reply.”
Meaning the ICMP identifier and sequence number need to be the same.
4. ICMP Identifier –> 0
5. ICMP Sequence number –> 555
The rfc also states “The data received in the echo message must be returned in the echo reply message.”
Translations, the data sent in the echo request must be sent back in the echo reply.
6. ICMP Data –> Ping me!
Now that we have our echo reply values we can craft our packet with nping. The command I used is:
nping –icmp -c 1 –icmp-type 0 –icmp-code 0 –source-ip 192.168.200.129 –dest-ip 192.168.200.128 –icmp-id 555 –icmp-seq 0 –data-string ‘Ping me!’
This command and be broken down as follows:
1. nping –> name of the program
2. –icmp –> tells nping to use the ICMP protocol
3. -c 1 –> tells nping to send only one paket
4. –icmp-type 0 and –icmp-code 0 –> indicates an echo reply
5. –source-ip 192.168.200.129 –> states that this will be the
address replying to echo request. Where the reply originates from.
6. –dest-ip 192.168.200.128 –> where we are sending the reply. This
is the machine that initiated the conversation.
7. –icmp-id 555 –> we need to include the icmp identifier from the
echo request.
8. –icmp-seq 0–> the icmp sequence number from echo request
9. –data-string ‘Ping me!’ –> the data from the echo request that
must be included.
Once we crafted our packet we need to capture the results. This can be done with tcpdump. The command I used was:
tcpdump -vnnX -i eth0 -w 13_answer.pcap icmp
This tell tcpdump to listen in verbose mode, disable name and port resolution, print hex, use interface eth0, write the results to a file and filter on icmp traffic.
tcpdump captures the following echo reply
14:39:57.508501 IP (tos 0x0, ttl 64, id 18673, offset 0, flags [none],
proto ICMP (1), length 36)
192.168.200.129 > 192.168.200.128: ICMP echo reply, id 555, seq 0, length 16
0x0000: 4500 0024 48f1 0000 4001 1f95 c0a8 c881 E..$H…@…….
0x0010: c0a8 c880 0000 b975 022b 0000 5069 6e67 …….u.+..Ping
0x0020: 206d 6521 .me!
After viewing our results in wireshark, we confirmed a successful echo
reply to the challenge.
The capture file can be download from the I Smell Packets Google group at the following URL:
http://groups.google.com/group/ismellpackets
The filename is:
13_answer.pcap
Chris continues:
I hadn’t used nping until this. Pretty cool. Thanks for the write-up Jon. I’ll post a solution using hping tomorrow.
Filed under: Packet Challenge, scapy, spoof | Tags: Packet Challenge, scapy, spoof
The winner of The “Ping me!” Packet Challenge is Johannes Ullrich (@johullrich on Twitter) Here’s Johannes’ solution:
Johannes writes:
I used scapy to craft the response. Here is the scapy command line sequence with explanation:
e=Ether(dst=’00:0c:29:a6:5e:2f’, src=’00:0c:29:48:55:1f’, type=0x0800);
The ethernet header: Just reverse source and destination, but keep the type the same.
i=IP(version=4, ihl=5, tos=0, len=36, id=1234, flags=0, frag=0, ttl=64, proto=1, src=’192.168.200.129′,dst=’192.168.200.128′);
For the IP header:
– – we swap the source/destination, but keep everything else the same. TTL could of course be different but lets just assume that the receiving host also uses a Unix’isch starting TTL of 64. I picked a different IP ID just to make a point that it is not necessarily the same as the inbound one.
The ICMP Header:
ic=ICMP(type=0, code=0, id=1, seq=555);
type and code is ‘0’ for an ICMP echo reply. The ID and sequence number have to be the same as in the request.
The payload is the same as the request (Ping me!).
So the complete packet:
p=e/i/ic/’Ping me!’
and then send it at layer 2: sendp(p) (optionally, we could specify the interface here).
Here is the packet as received by tcpdump using the ‘xx’ option to inspect the full ethernet header:
02:19:27.048612 IP 192.168.200.129 > 192.168.200.128: ICMP echo reply, id 1, seq 555, length 16
0x0000: 000c 29a6 5e2f 000c 2948 551f 0800 4500
0x0010: 0024 04d2 0000 4001 63b4 c0a8 c881 c0a8
0x0020: c880 0000 b974 0001 022b 5069 6e67 206d
0x0030: 6521
Chris continues:
Congrats Johannes! Of course if Johannes enters he’s going to win. 🙂 Honorable mention goes out to Jon Wohlberg who used Nping to craft the ICMP echo reply. I’ll post Jon’s solution tomorrow.
Yet another packet challenge for all of you to try. This time the challenge is to craft the best possible reply in response to the packet in this capture.
The capture file can be download from the I Smell Packets Google group at the following URL:
http://groups.google.com/group/ismellpackets
The filename is:
13.pcap
As always, best explanation wins. Send your answers to chris (dot) christianson (at) gmail (dot) com.
The results are in and the solution has been posted to the “The Spy Hunter” Packet Challenge. Go to Alec R Waters (@alecrwaters on twitter) blog at wirewatcher.wordpress.com for the whole story.
There has been an incident at Yellow Sun Heavy Industries, a government defense contractor. You have been called in to investigate. Do you think you have what it takes to solve the case?
Try the latest packet challenge from ismellpackets.com friend, Alec R Waters (@alecrwaters on twitter). The packet challenge is entitled, “The Spy Hunter.”
The capture file can be download from the I Smell Packets Google group located at the following URL:
http://groups.google.com/group/ismellpackets
The filenames are:
spyhunter-brief.pdf
spyhunter-irc.pcap
Best explanation wins their choice of a $15.00 Starbucks Gift Card or $15.00 iTunes Gift Card. Send your answers to chris (dot) christianson (at) gmail (dot) com.
****************************
Disclaimer: All characters in this challenge are fictitious. Any resemblance to real or virtual persons, living or dead, is purely coincidental.
At no point in this challenge should you attack any system. All tasks can be accomplished by performing simple analysis.
******************************
Filed under: NetworkMiner, Packet Challenge, pcap, Wireshark | Tags: NetworkMiner, Packet Challenge, pcap, Wireshark
The winner of the “Name that Tune” – Packet Challenge is Travis Lee (@eelsivart on Twitter) Here’s Travis’ solution:
Travis writes:
To analyze this packet capture, I will be opening this file in Wireshark.
In Packet 1, expand the Internet Protocol section. This is the IP Header information for this packet. To find the 8th byte of the IP header for this packet, click on Internet Protocol line. This is the line that also shows the source and destination IP addresses. After you click on this line, in the bottom frame in Wireshark, you will notice that a group of numbers is highlighted. These are the bytes (separated by spaces) that make up the IP header. When counting bytes in a packet, you must start counting with the number zero. Counting from the first highlighted byte, we will count until we reach byte eight and we see that it is 40. If you click on that byte on the bottom frame, you will see that the Time to live field is now highlighted. This is the 8th byte in the IP header. Notice that we are not using the number 64 because that is the value of the field and not the actual byte (hex) equivalent.
In Packet 4, expand the Transmission Control Protocol section. In here you will find the Flags field of the TCP Header. When you expand this section, you will see that this section contains eight, 1 bit flags. When an individual flag is set, the bit is set to 1. Since each individual flag is only 1 bit in length, when a flag is set, its value will be 1 in binary which is also 1 in decimal. Looking at the Acknowledgement (ACK) flag, we see that it is Set and its value is 1.
In Packet 8, expand the Internet Protocol section. This section contains the IP Header for the packet. Part of the IP Header contains the Time to live (TTL) field for the packet. We see that the TTL for this packet is 128, but this is in decimal form. The quickest way to get the hex equivalent for this value is to click on the “Time to live” line, and look at the bottom frame in Wireshark. You will see that a number is highlighted in the bottom section. This is the hex value for that field in the packet. We see that the number is 80.
The next question is asking for the number of bytes in the 8th IP Datagram. The term datagram is usually synonymous with the term packet and since all the data in this capture have been transmitted over TCP/IP, we can say that the 8th IP datagram is the 8th packet. To find the number of bytes in this IP datagram, we will select Packet 8 and expand the Internet Protocol section. This is where we will find the Total Length field in the IP Header. The Total Length field defines the entire datagram size, which includes the header and data in bytes. We see that this number is 113.
In Packet 10, we see that the destination IP address is 192.168.94.128. IPv4 addresses are represented by 32 bits and are split into four parts, separated by dots, each of which is represented by 8 bits. A grouping of 8 bits is called an octet. When we look at this IP address, we see that the last octet is 128. Now we need to convert this number into binary. First we need to list the powers of two in a base 2 table from right to left. Since an octet is 8 bits, we will list eight elements.
128 64 32 16 8 4 2 1 (base 2 table)
Then we need to find what the greatest power of two from this table that will go into our decimal that we are converting, 128. 128 is the greatest power of two that goes into our number 128. Easy! We will then write a 1 underneath 128 in our base 2 table. We will now write a 0 under all the other numbers because none of the other base 2 numbers go into 128.
128 64 32 16 8 4 2 1 (base 2 table)
——————————————————————————-
1 0 0 0 0 0 0 0 (binary)
We see that the number after conversion to binary is 10000000.
In Packet 12, expand the Internet Protocol section. In here you will find the Flags field of the IP Header. When you expand this section you will see that this section contains three, 1 bit flags. When an individual flag is set, the bit is set to 1. Since each flag is only 1 bit in length, when a flag is set, its value will be 1 in binary which is also 1 in decimal. Looking at the Don’t fragment flag, we see that it is Set and its value is 1.
Now what do we do with this number? This doesn’t look like it is a “phrase that pays.” Unless that’s the amount of money you win on this challenge? Probably not… J
Let’s look further into this packet capture to see if there is anything else that might lead us to an answer.
We can see that this is a capture of FTP traffic according to the Protocol field in Wireshark. Looking at the Info field, we see that a user is connecting to a FTP site, logging in, and downloading a file named File.rar. Let’s find out what that file is and what it contains.
To figure out what this file contains, we need to extract the file from the packet capture. To do this, we need to first find the packets where the data transfer is taking place. Looking at Packet 33, the protocol is FTP-DATA and the size is 112 bytes. This is a good place to start. To find other packets associated this, we will right-click on Packet 33 and select Follow TCP Stream. Looking at the raw packet data, we see that this is possibly a RAR archive with a file named File.txt in it. This might be what we are looking for!! We want to make sure that the only data we extract is the data that the FTP server is sending back to the client. To do this, in the Follow TCP Stream window, there is a drop down box near the bottom of the window. We will select the part of the conversation that is from the server (192.168.94.152) to the client (192.168.94.128), which is 112 bytes in size. We will also make sure that the radio button next to Raw is selected as we want the data its original raw format. Then click Save As and select the directory to save it to and a name for the file. Since this looks like a RAR file, we will save it as File.rar.
Now let’s try opening this file. Since I am on Windows, I am using a program called WinRAR to try to extract the file(s) in File.rar. File.rar opens in WinRAR and shows that there is a file named File.txt contained in it. As we try to extract File.txt, we notice that it is protected by a password. Let’s try using the solution that we came up with during the challenge (10000235). It worked!!
When you open File.txt, you see that there is a phrase that says “Too Many Secrets”.
Chris continues:
Congrats Travis! Well done. Thanks to everyone who sent in entries. Honorable mention goes out to Aaron Lundell, who also submitted a very good write-up. Another cool tool I thought I would mention in case you’ve never heard of it is NetworkMiner. It is great for extracting files from pcaps.
Here is a screenshot:
NetworkMiner can be downloaded from the following URL:
http://networkminer.sourceforge.net/
If you’d like to submit a challenge to http://www.ismellpackets.com contact me at chris (dot) christianson (at) gmail (dot) com.
I Smell Packets 