Traffic analysis of a packet capture with Wireshark

Hello everybody!!

Welcome to allhacked.com. For me it is a pleasure to have been able to create this web page / blog; it has taken me a lot of effort to build it, set it up, edit it and try to make it robust and safe (at least I have tried with the knowledge I have).

This post is the first and opens allhacked. I have many pending topics to post here, and the only thing I need is a little time; I always have things to do! 😆 I will try to do my best from here on; I hope you like it. Without further delay, on with the post.

Wireshark is nothing new, everybody knows it, but today I would like to show you some of its features.

I am going to focus on a CTF from 2009. It is a puzzle used in a competition, which simulates a real case in which somewhat suspicious behavior has been detected in some employees. The statement is as follows:

Statement of puzzle.

They give us a capture of the packets that were transmitted over the network. Let’s see what it looks like in Wireshark.

Evidence.pcap opened.

In case anyone doesn’t know, the different colors that appear differentiate the protocol used in each packet. These colors can be changed to your liking per protocol in View -> Coloring Rules.

The statement tells us that Ann’s IP is 192.168.1.158, so we’ll start by filtering the packets by Ann’s IP.

For now, it doesn’t matter whether we filter by source IP or by destination IP, so we apply the display filter ip.dst == 192.168.1.158 or ip.src == 192.168.1.158. We can see that the first packet is No. 23.

Filtering the packets by Ann's IP.

On any of the filtered packets we right-click -> Follow -> TCP Stream to follow the conversation.

Follow stream.

Up to this point, you can see part of the message in plain text, but we need to go a little further. According to the statement, Ann is communicating by IM (instant messaging), so she is probably using some instant messaging client; the question is which one. If we look up information about instant messaging we can see that the most popular platforms at the time were AIM and Windows Live Messenger, so we are going to try to decode the stream as AIM.

In Analyze -> Decode As, a window opens where we specify the following fields.

Decoding as AIM.

After clicking OK, the packet list is updated. The decoding appears to have worked, so let’s try to find out who Ann’s friend is.

Searching through the packets, packet 25 identifies the screen name that Ann’s friend uses. (First question)

First question.

In that same packet, if we look at the value of the message block, the first message sent by Ann appears. (Second question)

Second question.

At this point we can suspect the name of the file Ann sent, but to be sure we have to locate the packet that explicitly indicates that the file (and its name) was sent. Looking up AIM information, we find that the data port used for TCP traffic is 5190. The expression tcp.port == 5190 filters the packets of that stream. Although we get all the packets that use TCP port 5190, only the first one with a data length greater than 0 is useful, since it is the one that can give us some information: packet 112 with Len = 256.

First data packet.

Looking closely at the data packet, it specifies that the file name is “recipe.docx”. To make sure, let’s find out which header is typical of files with the “docx” extension, that is, its signature. The file signature database shows that the header of a docx is 50 4B 03 04 (hex) or 50 4B 03 04 14 00 06 00 (hex), corresponding to MS Office Open XML Format Document and MS Office 2007 documents respectively, both starting in ASCII with PK (indicative of this type of file). Let’s check that this is really the case: doing Follow Stream on the packet in question (112) and showing the data in hexadecimal (Hex Dump) we have:

Beginning of the data frame.

Indeed, a file named recipe.docx has been sent (Third question), and its header is 50 4B 03 04 14 00 06 00, where the first 4 bytes are 50 4B 03 04 (Fourth question).

For the last two questions, we need to extract all the data of the sent file (to compute the MD5 and to see the secret recipe! 😏).

To do this, we have to locate the first and the last packet of the data. The first packet is the one where the header 50 4B 03 … appears: packet 119; if we go to the end of the data we see that it is packet 131. Next, we right-click -> Mark/Unmark Packet on both packets and finally go to File -> Export Specified Packets, where we select “First to last marked” to export all the data packets.

Data export.

Once all the data has been exported, we open the new file in Wireshark again and do Follow Stream on any packet. In the stream window, we select “Show and save data as” Raw (it must be saved as Raw, otherwise the file will be corrupted); finally we save it as recipe.docx (the extension matters) and that’s it, we have the hardest part done.

Preview data in RAW.

On Linux we use the md5sum command to generate the MD5 of the file. On Windows it is necessary to download a Microsoft add-on (FCIV, File Checksum Integrity Verifier) and use the command fciv -md5 <file>. The MD5 is: 8350582774E1D4DBE1D61D64C89E0EA1. (Fifth question)
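The walkthrough above is a sequence of Wireshark clicks: filter by Ann’s IP, keep only the TCP port 5190 segments that carry data, reassemble the stream, check the PK signature and hash the result. As an added example (not part of the original post or of the contest material), the following Python script performs the same steps on a small capture constructed in memory, so each step can be checked without Evidence.pcap. Only Ann’s IP and port 5190 come from the post; the peer address 192.168.1.159, the sequence numbers and the file contents are constructed. The script uses only the standard library and parses the libpcap format directly, so it also works where Wireshark is not installed.

```python
import hashlib
import struct
from dataclasses import dataclass

# Ann's address is the one the puzzle gives; the peer address and the rest of the
# capture below are constructed for this example, not taken from Evidence.pcap.
ANN = "192.168.1.158"
PEER = "192.168.1.159"        # assumed recipient of the direct file transfer
AIM_DATA_PORT = 5190

# Constructed stand-in for recipe.docx. A DOCX is a ZIP container, so it starts
# with the ZIP local-file-header signature 50 4B 03 04 (ASCII "PK").
FILE_BYTES = b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml secret recipe ..." * 3

@dataclass
class Packet:
    number: int      # 1-based, as Wireshark numbers frames
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes

def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def _dotted(raw):
    return ".".join(str(b) for b in raw)

def _frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums are left at zero (Wireshark would flag them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # MAC addresses zeroed, EtherType IPv4

def build_pcap(frames):
    """Serialise frames as a libpcap file (magic A1B2C3D4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, fr in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + n, 0, len(fr), len(fr)) + fr)
    return b"".join(out)

def iter_packets(pcap):
    """Yield every IPv4/TCP packet of a little-endian libpcap capture."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    pos, number = 24, 0
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        number += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
        if proto != 6:                                          # not TCP
            continue
        t = 14 + (vihl & 0x0F) * 4
        sport, dport, seq, _, doff = struct.unpack("!HHIIB", frame[t:t + 13])
        payload = frame[t + (doff >> 4) * 4:14 + total_len]     # total_len strips Ethernet padding
        yield Packet(number, _dotted(src), _dotted(dst), sport, dport, seq, payload)

def host_filter(packets, ip):
    """Same as the display filter: ip.src == ip or ip.dst == ip."""
    return [p for p in packets if ip in (p.src, p.dst)]

def data_packets(packets, port=AIM_DATA_PORT):
    """Same as: tcp.port == port and tcp.len > 0 (pure ACK segments are dropped)."""
    return [p for p in packets if port in (p.sport, p.dport) and p.payload]

def reassemble(packets, src, dst):
    """Rebuild one direction of the stream by sequence number, skipping retransmitted copies."""
    seen, chunks = set(), []
    for p in sorted(packets, key=lambda p: p.seq):
        if p.src == src and p.dst == dst and p.seq not in seen:
            seen.add(p.seq)
            chunks.append(p.payload)
    return b"".join(chunks)

def is_zip_container(data):
    """The header check from the walkthrough: a DOCX starts with 50 4B 03 04."""
    return data[:4] == b"PK\x03\x04"

def md5_hex(data):
    return hashlib.md5(data).hexdigest().upper()

def extract_file(pcap, sender=ANN, receiver=PEER):
    """Whole workflow: filter by host, keep data segments, reassemble, check header, hash."""
    pkts = host_filter(iter_packets(pcap), sender)
    data = reassemble(data_packets(pkts), sender, receiver)
    return data, is_zip_container(data), md5_hex(data)

# Constructed capture: unrelated web traffic, a bare ACK, the file in three
# segments, and a retransmission of the second segment.
SEGS = [FILE_BYTES[:40], FILE_BYTES[40:80], FILE_BYTES[80:]]
SAMPLE_PCAP = build_pcap([
    _frame("192.168.1.10", "10.0.0.5", 51000, 80, 1, b"GET / HTTP/1.1\r\n\r\n"),
    _frame(PEER, ANN, AIM_DATA_PORT, AIM_DATA_PORT, 900, b""),      # tcp.len == 0
    _frame(ANN, PEER, AIM_DATA_PORT, AIM_DATA_PORT, 100, SEGS[0]),
    _frame(ANN, PEER, AIM_DATA_PORT, AIM_DATA_PORT, 140, SEGS[1]),
    _frame(ANN, PEER, AIM_DATA_PORT, AIM_DATA_PORT, 140, SEGS[1]),  # retransmission
    _frame(ANN, PEER, AIM_DATA_PORT, AIM_DATA_PORT, 180, SEGS[2]),
])

if __name__ == "__main__":
    data, ok, digest = extract_file(SAMPLE_PCAP)
    print(len(data), "bytes, PK header:", ok, "MD5:", digest)
```

The retransmitted segment is there on purpose: reassemble() drops duplicate sequence numbers, which is what Follow TCP Stream does for you when you save the data as Raw, and it is why simply concatenating the payloads of the exported packets would give a corrupted file and a wrong MD5. Swap SAMPLE_PCAP for the bytes of a real capture file to run the same checks on it; the parser only handles the classic little-endian pcap format with Ethernet frames.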

And most importantly … we have the secret recipe! (Sixth question)

Secret recipe.

We have completed the puzzle! (At last)

PS: Forgive so many images, but I wanted to be clear.

I hope I have explained myself clearly and I hope you liked it. See you in the next post! 😉

Happy Hacking!
