Friday, 24 August 2012

Question #6 Where are Paul and John?

This post is to add some more detail to "Quesion #6 Where are Paul and John?" from my original post on Puzzle #10


6. Where are Paul and John? Report their GPS coordinates:a) Latitudeb) Longitude
BONUS. What is the name of the nearest bar?

Answer:  maps.google 
a) 6.421402
b) 3.441021
Bonus: Bar Baric 

To start with I created a c# console app to extract any exif GPS location data from JPG files, the code can be found here.

I opened pcap-from-surviving-hard-drive.pcap in WireShark and NetworkMiner to analyse the data. Initially done to extract images so I could check to see if there were any GPS coordinates in the exif data using the console app I created. None were found, this question was not going to be that easy.

Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. I used WireShark “File, Export, Objects, SMB” Found 4 files all called larryeatswrt-with-secretsauce.jpg

This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.
I used HxD to concatenate the files starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence. File 3->4->1->2. There was some corruption around the file joins, I took a look and started deleting data one byte at a time, 24 bytes later the first join was fixed. When I got to the second join I found it was a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started I could have save myself some time) anyhow, I removed the “twenty-four overlapping bites” from the joins. Ok check for GPS exif data. No luck. 

From analysing the PCAP data with WireShark and NetworkMiner, of interest were the web sites visited and Google / Bing searches:

Searches…
Google: how do i hide things in pictures
Bing: outguess.org

Stenography Sites and urls visited…

Other Excellent sites from the PCAP file…

I took a look at the method used from the instructables site and did not find any images encoded using that method. Also all jpg files had the correct FF D9 footer making this type of stenography unlikely for these files.

Downloading the only windows binary from the outguess website "Stegdetect 0.4 - Windows Binary" the 2 main executables were stegdetect and stegbreak 

stegdetect.exe

I copied the files I wanted to test into a temp directory
Then ran stegdetect.exe over the files in that directory

I used a dos, for in do loop http://ss64.com/nt/for.html as stegdetect would not process all files in a directory.

A good site for command line help is ss64 http://ss64.com not just for dos but bash, PowerShell, OS X and more.

I used the @ in front of the command so the command itself is not echoed to the console, this makes the output more readable. 

From the stegdetect help file.

-s Changes the sensitivity of the detection algorithms 
-q Only reports images that are likely to have steganographic content.
-n Enables checking of JPEG header information to suppress false positives.

Using the default sensitivity of 1 we get one possible file

c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s1 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\paul2.jpg : jphide(*)
Corrupt JPEG data: premature end of data segment

Upping the sensitivity to 2 we get four possible files

c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -s2 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
C:\Data\JPGs\Larry_zombie_cat.jpg : jphide(*)
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\paul2.jpg : jphide(**)
C:\Data\JPGs\Photo on 2011-03-11 at 20.43.jpg : jphide(*)
Corrupt JPEG data: premature end of data segment

Adding the -n option we get back to one possible file
c:\Data\stegdetect>for %f in (C:\Data\JPGs\*.*) do @stegdetect.exe -q -n -s2 "%f"
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
Corrupt JPEG data: 12 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
C:\Data\JPGs\larryeatswrt-with-secretsauce.jpg : jphide(*)
Corrupt JPEG data: 228 extraneous bytes before marker 0xd9
Corrupt JPEG data: bad Huffman code
Corrupt JPEG data: premature end of data segment

stegbreak.exe

Next I ran stegbreak over the files...
list.text just contained the one word dekankcah
I also used rockyou, cain and john word lists.


c:\Data\stegdetect>stegbreak -r rules.ini -f list.txt -t opj c:\Data\JPGs
Corrupt JPEG data: 564 extraneous bytes before marker 0xd9
--SNIP--
Corrupt JPEG data: premature end of data segment
Loaded 13 files...
c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]
c:\Data\JPGs/superstrand.jpg : negative
c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative
c:\Data\JPGs/!SC01033.jpg : negative
c:\Data\JPGs/paul2.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
c:\Data\JPGs/ohnoeswrt.jpg : negative
c:\Data\JPGs/larryeatswrt.jpg : negative
c:\Data\JPGs/LarryPlus40.jpg : negative
c:\Data\JPGs/!SC01033.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative
c:\Data\JPGs/dogfortstrand.jpg : negative
c:\Data\JPGs/dogfortstrand.jpg : negative
c:\Data\JPGs/strandbunny.jpg : negative
c:\Data\JPGs/haxorthematrix-has-a-posse.jpg : negative
c:\Data\JPGs/larryeatswrt-with-secretsauce.jpg : negative
c:\Data\JPGs/larryeatswrt.jpg : negative
c:\Data\JPGs/LarryPlus40.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/Larry_zombie_cat.jpg : negative
c:\Data\JPGs/ohnoeswrt.jpg : negative
c:\Data\JPGs/paul2.jpg : negative
c:\Data\JPGs/Photo on 2011-03-11 at 20.43.jpg : negative
c:\Data\JPGs/strandbunny.jpg : negative
c:\Data\JPGs/superstrand.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
c:\Data\JPGs/x_marks_the_spot.jpg : negative
Processed 13 files, found 1 embeddings.
Time: 2 seconds: Cracks: 1364,    682.0 c/s

outguess

With no windows binaries available I started up an Ubuntu install I had in VirtualBox.

Installing out guess was a simple process using the "Ubuntu Software Centre" You simply type outguess into the search box, and click Install

You then start Terminal and run outguess.

I first ran outguess on haxorthematrix-has-a-posse.jpg with a key of 9dekankcah (from stegbreak) and dekankcah (answer to question #5). This failed "Extracted datalen is to long:"

Next, based on the file name "larryeatswrt-with-secretsauce.jpg" and the fact you had to reconstruct the file based on hints in the narrative (note to self, read all the narrative before starting the puzzle) and that this is the last question and you haven't used the reconstructed file yet. I ran outguess on "larryeatswrt-with-secretsauce.jpg"
outguess -t -r -kdekankcah larryeatswrt-with-secretsauce.jpg /home/me/data.txt
Reading larryeatswrt-with-secretsauce.jpg....
Extracting usable bits:   16713 bits
Steg retrieve: seed: 10, len: 171
cat /home/me/data.txt 

Gone fishing, back in 2 weeks.

Hugs,
Paul & John

P.S.  We aren't sure what happened to Larry. 

P.P.S.  We're at a bar near here if you want to hang:  6.421402,3.441021


I checked the location on Google maps and found Bar Baric with this review...
“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”

I cracked open a beer, and submitted my answers...

Saturday, 11 August 2012

Packet capture analysis in SQL Server with C5 SIGMA and Regex


I have been looking to get pcap data into a database to do some aggregation and analysis for some time now. A few days ago I came across C5 SIGMA from Command Five

C5 SIGMA takes network packet capture (pcap) data as input and produces a structured relational database that can be used for analysis and reporting using SQL queries.
This software automates TShark (a component of the free network protocol analysis tool Wireshark) to produce structured XML metadata about the packets within a collection of pcap files. The metadata is then stored in a relational database using a database schema automatically derived from the XML

I ran the pcap file from Puzzle #10 through C5 SIGMA using a SQL Server 2012 Database. Running SIGMA from source code in the Visual Studio debugger with no filters and a local SQL Server instance all running from a laptop it took about 5 minutes to process.

SIGMA displayed 20 warnings while processing the data, 4 about SQL column type incompatibility, the code gracefully modifies the database column data type to accept the value if required. The other warnings were to do with data truncation due to the nvarchar(4000) limit, I will have a look at adding an option to allow nvarchar(max). The SQL Server (max) datataypes have become a less restrictive over the versions and especially so with SQL Server 2012.

For now I am just going to look at how you could use C5 SIGMA to help with Puzzle #10 

Below is just the HTTP subset of tables.
I wanted to be able to do all my analysis from the SQL Server 2012 Management Studio however SQL Server 2012 does not have a Regex function, but it does have the ability to create CLR Functions in C# that can be called from SQL.

As the built in "CLR Database Project" for VS 2010 only supports SQL Server 2005 and 2008 I had to install Microsoft SQL Server Data Tools first. Then I could create a new "SQL Server Database Project" from "Other Languages" in Visual Studio. 

I created some Inline functions with Regex to parse a single parameter value from a full URI and one to remove anything past a ?, =, &, or ; from a full URI.

Now we can run queries to filter on the parameter 'q' used by most search boxes on web pages, not just Google and Bing
You will even see Google instant results for whatever the user typed. 

Depending on what you are looking for, you could run something like this to get list of URLs visited. 

It is possible to do way more then just http analysis e.g. simple arp enumeration

Take a look at C5 SIGMA yourself and have a play.

Thursday, 9 August 2012

Puzzle #10: PaulDotCom Goes Off the Air


My solution to Puzzle #10 "PaulDotCom Goes Off the Air"


I started by downloading the evidence file and verifying the SHA256 hash.
Extract the files from the archive

Opened “quarter-SDHC-snippet.dd” with FTK Imager (a free tool from AccessData)

Created AD1 custom content image from the deleted files found on “quarter-SDHC-snippet.dd”
Mounted the AD1 image as a logical, file system, read only.
The AD1 container was created because if I just mounted the dd image I would still have to deal with the deleted files. I could have just exported the deleted files but they could get intentionality modified, "cleaned" by AV etc.. Mounting the AD1 image as Read Only via FTK Imager allows me to work on the files without risk of modifying the evidence.

1. In his conversation with juniorkeyy, how old does Larry initially say he is?

Answer: 4

Looked through chatlog files on the mounted image file to get the answer.
From “chatlog1.txt “ “2:38:17 PM Larry Pesce: I'm 4.”

2. What was the filename of the file that had the following SHA256 sum:

Answer: e56931935bc60ac4c994eabd89b003a7ae221d941f1b026b05a7947a48dc9366


I hacked up a C# tool called SHATool using System.Security.Cryptography.SHA256Managed to find and compute SHA256 hash values. The slightly cleaned up code can be found here. It was quicker for me to hack together a simple console app in c# then to Google for a tool to calculate SHA256 hashes that would most likely not have had the ability to search for files with a specific hash. 


I ran SHATool over the mounted image file and found the file “superstrand.jpg” matched the hash value.

3. What is the SHA256sum of the photo from the “dd” image that shows Larry taking a bite out of a wireless router?

Answer: 1bdfd9d7445d38fdb7ba5acbb58669cf31c7c568c7aa6e6fcf0c961628f4c32e


Two files have Larry taking a bite out of a router
haxorthematrix-has-a-posse.jpg
e4e2fac9fc41546239d4e534bfe6588e4796f3799befc09b2787f5ad6c75faca
larryeatswrt.jpg
1bdfd9d7445d38fdb7ba5acbb58669cf31c7c568c7aa6e6fcf0c961628f4c32e
The way the question is worded I chose the hash for larryeatswrt.jpg as the same “picture” (the files are not identical) appears in the pcap data. 

4. What is the SHA256sum of the image that shows zombie Larry taking a bite out of a cat?

Answer: 9c0a8bc6c3baa2ad7f390ef4e41c3edf3d98a543f492afb50a4bab8700af5766 (Larry_zombie_cat.jpg)

5. What is Larry saying as he rocks back and forth? (No spaces or capital letters.) 

Answer: dekankcah


Used QuickTime player to play the video trapped.mp4 backwards by using the key shortcut Ctrl + Left Arrow. Larry says "Hack Naked, Hack Naked"
I answered this question based on how it was worded + the hint in the narrative.

6. Where are Paul and John? Report their GPS coordinates:a) Latitudeb) Longitude
BONUS. What is the name of the nearest bar?

Answer:  maps.google 
a) 6.421402
b) 3.441021
Bonus: Bar Baric 

To start with I created a c# console app to extract any exif GPS location data from JPG files, the code can be found here.

I opened pcap-from-surviving-hard-drive.pcap in WireShark and NetworkMiner to analyse the data. Initially done to extract images so I could check to see if there were any GPS coordinates in the exif data using the console app I created. None were found, this question was not going to be that easy.

Looking at the protocols in the pcap file I found some SMB transfers. NetworkMiner didn't appear to extract these files. I used WireShark “File, Export, Objects, SMB” Found 4 files all called larryeatswrt-with-secretsauce.jpg

This looks interesting! File 3 had a JPG header and was only about ¼ of a full image.
I used HxD to concatenate the files starting with the one with the JPG header FF D8 FF E0. After some trial and error I got the correct sequence. File 3->4->1->2. There was some corruption around the file joins, I took a look and started deleting data one byte at a time, 24 bytes later the first join was fixed. When I got to the second join I found it was a 24 byte overlap. (If I had only completely read the extremely well written narrative, or listened to the podcast before I started I could have save myself some time) anyhow, I removed the “twenty-four overlapping bites” from the joins. Ok check for GPS exif data. No luck. 

From analysing the PCAP data with WireShark and NetworkMiner, of interest were the web sites visited and Google / Bing searches:

Searches…
Google: how do i hide things in pictures
Bing: outguess.org

Stenography Sites and urls visited…

Other Excellent sites from the PCAP file…

I took a look at the method used from the instructables site and did not find any images encoded using that method. Also all jpg files had the correct FF D9 footer making this type of stenography unlikely for these files.

I then downloaded stegdetect (windows binary) and ran it over the dd image files and larryeatswrt-with-secretsauce.jpg 
It detected 
paul2.jpg : jphide(*)
Used jpseek.exe with key dekankcah no luck.

I ran stegbreak over the same files using dekankcah in my word list and found…
haxorthematrix-has-a-posse.jpg : outguess[v0.13b](9dekankcah)[binary Computer Graphics Metafile][.)RN49..BY..IK9T]
I had a look at Binary Computer Graphics Metafile files. That file format is messed up, good luck data carving for it.

I couldn’t find an outguess binary for windows so I fired up Ubuntu in VirtualBox, and installed the outguess package.
outguess on haxorthematrix-has-a-posse.jpg failed "Extracted datalen is to long:"

outguess -t -r -kdekankcah larryeatswrt-with-secretsauce.jpg /home/me/data.txt
Reading larryeatswrt-with-secretsauce.jpg....
Extracting usable bits:   16713 bits
Steg retrieve: seed: 10, len: 171
cat /home/me/data.txt 

Gone fishing, back in 2 weeks.

Hugs,
Paul & John

P.S.  We aren't sure what happened to Larry. 

P.P.S.  We're at a bar near here if you want to hang:  6.421402,3.441021


I checked the location on Google maps and found Bar Baric with this review...
“This bar was good, but there were some rowdy guys who would shout "WE'RE THE WORLDS #1 HACKERS" and then laugh loudly. No one understood why it was funny, but they were nice and bought the whole place many rounds of drinks.”

I cracked open a beer, and submitted my answers...