Sunday, September 30, 2012

CSAW CTF 2012 - Networking 200

Networking challenges for CSAW CTF 2012 reminded me of classic PCAP diving, and this one proved to be no different.

lemieux.pcap
Some dude I know is planning a party at some bar in New York! I really want to go but he's really strict about who gets let in to the party. I managed to find this packet capture of when the dude registered the party but I don't know what else to do. Do you think there's any way you can find out the secret password to get into the party for me? By the way, my favorite hockey player ever is mario lemieux.


Digging through the PCAP showed a lot of standard network traffic: HTTP, DNS, UPnP, DLNA, HTTPS, etc. Where to start? Since the user supposedly registered for a party, the likely candidate is some sort of HTTP transaction. Setting a Wireshark filter for "http" still yields A LOT of traffic. Using tshark, NetworkMiner, etc., we can list which HTTP hosts are being requested.

tshark -r lemieux.pcap -R "http" -Tfields -e http.host

This reduces the possibilities, but isn't the cleanest. Luckily, the last few lines show a server named "taproom307.com". Now that's an establishment I've heard of. If the user did register, there's hopefully an HTTP POST associated with it. Let's narrow our search:

tshark -r lemieux.pcap -R 'http.request.method == "POST" and http.host == "www.taproom307.com"'

Yup. Since I'm lazy, I fired up the same request in Wireshark to view the actual HTTP contents. One of the POSTs shows a message being sent with a 'key phrase' of "brooklyn beat box".
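As an added example (not part of the original writeup), here is the same narrowing done by hand in Python: walk a libpcap file, keep only TCP payloads that begin an HTTP POST, match the Host header, and decode the form body. The capture bytes, the 192.0.2.10 server address and the placeholder key phrase are constructed here, and the script assumes each request fits in one TCP segment, which is exactly where tshark's stream reassembly earns its keep on a real capture.

```python
import struct
from urllib.parse import parse_qs

def _frame(payload: bytes) -> bytes:
    """Wrap an HTTP payload in Ethernet/IPv4/TCP headers plus a pcap record header."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 10]))  # checksums left 0
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample capture (not the challenge file): a GET to an unrelated host
# and a POST to the bar's site carrying a placeholder key phrase.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + _frame(
    b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n\r\n") + _frame(
    b"POST /register HTTP/1.1\r\nHost: www.taproom307.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"name=guest&key_phrase=placeholder")

def find_posts(pcap: bytes, host: str) -> list[tuple[str, dict[str, str]]]:
    """Return (path, form_fields) for each HTTP POST whose Host header matches."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # pcap magic sets byte order
    hits, off = [], 24                                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # need IPv4 + TCP
            continue
        ip = pkt[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                         # IHL gives IPv4 header length
        payload = tcp[(tcp[12] >> 4) * 4:]                    # data offset gives TCP header length
        head, sep, body = payload.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        req = lines[0].split(b" ")
        if not sep or len(req) != 3 or req[0] != b"POST":
            continue
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (ln.partition(b":") for ln in lines[1:])}
        if headers.get(b"host", b"").decode(errors="replace").lower() != host.lower():
            continue
        fields = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
        hits.append((req[1].decode(errors="replace"), fields))
    return hits

if __name__ == "__main__":
    for path, fields in find_posts(SAMPLE_PCAP, "www.taproom307.com"):
        print(path, fields)
```

On current tshark releases the display filter is passed with -Y; -R is now the two-pass read filter and requires -2.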
