
Network Forensics Investigation

Cyber Crime Investigation

Adjonyo .J. Noah


B00065764
Masters In Computing BN518: Network Security and Digital Forensics (Fulltime)
10-May 2013

1. Analysis of portscan.cap file


1.1. What ports are open?
Method: With NetworkMiner the cap file is opened, and the tabs displayed
65300 sessions, 5 hosts and over 13000 frames.
~ I opened the Session tab and noticed the source IP address
192.168.223.172.
~ Using the source IP address I decided to look for more details attached to
192.168.223.172 as a source.
~ There was a great deal of data to check under the Session tab and also under
the Frames tab.
~ I opened the Host tab and searched for that host.
~ Under the IP address 192.168.223.172 the open TCP ports are listed:
5900 22 139 23 80 53 25 445 21 111 3306 6667 59563 512 513
1099 52878 6000 43607 8787 514 2049 8009 3632 5432 6697 8180
2121 1524 56166.
~ Some of the port numbers are familiar; however, most were completely
strange, so in order to understand how they function I looked up the IANA
list of default port numbers.
Tools used: NetworkMiner
Answer: Open TCP ports are: 5900 22 139 23 80 53 25 445 21 111 3306
6667 59563 512 513 1099 52878 6000 43607 8787 514 2049 8009 3632
5432 6697 8180 2121 1524 56166
Open TCP ports in numerical order are as follows:

No.  Port   Port name/protocol             Short description
 1   21     FTP                            File Transfer Protocol
 2   22     SSH                            Secure Shell
 3   23     Telnet                         Telnet
 4   25     SMTP                           Simple Mail Transfer Protocol
 5   53     DNS                            Domain Name System
 6   80     HTTP                           Hyper Text Transfer Protocol
 7   111    SunRPC                         Sun Remote Procedure Call
 8   139    Netbios-ssn                    Netbios Service Session
 9   445    Microsoft-DS                   Microsoft Directory Service
10   512    Exec / Comsat / Biff           Remote process execution; used by mail system
11   513    Login / Who                    Remote login; maintains database of who is logged in
12   514    Shell
13   1099   RMIregistry                    Remote Method Invocation Registry
14   1524   Ingreslock
15   2049   Shilp / Nfs                    Network file system
16   2121   SCIENTIA-SSDB
17   3306   MYSQL
18   3632   DISTCC
19   5432   PostgreSQL Database
20   5900   RFB                            Remote FrameBuffer
21   6000   X11                            X Window system
22   6667   IRC                            Internet Relay Chat
23   6697   Unassigned                     Unofficially IRC SSL
24   8009   Unassigned                     SANS: Netware-rmgr
25   8180   Unassigned
26   8787   Msgsrvr                        Message Server
27   43607  Unassigned
28   52878  Dynamic and/or Private ports   Xsan filesystems Access (Apple)
29   56166  Dynamic and/or Private ports   Xsan filesystems Access (Apple)
30   59563  Dynamic and/or Private ports   Xsan filesystems Access (Apple)

Noah J. Adjonyo, Institute of Technology Blanchardstown

There were 30 open ports.
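The report reads the open-port list straight from NetworkMiner's Host tab. The following added example (not code from the report or from NetworkMiner) shows the inference that sits underneath that list, generalised to the three outcomes of a SYN probe: a SYN answered with SYN/ACK means the port is open, a SYN answered with RST means it is closed, and a SYN that gets no reply at all is treated as filtered. The frames are constructed sample records standing in for portscan.cap; the scanner address 192.168.223.172 is the one the report names, while the target address is an assumption.

```python
# Added example (not part of the original report): infer which TCP ports on a
# scanned host are open, closed or filtered from the replies seen in a
# port-scan capture.
from collections import namedtuple

Frame = namedtuple("Frame", "src dst sport dport flags")

# TCP flag bits as they appear in the header
SYN, ACK, RST = 0x02, 0x10, 0x04

SCANNER = "192.168.223.172"   # source address seen in the report
TARGET = "192.168.223.10"     # assumed address of the scanned host

# Constructed sample frames standing in for portscan.cap
SAMPLE_FRAMES = [
    Frame(SCANNER, TARGET, 40001, 22, SYN),
    Frame(TARGET, SCANNER, 22, 40001, SYN | ACK),   # open
    Frame(SCANNER, TARGET, 40001, 22, RST),         # scanner tears the half-open connection down
    Frame(SCANNER, TARGET, 40002, 23, SYN),
    Frame(TARGET, SCANNER, 23, 40002, SYN | ACK),   # open
    Frame(SCANNER, TARGET, 40003, 81, SYN),
    Frame(TARGET, SCANNER, 81, 40003, RST | ACK),   # closed
    Frame(SCANNER, TARGET, 40004, 8080, SYN),       # never answered: filtered
    Frame(SCANNER, TARGET, 40005, 21, SYN),
    Frame(TARGET, SCANNER, 21, 40005, SYN | ACK),   # open
]


def classify_ports(frames, scanner, target):
    """Return {port: 'open' | 'closed' | 'filtered'} for every port the scanner probed."""
    # A bare SYN from the scanner to the target is a probe; remember the ports it touched.
    probed = {f.dport for f in frames
              if f.src == scanner and f.dst == target and f.flags == SYN}
    state = {port: "filtered" for port in probed}   # no reply seen yet
    for f in frames:
        # Only replies from the target to the scanner on a probed port matter.
        if f.src != target or f.dst != scanner or f.sport not in probed:
            continue
        if f.flags & SYN and f.flags & ACK:
            state[f.sport] = "open"
        elif f.flags & RST and state[f.sport] != "open":
            state[f.sport] = "closed"
    return state


def open_ports(frames, scanner, target):
    """Open ports in numerical order, the way the report tabulates them."""
    return sorted(port for port, s in classify_ports(frames, scanner, target).items()
                  if s == "open")


if __name__ == "__main__":
    for port, s in sorted(classify_ports(SAMPLE_FRAMES, SCANNER, TARGET).items()):
        print(f"{port:>5}  {s}")
    print("open:", open_ports(SAMPLE_FRAMES, SCANNER, TARGET))
```

Run against a real capture the same logic would be fed the per-frame addresses, ports and flags exported from Wireshark or tshark; the distinction between "closed" and "filtered" is what tells an analyst whether a firewall sat between the scanner and the host.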


2. Analysis of deep.cap file
2.1. Opened the file on Wireshark
Method: Opened the file on Wireshark and only 802.11 was displayed,
and there was no way to tell which specific protocols to extract any
file from.


Having the Protocol column showing 802.11 for all 208428 frames
suggests that there is a likelihood the network card was used in
monitor mode and has possibly captured raw, encrypted IEEE 802.11
traffic.
On that revelation it was clear I needed to decrypt the file.
From previous knowledge Aircrack-ng was the best bet to decrypt
the capture.
Used Aircrack-ng to analyse the IVs and retrieve the possible key
28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 with the command
aircrack-ng deep.cap

On retrieving the key I used

airdecap-ng -w 28:E6:6B:E9:D3:B6:20:95:DD:E9:2F:BE:37 deep.cap

to open the pcap file, and by so doing more information was
viewable in Wireshark and NetworkMiner;
On NetworkMiner I checked the Files tab in search of any txt file I
could extract, but not a single file was there, contrary to the task;
Also NetworkMiner was unable to provide me with any hint on
what to look for and where to look;
Went back to Wireshark, where frame 8 told me of an unseen
segment;


Frame 7 used source port 49510 (an unassigned port number) for FTP
traffic to port 21; also shown is USER: joe;
From the information around frame 26 comes a hint about a
password, which signals how close I am getting;
Frames 32 to 34 show that port numbers 49510 to 49512 are affiliated
with an Adobe service;
Opened the decrypted file on NetworkMiner, and on the Files tab there was no
file;
Meanwhile, the presumption that a file was still hidden prompted
me to use the command
sudo tcpxtract -f deep-dec.cap -o tcpxtract/
and a zip file was extracted which requested a password to unzip;

When I followed the TCP stream of frame 32 the results showed a .txt
file named flag4.txtUT;
Attempted to save the file out into a .txt file, but when I opened it, it
read: could not open the file, and also Character Encoding
automatically detected;
Used the filter tcp.port >= 49001, which means display port
numbers greater than or equal to 49001 (port numbers 49001 to are unassigned
or dynamic);
40 frames were displayed from applying the above filter, including
the earlier mentioned frames but also frames with the POP
protocol. What is a POP protocol doing here?
Used the filter tcp.port >= 49001 && pop to also include the POP
protocol in the filter, and reduced it to 12 frames;


One frame, 49515, looked like a stranger in the party;

It had an IMF protocol and also had 712 bytes of data length, which seemed
big in comparison to the others displayed with the above filter;
Email addresses were seen: metalman@carolinacon8.com and
crashman@carolinacon8.com;
Under Content-Type is text/plain, which is a great hint and strikes
the memory about the issue I faced earlier with character encoding;
According to RFC 2045, 7bit Content-Transfer-Encoding is used to
encode other file types to send via normal mail;
dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n seems to
look like a password or a file of some sort;

Tried it as a password to open the zip file, but to no avail;



I began an attempt to decode it in anticipation that it is the encoded
data;
Copied dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n and
placed it into a new .txt file, specifying the encoding charset,
which is ISO-8859-1. This enables the reverse process;


Used the base64 command to decode the string:

base64 -d pword.txt

and behold, a password was actually retrieved: bostonMA1977;
On using it on the zip file earlier retrieved from tcpxtract, a file
named flag4.txt unzipped;
Inside the file is another password: bostonmarathon2012

So using the password bostonMA1977 I was able to access the file
flag4.txt to retrieve the hidden password bostonmarathon2012.
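The steps above (spot a text/plain IMF message, lift the base64 string out of its body, decode it with the charset the message declares, read the password off the end of the sentence) can be done in a few lines of Python. The block below is an added example, not code from the report; the message it parses is a constructed stand-in for the frame seen in deep.cap, using the two addresses and the encoded string quoted above, with an assumed Subject line.

```python
# Added example (not part of the original report): recover the hidden password
# from the plain-text e-mail body seen in deep.cap. Parsing the message and
# base64-decoding the body reproduces what the report does by hand with a
# .txt file and "base64 -d pword.txt".
import base64
import binascii
from email import message_from_bytes

# Constructed message standing in for the IMF frame in the capture. The two
# addresses and the encoded body are the values quoted in the report; the
# Subject line is an assumption.
SAMPLE_MESSAGE = (
    b"From: metalman@carolinacon8.com\r\n"
    b"To: crashman@carolinacon8.com\r\n"
    b"Subject: hint\r\n"
    b"Content-Type: text/plain; charset=ISO-8859-1\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"dGhlIHBhc3N3b3JkIGlzIGJvc3Rvbk1BMTk3Nwo=\r\n"
)


def extract_body(raw_message):
    """Return the body (bytes) after undoing the Content-Transfer-Encoding, plus its charset."""
    msg = message_from_bytes(raw_message)
    if msg.is_multipart():
        raise ValueError("expected a single-part text/plain message")
    # decode=True undoes the Content-Transfer-Encoding; for 7bit that is a no-op,
    # so the base64 text comes back exactly as it appeared on the wire.
    body = msg.get_payload(decode=True)
    charset = msg.get_content_charset(failobj="us-ascii")
    return body, charset


def decode_hidden_text(raw_message):
    """Base64-decode the body and return it as text in the message's declared charset."""
    body, charset = extract_body(raw_message)
    try:
        # validate=True rejects anything that is not strictly base64 instead of
        # silently skipping stray characters.
        decoded = base64.b64decode(body.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    return decoded.decode(charset)


def recover_password(raw_message):
    """The last word of the decoded sentence, i.e. the password itself."""
    return decode_hidden_text(raw_message).split()[-1]


if __name__ == "__main__":
    print(decode_hidden_text(SAMPLE_MESSAGE).rstrip())
    print("password:", recover_password(SAMPLE_MESSAGE))
```

One caveat worth keeping in mind when reading the headers: under RFC 2045 a Content-Transfer-Encoding of 7bit means the body was sent as-is in plain US-ASCII, so the mail layer itself did nothing to the text. The base64 string here is an application-level encoding applied by whoever wrote the message, which is why it has to be decoded explicitly rather than by the mail parser.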
Tools used: NetworkMiner was used to analyse the packets for hints and,
most importantly, to check for file types. Wireshark was used to view the
capture frame by frame. Tcpxtract was used to extract the file from the
capture. The base64 command line tool was used to decode the password
from 7bit.

References
1. Bejtlich, R., 2006. Network Forensic Traffic Reconstruction with Tcpxtract.
[Blog] Available at http://taosecurity.blogspot.ie/2006/01/network-forensictraffic.html
[Accessed 25 April 2013].
2. Maynard, C., 2009. ICMP and endian-ness issue. Wireshark-dev [online].
Available at http://www.wireshark.org/lists/wireshark-dev/200909/msg00224.html
[Accessed 10 April 2013].
3. Lyon, G., The Official Nmap Project Guide to Network Discovery and Security
Scanning. Nmap [online]. Available at http://nmap.org/book/man-briefoptions.html
[Accessed 24 April 2013].
4. Oskar, A., 2006. Iptables Tutorial 1.2.1. Frozentux [online]. Available at
http://www.frozentux.net/iptables-tutorial/chunkyhtml/x281.html [Accessed 20
April 2013].
5. Thomas, J., n.d. Knowledgebase: TCP/IP. Omnisecu [online]. Available at
http://www.omnisecu.com/tcpip/internet-control-message-protocol-icmp.htm
[Accessed 20 April 2013].
8. Techspot, 2013. Do I have a virus? Techspot [Forum]. Available at
http://www.techspot.com/community/topics/do-i-have-a-virus.189721/ [Accessed
25 April 2013].
9. IANA. Service Name and Transport Protocol Port Number Registry [online]. Available at
http://www.iana.org/assignments/service-names-port-numbers/servicenames-port-numbers.xml#P_V_Shivkumar
10. Tschabitscher, H., POP (Post Office Protocol) Basics. About.com [online]. Available
at http://email.about.com/cs/standards/a/pop_basics.htm [Accessed 12 May 2013].
11. Freed, N., and Borenstein, N., 1996. MIME Part One: Format of Internet Message
Bodies, RFC 2045 [online]. Available at http://www.ietf.org/rfc/rfc2045.txt
[Accessed 12 May 2013].
12. Josefsson, S., Base64 - Unix, Linux Command. TutorialsPoint [online]. Available
at http://www.tutorialspoint.com/unix_commands/base64.htm [Accessed 13 May
2013].
13. Geier, J., 2008. How to: Sniff Wireless Packets with Wireshark. Wi-Fi Planet
[online]. Available at http://www.wi-fiplanet.com/tutorials/article.php/3791421/How-to-Sniff-Wireless-Packets-with-WireShark.htm
[Accessed 13 May 2013].
14. Tech-Juice, 2011. Wireshark: 802.11 Frame Display [online]. Available at
http://www.tech-juice.org/2011/11/25/wireshark-wireless-display-filters/