
CIT 485 Investigation Ann’s Bad AIM

In this investigation, you will examine data and determine what happened during a security incident.

1 STUDENT LEARNING OUTCOMES

1. Investigate suspicious network data for malicious activity.
2. Write an incident report based on a network investigation.

2 SCENARIO

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company's prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company's secret recipe. Security staff have been monitoring Ann's activity for some time, but haven't found anything suspicious until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann's computer (192.168.1.158) sent IMs over the wireless network to this computer using AOL Instant Messenger (AIM). The rogue laptop disappeared shortly thereafter. The organization has captured the packets from the network activity in the file evidence01.pcap.

When investigating suspicious network activity, you want to be able to determine:

1. Who: who are the hosts performing most of the communication in this capture file? Identify the hosts by DNS name, IP address, and MAC address if possible.
2. When: when did the communication occur? Wireshark provides times as seconds from the start of the capture by default. You want to report times as 24-hour timestamps in Coordinated Universal Time (UTC).
3. What: what happened on the network during this capture? We want to know this at a high level, e.g. the attacker launched a guessing attack, logged into user X's account, and transferred the plans for our new product to a machine outside our network.
4. How: how did the attacker perform the attack? This is where you get into the details of how the attacker achieved the goals described above.

Create a timeline of events as you identify them during your investigation. This will be useful in identifying the steps performed by the attacker during the incident.

The organization also wants you to answer the following specific questions:

1. What is the name of Ann's IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number (binary file header) of the file?
5. What was the MD5 sum of the file?
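The "Who" and "When" questions above come down to reading the capture's own metadata: every pcap record carries an epoch timestamp, and every Ethernet/IPv4 frame carries the MAC and IP addresses of the two hosts. The following Python program is an added example written for this handout, not part of the assignment or the original puzzle. It parses the classic pcap format with only the standard library, converts timestamps to 24-hour UTC, tallies which hosts send the most traffic, and prints a first-cut timeline. The capture it runs on is constructed inside the program; only 192.168.1.158 (Ann's computer) comes from the scenario, while the rogue laptop's address and both MAC addresses are invented for illustration. Run it against evidence01.pcap by passing the file's bytes to parse_pcap instead.

```python
import struct
from datetime import datetime, timedelta, timezone

# Classic pcap magic numbers: byte order and ticks-per-second of the fraction field.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),          # microseconds
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),  # nanoseconds
}


def parse_pcap(data):
    """Return one record per packet: UTC time, MACs, IPs and TCP ports (if any)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in _MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, ticks = _MAGICS[magic]
    link_type, = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    events, offset = [], 24                      # 24-byte global header
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 14:
            continue                             # truncated frame, no Ethernet header
        # Report absolute 24-hour UTC time instead of seconds since capture start.
        when = datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(
            microseconds=frac * 1_000_000 // ticks)
        record = {"time": when.strftime("%Y-%m-%d %H:%M:%S.%f UTC"),
                  "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
                  "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
                  "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None}
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":      # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4                           # IP header length
            record["src_ip"] = ".".join(str(b) for b in frame[26:30])
            record["dst_ip"] = ".".join(str(b) for b in frame[30:34])
            if frame[23] == 6 and len(frame) >= 14 + ihl + 4:       # protocol 6 = TCP
                record["src_port"], record["dst_port"] = struct.unpack_from("!HH", frame, 14 + ihl)
        events.append(record)
    return events


def talkers(events):
    """'Who': packets sent per (IP, MAC) pair, busiest host first."""
    counts = {}
    for e in events:
        if e["src_ip"]:
            key = (e["src_ip"], e["src_mac"])
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def timeline(events):
    """'When': one line per IPv4 packet, in capture order, for the incident timeline."""
    return [f'{e["time"]}  {e["src_ip"]}:{e["src_port"]} -> {e["dst_ip"]}:{e["dst_port"]}'
            for e in events if e["src_ip"]]


# ---- Constructed sample capture (NOT evidence01.pcap) -----------------------
# Only 192.168.1.158 (Ann's computer) comes from the assignment; the rogue
# laptop's IP and both MAC addresses are invented for this example.
ANN_IP, ANN_MAC = "192.168.1.158", "00:11:22:33:44:55"
ROGUE_IP, ROGUE_MAC = "192.168.1.200", "66:77:88:99:aa:bb"


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Little-endian, microsecond pcap with three packets on 2009-09-25 (constructed)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    packets = [
        (1253887503, 250000, _frame(ANN_MAC, ROGUE_MAC, ANN_IP, ROGUE_IP, 51128, 443, b"hello")),
        (1253887508, 0, _frame(ROGUE_MAC, ANN_MAC, ROGUE_IP, ANN_IP, 443, 51128, b"hi")),
        (1253887509, 500000, _frame(ANN_MAC, ROGUE_MAC, ANN_IP, ROGUE_IP, 51128, 443, b"x")),
    ]
    body = b"".join(struct.pack("<IIII", s, us, len(f), len(f)) + f for s, us, f in packets)
    return header + body


if __name__ == "__main__":
    evs = parse_pcap(build_sample_pcap())
    for line in timeline(evs):
        print(line)
    for (ip, mac), n in talkers(evs):
        print(f"{ip} ({mac}): {n} packets sent")
```

The parser deliberately stops at TCP ports: the point is to get hosts and times into the timeline first, then use Wireshark (Decode As AIM) for the chat content. Note that the timestamps printed are absolute UTC values taken from the pcap record header, which is what the report asks for.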

3 HINTS

Here are some hints to help with the investigation. AIM is based on the OSCAR protocol. The AIM protocol is notorious for finding a way past firewalls, looking for widely used ports that are open in the firewall to find a way through. While Wireshark knows how to decode AIM, you will need to find which port has AIM data (look for cleartext chat in a TCP stream), then tell Wireshark to decode that port as AIM. AIM uses the OSCAR File Transfer (OFT) protocol to transfer files. OFT file transfer protocol packets cannot be decoded by Wireshark but do contain the string OFT2 inside the packet. You can search for this in Wireshark, being sure to select Packet Bytes as the data being searched, or you can use another tool like ngrep:

ngrep -I evidence01.pcap OFT2

The protocol will identify the file being transferred by name before including the contents. The secret recipe is stored in a Microsoft Office docx file. The magic number at the beginning of a docx file is 0x504B, which is the string PK in ASCII. To extract the file, the investigator will need to write the TCP stream to disk, then edit it in a hex editor like ghex. Everything before the string PK is OFT protocol data and not part of the file, so this data must be deleted. There will be additional OFT protocol packets after the file contents. These can be found by looking for the string OFT2 and must be removed to create a file readable by Microsoft Office. Once all the extraneous data has been deleted, save the edited TCP stream as a docx file. Use the file command to check the file type. The file command uses a database of magic numbers and other file format information to identify file types:

file recipe.docx

Depending on the version of the file command, it may tell you that recipe.docx is a zip file or a docx file. The zip file answer is fine, as docx files actually are zip archives that contain a set of XML files.
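The hex-editor procedure above (cut everything before PK, cut the trailing OFT2 packets, then check the result) can be scripted so that the carved file, its magic number and its MD5 sum are produced together. The Python program below is an added example for this handout, not part of the assignment or the original puzzle. It follows the handout's PK-to-OFT2 rule and goes one step further: because a docx is a zip archive, the zip End of Central Directory record (signature PK\x05\x06, 22 fixed bytes plus an optional comment) marks the true end of the file, which is a more reliable stop than searching for OFT2 in case those four bytes happen to occur inside compressed data. The OFT2 header and trailer in the sample stream are constructed stand-ins that mimic only the magic string, not the real OFT field layout; the docx inside is a tiny constructed zip, not the recipe.

```python
import hashlib
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # bytes 50 4B 03 04: first record of a zip (and docx)
ZIP_EOCD = b"PK\x05\x06"           # End of Central Directory: last record of a zip


def carve_oft_file(stream):
    """Cut the transferred document out of a raw OFT TCP stream dump.

    Everything before the first 'PK' local file header is OFT protocol data,
    and the OFT2 packets that follow the file must be dropped as well.
    """
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        raise ValueError("no zip/docx local file header (PK) found in stream")
    # The handout's rule: the file ends where the trailing OFT2 packets begin.
    oft_end = stream.find(b"OFT2", start)
    if oft_end < 0:
        oft_end = len(stream)                # capture ended before any OFT trailer
    # Cross-check with the zip structure itself: the EOCD record is the last thing
    # in a well-formed zip, so its offset + 22 bytes + comment length is the true end.
    eocd = stream.find(ZIP_EOCD, start)
    if eocd >= 0:
        comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
        return stream[start:eocd + 22 + comment_len]
    return stream[start:oft_end]


def describe(blob):
    """Magic number, MD5 sum and a zip integrity check: the facts the report needs."""
    info = {"magic": "0x" + blob[:2].hex().upper(),     # expect 0x504B, i.e. "PK"
            "md5": hashlib.md5(blob).hexdigest(),
            "is_zip": zipfile.is_zipfile(io.BytesIO(blob)),
            "members": []}
    if info["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            info["is_zip"] = zf.testzip() is None      # None means every member's CRC is good
            info["members"] = zf.namelist()
    return info


# ---- Constructed sample (NOT the stream from evidence01.pcap) ----------------
def build_sample_stream():
    """A tiny docx-shaped zip wrapped in stand-in OFT2 framing.

    The 'OFT2' header and trailer only mimic the magic string plus filler bytes;
    they do not follow the real OFT packet layout. Returns (stream, original docx).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed recipe text</w:document>")
    docx = buf.getvalue()
    header = b"OFT2" + b"\x00" * 12 + b"recipe.docx\x00" + b"\x00" * 8
    trailer = b"OFT2" + b"\x00" * 12
    return header + docx + trailer, docx


if __name__ == "__main__":
    stream, original = build_sample_stream()
    carved = carve_oft_file(stream)
    report = describe(carved)
    print("recovered byte-for-byte:", carved == original)
    print(report)
```

On a real stream, write the Follow TCP Stream output to disk in raw form, read it as bytes, and pass it to carve_oft_file; the MD5 in the report should then match what md5sum gives for the carved file, and the member list should show the word/ directory that the file command's "Microsoft Word 2007+" or "Zip archive" answer is based on.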

4 DELIVERABLES

By the end of class, each group needs to have created three documents:

• A timeline showing each step of the attack, explaining what happened in as much detail as you can determine, along with who the parties involved in that step are.
• An answer sheet with answers to the 5 questions above.
• The secret recipe as a word processor document or text file.

These documents can be created in Google Drive or Office 365, and groups must be able to share them with the instructor.

5 FILES

1. evidence01.pcap

6 REFERENCES

1. Berkeley Packet Filter (BPF) syntax. https://biot.com/capstats/bpf.html.
2. CISA. Analysis Report (AR20-268A). https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a. 2020.
3. Sherri Davidoff and Jonathan Ham. Network Forensics: Tracking Hackers Through Cyberspace. Prentice Hall. 2012.
4. Gary Kessler. File Signatures. https://www.garykessler.net/library/file_sigs. 2020.
5. LMG. Ann's Bad AIM. http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim. 2009.
6. TecMint. Ngrep. https://www.tecmint.com/ngrep-network-packet-analyzer-for-linux/.
7. Wireshark. Wireshark User's Guide. https://www.wireshark.org/docs/.
