{"id":301,"date":"2015-12-23T21:12:18","date_gmt":"2015-12-23T21:12:18","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=301"},"modified":"2015-12-28T12:57:36","modified_gmt":"2015-12-28T12:57:36","slug":"sans-holiday-hack-challenge-part-i","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=301","title":{"rendered":"SANS Holiday Hack Challenge &#8211; Part I"},"content":{"rendered":"<p>I figured that I would attempt the annual <a href=\"http:\/\/holidayhackchallenge.com\/\" target=\"_blank\">SANS Holiday Hack Challenge<\/a> this year while things were slow at work (knock on wood). So after working on this for 2-3 days, I have managed to knock out the first of the questions:<\/p>\n<p>\t1) Which commands are sent across the Gnome\u2019s command-and-control channel?<br \/>\n \t2) What image appears in the photo the Gnome sent across the channel from the Dosis home?<\/p>\n<p>The way I got the answers for this first set of problems was not &#8220;creative&#8221; by any stretch of the imagination. If anything, it was just manually plugging away at things and using the magic 8-ball called Google. Below is a summary of how I went about solving this set of problems.<\/p>\n<p>I obtained the PCAP and the non-working script from Josh. Never having played with Scapy or Python, I figured that I would first sink my teeth into the PCAP and see if there was anything that I could figure out from it (since I feel more comfortable with a PCAP). Looking at it via Wireshark and the Protocol Hierarchy option, I could see that most of the traffic was split between 802.11 wireless management frames and DNS. Filtering on just DNS, I could see all sorts of info in the TXT record of the response.<\/p>\n<p>I remembered that Tim mentioned that Burp could figure out different decoding schemes, and someone else in the town mentioned something about base64 (I think), so I took one line from the TXT response and decoded it. 
Seeing that it was all in base64, I needed a quick way of getting only the DNS TXT responses. Since I don&#8217;t know how to script or work with Python\/Scapy, I used &#8216;tshark&#8217; instead. The filter that I used was &#8216;tshark -r Downloads\/giyh.pcap -T fields -e dns.txt &gt; sans.log&#8217;. ***NOTE: When using Wireshark, if you click on a field, take a look at the bottom left-hand corner. It shows the display filter name for that field, which you can use to filter the PCAP, as you can see below:<\/p>\n<p><div id=\"attachment_303\" style=\"width: 781px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/VirtualBox_Vulnerable-Windows_23_12_2015_21_00_33.png\" rel=\"attachment wp-att-303\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-303\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/VirtualBox_Vulnerable-Windows_23_12_2015_21_00_33.png\" alt=\"Filter for this in Wireshark\" width=\"771\" height=\"292\" class=\"size-full wp-image-303\" style=\"padding:1px;border:thin solid black\" \/><\/a><p id=\"caption-attachment-303\" class=\"wp-caption-text\">Filter for this in Wireshark<\/p><\/div><br \/>\nThat gave me the responses in a text file that I could then decode via Notepad++.<br \/>\nThe following is the decoded part of the communication:<\/p>\n<pre class=\"brush: vb; light: false; title: Click here to expand...; toolbar: true; notranslate\" title=\"Click here to expand...\">  \r\n \tNONE:\r\n\tNONE: NONE: NONE: NONE: NONE: NONE: EXEC:iwconfig\r\n\tEXEC:START_STATE  EXEC:wlan0     IEEE 802.11abgn  ESSID:&quot;DosisHome-Guest&quot;  \r\n\tEXEC:          Mode:Managed  Frequency:2.412 GHz  Cell: 7A:B3:B6:5E:A4:3F   \r\n\tEXEC:          Tx-Power=20 dBm   \r\n\tEXEC:          Retry short limit:7   RTS thr:off   Fragment thr:off\r\n\tEXEC:          Encryption key:off\r\n\tEXEC:          Power Management:off\r\n\tEXEC:          \r\n\tEXEC:lo        no wireless 
extensions.\r\n\tEXEC:\r\n\tEXEC:eth0      no wireless extensions.\r\n\tEXEC:STOP_STATENONE: NONE: NONE: EXEC:cat \/tmp\/iwlistscan.txt\r\n\tEXEC:START_STATE  EXEC:wlan0     Scan completed :\r\n\tEXEC:          Cell 01 - Address: 00:7F:28:35:9A:C7\r\n\tEXEC:                    Channel:1\r\n\tEXEC:                    Frequency:2.412 GHz (Channel 1)\r\n\tEXEC:                    Quality=29\/70  Signal level=-81 dBm  \r\n\tEXEC:                    Encryption key:on\r\n\tEXEC:                    ESSID:&quot;CHC&quot;\r\n\tEXEC:                    Bit Rates:1 Mb\/s; 2 Mb\/s; 5.5 Mb\/s; 11 Mb\/s; 6 Mb\/s\r\n\tEXEC:                              9 Mb\/s; 12 Mb\/s; 18 Mb\/s\r\n\tEXEC:                    Bit Rates:24 Mb\/s; 36 Mb\/s; 48 Mb\/s; 54 Mb\/s\r\n\tEXEC:                    Mode:Master\r\n\tEXEC:                    Extra:tsf=000000412e67cddf\r\n\tEXEC:                    Extra: Last beacon: 5408ms ago\r\n\tEXEC:                    IE: Unknown: 00055837335A36\r\n\tEXEC:                    IE: Unknown: 010882848B960C121824\r\n\tEXEC:                    IE: Unknown: 030101\r\n\tEXEC:                    IE: Unknown: 200100\r\n\tEXEC:                    IE: IEEE 802.11i\/WPA2 Version 1\r\n\tEXEC:                        Group Cipher : CCMP\r\n\tEXEC:                        Pairwise Ciphers (1) : CCMP\r\n\tEXEC:                        Authentication Suites (1) : PSK\r\n\tEXEC:                    IE: Unknown: 2A0100\r\n\tEXEC:                    IE: Unknown: 32043048606C\r\n\tEXEC:                    IE: Unknown: DD180050F2020101040003A4000027A4000042435E0062322F00\r\n\tEXEC:                    IE: Unknown: 2D1A8C131BFFFF000000000000000000000000000000000000000000\r\n\tEXEC:                    IE: Unknown: 3D1601080800000000000000000000000000000000000000\r\n\tEXEC:                    IE: Unknown: DD0900037F01010000FF7F\r\n\tEXEC:                    IE: Unknown: DD0A00037F04010000000000\r\n\tEXEC:                    IE: Unknown: 0706555320010B1B\r\n\tEXEC:          Cell 02 - 
Address: 48:5D:36:08:68:DC\r\n\tEXEC:                    Channel:6\r\n\tEXEC:                    Frequency:2.412 GHz (Channel 1)\r\n\tEXEC:                    Quality=59\/70  Signal level=-51 dBm  \r\n\tEXEC:                    Encryption key:on\r\n\tEXEC:                    ESSID:&quot;DosisHome&quot;\r\n\tEXEC:                    Bit Rates:1 Mb\/s; 2 Mb\/s; 5.5 Mb\/s; 11 Mb\/s; 18 Mb\/s\r\n\tEXEC:                              24 Mb\/s; 36 Mb\/s; 54 Mb\/s\r\n\tEXEC:                    Bit Rates:6 Mb\/s; 9 Mb\/s; 12 Mb\/s; 48 Mb\/s\r\n\tEXEC:                    Mode:Master\r\n\tEXEC:                    Extra:tsf=00000021701d828b\r\n\tEXEC:                    Extra: Last beacon: 4532ms ago\r\n\tEXEC:                    IE: Unknown: 000F736F6D657468696E67636C65766572\r\n\tEXEC:                    IE: Unknown: 010882848B962430486C\r\n\tEXEC:                    IE: Unknown: 030106\r\n\tEXEC:                    IE: Unknown: 0706555320010B1E\r\n\tEXEC:                    IE: Unknown: 2A0100\r\n\tEXEC:                    IE: Unknown: 2F0100\r\n\tEXEC:                    IE: IEEE 802.11i\/WPA2 Version 1\r\n\tEXEC:                        Group Cipher : CCMP\r\n\tEXEC:                        Pairwise Ciphers (1) : CCMP\r\n\tEXEC:                        Authentication Suites (1) : PSK\r\n\tEXEC:          Cell 03 - Address: 48:5D:36:08:68:DD\r\n\tEXEC:                    Channel:6\r\n\tEXEC:                    Frequency:2.412 GHz (Channel 1)\r\n\tEXEC:                    Quality=62\/70  Signal level=-49 dBm  \r\n\tEXEC:                    Encryption key:off\r\n\tEXEC:                    ESSID:&quot;DosisHome-Guest&quot;\r\n\tEXEC:                    Bit Rates:1 Mb\/s; 2 Mb\/s; 5.5 Mb\/s; 11 Mb\/s; 18 Mb\/s\r\n\tEXEC:                              24 Mb\/s; 36 Mb\/s; 54 Mb\/s\r\n\tEXEC:                    Bit Rates:6 Mb\/s; 9 Mb\/s; 12 Mb\/s; 48 Mb\/s\r\n\tEXEC:                    Mode:Master\r\n\tEXEC:                    Extra:tsf=00000021701d8913\r\n\tEXEC:                    
Extra: Last beacon: 5936ms ago\r\n\tEXEC:                    IE: Unknown: 000F736F6D657468696E67636C65766572\r\n\tEXEC:                    IE: Unknown: 010882848B962430486C\r\n\tEXEC:                    IE: Unknown: 030106\r\n\tEXEC:                    IE: Unknown: 0706555320010B1E\r\n\tEXEC:                    IE: Unknown: 2A0100\r\n\tEXEC:                    IE: Unknown: 2F0100\r\n\tEXEC:STOP_STATENONE: NONE: NONE: NONE:\r\n\tFILE:\/root\/Pictures\/snapshot_CURRENT.jpg\r\n\tFILE:START_STATE,NAME=\/root\/Pictures\/snapshot_CURRENT.jpg\r\n\tFILE:STOP_STATE\r\n\tNONE: \r\n\tNONE: \r\n\tNONE:\r\n \t<\/pre>\n<p>In the middle of this log file that I created was a large chunk of base64-encoded text. I copied it into a new file, without any of the other data decoded above. I tried to decode this, but most of it was not readable, with the exception of the first line, which showed &#8220;JFIF,&#8221; and the occasional &#8220;FILE: &#8221; found throughout the file. So, not knowing what a normal JPEG would look like in a hex editor, I downloaded a regular JPEG from Google and opened it. I then opened the new file in a hex editor as well and compared the two against each other. Josh had made the comment that the magic bytes for a JPEG are &#8220;0xFFd8.&#8221; I looked for that in the new file and deleted everything before it. I also did a search for the hex string &#8220;46 49 4C 45 3A&#8221; (FILE:) and deleted all occurrences of it from the file. Once that was done, I saved the file with a .jpg extension. 
After that, I was able to see the image that the Gnome had taken (seen below).<\/p>\n<div id=\"attachment_304\" style=\"width: 1604px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Gnome-in-room.png\" rel=\"attachment wp-att-304\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-304\" src=\"http:\/\/www.herbiez.com\/wp-content\/uploads\/2015\/12\/Gnome-in-room.png\" alt=\"Gnome in the room\" width=\"1594\" height=\"1054\" class=\"size-full wp-image-304\" style=\"padding:1px;border:thin solid black\" \/><\/a><p id=\"caption-attachment-304\" class=\"wp-caption-text\">Gnome in the room<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>I figured that I would attempt the annual SANS Holiday Hack Challenge this year while things were slow at work (knock on wood). So after working on this for 2-3 days, I have managed to knock out the first of the questions: 1) Which commands are sent across the Gnome\u2019s command-and-control channel? 2) What image appears in the photo the Gnome sent across the channel from the Dosis home? The way I got the answers for this first set of problems was not &#8220;creative&#8221; by any stretch of the imagination. 
If anything it was just manually&#8230;<\/p>\n<p> <a class=\"continue-reading-link\" href=\"https:\/\/www.herbiez.com\/?p=301\"><span>Continue reading<\/span><i class=\"crycon-right-dir\"><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,4],"tags":[],"class_list":["post-301","post","type-post","status-publish","format-standard","hentry","category-challenges","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=301"}],"version-history":[{"count":4,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/301\/revisions"}],"predecessor-version":[{"id":306,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/301\/revisions\/306"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}