Wednesday, March 24, 2010

Network Forensics Puzzle Contest: Puzzle #4: The Curious Mr. X

Below are my answers for the Network Forensics Puzzle Contest: Puzzle #4: The Curious Mr. X. I didn't get to this until after the 3/18 deadline, so I wasn't able to officially submit it.

1. What was the IP address of Mr. X's scanner?

10.42.42.253

Look for source IPs sending SYNs:

$ tcpdump -lnr evidence04.pcap 'tcp[13] & 0x02 = 0x02' | cut -d ' ' -f 2 | awk -F '.' '{print $1 "." $2 "." $3 "." $4}' | sort | uniq -c | sort -nr
tcpdump: WARNING: snaplen raised from 116 to 65535
7416 10.42.42.253
27 10.42.42.50
12 10.42.42.25

Verify traffic looks like a scan:

$ tcpdump -lnr evidence04.pcap 'tcp[13] & 0x02 = 0x02' and src host 10.42.42.253 | more

2. For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one:

TCP Connect - you can see the full TCP 3-way handshake for open ports.

* TCP SYN - 2nd scan using static source port of 36020 - RST is sent as soon as a SYN/ACK is received for open ports
* TCP ACK - ACK scanning isn't really a portscan type, more of an "are you alive?" check
* UDP - some UDP traffic, but not a scan
* TCP Connect - 1st scan using random source ports
* TCP XMAS - no XMAS packets, 'tcp[13] & 0xff = 0xff'
* TCP RST - no RST scanning, 'tcp[13] & 0x04 = 0x04'

3. What were the IP addresses of the targets Mr. X discovered?

sort/uniq out destination addresses:

$ tcpdump -lnr evidence04.pcap tcp and src host 10.42.42.253 | cut -d ' ' -f 4 | awk -F '.' '{print $1 "." $2 "." $3 "." $4}' | sort | uniq -c | sort -nr
3402 10.42.42.25
2041 10.42.42.50
2007 10.42.42.56

4. What was the MAC address of the Apple system he found?

00:16:cb:92:6e:dc

Determined via Wireshark's MAC Layer name resolution, confirmed via http://www.coffer.com/mac_find/?string=00%3A16%3Acb%3A92%3A6e%3Adc

5. What was the IP address of the Windows system he found?

10.42.42.50

Seeing NetBIOS broadcasts from 10.42.42.50:

$ tcpdump -lnr evidence04.pcap udp
tcpdump: WARNING: snaplen raised from 116 to 65535
18:36:52.989943 10.42.42.50.137 > 10.255.255.255.137: udp 50

Seeing SYN/ACKs from the usual Windows ports 135 and 139:

$ tcpdump -lnr evidence04.pcap 'tcp[13] & 0x12 = 0x12'
tcpdump: WARNING: snaplen raised from 116 to 65535
18:34:07.824240 10.42.42.50.139 > 10.42.42.253.56257: S 3796692784:3796692784(0) ack 3001813132 win 65535 (DF)
18:34:08.106871 10.42.42.50.135 > 10.42.42.253.42214: S 2938239898:2938239898(0) ack 2994045279 win 65535 (DF)

6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)

135
139

Look for SYN/ACKs sourced from the Windows system:

$ tcpdump -lnr evidence04.pcap 'tcp[13] & 0x12 = 0x12' and src host 10.42.42.50
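The same checks, as an added example that is not part of the original post or contest: a small Python script that applies the SYN-count, SYN/ACK and handshake-follow-up logic above to a constructed set of lines in the legacy tcpdump output format quoted here (the packets are made up, not taken from evidence04.pcap). The `scanner`, `open_ports` and `scan_types` functions are assumptions of this example, not tools from the contest.

```python
import re
from collections import Counter, namedtuple

# Constructed packets (not from evidence04.pcap): a connect-style probe from a random port,
# then SYN-scan probes from static port 36020, plus a NetBIOS broadcast the parser must skip.
SAMPLE = """\
18:34:07.800 10.42.42.253.56257 > 10.42.42.50.139: S 100:100(0) win 5840
18:34:07.824 10.42.42.50.139 > 10.42.42.253.56257: S 200:200(0) ack 101 win 65535 (DF)
18:34:07.830 10.42.42.253.56257 > 10.42.42.50.139: . ack 201 win 5840
18:36:10.000 10.42.42.253.36020 > 10.42.42.50.139: S 400:400(0) win 1024
18:36:10.010 10.42.42.50.139 > 10.42.42.253.36020: S 500:500(0) ack 401 win 65535 (DF)
18:36:10.012 10.42.42.253.36020 > 10.42.42.50.139: R 401:401(0) win 0
18:36:10.020 10.42.42.253.36020 > 10.42.42.50.445: S 600:600(0) win 1024
18:36:10.025 10.42.42.50.445 > 10.42.42.253.36020: R 0:0(0) ack 601 win 0
18:36:52.989 10.42.42.50.137 > 10.255.255.255.137: udp 50
"""
LINE = re.compile(r"^\S+ (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)(.*)$")
Pkt = namedtuple("Pkt", "src sport dst dport syn ack rst")

def parse(text):
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or not set(m.group(5)) <= set("SRPF.WE"):
            continue  # token after the colon is not TCP flags (e.g. the "udp 50" line)
        flags, rest = m.group(5), m.group(6)
        pkts.append(Pkt(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                        "S" in flags, " ack " in rest, "R" in flags))
    return pkts

def scanner(pkts):
    """Q1: the source sending the most bare SYNs (tcp[13] & 0x02 set, ACK clear)."""
    return Counter(p.src for p in pkts if p.syn and not p.ack).most_common(1)[0][0]

def open_ports(pkts, host):
    """Q6: ports on host that answered with SYN/ACK (tcp[13] & 0x12 = 0x12)."""
    return sorted({p.sport for p in pkts if p.src == host and p.syn and p.ack})

def scan_types(pkts, scanner_ip):
    """Q2: per scanner source port, what it sends after a SYN/ACK: a bare ACK
    completes the handshake (TCP Connect), a RST tears it down (TCP SYN scan)."""
    verdicts = {}
    for i, p in enumerate(pkts):
        if p.dst == scanner_ip and p.syn and p.ack:
            for q in pkts[i + 1:]:
                if (q.src, q.sport, q.dst, q.dport) == (p.dst, p.dport, p.src, p.sport):
                    verdicts[p.dport] = "TCP SYN" if q.rst else "TCP Connect"
                    break
    return verdicts
```

Against a real capture, feed it `tcpdump -lnr evidence04.pcap tcp` output instead of SAMPLE; the random-port connection gets the Connect verdict and the static port 36020 the SYN verdict, matching the two scans described above.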
