Network Forensics Puzzle #2 Solution

November 2, 2009

From Puzzle #2 – Ann Skips Bail

Answer written October 27, 2009. Not to be published before contest ends November 22, 2009.

Tools used: Wireshark, a Base 64 decoder, Xplico or base64.exe, fsum.exe and Word 2007.

Open the packet capture file (evidence02.pcap) in Wireshark.

Find the SMTP packet with the Info “334 VXNlcm5hbWU6“. This is the prompt for an email address. The response (c25lYWt5ZzMza0Bhb2wuY29t) requires a Base 64 decoder (

Find the SMTP packet with the Info “334 UGFzc3dvcmQ6“; this is the prompt for a password. The response (NTU4cjAwbHo=) requires a Base 64 decoder (558r00lz).

Selecting part of a multi-part SMTP message within Wireshark causes Wireshark to reassemble the data. This produces the email message and its header, but this will not decode MIME.

Selected the SMTP packet at 140, selected its data in the data window, double-clicked “reassembled DATA in frame: 557” and was able to view the text of the message. (That is, found that it was addressed to, “Hi sweetheart” and so forth, learned name of attached file.)

Found MIME data in the data frame; double-clicked to select it. Used File-> Export-> Selected Packet Bytes to an arbitrary file name: wireshark.raw. Used base64.exe to recreate secretrendezvous.docx.

base64 -d wireshark.raw secretrendezvous.docx

An alternate approach to carving out the email messages and their attachments would be to use Xplico Xplico (“the Internet Traffic Decoder”) can display the Internet traffic found in a pcap file. The Carlos Gacimartín image of Debian 5.0 with Xplico 0.5.2 installed and running worked fine.

Computed md5sum using fsum

fsum -md5 secretrendezvous.docx

Opened secretrendezvous.docx in Word 2007 and saved a copy as html. This produced image001.png; and I computed the MD5sum of this file.

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
fake passport and bathing suit
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
Playa del Carmen, Mexico
8. What is the MD5sum of the image embedded in the document?

Note: Chaosreader quickly parsed the evidence02.pcap file into a set of sessions, but the results were inaccurate. Chaosreader would be a way to get a quick overview of the sessions.

C:\perl\bin\perl.exe chaosreader -v ..\evidence02.pcap

Security Patch Management

October 18, 2009

A standardized patch management process reduces the incremental costs of patch deployment. You can afford to deploy patches with hard-to-quantify risks when your patch management process is well-designed.

Recognize that there is a reluctance to deploy patches. Fight that reluctance by determining why it exists. The view may be “our testing wasn’t rigorous enough.” Then improve the acceptance test scripts. The view may be “it ain’t broke.” That’s simply denial, the belief that because no one has actively complained it doesn’t need attention. It is broke, it needs fixing, get on it.

There is a risk which increases when security patches are released. When security patches are released, expect them to be reverse engineered. If an exploit of the vulnerability is not already available, it soon will be. When reviewing the importance of a security patch, the question “is exploit code publicly available?” is not an interesting question. Act as if exploit code is available.

“Is this vulnerability wormable?” is not an interesting question, either.  Worms were dramatic and news worthy, but worms are rare. It makes very little sense to develop a worm; there’s no money in it. Worms make news, worms get addressed, and worms make no money.

Information gathering makes money. Unauthorized access to information is a significant risk. Disclosed information has no disaster recovery mechanism; it cannot be unseen. Information disclosure often goes undetected. Prevention is your most important consideration when faced with the possibility of information disclosure.

You want to know if your mission critical systems are in jeopardy. Can your data be stolen or corrupted? Where is your data? What would be required to reach it?

Know your environment, which includes knowing your vendors and your application owners and your system owners and your change control process.

Get notified of patch availability (vulnerabilities as well). For Microsoft, the patch notification process is straightforward. Subscribe to each vendor’s vulnerability and patch announcement mechanisms. Subscribe to the Secunia notifications as well.

Check the Open Source Vulnerability Database for additional information about the vulnerabilities being mitigated and their potential risks. Any software vulnerability should be addressed quickly.

Encourage your vendors to adopt an announcement cycle. Don’t accept “when required” or “as needed” as responses. While vendors are caught by surprise when vulnerabilities are found, that unpredictability can be managed for their customers for all but the most troublesome of vulnerabilities. You want to be able to coordinate the availability of test teams.

Plan for the spikes that your support team will go through. For example, you may not know how many patches Microsoft will release on the second Tuesday of the month  but you know that patches will be released. Have support team resources ready.

When updating Java, be sure to uninstall old versions as well.

Pre-patch announcement tasks:

  1. Identify your mission critical applications.
  2. Baseline resource consumption of test environment.
  3. Assign a patch testing team to each mission critical application.
  4. Each patch testing team needs their own acceptance test script.

Patch announcement tasks:

  1. Does the patch effect resource consumption?
    1. Make sure your baseline of pre-installation resource consumption is current.
    2. Install patch.
    3. Review post-patch resource consumption.
  2. Set a deadline for a response; perhaps Friday 2:00pm of that week. For each patch testing team:
    1. Install the patch(es) on a test environment. The test environment should resemble the production environment. The test environment should not be the development environment.
    2. Step through the acceptance test script to determine application compatibility. Do expected results match observed results?
    3. Report pass or fail; either “no compatibility issue found” or “compatibility issue exists.” There is no “sort of” answer. There are no small or minor compatibility issues.

    The application acceptance testing task can be performed concurrent with resource consumption testing.

  3. When all patch testing teams report “no compatibility issue found,” follow your change control process. Your change control process includes:
    • Identify affected systems.
    • Is a restart required?
    • What is the roll-off, recovery or uninstall plan?
    • What is the time frame for this change, and has this time frame been communicated to affected parties? Identify any schedule conflicts.
  4. Deploy tested patches in stages. Deploy to a representative sample before broad deployment. While your acceptance testing should catch any problems, acceptance tests often need improvement.
  5. Report deployment status.Is your patch deployment process a success or failure? Use an independent tool.It is best to not rely upon reports from your deployment tool to evaluate your patch deployment status. You are measuring how effective your deployment is. Don’t rely upon the deployment tool to tell you how well it has done its job. If the deployment tool missed a target environment for deployment, expect it to miss the target environment for reporting as well. has a series of articles by Felicia Nicastro describing the security patch process:

Step by Step: Best practices for security patch testing and management

  1. Introduction
  2. How to prepare for security patch testing
  3. Security patch testing and deployment phase
  4. Security patch validation and verification

I prefer to begin testing before scheduling the deployment. You want to know that this mitigation measure is not detrimental to mission critical applications before committing to it as a mitigation measure. Testing in a test environment should be part of the patch evaluation.

Review your exposure. There will always be some exposure when mitigation would be more expensive. Patch installation should never be your only mitigation measure, but patch installation is always an important remediation measure.

Environments, platforms

How does your deployment mechanism scale? A slow distribution is not always a bad idea. Avoid saturating any network pipe. You don’t want to be taking the company out of business in an effort to prevent someone else from taking the company out of business.

Are there any organizational constraints which can effect your deployment mechanism design? For example, are there regional teams which want to do their own scheduling or want to be able to halt a distribution.

VMware Update Manager to patch ESX, VM Operating Systems, and many applications. VMware Update Manager takes a snapshot of the system before the patch is applied, providing you with a roll back mechanism.

A virtual host is as secure as its least secure guest environment. Do not think that patching the host environment replaces patching of guest environments.

The following is not an exhaustive list.

Linux tools:

  • Use the Linux distribution’s patches for packages such as OpenSSL and OpenSSH. Since Linux distributions will backport patches, your patch detection mechanism must be familiar with the version numbers implemented by the Linux distribution.
  • Cfengine, bcfg2, Puppet, Spacewalk for Fedora and CentOS.
  • Red Hat Satellite Server, Up2Date for Red Hat Enterprise Linux.
  • APT (Advanced Package Tool) for Debian and Ubuntu.
  • YaST for Novell SUSE.
  • YUM for AspLinux, Fedora, Yellow Dog, CentOS.

ScaleXtreme offers the first unified patch management solution for physical, virtual and public cloud servers. Your server can be behind a firewall or on Amazon EC2, our product can patch it and manage it.” For Windows and Linux servers.

Microsoft WSUS or Microsoft SCCM for Windows environments, but you’ll still need to address the non-Microsoft applications (such as Sun Java and the Adobe products). SCCM can be used to update any Windows application, with sufficient effort. Bigfix may be more appropriate. Secunia (and its Corporate Software Inspector (CSI) software) offers patching of third-party applications through WSUS. Microsoft Attack Surface Analyzer can be part of your patch resource consumption testing.

Do not neglect your network equipment. Cisco Router Assessment Tool (RAT) or nipper.

Are there any embedded systems in scope? Embedded systems are often selected because they will require no update. Often they will require security patches. The organization will have no maintenance plan, so this becomes much more than a tool selection problem.

When budgeting, don’t neglect to include the database costs. It is not unusual for Windows solutions to include MSDE at no cost, but recommend SQL Server at a significant cost.

Report Phishing

October 6, 2009

Can you identify phishing? See the SonicWall Phishing and Spam IQ Quiz (formerly the MailFrontier Phishing IQ Test).

Report phishing by sending a saved copy of the email to


See US-CERT’s Report Phishing, FTC’s Phishing and Anti-Phishing Working Group (APWG), respectively. A copy of the email is preferred to forwarding the email, since forwarding loses source information.

Additional information can be found at and Spoofing – Who Did That Email Really Come From?.

There is also PhishTank, who would be interested in the URLs in the email (e.g., web advertising that collect personal information for redistribution).

Expect LogRhythm to release an open source phishing management (Automating Detection & Response to Phishing Attacks) system Phishing Intelligence Engine (PIE) for Office365 about October 11, 2017. Video recording: and slide deck:


Blocking Torrent and Instant Messenger Traffic

August 6, 2009

Among the reasons to block instant messenger traffic:

  • Information disclosure, leakage (“loose lips”)
  • Regulatory requirements and auditability. If you have email retention requirements, do they apply to other messages?
  • eDiscovery, if needed, will be expensive or incomplete

These concerns can be addressed with an instant messaging product that you manage, but other instant messaging traffic will need to be controlled.

Among the reasons to block file sharing traffic:

  • Information disclosure; intentional disclosure as well as granting access to personal files not intended to be shared
  • Copyright violations and illegal content liabilities
  • Network traffic congestion, bandwidth saturation
  • eDiscovery, if needed, will be incomplete

Again, there are reasons to share files but they should be shared through a managed environment. Other means should be controlled.

Among the reasons to block social media:

  • Information disclosure (“loose lips”)
  • eDiscovery, if needed, will be expensive

Among the reasons to block broadband media and streaming media:

  • Network traffic congestion

Make sure there is a written policy about instant messenger traffic, file sharing, social media and broadband and streaming media. Make sure that the policy is known, and have employees sign that they have been trained on and made aware of the policy. Make sure the written policy is consistently enforced; a signed Acceptable Use Policy is only one of the indices a court would review. Tolerance of policy violations nullifies any written policy.

Blocking traffic says “firewall” to me. The most common ports you need to block are 6881 through 6889. You would already be blocking those ports. If you have a problem with a specific destination, seriously consider configuring your firewall to “deny all” traffic to that destination. If you have a problem with a specific source, talk to them (or HR, or your manager).

Uninstall client software when use of the client software has been prohibited. “I only use it after hours” means training was ineffective. “I only use it from home” means training was ineffective. Update training, emphasize why these policies are in place.

Recognize that “portable” versions of these applications are available. Just because you do not see installed copies of the software does not mean the software isn’t being used.

With ISA Server, you can block the instant messenger and .torrent files (by extension) using ISA Security Filter. See the article Using ISA Server 2004’s HTTP Security Filter to block instant messengers and peer-to-peer applications, The introduction to the ISA Security Filter is SolutionBase: Overview of the HTTP security filter in ISA Server 2004.

Blocking ports, blocking destinations, and blocking files by extension are partial measures that will not discourage a determined person. If you must, there are approaches.  Supplement that measure with tools such as Nessus to detect the traffic (and make follow-up a personnel issue), or insert a traffic filter (such as a Linux box running L7 Filter). Sizing that traffic filter is the next problem. Alternately, install a product like exinda or MikroTik RouterOS to manage the traffic.

Note that if you block any web sites, be sure to also block the web sites that can be used to work around your block. That is, block access to web sites with proxy access to other web sites., for example, creates an encrypyted tunnel from the client machine to the web site. Your web site filter may not be aware of access to prohibited sites proxied by If your web filtering approach does not have a vendor maintained list of public web proxy servers or you wish to verify your vendor’s list and you wish to maintain a list manually, has a list you can use. (Should include SnoopBlocker, Guardster, s-tunnel, JAP,,

Note that if you block web sites (including public web proxies), access to content could still be possible through cached copies of web pages. Google, for example, may have a cached copy.

If the traffic is encrypted, your web site filter may not have visibility into the traffic. An encrypted tunnel is meant to prevent eavesdropping. However, devices such as the Blue Coat SG can be installed as a “man-in-the-middle” measure to enable eavesdropping.

Blue Coat SG SSL

How Blue Coat SSG can handle SSL traffic, when information must be monitored.

Busy Firewall Administrators Note

July 23, 2009

New job? Review how to restore services. E.g., how would you do a restore? How old is the (Windows) Automated System Recovery (ASR)?

NETALYZR for a snapshot of what your connection to the Internet is like (requires Java). Save links it creates for comparison with future results.

You drop inbound traffic for unnecessary protocols and ports. You drop inbound traffic with known malicious patterns or signatures. See “The Anomaly or Signature based intrusion detection: Do you need both?” [mp3] presentation by David Jacobs, Principal of The Jacobs Group for an overview.

You drop inbound email for malicious patterns or sources.

Visit SRI Malware Threat Center. See the list of Most Aggressive Malware Attack Source and Filters. Test the rules. Implement the rules. See the Most Prolific BotNet Command and Control Servers and Filters. Test the rules. Implement the rules.

Test the rules: Flint is a free, open source, web-based firewall rule scanner.

Visit DShield Top Ten Source IPs or SANS Top Ten Source IPs or StopBadware’s Top 50 IPs. Block access (In and Out, all ports).

No, this is not rigorous. You’re slashing out the alerts you don’t want to waste time investigating, so you can focus on the interesting alerts. You still need to review the logs and follow up. But look at what you’re doing. You tell your boss you finished this. These are measurable tasks, good for status reports. They are good work, too.

For an explanation of the steps you just skipped (because your boss should ask why he cares), a walk-through is in Chapter 4: Lifecycle of a Vulnerability from Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century by Ryan Trost.

Who forwards your network traffic? How do you get on the Internet? Tracert shows IP addresses, but what’s the network diagram?, friend. Look up your domain name. You can give your boss a network diagram. Again, good work!

ip information

In a jam, trying to figure out what’s going on? Robert Graham’s FAQ: Firewall Forensics (What am I seeing?) is a practical file to work from. Can’t connect to it? Various versions appear around the net, the latest I can find (from a reliable source) is version 0.4.0 (April 20, 2000) at and A version 1.2.0 (January 2003) can be found at

See also:

  • Spyware warrior’s firewall links
  • Configuring IP Access Lists Cisco’s Guide To Access Control Lists (ACLs)
  • Port numbers
  • Sanewall Linux firewall builder for IPv4 and IPv6
  • Linux firewalls and routing
  • Hakin9 04/2010 [pdf] with Firewalls for Beginners by Antonio Fanelli
  • Firewall leak testing
  • Firewall Builder firewall policy configuration and management
  • Firewall Auditor, a free firewall PCI assessment tool provided by FireMon
  • Center for Internet Security (CIS) Cisco Router Audit Tool (RAT) assesses target devices for conformance with the CIS Benchmarks for Cisco Router IOS and Cisco PIX firewalls. The installation package for the tool includes benchmark documents (PDF) for both Cisco IOS and Cisco ASA, FWSM, and PIX security settings.
    NOTE: CIS RAT is out of date with the current CIS Cisco Benchmarks. A new, updated version of the tool is under development. Until the new version is released, RAT will remain an unsupported tool. Check for updates.
  • Nipper assists security professionals and network system administrators to securely configure network infrastructure devices. Search for the phrase “Cisco Router Device Router Security Report” to see examples posted on the Internet. The Open Source version is no longer supported. An Open Source fork (nipper-ng) exists.
  • Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported.

Busy network administrators may wish to turn to for tech support answers from Cisco professionals.

Diagram your network, perhaps using CADE, Dia, Diagram Designer, Gliffy or yEd.


May 26, 2009

Erica’s CWNA Study Guide PWO-100

AirMagnet web site provides product-independent background information and offers the AirWise Community Forum.

Troubleshooting tip: Fluke Networks’ new AirCheck™ Wi-Fi Tester was designed to quickly and easily troubleshoot 802.11 a/b/g/n Wi-Fi networks – all in a dedicated hand-held tester [flash interactive demo].

AirMagnet WiFi Analyzer:

  • Provides “root-cause” for reported Wi-Fi problems
  • Maximize 802.11n efficiencies and investment
  • Complete visibility of all Wi-Fi traffic
  • Never miss any rogue device or security threat
  • Independent ROI analysis of WLAN Infrastructure options
  • Audit-ready compliance status
  • Audit tool to verify network connectivity and application performance

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. It can sniff 802.11b; 802.11a, 802.11g, and 802.11n traffic and supports raw monitoring system and plug-ins which allow sniffing other media.

TamoSoft’s CommView for WiFi is available as an evaluation version.

MetaGeek’s inSSIDer is an open source wireless network scanner.

Azulstar’s Wireless Wizard “improves the use and reliability of any WiFi, LTE, Wireless Fiber, 3G, or 2G wireless networks. It allows you to aim your wireless adapter, measure network performance and quickly identify and fix wireless broadband problems. The Wizard includes a Wi-Fi analyzer to easily identify the best channel and resolve interference issues.”

Bench Software’s Wireless Key Generator “Encrypting your wireless internet access requires an encryption key, and Wireless Key Generator not only can provide you with this it can save your key to a text file ready for storing on a usb memory stick or CD. Giving you a simple means of entering your key on each wireless device requiring a secure internet access. Although Wired Equivalent Privacy (WEP) is supported it is no longer recommended due to the number of programs available that can crack and determine the encryption key within seconds. So Wi-Fi Protected Access (WPA/WPA2) should be used if possible on all wireless access points and routers.”

WeFi helps you locate free wireless hotspots throughout the world. “WeFi app eliminates the need of manually selecting and trying out every WiFi networks. Instead, Through WeFi, you’re Wi-Fi enabled device will automatically locate a strong Wi-Fi spot and connect you to it, no questions asked.” (sic) Android, PC/Netbook and Symbian

Change from WEP to WPA, but use strong keys as well.

Problem: You enabled WPA2 using strong pre-shared keys (PSK, or WPA2-Personal). You can copy your strong key to a USB drive and use the USB drive to paste it to your other computing devices. You then learn that entering these strong keys on your mobile phone or other wireless-capable device is difficult to impossible. Do you choose to use weaker keys and expose yourself to a simple dictionary attack, or do you struggle with entering the difficult key?

Anyone can upload a packet capture to WPA CRACKER and have it return the WPA pre-shared key (PSK) in about 20 minutes for $17. Compare with $1,199 for “Elcomsoft Wireless Security Auditor allows network administrators to verify how secure a company’s wireless network is by executing an audit of accessible wireless networks. Featuring patent-pending cost-efficient GPU acceleration technologies, Elcomsoft Wireless Security Auditor attempts to recover the original WPA/WPA2-PSK text passwords in order to test how secure your wireless environment is.” Weak keys are the failure point in any encryption scheme. Get a strong key using Steve Gibson’s free password generator. Don’t worry that you cannot recall such a password; you rarely re-enter it. You rarely change it as well, which is another reason to use a very strong password (and another reason to think that there must be a better solution).

Do not advertise your SSID. Some things you do not advertise. You know your SSID and your key.

Discover hidden SSIDs (and perform many un-neighborly attacks) with MDK3. Watch on Vimeo.

Turn off your wireless access point when it is not in use.

WirelessKeyView recovers all wireless network keys (WEP/WPA) stored in your computer by the ‘Wireless Zero Configuration’ service of Windows XP and by the ‘WLAN AutoConfig’ service of Windows Vista.

Do not leave plug-and-play enabled on your wireless router. Do not configure your wireless router to be in transparent mode. Do not configure your wireless router (and your firewall) to enable peer-to-peer file sharing. Too often people enable unsolicited network traffic to reach the end device. Too often the wireless router is breached and the firewall is breached because they are someone has configured them to leave little protection.

Is this a corporate, not home implementation? Have a concern about your perimeter? Don’t like the idea of someone sitting in your parking lot, sniffing your traffic? You’ve implemented WPA with strong encryption AND strong keys (because an easily guessed password defeats any encryption) and you’re not broadcasting your SSID, so you should be safe. Just in case, though, take that old b/g router and put it a little way into the parking lot, just far enough that eavesdroppers get this router; just far enough that it has the strongest signal. While rogue access points may be considered “evil twins” when the evil-doer has inserted them, you can turn that idea to your advantage. These “tar pit routers” would be configured like production routers. They get power but they don’t get a network drop. Don’t put these “tar pit routers” on your corporate network.

The trick you’re exploiting is: eavesdroppers cannot choose the device they connect to; they get these nearby “tar pit router” devices. When connect successfully (because they’re disgruntled ex-employees, perhaps), they cannot get interesting information. They get stuck on these “tar pit routers”.

Now you need a way to protect these “tar pit routers” from being disconnected from power or stolen. They will be discovered. Alarm them and include them within the range of your security cameras. Do not give in to the temptation of connecting them to the facility network to send an alert when they go off-line. Do not give eavesdroppers a way to acquire more information.

For additional considerations, see:

Have a b/g router? (performance tip) Bear in mind that when an 802.11b device connects (at up to 11 Mbps), the 802.11g devices operate at reduced throughput (up to 11 Mbps, not the desired 54 Mbps). Get rid of your 802.11b devices and switch the router to 802.11g only.

Better yet: Move your wireless network to the 802.11a (5 GHz frequency) and get out of the crowded unregulated 2.4 GHz frequency that 802.11b/g/n, garage door openers, handsets, appliances and other consumer devices use.

Wireless Access Point (WAP) tools

  • Ekahau HeatMapper, a free Wi-Fi coverage mapping site survey tool.
  • Xirrus WiFi tools. Ultra-geeky, and very useful information. Xirrus WiFi Inspector Xirrus Wi-Fi Inspector and Xirrus Wi-Fi Monitor Gadgets/Widgets to troubleshoot 802.11 and detect rogue access points.
  • MetaGeek’s free InSSIDer 2 open-source Wi-Fi scanning software. Inspect your WLAN and surrounding networks to troubleshoot competing access points (replacing NetStumbler).

Infrastructure components/elements in mobile IP networks:

  • GGSN
  • SGSN
  • PDSN
  • HA
  • FA
  • VLR
  • HLR
  • RNC
  • MSC
  • MGW
  • NodeB
  • BSC
  • PCF

Interfaces in mobile IP networks:

  • A8
  • 89
  • A10/A11
  • R-P
  • P-I
  • AAA
  • Gn
  • Gi
  • Gb

Services/applications in mobile IP networks:

  • WAP
  • MMS
  • LBS
  • AAA
  • UMTS
  • GPRS
  • 1XRTT
  • EVDO

AirPatrol Wireless Threat Management products

AirMagnet – Enterprise Wireless Network Security and Troubleshooting

With Karmetasploit [tar.gz] the attacker is a fake access point which responds to any discovery request by wireless clients and announce it self with the SSID of the request. In this way it intercepts and manipulate all traffic. See PaulDotCom Security Weekly episode 208.

In Linksys WAP610N, a SOHO wireless accessing point, unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user. This vulnerability can be exploited by using telnet1111 client.