Friday, June 12, 2009

Scratching an itch

Every now and then, I need to scratch a technical itch. Fortunately, Chris Christianson had the good taste to post Ceasar's Challenge just as it manifested itself.

The challenge was the following:

4500 00c8 21c4 4000 8006 dee4 c0a8 3c01
c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
5018 ffff 2c6d 0000 1f8b 0808 d92d 074a
0203 6669 6c65 005d 8ecb 9104 210c 43ef
1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb
faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
81fd ec8d 87bd e00f c79f f344 767d 41a3
098e 034f f31b 0c39 3f88 9e89 3a46 18dd
af28 706f f8f0 82f7 5db7 d2d0 fc17 634c
54d6 914c 43ed 72c4 532f 6a72 c329 4925
48cb db9c 8564 2cc4 1baf b81c 7a5c cde9
b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
c173 e305 f500 0000

After looking at this for a while, it became obvious that this is an IPv4 packet. The first byte (0x45: version 4, header length 5 words) is a dead giveaway. Using the SANS TCP/IP cheat sheet, I was able to confirm that this was indeed an IPv4 packet.

First order of business: get this in a workable format. I started with dumping this in a file (challenge.1) and converting it to binary:

xxd -r -p challenge.1 challenge.2

Opening challenge.2 in a hex editor gave me a little more insight into what I was doing. I used hexedit on Linux and notepad++ on Windows.

The TCP header, like the IP header, was 20 bytes long (data offset 5, i.e. 5*32/8), so the TCP payload started 20 bytes (0x14) past the start of the TCP header. Repeating the process of copying the payload into challenge.3 and converting it to binary with xxd gave me challenge.4. Running file challenge.4 on Linux told me that it was gzip'ed data.

Copying challenge.4 to challenge.5.gz and gunzipping the file yielded challenge.5, which, viewed in a hex editor, turned out to be another IP packet. This time the packet contained a UDP payload going from source port 23149 to destination port 514 between the same two hosts. The payload of the UDP packet looked like syslog, and the port numbers confirm that:

<15>Jun  3 13:16:19 DDDDDDDD GenericLog    0    VWRS VPHOOLQJ SDFNHW SOHDVH

Remember the title of the challenge? Exactly, a Caesar shift. Fortunately, it did not take long to figure out that the offset was '3', which resulted in the answer: STOP SMELLING PACKET PLEASE.
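To run the whole chain end to end without a hex editor, here is an added Python example (mine, not from the post or from the challenge itself). It builds its own stand-in packet pair (syslog in IP/UDP, gzipped into the payload of IP/TCP, with the same ports and hosts as above and checksums left at zero), then peels the layers off using the IHL and TCP data offset fields and undoes the shift; unwrap() takes any hex dump in the format shown at the top of the post.

```python
import gzip
import struct

def ipv4(proto: int, body: bytes) -> bytes:
    """Build a minimal IPv4 header (IHL 5, DF set, checksum left 0) in front of body."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0x4000, 128,
                       proto, 0, bytes([192, 168, 60, 1]), bytes([192, 168, 60, 53])) + body

def build_sample() -> str:
    """Constructed stand-in for the challenge hex: syslog in IP/UDP, gzipped into IP/TCP."""
    msg = b"<15>Jun  3 13:16:19 DDDDDDDD GenericLog    0    VWRS VPHOOLQJ SDFNHW SOHDVH"
    udp = struct.pack("!HHHH", 23149, 514, 8 + len(msg), 0) + msg
    tcp = struct.pack("!HHIIBBHHH", 20, 2113, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return ipv4(6, tcp + gzip.compress(ipv4(17, udp))).hex()

def strip_headers(pkt: bytes):
    """Remove one IPv4 header plus its TCP/UDP header; return (proto, sport, dport, payload)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                    # IHL counts 32-bit words
    total = struct.unpack("!H", pkt[2:4])[0]     # total length, drops any trailing padding
    proto = pkt[9]
    seg = pkt[ihl:total]
    sport, dport = struct.unpack("!HH", seg[:4])
    if proto == 6:
        hlen = (seg[12] >> 4) * 4                # TCP data offset, also in 32-bit words
    elif proto == 17:
        hlen = 8                                 # UDP header is fixed size
    else:
        raise ValueError(f"unsupported protocol {proto}")
    return proto, sport, dport, seg[hlen:]

def unwrap(hexdump: str):
    """Peel IP/TCP -> gzip -> IP/UDP until a payload that is not gzip is reached."""
    data = bytes.fromhex(hexdump)
    while True:
        _, sport, dport, payload = strip_headers(data)
        if payload[:2] != b"\x1f\x8b":           # gzip magic
            return sport, dport, payload.decode("ascii")
        data = gzip.decompress(payload)

def caesar(text: str, shift: int) -> str:
    """Shift letters back by `shift`; non-letters pass through unchanged."""
    out = []
    for ch in text:
        base = 65 if "A" <= ch <= "Z" else 97 if "a" <= ch <= "z" else None
        out.append(ch if base is None else chr((ord(ch) - base - shift) % 26 + base))
    return "".join(out)

if __name__ == "__main__":
    sport, dport, line = unwrap(build_sample())
    print(f"UDP {sport} -> {dport}: {line}")
    print(caesar(line.rsplit("    ", 1)[-1], 3))
```

Only the last syslog field is shifted, so the decode is applied to that field alone; trying shifts 1 through 25 in a loop is the quickest way to find the offset when it is not known.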


