CloudShark Blog

Training, webinars, and resources for network analysis

November 15, 2018

How we made the 2018 Halloween capture challenge

Written By
Tom, Zach, and Jason
Published
November 15, 2018
Share

Posted to:
News Capture Challenge

In depth on creating a capture challenge using custom built captures

Every so often we like to come up with a special capture challenge where people can use CloudShark to dive into some packet analysis and find the solution. But often the interesting story is about the methods we use to make the captures themselves - generating and capturing very specific packets to make the challenge interesting. Being packet geeks, it’s also really fun.

This year for Halloween we wanted to do something a little special and come up with a capture challenge where we would hide 5 “pumpkins” in a pcap file. Some of the best solutions were even written up into blog posts by our participants (spoilers if you plan on trying the challenge yourself):

Our good friend Chris Sereno:

https://chris.theserenos.com/blog/2018/11/02/cloudshark-2018-halloween-challenge/

Scott, Tony, and Sarandon from Sealing Tech:

https://sealingtech.org/2018/11/14/trick-or-treat-halloween-pcap-challenge-from-cloudshark/

Once we came up with a few ideas of where to hide pumpkins in a pcap file, Tom sat down to figure how to generate the packets. He uses a small lab setup with two virtual machines and a network tap from Garland to capture traffic going between them.

Garland Network Tap

Once ready to go, it was time to start generating some pumpkins in the data!

Pumpkin 1

This one was pretty simple. This pumpkin is hidden in the HTTP objects analysis tool. To hide this one, Tom downloaded a copy of our homepage, www.cloudshark.org, and replaced one of the images with our CloudShark jack-o-lantern. To keep everything in the lab and going through the TAP, he served this webpage up using nginx. On the second machine, Tom edited his ‘/etc/hosts’ file so that ‘www.cl0udshark.org’ would point to this server and captured the traffic sent by a browser going to this site.

We use HTTP Strict Transport Security on www.cloudshark.org. That means once your browser goes to www.cloudshark.org the server also tells the browser to only connect to this site using HTTPS. That’s why the hostname is ‘cl0udshark.org’ - otherwise the browser would try and connect over HTTPS and this pumpkin would be encrypted! Also, we hoped that seeing cl0udshark.org in the list of hostnames might be a hint to look deeper.

Pumpkin 2

What the heck is IFS?

IFS in this script stands for “internal field separator” and tells bash to use the newline character when iterating over the output of `cat`. It gives us the file line by line!

What the heck is IFS?

IFS in this script stands for “internal field separator” and tells bash to use the newline character when iterating over the output of `cat`. It gives us the file line by line!

For this pumpkin we used the http.host field of an HTTP request to hide an ascii art pumpkin. If you open the HTTP analysis tool you will see some really strange hostnames. To make this pumpkin Tom started with a file containing an ascii art pumpkin and wrote a script to send one HTTP request for each line in the ascii art file:

#!/bin/bash

file=${1}

IFS=$'\n'
for i in $(cat ${1})
do
  curl -m 1 -H "Host: ${i}" 192.168.1.10
done

To make sure these TCP connections succeeded, and were not rejected by the 192.168.1.10 machine, Tom used the Netcat tool with the command nc -l 80. We didn’t need a full web server for this pumpkin to appear. Netcat can be used to send or listen on arbitrary TCP/UDP ports so that each HTTP request went through without being reset during the 3-way handshake.

Pumpkin 3

This was another ascii art pumpkin that was sent between two machines using netcat. First on one machine Tom ran nc -l 666 to listen for a TCP connection on port 666. Then on another he ran cat <asciiart file> | nc <ip> 666 to send a text file containing an ascii art pumpkin.

This was probably the most straightforward one to hide. Using port 666 was another hint that something strange was going on here.

Pumpkin 4

This pumpkin is an audio stream of a familiar, family friendly, Halloween movie. Hint: it’s got pumpkin in the name.

To generate this one, Tom used a program called gstreamer on CentOS 7 to send a WAV file as audio via RTP. The command to send the stream was:

gst-launch-1.0 filesrc location="greatpumpkin.wav" ! wavparse ! audioconvert
! audioresample ! alawenc !  rtppcmapay  ! udpsink host=192.168.1.10 port=1313

This RTP stream was sent over UDP rather than TCP like the HTTP example above. Since there is no 3-way handshake in UDP there was no need to run something like netcat to make sure gstreamer would send these packets. We can just blast them out onto the network.

Sensing a theme with our port numbers yet?

Pumpkin 5

This is a 2 part puzzle. Tom once again used nginx to serve up an ascii art pumpkin. Then he configured nginx to compress any text file that it serves by adding the following to the configuration file:

# Enable compression
gzip on;
gzip_vary on;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_min_length 1;

This alone would hide it from human eyes looking at the TCP stream, but CloudShark has the ability to unzip HTTP bodies and we wanted to hide it even deeper! Tom configured nginx to enable TLS encryption (HTTPS) so we could serve the file over an encrypted connection. So how do we make it even possible find? Tom used curl to download the pumpkin but followed our guide explaining how to save the SSL Client Keylog. This gave him the keys used to decrypt the traffic later. In order to hide the decryption keys in the pcap for you to find, we put them in an SMTP e-mail message. Tom says, “My brother and I love scary movies this time of year and I wanted to sprinkle in a reference to our favorite one, too.”

Tom came across a program called smtp-sink which can be used to test e-mail clients by simulating an SMTP server. He ran this command to start the fake mailserver:

smtp-sink -h themyershouse -u nobody 192.168.1.10:25 1000

Surprisingly, curl can also send emails! . Tom wrote up an e-mail in a text file and sent it off with curl:

curl --url 'smtp://themyershouse' --mail-from loomis@smithgrovesanitarium \
  --mail-rcpt 'laurie@themyershouse' --upload-file e-mail.txt

Now if you read that email you’ll have the keys needed to decrypt the final pumpkin. CloudShark’s built-in SSL Decryption tool can take a KEYLOG just like this one to decrypt HTTPS. Don’t forget, we compressed this one too so to view the pumpkin you need to use the Follow HTTP analysis tool.

Putting it all together

Armed with individual pcaps containing each of the hidden pumpkins, we wanted to hide them within a single larger capture. We found a capture of random traffic from a SANS Forensics Challenge (nitroba.pcap), and Tom exported a portion of it. Using editcap and the -t option, Tom shifted all of the packets, making the capture start at midnight on halloween:

-t

Sets the time adjustment to use on selected packets. If the -t flag is used to specify a time adjustment, the specified adjustment will be applied to all selected packets in the capture file. The adjustment is specified as [-]seconds[.fractional seconds]. For example, -t 3600 advances the timestamp on selected packets by one hour while -t -0.5 reduces the timestamp on selected packets by one-half second.

The pcaps containing the pumpkins were each shifted so that they started at some point during this pcap. Unfortunately, all of the pcaps generated have the same two IP addresses of the VMs used. That would be a dead giveaway after finding the first few pumpkins and we couldn’t make it that easy!

TraceWrangler to the rescue

One of our favorite blogs is blog.packet-foo.com. Jasper’s talks at Sharkfest are always great! His tool TraceWrangler is designed to sanitize and anonymize capture before sharing them and one of the features is to replace and randomize IP address. Perfect! After running these pcaps through TraceWrangler they are much easier to hide alongside the traffic from the SANS capture!

With all the pcaps ready Tom uploaded them all to CloudShark and merged them into a single capture for the 2018 Halloween capture challenge!

We love making cool challenges!

We hope that you had as much fun searching for the pumpkins as we did hiding them! We try to build all of our capture challenges so that you can solve them entirely with CloudShark. Getting a behind the scenes look at how to generate such specific packet data can teach a lot about networks and how packets really are the best resource for analyzing them. If you want to try the challenge yourself, we’ll always take new submissions! Thanks to those who participated and always check back on our blog for more challenges like this.


Want more great stuff from CloudShark?

We regularly publish in-depth articles on technical topics to show how packet captures are your most valuable network resource. Sign up for our newsletter to get them delivered to you!

About Us

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.

Get in touch via our Contact us page or by following us on your favorite service: