This assignment has two parts. It is due by 11/1/18 at 11:59PM.
There will be a late penalty of 5% per day late!
One of our network engineers recently discovered that hackers have been using an insecure channel on our server to communicate. We need to know what they're up to!
The hackers don't know that our network engineer saved all network traffic from the last time they were online. Can you analyze it for us and answer the following questions?
1. Did the hackers use the traceroute command on any websites? If so, list one.
2. What are the names used by the hackers?
3. What are the hackers' IP addresses, and where are they connecting from?
4. What port are they using to communicate on our server?
5. Did they mention their plans? When are they happening?
6. Did they send any files to each other? List any links or related information you found.
7. When do the hackers expect to see each other next?
After looking at the file that you discovered in #6 above, we were unable to identify its file type or any program that can open it. Fortunately, we found a specification sheet for this file type! Can you write a parser for us and tell us what their file contains?
We've uploaded the file's spec sheet here. Once you write the parser, report back with what you've found!
Perform the following tasks:
- Develop the parser, using both the specification and update.fpff for reference. stub.py contains the beginnings of a Python parser, if you'd like to develop in Python.
- Parse update.fpff, and report the following information:
  - When was update.fpff generated?
  - Who authored update.fpff?
  - How many sections does update.fpff say it has? How many sections are there really?
  - List each section, giving us the data in it and its type.
  - Report at least one flag hidden in update.fpff. Any other flag found will count as bonus points towards the competition portion of the syllabus.
- Make sure to submit all of the code you write, even if based on stub.py!
This assignment is worth 100 points, broken down between the pcap findings (25 points), the fpff parser (50 points), and question answering/analysis (25 points).
Remember to document your steps for maximum credit. We want to know how you approached and solved this challenge!
Look at the Forensics I and II slides for guidance.
If you're using Python, Ruby, or another scripting language, check out the pack and unpack methods:
- Python 2 - struct
- Python 3 - struct
- Ruby - Array#pack and String#unpack
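As an added illustration of the struct-based approach (this is not the FPFF spec and not stub.py, neither of which is reproduced here), the parser below reads a constructed toy sectioned format carrying the same kinds of fields the questions ask about: a timestamp, an author, a declared section count, and typed sections. The layout, magic value, section types and sample bytes are all assumptions made for this example; the point to carry over is that the section walker is driven by the bytes actually present rather than by the header's count, which is how a gap between the declared and the real number of sections becomes visible.

```python
import struct
from datetime import datetime, timezone

# Constructed toy layout (NOT the FPFF spec):
#   header : magic "EXMP" | version u32 | timestamp u32 | author 8 bytes | declared_sections u32
#   section: type u32 | length u32 | data[length]        (all integers little-endian)
HEADER = struct.Struct("<4sII8sI")
SECTION_HDR = struct.Struct("<II")
MAGIC = b"EXMP"
SECTION_TYPES = {1: "ascii", 2: "utf8", 3: "binary"}  # assumed type codes


def parse(data):
    """Parse a toy sectioned file; returns header fields plus every section found."""
    if len(data) < HEADER.size:
        raise ValueError("file shorter than header")
    magic, version, ts, author, declared = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    sections = []
    off = HEADER.size
    # Walk until the data runs out, not until the declared count is reached:
    # the header's count is just another untrusted field and may be wrong.
    while off < len(data):
        if len(data) - off < SECTION_HDR.size:
            raise ValueError("truncated section header at offset %d" % off)
        stype, length = SECTION_HDR.unpack_from(data, off)
        off += SECTION_HDR.size
        if length > len(data) - off:  # length must be bounded by what is really there
            raise ValueError("section at %d claims %d bytes, only %d remain"
                             % (off, length, len(data) - off))
        sections.append({"type": SECTION_TYPES.get(stype, "unknown(%d)" % stype),
                         "data": data[off:off + length]})
        off += length
    return {
        "version": version,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "author": author.rstrip(b"\0").decode("ascii", "replace"),
        "declared_sections": declared,
        "actual_sections": len(sections),
        "sections": sections,
    }


def build_sample():
    """Constructed sample: the header claims 2 sections but the file carries 3."""
    body = b"".join(SECTION_HDR.pack(t, len(d)) + d for t, d in
                    [(1, b"hello"), (3, b"\x00\x01\x02"), (1, b"flag{constructed}")])
    return HEADER.pack(MAGIC, 1, 1541000000, b"alice", 2) + body
```

Running `parse(build_sample())` reports `declared_sections == 2` against `actual_sections == 3`, and feeding it a file cut off mid-section raises instead of reading past the end.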