PCAP Analysis of the Nitroba Incident
The following is a pcap analysis walkthrough for a course on network traffic analysis. Without the pcap file in hand, this post will not make much sense; it exists mainly for class amusement. Much like the emails, it will self-destruct over the weekend.
Scenario
Someone connecting to a Wi-Fi router in the dorms sent harassing and threatening emails to a professor. The students who had physical possession of the router allowed a wiretap to be placed on the router to capture traffic after the first message was sent. The task is to analyze the pcap taken from that tap after the second message was received and find forensic evidence that may indicate who was responsible for sending the messages.
Export Objects
There was quite a bit of traffic to sift through, so with the specific transgression in mind I started by exporting HTTP objects (File > Export Objects > HTTP in Wireshark) and searching the list for "www.willselfdestruct.com". The associated packet was 84366. The User-Agent looked suspicious, so I looked at the source MAC address: its OUI indicates Apple hardware, which does not jibe with a Windows XP / MSIE 6 UA string. Note: I later learned that this mismatch is not really significant because of where the sniffer was. The tap saw traffic on the router's own interface, so every client behind it shows up with the router's MAC address, and the Apple OUI identifies the router rather than the sender's machine. Nonetheless, the process did not lead me in a wrong direction.
Source MAC (as a display filter):
eth.addr == 00:17:f2:e2:c0:ce
Attacker IP address (a private address behind the router, so on its own it identifies a host only while it held that address, not a person):
192.168.15.4
Attacker User Agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
willselfdestruct.com IP:
69.25.94.22
MAC Address & POST Requests
Filtered the pcap for that MAC address and looked for POST requests that might show a user logging into something:
eth.addr == 00:17:f2:e2:c0:ce && http.request.method=="POST"
Results
Found Johnny Coach logging into Gmail with jcoachj@gmail.com from the MAC address noted in the www.willselfdestruct.com traffic.
Gmail IP
74.125.19.17
Google Cookies for the Session
Cookie: GX=DQAAAG8AAAAAm2oW8LqM60qoQ5w2jVJ-zHIfuyAQ3GUkvcv4N9vQ6lWuLpVMCmw1Jhmlm9_P3qZbyTWkIWDo5cnuJHuMxySQ3a5_HduypckaYwOo-HSktrUCM8z2caTi0C7NMWnqJdfJa63rj2FKElFpHQqf52we; S=gmail=L5hb7hHJ9B97n6StWA4FvA:gmail_yj=-OoenmU7qTeuQ1
Cookie pair: GX=DQAAAG8AAAAAm2oW8LqM60qoQ5w2jVJ-zHIfuyAQ3GUkvcv4N9vQ6lWuLpVMCmw1Jhmlm9_P3qZbyTWkIWDo5cnuJHuMxySQ3a5_HduypckaYwOo-HSktrUCM8z2caTi0C7NMWnqJdfJa63rj2FKElFpHQqf52we
Cookie pair: S=gmail=L5hb7hHJ9B97n6StWA4FvA:gmail_yj=-OoenmU7qTeuQ1dsN3B1kg:gmproxy=6uatNcZZmB8:gmproxy_yj=FRV17ZyWnh8:gmproxy_yj_sub=bzgoWOybARA
Cookie pair: GMAIL_AT=xn3j32oktf2a0q6oa3k9sfr6d09yzf
Cookie pair: gmailchat=jcoachj@gmail.com/475090
Cookie pair: PREF=ID=8fc081df5e738a3c:TM=1210743469:LM=1216706486:GM=1:S=vvxeHX0oIXNyR8Zj
Cookie pair: NID=13=tJ7LtEc6z12iH4BP_IPyV0gGhi4aLcZoJcjAf7l-9JQ2AeoD8oWG9NJtOp7T5tuskkNgEKMRAn9P49vI4Easp6NpBuJWaDr5pEv4yh6XE0UboY5r3KgJSFshpsI-TfmV
Cookie pair: __utmx=173272373.00000983192309928271:2:
Cookie pair: __utmxx=173272373.00000983192309928271:1216706401:2592000
Cookie pair: SID=DQAAAGwAAACH8Y_j5izp1fdbDJzwdRFDGtU3aaeZKWgZ7DwUjYpLoqH7F1_E-X5taC4l0uvzXtrVeE6Zq1gcoQt50MC7lgQFv5YtK9GsvrNTKTTB36PHXZM_goWkl-6JXuYxw0Vx0dtx3GeHiG9jMFjCFOgqNK0f
Cookie pair: TZ=-60
Cookie pair: GMAIL_HELP=hosted:0
Activity Using Email Address
Grabbed his email address and searched all frames for additional traffic where it might appear:
frame contains "jcoachj@gmail.com"
Google IP seen in those frames:
74.125.19.104
Think Like the Perp
Within those results, I figured he probably would have done a Google search looking for ways to send anonymous emails, so I thought about what search terms might have been used and looked for them in one of the TCP streams from those results:
tcp.stream eq 1603 && frame contains "anonymous"
Smoking Gun
Packet 80545: from the same browser session as the Gmail login for jcoachj@gmail.com, the user did a Google search for "send anonymous email", thus tying the Gmail account's user to the willselfdestruct.com email. What links the two is not the MAC or IP address (both shared behind the router) but the cookies: the search request carries exactly the __utmx and __utmxx values that accompanied the Gmail session above, and those values are minted per browser.
Cookie pair: __utmx=173272373.00000983192309928271:2:
Cookie pair: __utmxx=173272373.00000983192309928271:1216706401:2592000
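To make the chain of filters concrete, here is an added Python example (my code, not the course's or the original post's) that builds a tiny pcap of constructed traffic reusing the addresses, UA string and cookie values above, parses it back with nothing but the standard library, and reproduces the three steps: POST requests from the router MAC, frames containing the email address, and linking the Google search to the Gmail login through shared __utmx/__utmxx cookie values. The gateway MAC, URL paths, login body and the decoy client are invented; the decoy shares the router MAC and the 192.168.15.4 address but not the cookies, which is exactly why only the cookie match ties two requests to one browser.

```python
import struct
from urllib.parse import parse_qs, urlsplit

ROUTER_MAC = "00:17:f2:e2:c0:ce"   # source MAC on every wireless client's frames at the tap
SUSPECT_IP = "192.168.15.4"        # a DHCP lease: another host can hold it later in the capture
UTMX = "173272373.00000983192309928271:2:"                   # __utmx / __utmxx values seen
UTMXX = "173272373.00000983192309928271:1216706401:2592000"  # on the Gmail login request

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 (no options) + TCP PSH/ACK (no options) + payload; checksums left zero."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 1216706400 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

def read_pcap(data):
    """Minimal reader: frame number, source MAC, IPv4 addresses and TCP payload per TCP frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4: raise ValueError("little-endian usec pcap only")
    frames, off, num = [], 24, 0
    while off + 16 <= len(data):
        incl = struct.unpack("<I", data[off + 8:off + 12])[0]          # captured length
        raw, off, num = data[off + 16:off + 16 + incl], off + 16 + incl, num + 1
        if raw[12:14] != b"\x08\x00" or raw[23] != 6:                 # IPv4 over Ethernet, TCP only
            continue
        tcp = 14 + (raw[14] & 0x0F) * 4                                # IHL -> start of TCP header
        frames.append({"no": num, "payload": raw[tcp + (raw[tcp + 12] >> 4) * 4:],
                       "src_mac": ":".join(f"{b:02x}" for b in raw[6:12]),
                       "src_ip": ".".join(map(str, raw[26:30])), "dst_ip": ".".join(map(str, raw[30:34]))})
    return frames

def parse_request(payload):
    """(method, target, {lowercased header: value}) for an HTTP request payload, else None."""
    lines = payload.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    return parts[0], parts[1], headers

def cookie_pairs(headers):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}: the 'Cookie pair' rows Wireshark shows."""
    items = (i.strip().partition("=") for i in headers.get("cookie", "").split(";"))
    return {name: value for name, sep, value in items if sep}

def posts_from_mac(frames, mac):  # eth.addr == mac && http.request.method == "POST"
    reqs = [(f, parse_request(f["payload"])) for f in frames if f["src_mac"] == mac]
    return [f["no"] for f, req in reqs if req is not None and req[0] == "POST"]

def frames_containing(frames, needle):  # frame contains "needle"
    return [f["no"] for f in frames if needle in f["payload"]]

def linked_by_cookies(frames, anchor_no, names=("__utmx", "__utmxx")):
    """Requests carrying the anchor frame's values for the named cookies, as (frame, method, host, q=).
    MAC and IP are shared behind the router; a cookie value is minted per browser, so this ties browsers."""
    anchor = next(f for f in frames if f["no"] == anchor_no)
    want = {n: v for n, v in cookie_pairs(parse_request(anchor["payload"])[2]).items() if n in names}
    hits = []
    for f in frames:
        req = parse_request(f["payload"])
        if f["no"] == anchor_no or req is None or not want:
            continue
        if all(cookie_pairs(req[2]).get(n) == v for n, v in want.items()):
            query = parse_qs(urlsplit(req[1]).query).get("q", [""])[0]
            hits.append((f["no"], req[0], req[2].get("host", ""), query))
    return hits

# Constructed traffic standing in for the capture: the addresses and cookie values are the ones
# from the write-up; the gateway MAC, URL paths, login body and the decoy client are invented.
_GW, _LOGIN = "00:11:22:33:44:55", b"Email=jcoachj@gmail.com&Passwd=hunter2"
FRAMES = read_pcap(build_pcap([
    build_frame(ROUTER_MAC, _GW, SUSPECT_IP, "69.25.94.22", 1025, 80,
                b"GET / HTTP/1.1\r\nHost: www.willselfdestruct.com\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"),
    build_frame(ROUTER_MAC, _GW, SUSPECT_IP, "74.125.19.17", 1026, 80,
                b"POST /mail/login HTTP/1.1\r\nHost: mail.google.com\r\n"
                + f"Cookie: __utmx={UTMX}; __utmxx={UTMXX}; TZ=-60\r\n".encode()
                + f"Content-Length: {len(_LOGIN)}\r\n\r\n".encode() + _LOGIN),
    build_frame(ROUTER_MAC, _GW, SUSPECT_IP, "74.125.19.104", 1027, 80,
                b"GET /search?q=send+anonymous+email HTTP/1.1\r\nHost: www.google.com\r\n"
                + f"Cookie: PREF=ID=8fc081df5e738a3c; __utmx={UTMX}; __utmxx={UTMXX}\r\n\r\n".encode()),
    build_frame(ROUTER_MAC, _GW, SUSPECT_IP, "74.125.19.104", 1028, 80,  # decoy: same MAC/IP, other browser
                b"GET /search?q=anonymous+proxy HTTP/1.1\r\nHost: www.google.com\r\n"
                b"Cookie: __utmx=173272373.00000111111111111111:2:\r\n\r\n"),
]))

def triage(frames=FRAMES):
    """The write-up's chain: POSTs from the router MAC -> frames with the address -> linked search."""
    posts = posts_from_mac(frames, ROUTER_MAC)
    return {"posts": posts, "email_frames": frames_containing(frames, b"jcoachj@gmail.com"),
            "linked": linked_by_cookies(frames, posts[0])}
```

Against the real capture the same three steps are one-liners in tshark (file name assumed), e.g. `tshark -r nitroba.pcap -Y 'eth.addr == 00:17:f2:e2:c0:ce && http.request.method == "POST"' -T fields -e frame.number -e http.host -e http.request.uri` for the login, and `tshark -r nitroba.pcap -Y 'http.cookie contains "173272373.00000983192309928271"' -T fields -e frame.number -e http.request.full_uri` to list every request the browser with those __utmx/__utmxx cookies made, which is the check that stands up better than the MAC address.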
Contributors
I'd like to thank Lily for bringing this issue to our attention; the dorm ladies who let us put the tap on the router in their dorm; and perhaps most of all, I'd like to thank Google for their diligent and creepy tracking of everything and everyone.