Category : Network Forensics
LEVEL : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/46
Instructions:
Uncompress the challenge (pass: cyberdefenders.org)
This challenge takes you into the world of voice communications on the internet. VoIP is becoming the de-facto standard for voice communication. As this technology becomes more common, malicious parties have more opportunities and stronger motives to control these systems to conduct nefarious activities. This challenge was designed to examine and explore some of the attributes of the SIP and RTP protocols.
Challenge Files:
- “log.txt” was generated from an unadvertised, passive honeypot located on the internet such that any traffic destined to it must be nefarious. Unknown parties scanned the honeypot with a range of tools, and this activity is represented in the log file.
- The IP address of the honeypot has been changed to “honey.pot.IP.removed”. In terms of geolocation, pick your favorite city.
- The MD5 hash in the authorization digest is replaced with “MD5_hash_removedXXXXXXXXXXXXXXXX”
- Some octets of external IP addresses have been replaced with an “X”
- Several trailing digits of phone numbers have been replaced with an “X”
- Assume the timestamps in the log files are UTC.
- “Voip-trace.pcap” was created by honeynet members for this forensic challenge to allow participants to employ network analysis skills in the VOIP context.
As a SOC analyst, analyze the artifacts and answer the questions.
Tools:
Q1-What is the transport protocol being used?
- Open the PCAP file with Wireshark and go to Statistics > Protocol Hierarchy:
- You will notice two main protocols, SIP and RTP, both carried over UDP.
THE Answer : UDP
Q2-The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite.
- Open the log file provided with the challenge files.
- You will notice a huge number of requests from IP 210.184.X.Y.
- Now look at the User-Agent header; you will find the name of the scanning tool:
- To make sure, I went to Google and searched for friendly-scanner:
THE Answer : SIPVicious
Q3-What is the User-Agent of the victim system?
- Go to the first packet and follow the UDP stream:
THE Answer : Asterisk PBX 1.6.0.10-FONCORE-r40
Q4-Which tool was only used against the following extensions: 100,101,102,103, and 111?
- Check the sipvicious repository on GitHub: https://github.com/EnableSecurity/sipvicious/tree/master/sipvicious
- Now check the source code of the tools; you have to read each tool.
- After some searching, and following the hint (focus on "makerequest()" function calls):
- I checked the svcrack.py code and found that:
- and from /libs/svhelper.py:
THE Answer : svcrack.py
Q5-Which extension on the honeypot does NOT require authentication?
- Go to the first SIP packet and follow the UDP stream:
- You will notice that the UDP stream contains the REGISTER request for extension 100 answered with a 200 response and no authentication challenge.
THE Answer : 100
Q6-How many extensions were scanned in total?
- I used a grep command to get the answer quickly:
└─$ cat log.txt| grep "User-Agent: friendly-scanner" -A2 | grep Contact | uniq -u | grep honey |cut -d " " -f2 |wc -l
THE Answer : 2652
Q7-There is a trace for a real SIP client. What is the corresponding user-agent? (two words, one space in between)
- Easy, just grep the User-Agent header from the log.txt file:
└─$ cat log.txt| grep -i "User-Agent:" |uniq
THE Answer : Zoiper rev.6751
Q8-Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101?
- The hint says to check log.txt and search for INVITE requests, so I grepped the file for "invite":
└─$ cat log.txt| grep -i "invite" -A3 |grep sip
THE Answer : 00112524021
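The grep pipelines above work, but they depend on header order and on `uniq` seeing adjacent duplicates. The following is an added example, not part of the original writeup, that parses SIP messages properly and answers Q5 through Q8 in one pass: it collects every User-Agent, lists the extensions friendly-scanner probed (from the Contact header), finds REGISTER transactions that were accepted without a 401/407 challenge, and pairs each INVITE with the extension that placed it. SAMPLE_LOG is constructed in the style of log.txt (messages separated by blank lines); the dialed number and the nonce are placeholders, and the message set is far smaller than the real log.

```python
"""Added example (not from the writeup): parse a SIP honeypot log and pull out
the indicators the writeup greps for. SAMPLE_LOG is constructed in the style
of log.txt (messages separated by blank lines); the dialed number, nonce and
Call-IDs are placeholders."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
REGISTER sip:honey.pot.IP.removed SIP/2.0
To: <sip:100@honey.pot.IP.removed>
Call-ID: scan-100
Contact: sip:100@honey.pot.IP.removed
User-Agent: friendly-scanner

SIP/2.0 200 OK
Call-ID: scan-100
User-Agent: Asterisk PBX 1.6.0.10-FONCORE-r40

REGISTER sip:honey.pot.IP.removed SIP/2.0
To: <sip:101@honey.pot.IP.removed>
Call-ID: scan-101
Contact: sip:101@honey.pot.IP.removed
User-Agent: friendly-scanner

SIP/2.0 401 Unauthorized
Call-ID: scan-101
WWW-Authenticate: Digest realm="asterisk", nonce="nonce-placeholder"
User-Agent: Asterisk PBX 1.6.0.10-FONCORE-r40

REGISTER sip:honey.pot.IP.removed SIP/2.0
To: <sip:101@honey.pot.IP.removed>
Call-ID: scan-101
Authorization: Digest username="101", realm="asterisk", response="MD5_hash_removedXXXXXXXXXXXXXXXX"
User-Agent: friendly-scanner

SIP/2.0 200 OK
Call-ID: scan-101

REGISTER sip:honey.pot.IP.removed SIP/2.0
To: <sip:102@honey.pot.IP.removed>
Call-ID: scan-102
Contact: sip:102@honey.pot.IP.removed
User-Agent: friendly-scanner

SIP/2.0 401 Unauthorized
Call-ID: scan-102

INVITE sip:00155512345XX@honey.pot.IP.removed SIP/2.0
From: "101"<sip:101@honey.pot.IP.removed>;tag=z1
Call-ID: call-1
User-Agent: Zoiper rev.6751
"""

USER_RE = re.compile(r"sip:([^@>;\s]+)@")  # user part of a SIP URI


def parse_messages(text):
    """Split the log into messages and parse the start line plus headers."""
    msgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        start = lines[0].split()
        msg = {"start": lines[0], "headers": {}}
        if start[0] == "SIP/2.0":          # response: SIP/2.0 <code> <reason>
            msg["status"] = int(start[1])
        else:                               # request: <METHOD> <Request-URI> SIP/2.0
            msg["method"], msg["uri"] = start[0], start[1]
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                msg["headers"][name.strip().lower()] = value.strip()
        msgs.append(msg)
    return msgs


def uri_user(s):
    m = USER_RE.search(s or "")
    return m.group(1) if m else None


def user_agents(msgs):
    """Every User-Agent value with its count: scanner, real client and PBX (Q3, Q7)."""
    return Counter(m["headers"]["user-agent"] for m in msgs if "user-agent" in m["headers"])


def scanned_extensions(msgs, agent="friendly-scanner"):
    """Extensions the scanner tried, read from the Contact header (Q6)."""
    return {uri_user(m["headers"]["contact"]) for m in msgs
            if m["headers"].get("user-agent") == agent and "contact" in m["headers"]}


def unauthenticated_registrations(msgs):
    """Extensions whose REGISTER got a 200 OK with no challenge and no credentials (Q5)."""
    by_call = defaultdict(list)
    for m in msgs:
        by_call[m["headers"].get("call-id")].append(m)
    open_exts = set()
    for seq in by_call.values():
        regs = [m for m in seq if m.get("method") == "REGISTER"]
        if not regs:
            continue
        challenged = any(m.get("status") in (401, 407) for m in seq)
        credentialed = any("authorization" in m["headers"] for m in regs)
        accepted = any(m.get("status") == 200 for m in seq)
        if accepted and not challenged and not credentialed:
            open_exts.add(uri_user(regs[0]["headers"].get("to")))
    return open_exts


def invites(msgs):
    """(calling extension, dialed number) for each INVITE (Q8)."""
    return [(uri_user(m["headers"].get("from")), uri_user(m["uri"]))
            for m in msgs if m.get("method") == "INVITE"]


if __name__ == "__main__":
    parsed = parse_messages(SAMPLE_LOG)
    print(user_agents(parsed))
    print("scanned:", sorted(scanned_extensions(parsed)))
    print("no auth:", unauthenticated_registrations(parsed))
    print("invites:", invites(parsed))
```

Grouping by Call-ID is what makes the Q5 check reliable: an extension only counts as open when its REGISTER dialog contains a 200 OK, no 401/407, and no Authorization header, which is exactly the pattern the writeup spots by eye in the first UDP stream. Run against the real log.txt by reading the file into parse_messages instead of SAMPLE_LOG.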
Q9-What are the default credentials used in the attempted basic authentication? (format is username:password)
- Filter for the HTTP POST method:
http.request.method==POST
- Now go to packet 427 and look at the Authorization section:
THE Answer : maint:password
Q10-Which codec does the RTP stream use? (3 words, 2 spaces in between)
- Filter the PCAP on the RTP protocol and look at the payload type field:
THE Answer : ITU-T G.711 PCMU
Q12-How long is the sampling time (in milliseconds)?
- Following the first hint, I went to the G.711 Wikipedia page https://en.wikipedia.org/wiki/G.711 and got the sample rate (8000 Hz):
- Now we can get the sample time from this equation:
Sample time = 1 / sample rate = 1 / 8000 s = 0.125 ms
THE Answer : 0.125 ms
Q13-What was the password for the account with username 555?
- I filtered the PCAP on frames containing username=555:
frame contains "username=555"
- Now follow the TCP stream and search for 555:
THE Answer : 1234
Q14-Which RTP packet header field can be used to reorder out of sync RTP packets in the correct sequence?
- Filter the PCAP on the RTP protocol and look at the header details:
THE Answer : timestamp
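Q10, Q12 and Q14 all come down to reading the RTP fixed header. The following is an added example, not part of the original writeup, that decodes the 12-byte header (RFC 3550 section 5.1) from raw packet bytes, names the codec from the static payload type table in RFC 3551 (payload type 0 is ITU-T G.711 PCMU at an 8000 Hz clock), puts out-of-order packets back in sequence, and derives the sampling period and the packet interval. It restores order using the 16-bit sequence number, which RFC 3550 defines for that purpose, handling the 65535 to 0 rollover; the timestamp then gives the playout timing and, by its step between packets, how much audio each packet carries. The packets are constructed, not taken from Voip-trace.pcap.

```python
"""Added example (not from the writeup): parse RTP headers from raw packet
bytes, identify the codec, reorder out-of-sequence packets and derive the
sampling period. CAPTURED is constructed, not taken from Voip-trace.pcap."""
import struct

# Static payload types from RFC 3551, named the way Wireshark labels them.
PAYLOAD_TYPES = {0: ("ITU-T G.711 PCMU", 8000), 8: ("ITU-T G.711 PCMA", 8000)}


def parse_rtp(data):
    """Decode the RTP fixed header (RFC 3550 section 5.1) and return its fields."""
    if len(data) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F                          # number of CSRC identifiers
    offset = 12 + 4 * cc
    if b0 & 0x10:                           # header extension present
        _, ext_words = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4 + 4 * ext_words
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": data[offset:]}


def extended_sequence(seqs):
    """Unwrap 16-bit sequence numbers into a monotonic counter, tolerating
    late packets that arrive after the 65535 -> 0 rollover."""
    cycles, last, ext = 0, None, []
    for seq in seqs:
        if last is not None:
            delta = seq - last
            if delta < -32768:              # wrapped forward past 65535
                cycles += 1
            elif delta > 32768:             # late packet from before the wrap
                ext.append((cycles - 1) * 65536 + seq)
                continue
        last = seq
        ext.append(cycles * 65536 + seq)
    return ext


def reorder(packets):
    """Return packets in transmission order by sequence number (RFC 3550);
    the timestamp is what a player then uses to schedule playout."""
    ext = extended_sequence(p["seq"] for p in packets)
    return [p for _, p in sorted(zip(ext, packets), key=lambda e: e[0])]


def codec(packets):
    """Codec name for the stream, from the payload type of its first packet."""
    return PAYLOAD_TYPES[packets[0]["pt"]][0]


def sampling_period_ms(clock_hz):
    """Time between two samples: 1 / clock rate, in ms (8000 Hz -> 0.125 ms)."""
    return 1000.0 / clock_hz


def packet_interval_ms(ordered):
    """Audio per packet, from the timestamp step between consecutive packets."""
    clock = PAYLOAD_TYPES[ordered[0]["pt"]][1]
    step = (ordered[1]["timestamp"] - ordered[0]["timestamp"]) & 0xFFFFFFFF
    return step * sampling_period_ms(clock)


def build_packet(seq, timestamp, pt=0, ssrc=0x1234ABCD, samples=160):
    """Constructed PCMU packet: V=2, no padding/extension/CSRC, 20 ms of
    mu-law silence (0xFF) as payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, timestamp, ssrc) + b"\xff" * samples


# Four packets sent as 65534, 65535, 0, 1 (160 samples apart) but captured
# out of order, so the reorder has to cope with the rollover.
_SEND_ORDER = [(65534, 0), (65535, 160), (0, 320), (1, 480)]
CAPTURED = [build_packet(*_SEND_ORDER[i]) for i in (1, 3, 0, 2)]

if __name__ == "__main__":
    stream = reorder([parse_rtp(p) for p in CAPTURED])
    print(codec(stream), [p["seq"] for p in stream])
    print("sampling period:", sampling_period_ms(8000), "ms")
    print("packet interval:", packet_interval_ms(stream), "ms")
```

With 160 samples per packet at 8000 Hz the timestamp step of 160 corresponds to 20 ms of audio, and the per-sample period is the 0.125 ms from Q12. Wireshark's RTP Player performs the same reordering before it renders the stream you listen to in Q15.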
Q15-The trace includes a secret hidden message. Can you hear it?
- Filter the PCAP on the RTP protocol and go to:
- Telephony > RTP > RTP Player and click Play; now listen to the message and you will hear the answer:
THE Answer : MEXICO
THE END
BY : Ahmed Nasser