Introduction

• When a Cyber Attack happens, in order to eliminate such sort of future attack, it’s very important to know how the security breach has had happened.
• This is done using Memory Forensics.

• The term bootstrap protocol (or boot protocol) comes from the idea of lifting yourself up by your own bootstraps, something that is obviously difficult to do.
• In other words, how does a client machine startup when it initially has neither an IP address nor an operating system?
• BOOTP makes this difficult task possible.
• BOOTP (Bootstrap Protocol) is the successor of RARP (Reverse ARP) and the predecessor of DHCP ( Dynamic Host Configuration Protocol ).
• BOOTP is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from…

RARP

• RARP is a TCP/IP protocol that is responsible for the translation of a Physical Address (e.g. — Ethernet address) to be translated into an IP address.
• The RARP is on the Network Access Layer (i.e. the lowest layer of the TCP/IP protocol stack) and is thus a protocol used to send data between two points in a network.
• Each network participant has two unique addresses more or less: a logical address (the IP address) and a physical address (the MAC address).
• While the IP address is assigned by software, the MAC address is built into the hardware.
• You have already…

• Every computer in the network has to have an IP Address.
• There are two ways in which IP Addresses are assigned to the computers.

Static IP

Dynamic IP

Static IP

• In this method, the IP Address is assigned to the computer manually by the user.
• This was the original method that was done at the beginning of the networking.
• To do this, every time you have to open the computer’s network configuration page and manually type in the IP Address along with the Subnet mask, Default gateway, and DNS server.
• So each time when you want to add a computer to the…

Description

• Bob and Charlie were sending some messages among themselves,and I planned to intercept their messages and get something out of it, however, they are clever enough that no secret gets leaked.
• Please help me out to get the secret!!

Solution

• Download the PCAP file.
• Analyse it using Wireshark.
• Following the TCP stream gives some useful information.
• We shall get the Base64 Encoded text and the PGP message with a URL.

aGVsbG93b3JsZA-----BEGIN PGP MESSAGE-----
Version: OpenPGP v2.0.8
Comment: https://sela.io/pgp/wcBMA8fXP+32fyviAQf/T+NzsOgQ+ejW16GeK6h9WS9IDelAN9GLY5x5o9ilBlEL
G4IPati4/zqd+kyV5mmA7k2eKnNByRnxElpp0PoGULX0ykjBTcXuLtNXzGWcDsFF
xAkH8PduoPCcnNGWrCU6D8ZuWNtp7oeZ1krUZP+Kg9sfjjKfx0aUFhWs9SQH6mif
AlbJQwxKi2xXv0UsHvg4Mz4TpVstoO5XcN9d4V+gygc+wx0K61JwAFw96xptNi9y
hdMz/c7yW56JwBfwyiHvYmgLdWYJW9OEoQIj7Rwh1v8mD846vbvEDmagQ0Ra/K6q
lnxa37gBFE+4kYpSXP7yqr8QMhmGDpMROJoJqxYyY9JxAe6317HZ+UUEOmNR+0tB
EmPl/VVaoPc5q6RQ/cxwY4VhR4DtPsG9Gw237Sx+xSTAG5JbmtBf4KfQdVbeaXn1
PYPYBeCVL6nb6uPz6ZHBJ2SODWg9+Ssas+Gd5P7Q0zSA/35qYdamnAqUM/ujM2nN
k2U=
=+x+V…

Description

• The dimension of a playground is given as 1359x789.
• Can you find out the most important information hidden in this file using the given data?

Solution

• Download the file.
• We shall understand that there are some errors in the Hex values.
• So let’s correct it.

• After analyzing several packets we can conclude that there is something to be done with ICMP.
• So apply the ICMP filter and start analyzing.
• We can see that packets from the source = 192.168.1.200 has some ZIP Magic Numbers.
• In scapy there are lots of ways to extract the data.
• We can see that the hex values of the ZIP start from the hex position x002A in all ICMP packets.
• The Bytes Equivalent of Hex = x002A is 42 Bytes.
• So slice the rest of the chunks.
• It can be indentified by seeing the hex of the ZIP.

• While analysing the DNS we shall find that there is a PNG header.
• So the we shall understand that PNG image is being transmitted.
• Let’s write a scapy script to extract the necessary chunks to carve out the PNG.

from scapy.all import *p=rdpcap('dnscap.pcap') x=""
y=""
temp=""for i in p:
    if i in p[DNSQR] and i not in p[DNSRR]:   # To remove all the response packets from the requested packets we are using this condition.
 
        x=(i[DNSQR].qname)[18:-18]  # Here we are removing starting 18 bits of information since they are just scrap and the last 18 bits are .skulllabsec.org
        x=x.replace('.','')
        x=x.decode('hex') # Decode from Hex.
        if(x==temp): # To eliminate the retransmissions we check the current data with the previous data.
            continue  # If same then move to next iteration.
        y+=x
        temp=xf=open('final.png','w')
f.write(y[95:]) # First few contains just some description.
f.close()

• Finally we shall get the png image.