Patch

  • A patch, sometimes called a fix, is a piece of code designed to resolve functionality issues (usually called bugs), improve security, or add new features within an operating system or software program.
  • No software program is perfect, so patches are common, even years after a program has been released.
  • Throughout its lifetime, software will have bugs, and a patch is an immediate fix for those problems.
  • A collection of usually already-released patches is often called a service pack.

Service Pack

  • A service pack is a collection of updates and fixes, called patches, for an operating…


Introduction

  • When a cyber attack happens, it is very important to know how the security breach occurred in order to prevent similar attacks in the future.
  • This is done using Memory Forensics.

Bootstrap Protocol

  • The term bootstrap protocol (or boot protocol) comes from the idea of lifting yourself up by your own bootstraps, something that is obviously difficult to do.
  • In other words, how does a client machine start up when it initially has neither an IP address nor an operating system?
  • BOOTP makes this difficult task possible.
  • BOOTP (Bootstrap Protocol) is the successor of RARP (Reverse ARP) and the predecessor of DHCP (Dynamic Host Configuration Protocol).
  • BOOTP is a TCP/IP protocol and service that allows diskless workstations to obtain their IP address, other TCP/IP configuration information, and their boot image file from…

Reverse Address Resolution Protocol

RARP

  • RARP is a TCP/IP protocol responsible for translating a physical address (e.g. an Ethernet address) into an IP address.
  • RARP sits on the Network Access Layer (the lowest layer of the TCP/IP protocol stack) and is thus a protocol used to send data between two points in a network.
  • Each network participant has, more or less, two unique addresses: a logical address (the IP address) and a physical address (the MAC address).
  • While the IP address is assigned by software, the MAC address is built into the hardware.
  • You have already…

Dynamic Host Configuration Protocol (DHCP)

  • Every computer in the network has to have an IP address.
  • There are two ways in which IP addresses are assigned to computers.

Static IP

  • In this method, the IP address is assigned to the computer manually by the user.
  • This was the original method, used in the early days of networking.
  • To do this, each time you have to open the computer’s network configuration page and manually type in the IP address along with the subnet mask, default gateway, and DNS server.
  • So each time you want to add a computer to the…

Description

  • Bob and Charlie were sending some messages among themselves, and I planned to intercept their messages and get something out of it; however, they are clever enough that no secret gets leaked.
  • Please help me out to get the secret!!

Solution

  • Download the PCAP file.
  • Analyse it using Wireshark.
  • Following the TCP stream gives some useful information.
  • We get the Base64-encoded text and the PGP message with a URL.


Description

  • The dimension of a playground is given as 1359x789.
  • Can you find out the most important information hidden in this file using the given data?

Solution

  • Download the file.
  • We find that there are some errors in the hex values.
  • So let’s correct them.

  • After analyzing several packets we can conclude that something is being done with ICMP.
  • So apply the ICMP filter and start analyzing.
  • We can see that packets from the source 192.168.1.200 contain ZIP magic numbers.
  • In scapy there are lots of ways to extract the data.
  • We can see that the hex values of the ZIP start at hex offset 0x002A in all ICMP packets.
  • Hex 0x002A corresponds to a byte offset of 42.
  • So slice the rest of each packet from that offset and join the chunks.
  • The chunks can be identified by looking at the hex of the ZIP.
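As an added example for the ICMP carving steps above (not the author's script), written in plain Python with struct rather than scapy so it runs without extra packages; the 192.168.1.200 source and the 0x2A offset come from the write-up, while the sample frames, the 192.168.1.10 peer address and the pcap builder are constructed here.

```python
# Added example, not the write-up's script: carve a ZIP tunnelled in ICMP payloads.
import socket
import struct

ZIP_MAGIC = b"PK\x03\x04"
PAYLOAD_OFFSET = 42  # 0x2A: Ethernet(14) + IPv4(20) + ICMP header(8)

def build_frame(src_ip, dst_ip, icmp_payload):
    """Constructed Ethernet/IPv4/ICMP echo frame (checksums left as zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(icmp_payload), 1, 0,
                     64, 1, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + icmp_payload

def build_pcap(frames):
    """Constructed little-endian classic pcap: global header + one record each."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

# Constructed sample: chunks from the exfiltrating host, one echo reply from the
# other side, and one retransmitted chunk that must not be carved twice.
SAMPLE_FRAMES = [
    build_frame("192.168.1.200", "192.168.1.10", ZIP_MAGIC + b"AAAA"),
    build_frame("192.168.1.10", "192.168.1.200", ZIP_MAGIC + b"AAAA"),
    build_frame("192.168.1.200", "192.168.1.10", b"BBBB"),
    build_frame("192.168.1.200", "192.168.1.10", b"BBBB"),
    build_frame("192.168.1.200", "192.168.1.10", b"CCCC"),
]

def carve_icmp_zip(pcap, src_ip):
    """Concatenate ICMP payloads sent by src_ip, skipping retransmitted chunks."""
    pos, chunks, last = 24, [], None  # skip the 24-byte classic pcap global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if (len(frame) <= PAYLOAD_OFFSET or frame[12:14] != b"\x08\x00"
                or frame[23] != 1 or socket.inet_ntoa(frame[26:30]) != src_ip):
            continue  # not IPv4/ICMP, or not sent by the exfiltrating host
        payload = frame[PAYLOAD_OFFSET:]
        if payload == last:
            continue  # retransmission of the previous chunk
        chunks.append(payload)
        last = payload
    data = b"".join(chunks)
    if not data.startswith(ZIP_MAGIC):
        raise ValueError("carved data does not begin with the ZIP magic")
    return data
```

Write the returned bytes to a .zip file and unpack it; real captures may also carry echo replies from the receiver, which the source filter drops.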

  • While analysing the DNS traffic we find a PNG header.
  • So we can conclude that a PNG image is being transmitted.
  • Let’s write a scapy script to extract the necessary chunks and carve out the PNG.
from scapy.all import rdpcap, DNSQR, DNSRR

p = rdpcap('dnscap.pcap')
y = b""     # carved PNG bytes
temp = b""  # previous chunk, used to drop retransmissions
for i in p:
    # Keep only the query packets; the responses carry no new data.
    if i.haslayer(DNSQR) and not i.haslayer(DNSRR):
        # Remove the first 18 characters (junk) and the last 18 (.skulllabsec.org).
        x = i[DNSQR].qname[18:-18]
        x = x.replace(b'.', b'')
        x = bytes.fromhex(x.decode())  # The remaining label is hex-encoded data.
        if x == temp:  # Eliminate retransmissions by comparing with the previous chunk.
            continue   # Same data, move to the next packet.
        y += x
        temp = x
with open('final.png', 'wb') as f:
    f.write(y[95:])  # The first few bytes contain just a description, not PNG data.
  • Finally we get the PNG image.

  • After analysing several packets we can conclude that something is being done with ICMP.
  • So apply the ICMP filter and start analyzing.
  • We can see that packets from the source 10.30.8.102 to the destination 192.168.42.83 contain ZIP magic numbers.
  • In scapy there are lots of ways to extract the data.
  • Here, since the length is different for each packet, we can easily extract the content.
  • To avoid the unwanted chunks, apply a filter to slice them off.
  • The chunks can be identified by looking at the hex of the ZIP.

S Abhishek

✨ Computer Science Undergraduate from Amrita Vishwa Vidyapeetham. 🧑‍💻 Member of security research & CTF team — @teambi0s. 🌱 I’m currently working on DFIR.
