For Blackhat 2015, LogRhythm Labs had a forensics contest for analyzing a .pcap file and finding the secret missile launch code. Find the password and enter the contest to win one of these:
I really wanted to win this!
Analyzing the PCAP with Wireshark
I downloaded the .pcap file and loaded it into Wireshark. I began by checking the Protocol Hierarchy under Statistics to get an overview of the protocols used.
Hmm... telnet? I applied a telnet filter and followed the TCP stream. It was a Star Wars "movie" in ASCII art :)
Moving on from the Jedi mind tricks, I needed to find a secret missile launch code. I checked the other TCP conversations (a lot of encrypted data from Google Docs), then moved on to HTTP to see if I could find anything interesting there.
I immediately found a POST request to 4shared.com, which is a file sharing site. This meant someone had probably uploaded something. Could it be the launch codes?
Upon further investigation, I found that a file called 1b.txt had been uploaded, containing what seemed to be assembly code:
0 INP 14
1 LDA 14
2 LDB 15
3 CMP
4 JLT 11
I know nothing about assembly; the only thing I found that could help me was this: http://www.slidefinder.net/s/sec5_1assemblyprograms/sec521assemblyprograms/27400919
It looks like the same type of assembly I found. I probably spent more time on this than I should have.
Moving on in my investigation, I wanted to see if there were any more POST requests. Using the simple display filter http.request.method eq POST, I found two more POST requests, both to pastebin.com.
First request contained this string:
This is a test... hmmmmmm
Second request contained the following:
Binary code, perhaps this is what I am looking for.
If we convert the 8-bit groups to ASCII we get:
What do we have here? At first I thought this was some kind of cipher, but after spending too much time on this I realized that it could actually be base64 with the trailing padding missing. By appending a = at the end and decoding, we get the following:
HTML entities. Let's convert these as well and see what we get:
Secret Launch Code: 2g389a34!0297#
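The three decoding steps above (binary to ASCII, base64 with the missing padding restored, HTML entity unescape) are easy to script so the same check can be repeated on any pasted blob. The following is an added example, not code from the original write-up or the contest. The pastebin payload itself is not reproduced on this page, so the sample input is constructed here: the launch code from the final step, encoded as decimal numeric HTML entities (an assumption; the exact entity form used in the contest is not shown), then base64, then 8-bit binary, with the trailing = stripped to mimic the dropped padding.

```python
import base64
import html

# The result of the final step in the write-up, used only to build the
# constructed sample below.
LAUNCH_CODE_LINE = "Secret Launch Code: 2g389a34!0297#"


def build_sample(text: str) -> str:
    """Constructed sample payload: HTML numeric entities -> base64 -> 8-bit binary.

    Trailing base64 '=' padding is removed, as it was in the capture,
    so the decoder has to restore it.  Decimal entities are an assumption.
    """
    entities = "".join(f"&#{ord(c)};" for c in text)
    b64 = base64.b64encode(entities.encode("ascii")).decode("ascii").rstrip("=")
    return " ".join(f"{byte:08b}" for byte in b64.encode("ascii"))


def binary_to_text(bits: str) -> str:
    """Turn a string of 8-bit groups (whitespace optional) into ASCII text."""
    bits = "".join(bits.split())
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))


def fix_base64_padding(s: str) -> str:
    """Append the '=' padding base64 needs; a length of 4k is left unchanged."""
    s = "".join(s.split())
    return s + "=" * (-len(s) % 4)


def decode_launch_code(bits: str) -> str:
    """Run the full chain: binary -> ASCII -> base64 decode -> HTML unescape."""
    ascii_text = binary_to_text(bits)
    # validate=True rejects anything that is not base64, which catches the
    # "maybe it is a cipher" false start early instead of yielding garbage.
    decoded = base64.b64decode(fix_base64_padding(ascii_text), validate=True)
    return html.unescape(decoded.decode("ascii"))


if __name__ == "__main__":
    sample = build_sample(LAUNCH_CODE_LINE)
    print("binary :", sample[:64], "...")
    print("ascii  :", binary_to_text(sample)[:48], "...")
    print("result :", decode_launch_code(sample))
```

The padding fix is the step that matters in practice: base64 without its trailing = fails to decode with an "incorrect padding" error, which looks like an unknown cipher until you count the characters modulo 4.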