ANZ Cyber Security Management Experience Program at Forage.

Odiomonafe Jamal . A
5 min read · Aug 7, 2023



This virtual cyber security experience consisted of two tasks, one non-technical (a social engineering investigation) and one technical (packet capture analysis with Wireshark):

The first was a social engineering investigation: reviewing a set of emails that were sent in and reporting the suspicious ones. This write-up does not cover that task. The second was a digital investigation of a packet capture (PCAP) file, using Wireshark and a hex editor to identify and investigate potential threats.

Packet Capture Analysis:

I analysed the packet capture file provided in the program's resources section using the free network analysis tool Wireshark.

Recorded Traffic in PCAP File.

Typing http into the display filter field restricts the view to HTTP packets only.

This view exposed a number of HTTP GET requests, showing that the user requested specific files: images, PDFs, a text file and Microsoft Word documents, including one on how to commit crimes (lol).

Sub-task 1:

· anz-logo.jpg and bank-card.jpg are two images that show up in the user’s network traffic.

· Extract these images from the pcap file and attach them to your report.

To investigate the downloaded files further, I followed the TCP stream of the GET request to see what it contained.
The stream data showed that two images had been delivered, as it contained two JPEG headers and two JPEG footers. A JPEG begins with the bytes FF D8 and ends with FF D9; JPEG files are also recognisable in the ASCII view by the string 'JFIF' near the start of the data.
Switching the stream from ASCII to Raw view showed that the second image is named bank-card.jpg.

The next step was carving the images out of the TCP stream. For each image I selected all the hex from FF D8 through FF D9, pasted it into the hex editor HxD, saved the result with a .jpg extension and opened it, giving the images below.

ANZ Logo - Bank Card

Sub-task 2:

· The network traffic for the images “ANZ1.jpg” and “ANZ2.jpg” is more than it appears.

· Extract the images, include them and mention what is different about them in your report.

For this task I ran into some difficulty with the TCP stream and hex editor approach, so I exported the images as HTTP objects instead (Wireshark: File > Export Objects > HTTP; the tshark equivalent is tshark -r capture.pcap --export-objects http,outdir).

The images saved (extracted) through this means are:

ANZ 1.jpg — ANZ 2.jpg

Sub-task 3:

· The user downloaded a suspicious document called “how-to-commit-crimes.docx”

· Find the contents of this file and include it in your report.

Reading through the TCP stream in ASCII mode, a note was found (plain text rather than a real .docx) which reads:

Step 1: Find target

Step 2: Hack them

This is a suspicious document.

Sub-task 4:

· The user accessed 3 pdf documents: ANZ_Document.pdf, ANZ_Document2.pdf, evil.pdf

· Extract and view these documents. Include images of them in your report.

I followed the same process: follow the TCP stream, then identify the header and footer of each PDF document in the raw data. A PDF begins with %PDF (25 50 44 46 in hex) and ends with %%EOF. To confirm these I looked up a table of hex file signatures: https://sceweb.sce.uhcl.edu/abeysekera/itec3831/labs/FILE%20SIGNATURES%20TABLE.pdf


Below are the images acquired:

evil.pdf — ANZDOCUMENT.pdf — ANZDOCUMENT2.pdf
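The manual carve in Sub-task 1 and the PDF signature lookup in Sub-task 4 can be scripted. What follows is an added example, not code from the original write-up or from the Forage program: it takes a reassembled TCP stream as raw bytes, looks for the same header/footer signatures (FF D8/FF D9, the PNG magic/IEND, %PDF/%%EOF) and cuts out what lies between. The sample stream is constructed here, not data from the real pcap, and the function names are my own. It also shows a caveat a practitioner should know: signature carving mis-cuts a JPEG that carries an EXIF thumbnail (a second FF D8/FF D9 pair), whereas splitting responses on the HTTP Content-Length header, which is what Export Objects relies on, recovers the whole file.

```python
"""Signature-based carving of files from a reassembled TCP stream.

Added example (not from the original write-up or the Forage program).
Automates the HxD procedure of Sub-tasks 1 and 4; all sample data below
is constructed, and the helper names are my own.
"""
from __future__ import annotations

import re
from pathlib import Path

# Header / footer signatures for the file types seen in the capture.
SIGNATURES: dict[str, tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),            # SOI ... EOI
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # magic ... IEND chunk + CRC
    "pdf": (b"%PDF-", b"%%EOF"),                      # %PDF-x.y ... %%EOF
}


def carve(data: bytes, kind: str) -> list[bytes]:
    """Cut out every header..footer span of the given kind, in stream order.

    This is the FFD8..FFD9 selection done by hand in HxD. A JPEG with an
    embedded EXIF thumbnail contains a second FFD8/FFD9 pair, so the first
    footer found truncates the image (see JPEG_WITH_THUMBNAIL); PDFs can
    likewise hold several %%EOF markers after incremental updates.
    """
    header, footer = SIGNATURES[kind]
    found: list[bytes] = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        end = data.find(footer, start + len(header))
        if end == -1:
            break  # header without a footer: truncated transfer
        end += len(footer)
        found.append(data[start:end])
        pos = end
    return found


def http_response_bodies(stream: bytes) -> list[bytes]:
    """Split the server-to-client side of an HTTP/1.x stream into bodies
    using Content-Length. The length comes from the header, so embedded
    signatures cannot mis-cut the object. Chunked encoding is not handled."""
    bodies: list[bytes] = []
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start == -1:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end == -1:
            break
        headers = stream[start:hdr_end].decode("latin-1")
        m = re.search(r"(?im)^content-length:\s*(\d+)\s*$", headers)
        if m is None:
            break
        body_start = hdr_end + 4
        length = int(m.group(1))
        bodies.append(stream[body_start:body_start + length])
        pos = body_start + length
    return bodies


def save_carved(blobs: list[bytes], outdir: str, ext: str) -> list[Path]:
    """Write each blob to outdir/carved_<n>.<ext> and return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, blob in enumerate(blobs, 1):
        p = out / f"carved_{i}.{ext}"
        p.write_bytes(blob)
        paths.append(p)
    return paths


# --- constructed sample data (stand-ins, not the real anz-logo.jpg / bank-card.jpg) ---
def _jfif(body: bytes) -> bytes:
    # minimal JPEG skeleton: SOI, APP0 "JFIF" segment header, payload, EOI
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + body + b"\xff\xd9"

JPEG_A = _jfif(b"\x00" * 8)
JPEG_B = _jfif(b"\x11" * 8)
# SOI, APP1 "Exif" segment holding a thumbnail with its own SOI/EOI, then the real EOI
JPEG_WITH_THUMBNAIL = (
    b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00"
    + b"\xff\xd8\xff\xdb" + b"\x00" * 4 + b"\xff\xd9"   # embedded thumbnail (bytes 12..21)
    + b"\x22" * 8 + b"\xff\xd9"
)


def http_response(body: bytes, content_type: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

SAMPLE_STREAM = http_response(JPEG_A, b"image/jpeg") + http_response(JPEG_B, b"image/jpeg")
THUMBNAIL_STREAM = http_response(JPEG_WITH_THUMBNAIL, b"image/jpeg")

if __name__ == "__main__":
    print("jpg by signature:", [len(b) for b in carve(SAMPLE_STREAM, "jpg")])
    print("thumbnail case, by signature:", [len(b) for b in carve(THUMBNAIL_STREAM, "jpg")])
    print("thumbnail case, by Content-Length:", [len(b) for b in http_response_bodies(THUMBNAIL_STREAM)])
```

Prefer the Content-Length split whenever the HTTP headers survive in the stream and fall back to signature carving only for traffic without usable headers; in either case open the result and check that the JFIF (or %PDF) marker sits where expected before trusting it.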

Sub-task 5:

· The user also accessed a file called “hiddenmessage2.txt”

· What are the contents of this file? Include it in your report

The same procedure was applied, in this case just saving the carved data as a .jpg file.

hiddenmessage2.txt

Sub-task 6:

· The user accessed an image called “atm-image.jpg”

· Identify what is different about this traffic and include everything in your report.

atm-image.jpg

Sub-task 7:

· The network traffic shows that the user accessed the image “broken.png”

· Extract and include the image in your report.

Following the TCP stream for this traffic showed that the response body was Base64-encoded text rather than raw image bytes, recognisable by the restricted character set and the "==" padding at the end of the data.

Funnily enough, I first went through the unnecessary step of decoding the Base64 string "to plain text", which produced gibberish: the decoded payload is a binary PNG, not text, so it cannot be displayed as characters. After some frustration it clicked that the hex editor wants the decoded bytes as hexadecimal, not as text characters, so I used a Base64-to-hexadecimal converter instead: https://base64.guru/converter/decode/hex

Pasting the resulting hex into the hex editor and following the same save-and-open procedure produced the image below (lol):
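The same recovery in code, as an added example that is not part of the original write-up or of the Forage program. It shows why the "decode to text" attempt failed: the Base64 body decodes to binary, so it has to be decoded to bytes and written out unchanged (or rendered as hex for a hex editor). The sample body is a 1x1 PNG built inline, not the real broken.png, and the function names and the Base64-detection heuristic are my own.

```python
"""Recovering a binary file from a Base64-encoded HTTP response body.

Added example (not from the original write-up). The sample body is a
constructed 1x1 PNG, not the real broken.png; helper names are my own.
"""
import base64
import re
import struct
import zlib
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAGICS = (("png", PNG_MAGIC), ("jpg", b"\xff\xd8\xff"), ("pdf", b"%PDF-"))

# Whole body is Base64 alphabet plus line breaks, with optional '=' padding at the end.
BASE64_BODY = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def looks_like_base64(body: bytes) -> bool:
    """Cheap heuristic: alphabet, trailing padding, length a multiple of 4."""
    compact = b"".join(body.split())
    return bool(compact) and len(compact) % 4 == 0 and BASE64_BODY.match(body) is not None


def decode_body(body: bytes) -> bytes:
    """Decode to raw bytes; validate=True rejects stray characters instead of skipping them."""
    return base64.b64decode(b"".join(body.split()), validate=True)


def is_text(data: bytes) -> bool:
    """True only if the bytes are valid UTF-8, as a real text file would be."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def identify(data: bytes) -> str:
    """Label decoded bytes by their leading magic bytes."""
    for name, magic in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def recover(body: bytes) -> tuple[str, bytes]:
    """Decode a captured Base64 body and return (file kind, raw bytes)."""
    if not looks_like_base64(body):
        raise ValueError("body is not Base64")
    data = decode_body(body)
    return identify(data), data


# --- constructed sample: a valid 1x1 red PNG, encoded the way the body appeared in the stream ---
def _chunk(tag: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(tag + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + tag + payload + struct.pack(">I", crc)


def build_tiny_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


SAMPLE_BODY = base64.encodebytes(build_tiny_png())  # line-wrapped at 76 chars like a MIME body

if __name__ == "__main__":
    kind, data = recover(SAMPLE_BODY)
    print(kind, len(data), "bytes; decodes as UTF-8 text:", is_text(data))
    Path(f"recovered.{kind}").write_bytes(data)   # open with any image viewer
    print(data.hex().upper()[:32], "...")          # the hex you would paste into HxD
```

The hex-converter detour is unnecessary once the decode is done in code: data.hex() gives the hex editor's input directly, and write_bytes gives the file directly.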

Sub-task 8:

· The user accessed one more document called securepdf.pdf

· Access this document include an image of the pdf in your report. Detail the steps to access it.

securepdf.pdf

In conclusion, the process was worth it: it was a challenge that exposed me to key techniques and concepts of Wireshark and hex editing.

Thanks for reading!

