In the previous part we saw the message Ann sent to her secret lover, Mr. X. In it the two were planning to flee to the Mexican coast with a large amount of cash. The latest findings, on the other hand, were a real disappointment for our hero SOME, since SOME had fallen for this woman from her LinkedIn picture and was hoping to make a move. Like every fat analyst, he was after a relationship that would simply drop into his lap over the internet without his ever leaving the house. The message to the secret lover dented SOME's hopes somewhat, but, telling himself that every pear still has a stem, he decided to keep cooperating with the police.

Since, as we know, confidential information had been leaked, the case had reached the police. The police raided a house used by Ann and Mr. X, and an Apple TV believed to belong to Ann was seized there. Once again SOME was on duty, this time to examine the traffic capture from the Apple TV and see whether it revealed anything about Ann and Mr. X.

To get the big picture first, SOME started by looking at which protocols appear in the capture.

[arq@darkarq puzzle 2]$ tshark -r evidence03.pcap -zio,phs
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:1778 bytes:1508750
  ip                                     frames:1778 bytes:1508750
    udp                                  frames:28 bytes:6102
      dns                                frames:28 bytes:6102
    tcp                                  frames:1750 bytes:1502648
      http                               frames:232 bytes:139658
        xml                              frames:35 bytes:32584
          tcp.segments                   frames:17 bytes:11732
        image-gif                        frames:33 bytes:21202
        image-jfif                       frames:46 bytes:34175
          tcp.segments                   frames:46 bytes:34175
        media                            frames:2 bytes:562
          tcp.segments                   frames:2 bytes:562
===================================================================

Seeing no unusual protocol, SOME continued the analysis by measuring the noise level in the network, that is, how many packets each source address accounts for:

[arq@darkarq puzzle 3]$ tcpdump -tnr evidence03.pcap | awk -F '.' '{print $1"."$2"."$3"."$4}'|sort|uniq -c |sort -n |tail
reading from file evidence03.pcap, link-type EN10MB (Ethernet)
15 IP 8.18.65.88
20 IP 8.18.65.89
28 IP 8.18.65.32
36 IP 8.18.65.67
39 IP 8.18.65.27
55 IP 66.235.132.121
129 IP 8.18.65.58
285 IP 8.18.65.10
518 IP 8.18.65.82
642 IP 192.168.1.10

At this point 192.168.1.10, the only private address in the capture, was most likely the Apple TV, but that still had to be verified; an analyst should always be sceptical, he thought. To do so he first listed the IP/MAC pairs.

[arq@darkarq puzzle 3]$ tshark -r evidence03.pcap -T fields -e eth.src -e ip.src |sort|uniq
00:23:69:ad:57:7b 4.2.2.1
00:23:69:ad:57:7b 66.235.132.121
00:23:69:ad:57:7b 8.18.65.10
00:23:69:ad:57:7b 8.18.65.27
00:23:69:ad:57:7b 8.18.65.32
00:23:69:ad:57:7b 8.18.65.58
00:23:69:ad:57:7b 8.18.65.67
00:23:69:ad:57:7b 8.18.65.82
00:23:69:ad:57:7b 8.18.65.88
00:23:69:ad:57:7b 8.18.65.89
00:25:00:fe:07:c4 192.168.1.10

But did this MAC address really belong to an Apple TV? Searching the OUI prefix 00:25:00 on Google was enough to answer that (the prefix is registered to Apple). Note also that every external address shows up behind the same MAC, 00:23:69:ad:57:7b: since the capture was taken on the LAN side, that is the gateway's address, not the remote hosts' own.
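The same IP/MAC inventory, as an added example that is not part of the original write-up: a minimal classic-pcap reader pairs each source MAC with the source IPs it carried, flags the MAC that fronts many public addresses as the gateway and the one carrying a single private address as a LAN host, and checks the OUI against a hand-embedded two-entry excerpt of the IEEE registry (a real tool would load the full OUI file). The pcap bytes are constructed inline so the script runs offline; on real evidence you would pass the contents of evidence03.pcap instead.

```python
import ipaddress
import struct

# Hand-embedded excerpt of the IEEE OUI registry; load the full file in practice.
OUI = {
    "00:25:00": "Apple, Inc.",
    "00:23:69": "Cisco-Linksys, LLC",
}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def frames_from_pcap(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def mac_ip_pairs(data):
    """Map each source MAC to the set of IPv4 source addresses seen behind it."""
    pairs = {}
    for frame in frames_from_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet
        src_mac = mac_str(frame[6:12])
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))
        pairs.setdefault(src_mac, set()).add(src_ip)
    return pairs


def classify(pairs):
    """A MAC fronting several public IPs is the router; a MAC with one private IP
    is a LAN host. Returns {mac: (role, vendor, sorted ips)}."""
    out = {}
    for mac, ips in pairs.items():
        private = all(ipaddress.ip_address(i).is_private for i in ips)
        if len(ips) == 1 and private:
            role = "lan-host"
        elif len(ips) > 1 and not private:
            role = "gateway"
        else:
            role = "unknown"
        out[mac] = (role, OUI.get(mac[:8], "unknown OUI"), sorted(ips))
    return out


def build_sample_pcap():
    """Constructed sample: one frame from the Apple TV, several from the gateway."""
    def frame(src_mac, src_ip, dst_ip):
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                             ipaddress.IPv4Address(src_ip).packed,
                             ipaddress.IPv4Address(dst_ip).packed)
        eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
        pkt = eth + ip_hdr
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = frame("00:25:00:fe:07:c4", "192.168.1.10", "8.18.65.82")
    for ip in ("8.18.65.82", "8.18.65.10", "66.235.132.121"):
        body += frame("00:23:69:ad:57:7b", ip, "192.168.1.10")
    return hdr + body


if __name__ == "__main__":
    for mac, (role, vendor, ips) in classify(mac_ip_pairs(build_sample_pcap())).items():
        print(mac, role, vendor, ips)
```

The classification is a heuristic, not proof: a MAC carrying many public source addresses on a LAN capture can only be the upstream router, but a device that spoofs or changes its MAC, or a capture taken from a mirror port spanning several segments, would break the "one private IP per MAC" assumption.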

Next SOME queried the User-Agent of the HTTP traffic he had seen in the protocol list. He assumed the traffic came from the Apple TV, but wanted to confirm it.

[arq@darkarq puzzle 3]$ tshark -Tfields -e http.user_agent -r evidence03.pcap | sort -u
AppleTV/2.

The User-Agent confirmed that the traffic came from the device. What interested him next were the URIs of the HTTP requests, so he took a general look at the requests that had been made:

[arq@darkarq puzzle 3]$ tshark -Y "http.request.uri" -Tfields -e http.request.uri -r evidence03.pcap | head
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dh&pageName=Movies-Search%20Hints-US&v2=h&h5=appleitmsnatv%2Cappleitmsustv&c2=h
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dha&pageName=Movies-Search%20Hints-US&v2=ha&h5=appleitmsnatv%2Cappleitmsustv&c2=ha
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dhac&pageName=Movies-Search%20Hints-US&v2=hac&h5=appleitmsnatv%2Cappleitmsustv&c2=hac
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dhack&pageName=Movies-Search%20Hints-US&v2=hack&h5=appleitmsnatv%2Cappleitmsustv&c2=hack
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Ds&pageName=Movies-Search%20Hints-US&v2=s&h5=appleitmsnatv%2Cappleitmsustv&c2=s
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dsn&pageName=Movies-Search%20Hints-US&v2=sn&h5=appleitmsnatv%2Cappleitmsustv&c2=sn
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dsne&pageName=Movies-Search%20Hints-US&v2=sne&h5=appleitmsnatv%2Cappleitmsustv&c2=sne
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dsneb&pageName=Movies-Search%20Hints-US&v2=sneb&h5=appleitmsnatv%2Cappleitmsustv&c2=sneb
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dsnea&pageName=Movies-Search%20Hints-US&v2=snea&h5=appleitmsnatv%2Cappleitmsustv&c2=snea
/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dsneak&pageName=Movies-Search%20Hints-US&v2=sneak&h5=appleitmsnatv%2Cappleitmsustv&c2=sneak

On inspecting the requests it did not take him long to notice a pattern. The store requests all went through /WebObjects/MZStore.woa/wa/ or /WebObjects/MZSearch.woa/wa/ (the analytics beacons repeat the same URL in URL-encoded form, hence the %2FWebObjects%2FMZSearch.woa%2Fwa%2F in every one of them), so he wanted to extract just the interesting part of each request from the capture with a small Python script:

#!/usr/bin/python
# Python 2, pcapy + impacket. Walks every frame in the capture and prints the
# store request path of each HTTP GET, with the common prefixes stripped.
import pcapy
from impacket import ImpactDecoder, ImpactPacket

reader = pcapy.open_offline("evidence03.pcap")
decoder = ImpactDecoder.EthDecoder()

while True:
    try:
        (header, payload) = reader.next()
    except pcapy.PcapError:
        break                     # newer pcapy raises at end of file
    if not payload:
        break                     # older pcapy returns (None, '') at end of file
    eth = decoder.decode(payload)
    ip = eth.child()
    tcp = ip.child()
    if not isinstance(tcp, ImpactPacket.TCP):
        continue                  # skip DNS and anything else that is not TCP
    data = tcp.get_data_as_string()
    for line in data.split('\r\n'):
        if line.startswith("GET /WebObjects"):
            # keep only the action and its query string
            line = line.replace('GET /WebObjects/MZStore.woa/wa/', '')
            line = line.replace('GET /WebObjects/MZSearch.woa/wa/', '')
            print line

Running the Python script produced:

viewGrouping?id=39 HTTP/1.1 
incrementalSearch?media=movie&q=h HTTP/1.1 
incrementalSearch?media=movie&q=ha HTTP/1.1 
incrementalSearch?media=movie&q=hac HTTP/1.1 
incrementalSearch?media=movie&q=hack HTTP/1.1 
viewMovie?id=333441649&s=143441 HTTP/1.1 
relatedItemsShelf?ct-id=3&id=333441649&storeFrontId=143441&mt=6 HTTP/1.1 
incrementalSearch?media=movie&q=s HTTP/1.1 
incrementalSearch?media=movie&q=sn HTTP/1.1 
incrementalSearch?media=movie&q=sne HTTP/1.1 
incrementalSearch?media=movie&q=sneb HTTP/1.1 
incrementalSearch?media=movie&q=snea HTTP/1.1 
incrementalSearch?media=movie&q=sneak HTTP/1.1 
viewMovie?id=283963264&s=143441 HTTP/1.1 
relatedItemsShelf?ct-id=3&id=283963264&storeFrontId=143441&mt=6 HTTP/1.1 
incrementalSearch?media=movie&q=i HTTP/1.1 
incrementalSearch?media=movie&q=ik HTTP/1.1 
incrementalSearch?media=movie&q=ikn HTTP/1.1 
incrementalSearch?media=movie&q=ikno HTTP/1.1 
incrementalSearch?media=movie&q=iknow HTTP/1.1 
incrementalSearch?media=movie&q=iknowy HTTP/1.1 
incrementalSearch?media=movie&q=iknowyo HTTP/1.1 
incrementalSearch?media=movie&q=iknowyou HTTP/1.1 
incrementalSearch?media=movie&q=iknowyour HTTP/1.1 
incrementalSearch?media=movie&q=iknowyoure HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourew HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewa HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewat HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatc HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatch HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatchi HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatchin HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatching HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatchingm HTTP/1.1 
incrementalSearch?media=movie&q=iknowyourewatchingme HTTP/1.1

At that point he asked himself why he had written a Python script at all and smiled, since the same output could be obtained with tshark and awk (with the bonus that tshark reassembles TCP segments, whereas the script only sees a request whose GET line fits in a single segment). To verify this he ran the corresponding command:

[arq@darkarq puzzle 3]$ tshark -Y "http.request.uri contains search" -Tfields -e http.request.uri -r evidence03.pcap | awk -F"=" '{print $NF}'
h
ha
hac
hack
s
sn
sne
sneb
snea
sneak
i
ik
ikn
ikno
iknow
iknowy
iknowyo
iknowyou
iknowyour
iknowyoure
iknowyourew
iknowyourewa
iknowyourewat
iknowyourewatc
iknowyourewatch
iknowyourewatchi
iknowyourewatchin
iknowyourewatching
iknowyourewatchingm
iknowyourewatchingme
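The extraction done above by the Python script and by the tshark/awk pipeline, as an added example that is not the write-up's own code: instead of taking the last `=`-field of any URI that contains "search", it parses the query string properly, keeps only the real incrementalSearch requests (the /b/ss analytics beacons carry the same URL nested in their g= parameter and would otherwise count each keystroke twice), and then collapses the keystroke-by-keystroke queries back into the terms the user actually typed. The sample URIs are a constructed, abridged subset of the requests shown above; the `continues` rule for recognising a backspace or a corrected last character is my own assumption about how incremental search behaves.

```python
from urllib.parse import urlsplit, parse_qs

SEARCH_PATH = "/WebObjects/MZSearch.woa/wa/incrementalSearch"

# Constructed sample, abridged from the request URIs in the capture
# (the real capture has one request per keystroke).
SAMPLE_URIS = [
    "/WebObjects/MZStore.woa/wa/viewGrouping?id=39",
    SEARCH_PATH + "?media=movie&q=h",
    "/b/ss/applesuperglobal/1/G.6--NS?pccr=true&ch=Movies-Search"
    "&g=http%3A%2F%2Fax.search.itunes.apple.com%2FWebObjects%2FMZSearch.woa"
    "%2Fwa%2FincrementalSearch%3Fmedia%3Dmovie%26q%3Dh&v2=h&c2=h",
    SEARCH_PATH + "?media=movie&q=ha",
    SEARCH_PATH + "?media=movie&q=hac",
    SEARCH_PATH + "?media=movie&q=hack",
    "/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441",
    SEARCH_PATH + "?media=movie&q=s",
    SEARCH_PATH + "?media=movie&q=sn",
    SEARCH_PATH + "?media=movie&q=sne",
    SEARCH_PATH + "?media=movie&q=sneb",
    SEARCH_PATH + "?media=movie&q=snea",
    SEARCH_PATH + "?media=movie&q=sneak",
    SEARCH_PATH + "?media=movie&q=i",
    SEARCH_PATH + "?media=movie&q=ik",
    SEARCH_PATH + "?media=movie&q=iknow",
    SEARCH_PATH + "?media=movie&q=iknowyourewatchingme",
]


def search_queries(uris):
    """Return the q= value of every incrementalSearch request, in capture order.
    Matching on the path (not 'contains search') skips the analytics beacons."""
    queries = []
    for uri in uris:
        parts = urlsplit(uri)
        if parts.path != SEARCH_PATH:
            continue
        q = parse_qs(parts.query).get("q")
        if q:
            queries.append(q[0])
    return queries


def _common_prefix(a, b):
    n = 0
    while n < len(a) and n < len(b) and a[n] == b[n]:
        n += 1
    return n


def continues(prev, cur):
    """True if cur is prev plus more keystrokes, prev with characters deleted,
    or prev with its last character corrected (assumed behaviour). A query
    sharing no prefix with prev starts a new term; a single character retyped
    from scratch is indistinguishable from a new term."""
    cp = _common_prefix(prev, cur)
    return cp >= 1 and (cp >= len(prev) - 1 or cp == len(cur))


def typed_terms(queries):
    """Collapse keystroke-by-keystroke queries into the final form of each term."""
    terms = []
    for q in queries:
        if terms and continues(terms[-1], q):
            terms[-1] = q
        else:
            terms.append(q)
    return terms


if __name__ == "__main__":
    qs = search_queries(SAMPLE_URIS)
    print(qs)
    print(typed_terms(qs))
```

On the sample this yields the three terms hack, sneak and iknowyourewatchingme, with the sneb/snea correction folded into the second one. The forensic point is the one the capture makes on its own: incremental search sends every keystroke, with the full prefix so far, as a plain-text HTTP GET, so anything typed into the store's search box is recoverable from a capture even if the search was never submitted.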

The output was now cleaner, and he could not believe his eyes. On the Apple TV of Ann, whom he had taken for an ordinary employee, Ann had left him a message: she knew she was being watched. That she knew she was being watched was normal enough; what really surprised SOME was that Ann had anticipated that these messages would be read during a later forensic investigation. The message read iknowyourewatchingme. (It was recoverable at all because the store's incremental search sends each keystroke, with the whole prefix typed so far, in a plain-text HTTP request.)

At that point SOME realised that the woman he was dealing with was not an ordinary employee but someone with at least a basic grasp of certain technical matters. He was quite surprised. SOME found even women who could touch-type attractive; a woman with this level of knowledge had already taken a far more meaningful place in his eyes.

While all this was going through his head, he wondered whether Ann had watched anything on the Apple TV. To check, he narrowed the filter a little and looked for requests to the viewMovie page, which is characteristic of the Apple TV's store browsing:

[arq@darkarq puzzle 3]$ tshark -Y "http.request.uri contains viewMovie" -Tfields -e http.request.uri -r evidence03.pcap
/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441
/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441
/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D283963264%26s%3D143441

He saw that the store pages of two movies, Hackers and Sneakers, had been opened (a viewMovie request shows the title page was visited; whether the film was actually played is not something this filter alone tells you). The titles suggested that Ann and her secret lover carried the idea of hacking into their day-to-day routine as well, and so had been putting in more effort than anyone had assumed.
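Recovering the titles from the capture rather than reading them off by eye, as an added example that is not part of the original write-up: the viewMovie request itself only carries a numeric id, but the analytics beacon that follows it names the page in its pageName parameter and repeats the viewMovie URL in g=. The function below pairs the two by id and returns the title for every store page opened. The sample URIs are the four lines shown above, and the assumed pageName layout ("Movie Page-<storefront>-<title>-<director>-<id>") is what this capture shows; a title containing a hyphen would need a smarter split.

```python
from urllib.parse import urlsplit, parse_qs

VIEW_PATH = "/WebObjects/MZStore.woa/wa/viewMovie"

# Constructed sample: the viewMovie requests and their beacons from the capture.
SAMPLE_VIEW_URIS = [
    "/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441",
    "/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649"
    "&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page"
    "&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441",
    "/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441",
    "/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264"
    "&pccr=true&h5=appleitmsnatv%2Cappleitmsustv&ch=Movie%20Page"
    "&g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D283963264%26s%3D143441",
]


def movies_viewed(uris):
    """Return {movie_id: title} for every viewMovie page opened, in request order.
    Titles come from the beacon's pageName; a beacon is only trusted if the
    viewMovie URL nested in its g= parameter carries the same id."""
    ids = []
    titles = {}
    for uri in uris:
        parts = urlsplit(uri)
        qs = parse_qs(parts.query)  # parse_qs already %-decodes the values
        if parts.path == VIEW_PATH and "id" in qs:
            ids.append(qs["id"][0])
        elif parts.path.startswith("/b/ss/") and "pageName" in qs:
            name = qs["pageName"][0]
            if not name.startswith("Movie Page-"):
                continue
            fields = name.split("-")  # assumed: Movie Page-<sf>-<title>-<director>-<id>
            movie_id = fields[-1]
            nested = parse_qs(urlsplit(qs.get("g", [""])[0]).query)
            if nested.get("id", [None])[0] != movie_id:
                continue  # beacon does not belong to a viewMovie page
            titles[movie_id] = fields[2]
    return {i: titles.get(i, "unknown") for i in ids}


if __name__ == "__main__":
    for movie_id, title in movies_viewed(SAMPLE_VIEW_URIS).items():
        print(movie_id, title)
```

The cross-check against g= matters in practice: the beacons are sent by the analytics client, not the store, so a beacon with a pageName that does not match any viewMovie request (or the wrong id) should not be read as evidence that the page was opened.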

The police had let Ann and her lover slip through their fingers. "They must be in Mexico by now," SOME thought. The police, meanwhile, had cordoned off the house and were waiting for the crime scene team to carry out a full search.