Description: Our research center has evolved during this last time. However, they are having some problems while intercepting communications... Help our investigators to decode the following transmission.
In this challenge, the file 'capture.pcap' is provided. We open it with Wireshark and see lots of traffic between several IP addresses.
One conversation is of particular interest, starting at packet 590 (tcp.stream eq 33): a passive-mode FTP transfer between 192.168.10.132 and 192.168.10.100.
Filtering on TCP stream 33 and using 'Follow TCP stream' in Wireshark reveals the following:
We see that the file 'master.log.0' has been uploaded to the server (STOR master.log.0), so now we are interested in extracting this file. Before the transfer took place, the user issued the 'PASV' command to switch to passive FTP mode, which means the file itself travels over a separate data connection (and therefore a separate TCP stream) rather than over the control channel.
Searching again through the packets, we see that the transfer took place in packet 638 (FTP-DATA), in TCP stream 35. Using the 'Follow TCP stream' function again reveals the contents of the transferred file:
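The same recovery can be scripted instead of clicking through Wireshark. The following is an added example (not part of the original write-up and not the challenge's own material) that reads a classic pcap with the standard library only, reassembles the FTP control channel, follows the PASV reply to the negotiated data port and reassembles the upload, handling out-of-order and retransmitted segments the way 'Follow TCP stream' does. The capture it runs on is a small constructed one with the same client and server addresses; the helper names, the port numbers and the file body are assumptions of the example.

```python
import struct
import socket

# Classic libpcap file format constants.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def tcp_segments(pcap_bytes):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment carrying data."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap files are handled here")
    if struct.unpack("<I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset is in 32-bit words)
        if payload:
            yield src, sport, dst, dport, seq, payload


def reassemble(pcap_bytes, match):
    """Concatenate one direction of a TCP stream in sequence order; match(src, sport, dst, dport)
    selects the direction. Duplicate and overlapping segments are dropped or trimmed."""
    segs = [(seq, p) for s, sp, d, dp, seq, p in tcp_segments(pcap_bytes) if match(s, sp, d, dp)]
    data, expected = b"", None
    for seq, payload in sorted(segs):
        if expected is not None:
            if seq + len(payload) <= expected:
                continue  # pure retransmission, these bytes are already present
            if seq < expected:
                payload, seq = payload[expected - seq:], expected  # partial overlap
        data += payload
        expected = seq + len(payload)
    return data


def parse_pasv(reply):
    """Data-channel (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    nums = [int(n) for n in reply[reply.index("(") + 1:reply.index(")")].split(",")]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def extract_stored_file(pcap_bytes, client, server, ctrl_port=21):
    """Return (filename, content) of the file the client uploaded with STOR over passive FTP."""
    replies = reassemble(pcap_bytes, lambda s, sp, d, dp: (s, sp, d) == (server, ctrl_port, client))
    commands = reassemble(pcap_bytes, lambda s, sp, d, dp: (s, d, dp) == (client, server, ctrl_port))
    pasv = next(l for l in replies.decode("latin-1").splitlines() if l.startswith("227"))
    data_host, data_port = parse_pasv(pasv)
    stor = next(l for l in commands.decode("latin-1").splitlines() if l.startswith("STOR "))
    content = reassemble(pcap_bytes, lambda s, sp, d, dp: (s, d, dp) == (client, data_host, data_port))
    return stor[5:].strip(), content


# Constructed sample capture standing in for capture.pcap: PASV/STOR on the control channel and
# the upload on the negotiated data port, its first segment arriving late and then retransmitted.
CLIENT, SERVER = "192.168.10.132", "192.168.10.100"
SAMPLE_FILE = b"CLIENT_RANDOM " + b"aa" * 32 + b" " + b"bb" * 48 + b"\n"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40001, 21, 1000, b"PASV\r\n"),
    build_frame(SERVER, CLIENT, 21, 40001, 5000, b"227 Entering Passive Mode (192,168,10,100,195,80)\r\n"),
    build_frame(CLIENT, SERVER, 40001, 21, 1006, b"STOR master.log.0\r\n"),
    build_frame(CLIENT, SERVER, 40002, 50000, 2060, SAMPLE_FILE[60:]),
    build_frame(CLIENT, SERVER, 40002, 50000, 2000, SAMPLE_FILE[:60]),
    build_frame(CLIENT, SERVER, 40002, 50000, 2000, SAMPLE_FILE[:60]),
])
```

To run it against the real capture, read capture.pcap into bytes and call extract_stored_file(data, "192.168.10.132", "192.168.10.100"); the returned content is what 'Follow TCP stream' shows for stream 35, and writing it to disk gives the file to load into Wireshark later. The reader deliberately stops at IPv4-over-Ethernet in the classic pcap format; a pcapng capture or one with VLAN tags needs the framing adjusted.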
Now we do some OSINT to find out what kind of data this file contains, and find the following:
So we conclude that this file is a Mozilla Network Security Services (NSS) Key Log file, with contents of the following kind:
NSS is a developer tool and this file contains the master secrets used in SSL/TLS sessions, so we wonder whether they can be used to decrypt some of the TLS traffic also present in other streams of our pcap. To check that, we configure Wireshark to use the keys we just grabbed: we put the contents of the captured transfer in a file named 'master.txt' and load it in the SSL preferences section of Wireshark:
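Before loading a recovered key log it is worth checking that Wireshark will actually accept it and that it covers the sessions of interest. The following is an added example (not from the original write-up) that validates NSS key log lines against the lengths each label requires, and checks which captured ClientHello records have a matching CLIENT_RANDOM entry, since for a TLSv1.2 session that is the only label that can decrypt it. The key log text and the ClientHello records are constructed samples, not the challenge's data; the function names are assumptions of the example.

```python
import re

# Secret sizes Wireshark expects per NSS key log label. CLIENT_RANDOM carries the 48-byte
# TLS 1.2 (and earlier) master secret; the TLS 1.3 labels carry a hash-length traffic
# secret (32 bytes for SHA-256 suites, 48 for SHA-384). The legacy "RSA" premaster label
# is deliberately not handled and is reported as unknown.
LABEL_SECRET_LENGTHS = {
    "CLIENT_RANDOM": {48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Parse NSS key log text into {(label, client_random_hex): secret_hex}.

    Returns (entries, problems); problems lists (line number, reason) for lines that
    Wireshark could not use, so the file can be repaired before loading it.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        parts = line.split()
        if len(parts) != 3:
            problems.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in LABEL_SECRET_LENGTHS:
            problems.append((lineno, f"unknown label {label}"))
            continue
        if not HEX.match(client_random) or len(client_random) != 64:
            problems.append((lineno, "client random must be 32 bytes of hex"))
            continue
        nbytes, odd = divmod(len(secret), 2)
        if not HEX.match(secret) or odd or nbytes not in LABEL_SECRET_LENGTHS[label]:
            problems.append((lineno, f"bad secret length for {label}"))
            continue
        entries[(label, client_random.lower())] = secret.lower()
    return entries, problems


def client_random_from_record(record):
    """Return the 32-byte random from a TLS record holding a ClientHello, else None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3);
    # then client_version(2) and the 32-byte random.
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43]


def covered_sessions(keylog_text, client_hellos):
    """Map each named ClientHello record to whether the key log has a CLIENT_RANDOM for it."""
    entries, _ = parse_keylog(keylog_text)
    randoms = {rnd for (label, rnd) in entries if label == "CLIENT_RANDOM"}
    result = {}
    for name, record in client_hellos.items():
        rnd = client_random_from_record(record)
        result[name] = rnd is not None and rnd.hex() in randoms
    return result


def make_client_hello(random_bytes):
    """Constructed minimal TLS record wrapping a ClientHello, truncated after the random."""
    body = b"\x03\x03" + random_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample key log standing in for master.log.0, with two deliberately broken lines.
RANDOM_A, RANDOM_B = bytes(range(32)), bytes(range(32, 64))
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + RANDOM_A.hex() + " " + "11" * 48,
    "CLIENT_RANDOM deadbeef " + "22" * 48,                 # truncated client random
    "CLIENT_RANDOM " + RANDOM_B.hex() + " " + "33" * 47,   # master secret one byte short
    "CLIENT_TRAFFIC_SECRET_0 " + RANDOM_B.hex() + " " + "44" * 32,
])
SAMPLE_HELLOS = {"stream 32": make_client_hello(RANDOM_A), "stream 40": make_client_hello(RANDOM_B)}
```

In the constructed sample only "stream 32" is reported as covered: "stream 40" has an entry for its client random, but under a TLS 1.3 label, which does not help with a TLSv1.2 session. Running parse_keylog over the recovered file and fixing any reported lines before pointing Wireshark at master.txt avoids the silent failure where the preference is set but 'Follow SSL stream' still shows nothing.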
If we try to view TCP stream 32 with 'Follow TCP stream' we just get garbage, because it is a TLSv1.2 session. However, once the keys have been loaded, we can use 'Follow SSL stream' instead to see the decrypted contents, and we are now able to see at least the HTTP headers inside the TLS session.
In order to extract the contents of the transmission, we select packet 501 in the main pane:
And then use 'Follow HTTP stream' to see its contents: