Network Forensic — SMUX Protocol

Faishol Hakim
MII Cyber Security Consulting Services
Mar 5, 2023


This topic comes from one of the digital forensics challenges held by Autobahn Security. This time I will discuss the network forensics category. I completed this challenge a few days after the competition was over :(

The brief of this challenge is as follows.

We captured a lot of suspicious HTTP requests last month on one of our websites which hasn’t been maintained since end of 2022. Unfortunately, the website is no longer accessible at this time. Can you analyze what happened?

We are given a pcapng file containing a traffic dump. As a first, alternative approach I tried reading the file with binwalk, hoping to find interesting files embedded in it. And indeed, there was hope this way.

binwalk -ev chall.pcapng

Target File: /mnt/e/cybersecurity/ctf/autobahn/chall.pcapng
MD5 Checksum: 4a35d3d43922a9cddc8e92825f58a9a3
Signatures: 391

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
916 0x394 JPEG image data, JFIF standard 1.01
361424 0x583D0 JPEG image data, JFIF standard 1.01
727664 0xB1A70 JPEG image data, JFIF standard 1.01
1488544 0x16B6A0 JPEG image data, JFIF standard 1.01
2315784 0x235608 JPEG image data, JFIF standard 1.01
2935624 0x2CCB48 JPEG image data, JFIF standard 1.01
3387360 0x33AFE0 JPEG image data, JFIF standard 1.01
3848028 0x3AB75C JPEG image data, JFIF standard 1.01
4234312 0x409C48 JPEG image data, JFIF standard 1.01
4729320 0x4829E8 JPEG image data, JFIF standard 1.01

I tried to force-extract all of these JPEG files, but every extracted image was broken. That is expected when carving a capture file directly: each image is split across many TCP segments, so the pcapng record, Ethernet, IP and TCP headers of every following packet end up interleaved with the JPEG data.

So the next step is to identify general information about the traffic. This can be done with Wireshark or its CLI version, tshark.

From that information, it appears that most packets originate from TCP port 3000.

Another clue came from looking at the packet bytes in hex: the string SMUX appeared in the payload. Searching for that string shows that SMUX is the SNMP Multiplexing protocol (RFC 1227), an SNMP-related protocol. According to the reference, SMUX peers such as gated establish a connection to TCP port 199 when they start and then initialize the SMUX association.
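To make that "initialize the SMUX association" step concrete, here is an added example (not code from the writeup, and not taken from the challenge capture) that builds and decodes the SimpleOpen PDU a peer sends to start an association. The field layout follows RFC 1227 ([APPLICATION 0] IMPLICIT SEQUENCE of version INTEGER, identity OBJECT IDENTIFIER, description DisplayString, password OCTET STRING); the identity OID, description and password used below are made up for the demo.

```python
# Added example: RFC 1227 SMUX SimpleOpen PDU, BER-encoded and decoded with
# the standard library only. Sample identity/description/password are made up.

SIMPLE_OPEN_TAG = 0x60   # [APPLICATION 0], constructed
CLOSE_TAG = 0x41         # [APPLICATION 1] ClosePDU, primitive INTEGER


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def encode_oid(dotted):
    """Dotted OID -> BER content octets (first two arcs packed as 40*a+b, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        group = [a & 0x7F]
        a >>= 7
        while a:
            group.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(group))
    return bytes(out)


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_simple_open(identity, description, password, version=0):
    body = (tlv(0x02, version.to_bytes((version.bit_length() + 8) // 8, "big"))
            + tlv(0x06, encode_oid(identity))
            + tlv(0x04, description.encode())   # DisplayString is an OCTET STRING
            + tlv(0x04, password.encode()))     # sent in the clear
    return tlv(SIMPLE_OPEN_TAG, body)


def read_tlv(buf, off):
    """Return (tag, value, offset after the element)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    return tag, buf[off:off + length], off + length


def decode_simple_open(pdu):
    tag, body, _ = read_tlv(pdu, 0)
    if tag != SIMPLE_OPEN_TAG:
        raise ValueError("not a SimpleOpen PDU (tag 0x%02x)" % tag)
    fields, off = [], 0
    while off < len(body):
        t, v, off = read_tlv(body, off)
        fields.append((t, v))
    if [t for t, _ in fields] != [0x02, 0x06, 0x04, 0x04]:
        raise ValueError("unexpected field layout")
    return {"version": int.from_bytes(fields[0][1], "big"),
            "identity": decode_oid(fields[1][1]),
            "description": fields[2][1].decode(),
            "password": fields[3][1].decode()}


def smux_opens_in_stream(stream):
    """Walk a reassembled TCP stream PDU by PDU; return every decoded SimpleOpen.
    Other PDUs (e.g. a ClosePDU) are skipped using their BER length."""
    opens, off = [], 0
    while off < len(stream):
        tag, _, nxt = read_tlv(stream, off)
        if tag == SIMPLE_OPEN_TAG:
            opens.append(decode_simple_open(stream[off:nxt]))
        off = nxt
    return opens


if __name__ == "__main__":
    pdu = encode_simple_open("1.3.6.1.4.1.4.1.3", "gated on router-1", "s3cret")
    print(pdu.hex())
    print(smux_opens_in_stream(pdu + tlv(CLOSE_TAG, b"\x00")))
```

The point for a defender: the password that authenticates the peer travels as a plain OCTET STRING, so anyone who can capture the port 199 connection can read it straight out of the first PDU. The same TLV walker is what you would run over a reassembled stream from a capture.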

Because the reference describes SMUX as a TCP-based protocol, we map the port 3000 traffic to the smux dissector (Decode As in Wireshark) and look at the TCP payload.

Then we extract the TCP payload: select all smux-filtered packets, keeping only frames longer than 116 bytes so that ACK-only segments with no payload are dropped.
Save the selection in pcap format; tcpdump can rewrite it, but note that -w still produces a capture file with per-packet headers rather than the bare payload:

tcpdump -r smux.pcapng -w extract2 -s 0

Alternatively, tshark can do the extraction in one step, writing only the payload bytes:

tshark -r chall.pcapng -d 'tcp.port==3000,smux' -Y 'smux and frame.len>116' \
  -T fields -e tcp.payload | xxd -r -p > extract2

Read the resulting file and look for JPEG signatures with foremost or binwalk, then check whether the carved data contains the flag we are looking for.

binwalk extract2

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
8 0x8 JPEG image data, JFIF standard 1.01
355498 0x56CAA JPEG image data, JFIF standard 1.01
715733 0xAEBD5 JPEG image data, JFIF standard 1.01
1464827 0x1659FB JPEG image data, JFIF standard 1.01
2278105 0x22C2D9 JPEG image data, JFIF standard 1.01
2887518 0x2C0F5E JPEG image data, JFIF standard 1.01
3331011 0x32D3C3 JPEG image data, JFIF standard 1.01
3783789 0x39BC6D JPEG image data, JFIF standard 1.01
4163921 0x3F8951 JPEG image data, JFIF standard 1.01
4651008 0x46F800 JPEG image data, JFIF standard 1.01
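The whole procedure above (filter segments from port 3000, drop the payload-less ones, concatenate the payload in order, then carve the JPEGs) can be reproduced without Wireshark. The following is an added example, not code from the writeup: it builds a small constructed pcap in memory (a fake JFIF image split over three TCP segments from port 3000, plus an ACK-only segment, a retransmission and an unrelated port 80 segment; none of it is data from the challenge), then shows that carving the raw capture yields a blob with packet headers mixed in, while carving the reassembled payload stream yields the intact image. It handles only classic little-endian pcap, not pcapng, so to use it on a real capture convert first (for example with editcap or tshark -F pcap).

```python
import struct

# Constructed sample: a fake JFIF image split over three TCP segments sent from
# port 3000, plus an ACK-only segment, a retransmission and an unrelated port-80
# segment. None of this is data from the challenge pcapng.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + bytes(range(256)) * 4 + b"\xff\xd9")


def build_frame(sport, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (not checked here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(12) + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic libpcap file (link type 1 = Ethernet), little-endian."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def make_sample_pcap():
    chunks = [SAMPLE_JPEG[:300], SAMPLE_JPEG[300:700], SAMPLE_JPEG[700:]]
    frames, seq = [], 1000
    for i, c in enumerate(chunks):
        frames.append(build_frame(3000, 51234, seq, c))
        if i == 0:
            frames.append(build_frame(3000, 51234, seq + len(c), b""))           # ACK only
            frames.append(build_frame(80, 51235, 7, b"HTTP/1.1 200 OK\r\n\r\n"))  # other traffic
            frames.append(build_frame(3000, 51234, seq, c))                      # retransmission
        seq += len(c)
    return build_pcap(frames)


def iter_frames(pcap):
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl]
        off += incl


def tcp_payload(frame, sport):
    """(seq, payload) for an IPv4/TCP frame sent from `sport`, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # not IPv4 / not TCP
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl
    src, _dst, seq = struct.unpack("!HHI", frame[t:t + 8])
    if src != sport:
        return None
    data_off = (frame[t + 12] >> 4) * 4
    return seq, frame[t + data_off:14 + ip_total]


def extract_stream(pcap, sport=3000):
    """Concatenate payloads from `sport` in sequence order (what the tshark | xxd pipeline yields)."""
    segs = {}
    for frame in iter_frames(pcap):
        hit = tcp_payload(frame, sport)
        if hit and hit[1]:                    # drop ACK-only segments (the frame.len filter)
            segs.setdefault(hit[0], hit[1])   # keep the first copy of a retransmitted segment
    return b"".join(segs[k] for k in sorted(segs))


def carve_jpegs(blob):
    """Carve FF D8 FF ... FF D9 ranges, the way binwalk/foremost signature carving does.
    A nested FF D9 (e.g. an EXIF thumbnail) would cut a file short; fine for this demo."""
    files, pos = [], 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        end = blob.find(b"\xff\xd9", start + 3) if start >= 0 else -1
        if end < 0:
            return files
        files.append(blob[start:end + 2])
        pos = end + 2


if __name__ == "__main__":
    pcap = make_sample_pcap()
    print("carved from raw capture:", [len(f) for f in carve_jpegs(pcap)])
    print("carved from reassembled stream:", [len(f) for f in carve_jpegs(extract_stream(pcap))])
```

Run stand-alone it prints one oversized "image" from the raw capture (the pcap record and packet headers of the later segments sit inside it, which is why the binwalk extraction from the pcapng produced broken pictures) and one image of the right size from the reassembled stream. On a real capture you would also want to honour sequence-number wraparound and overlapping segments, which Wireshark's TCP reassembly does for you.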

It turns out the flag was in one of the successfully extracted images.

Thanks to the organizers for a challenge that shows the value of protocol insight and of being able to read documentation; careful reading and identification matter just as much.

References:
How the SMUX protocol works (sco.com)
RFC 1227, SNMP MUX Protocol and MIB: https://www.ietf.org/rfc/rfc1227.txt
chat.openai.com
