Network2 400
Network Security personnel have found an unusual IPSEC connection during the last two weeks. Prior to that, they found traffic on the network that looks like an important piece of information for establishing an IPSec tunnel.
rogue_tunnel.pcap
Can you decipher one of the passwords necessary to establish the connection?
Answer:
- *#VPNC1$c01p$3c#*
- We downloaded the .pcap file from the challenge website.
edfac85635ca29d4d43a853ef5f9265d283fec3c2c6f3b1b92eb30fbb7da8d46.pcap
- In the .pcap file, we found an HTTP object named "gw.pcf.gz".
- We saved the object and used the gzip command to decompress it.
sp@simple-plan:~/Downloads$ gzip -d gw.pcf.gz
- Check the file content.
[main]
Description=Gateway-to-heaven
Host=6.6.6.6
AuthType=1
GroupName=hr.acmovers.com
GroupPwd=
enc_GroupPwd=EA5603DBE67AE109B4931CC0B4E98510CDA23490F65571C54CF900F396EEEFB822BE93EF6BDFEEB8387C0C5DE548E45509273B8053F1C15AABE9AAA46510163C
EnableISPConnect=0
ISPConnectType=0
ISPConnect=fortissl
ISPPhonebook=C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
ISPCommand=
Username=Bruce Wayne
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=1
- After this, we could use an online tool to help us decode the password.
Tool: http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode
enc: EA5603DBE67AE109B4931CC0B4E98510CDA23490F65571C54CF900F396EEEFB822BE93EF6BDFEEB8387C0C5DE548E45509273B8053F1C15AABE9AAA46510163C
clear: *#VPNC1$c01p$3c#*
- We got it.
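Why the tool needs nothing but the file: the added example below (not part of the original write-up or of the decoder linked above) audits a .pcf profile for non-empty enc_ fields and rebuilds the key material from the stored value itself. It assumes the widely published layout of these values (20-byte seed, 20-byte SHA-1 of the ciphertext, then 3DES-CBC ciphertext); the function names and the trimmed sample profile are constructed for illustration.

```python
import configparser
import hashlib

# Constructed sample: a trimmed copy of the profile shown above.
SAMPLE_PCF = """[main]
Host=6.6.6.6
GroupName=hr.acmovers.com
GroupPwd=
enc_GroupPwd=EA5603DBE67AE109B4931CC0B4E98510CDA23490F65571C54CF900F396EEEFB822BE93EF6BDFEEB8387C0C5DE548E45509273B8053F1C15AABE9AAA46510163C
UserPassword=
enc_UserPassword=
"""


def split_enc_blob(hex_blob):
    """Split an enc_* value into (seed, SHA-1 check value, ciphertext)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < 48 or (len(raw) - 40) % 8:
        raise ValueError("not an enc_ blob in the assumed layout")
    return raw[:20], raw[20:40], raw[40:]


def derive_key_iv(seed):
    """Rebuild the 3DES key and CBC IV from the seed alone (no secret input)."""
    def bump(n):
        tmp = bytearray(seed)
        tmp[19] = (tmp[19] + n) & 0xFF  # last seed byte is incremented, then hashed
        return hashlib.sha1(bytes(tmp)).digest()
    return bump(1) + bump(3)[:4], seed[:8]  # 24-byte key, 8-byte IV


def audit_pcf(text):
    """Return one finding per non-empty enc_* field in a .pcf profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. enc_GroupPwd
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for name, value in cp[section].items():
            if name.startswith("enc_") and value.strip():
                seed, check, ct = split_enc_blob(value.strip())
                key, iv = derive_key_iv(seed)
                findings.append({
                    "field": name, "host": cp[section].get("Host", ""),
                    "key_len": len(key), "iv": iv.hex().upper(),
                    "ciphertext_len": len(ct),
                    "integrity_ok": hashlib.sha1(ct).digest() == check,
                })
    return findings
```

Any finding means the group password should be treated as disclosed wherever the profile has travelled, as it did here over plain HTTP.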