BsidesSF 2017 - shattered (forensics, 200 pts)

Challenge Name: shattered
Type: Forensics
Points: 200 pts

We think we found how they're exfiltrating our data. One of the network engineers located a bizzare flow that looks designed to bypass our DLP system. Can you figure out what they were leaking this time?


The file we get is a packet capture file full of retransmitted packets, the traffic looks scrambled, and the sequence numbers are mixed up. There is a great tool called tcpflow that can be used to recontruct it. After loading the PCAP in Wireshark to convert it to a native tcpdump PCAP:

$ tcpflow -d2 -r shattered.pcap
tcpflow: retrying_open ::open(fn=,oflag=xc2,mask:x1b6)=5  
tcpflow: Open FDs at end of processing:      1  
tcpflow: demux.max_open_flows:               1  
tcpflow: Flow map size at end of processing: 1  
tcpflow: Flows seen:                         1  
tcpflow: Total flows processed: 1  
tcpflow: Total packets processed: 1821

$ file JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 564x572, frames 3  


Read more posts by this author.