Data exfiltration using ARP Request Mac Address (CTF challenge write-up)

PiktaTOS
4 min read · Mar 10, 2024


Introduction:

In the past few days, I’ve been participating in AlphaCTF 3, a Capture The Flag (CTF) event organized by AlphabitClub. Within the forensics category, I came across a challenge named “exfiltration”.

The challenge says that:

Challenge statement

So I began by examining the pcap file to see which kinds of packets it contains.

These were the statistics:

Statistics of packets

I then went through each of these packet types using Wireshark's display filter.

I checked the DNS packets first and noticed that the Transaction ID (highlighted in the image) keeps changing:

However, the query names in the DNS requests are all well-known websites, so it's unlikely that the exfiltration went through DNS: the recipients aren't suspicious.

Examining the ICMP packets, you'll observe that their payloads are encrypted. This can happen when a particular application protocol runs over ICMP and that protocol uses TLS for its communication, as shown in the image below.

So we exclude the DNS and ICMP packets.

So, for the final attempt, I tried the ARP filter. Scrolling through the packets, you'll notice that something changes from packet to packet, and it is quite easy to read (highlighted in the image), as in these three consecutive ARP requests:

The readable characters being sent across the network are "I am a". They are readable because they sit in the sender MAC address field of the ARP request: the attacker encodes the data in the MAC address.

I put together a simple tshark command (tshark is the CLI part of Wireshark). It is composed of three parts and extracts the part of the sender MAC address that carries the exfiltrated data:

1. Get the sender MAC address:
tshark -r chall.pcapng -Y arp -T fields -e arp.src.hw_mac

Part of the result:

8e:4d:b0:5f:20:34
8e:4d:b0:20:63:20
8e:4d:b0:63:20:33
8e:4d:b0:20:70:20
8e:4d:b0:74:20:33
8e:4d:b0:20:44:20
8e:4d:b0:7d:49:20
8e:4d:b0:20:20:68
8e:4d:b0:20:6f:20
8e:4d:b0:70:20:65
8e:4d:b0:20:20:20
8e:4d:b0:79:20:6f
8e:4d:b0:20:75:20
8e:4d:b0:20:20:20
8e:4d:b0:61:20:72
8e:4d:b0:20:65:20
8e:4d:b0:20:20:61
8e:4d:b0:20:20:20

You'll see that the MAC address changes only from the 4th octet to the 6th, while the first three octets are always '8e:4d:b0'. To extract the variable part we use 'cut' with ':' as the delimiter and take fields 4 to 6. We then need to join the values into a single line, so we pipe the result through 'tr' twice to drop the ':' characters and the newlines:

tshark -r chall.pcapng -Y arp -T fields -e arp.src.hw_mac | cut -d ":" -f4-6  | tr -d ":"  | tr -d "\n"

Decoding the output of this command, which is a hex string, with CyberChef gives:

Cleaning the decoded output by removing whitespace and non-printable characters, you will find the flag within the text:

AlphaCTF{MaC_eXF1LTR4tioN_tHrOUGh_4rP_P4Ck3Ts_ch4ll3Nge_4cc3pt3D}
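The whole pipeline (tshark field extraction, cut/tr carving, hex decoding, clean-up) as an added Python example that is not part of the original write-up. It replays the sender MACs listed above as constructed sample input and adds a small defender-side heuristic; the fanout threshold is an assumption, not something the challenge specifies.

```python
import re
from collections import Counter

# Constructed sample: the sender MACs tshark printed for the challenge
# capture (one per ARP request, in capture order), copied from the write-up.
SAMPLE_MACS = """
8e:4d:b0:5f:20:34 8e:4d:b0:20:63:20 8e:4d:b0:63:20:33 8e:4d:b0:20:70:20
8e:4d:b0:74:20:33 8e:4d:b0:20:44:20 8e:4d:b0:7d:49:20 8e:4d:b0:20:20:68
8e:4d:b0:20:6f:20 8e:4d:b0:70:20:65 8e:4d:b0:20:20:20 8e:4d:b0:79:20:6f
8e:4d:b0:20:75:20 8e:4d:b0:20:20:20 8e:4d:b0:61:20:72 8e:4d:b0:20:65:20
8e:4d:b0:20:20:61 8e:4d:b0:20:20:20
""".split()

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def carve_payload(macs, prefix="8e:4d:b0"):
    """Mirror the cut/tr pipeline: take octets 4-6 of every sender MAC that
    carries the fixed prefix, join the hex digits and decode them to bytes."""
    hex_digits = []
    for mac in macs:
        mac = mac.lower()
        if not MAC_RE.match(mac) or not mac.startswith(prefix + ":"):
            continue  # malformed field, or a different (legitimate) host
        hex_digits.append(mac[len(prefix) + 1:].replace(":", ""))
    return bytes.fromhex("".join(hex_digits))


def clean_text(raw):
    """The manual CyberChef clean-up: keep printable ASCII and drop the
    whitespace padding the sender interleaved between characters."""
    return "".join(chr(b) for b in raw if 33 <= b < 127)


def oui_fanout(macs, threshold=8):
    """Defender's heuristic (threshold is an assumption): one OUI spawning
    many distinct sender MACs in ARP requests is a sign that the
    hardware-address field is being used as a data channel."""
    distinct = Counter(mac[:8] for mac in set(m.lower() for m in macs))
    return {oui: n for oui, n in distinct.items() if n >= threshold}


if __name__ == "__main__":
    print(clean_text(carve_payload(SAMPLE_MACS)))  # _4cc3pt3D}Ihopeyouarea
    print(oui_fanout(SAMPLE_MACS))                 # {'8e:4d:b0': 16}
```

On the real capture, feed `tshark -r chall.pcapng -Y arp -T fields -e arp.src.hw_mac` output into `carve_payload` line by line; the sample here only covers the tail of the flag.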

Conclusion:

I hope my explanation was helpful and easy to follow, allowing you to grasp the concepts and techniques used in this challenge effectively.
