The first task was pretty straightforward. A client binary was provided, and some information about it was requested.
Task 1 – Information Gathering and Triage, Part 1
A military organization captured a laptop of a known explosives expert within a terrorist organization. Further analysis revealed that the laptop contained a debug version of the remote client interface that the individual used to communicate with the IEDs. To help detect other client programs in use, we are cataloging binary signatures and basic network signatures for every version of the IED software we find. To support these efforts, your task is to compute the SHA256 hash of the client binary and identify the source and destination TCP ports that it uses when connecting to an IED.
The client binary was provided as both a Windows and a Linux binary. There are a couple of ways to generate the SHA256 hash of the client binary. On Linux:
On Windows, I’m sure there’s a nice little tool to do this somewhere, but I just went to a website that generates SHA256 hashes of files. Its output:
The second part of Task 1 was to supply the ports the client binary used to communicate. There’s likely a better way to do this, as my method was pretty mundane. First, I ran the client:
Then I opened it in a hex editor and started looking for interesting strings. I started with a search for the string that had been output when it ran and was fortunate enough to find some really helpful text.
Not only were some commands listed, but the client clearly had the ability to print the ports it used. Running client.exe with the -d option printed the ports we were looking for.
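Both halves of Task 1 (hashing the binary and then hunting for the text that reveals the ports) can be scripted so they run offline and repeatably. The following is an added example, not code from the write-up or from the challenge: it streams a file through SHA256, pulls printable ASCII runs out of the bytes the way strings(1) does, and keeps only the strings that mention "port". The embedded SAMPLE_BINARY, the usage text inside it and the port numbers 31337 and 4444 are all constructed for this example and have nothing to do with the real client binary.

```python
# Added example (not the write-up's own code): a small offline triage helper
# that performs both halves of Task 1 in one pass: a streaming SHA256 of a
# file, and extraction of printable ASCII strings filtered for any that
# mention "port", so the help text and port-reporting strings surface without
# paging through a hex editor. SAMPLE_BINARY is constructed for this example
# and is not the challenge binary.
import hashlib
import re
import sys
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA256 of an in-memory buffer as lowercase hex (same format as sha256sum)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_port_hints(strings: List[str]) -> List[Tuple[str, List[int]]]:
    """Keep strings that mention 'port' and pull out any numbers in TCP port range."""
    hits = []
    for s in strings:
        if "port" not in s.lower():
            continue
        nums = [int(n) for n in re.findall(r"\d{1,5}", s) if 0 < int(n) < 65536]
        hits.append((s, nums))
    return hits


# Constructed stand-in for a client binary: an ELF-like header, padding, a few
# code bytes, and the kind of usage text the write-up found in the hex editor.
# The port numbers are made up for this example.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: client [-d] <ied-address>\x00"
    + b"-d  print the source and destination TCP ports\x00"
    + b"\x90\x90\xc3"
    + b"src port %d dst port %d\x00"
    + b"ports: src=31337 dst=4444\x00"
    + b"Connecting to IED...\x00"
    + b"ab\x00"  # too short to count as a string
)


def triage(data: bytes) -> dict:
    """Run both Task 1 steps over a buffer and return the findings."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "string_count": len(strings),
        "port_hints": find_port_hints(strings),
    }


if __name__ == "__main__":
    # Usage: python triage.py [path-to-binary]; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_BINARY
    report = triage(blob)
    print("SHA256:", report["sha256"])
    print("printable strings:", report["string_count"])
    for text, nums in report["port_hints"]:
        print(f"port hint: {text!r} -> {nums}")
```

Hashing locally also sidesteps the question of what happens to a captured sample once it is uploaded to a third-party site; on Windows the same digest comes from the built-in certutil -hashfile <file> SHA256 or PowerShell's Get-FileHash, and the hex output of sha256_file matches sha256sum byte for byte so it can go straight into a signature catalogue.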
And with that, both parts of Task 1 were completed and it was on to Task 2.