NSA Codebreaker 2018 - Part 0

Background

DISCLAIMER - The following is a FICTITIOUS story meant for providing realistic context for the Codebreaker Challenge and is not tied in any way to actual events.

A new strain of ransomware has managed to penetrate several critical government networks and NSA has been called upon to assist in remediating the infection to prevent massive data losses. For each infected machine, an encrypted copy of the key needed to decrypt the ransomed files has been stored in a smart contract on the Ethereum blockchain* and is set to only be unlocked upon receipt of the ransom payment. Your mission is to ultimately (1) find a way to unlock the ransomware without giving in to the attacker’s demands and (2) figure out a way to recover all of the funds already paid by other victims. Are YOU up to the challenge?

  • for the purposes of this challenge, a private blockchain has been created with no real monetary value associated with the Ether. See http://www.ethdocs.org/en/latest/ for more information about Ethereum.

Problem Statement

Task 0 - Warm Up - (Network Traffic Analysis)

We have acquired a packet capture (PCAP) file showing network traffic between a newly infected victim computer and the attacker’s listening post (LP). The LP is simply a server that is listening for incoming connections on a certain port. To get started, analyze the network capture and submit the IP address of the attacker’s LP.

Analysis & Solution

Wireshark displays the following when the provided PCAP is opened:

Wireshark PCAP

Looking at the source and destination IP addresses, there are 2 IP addresses involved: 10.98.36.224 and 172.28.57.176. Which one is the attacker? Looking at the protocol, they are all communicating over TCP. Then we look at the ports and see that 43242 and 9999 are inovlved. If we look at port 43242 online then we come to this Port 43242 Information, so it can be assumed that this port is safe for TCP to use. However, port 9999 is suspcious because it is commonly involved in cryptocurrency ports. So it seems reasonably that any PCAP line that goes from 43242 -> 9999 will point you to the attacker IP. In this case, the first line’s destination IP, 172.28.57.176, is the attacker..