My friend Judy Novak made a .pcap puzzle for me to help market SANS Boston 2016 and SEC 503 Intrusion Detection. It was posted here. I did not look at it before the contest because I wanted "the contestant experience" (no, I cannot compete). So, I went to the SANS website to download my .pcap, and with El Capitan/Safari it did not work. I tried again and it did. For this blog post, don't worry about why it didn't; I will bet a dollar, a whole US dollar, that a load balancer is involved. Let's focus on why it did work. This packet is an HTTP redirect.
Complete packet with Ethernet headers:
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
IP protocol field 0x06 = TCP
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
HTTP/1.1 301 Moved Permanently
RFC 2616: The requested resource has been assigned a new permanent URI and any future references to this resource SHOULD use one of the returned URIs. Clients with link editing capabilities ought to automatically re-link references to the Request-URI to one or more of the new references returned by the server, where possible. This response is cacheable unless indicated otherwise.
The new permanent URI SHOULD be given by the Location field in the response. Unless the request method was HEAD, the entity of the response SHOULD contain a short hypertext note with a hyperlink to the new URI(s).
If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
  
3c703e54686520646f63756d656e7420686173206d6f766564203c6120687265663d2268747470733a2f2f7777772e73616e732e6f72672f752f696c38223e686572653c2f613e2e
Just tell me where to get the durned thing!
https://www.sans.org/u/il8
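As an added example (not part of Judy's puzzle or of the original post), a few lines of Python that decode the hex body shown above, parse a 301 response, and apply the RFC 2616 rule on when a client may follow the redirect automatically. The response headers are constructed, since the post shows only the body and the final URL; the Location value is assumed to match the link in the body.

```python
import re
from typing import Dict, Optional, Tuple

# Hex-encoded TCP payload exactly as shown on the page: the "short hypertext
# note with a hyperlink to the new URI" that RFC 2616 asks a 301 body to carry.
BODY_HEX = ("3c703e54686520646f63756d656e7420686173206d6f766564203c6120687265663d22"
            "68747470733a2f2f7777772e73616e732e6f72672f752f696c38223e686572653c2f613e2e")

# Constructed 301 response (headers assumed; only the body comes from the page).
RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://www.sans.org/u/il8\r\n"
            b"Content-Type: text/html\r\n\r\n") + bytes.fromhex(BODY_HEX)


def decode_body(hex_str: str) -> str:
    """Turn the hex dump of the payload back into the HTML note."""
    return bytes.fromhex(hex_str).decode("ascii")


def href_from_body(html: str) -> Optional[str]:
    """Pull the hyperlink out of the note; None if there is no <a href>."""
    m = re.search(r'<a\s+href="([^"]+)"', html)
    return m.group(1) if m else None


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Minimal HTTP/1.x response split: status code, lowercased header map, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("ascii")


def note_matches_location(headers: Dict[str, str], body: str) -> bool:
    """Consistency check: the body's link should point where Location does."""
    return headers.get("location") == href_from_body(body)


def redirect_target(method: str, status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """URI a client may follow on its own; None when it must not (or cannot)."""
    if status != 301:
        return None
    if method.upper() not in ("GET", "HEAD"):
        return None  # RFC 2616: MUST NOT auto-redirect without user confirmation
    # The Location header is authoritative; the body link is only a fallback.
    return headers.get("location") or href_from_body(body)
```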