Packet Madness 200
Summary
Question
These folks speak a different language. Join their site and translate the key for us.
Files
Summary
Wireshark has shiny buttons
Flag
The pcap has a single TCP stream in it, so follow it by right-clicking a packet in Wireshark and choosing Follow TCP Stream. The payload looks like gibberish, but if you try each of the display options in the stream window (ASCII, EBCDIC, hex dump, C arrays, raw), you'll find that it's EBCDIC. Contents ASCIIfied below (packets from the server were NUL terminated):
For help at any time enter: ?
cmd : ?
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : a
New user id: marsddtek
New user password: ilovesheep
Again: ilovesh33p
Passwords do not match.
cmd : a
New user id: mars.ddtek
New user password: ilovesh33p
Again: ilovesh33p
Welcome mars.ddtek, we hope you enjoy our bbs
You may now login
cmd : l
User: administrator
Password: password
Invalid user.
cmd : l
User: admin
Password: pass
Invalid user.
cmd : l
User: root
Password: root
Invalid user.
cmd : m
Please log in to use maintenance mode.
cmd : n
Please log in to read the news.
cmd : l
User: mars.ddtek
Password: ilovesh33p
Welcome backmars.ddtek.
cmd : m
Insufficient privileges.
cmd : l
User: Admin
Password: admin
Invalid user.
cmd : l
User: Admin
Password: 12345
Invalid user.
cmd : ?
a - new user
l - login
n - news
m - maintenance
q - quit
? - print this message
cmd : q
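The "ASCIIfication" above was done by hand in Wireshark. Doing the same step in code is handy when a stream is too long to eyeball, or when you want to check whether unreadable payload is EBCDIC at all rather than clicking through display options. The script below is an added example, not part of the original write-up: it decides between ASCII and EBCDIC by decoding a blob both ways and keeping whichever yields more printable text, then splits the server's output on the NUL terminators the write-up mentions. It assumes the BBS used an EBCDIC code page whose letters, digits and common punctuation match Python's cp037 codec (the same leg of work that dd conv=ascii performs in the one-liner further down), and the sample stream is constructed here by encoding a fragment shaped like the BBS banner.

```python
# Added example: detect and decode a NUL-terminated EBCDIC TCP stream into ASCII.
# Not part of the original write-up; the sample bytes below are constructed.

# Assumption: the BBS's code page agrees with cp037 (EBCDIC US/Canada) for the
# characters that appear in the transcript (letters, digits, ? : . , -).
EBCDIC = "cp037"


def printable_ratio(text: str) -> float:
    """Fraction of characters that are printable ASCII or common whitespace."""
    if not text:
        return 0.0
    ok = sum(1 for c in text if 0x20 <= ord(c) < 0x7F or c in "\r\n\t")
    return ok / len(text)


def looks_like_ebcdic(data: bytes) -> bool:
    """Heuristic: decode as both ASCII (latin-1, so nothing raises) and EBCDIC,
    and call it EBCDIC if that decoding produces more printable text."""
    as_ascii = data.decode("latin-1")
    as_ebcdic = data.decode(EBCDIC)
    return printable_ratio(as_ebcdic) > printable_ratio(as_ascii)


def split_records(data: bytes) -> list[bytes]:
    """Split server output on the NUL terminators the server appended."""
    return [rec for rec in data.split(b"\x00") if rec]


def asciify_stream(data: bytes) -> list[str]:
    """Return the server's records as ASCII strings, decoding EBCDIC if detected."""
    codec = EBCDIC if looks_like_ebcdic(data) else "latin-1"
    return [rec.decode(codec) for rec in split_records(data)]


# Constructed sample: a few records shaped like the BBS banner, encoded to
# EBCDIC and NUL-terminated per record, the way the server in the pcap did.
SAMPLE_RECORDS = [
    "For help at any time enter: ?\r\n",
    "cmd : ",
    "Welcome back mars.ddtek.\r\n",
]
SAMPLE_STREAM = b"".join(r.encode(EBCDIC) + b"\x00" for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    print("EBCDIC?", looks_like_ebcdic(SAMPLE_STREAM))
    for line in asciify_stream(SAMPLE_STREAM):
        print(repr(line))
```

To run it over a real capture, export the stream's raw bytes from the Follow TCP Stream window (or with tshark) and pass them to asciify_stream. The heuristic works because EBCDIC letters and digits all sit above 0x80, so an EBCDIC stream read as ASCII is mostly non-printable, and vice versa.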
Looks like we'd better log into the server that this dump is from, using the mars.ddtek account and connecting in EBCDIC with a simple one-liner:
$ dd bs=1 conv=ebcdic | nc 192.41.96.121 8686 | dd bs=1 conv=ascii
(The first dd converts what we type from ASCII to EBCDIC, nc carries it to the BBS, and the second dd converts the server's EBCDIC replies back to ASCII. bs=1 makes dd pass each byte through immediately instead of buffering a whole block, which keeps the session interactive.)
About the only thing we didn't see in the pcap was the news, so we read that, and the key was clearly indicated in one of the news entries. Sadly, we didn't save the log.