

{"id":13137,"date":"2021-07-25T09:40:14","date_gmt":"2021-07-25T14:40:14","guid":{"rendered":"https:\/\/rud.is\/b\/?p=13137"},"modified":"2021-07-25T09:40:14","modified_gmt":"2021-07-25T14:40:14","slug":"acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/","title":{"rendered":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (&#038; friends)"},"content":{"rendered":"<p>Hot on the heels of the previous <a href=\"https:\/\/rud.is\/b\/2021\/07\/20\/packet-maze-solving-a-cyberdefenders-pcap-puzzle-with-r-zeek-and-tshark\/\">CyberDefenders Challenge Solution<\/a> comes this <em>noisy<\/em> installment which solves their Acoustic challenge.<\/p>\n<p>You can find the source Rmd <a href=\"https:\/\/github.com\/hrbrmstr\/acoustic\/\">on GitHub<\/a>, but I&#8217;m also testing the limits of WP&#8217;s markdown rendering and putting it in-stream as well.<\/p>\n<p>No <a href=\"https:\/\/rud.is\/books\/packet-maze\/\">longer book expository<\/a> this time (since much of the setup\/explanatory bits from it apply here as well).<\/p>\n<h1>Acoustic<\/h1>\n<ul>\n<li><a href=\"#convert-the-pcap\">Convert the PCAP<\/a><\/li>\n<li><a href=\"#examine-and-process-log.txt\">Examine and Process <code>log.txt<\/code><\/a><\/li>\n<li><a href=\"#process-zeek-logs\">Process Zeek Logs<\/a><\/li>\n<li><a href=\"#process-packet-summary\">Process Packet Summary<\/a><\/li>\n<li><a href=\"#what-is-the-transport-protocol-being-used\">What is the transport protocol being used?<\/a><\/li>\n<li><a href=\"#the-attacker-used-a-bunch-of-scanning-tools-that-belong-to-the-same-suite.-provide-the-name-of-the-suite.\">The attacker used a bunch of scanning tools that belong to the same suite. 
Provide the name of the suite.<\/a><\/li>\n<li><a href=\"#what-is-the-user-agent-of-the-victim-system\">\u201cWhat is the User-Agent of the victim system?\u201d<\/a><\/li>\n<li><a href=\"#which-tool-was-only-used-against-the-following-extensions-100-101-102-103-and-111\">Which tool was only used against the following extensions: 100, 101, 102, 103, and 111?<\/a><\/li>\n<li><a href=\"#which-extension-on-the-honeypot-does-not-require-authentication\">Which extension on the honeypot does NOT require authentication?<\/a><\/li>\n<li><a href=\"#how-many-extensions-were-scanned-in-total\">How many extensions were scanned in total?<\/a><\/li>\n<li><a href=\"#there-is-a-trace-for-a-real-sip-client.-what-is-the-corresponding-user-agent-two-words-once-space-in-between\">There is a trace for a real SIP client. What is the corresponding user-agent? (two words, once space in between)<\/a><\/li>\n<li><a href=\"#multiple-real-world-phone-numbers-were-dialed.-provide-the-first-11-digits-of-the-number-dialed-from-extension-101\">Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101?<\/a><\/li>\n<li><a href=\"#what-are-the-default-credentials-used-in-the-attempted-basic-authentication-format-is-usernamepassword\">What are the default credentials used in the attempted basic authentication? (format is username:password)<\/a><\/li>\n<li><a href=\"#which-codec-does-the-rtp-stream-use-3-words-2-spaces-in-between\">Which codec does the RTP stream use? 
(3 words, 2 spaces in between)<\/a><\/li>\n<li><a href=\"#how-long-is-the-sampling-time-in-milliseconds\">How long is the sampling time (in milliseconds)?<\/a><\/li>\n<li><a href=\"#what-was-the-password-for-the-account-with-username-555\">What was the password for the account with username 555?<\/a><\/li>\n<li><a href=\"#which-rtp-packet-header-field-can-be-used-to-reorder-out-of-sync-rtp-packets-in-the-correct-sequence\">Which RTP packet header field can be used to reorder out of sync<br \/>\nRTP packets in the correct sequence?<\/a><\/li>\n<li><a href=\"#the-trace-includes-a-secret-hidden-message.-can-you-hear-it\">The trace includes a secret hidden message. Can you hear<br \/>\nit?<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/cyberdefenders.org\/labs\/46\">This challenge<\/a> takes us <em>\u201cinto the world of voice communications on the internet. VoIP is becoming the de-facto standard for voice communication. As this technology becomes more common, malicious parties have more opportunities and stronger motives to control these systems to conduct nefarious activities. This challenge was designed to examine and explore some of the attributes of the SIP and RTP protocols.\u201d<\/em><\/p>\n<p>We have two files to work with:<\/p>\n<ul>\n<li><code>log.txt<\/code> which was generated from an unadvertised, passive honeypot located on the internet such that any traffic destined to it must be nefarious. Unknown parties scanned the honeypot with a range of tools, and this activity is represented in the log file.\n<ul>\n<li>The IP address of the honeypot has been changed to \u201c<code>honey.pot.IP.removed<\/code>\u201d. 
In terms of geolocation, pick your favorite city.<\/li>\n<li>The MD5 hash in the authorization digest is replaced with \u201c<code>MD5_hash_removedXXXXXXXXXXXXXXXX<\/code>\u201d<\/li>\n<li>Some octets of external IP addresses have been replaced with an \u201cX\u201d<\/li>\n<li>Several trailing digits of phone numbers have been replaced with an \u201cX\u201d<\/li>\n<li>Assume the timestamps in the log files are UTC.<\/li>\n<\/ul>\n<\/li>\n<li><code>Voip-trace.pcap<\/code> was created by honeynet members for this forensic challenge to allow participants to employ network analysis skills in the VOIP context.<\/li>\n<\/ul>\n<p>There are 14 questions to answer.<\/p>\n<p>If you are not familiar with <a href=\"https:\/\/en.wikipedia.org\/wiki\/Session_Initiation_Protocol\">SIP<\/a> and\/or <a href=\"https:\/\/en.wikipedia.org\/wiki\/Real-time_Transport_Protocol\">RTP<\/a> you should do a bit of research first. A good place to start is <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html\">RFC 3261<\/a> (for SIP) and <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3550\">RFC 3550<\/a> (for RTP). Some questions can be answered just by knowing the details of these protocols.<\/p>\n<h2>Convert the PCAP<\/h2>\n<pre><code class=\"language-r\">library(stringi)\nlibrary(tidyverse)\n<\/code><\/pre>\n<p>We\u2019ll pre-generate Zeek logs. The <code>-C<\/code> tells Zeek to not bother with checksums, <code>-r<\/code> tells it to read from a file and the <code>LogAscii::use_json=T<\/code> means we want JSON output vs the default delimited files. 
JSON gives us data types (the headers in the delimited files do as well, but we\u2019d have to write something to read those types then deal with it vs get this for free out of the box with JSON).<\/p>\n<pre><code class=\"language-r\">system(\"ZEEK_LOG_SUFFIX=json \/opt\/zeek\/bin\/zeek -C -r src\/Voip-trace.pcap LogAscii::use_json=T HTTP::default_capture_password=T\")\n<\/code><\/pre>\n<p>We process the PCAP twice with <code>tshark<\/code>. Once to get the handy (and small) packet summary table, then dump the whole thing to JSON. We may need to run <code>tshark<\/code> again down the road a bit.<\/p>\n<pre><code class=\"language-r\">system(\"tshark -T tabs -r src\/Voip-trace.pcap &gt; voip-packets.tsv\")\nsystem(\"tshark -T json -r src\/Voip-trace.pcap &gt; voip-trace\")\n<\/code><\/pre>\n<h2>Examine and Process <code>log.txt<\/code><\/h2>\n<p>We aren\u2019t told what format <code>log.txt<\/code> is in, so let\u2019s take a look:<\/p>\n<pre><code class=\"language-r\">cd_sip_log &lt;- stri_read_lines(\"src\/log.txt\")\n\ncat(head(cd_sip_log, 25), sep=\"\\n\")\n## Source: 210.184.X.Y:1083\n## Datetime: 2010-05-02 01:43:05.606584\n## \n## Message:\n## \n## OPTIONS sip:100@honey.pot.IP.removed SIP\/2.0\n## Via: SIP\/2.0\/UDP 127.0.0.1:5061;branch=z9hG4bK-2159139916;rport\n## Content-Length: 0\n## From: \"sipvicious\"&lt;sip:100@1.1.1.1&gt;; tag=X_removed\n## Accept: application\/sdp\n## User-Agent: friendly-scanner\n## To: \"sipvicious\"&lt;sip:100@1.1.1.1&gt;\n## Contact: sip:100@127.0.0.1:5061\n## CSeq: 1 OPTIONS\n## Call-ID: 845752980453913316694142\n## Max-Forwards: 70\n## \n## \n## \n## \n## -------------------------\n## Source: 210.184.X.Y:4956\n## Datetime: 2010-05-02 01:43:12.488811\n## \n## Message:\n<\/code><\/pre>\n<p>These look <em>a bit<\/em> like <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Messages\">HTTP server responses<\/a>, but we know we\u2019re working in SIP land and if you perused the RFC you\u2019d have noticed that SIP is 
an HTTP-like ASCII protocol. While some HTTP response parsers <em>might<\/em> work on these records, it\u2019s pretty straightforward to whip up a bespoke pseudo-parser.<\/p>\n<p>Let\u2019s see how many records there are by counting the number of \u201c<code>Message:<\/code>\u201d lines (we\u2019re doing this, primarily, to see if we should use the <code>{furrr}<\/code> package to speed up processing):<\/p>\n<pre><code class=\"language-r\">cd_sip_log[stri_detect_fixed(cd_sip_log, \"Message:\")] %&gt;%\n  table()\n## .\n## Message: \n##     4266\n<\/code><\/pre>\n<p>There are many, so we\u2019ll avoid parallel processing the data and just use a single thread.<\/p>\n<p>One way to tackle the parsing is to look for the stop and start of each record, extract fields (these have similar formats to HTTP headers), and perhaps have to extract content as well. We know this because there are \u201c<code>Content-Length:<\/code>\u201d fields. <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-20.14\">According to the RFC<\/a> they are supposed to exist for every message. Let\u2019s first see if any \u201c<code>Content-Length:<\/code>\u201d header records are greater than 0. 
We\u2019ll do this with a little help from the <a href=\"https:\/\/github.com\/BurntSushi\/ripgrep\"><code>ripgrep<\/code><\/a> utility as it provides a way to see context before and\/or after matched patterns:<\/p>\n<pre><code class=\"language-r\">cat(system('rg --after-context=10 \"^Content-Length: [^0]\" src\/log.txt', intern=TRUE), sep=\"\\n\")\n## Content-Length: 330\n## \n## v=0\n## o=Zoiper_user 0 0 IN IP4 89.42.194.X\n## s=Zoiper_session\n## c=IN IP4 89.42.194.X\n## t=0 0\n## m=audio 52999 RTP\/AVP 3 0 8 110 98 101\n## a=rtpmap:3 GSM\/8000\n## a=rtpmap:0 PCMU\/8000\n## a=rtpmap:8 PCMA\/8000\n## --\n## Content-Length: 330\n## \n## v=0\n## o=Zoiper_user 0 0 IN IP4 89.42.194.X\n## s=Zoiper_session\n## c=IN IP4 89.42.194.X\n## t=0 0\n## m=audio 52999 RTP\/AVP 3 0 8 110 98 101\n## a=rtpmap:3 GSM\/8000\n## a=rtpmap:0 PCMU\/8000\n## a=rtpmap:8 PCMA\/8000\n## --\n## Content-Length: 330\n## \n## v=0\n## o=Zoiper_user 0 0 IN IP4 89.42.194.X\n## s=Zoiper_session\n## c=IN IP4 89.42.194.X\n## t=0 0\n## m=audio 52999 RTP\/AVP 3 0 8 110 98 101\n## a=rtpmap:3 GSM\/8000\n## a=rtpmap:0 PCMU\/8000\n## a=rtpmap:8 PCMA\/8000\n## --\n## Content-Length: 330\n## \n## v=0\n## o=Zoiper_user 0 0 IN IP4 89.42.194.X\n## s=Zoiper_session\n## c=IN IP4 89.42.194.X\n## t=0 0\n## m=audio 52999 RTP\/AVP 3 0 8 110 98 101\n## a=rtpmap:3 GSM\/8000\n## a=rtpmap:0 PCMU\/8000\n## a=rtpmap:8 PCMA\/8000\n<\/code><\/pre>\n<p>So, we <em>do<\/em> need to account for content. 
It\u2019s still pretty straightforward (explanatory comments inline):<\/p>\n<pre><code class=\"language-r\">starts &lt;- which(stri_detect_regex(cd_sip_log, \"^Source:\"))\nstops &lt;- which(stri_detect_regex(cd_sip_log, \"^----------\"))\n\nmap2_dfr(starts, stops, ~{\n\n  raw_rec &lt;- stri_trim_both(cd_sip_log[.x:.y]) # target the record from the log\n  raw_rec &lt;- raw_rec[raw_rec != \"-------------------------\"] # remove separator\n\n  msg_idx &lt;- which(stri_detect_regex(raw_rec, \"^Message:\")) # find where \"Message:\" line is\n  source_idx &lt;- which(stri_detect_regex(raw_rec, \"^Source: \")) # find where \"Source:\" line is\n  datetime_idx &lt;- which(stri_detect_regex(raw_rec, \"^Datetime: \")) # find where \"Datetime:\" line is\n  contents_idx &lt;- which(stri_detect_regex(raw_rec[(msg_idx+2):length(raw_rec)], \"^$\"))[1] + 2 # get position of the \"data\"\n\n  source &lt;- stri_match_first_regex(raw_rec[source_idx], \"^Source: (.*)$\")[,2] # extract source\n  datetime &lt;- stri_match_first_regex(raw_rec[datetime_idx], \"^Datetime: (.*)$\")[,2] # extract datetime\n  request &lt;- raw_rec[msg_idx+2] # extract request line\n\n  # build a matrix out of the remaining headers. 
header key will be in column 2, value will be in column 3\n  tmp &lt;- stri_match_first_regex(raw_rec[(msg_idx+3):contents_idx], \"^([^:]+):[[:space:]]+(.*)$\")\n  tmp[,2] &lt;- stri_trans_tolower(tmp[,2]) # lowercase the header key\n  tmp[,2] &lt;- stri_replace_all_fixed(tmp[,2], \"-\", \"_\") # turn dashes to underscores so we can more easily use the keys as column names\n\n  contents &lt;- raw_rec[(contents_idx+1):length(raw_rec)]\n  contents &lt;- paste0(contents[contents != \"\"], collapse = \"\\n\")\n\n  as.list(tmp[,3]) %&gt;% # turn the header values into a list\n    set_names(tmp[,2]) %&gt;% # make their names the transformed keys\n    append(c(\n      source = source, # add source to the list (etc)\n      datetime = datetime,\n      request = request,\n      contents = contents\n    ))\n\n}) -&gt; sip_log_parsed\n<\/code><\/pre>\n<p>Let\u2019s see what we have:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed\n## # A tibble: 4,266 x 18\n##    via     content_length from    accept  user_agent to     contact cseq  source\n##    &lt;chr&gt;   &lt;chr&gt;          &lt;chr&gt;   &lt;chr&gt;   &lt;chr&gt;      &lt;chr&gt;  &lt;chr&gt;   &lt;chr&gt; &lt;chr&gt; \n##  1 SIP\/2.\u2026 0              \"\\\"sip\u2026 applic\u2026 friendly-\u2026 \"\\\"si\u2026 sip:10\u2026 1 OP\u2026 210.1\u2026\n##  2 SIP\/2.\u2026 0              \"\\\"342\u2026 applic\u2026 friendly-\u2026 \"\\\"34\u2026 sip:34\u2026 1 RE\u2026 210.1\u2026\n##  3 SIP\/2.\u2026 0              \"\\\"172\u2026 applic\u2026 friendly-\u2026 \"\\\"17\u2026 sip:17\u2026 1 RE\u2026 210.1\u2026\n##  4 SIP\/2.\u2026 0              \"\\\"adm\u2026 applic\u2026 friendly-\u2026 \"\\\"ad\u2026 sip:ad\u2026 1 RE\u2026 210.1\u2026\n##  5 SIP\/2.\u2026 0              \"\\\"inf\u2026 applic\u2026 friendly-\u2026 \"\\\"in\u2026 sip:in\u2026 1 RE\u2026 210.1\u2026\n##  6 SIP\/2.\u2026 0              \"\\\"tes\u2026 applic\u2026 friendly-\u2026 \"\\\"te\u2026 sip:te\u2026 1 RE\u2026 210.1\u2026\n##  7 SIP\/2.\u2026 
0              \"\\\"pos\u2026 applic\u2026 friendly-\u2026 \"\\\"po\u2026 sip:po\u2026 1 RE\u2026 210.1\u2026\n##  8 SIP\/2.\u2026 0              \"\\\"sal\u2026 applic\u2026 friendly-\u2026 \"\\\"sa\u2026 sip:sa\u2026 1 RE\u2026 210.1\u2026\n##  9 SIP\/2.\u2026 0              \"\\\"ser\u2026 applic\u2026 friendly-\u2026 \"\\\"se\u2026 sip:se\u2026 1 RE\u2026 210.1\u2026\n## 10 SIP\/2.\u2026 0              \"\\\"sup\u2026 applic\u2026 friendly-\u2026 \"\\\"su\u2026 sip:su\u2026 1 RE\u2026 210.1\u2026\n## # \u2026 with 4,256 more rows, and 9 more variables: datetime &lt;chr&gt;, request &lt;chr&gt;,\n## #   contents &lt;chr&gt;, call_id &lt;chr&gt;, max_forwards &lt;chr&gt;, expires &lt;chr&gt;,\n## #   allow &lt;chr&gt;, authorization &lt;chr&gt;, content_type &lt;chr&gt;\n<\/code><\/pre>\n<pre><code class=\"language-r\">glimpse(sip_log_parsed)\n## Rows: 4,266\n## Columns: 18\n## $ via            &lt;chr&gt; \"SIP\/2.0\/UDP 127.0.0.1:5061;branch=z9hG4bK-2159139916;r\u2026\n## $ content_length &lt;chr&gt; \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \u2026\n## $ from           &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;; tag=X_removed\", \"\\\"34\u2026\n## $ accept         &lt;chr&gt; \"application\/sdp\", \"application\/sdp\", \"application\/sdp\"\u2026\n## $ user_agent     &lt;chr&gt; \"friendly-scanner\", \"friendly-scanner\", \"friendly-scann\u2026\n## $ to             &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;\", \"\\\"3428948518\\\"&lt;sip:\u2026\n## $ contact        &lt;chr&gt; \"sip:100@127.0.0.1:5061\", \"sip:3428948518@honey.pot.IP.\u2026\n## $ cseq           &lt;chr&gt; \"1 OPTIONS\", \"1 REGISTER\", \"1 REGISTER\", \"1 REGISTER\", \u2026\n## $ source         &lt;chr&gt; \"210.184.X.Y:1083\", \"210.184.X.Y:4956\", \"210.184.X.Y:51\u2026\n## $ datetime       &lt;chr&gt; \"2010-05-02 01:43:05.606584\", \"2010-05-02 01:43:12.4888\u2026\n## $ request        &lt;chr&gt; \"OPTIONS 
sip:100@honey.pot.IP.removed SIP\/2.0\", \"REGIST\u2026\n## $ contents       &lt;chr&gt; \"Call-ID: 845752980453913316694142\\nMax-Forwards: 70\", \u2026\n## $ call_id        &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ max_forwards   &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ expires        &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ allow          &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ authorization  &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ content_type   &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n<\/code><\/pre>\n<p>Looks good, but IRL there are edge-cases we\u2019d have to deal with.<\/p>\n<h2>Process Zeek Logs<\/h2>\n<p>Because they\u2019re JSON files, and the names are reasonable, we can do some magic incantations to read them all in and shove them into a list we\u2019ll call <code>zeek<\/code>:<\/p>\n<pre><code class=\"language-r\">zeek &lt;- list()\n\nlist.files(\n  pattern = \"json$\",\n  full.names = TRUE\n) %&gt;%\n  walk(~{\n    append(zeek, list(file(.x) %&gt;% \n      jsonlite::stream_in(verbose = FALSE) %&gt;%\n      as_tibble()) %&gt;% \n        set_names(tools::file_path_sans_ext(basename(.x)))\n    ) -&gt;&gt; zeek\n  })\n\nstr(zeek, 1)\n## List of 7\n##  $ conn         : tibble [97 \u00d7 18] (S3: tbl_df\/tbl\/data.frame)\n##  $ dpd          : tibble [1 \u00d7 9] (S3: tbl_df\/tbl\/data.frame)\n##  $ files        : tibble [38 \u00d7 16] (S3: tbl_df\/tbl\/data.frame)\n##  $ http         : tibble [92 \u00d7 24] (S3: tbl_df\/tbl\/data.frame)\n##  $ packet_filter: tibble [1 \u00d7 5] (S3: tbl_df\/tbl\/data.frame)\n##  $ sip          : tibble [9 \u00d7 23] (S3: tbl_df\/tbl\/data.frame)\n##  $ weird        : tibble [1 \u00d7 9] (S3: tbl_df\/tbl\/data.frame)\n<\/code><\/pre>\n<pre><code class=\"language-r\">walk2(names(zeek), zeek, ~{\n  
cat(\"File:\", .x, \"\\n\")\n  glimpse(.y)\n  cat(\"\\n\\n\")\n})\n## File: conn \n## Rows: 97\n## Columns: 18\n## $ ts            &lt;dbl&gt; 1272737631, 1272737581, 1272737669, 1272737669, 12727376\u2026\n## $ uid           &lt;chr&gt; \"Cb0OAQ1eC0ZhQTEKNl\", \"C2s0IU2SZFGVlZyH43\", \"CcEeLRD3cca\u2026\n## $ id.orig_h     &lt;chr&gt; \"172.25.105.43\", \"172.25.105.43\", \"172.25.105.43\", \"172.\u2026\n## $ id.orig_p     &lt;int&gt; 57086, 5060, 57087, 57088, 57089, 57090, 57091, 57093, 5\u2026\n## $ id.resp_h     &lt;chr&gt; \"172.25.105.40\", \"172.25.105.40\", \"172.25.105.40\", \"172.\u2026\n## $ id.resp_p     &lt;int&gt; 80, 5060, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80\u2026\n## $ proto         &lt;chr&gt; \"tcp\", \"udp\", \"tcp\", \"tcp\", \"tcp\", \"tcp\", \"tcp\", \"tcp\", \u2026\n## $ service       &lt;chr&gt; \"http\", \"sip\", \"http\", \"http\", \"http\", \"http\", \"http\", \"\u2026\n## $ duration      &lt;dbl&gt; 0.0180180073, 0.0003528595, 0.0245900154, 0.0740420818, \u2026\n## $ orig_bytes    &lt;int&gt; 502, 428, 380, 385, 476, 519, 520, 553, 558, 566, 566, 5\u2026\n## $ resp_bytes    &lt;int&gt; 720, 518, 231, 12233, 720, 539, 17499, 144, 144, 144, 14\u2026\n## $ conn_state    &lt;chr&gt; \"SF\", \"SF\", \"SF\", \"SF\", \"SF\", \"SF\", \"SF\", \"SF\", \"SF\", \"S\u2026\n## $ missed_bytes  &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\u2026\n## $ history       &lt;chr&gt; \"ShADadfF\", \"Dd\", \"ShADadfF\", \"ShADadfF\", \"ShADadfF\", \"S\u2026\n## $ orig_pkts     &lt;int&gt; 5, 1, 5, 12, 5, 6, 16, 6, 6, 5, 5, 5, 5, 5, 5, 5, 6, 5, \u2026\n## $ orig_ip_bytes &lt;int&gt; 770, 456, 648, 1017, 744, 839, 1360, 873, 878, 834, 834,\u2026\n## $ resp_pkts     &lt;int&gt; 5, 1, 5, 12, 5, 5, 16, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, \u2026\n## $ resp_ip_bytes &lt;int&gt; 988, 546, 499, 12865, 988, 807, 18339, 412, 412, 412, 41\u2026\n## \n## \n## File: dpd \n## Rows: 1\n## Columns: 9\n## $ ts             &lt;dbl&gt; 
1272737798\n## $ uid            &lt;chr&gt; \"CADvMziC96POynR2e\"\n## $ id.orig_h      &lt;chr&gt; \"172.25.105.3\"\n## $ id.orig_p      &lt;int&gt; 43204\n## $ id.resp_h      &lt;chr&gt; \"172.25.105.40\"\n## $ id.resp_p      &lt;int&gt; 5060\n## $ proto          &lt;chr&gt; \"udp\"\n## $ analyzer       &lt;chr&gt; \"SIP\"\n## $ failure_reason &lt;chr&gt; \"Binpac exception: binpac exception: string mismatch at\u2026\n## \n## \n## File: files \n## Rows: 38\n## Columns: 16\n## $ ts             &lt;dbl&gt; 1272737631, 1272737669, 1272737676, 1272737688, 1272737\u2026\n## $ fuid           &lt;chr&gt; \"FRnb7P5EDeZE4Y3z4\", \"FOT2gC2yLxjfMCuE5f\", \"FmUCuA3dzcS\u2026\n## $ tx_hosts       &lt;list&gt; \"172.25.105.40\", \"172.25.105.40\", \"172.25.105.40\", \"17\u2026\n## $ rx_hosts       &lt;list&gt; \"172.25.105.43\", \"172.25.105.43\", \"172.25.105.43\", \"17\u2026\n## $ conn_uids      &lt;list&gt; \"Cb0OAQ1eC0ZhQTEKNl\", \"CFfYtA0DqqrJk4gI5\", \"CHN4qA4UUH\u2026\n## $ source         &lt;chr&gt; \"HTTP\", \"HTTP\", \"HTTP\", \"HTTP\", \"HTTP\", \"HTTP\", \"HTTP\",\u2026\n## $ depth          &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\u2026\n## $ analyzers      &lt;list&gt; [], [], [], [], [], [], [], [], [], [], [], [], [], []\u2026\n## $ mime_type      &lt;chr&gt; \"text\/html\", \"text\/html\", \"text\/html\", \"text\/html\", \"te\u2026\n## $ duration       &lt;dbl&gt; 0.000000e+00, 8.920908e-03, 0.000000e+00, 0.000000e+00,\u2026\n## $ is_orig        &lt;lgl&gt; FALSE, FALSE, FALSE, FALSE, FALSE, TRUE, FALSE, FALSE, \u2026\n## $ seen_bytes     &lt;int&gt; 479, 11819, 479, 313, 17076, 55, 50, 30037, 31608, 1803\u2026\n## $ total_bytes    &lt;int&gt; 479, NA, 479, 313, NA, 55, 50, NA, NA, NA, 58, 313, 50,\u2026\n## $ missing_bytes  &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\u2026\n## $ overflow_bytes &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\u2026\n## $ timedout       &lt;lgl&gt; FALSE, 
FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE,\u2026\n## \n## \n## File: http \n## Rows: 92\n## Columns: 24\n## $ ts                &lt;dbl&gt; 1272737631, 1272737669, 1272737669, 1272737676, 1272\u2026\n## $ uid               &lt;chr&gt; \"Cb0OAQ1eC0ZhQTEKNl\", \"CcEeLRD3cca3j4QGh\", \"CFfYtA0D\u2026\n## $ id.orig_h         &lt;chr&gt; \"172.25.105.43\", \"172.25.105.43\", \"172.25.105.43\", \"\u2026\n## $ id.orig_p         &lt;int&gt; 57086, 57087, 57088, 57089, 57090, 57091, 57093, 570\u2026\n## $ id.resp_h         &lt;chr&gt; \"172.25.105.40\", \"172.25.105.40\", \"172.25.105.40\", \"\u2026\n## $ id.resp_p         &lt;int&gt; 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, \u2026\n## $ trans_depth       &lt;int&gt; 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1\u2026\n## $ method            &lt;chr&gt; \"GET\", \"GET\", \"GET\", \"GET\", \"GET\", \"GET\", \"GET\", \"GE\u2026\n## $ host              &lt;chr&gt; \"172.25.105.40\", \"172.25.105.40\", \"172.25.105.40\", \"\u2026\n## $ uri               &lt;chr&gt; \"\/maint\", \"\/\", \"\/user\/\", \"\/maint\", \"\/maint\", \"\/maint\u2026\n## $ referrer          &lt;chr&gt; \"http:\/\/172.25.105.40\/user\/\", NA, NA, \"http:\/\/172.25\u2026\n## $ version           &lt;chr&gt; \"1.1\", \"1.1\", \"1.1\", \"1.1\", \"1.1\", \"1.1\", \"1.1\", \"1.\u2026\n## $ user_agent        &lt;chr&gt; \"Mozilla\/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9)\u2026\n## $ request_body_len  &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0\u2026\n## $ response_body_len &lt;int&gt; 479, 0, 11819, 479, 313, 17076, 0, 0, 0, 0, 0, 0, 0,\u2026\n## $ status_code       &lt;int&gt; 401, 302, 200, 401, 301, 200, 304, 304, 304, 304, 30\u2026\n## $ status_msg        &lt;chr&gt; \"Authorization Required\", \"Found\", \"OK\", \"Authorizat\u2026\n## $ tags              &lt;list&gt; [], [], [], [], [], [], [], [], [], [], [], [], [],\u2026\n## $ resp_fuids        &lt;list&gt; \"FRnb7P5EDeZE4Y3z4\", &lt;NULL&gt;, 
\"FOT2gC2yLxjfMCuE5f\", \u2026\n## $ resp_mime_types   &lt;list&gt; \"text\/html\", &lt;NULL&gt;, \"text\/html\", \"text\/html\", \"tex\u2026\n## $ username          &lt;chr&gt; NA, NA, NA, NA, \"maint\", \"maint\", \"maint\", \"maint\", \u2026\n## $ password          &lt;chr&gt; NA, NA, NA, NA, \"password\", \"password\", \"password\", \u2026\n## $ orig_fuids        &lt;list&gt; &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NU\u2026\n## $ orig_mime_types   &lt;list&gt; &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NULL&gt;, &lt;NU\u2026\n## \n## \n## File: packet_filter \n## Rows: 1\n## Columns: 5\n## $ ts      &lt;dbl&gt; 1627151196\n## $ node    &lt;chr&gt; \"zeek\"\n## $ filter  &lt;chr&gt; \"ip or not ip\"\n## $ init    &lt;lgl&gt; TRUE\n## $ success &lt;lgl&gt; TRUE\n## \n## \n## File: sip \n## Rows: 9\n## Columns: 23\n## $ ts                &lt;dbl&gt; 1272737581, 1272737768, 1272737768, 1272737768, 1272\u2026\n## $ uid               &lt;chr&gt; \"C2s0IU2SZFGVlZyH43\", \"CADvMziC96POynR2e\", \"CADvMziC\u2026\n## $ id.orig_h         &lt;chr&gt; \"172.25.105.43\", \"172.25.105.3\", \"172.25.105.3\", \"17\u2026\n## $ id.orig_p         &lt;int&gt; 5060, 43204, 43204, 43204, 43204, 43204, 43204, 4320\u2026\n## $ id.resp_h         &lt;chr&gt; \"172.25.105.40\", \"172.25.105.40\", \"172.25.105.40\", \"\u2026\n## $ id.resp_p         &lt;int&gt; 5060, 5060, 5060, 5060, 5060, 5060, 5060, 5060, 5060\n## $ trans_depth       &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 0, 0\n## $ method            &lt;chr&gt; \"OPTIONS\", \"REGISTER\", \"REGISTER\", \"SUBSCRIBE\", \"SUB\u2026\n## $ uri               &lt;chr&gt; \"sip:100@172.25.105.40\", \"sip:172.25.105.40\", \"sip:1\u2026\n## $ request_from      &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;\", \"&lt;sip:555@172.25.\u2026\n## $ request_to        &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;\", \"&lt;sip:555@172.25.\u2026\n## $ response_from    
 &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;\", \"&lt;sip:555@172.25.\u2026\n## $ response_to       &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;;tag=as18cdb0c9\", \"&lt;\u2026\n## $ call_id           &lt;chr&gt; \"61127078793469957194131\", \"MzEwMmYyYWRiYTUxYTBhODY3\u2026\n## $ seq               &lt;chr&gt; \"1 OPTIONS\", \"1 REGISTER\", \"2 REGISTER\", \"1 SUBSCRIB\u2026\n## $ request_path      &lt;list&gt; \"SIP\/2.0\/UDP 127.0.1.1:5060\", \"SIP\/2.0\/UDP 172.25.10\u2026\n## $ response_path     &lt;list&gt; \"SIP\/2.0\/UDP 127.0.1.1:5060\", \"SIP\/2.0\/UDP 172.25.10\u2026\n## $ user_agent        &lt;chr&gt; \"UNfriendly-scanner - for demo purposes\", \"X-Lite B\u2026\n## $ status_code       &lt;int&gt; 200, 401, 200, 401, 404, 401, 100, 200, NA\n## $ status_msg        &lt;chr&gt; \"OK\", \"Unauthorized\", \"OK\", \"Unauthorized\", \"Not fo\u2026\n## $ request_body_len  &lt;int&gt; 0, 0, 0, 0, 0, 264, 264, 264, 0\n## $ response_body_len &lt;int&gt; 0, 0, 0, 0, 0, 0, 0, 302, NA\n## $ content_type      &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, \"application\/sdp\", NA\n## \n## \n## File: weird \n## Rows: 1\n## Columns: 9\n## $ ts        &lt;dbl&gt; 1272737805\n## $ id.orig_h &lt;chr&gt; \"172.25.105.3\"\n## $ id.orig_p &lt;int&gt; 0\n## $ id.resp_h &lt;chr&gt; \"172.25.105.40\"\n## $ id.resp_p &lt;int&gt; 0\n## $ name      &lt;chr&gt; \"truncated_IPv6\"\n## $ notice    &lt;lgl&gt; FALSE\n## $ peer      &lt;chr&gt; \"zeek\"\n## $ source    &lt;chr&gt; \"IP\"\n<\/code><\/pre>\n<h2>Process Packet Summary<\/h2>\n<p>We won\u2019t process the big JSON file <code>tshark<\/code> generated for us until we really have to, but we can read in the packet summary table now:<\/p>\n<pre><code class=\"language-r\">packet_cols &lt;- c(\"packet_num\", \"ts\", \"src\", \"discard\", \"dst\", \"proto\", \"length\", \"info\")\n\nread_tsv(\n  file = \"voip-packets.tsv\",\n  col_names = packet_cols,\n  col_types = \"ddccccdc\"\n) %&gt;%\n  select(-discard) -&gt; 
packets\n\npackets\n## # A tibble: 4,447 x 7\n##    packet_num       ts src      dst     proto length info                       \n##         &lt;dbl&gt;    &lt;dbl&gt; &lt;chr&gt;    &lt;chr&gt;   &lt;chr&gt;  &lt;dbl&gt; &lt;chr&gt;                      \n##  1          1  0       172.25.\u2026 172.25\u2026 SIP      470 Request: OPTIONS sip:100@1\u2026\n##  2          2  3.53e-4 172.25.\u2026 172.25\u2026 SIP      560 Status: 200 OK |           \n##  3          3  5.03e+1 172.25.\u2026 172.25\u2026 TCP       74 57086 \u2192 80 [SYN] Seq=0 Win\u2026\n##  4          4  5.03e+1 172.25.\u2026 172.25\u2026 TCP       74 80 \u2192 57086 [SYN, ACK] Seq=\u2026\n##  5          5  5.03e+1 172.25.\u2026 172.25\u2026 TCP       66 57086 \u2192 80 [ACK] Seq=1 Ack\u2026\n##  6          6  5.03e+1 172.25.\u2026 172.25\u2026 HTTP     568 GET \/maint HTTP\/1.1        \n##  7          7  5.03e+1 172.25.\u2026 172.25\u2026 TCP       66 80 \u2192 57086 [ACK] Seq=1 Ack\u2026\n##  8          8  5.03e+1 172.25.\u2026 172.25\u2026 HTTP     786 HTTP\/1.1 401 Authorization\u2026\n##  9          9  5.03e+1 172.25.\u2026 172.25\u2026 TCP       66 80 \u2192 57086 [FIN, ACK] Seq=\u2026\n## 10         10  5.03e+1 172.25.\u2026 172.25\u2026 TCP       66 57086 \u2192 80 [ACK] Seq=503 A\u2026\n## # \u2026 with 4,437 more rows\n<\/code><\/pre>\n<pre><code class=\"language-r\">glimpse(packets)\n## Rows: 4,447\n## Columns: 7\n## $ packet_num &lt;dbl&gt; 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, \u2026\n## $ ts         &lt;dbl&gt; 0.000000, 0.000353, 50.317176, 50.317365, 50.320071, 50.329\u2026\n## $ src        &lt;chr&gt; \"172.25.105.43\", \"172.25.105.40\", \"172.25.105.43\", \"172.25.\u2026\n## $ dst        &lt;chr&gt; \"172.25.105.40\", \"172.25.105.43\", \"172.25.105.40\", \"172.25.\u2026\n## $ proto      &lt;chr&gt; \"SIP\", \"SIP\", \"TCP\", \"TCP\", \"TCP\", \"HTTP\", \"TCP\", \"HTTP\", \"\u2026\n## $ length     &lt;dbl&gt; 470, 560, 74, 74, 66, 568, 66, 786, 66, 66, 66, 66, 
74, 74,\u2026\n## $ info       &lt;chr&gt; \"Request: OPTIONS sip:100@172.25.105.40 |\", \"Status: 200 OK\u2026\n<\/code><\/pre>\n<h2>What is the transport protocol being used?<\/h2>\n<p>SIP can use TCP or UDP, and which transport it uses will be specified in the <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-8.1.1.7\"><code>Via:<\/code> header<\/a>. Let\u2019s take a look:<\/p>\n<pre><code class=\"language-r\">head(sip_log_parsed$via)\n## [1] \"SIP\/2.0\/UDP 127.0.0.1:5061;branch=z9hG4bK-2159139916;rport\"\n## [2] \"SIP\/2.0\/UDP 127.0.0.1:5087;branch=z9hG4bK-1189344537;rport\"\n## [3] \"SIP\/2.0\/UDP 127.0.0.1:5066;branch=z9hG4bK-2119091576;rport\"\n## [4] \"SIP\/2.0\/UDP 127.0.0.1:5087;branch=z9hG4bK-3226446220;rport\"\n## [5] \"SIP\/2.0\/UDP 127.0.0.1:5087;branch=z9hG4bK-1330901245;rport\"\n## [6] \"SIP\/2.0\/UDP 127.0.0.1:5087;branch=z9hG4bK-945386205;rport\"\n<\/code><\/pre>\n<p>Are they <em>all<\/em> UDP? We can find out by performing some light processing<br \/>\non the <code>via<\/code> column:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  select(via) %&gt;% \n  mutate(\n    transport = stri_match_first_regex(via, \"^([^[:space:]]+)\")[,2]\n  ) %&gt;% \n  count(transport, sort=TRUE)\n## # A tibble: 1 x 2\n##   transport       n\n##   &lt;chr&gt;       &lt;int&gt;\n## 1 SIP\/2.0\/UDP  4266\n<\/code><\/pre>\n<p>Looks like they\u2019re all UDP. Question 1: \u2705<\/p>\n<h2>The attacker used a bunch of scanning tools that belong to the same suite. Provide the name of the suite.<\/h2>\n<p>Don\u2019t you, now, wish you had listened to your parents when they were telling you about the facts of SIP life when you were a wee pup?<\/p>\n<p>We\u2019ll stick with the SIP log to answer this one and <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-20.41\">peek back at the RFC<\/a> to see that there\u2019s a \u201c<code>User-Agent:<\/code>\u201d field which contains information about the client originating the request. 
Most scanners written by defenders identify themselves in <code>User-Agent<\/code> fields when those fields are available in a protocol exchange, and a large percentage of naive malicious folks are too daft to change this value (or leave it default to make you think they\u2019re not behaving badly).<\/p>\n<p>If you are a regular visitor to SIP land, you likely know the common SIP scanning tools. These are a few:<\/p>\n<ul>\n<li><a href=\"https:\/\/nmap.org\/nsedoc\/lib\/sip.html\">Nmap\u2019s SIP library<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/meliht\/Mr.SIP\">Mr.SIP<\/a>, a \u201cSIP-Based Audit and Attack Tool\u201d<\/li>\n<li><a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\">SIPVicious<\/a>, a \u201cset of security tools that can be used to audit SIP based VoIP systems\u201d<\/li>\n<li><a href=\"https:\/\/github.com\/Pepelux\/sippts\">Sippts<\/a>, a \u201cset of tools to audit SIP based VoIP Systems\u201d<\/li>\n<\/ul>\n<p>(There are <a href=\"https:\/\/github.com\/search?q=sip+audit\">many more<\/a>.)<\/p>\n<p>Let\u2019s see what user-agent was used in this log extract:<\/p>\n<pre><code class=\"language-r\">count(sip_log_parsed, user_agent, sort=TRUE)\n## # A tibble: 3 x 2\n##   user_agent           n\n##   &lt;chr&gt;            &lt;int&gt;\n## 1 friendly-scanner  4248\n## 2 Zoiper rev.6751     14\n## 3 &lt;NA&gt;                 4\n<\/code><\/pre>\n<p>The overwhelming majority are <code>friendly-scanner<\/code>. 
Let\u2019s look at a few of those log entries:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  filter(\n    user_agent == \"friendly-scanner\"\n  ) %&gt;% \n  glimpse()\n## Rows: 4,248\n## Columns: 18\n## $ via            &lt;chr&gt; \"SIP\/2.0\/UDP 127.0.0.1:5061;branch=z9hG4bK-2159139916;r\u2026\n## $ content_length &lt;chr&gt; \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \"0\", \u2026\n## $ from           &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;; tag=X_removed\", \"\\\"34\u2026\n## $ accept         &lt;chr&gt; \"application\/sdp\", \"application\/sdp\", \"application\/sdp\"\u2026\n## $ user_agent     &lt;chr&gt; \"friendly-scanner\", \"friendly-scanner\", \"friendly-scann\u2026\n## $ to             &lt;chr&gt; \"\\\"sipvicious\\\"&lt;sip:100@1.1.1.1&gt;\", \"\\\"3428948518\\\"&lt;sip:\u2026\n## $ contact        &lt;chr&gt; \"sip:100@127.0.0.1:5061\", \"sip:3428948518@honey.pot.IP.\u2026\n## $ cseq           &lt;chr&gt; \"1 OPTIONS\", \"1 REGISTER\", \"1 REGISTER\", \"1 REGISTER\", \u2026\n## $ source         &lt;chr&gt; \"210.184.X.Y:1083\", \"210.184.X.Y:4956\", \"210.184.X.Y:51\u2026\n## $ datetime       &lt;chr&gt; \"2010-05-02 01:43:05.606584\", \"2010-05-02 01:43:12.4888\u2026\n## $ request        &lt;chr&gt; \"OPTIONS sip:100@honey.pot.IP.removed SIP\/2.0\", \"REGIST\u2026\n## $ contents       &lt;chr&gt; \"Call-ID: 845752980453913316694142\\nMax-Forwards: 70\", \u2026\n## $ call_id        &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ max_forwards   &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ expires        &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ allow          &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ authorization  &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA, NA,\u2026\n## $ content_type   &lt;chr&gt; NA, NA, NA, NA, NA, NA, NA, NA, 
NA, NA, NA, NA, NA, NA,\u2026\n<\/code><\/pre>\n<p>Those <code>from<\/code> and <code>to<\/code> fields have an interesting name in them: \u201c<code>sipvicious<\/code>\u201d. You\u2019ve seen that before, right at the beginning of this section.<\/p>\n<p>Let\u2019s do a quick check <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/search?q=friendly-scanner\">over at the SIPvicious repo<\/a> just to make sure.<\/p>\n<pre><code class=\"language-r\">count(sip_log_parsed, user_agent)\n## # A tibble: 3 x 2\n##   user_agent           n\n##   &lt;chr&gt;            &lt;int&gt;\n## 1 friendly-scanner  4248\n## 2 Zoiper rev.6751     14\n## 3 &lt;NA&gt;                 4\n<\/code><\/pre>\n<h2>\u201cWhat is the User-Agent of the victim system?\u201d<\/h2>\n<p>We only have partial data in the text log, so we\u2019ll have to look elsewhere (the PCAP) for this information. The \u201cvictim\u201d is whatever was the target of this SIP-based attack, and we can look for SIP messages, user agents, and associated IPs in the PCAP thanks to <code>tshark<\/code>\u2019s <a href=\"https:\/\/www.wireshark.org\/docs\/dfref\/s\/sip.html\">rich SIP filter library<\/a>:<\/p>\n<pre><code class=\"language-r\">system(\"tshark -Q -T fields -e ip.src -e ip.dst -e sip.User-Agent -r src\/Voip-trace.pcap 'sip.User-Agent'\")\n<\/code><\/pre>\n<p>That first exchange is all we really need. We see our rude poker talking to <code>172.25.105.40<\/code> and it responding right after.<\/p>\n<h2>Which tool was only used against the following extensions: 100, 101, 102, 103, and 111?<\/h2>\n<p>The question is a tad vague and is assuming \u2014 since we now know the SIPvicious suite was used \u2014 that we also know to provide the <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/tree\/master\/sipvicious\">name of the Python script in SIPvicious<\/a> that was used. There are five tools:<\/p>\n<ul>\n<li><code>svmap<\/code>: this is a SIP scanner. 
When launched against ranges of ip address space, it will identify any SIP servers which it finds on the way. Also has the option to scan hosts on ranges of ports. Usage: <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVMap-Usage\">https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVMap-Usage<\/a><\/li>\n<li><code>svwar<\/code>: identifies working extension lines on a PBX. A working extension is one that can be registered. Also tells you if the extension line requires authentication or not. Usage: <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVWar-Usage\">https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVWar-Usage<\/a><\/li>\n<li><code>svcrack<\/code>: a password cracker making use of digest authentication. It is able to crack passwords on both registrar servers and proxy servers. Current cracking modes are either numeric ranges or words from dictionary files. Usage: <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVCrack-Usage\">https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVCrack-Usage<\/a><\/li>\n<li><code>svreport<\/code>: able to manage sessions created by the rest of the tools and export to pdf, xml, csv and plain text. Usage: <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVReport-Usage\">https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVReport-Usage<\/a><\/li>\n<li><code>svcrash<\/code>: responds to <code>svwar<\/code> and <code>svcrack<\/code> SIP messages with a message that causes old versions to crash. Usage: <a href=\"https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVCrash-FAQ\">https:\/\/github.com\/EnableSecurity\/sipvicious\/wiki\/SVCrash-FAQ<\/a><\/li>\n<\/ul>\n<p>The <code>svcrash<\/code> tool is something defenders can use to help curtail scanner activity. We can cross that off the list. The <code>svreport<\/code> tool is for working with data generated by <code>svmap<\/code>, <code>svwar<\/code> and\/or <code>svcrack<\/code>. 
One more crossed off. We also know that the attacker scanned the SIP network looking for nodes, which means <code>svmap<\/code> and <code>svwar<\/code> are likely not tools used exclusively against the target extensions. (We <em>technically<\/em> have enough information right now to answer the question, especially if you look carefully at the answer box on the site, but that\u2019s cheating).<\/p>\n<p>The SIP request line and header fields like <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-8.1.1.2\">\u201c<code>To:<\/code>\u201d<\/a> carry destination information in the form of a <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-19.1\">SIP URI<\/a>. Since we only care about the extension component of the URI for this question, we can use a regular expression to isolate it.<\/p>\n<p>Back to the SIP log to see if we can find the identified extensions. We\u2019ll also process the \u201c<code>From:<\/code>\u201d header just in case we need it.<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  mutate_at(\n    vars(request, from, to),\n    ~stri_match_first_regex(.x, \"sip:([^@]+)@\")[,2]\n  ) %&gt;% \n  select(request, from, to)\n## # A tibble: 4,266 x 3\n##    request    from       to        \n##    &lt;chr&gt;      &lt;chr&gt;      &lt;chr&gt;     \n##  1 100        100        100       \n##  2 3428948518 3428948518 3428948518\n##  3 1729240413 1729240413 1729240413\n##  4 admin      admin      admin     \n##  5 info       info       info      \n##  6 test       test       test      \n##  7 postmaster postmaster postmaster\n##  8 sales      sales      sales     \n##  9 service    service    service   \n## 10 support    support    support   \n## # \u2026 with 4,256 more rows\n<\/code><\/pre>\n<p>That worked! 
We can now see what <code>friendly-scanner<\/code> attempted to authenticate only to our targets:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;%\n  mutate_at(\n    vars(request, from, to),\n    ~stri_match_first_regex(.x, \"sip:([^@]+)@\")[,2]\n  ) %&gt;% \n  filter(\n    user_agent == \"friendly-scanner\",\n    stri_detect_fixed(contents, \"Authorization\")\n  ) %&gt;% \n  distinct(to)\n## # A tibble: 4 x 1\n##   to   \n##   &lt;chr&gt;\n## 1 102  \n## 2 103  \n## 3 101  \n## 4 111\n<\/code><\/pre>\n<p>While we\u2019re missing <code>100<\/code> that\u2019s likely due to it not requiring authentication (<code>svcrack<\/code> will <code>REGISTER<\/code> first to determine if a target requires authentication and not send cracking requests if it doesn\u2019t).<\/p>\n<h2>Which extension on the honeypot does NOT require authentication?<\/h2>\n<p>We know this due to what we found in the previous question. Extension <code>100<\/code> does not require authentication.<\/p>\n<h2>How many extensions were scanned in total?<\/h2>\n<p>We just need to count the distinct <code>to<\/code>\u2019s where the user agent is the scanner:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  mutate_at(\n    vars(request, from, to),\n    ~stri_match_first_regex(.x, \"sip:([^@]+)@\")[,2]\n  ) %&gt;% \n  filter(\n    user_agent == \"friendly-scanner\"\n  ) %&gt;% \n  distinct(to)\n## # A tibble: 2,652 x 1\n##    to        \n##    &lt;chr&gt;     \n##  1 100       \n##  2 3428948518\n##  3 1729240413\n##  4 admin     \n##  5 info      \n##  6 test      \n##  7 postmaster\n##  8 sales     \n##  9 service   \n## 10 support   \n## # \u2026 with 2,642 more rows\n<\/code><\/pre>\n<h2>There is a trace for a real SIP client. What is the corresponding user-agent? 
(two words, once space in between)<\/h2>\n<p>We only need to look for user agents that aren\u2019t our scanner:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  filter(\n    user_agent != \"friendly-scanner\"\n  ) %&gt;% \n  count(user_agent)\n## # A tibble: 1 x 2\n##   user_agent          n\n##   &lt;chr&gt;           &lt;int&gt;\n## 1 Zoiper rev.6751    14\n<\/code><\/pre>\n<h2>Multiple real-world phone numbers were dialed. Provide the first 11 digits of the number dialed from extension 101?<\/h2>\n<p>Calls are <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc3261.html#section-13\">\u201c<code>INVITE<\/code>\u201d requests<\/a>, so we filter on the <code>cseq<\/code> method and the <code>From:<\/code> extension:<\/p>\n<pre><code class=\"language-r\">sip_log_parsed %&gt;% \n  mutate_at(\n    vars(from, to),\n    ~stri_match_first_regex(.x, \"sip:([^@]+)@\")[,2]\n  ) %&gt;% \n  filter(\n    from == 101,\n    stri_detect_regex(cseq, \"INVITE\")\n  ) %&gt;% \n  select(to) \n## # A tibble: 3 x 1\n##   to              \n##   &lt;chr&gt;           \n## 1 900114382089XXXX\n## 2 00112322228XXXX \n## 3 00112524021XXXX\n<\/code><\/pre>\n<p>The challenge answer box provides a hint to what number they want. I\u2019m not sure but I suspect it may be randomized, so you\u2019ll have to match the pattern they expect with the correct digits above.<\/p>\n<h2>What are the default credentials used in the attempted basic authentication? (format is username:password)<\/h2>\n<p>This question wants us to look at the HTTP requests that require authentication. We can get the credentials info from the <code>zeek$http<\/code> log:<\/p>\n<pre><code class=\"language-r\">zeek$http %&gt;% \n  distinct(username, password)\n## # A tibble: 2 x 2\n##   username password\n##   &lt;chr&gt;    &lt;chr&gt;   \n## 1 &lt;NA&gt;     &lt;NA&gt;    \n## 2 maint    password\n<\/code><\/pre>\n<h2>Which codec does the RTP stream use? (3 words, 2 spaces in between)<\/h2>\n<p>\u201cCodec\u201d refers to the algorithm used to encode\/decode an audio or video stream. 
The RTP RFC uses the term <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3550#page-71\">\u201cpayload type\u201d<\/a> to refer to this during exchanges and even has a link to <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3551\">RFC 3551<\/a> which provides further information on these encodings.<\/p>\n<p>The summary packet table that <code>tshark<\/code> generates helpfully provides summary <code>info<\/code> for RTP packets and part of that info is <code>PT=\u2026<\/code> which indicates the payload type.<\/p>\n<pre><code class=\"language-r\">packets %&gt;% \n  filter(proto == \"RTP\") %&gt;% \n  select(info)\n## # A tibble: 2,988 x 1\n##    info                                                       \n##    &lt;chr&gt;                                                      \n##  1 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6402, Time=126160\n##  2 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6403, Time=126320\n##  3 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6404, Time=126480\n##  4 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6405, Time=126640\n##  5 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6406, Time=126800\n##  6 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6407, Time=126960\n##  7 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6408, Time=127120\n##  8 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6409, Time=127280\n##  9 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6410, Time=127440\n## 10 PT=ITU-T G.711 PCMU, SSRC=0xA254E017, Seq=6411, Time=127600\n## # \u2026 with 2,978 more rows\n<\/code><\/pre>\n<h2>How long is the sampling time (in milliseconds)?<\/h2>\n<ul>\n<li><code>1<\/code> Hz = <code>1,000<\/code> ms<\/li>\n<li><code>1<\/code> ms = <code>1,000<\/code> Hz<\/li>\n<\/ul>\n<p><code>(1\/8000) * 1000<\/code><\/p>\n<h2>What was the password for the account with username 555?<\/h2>\n<p>We don\u2019t really need to use external programs for this but it will sure go quite a bit faster if we do. 
While <a href=\"https:\/\/web.archive.org\/web\/20080731070643\/http:\/\/www.remote-exploit.org\/codes_sipcrack.html\">the original reference page<\/a> for <code>sipdump<\/code> and <code>sipcrack<\/code> is defunct, you can visit that link to go to the Wayback Machine\u2019s capture of it. It will help if you have a Linux system handy (so Docker to the rescue for macOS and Windows folks) since the following answer details are running on Ubuntu.<\/p>\n<p>This question is taking advantage of the fact that the default authentication method for SIP is extremely weak. The process uses an MD5 challenge\/response, and if an attacker can capture call traffic it is possible to brute force the password offline (which is what we\u2019ll use <code>sipcrack<\/code> for).<\/p>\n<p>You can install them via <code>sudo apt install sipcrack<\/code>.<\/p>\n<p>We\u2019ll first generate a dump of the authentication attempts with <code>sipdump<\/code>:<\/p>\n<pre><code class=\"language-r\">system(\"sipdump -p src\/Voip-trace.pcap sip.dump\", intern=TRUE)\n##  [1] \"\"                                                               \n##  [2] \"SIPdump 0.2 \"                                                   \n##  [3] \"---------------------------------------\"                        \n##  [4] \"\"                                                               \n##  [5] \"* Using pcap file 'src\/Voip-trace.pcap' for sniffing\"           \n##  [6] \"* Starting to sniff with packet filter 'tcp or udp'\"            \n##  [7] \"\"                                                               \n##  [8] \"* Dumped login from 172.25.105.40 -&gt; 172.25.105.3 (User: '555')\"\n##  [9] \"* Dumped login from 172.25.105.40 -&gt; 172.25.105.3 (User: '555')\"\n## [10] \"* Dumped login from 172.25.105.40 -&gt; 172.25.105.3 (User: '555')\"\n## [11] \"\"                                                               \n## [12] \"* Exiting, sniffed 3 logins\"\n<\/code><\/pre>\n<pre><code 
class=\"language-r\">cat(readLines(\"sip.dump\"), sep=\"\\n\")\n## 172.25.105.3\"172.25.105.40\"555\"asterisk\"REGISTER\"sip:172.25.105.40\"4787f7ce\"\"\"\"MD5\"1ac95ce17e1f0230751cf1fd3d278320\n## 172.25.105.3\"172.25.105.40\"555\"asterisk\"INVITE\"sip:1000@172.25.105.40\"70fbfdae\"\"\"\"MD5\"aa533f6efa2b2abac675c1ee6cbde327\n## 172.25.105.3\"172.25.105.40\"555\"asterisk\"BYE\"sip:1000@172.25.105.40\"70fbfdae\"\"\"\"MD5\"0b306e9db1f819dd824acf3227b60e07\n<\/code><\/pre>\n<p>It saves the IPs, caller, authentication realm, method, request URI, nonce and hash, which will all be fed into <code>sipcrack<\/code>.<\/p>\n<p>We know from the placeholder answer text that the \u201cpassword\u201d is 4 characters, and this is the land of telephony, so we can make an assumption that it is really 4 digits. <code>sipcrack<\/code> needs a file of passwords to try, so we\u2019ll let R make a randomized file of 4-digit PINs for us:<\/p>\n<pre><code class=\"language-r\">cat(sprintf(\"%04d\", sample(0:9999)), file = \"4-digits\", sep=\"\\n\")\n<\/code><\/pre>\n<p>We only have authentication packets for <code>555<\/code>, so we can automate what would normally be an interactive process:<\/p>\n<pre><code class=\"language-r\">cat(system('echo \"1\" | sipcrack -w 4-digits sip.dump', intern=TRUE), sep=\"\\n\")\n## \n## SIPcrack 0.2 \n## ----------------------------------------\n## \n## * Found Accounts:\n## \n## Num  Server      Client      User    Hash|Password\n## \n## 1    172.25.105.3    172.25.105.40   555 1ac95ce17e1f0230751cf1fd3d278320\n## 2    172.25.105.3    172.25.105.40   555 aa533f6efa2b2abac675c1ee6cbde327\n## 3    172.25.105.3    172.25.105.40   555 0b306e9db1f819dd824acf3227b60e07\n## \n## * Select which entry to crack (1 - 3): \n## * Generating static MD5 hash... 
c3e0f1664fde9fbc75a7cbd341877875\n## * Loaded wordlist: '4-digits'\n## * Starting bruteforce against user '555' (MD5: '1ac95ce17e1f0230751cf1fd3d278320')\n## * Tried 8904 passwords in 0 seconds\n## \n## * Found password: '1234'\n## * Updating dump file 'sip.dump'... done\n<\/code><\/pre>\n<h2>Which RTP packet header field can be used to reorder out of sync RTP packets in the correct sequence?<\/h2>\n<p>Just reading involved here: <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc3550#page-13\">5.1 RTP Fixed Header Fields<\/a>.<\/p>\n<h2>The trace includes a secret hidden message. Can you hear it?<\/h2>\n<p>We could command line this one but honestly Wireshark has a pretty keen audio player. Fire it up, open up the PCAP, go to the \u201cTelephony\u201d menu, pick SIP and play the streams.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hot on the heels of the previous CyberDefenders Challenge Solution comes this noisy installment which solves their Acoustic challenge. You can find the source Rmd on GitHub, but I&#8217;m also testing the limits of WP&#8217;s markdown rendering and putting it in-stream as well. 
No longer book expository this time since much of the setup\/explanatory bits [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[681,677,709,764,3,798,91],"tags":[],"class_list":["post-13137","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-data-analysis-2","category-data-driven-security","category-data-wrangling","category-information-security","category-pcap","category-r"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (&amp; friends) - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (&amp; friends) - rud.is\" \/>\n<meta property=\"og:description\" content=\"Hot on the heels of the previous CyberDefenders Challenge Solution comes this noisy installment which solves their Acoustic challenge. 
You can find the source Rmd on GitHub, but I&#8217;m also testing the limits of WP&#8217;s markdown rendering and putting it in-stream as well. No longer book expository this time since much of the setup\/explanatory bits [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-25T14:40:14+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"27 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Acoustic: Solving a CyberDefenders PCAP SIP\\\/RTP Challenge with R, Zeek, tshark (&#038; 
friends)\",\"datePublished\":\"2021-07-25T14:40:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/\"},\"wordCount\":2290,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"articleSection\":[\"Cybersecurity\",\"Data Analysis\",\"data driven security\",\"data wrangling\",\"Information Security\",\"pcap\",\"R\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/\",\"name\":\"Acoustic: Solving a CyberDefenders PCAP SIP\\\/RTP Challenge with R, Zeek, tshark (& friends) - 
rud.is\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\"},\"datePublished\":\"2021-07-25T14:40:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/2021\\\/07\\\/25\\\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/rud.is\\\/b\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Acoustic: Solving a CyberDefenders PCAP SIP\\\/RTP Challenge with R, Zeek, tshark (&#038; friends)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#website\",\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. 
All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/rud.is\\\/b\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/rud.is\\\/b\\\/#\\\/schema\\\/person\\\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\\\/\\\/i0.wp.com\\\/rud.is\\\/b\\\/wp-content\\\/uploads\\\/2023\\\/10\\\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\\\/\\\/rud.is\"],\"url\":\"https:\\\/\\\/rud.is\\\/b\\\/author\\\/hrbrmstr\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (& friends) - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/","og_locale":"en_US","og_type":"article","og_title":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (& friends) - rud.is","og_description":"Hot on the heels of the previous CyberDefenders Challenge Solution comes this noisy installment which solves their Acoustic challenge. You can find the source Rmd on GitHub, but I&#8217;m also testing the limits of WP&#8217;s markdown rendering and putting it in-stream as well. No longer book expository this time since much of the setup\/explanatory bits [&hellip;]","og_url":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/","og_site_name":"rud.is","article_published_time":"2021-07-25T14:40:14+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. 
reading time":"27 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (&#038; friends)","datePublished":"2021-07-25T14:40:14+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/"},"wordCount":2290,"commentCount":3,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"articleSection":["Cybersecurity","Data Analysis","data driven security","data wrangling","Information Security","pcap","R"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/","url":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/","name":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (& friends) - 
rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2021-07-25T14:40:14+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2021\/07\/25\/acoustic-solving-a-cyberdefenders-pcap-sip-rtp-challenge-with-r-zeek-tshark-friends\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Acoustic: Solving a CyberDefenders PCAP SIP\/RTP Challenge with R, Zeek, tshark (&#038; friends)"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. 
All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. 
#rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-3pT","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":13120,"url":"https:\/\/rud.is\/b\/2021\/07\/20\/packet-maze-solving-a-cyberdefenders-pcap-puzzle-with-r-zeek-and-tshark\/","url_meta":{"origin":13137,"position":0},"title":"Packet Maze: Solving a CyberDefenders PCAP Puzzle with R, Zeek, and tshark","author":"hrbrmstr","date":"2021-07-20","format":false,"excerpt":"It was a rainy weekend in southern Maine and I really didn't feel like doing chores, so I was skimming through RSS feeds and noticed a link to a PacketMaze challenge in the latest This Week In 4n6. Since it's also been a while since I've done any serious content\u2026","rel":"","context":"In &quot;Cybersecurity&quot;","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6127,"url":"https:\/\/rud.is\/b\/2017\/07\/27\/reading-pcap-files-with-apache-drill-and-the-sergeant-r-package\/","url_meta":{"origin":13137,"position":1},"title":"Reading PCAP Files with Apache Drill and the sergeant R Package","author":"hrbrmstr","date":"2017-07-27","format":false,"excerpt":"It's no secret that I'm a fan of Apache Drill. 
One big strength of the platform is that it normalizes the access to diverse data sources down to ANSI SQL calls, which means that I can pull data from parquet, Hie, HBase, Kudu, CSV, JSON, MongoDB and MariaDB with the\u2026","rel":"","context":"In &quot;Apache Drill&quot;","block_context":{"text":"Apache Drill","link":"https:\/\/rud.is\/b\/category\/apache-drill\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":12977,"url":"https:\/\/rud.is\/b\/2021\/03\/01\/brimming-with-possibilities-query-zqd-mine-logs-with-zq-from-r\/","url_meta":{"origin":13137,"position":2},"title":"Brimming With Possibilities: Query zqd &#038; Mine Logs with zq from R","author":"hrbrmstr","date":"2021-03-01","format":false,"excerpt":"Brim Security maintains a free, Electron-based desktop GUI for exploration of PCAPs and select cybersecurity logs: along with a broad ecosystem of tools which can be used independently of the GUI. The standalone or embedded zqd server, as well as the zq command line utility let analysts run ZQL (a\u2026","rel":"","context":"In &quot;Cybersecurity&quot;","block_context":{"text":"Cybersecurity","link":"https:\/\/rud.is\/b\/category\/cybersecurity\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2021\/03\/brimr-graph.png?fit=1200%2C667&ssl=1&resize=1050%2C600 
3x"},"classes":[]},{"id":22211,"url":"https:\/\/rud.is\/b\/2024\/08\/26\/reading-pcap-files-directly-with-duckdb\/","url_meta":{"origin":13137,"position":3},"title":"Reading PCAP Files (Directly) With DuckDB","author":"hrbrmstr","date":"2024-08-26","format":false,"excerpt":"2024-08-30 UPDATE: Binary versions of this extension are available for amd64 Linux (linux_amd64 & linux_amd64_gcc4) and Apple Silicon. (osx_arm64). $ duckdb -unsigned v1.0.0 1f98600c2c Enter \".help\" for usage hints. Connected to a transient in-memory database. Use \".open FILENAME\" to reopen on a persistent database. D SET custom_extension_repository='https:\/\/w3c2.c20.e2-5.dev\/ppcap\/latest'; D INSTALL ppcap;\u2026","rel":"","context":"In &quot;duckdb&quot;","block_context":{"text":"duckdb","link":"https:\/\/rud.is\/b\/category\/duckdb\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2046,"url":"https:\/\/rud.is\/b\/2013\/02\/08\/extended-simple-example-asn-graph-visualization-example-r-to-d3\/","url_meta":{"origin":13137,"position":4},"title":"Extended (Simple) ASN Graph Visualization Example [R to D3]","author":"hrbrmstr","date":"2013-02-08","format":false,"excerpt":"The small igraph visualization in the previous post shows the basics of what you can do with the BulkOrigin & BulkPeer functions, and I thought a larger example with some basic D3 tossed in might be even more useful. 
Assuming you have the previous functions in your environment, the following\u2026","rel":"","context":"In &quot;d3&quot;","block_context":{"text":"d3","link":"https:\/\/rud.is\/b\/category\/d3\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":11712,"url":"https:\/\/rud.is\/b\/2019\/01\/02\/apache-drill-1-15-0-sergeant-0-8-0-pcapng-support-proper-column-types-mounds-of-new-metadata\/","url_meta":{"origin":13137,"position":5},"title":"Apache Drill 1.15.0 + sergeant 0.8.0 = pcapng Support, Proper Column Types &#038; Mounds of New Metadata","author":"hrbrmstr","date":"2019-01-02","format":false,"excerpt":"Apache Drill is an innovative distributed SQL engine designed to enable data exploration and analytics on non-relational datastores [...] without having to create and manage schemas. [...] It has a schema-free JSON document model similar to MongoDB and Elasticsearch; [a plethora of APIs, including] ANSI SQL, ODBC\/JDBC, and HTTP[S] REST;\u2026","rel":"","context":"In &quot;Apache Drill&quot;","block_context":{"text":"Apache 
Drill","link":"https:\/\/rud.is\/b\/category\/apache-drill\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/13137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=13137"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/13137\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=13137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=13137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=13137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}