Puzzle #3 Ann’s AppleTV

Story summary:
Ann and Mr. X have set up their new base of operations. While waiting for the extradition paperwork to go through, you and your team of investigators covertly monitor her activity. Recently, Ann got a brand new AppleTV, and configured it with the static IP address 192.168.1.10.

Objectives:
  1. What is the MAC address of Ann’s AppleTV?
    For this I looked at packet 1 (DNS protocol) and inspected the layer-2 (Ethernet) header.

    Src: Apple_fe:07:c4 (00:25:00:fe:07:c4). I confirmed it against the layer-3 Src address, since a host's layer-2 and layer-3 addresses correspond.
    Alternatively: Statistics -> Endpoints

    That alone does not show which MAC belongs to the AppleTV, so tick Name resolution at the bottom left.
  2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
    Enter the filter http.user_agent
    Look at packet 6

    User-Agent: AppleTV/2.4\r\n
  3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
    Filter with http.request.method == "GET"
    and go through the HTTP requests packet by packet. In packet 6, the id looks like it identifies a particular movie;
    what matters is the Request URI Query Parameter. In packet 63 there is ch=Movies-Search, which looks like the movie-search parameter, and the v2 / c2 parameters look like the terms being searched for. Next, filter with http.request.method == "GET" && http.request.uri.query.parameter contains "v2", and packets 63, 194, 235 and 281 give h, ha, hac and hack respectively.
    hack
    The second search was sneak; in packet 1153 the search parameter has the a typed as b. Another way: HTTP -> Requests also shows the HTTP requests.
  4. What was the title of the first movie Ann clicked on?
    I started from the id, which I suspected identifies a particular movie, and tried it out.
    Filter: http.request.uri.query.parameter contains "id" && ip.dst == 8.18.65.67
    Packet 307 has id=333441649
    Digging a bit further,
    filter with http.request.uri.query.parameter contains "333441649".
    Packet 320: pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649
    The first movie should be Hackers (I think I got lucky with that one).
    Afterwards: Follow -> TCP Stream, save the data as a .zip file (Save data as raw), and unpack its Content-Encoding: gzip body. A GZIP stream starts with the magic number 0x1F8B, so open the .zip file in a hex editor, delete everything before 0x1F8B, save it, and after decompressing you can read the content.

    This is the result I had stumbled on earlier, but this location proves I found the right one: <string>http://metrics.apple.com/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page-US-Hackers-Iain%20Softley-333441649&amp;pccr=true&amp;h5=appleitmsnatv%2Cappleitmsustv&amp;ch=Movie%20Page&amp;g=http%3A%2F%2Fax.itunes.apple.com%2FWebObjects%2FMZStore.woa%2Fwa%2FviewMovie%3Fid%3D333441649%26s%3D143441</string>
    The second movie should be Sneakers
    Packet 1189: Movie%20Page-US-Sneakers-Phil%20Alden%20Robinson-283963264
  5. What was the full URL to the movie trailer (defined by “preview-url”)?
    a. Edit -> Find Packet -> String -> Packet details -> String "preview-url"
    b. http.request.uri.query.parameter contains "id" && http.request.uri contains "viewMovie", then look at Response in frame to see the XML response packet
    c. Search in the decompressed ZIP from above

    Packet 312
    http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v


    STDQ = Standard Quality
    VoD = Video on Demand
    SVoD = Subscription Video on Demand
    HDVoD = High Definition Video on Demand
  6. What was the title of the second movie Ann clicked on?
    Known from question 4
    Sneakers
  7. What was the price to buy it (defined by “price-display”)?
    Following option a from question 5, use the String search to find price-display in the XML
    Or use the option b filter and then Response in frame, which also leads to the XML
    Packet 1186: 9.99
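    The gzip recovery step from question 4 and the preview-url / price-display lookups from questions 5 and 7 can be done in a script instead of a hex editor. The following is an added example, not code from the original write-up: it takes the raw bytes of one direction of a TCP stream, undoes chunked transfer encoding if present (chunk-size lines would otherwise sit inside the gzip data and break it), locates the 0x1F8B magic, inflates the body, and pulls the <string> values that follow a given <key>. The HTTP response and the plist-style XML are constructed samples; the preview-url and price values in them are taken from the answers above.

```python
import gzip
import html
import re
import zlib

# Magic bytes of a gzip member: ID1=0x1f, ID2=0x8b, CM=8 (deflate).
GZIP_MAGIC = b"\x1f\x8b\x08"


def split_http_response(raw: bytes):
    """Split a raw HTTP response (one direction of a TCP stream) into a
    lower-cased header dict and the body bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer encoding."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2                        # skip the chunk's trailing CRLF
    return bytes(out)


def recover_gzip_body(raw: bytes) -> bytes:
    """Same as the hex-editor step: drop everything before 0x1F8B, then gunzip."""
    headers, body = split_http_response(raw)
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    idx = body.find(GZIP_MAGIC)
    if idx < 0:
        raise ValueError("no gzip member found in body")
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)       # 16+ means "expect a gzip header"
    return d.decompress(body[idx:]) + d.flush()


def plist_strings(xml_text: str, key: str):
    """Return the <string> values that directly follow <key>key</key>,
    which is what Edit -> Find Packet -> String locates by hand."""
    pat = re.compile(r"<key>%s</key>\s*<string>(.*?)</string>" % re.escape(key), re.S)
    return [html.unescape(v) for v in pat.findall(xml_text)]   # undo &amp; etc.


# --- Constructed sample response (not a real capture) -------------------------
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<plist version="1.0"><dict>\n'
    '<key>preview-url</key><string>http://a227.v.phobos.apple.com/us/r1000/008/'
    'Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v</string>\n'
    '<key>price-display</key><string>$9.99</string>\n'
    '</dict></plist>\n'
).encode()


def to_chunked(data: bytes, size: int = 100) -> bytes:
    chunks = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"


SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n" + to_chunked(gzip.compress(SAMPLE_XML))
)


def extract_fields(raw: bytes = SAMPLE_STREAM):
    """Inflate the response and return the keys asked for in questions 5 and 7."""
    xml_text = recover_gzip_body(raw).decode("utf-8")
    return {k: plist_strings(xml_text, k) for k in ("preview-url", "price-display")}


if __name__ == "__main__":
    for key, values in extract_fields().items():
        print(key, "=", values)
```

    To use it on a real capture, save one direction of the Follow -> TCP Stream dialog as raw and pass the file's bytes to extract_fields(). If a response is not chunked, the search for the magic bytes does exactly what deleting the bytes before 0x1F8B in the editor does.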
  8. What was the last full term Ann searched for?
    Using the same filtering approach as for finding the movies above
    iknowyourewatchingme
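    Questions 3 and 8 both come down to reading the search parameter out of each GET request in frame order and then telling the incremental keystrokes of one search apart from the start of the next. The following is an added example, not code from the original write-up: it parses the query string of each request, keeps only those with ch=Movies-Search, and groups consecutive terms into sessions where each term extends or backspaces the previous one, so that the last term of a session is the full term. The request list, the frame numbers and the URI layout (including using v2 as the term parameter name) are constructed assumptions for illustration, not the real iTunes Store request format.

```python
from urllib.parse import parse_qs, urlsplit

SEARCH_CHANNEL = "Movies-Search"   # value of ch= seen on the search requests
TERM_PARAM = "v2"                  # assumed name of the parameter carrying the typed text

# Constructed sample: (frame number, request URI) as Wireshark shows under http.request.uri.
SAMPLE_REQUESTS = [
    (6,    "/WebObjects/MZStore.woa/wa/viewMovie?id=333441649&s=143441"),
    (63,   "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=h"),
    (194,  "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=ha"),
    (235,  "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=hac"),
    (281,  "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=hack"),
    (1100, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=s"),
    (1120, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=sn"),
    (1140, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=sne"),
    (1153, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=sneb"),  # typo
    (1160, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=sne"),   # backspace
    (1170, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=snea"),
    (1180, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=sneak"),
    (1189, "/WebObjects/MZStore.woa/wa/viewMovie?id=283963264&s=143441"),
    (2000, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=i"),
    (2010, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=ik"),
    (2020, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=iknow"),
    (2030, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=iknowyoure"),
    (2040, "/WebObjects/MZSearch.woa/wa/search?ch=Movies-Search&v2=iknowyourewatchingme"),
]


def extract_search_terms(requests):
    """Return [(frame, term)] for every search request, in frame order."""
    terms = []
    for frame, uri in sorted(requests):
        qs = parse_qs(urlsplit(uri).query)          # also decodes percent-encoding
        if qs.get("ch", [None])[0] != SEARCH_CHANNEL:
            continue
        for value in qs.get(TERM_PARAM, []):
            terms.append((frame, value))
    return terms


def group_sessions(terms):
    """Split the term list into search sessions. A term stays in the current
    session if it extends the previous term (typing) or is a prefix of it
    (backspacing); a fresh single character after a longer term starts a new one."""
    sessions, cur = [], []
    for frame, term in terms:
        if cur:
            prev = cur[-1][1]
            related = term.startswith(prev) or prev.startswith(term)
            if not related or (len(term) == 1 and len(prev) > 2):
                sessions.append(cur)
                cur = []
        cur.append((frame, term))
    if cur:
        sessions.append(cur)
    return sessions


def first_incremental(requests, n=4):
    """Question 3: the first n search terms, incremental ones included."""
    return [term for _, term in extract_search_terms(requests)[:n]]


def full_terms(requests):
    """The term each session ended on, i.e. the full terms."""
    return [session[-1][1] for session in group_sessions(extract_search_terms(requests))]


def last_full_term(requests):
    """Question 8."""
    return full_terms(requests)[-1]


if __name__ == "__main__":
    print("first four:", first_incremental(SAMPLE_REQUESTS))
    print("full terms:", full_terms(SAMPLE_REQUESTS))
    print("last full term:", last_full_term(SAMPLE_REQUESTS))
```

    The session rule is a heuristic: if a new search happens to start with the same letters as the previous full term, the two runs merge, so the frame numbers in the grouped output should still be checked against the capture, for instance with the HTTP -> Requests view mentioned above.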
Supplementary notes
HTTP syntax
HTTP Compression
