August 2, 2011 – Network Forensics Puzzle Contest

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
414s

3) How many WEP-encrypted data frames are there total in the packet capture?
59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
29719

5) What was the MAC address of the station executing the Layer 2 attacks?
1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
14133
(We also accept 14132, as one of the IVs was *generated* by another station, and only *replayed* by the attacker’s station. See my comment #4 below.)
b) By all *other* stations combined?
15587

7) What was the WEP key of Joe’s WAP?
D0:E5:9E:B9:04

8.) What were the administrative username and password of the targeted wireless access point?
admin:admin

9) What was the WAP administrative passphrase changed to?
hahp0wnedJ00

Day: August 2, 2011

Puzzle #8 Answers