Puzzle #8 Answers

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
(We also accept 14132, as one of the IVs was *generated* by another station, and only *replayed* by the attacker’s station. See my comment #4 below.)
b) By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8.) What were the administrative username and password of the targeted wireless access point?

9) What was the WAP administrative passphrase changed to?

Share and Enjoy:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Twitter
  • Google Bookmarks
  • Slashdot
  • Suggest to Techmeme via Twitter
  • Technorati


  1. stefan op de beek

    August 2, 2011 at 2:20 pm

    Related to the solution of 6a I would like to point out that there is a distinct difference between the number of unique IV’s GENERATED and the number of unique IV’s SENT by the attacker’s station. Because the first IV (5987fd) sent by the attacker is actually a replay of a packet that was sent (and generated) earlier by the base station. Therefore, I would suggest the correct answer to 6a would be 14132 instead of the number of uniquely SENT IV’s by the attacker’s station which is 14133.

  2. When is the next challenge and is it being announced via twitter?

  3. I agree with stefan. Additionally, the answer to question 4 (total unique IVs) is 29719.

    When we add 14133 and 15587, we get 29720, which is one off from question 4.

  4. @stefan: Three of the most common types of programmatic errors are “infinite loops” and “off by one.” 🙂

    You’re surely correct in that exactly one of the IV’s sent by the attacking station was the replay. I counted it twice. My bad. And I’ll prove it too:

    $ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv|sort -u >unique_IVs_sorted_attacker.txt
    $ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv|sort -u >unique_IVs_sorted_not_attacker.txt
    $ wc -l unique_IVs_sorted*
    14133 unique_IVs_sorted_attacker.txt
    15587 unique_IVs_sorted_not_attacker.txt
    29720 total
    $ comm -12 unique_IVs_sorted_*


    Obviously we’ll be accepting either answer. 🙂

  5. @baganon: Contest #9 was at Defcon 19 exclusively, much like last year. It’s been fought and won. We’ll try to get to posting the puzzle for everyone who couldn’t make it to Vegas, and also come up with #10 as soon as we can. We don’t currently tweet, but may consider it. If we decided to, we’d announce it here, so stay tuned to this RSS feed, right?


  6. When will the winners of contest 8 be announced?

  7. For question 4:

    Am I using the correct display filter?

    wlan.wep.iv && wlan.fc.retry == 0 && wlan.bssid == 00:23:69:61:00:d0

    It shows me the output as: 57009 frames

    Below is the reason for using each of those display filters:

    wlan.wep.iv -> displays the frames with IVs
    wlan.fc.retry == 0 -> don’t display retransmitted frames. IV value is the same for retransmitted frames or when the R flag is set
    wlan.bssid == 00:23:69:61:00:d0 -> Joe’s WAP BSSID


  8. Have you announced the winners of this puzzle?

Leave a Reply

Your email address will not be published.