
Network Forensics Puzzle Contest #10 posed a serious challenge, requiring contestants to demonstrate advanced reasoning and meticulous attention to detail, even when reading the scenario. Thank you to everyone who submitted an entry for Puzzle #10, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is…Steve B.! Steve was both the first person to solve the contest AND the person to have the most eloquent solution. He’ll be receiving a prize for being first and the Blackhat Black Card! We’ll be posting a walkthrough and answers in the coming weeks. Steve wrote a great write-up [available here].

Honorable Mentions:

  • Jatiki
  • Zak


Join Eric Fulton on Thursday, June 14 at 1:00 PM ET for the BlackHat Webcast, “Network Forensics: Uncovering Secrets of Mobile Applications”. You might even learn something for contest 10…which will be presented live later today on PaulDotCom!

On the Internet, every action leaves a mark—in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind. But what about mobile devices? What seemingly innocuous information are they sharing with, and without, your knowledge?

In this webcast, watch as Eric Fulton analyzes mobile network traffic and uncovers some interesting details about your favorite applications. You will see him locate GPS coordinates, identify installed mobile applications, and more.

Hello Everyone!
It has been a busy year, and once again we find ourselves nearing Defcon where we run the wildly popular Network Forensics Puzzle Contest. We have some good things in store for the coming months and would like to share.

PaulDotCom
We are running an NFPC over at PaulDotCom in the coming month. When it’s live we will share the link here. You should also check out PaulDotCom for a heap of great articles and videos.

Blackhat USA 2012
Want to be taught by the people who literally wrote the book on Network Forensics? Register for their highly praised course “NETWORK FORENSICS: BLACK HAT RELEASE” to learn the latest techniques in the field of Network Forensics. You’ll even get the book at 25% off, since it is the course text.

Defcon 20
Going to DEFCON? Join us for the annual DEFCON Network Forensics Puzzle Contest, and win a shiny new iPad!

Other updates can be found following our twitter (@LMGSecurity or @trisk3t), our LinkedIn Page, or our Facebook Page. Cheers!

Network Forensics Puzzle Contest #8 posed a serious challenge, requiring contestants to demonstrate an advanced knowledge of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is…Stefan S. Op de Beek! Stefan wins a Buffalo Wireless Router for his correct answers and UTScapy test script. While the script didn’t work perfectly on my system, it is a great example of leveraging existing frameworks to analyze packet captures. Contestants, answers, and solutions below.

Contestants:
Joerg Gerschuetz
Winter Faulk
Aaron Wamapch
Kazunori Kojima
Adam Jenkins
Steeve Barbeau
Tyler Dean
Ward Perry
J-Michael Roberts
Anthony
Stefan S. Op de Beek

Answers:
1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the packet capture?
$ tshark -r evidence08.pcap -R '((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)' | wc -l
A: 59274
(On tshark 1.10 and later, -R is a two-pass read filter that requires -2; use -Y for a single-pass display filter. The filter expressions themselves are unchanged.)

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2 attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 14133 (14132 also accepted)

b) By all *other* stations combined?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8) What were the administrative username and password of the targeted wireless access point?
username: admin
passphrase: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00
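The counts behind questions 3, 4 and 6 come down to three things: selecting frames by BSSID (which address field holds the BSSID depends on the ToDS/FromDS bits), keeping only protected Data frames, and collecting unique IVs per source station. The script below is an added example, not the contest's or Stefan's code; it does that parsing in pure Python over a handful of constructed frames (link type 105, no radiotap header, no FCS). The MACs of Joe's AP, Joe's station and the attacker come from the puzzle; the unrelated BSSID 00:aa:bb:cc:dd:ee, the IV values and the frame sequence are invented for the example.

```python
"""
Parse raw 802.11 frames and reproduce the WEP-IV counting behind puzzle
questions 3, 4 and 6. All frames in SAMPLE_FRAMES are constructed sample
data, not frames from the contest pcap.
"""
import struct
from typing import Optional

BSSID = "00:23:69:61:00:d0"     # Joe's AP (puzzle answer 1)
JOE = "00:11:22:33:44:55"       # Joe's station MAC, from the scenario
ATTACKER = "1c:4b:d6:69:cd:07"  # attacker station (puzzle answer 5)
OTHER_AP = "00:aa:bb:cc:dd:ee"  # assumed: an unrelated BSSID that must be filtered out


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def wep_data_frame(src, dst, bssid, iv, to_ds=True, retry=False, payload=b"\x00" * 28):
    """Build a WEP-protected Data frame; iv is a 24-bit int sent as 3 bytes."""
    fc0 = (0 << 4) | (2 << 2)                                        # subtype 0 (Data), type 2 (Data)
    flags = 0x40 | (0x01 if to_ds else 0x02) | (0x08 if retry else 0)  # Protected + ToDS/FromDS (+Retry)
    # Address order follows the DS bits: ToDS -> (BSSID, SA, DA); FromDS -> (DA, BSSID, SA)
    a1, a2, a3 = (bssid, src, dst) if to_ds else (dst, bssid, src)
    hdr = (struct.pack("<BBH", fc0, flags, 0) + mac_bytes(a1) + mac_bytes(a2)
           + mac_bytes(a3) + struct.pack("<H", 0))
    body = iv.to_bytes(3, "big") + b"\x00" + payload + b"\x00" * 4   # IV, key index 0, "ciphertext", ICV
    return hdr + body


def beacon_frame(bssid):
    fc0 = (8 << 4) | (0 << 2)                                        # subtype 8 (Beacon), type 0 (Management)
    hdr = (struct.pack("<BBH", fc0, 0, 0) + mac_bytes("ff:ff:ff:ff:ff:ff")
           + mac_bytes(bssid) * 2 + struct.pack("<H", 0))
    return hdr + b"\x00" * 12                                        # timestamp/interval/capabilities placeholder


def parse_frame(raw: bytes) -> dict:
    """Extract type, DS-bit-aware SA/BSSID and, for plain WEP data, the IV."""
    fc0, flags = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds = flags & 0x01, (flags >> 1) & 0x01
    protected = bool(flags & 0x40)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    hdr_len = 24 + (6 if to_ds and from_ds else 0)
    if ftype == 2 and subtype & 0x8:      # QoS Data subtypes carry a 2-byte QoS Control field
        hdr_len += 2
    if to_ds and from_ds:                 # WDS: A4 is the SA, no single BSSID
        sa, bssid = raw[24:30], None
    elif to_ds:
        sa, bssid = a2, a1
    elif from_ds:
        sa, bssid = a3, a2
    else:
        sa, bssid = a2, a3
    iv: Optional[int] = None
    body = raw[hdr_len:]
    # A WEP body starts with a 3-byte IV and a key-index byte. TKIP/CCMP set the
    # Extended IV bit (0x20) in that byte; those are not WEP IVs and are skipped.
    if protected and ftype == 2 and len(body) >= 4 and not body[3] & 0x20:
        iv = int.from_bytes(body[:3], "big")
    return {"type": ftype, "subtype": subtype, "protected": protected,
            "sa": mac_str(sa), "bssid": mac_str(bssid) if bssid else None, "iv": iv}


def wep_iv_stats(frames, bssid, attacker):
    """Counts for questions 3, 4, 6a and 6b, plus the overlap behind 14132 vs 14133."""
    wep_data, ivs_all, ivs_attacker, ivs_others = 0, set(), set(), set()
    for raw in frames:
        f = parse_frame(raw)
        if f["bssid"] != bssid or f["type"] != 2 or not f["protected"]:
            continue
        wep_data += 1
        if f["iv"] is None:
            continue
        ivs_all.add(f["iv"])
        (ivs_attacker if f["sa"] == attacker else ivs_others).add(f["iv"])
    return {"wep_data_frames": wep_data, "unique_ivs": len(ivs_all),
            "attacker_ivs": len(ivs_attacker), "other_ivs": len(ivs_others),
            "replayed_ivs": len(ivs_attacker & ivs_others)}


# Constructed capture: Joe talks to his AP, the attacker injects with its own
# IVs, replays one of Joe's frames (Joe's IV, attacker's SA) and retries a
# frame; a beacon and a frame on an unrelated BSSID are present as noise.
SAMPLE_FRAMES = [
    beacon_frame(BSSID),
    wep_data_frame(JOE, BSSID, BSSID, 0x000001),
    wep_data_frame(JOE, BSSID, BSSID, 0x000002),
    wep_data_frame(JOE, BSSID, BSSID, 0x000003),
    wep_data_frame(BSSID, JOE, BSSID, 0x100001, to_ds=False),
    wep_data_frame(ATTACKER, BSSID, BSSID, 0x000002),             # replayed IV
    wep_data_frame(ATTACKER, BSSID, BSSID, 0xabcd01),
    wep_data_frame(ATTACKER, BSSID, BSSID, 0xabcd02),
    wep_data_frame(ATTACKER, BSSID, BSSID, 0xabcd02, retry=True),  # same IV, counted once
    wep_data_frame(JOE, OTHER_AP, OTHER_AP, 0x555555),            # wrong BSSID, excluded
]

if __name__ == "__main__":
    print(wep_iv_stats(SAMPLE_FRAMES, BSSID, ATTACKER))
```

The replayed IV is why the two per-station answers do not add up to the total: attacker IVs + other IVs − IVs seen from both = total unique. The page's own numbers satisfy that identity (14133 + 15587 − 1 = 29719), which is the quickest consistency check on the three tshark filters above before trusting any of them.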

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
414s

3) How many WEP-encrypted data frames are there total in the packet capture?
59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
29719

5) What was the MAC address of the station executing the Layer 2 attacks?
1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
14133
(We also accept 14132, as one of the IVs was *generated* by another station, and only *replayed* by the attacker’s station. See my comment #4 below.)
b) By all *other* stations combined?
15587

7) What was the WEP key of Joe’s WAP?
D0:E5:9E:B9:04

8) What were the administrative username and password of the targeted wireless access point?
admin:admin

9) What was the WAP administrative passphrase changed to?
hahp0wnedJ00

We are currently in the process of grading submissions. This may take a few weeks, but rest assured we will announce the contest winners and results within the month.

Our next contest will be held at Defcon, August 4-7. We will probably post the contest/answers here when it’s over and we’ve recovered from Vegas.

Cheers!
Eric

Contestants!
The Network Forensics Puzzle Contest (“NFPC”) has proved to be quite a challenge for some. While a number of contestants have submitted correct answers, very few have accompanied their submission with additional narrative and/or tools. If you’ve already submitted, double check your answers and perhaps add a little extra to what you had before. It could be the difference that nets you a prize! We will be closing the contest on June 30th, and will post answers/winners soon after. Happy hunting!

Cheers!
Eric

Hello!
We have received *many* great submissions to the current contest; we have also received many requests to extend the deadline. Thus, we are going to extend the deadline. To those who haven’t submitted an answer yet, now you have more time! To those who have already submitted answers, consider creating a tool or adding more detail to your forensic analysis.

The new deadline is: June 30, 2011.
Same rules as before. Go have fun and solve some puzzles!

Cheers!
Eric

The prize for Puzzle #8 is … a BUFFALO WZR-HP-AG300H ! I hope that gets you excited. A number of great submissions have already been made; remember, to make your submission stand out try including an in-depth narrative or innovative script to put yourself above the rest.

Cheers!
Eric

Our latest puzzle was written by Eric Fulton, Jonathan Ham, and Sherri Davidoff.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

Meanwhile, next door…

Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses, pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even login to administer his WAP at all!

You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?

You have been given a packet capture of Inter0ptik’s adventures, and have been asked to determine the following:

1) Joe’s WAP is beaconing. Based on the contents of the packet capture,
what are:
a. The SSID of his access point?
b. The BSSID of his access point?

2) How long is the packet capture, from beginning to end (in SECONDS –
please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in
the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
b. By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8) What were the administrative username and password of the targeted
wireless access point?

9) What was the WAP administrative passphrase changed to?

Submission Form
Deadline is 6/30/11 (11:59:59PM UTC-11) (In other words, if it’s still 6/30/11 anywhere in the world, you can submit your entry.)

PRIZE:
To be announced

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

Packet capture
Sha256sum: 969f82205739e4d912f7a4bddf3d22f591bfa8fa09c9690c88117d7477263b8b

Deadline is 5/31/11 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!
Copyright 2011, Lake Missoula Group, LLC. All rights reserved.
