Network Forensics Puzzle Contest » sherri

Puzzle #10: $150 Cash Prize & Deadline Extension

sherri — Wed, 23 Nov 2011 06:26:53 +0000

Hi everybody! It’s been a whirlwind around here, and in all the rush of fall we never did get around to announcing the prize for Puzzle #10: The L33t Pill. So here it is:

First place: $150 Cash (w00t!)
Second place: A hollow spy half-dollar!

Since we only just announced the prize, we’re moving the submission deadline to January 3, 2012. Bust out your forensics kung-fu over winter break and find the secret ingredient to the L33t Pill! May the best solution win.

Puzzle #10: The L33t Pill

sherri — Tue, 11 Oct 2011 20:35:29 +0000

Our popular DEFCON 2011 puzzle is now open for public competition! This six-round puzzle is our best challenge yet. Since the answers to the puzzle have been released, this challenge now has a twist: The winner will be the person who submits the MOST ELEGANT solution.

WARNING: This contest contains off-color humor which may not be appropriate for the classroom, children, rodents, etc.

The lead chemist of a high-profile pharmaceutical company was involved in a serious accident, leaving him in a coma days before the release of the company’s highly publicized “133t pill.” The chemist was the only person in possession of the list of ingredients required to produce the wonder drug, and it is not known if he will ever recover. All chemical evidence of the drug has been destroyed, but the company believes that the missing ingredients may have been stored electronically. You have been hired as a forensic investigator, to recover the final ingredient of their 133t pill. Can you find the missing ingredient?

Prizes To Be Announced! Deadline is 11/22/11 (11:59:59PM UTC-11) (In other words, if it’s still 11/22/11 anywhere in the world, you can submit your entry.) Please use the Official Submission Form to submit your answers.

Remember, the MOST ELEGANT solution wins. The answers to this puzzle have already been published; now your job is to demonstrate excellent ways to solve it. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as PLAIN TEXT. Microsoft Word documents, PDFs, etc will NOT be reviewed. Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize).

Here’s a link to the encrypted contest volume:
Defcon2011-Contest.tc

SHA256 CHECKSUM:
6906e4a08bd498c6ff78928b1c8d292a9f89f2ecfac60094528f4497e2254474

The Defcon2011-Contest.tc is an encrypted password-protected Truecrypt volume. Inside are six individual Truecrypt archives which each contain a single round of the contest. You will need to mount each encrypted volume using Truecrypt before you can access its contents. Here is a page which shows you how to mount a Truecrypt volume.

The password to unlock Defcon2011-Contest.tc is: !#$h1d3&&s33k$#!
The password to unlock round1 is: r0und1g0!!

At DEFCON, when a team found the answer to a round, they texted it to Headquarters (HQ). If their answer was correct, staff texted back the key to unlock the next round.

SPOILER ALERT: You can find the keys to each of the encrypted volumes here.

SUPER SPOILER ALERT: For your convenience, we’ve also unlocked all the rounds for those of you who just want to play around with individual round puzzles without having to solve the whole thing in order. You can find the individual round puzzles here:

Round1
Round2
Round3
Round4
Round5
Round6

SUPER DUPER SPOILER ALERT: Here are the ANSWERS TO THE PUZZLE. Remember, your job is to come up with the MOST ELEGANT solution.

Exceptional solutions will be published on this site with full attribution. We are happy to link to your site if you intend to maintain an up-to-date version of your tool. Exceptional submissions may also be used as examples and tools in the Network Forensics course and book, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.

Deadline is 1/3/12 (11:59:59PM UTC-11) (In other words, if it’s still 1/3/12 anywhere in the world, you can submit your entry.) Please use the Official Submission Form to submit your answers.

Good luck!!!

This puzzle was created by Scott Fretheim, Randi Price, Eric Fulton, Sherri Davidoff, and Jonathan Ham (Lake Missoula Group, LLC).

Puzzle #9: Ann’s Deception (DEFCON 2011)

sherri — Tue, 16 Aug 2011 06:19:09 +0000

This year’s DEFCON contest was a huge success, with over 200 teams entering! The contest was split up into six rounds of increasing difficulty. The first team to complete all six rounds won the contest. Now that the contest is over, we’re placing the materials here for folks who would like to play around on their own.

WARNING: This contest contains off-color humor which may not be appropriate for the classroom, children, rodents, etc.

Here’s a link to the encrypted contest volume:
Defcon2011-Contest.tc

SHA256 CHECKSUM:
6906e4a08bd498c6ff78928b1c8d292a9f89f2ecfac60094528f4497e2254474

At the start time, DEFCON attendees visited the contest booth to obtain the first decryption passwords, provided below:

The password to unlock Defcon2011-Contest.tc is: !#$h1d3&&s33k$#!
The password to unlock round1 is: r0und1g0!!

When a team found the answer to a round, they texted it to Headquarters (HQ). If their answer was correct, staff texted back the key to unlock the next round.

SPOILER ALERT: You can find the keys to each of the encrypted volumes here.

Round1
Round2
Round3
Round4
Round5
Round6

A few notes:

1. You will not get the correct answer simply by running “strings” on the packet captures. It is more complicated than that.

2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

3. There are six contest rounds containing six evidence files. You must analyze the evidence files in order to answer the question(s) which go along with each capture.

Have fun!

This puzzle was created by Scott Fretheim, Randi Price, Eric Fulton, Sherri Davidoff, and Jonathan Ham (Lake Missoula Group, LLC).

Puzzle #9 Answers

sherri — Tue, 16 Aug 2011 06:18:36 +0000

Here are the answers to Puzzle #9: Ann’s Deception (DEFCON 2011):

Round 1 Decryption Key: r0und1g0!!
In this capture we were looking for the name of the company. This is located inside an email.
Answer: Factory-Made-Winning-Pharmaceuticals
Round 2 Decryption Key: !n1c3?w0rk
In this capture we were looking for the date of a speech given by Bruce Schneier. To solve this puzzle you must carve out a packet capture which was sent as an email attachment. Inside that packet capture, you can find the data by looking through the web traffic to see the pages Ann viewed.
Answer: October 6-7, 2011
Round 3 Decryption Key:?g3tting!t0ugh
In this capture we were looking for Romulus’s password. This can be found by carving out the VOIP conversation and listening to it.
Answer: rom127#
Round 4 Decryption Key: m4k1ng?pr0g
In this packet capture we were looking for the name on the 16th line in a spread sheet. To find the answer, you need to carve out the SMB transfer of the 7zip file containing the credit card file. In order to unlock the 7zip file you will need to use the password YOU found in Round 3.
Answer: Jason Wilson
Round 5 Decryption Key: 0v3r#h4lf?w4y
In this packet capture, you need to carve out the SMB file transfer of the ingredients list. To unlock the 7zip file containing the ingredients list, you will need to use the password you found in in Round 4.
Answer:8.4 oz- Red Bull; Tim
Round 6 Decryption Key: ch33rs!0n3$m0r3
Round 6 requires you to find the final ingredient of the 133t pill. To unlock the volume, you must use the cipher along with the previous answers from Rounds 1-5. Begin by solving the cipher, and then use the cipher as the password to unlock the Truecrypt volume.
Cipher Solution: 00gmu1rt#?
Answer: 2oz Vodka

Gearing Up for DEFCON 19!

sherri — Sun, 31 Jul 2011 22:14:11 +0000

We are totally psyched for DEFCON 19! The Network Forensics Puzzle Contest (NFPC) will be running in the contest area. Watch our DEFCON forum for updates this week. Prizes include a Verizon 3g Network Extender and $150 ThinkGeek gift certificate (many thanks to ThinkGeek for sponsoring that prize).

To whet your appetite even more, check out the hot new graphic on the DEFCON 19 NFPC CD, designed by Mr. Scott Fretheim:

Players can pick up their CDs at the contest booth starting Thursday @ 10:00 AM. The contest will officially start on Friday. (Of course, we’ll post the contest materials online afterwards, too, so everyone can check out the latest challenge, just for fun.

Cheers!

Puzzle #7 Answers

sherri — Sun, 31 Jul 2011 21:50:14 +0000

Here is the solution to Puzzle #7: Ann’s Dark Tangent (DEFCON 2010). There are many ways to arrive at the solution. Here is our method; there are other tools you can use to reach the same answer.

You received a CD containing, among other things, a packet capture: evidence-defcon2010.pcap

Check the MD5 sum:

$ md5sum evidence-defcon2010.pcap
7c416421a626600f86e3702df0cac8ef evidence-defcon2010.pcap

If you examine the packet capture, you will see that it contains WEP-encrypted wireless traffic.

Crack the WEP key. You can do this using aircrack-ng in less than one second:

$ aircrack-ng evidence-defcon2010.pcap
Opening evidence-defcon2010.pcap
Read 426642 packets.
# BSSID    ESSID    Encryption
1 00:1C:10:B3:CC:F0 w00t    WEP (98923 IVs)
Choosing first network as target.
Opening evidence-defcon2010.pcap

Once you have the WEP key, use it to decrypt the traffic:

$ airdecap-ng -w 4A:7D:B5:08:CD evidence-defcon2010.pcap
Total number of packets read    426642
Total number of WEP data packets 187650
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 187650
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0

If you run strings on the packet capture (or view it in Wireshark), you will see IMAP and SMTP traffic, including an email with an attachment. This attachment is the key to the entire puzzle.

Dark Tangent,
I know you've been watching me. You should be able to figure out the =
location of our rendezvous point from my traffic. Contact me first with =
the name of the city where we will meet, and you win   I'll send you =
more details after that.=20
Ann
ps. See the attachment for a clue.

Carve out the email attachment. You can do this manually, or use the smtpdump tool by Franck Guénichot from Contest #2.

The email attachment is a GIF image, shown below:

There were five lines in the image, which read (from top to bottom):

App Store - App Name
Podcast Title
YouTube Video Title
Google Earth City Name
AIM Buddy Name

If you go through the packet capture, you will find that Ann used her iPad to:

Download the iPad app called “Solitaire”
Download and watch an Onion podcast called “Onion Radio News for Kids”
View a YouTube video called “Cry for Help – Rick Astley”
Search on Google Earth for “Hacker Valley, West Virginia”
IM her buddy, “inter0pt1c”

Line all the answers up, as shown in the GIF image, and read down the first column:

Solitaire
Onion Radio News for Kids
Cry for Help
Hacker Valley
inter0pt1c

The answer is “SOCHI”, a resort town in Russia where the winter Olympics will be held.

Thanks to everyone who played!

Puzzle #7 Winners

sherri — Sun, 31 Jul 2011 21:26:24 +0000

Over 221 teams registered to play Puzzle #7: Ann’s Aurora at DEFCON 18 (2010)! Each team was given a CD which contained the evidence, and teams were asked to text the answer to the phone at NFPC Headquarters. The first team to text the correct answer won the contest.

The Winner of Puzzle #7 (and the shiny new iPad) was (drumroll…)

Team Bam Bam!

These guys solved the puzzle after about 5 hours. We also have to give mad props to team Preset Kill Limit, who texted the correct answer just one minute after team Bam Bam. Wow, that was close!

Great job to everyone!

Puzzle #7: Ann’s Dark Tangent (DEFCON 2010)

sherri — Sun, 31 Jul 2011 21:14:56 +0000

At long last! Here is a copy of Puzzle #7, “Ann’s Dark Tangent,” which was run at Defcon 18 (2010). This contest was unusual in that the answer was a single word. The contest was open to DEFCON 18 attendees who were at the conference. Although the contest has long since closed, you might enjoy playing around with the packet capture, which contains wireless iPad traffic.

Ann has arranged a rendezvous with Dark Tangent. You are the forensic investigator. Can you figure out their destination?

Here’s a copy of their network traffic:

evidence-defcon2010.pcap
MD5sum: 7c416421a626600f86e3702df0cac8ef

The first team to submit the correct answer wins a brand new Apple iPad.

A few notes:
1. You will not get the correct answer simply by running “strings” on the packet capture. It is more complicated than that.
2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

Have fun!

Puzzle #7 was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Defcon 2010

sherri — Fri, 23 Jul 2010 00:42:13 +0000

For all those attending DEFCON 2010, we’ll be hosting a puzzle contest starting Friday afternoon in the contest area. It’s a race against time; the first person to complete the puzzle wins a brand-new iPad. We’ll be posting the packet capture here after the contest for those of you who like the intellectual challenge. Contest description below… See you there!

Ann Dercover is on the run, and you’re hot on her trail as she travels around the globe hacking companies, stealing intellectual property, launching 0-day attacks and setting up sneaky backdoors. *You are the forensic investigator.* You’ve got a packet capture of Ann’s network traffic. Can you analyze Ann’s malicious traffic and solve the crime by Sunday? Prize: Win a brand-spanking new Apple iPad!

cheers!
Eric

Puzzle #6 Winners

sherri — Fri, 09 Jul 2010 06:57:32 +0000

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)…. Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
Apple iPad – Sponsored by NetWitness Corporation
Flip Video Recorder – Sponsored by MANDIANT Inc.
F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time!

WINNERS:

Wesley McGrew

Finalists:

Erik Hjelmvik
Leendert Pieter van Drimmelen
Eric Kollmann
Jeff Wichman
Ruben Recabarren
Iulian Anton
Candice Quates

Semifinalists:

Francesco Acchiappati
Mark Hillick
Richard Shawn O’Connell
Ashish, Garima, Vikrant
Jon Larimer

Correct Answers:

Andy Patrick
Brian Sommers
Candice Quates
Carlos Pérez López
David Rodriguez
Eric Kollmann
Erik Hjelmvik
Francesco Acchiappati
Hsiang-Jen Shih
Iulian Anton
Jeremy Scott
Jon Larimer
Kazunori Kojima
Leendert Pieter van Drimmelen
Mark Hillick
Masashi Fujiwara
Peter Chong
Rakesh Mukundan
Richard Shawn O’Connell
Ruben Recabarren
Seth Leone & Ryan Sommers
Takuro Uetori
Wesley McGrew
Winter Faulk
Yogesh Khatri
Zoher Anis