We are currently in the process of grading submissions. This may take a few weeks, but rest assured we will announce the contest winners and results within the month.

Our next contest will be held at Defcon, August 4-7. We will probably post the contest/answers here when it’s over and we’ve recovered from Vegas.

Cheers!
Eric

Contestants!
The Network Forensics Puzzle Contest (“NFPC”) has proved to be quite a challenge for some. While a number of contestants have submitted correct answers, very few have accompanied their submission with additional narrative and/or tools. If you’ve already submitted, double check your answers and perhaps add a little extra to what you had before. It could be the difference that nets you a prize! We will be closing the contest on June 30th, and will post answers/winners soon after. Happy hunting!

Cheers!
Eric

Hello!
We have received *many* great submissions to the current contest; we have also received many requests to extend the deadline. Thus, we are going to extend the deadline. To those who haven’t submitted an answer yet, now you have more time! To those who have already submitted answers, consider creating a tool or adding more detail to your forensic analysis.

The new deadline is: June 30, 2011.
Same rules as before. Go have fun and solve some puzzles!

Cheers!
Eric

The prize for Puzzle #8 is … a BUFFALO WZR-HP-AG300H! I hope that gets you excited. A number of great submissions have already been made; remember, to make your submission stand out, try including an in-depth narrative or an innovative script to put yourself above the rest.

Cheers!
Eric

Our latest puzzle was written by Eric Fulton, Jonathan Ham, and Sherri Davidoff.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

Meanwhile, next door…

Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even log in to administer his WAP at all!

You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?

You have been given a packet capture of Inter0ptik’s adventures, and have been asked to determine the following:

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are:
a. The SSID of his access point?
b. The BSSID of his access point?

2) How long is the packet capture, from beginning to end (in SECONDS - please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
b. By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8) What were the administrative username and password of the targeted wireless access point?

9) What was the WAP administrative passphrase changed to?
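As an added example (not part of the contest materials or its answers), here is a small parser for raw 802.11 frames that produces the counts questions 1a, 3, 4 and 6 ask for: the beaconed SSID, the total number of WEP data frames, and the unique IVs per transmitting station for one BSSID. The frames, the AP and the second station address and the SSID are constructed; only Joe’s MAC address is taken from the puzzle text.

```python
import struct
from collections import defaultdict

def mac(raw): return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Fields the puzzle asks about, from one raw 802.11 frame (no radiotap, no QoS/4-address)."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds, protected = fc1 & 1, fc1 >> 1 & 1, fc1 >> 6 & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else a2 if from_ds else a3        # which address carries the BSSID
    info = {"ta": mac(a2), "bssid": mac(bssid), "wep_iv": None, "ssid": None}
    body = frame[24:]
    if ftype == 2 and protected and not body[3] & 0x20:   # ExtIV bit clear => WEP, not TKIP/CCMP
        info["wep_iv"] = body[:3].hex()                    # the 24-bit IV travels in the clear
    elif ftype == 0 and subtype == 8:                      # beacon: 12 fixed bytes, then IEs
        ies, off = body[12:], 0
        while off + 2 <= len(ies) and ies[off] != 0:       # walk IEs until the SSID element (tag 0)
            off += 2 + ies[off + 1]
        if off + 2 <= len(ies):
            info["ssid"] = ies[off + 2:off + 2 + ies[off + 1]].decode(errors="replace")
    return info

def summarize(frames, ap_bssid):
    """Questions 1a, 3, 4, 6: SSIDs beaconed, WEP data frames, unique IVs per station for one AP."""
    ssids, wep_frames, ivs_by_ta = set(), 0, defaultdict(set)
    for info in map(parse_frame, frames):
        if info["ssid"] is not None and info["bssid"] == ap_bssid:
            ssids.add(info["ssid"])
        if info["wep_iv"] is not None:
            wep_frames += 1
            if info["bssid"] == ap_bssid:                  # only IVs relating to this AP
                ivs_by_ta[info["ta"]].add(info["wep_iv"])
    return {"ssids": ssids, "wep_data_frames": wep_frames,
            "unique_ivs": len(set().union(*ivs_by_ta.values())),
            "ivs_per_station": {ta: len(ivs) for ta, ivs in ivs_by_ta.items()}}

# Constructed frames (not the contest capture); only Joe's MAC is the one the puzzle states.
AP, JOE, OTHER = (bytes.fromhex(h) for h in ("0a0b0c0d0e0f", "001122334455", "a1b2c3d4e5f6"))

def beacon(bssid, ssid):            # management/beacon, broadcast DA, capability: ESS + privacy
    return (b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00" * 10
            + struct.pack("<HH", 100, 0x0011) + bytes([0, len(ssid)]) + ssid)
def wep_data(station, bssid, iv):   # data frame, ToDS + Protected: IV, key id 0, dummy payload
    return b"\x08\x41\x00\x00" + bssid + station + b"\xff" * 6 + b"\x00\x00" + iv + b"\x00" * 9

FRAMES = [beacon(AP, b"example-net"), wep_data(OTHER, AP, b"\x01\x02\x03"),
          wep_data(OTHER, AP, b"\x01\x02\x03"), wep_data(OTHER, AP, b"\x04\x05\x06"),
          wep_data(JOE, AP, b"\x07\x08\x09"), wep_data(JOE, bytes(6), b"\x07\x08\x09")]
```

On a real capture, feed `summarize` the frame bytes from the pcap records (link type 802.11, or after stripping any radiotap header) and pass the BSSID read from Joe’s beacon.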

Submission Form
Deadline is 6/30/11 (11:59:59PM UTC-11) (In other words, if it’s still 6/30/11 anywhere in the world, you can submit your entry.)

PRIZE:
To be announced

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

Packet capture
Sha256sum: 969f82205739e4d912f7a4bddf3d22f591bfa8fa09c9690c88117d7477263b8b

Deadline is 5/31/11 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!
Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

For all those attending DEFCON 2010, we’ll be hosting a puzzle contest starting Friday afternoon in the contest area. It’s a race against time; the first person to complete the puzzle wins a brand-new iPad. We’ll be posting the packet capture here after the contest for those of you who like the intellectual challenge. Contest description below… See you there!

Ann Dercover is on the run, and you’re hot on her trail as she travels around the globe hacking companies, stealing intellectual property, launching 0-day attacks and setting up sneaky backdoors. *You are the forensic investigator.* You’ve got a packet capture of Ann’s network traffic. Can you analyze Ann’s malicious traffic and solve the crime by Sunday? Prize: Win a brand-spanking new Apple iPad!

cheers!
Eric

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)… Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

  • Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner)
  • Apple iPad – Sponsored by NetWitness Corporation
  • Flip Video Recorder – Sponsored by MANDIANT Inc.
  • F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
  • Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
  • Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
  • 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time! :)


WINNERS:

Wesley McGrew

Finalists:

Erik Hjelmvik
Leendert Pieter van Drimmelen
Eric Kollmann
Jeff Wichman
Ruben Recabarren
Iulian Anton
Candice Quates

Semifinalists:

Francesco Acchiappati
Mark Hillick
Richard Shawn O’Connell
Ashish, Garima, Vikrant
Jon Larimer

Correct Answers:

Andy Patrick
Brian Sommers
Candice Quates
Carlos Pérez López
David Rodriguez
Eric Kollmann
Erik Hjelmvik
Francesco Acchiappati
Hsiang-Jen Shih
Iulian Anton
Jeremy Scott
Jon Larimer
Kazunori Kojima
Leendert Pieter van Drimmelen
Mark Hillick
Masashi Fujiwara
Peter Chong
Rakesh Mukundan
Richard Shawn O’Connell
Ruben Recabarren
Seth Leone & Ryan Sommers
Takuro Uetori
Wesley McGrew
Winter Faulk
Yogesh Khatri
Zoher Anis

Here are the answers to Puzzle #6: Ann’s Aurora. Thanks to everyone who played!

(Note: There were a lot of questions about rounding for questions 4, 5, 8 and 10. Due to the confusion, we accepted both mathematically correct rounding and answers that were simply truncated to the nearest tenth.)

Answer 1: http://10.10.10.10:8080/index.php
Answer 2: vEI
Answer 3a: index.phpmfKSxSANkeTeNrah.gif
Answer 3b: df3e567d6f16d040326c7a0ea29a4f41
Answer 4: 1.3 seconds (will also accept 1.2)
Answer 5: 87.6 seconds (will also accept 87.5)
Answer 6a: Windows executable
Answer 6b: b062cb8344cd3e296d8868fbef289c7c
Answer 7a: Every third packet
Answer 7b: Every packet
Answer 7c: Every 10-15 seconds
Answer 8: 123.7 (will also accept 123.6)
Answer 9: b062cb8344cd3e296d8868fbef289c7c
Answer 10: 198.4

Hi everyone,

Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving files can be tricky, and here are some tips.

  • The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
  • You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. This is because foremost will identify the file type by its magic number, but it doesn’t remove the packet headers and reassemble the data. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
  • To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation, extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily.

All right, I’ve probably said too much :) Hope that helps you track down Ann’s sneaky activities. Have fun!
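The reassemble-then-carve procedure from the tips above, as an added example that is not part of the contest materials: one side of a TCP conversation is rebuilt by sequence number (out-of-order segments and a retransmission included), the PE image is carved from the clean stream, and the same carve over the raw frames shows why a whole-pcap carver gets a different, invalid file. The HTTP response, the fake PE header, the sequence numbers and the 54-byte frame-header stand-in are all constructed here.

```python
import hashlib
import struct

# Constructed sample (not from the contest pcap): a fake PE image inside an HTTP
# response, delivered as ONE side of a TCP conversation, out of order, one retransmit.
FAKE_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # DOS header, e_lfanew (0x3c) = 0x80
           + b"\x00" * 64                                   # DOS stub
           + b"PE\x00\x00" + struct.pack("<H", 0x14C)       # PE signature, Machine = i386
           + b"\x00" * 118)                                 # rest of the fake headers
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: "
                 + str(len(FAKE_PE)).encode() + b"\r\n\r\n" + FAKE_PE)
ISN = 1000                                                  # constructed initial sequence number
SEGMENTS = [(ISN + i, HTTP_RESPONSE[i:i + 40]) for i in range(0, len(HTTP_RESPONSE), 40)]
SEGMENTS = SEGMENTS[::-1] + [SEGMENTS[2]]                   # reversed delivery plus one retransmit
FRAME_HEADERS = b"\x00" * 54                                # stand-in for Ethernet+IP+TCP headers

def reassemble_one_direction(segments):
    """Rebuild the byte stream of one side of a TCP conversation from (seq, payload)
    pairs, tolerating out-of-order delivery and retransmissions; rejects gaps."""
    stream, base = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        base = seq if base is None else base
        offset = seq - base
        if offset > len(stream):
            raise ValueError(f"missing data before seq {seq}")
        stream += payload[len(stream) - offset:]            # keep only bytes not already seen
    return bytes(stream)

def is_pe(blob):
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_pe(stream):
    """First valid PE image in a reassembled stream, taken to the end of the stream
    (bound it by the HTTP Content-Length instead if the stream carries more files)."""
    start = stream.find(b"MZ")
    while start != -1 and not is_pe(stream[start:]):
        start = stream.find(b"MZ", start + 1)
    return stream[start:] if start != -1 else None

def naive_carve_from_frames(segments):
    """What a whole-pcap carver sees: 'MZ' is found, but frame headers stay interleaved."""
    raw = b"".join(FRAME_HEADERS + p for _, p in sorted(segments, key=lambda s: s[0]))
    return raw[raw.find(b"MZ"):]

def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()
```

With a real capture, the `(seq, payload)` pairs for one direction are exactly what Wireshark’s “Follow TCP Stream” (one side selected, raw) or a tshark field export gives you.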

By Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.

We are very grateful to everyone who submitted answers to our Puzzle #5: Ms. Moneymany’s Mysterious Malware. Congratulations to everyone who provided correct answers to this network forensics puzzle with a malware twist.

Don Jackson submitted the solution that we picked as the winner of this contest. We were very impressed with the thoroughness of his description, with the attention to detail, and with the focus on network-related aspects of the incident. Reading Don’s solution made us feel like we are looking over the shoulder of the forensic analyst, as he formed theories and looked for evidence to substantiate or disprove them. Great job, Don, and congratulations on winning the Lenovo Ideapad netbook!

We also wanted to mention several other solutions that ranked close to the top:

We were impressed by the in-depth dive yulyul2003 took when looking at the inner-workings of the malicious executable. Though this level of detail was a bit outside the scope of this puzzle, we liked the analysis yulyul2003 performed of the infection and rootkit-related functionality of the specimen. This solution also provides excellent details regarding the infection mechanism.

Eugenio Delfa created a handy tool called castflow for carving PCAP files, which he used to extract files from the network traffic capture. Eugenio also performed some behavioral analysis of the malicious executable in the lab–we appreciated seeing these details in his write-up.

Iñaki Rodríguez showcased the use of tshark for analyzing network traffic–very nice. We also liked the use of Snort by dn1nj4 to examine the network traffic capture for signs of malicious activity.

Thanks to everyone who participated in this puzzle!


Winner:

Don Jackson (wins a Lenovo Netbook)

Finalists:

Bashar Ewaida
Christian North
dn1nj4
Eric Kollmann
Eugenio Delfa
Iñaki Rodríguez
Mark Hillick
Scott Cubic
yulyul2003

Correct:

Ahmed Adel Mohamed
Alan Tu
Ashish, Garima, Vikrant
Bobby
Candice Quates
Chet Kress
Dave Eilert
Don Jackson (winning submission)
Gaurav
Jeff Wichman
Joe Creasey
Masashi Fujiwara
Matt Erasmus
Param Singh
Parin
Peter Chong
Scott Cubic
Shane Kennedy
Takuro Uetori
Tareq Saade
Victor Ant Torre
Winter Faulk
© 2012 Network Forensics Puzzle Contest