Over 250 teams entered the Network Forensics Puzzle Contest at DEFCON 21. Congratulations to this year’s Winning Team: “Red Team”! We hope you enjoyed competing, and we look forward to seeing you again next year.

Top Three Finalists at DEFCON 21:

1. Red Team
2. Tom Pohl

The contest decryption keys, answers, and a walk-through of the solutions will be posted the week of 9/22/13. Thank you for playing!

Copyright 2013, LMG Security. All rights reserved.

Network Forensics Puzzle Contest #10 posed a serious challenge, requiring contestants to demonstrate advanced reasoning and meticulous attention to detail, even when reading the scenario. Thank you to everyone who submitted an entry for Puzzle #10, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is… Steve B.! Steve was both the first person to solve the contest AND the person to have the most eloquent solution. He’ll be receiving a prize for being first and the Blackhat Black Card! We’ll be posting a walkthrough and answers in the coming weeks. Steve wrote a great write-up [available here].

Honorable Mentions:

  • Jatiki
  • Zak


We received several requests from DEFCON attendees asking us to post the decryption keys and answers for the DEFCON 2012 contest. The decryption keys and answers are posted below. We will post the list of winners, and a walk-through of the solutions soon. Thank you for playing!

Decryption Keys
Contest Container: W3lc0m3toNFPC2012@defcon
Round2: Aw3s0m3s4uc3@
Round3: DFC=w00t!
Round4: 4r3g3ttingh4rd
Round5: tHiswi11b3fun#
Round6: Th3R4c3is0n$


Answers to DEFCON 2012 Contest Questions

Round 1 Answer: 99901

Round 2 Answer: Golden Alley

Round 3 Answer: ICdarkwater

Round 4 Answer: 15684-b5.12

Round 5 Answer: 2300

Round 6 Answer: Dogfort

Copyright 2012, LMG Security. All rights reserved.

Join Eric Fulton on Thursday, June 14 at 1:00 PM ET for the BlackHat Webcast, “Network Forensics: Uncovering Secrets of Mobile Applications“. You might even learn something for contest 10…which will be presented live later today on PaulDotCom!

On the Internet, every action leaves a mark—in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind. But what about mobile devices? What seemingly innocuous information are they sharing with, and without, your knowledge?

In this webcast, watch as Eric Fulton analyzes mobile network traffic and discover some interesting details about your favorite applications. You will see him locate GPS co-ordinates, identify installed mobile applications, and more.

Hello Everyone!
It has been a busy year, and once again we find ourselves nearing Defcon where we run the wildly popular Network Forensics Puzzle Contest. We have some good things in store for the coming months and would like to share.

We are running an NFPC over at PaulDotCom in the coming month. When it’s live we will share the link here. You should also check out PaulDotCom for a heap of great articles and videos.

Blackhat USA 2012
Want to be taught by the people who literally wrote the book on Network Forensics? Register for their highly praised course “NETWORK FORENSICS: BLACK HAT RELEASE” to learn the latest techniques in the field of Network Forensics. You’ll even get the book at 25% off, since it is the course text.

Defcon 20
Going to DEFCON? Join us for the annual DEFCON Network Forensics Puzzle Contest, and win a shiny new iPad!

Other updates can be found by following us on Twitter (@LMGSecurity or @trisk3t), our LinkedIn Page, or our Facebook Page. Cheers!

Network Forensics Puzzle Contest #8 posed a serious challenge, requiring contestants to demonstrate an advanced knowledge of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is… Stefan S. Op de Beek! Stefan wins a Buffalo Wireless Router for his correct answers and UTScapy test script. While the script didn’t work perfectly on my system, it is a great example of leveraging existing frameworks to analyze packet captures. Contestants, answers, and solutions below.

Joerg Gerschuetz
Winter Faulk
Aaron Wamapch
Kazunori Kojima
Adam Jenkins
Steeve Barbeau
Tyler Dean
Ward Perry
J-Michael Roberts
Stefan S. Op de Beek

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the packet capture?
$ tshark -r evidence08.pcap -Y '((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)' | wc -l
A: 59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -Y '(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2 attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?

$ tshark -r evidence08.pcap -Y '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 14133 (14132 also accepted)

b) By all *other* stations combined?
$ tshark -r evidence08.pcap -Y '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
B: 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8) What were the administrative username and password of the targeted wireless access point?
username: admin
passphrase: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00
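
What the filters in questions 3, 4 and 6 select at the byte level, as an added example that is not part of the contest's own solution: it parses bare 802.11 headers (no radiotap header or FCS assumed), reads the WEP IV, and counts unique IVs per source address. The AP and attacker MAC addresses are the ones given above; every frame, the other two addresses and all function names are constructed for illustration.

```python
from collections import defaultdict

mac = lambda s: bytes.fromhex(s.replace(":", ""))

def parse_wep_data(frame):
    """Return (bssid, sa, iv) for a WEP-protected Data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, flags = frame[0], frame[1]
    # type 2 / subtype 0 is wlan.fc.type_subtype == 0x20; 0x40 is the Protected bit
    if (fc0 >> 2) & 0x3 != 2 or fc0 >> 4 != 0 or not flags & 0x40:
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # To DS / From DS bits decide which address is the BSSID and which the source
    pair = {0: (a3, a2), 1: (a1, a2), 2: (a2, a3)}.get(flags & 0x03)
    if pair is None or frame[27] & 0x20:  # WDS frame, or ExtIV set (TKIP/CCMP)
        return None
    return pair[0], pair[1], frame[24:27]

def summarize(frames, bssid, suspect):
    """Counts in the order of questions 3, 4, 6a and 6b for one BSSID."""
    count, by_sa = 0, defaultdict(set)
    for f in frames:
        hit = parse_wep_data(f)
        if hit and hit[0] == bssid:
            count += 1
            by_sa[hit[1]].add(hit[2])
    others = set().union(*(v for k, v in by_sa.items() if k != suspect))
    mine = by_sa.get(suspect, set())
    return count, len(mine | others), len(mine), len(others)

def build(flags, a1, a2, a3, iv, keyid=0):
    # Constructed frame: FC, duration, three addresses, seq ctl, IV, key ID, payload
    return (bytes([0x08, flags]) + b"\0\0" + a1 + a2 + a3 + b"\0\0"
            + bytes.fromhex(iv) + bytes([keyid]) + b"\xaa" * 8)

AP, SUSPECT = mac("00:23:69:61:00:d0"), mac("1c:4b:d6:69:cd:07")       # from the page
CLIENT, OTHER_AP = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02")  # constructed
FRAMES = [
    build(0x41, AP, SUSPECT, AP, "000001"),              # To DS, protected
    build(0x41, AP, SUSPECT, AP, "000001"),              # same IV again
    build(0x41, AP, SUSPECT, AP, "000002"),
    build(0x41, AP, CLIENT, AP, "000001"),               # IV also used by the suspect
    build(0x42, CLIENT, AP, AP, "000003"),               # From DS: source is address 3
    build(0x01, AP, CLIENT, AP, "000004"),               # not protected
    build(0x41, AP, CLIENT, AP, "000005", keyid=0x20),   # ExtIV set: not WEP
    build(0x41, OTHER_AP, CLIENT, OTHER_AP, "000006"),   # different BSSID
]
print(summarize(FRAMES, AP, SUSPECT))
```

An IV seen from two stations counts once in the total but once in each per-station set, so the 6a and 6b figures need not add up to the answer to question 4.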

Hello! Apologies for the lack of communications as of late; however, new contests are coming soon. Expect regular contests and updates in the coming months, with the first contest of 2011 being posted some time next week.


2/9/2011 EDIT – Egads! It appears I spoke too soon. The next puzzle pcaps are all done but a few things need to be done before the contest begins. Soon, friends… -Eric
