Here are the answers for Puzzle #3. Big thanks to everyone who entered! 🙂
Answer 1: 00:25:00:fe:07:c4 (002500fe07c4 will also be accepted)
Answer 2: AppleTV/2.4
Answer 3a: h
Answer 3b: ha
Answer 3c: hac
Answer 3d: hack
Answer 4: Hackers
Answer 5: http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640×278.h264lc.d2.p.m4v
Answer 6: Sneakers
Answer 7: $9.99
Answer 8: iknowyourewatchingme
February 2, 2010 at 11:18 pm
You’re right, these are the good answers. I think you’ll be the winner 😉
Many thanks for this post, I think all of us appreciate it. Next step: we are now waiting for the next puzzle.
February 2, 2010 at 11:30 pm
I’d have a question: are you generating pcap files each time with “real life” traffic (with a real AppleTV in the case of puzzle #3) or are you manually writing some of the entries? I ask because I’ve noticed a strange “Cneonction: close” on frame #1559. Depending on your answer, is that an Apple bug? Any explanation would be appreciated. Thanks in advance.
February 3, 2010 at 12:24 am
Hi Sébastien,
I saw that strange line on your blog, and I was surprised. We do “real life” captures and rarely edit packet contents. Mostly we just filter packets; once in a blue moon we need to edit out a personal detail, but we didn’t do any editing at all other than filtering on the AppleTV capture. It was just a brand-new out-of-the-box device connected to a hub.
Curious! Whoever ends up with the AppleTV should check that out for us 🙂
February 3, 2010 at 6:51 am
Hi,
Congrats on the Puzzle. It was fun. If you want to read a Spanish, quick and dirty solution and detailed explanation for the questions, go to:
http://hacktimes.com/soluci_n_al_reto_forense_de_sans_puzzle_3/
February 3, 2010 at 9:30 am
Good luck to everyone who entered! I wasn’t able to find the time to work on an entry this time, but I look forward to seeing everyone’s solutions!
February 3, 2010 at 12:12 pm
Sébastien & Sherri:
I poked around at the weird spellings of “Connection:” that you pointed out, and I found some explanation here:
http://triosec.secniche.org/concepts/nncoe_req_exp.txt
Apparently it’s a way for hardware load balancers to modify “Connection: close” to keep it from actually closing connections.
I learn something new every day 😉
Wesley
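An added example, not part of the thread or the contest materials: a small Python check for the header scrambling Wesley describes, run over a constructed header block modelled on the “Cneonction: close” line (the real capture is not reproduced here). It flags any header name that is a rearrangement of “Connection” and reports what the receiver will actually act on.

```python
from collections import Counter

STANDARD = "connection"

# Constructed HTTP response header block (not from the contest capture),
# modelled on the "Cneonction: close" line seen in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: video/mp4\r\n"
    "Content-Length: 1234\r\n"
    "Cneonction: close\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Split an HTTP header block into (name, value) pairs, skipping the
    request/status line and stopping at the blank line that ends the block."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def scrambled_connection_headers(raw):
    """Return header lines whose name is a rearrangement of 'Connection'
    but not the standard spelling. A receiver ignores an unknown header
    name, so 'Cneonction: close' leaves the connection persistent while
    the message keeps exactly the same byte length, which is the
    load-balancer trick Wesley's link describes."""
    return [(n, v) for n, v in parse_headers(raw)
            if n.lower() != STANDARD and Counter(n.lower()) == Counter(STANDARD)]

def effective_connection(raw):
    """What the receiver really acts on: the standard header's value if
    present, otherwise the protocol default (persistent for HTTP/1.1,
    close for HTTP/1.0)."""
    first_line = raw.split("\r\n", 1)[0]
    for n, v in parse_headers(raw):
        if n.lower() == STANDARD:
            return v.lower()
    return "close" if "HTTP/1.0" in first_line else "keep-alive"
```

In a capture, a scrambled name on a response whose request carried a normal “Connection: close” is a strong sign that a middlebox sat between the client and the origin.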
February 3, 2010 at 6:10 pm
Wesley,
Wow! That’s really interesting. Thanks for digging that up. 🙂
Sherri
February 3, 2010 at 6:19 pm
Hey there folks. While you’re busy awaiting the results of Contest #3, please feel free to chew on Contest #4, which we’ve just published.
I hope you’ll find it both trivial and challenging. 😉
/jonathan
February 8, 2010 at 12:10 am
I’m surprised that no one has posted their solution to puzzle 3 yet. Looks like I’ll be the first! My solution (with source code) is posted here:
http://www.thewilder.net/ForensicsContest3/
February 8, 2010 at 1:11 am
@Lou: see post on 2009-12-28, some answers are posted there
February 8, 2010 at 1:15 am
@Lou: Here you are:
*Sébastien DAMAYE (http://www.aldeid.com): http://www.aldeid.com/index.php/Network-forensics/Puzzle3
*hacktimes (http://www.hacktimes.com/): http://www.hacktimes.com/soluci_n_al_reto_forense_de_sans_puzzle_3/
*Amar (http://www.yousicurity.com/): http://www.yousicurity.com/2010/02/gzippednot-applejuice.html
*Franck G. (http://malphx.free.fr/): http://malphx.free.fr/dotclear/index.php?post/2010/02/06/Another-solution-to-the-Network-Forensics-Puzzle-3
February 8, 2010 at 10:23 am
Hi Sébastien,
So there they are! BTW, nice write-up. One of these days I’m going to learn Python.
February 8, 2010 at 3:24 pm
Lou, please don’t. From the looks of things, you’re doing just fine with Perl. For what it’s worth, you’ve gotten unofficial bonus points from me, as does anyone else who uses Perl for these challenges. 🙂
February 8, 2010 at 11:35 pm
@Jason: Extra points for Perl (not that I don’t like Perl but…)? Hope you’re joking. Python is such a robust, easy and nice language to learn? In addition, Python is used by serious network tools (W3AF, Scapy, nsm-console, …).
February 9, 2010 at 7:41 am
Sébastien, you’re probably right. Seeing programs like the ones you wrote and mentioned makes me want to learn Python. Then seeing what people can do reverse engineering malware makes me want to learn ASM. Exploit development makes me want to learn C. Web application security makes me want to learn PHP and Javascript, etc. The problem is I’m just now finally starting to get the hang of Perl, and there ain’t no way I’m going to be able to learn everything I want.
February 9, 2010 at 11:33 am
I can relate, Jason. I’ve wanted to learn Python and Ruby for some time now. I started learning Python about a year ago. Did some Facebook programming puzzles – the best way for me to learn is to actually try and solve a problem with a language. The month we have to work on these forensic puzzles is enough time for me to complete a solution in a language I’m not familiar with so I’ll probably stick with PERL unless I find lots of time or we get a really easy puzzle to solve.
February 9, 2010 at 11:41 am
Oops! significant error in my last post. Meant to say the month we have to work on these puzzles ISN’T enough time for me to complete a solution in a new language.
February 9, 2010 at 12:46 pm
On puzzle number three I decided to try and learn C to help solve it; the result was a basic C program that uses the winpcap lib to open a pcap file and parse through looking for the search strings. Not very impressive and not the best code, but it was my first C app.
http://svn.faulk.me/listing.php?repname=PCAP+Tools&path=%2Ftrunk%2Fpcap_appletv%2F&#ae9788ba0c093a92d435bff4908c662af
February 9, 2010 at 1:11 pm
> the month we have to work on these puzzles ISN’T enough
Speaking of which, what do you guys think is a good amount of time for solving the puzzles? How much time should we leave before the new puzzle comes out? We had a lot of requests to get the new puzzle out sooner, but now that we have, I get the impression it may have been a little too soon 🙂
February 9, 2010 at 1:29 pm
Here’s my 2 cents;
The time given to complete a puzzle should depend on the complexity of the puzzle and the level of details required in the answer; for example, although puzzle #4 is relatively middle ground in complexity, I suspect it’ll take a lot of time to automate a process with which you can figure out the type of scan being done. In short, it’s not super hard, but needs considerable time to automate.
The best time to release the new puzzle is at the same time you reveal the winners for the prior puzzle; I think people will be more motivated to work on the new puzzle that way.
February 9, 2010 at 1:52 pm
In addition to what Amar has said, announcing the prize at the same time as the puzzle might not be a bad idea.
February 9, 2010 at 4:27 pm
I thought the month for Puzzle 3 was fine. I didn’t find out about the contest until about halfway through January, and I knocked together my solution over the course of 4 or so evenings in a hotel on a trip. I’ve only spent an hour or so of cursory analysis of Puzzle 4’s pcap, but I estimate spending about the same amount of time on it.
February 9, 2010 at 5:27 pm
I spent one long day scripting for puzzle 2. It helped that I have managed SMTP services for quite some time and felt comfortable in that area. For puzzle 3, I only started with a basic understanding of HTTP and XML. I also decided early on to rely less on available PERL modules (due to difficulty getting some to install on some platforms) and write my own rudimentary XML
February 9, 2010 at 5:41 pm
… fat fingered and sent that last msg before I was done…
XML parser.
To answer Sherri’s question, I think 6 weeks would be better for those of us who want to put some time into scripts, along with hints like the ones given for puzzle 3 but earlier on in the contest. If the goal is to get some quality tools out of the solutions, then more time and some suggestions to get us thinking will really help. I’m sure you don’t want to squelch our creativity by giving too much direction. I thought the hints you gave last time gave me some good ideas for how I might have fine tuned my scripts.
Thanks for running the contest! I’ve been having a lot of fun with this.
February 9, 2010 at 8:02 pm
I’m not the one running the contest, but my opinion would be that if it were a much longer period of time, I probably wouldn’t participate. A one-month time limit sort of caps the amount of time anyone can spend on their submission, making it more likely that someone like me who can only put in spare time here and there (evenings on travel, etc) can be competitive. Much more time than that and it winds up leaving “weekend-project” territory and becoming a more serious project, which I don’t really have time for.
I think that after that one-month limit, whatever scripts are considered for addition to the SANS course material and toolkit can be tweaked and added to outside the context of the contest. For example, my Puzzle 3 tool is nice in my opinion, but could benefit from a lot of further hacking with other samples of AppleTV traffic, which I probably wouldn’t bother doing within the scope of a contest anyway. If it turned out to be a tool folks would actually use though, it’d be worth it.
February 14, 2010 at 7:33 pm
Are you going to list out the names of people that got the answers correct?
February 17, 2010 at 1:34 pm
Hi TJS,
Yes, definitely! We will be announcing the winners in the same format as last time.
best,
Sherri
February 23, 2010 at 3:52 am
@Sherri: still no result for puzzle #3? I guess you have much to do with all our answers 😉
February 23, 2010 at 4:02 am
Sébastien — Sorry for the wait! We’ve been building and testing the 50 netbooks for Orlando, so more hosed than usual on this end. We know you’re waiting and we’re excited to give away this shiny new AppleTV! Soon, we promise.
Sherri
February 27, 2010 at 1:48 am
We all know it is difficult to find a “universal” humor, something everyone would find funny. But I guess I found some kind of one (hope there is no copyright on that sentence)…
“Deadline for submitting the winner is 2/28/10 (11:59:59PM UTC-11) (In other words, if it’s still 2/28/10 anywhere in the world, you can submit the name of the winner.)”
In case you haven’t understood, that was humor 😉
February 27, 2010 at 4:26 am
Hi Sébastien,
That’s fair! We will make a big push this weekend and aim to get the winners published by your deadline of 2/28/10 (11:59:59PM UTC-11). Looking at all these great submissions, I think it’s going to be tight! (What do we win if we make it?? 😉)
Sherri
February 27, 2010 at 5:46 am
I would say the right to post a new puzzle 😛
March 3, 2010 at 11:21 pm
Winners are up! Sorry it took so long. You guys had great entries, and it was really tough to pick just one. Thank you all for making this so interesting and for building these fantastic tools for the community to use and play with.