33 Comments

  1. You’re right, these are the good answers. I think you’ll be the winner 😉
    Many thanks for this post, I think all of us appreciate it. Next step: we are now waiting for the next puzzle.

  2. I’d have a question: are you generating the pcap files each time with “real life” traffic (with a real AppleTV in the case of puzzle #3), or are you manually writing some of the entries? I ask because I’ve noticed a strange “Cneonction: close” in frame #1559. Depending on your answer, is that an Apple bug? Any explanation would be appreciated. Thanks in advance.

  3. sherri

    February 3, 2010 at 12:24 am

    Hi Sébastien,

    I saw that strange line on your blog, and I was surprised. We do “real life” captures and rarely edit packet contents. Mostly we just filter packets; once in a blue moon we need to edit out a personal detail, but we didn’t do any editing at all other than filtering on the AppleTV capture. It was just a brand-new out-of-the-box device connected to a hub.

    Curious! Whoever ends up with the AppleTV should check that out for us 🙂

  4. Hi,

    Congrats on the puzzle. It was fun. If you want to read a Spanish, quick-and-dirty solution with a detailed explanation of the questions, go to:

    http://hacktimes.com/soluci_n_al_reto_forense_de_sans_puzzle_3/

  5. Good luck to everyone who entered! I wasn’t able to find the time to work on an entry this time, but I look forward to seeing everyone’s solutions!

  6. Sébastien & Sherri:

    I poked around at the weird spellings of “Connection:” that you pointed out, and I found some explanation here:

    http://triosec.secniche.org/concepts/nncoe_req_exp.txt

    Apparently it’s a way for hardware load balancers to modify “Connection: close” to keep it from actually closing connections.

    I learn something new every day 😉

    Wesley
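
The load-balancer trick Wesley describes (rewriting “Connection: close” into an anagram such as “Cneonction: close” or “nnCoection: close” so the client no longer recognises the header and keeps the TCP connection open) is easy to hunt for in a capture once you know it exists. The following is an added example, not code from the thread, the contest, or any of the posted solutions: it scans raw HTTP messages for header names that are anagrams of “connection” (case-insensitive, since header names are) but are not spelled “connection”. The sample messages are constructed for the example and are not taken from the puzzle #3 capture; to use it on a pcap you would feed it the reassembled HTTP payloads from whatever parser you already wrote for the contest.

```python
"""Flag scrambled "Connection:" header names in raw HTTP messages.

Some hardware load balancers rewrite "Connection: close" into an anagram
(e.g. "Cneonction: close", "nnCoection: close") so that the client does not
recognise the header and therefore does not close the connection.  A header
name that is an exact anagram of "connection" but is not "connection" itself
is a useful fingerprint for that behaviour in a capture.
"""
import re
from collections import Counter

# One header line: a token (RFC 7230 tchar set) followed by ':' and a value.
HEADER_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n]*)", re.M)

CANONICAL = "connection"
CANONICAL_LETTERS = Counter(CANONICAL)


def is_scrambled_connection(name):
    """True if `name` is an anagram of "connection" other than the word itself.

    Header names are case-insensitive, so "CONNECTION" is not a finding, while
    any reordering of the same letters (e.g. "Cneonction") is.
    """
    lowered = name.lower()
    return lowered != CANONICAL and Counter(lowered) == CANONICAL_LETTERS


def parse_headers(message):
    """Return (start_line, [(name, value), ...]) for one raw HTTP message.

    Only the header block (up to the first blank line) is examined; the body,
    if any, is ignored.  Bytes are decoded as latin-1 so nothing can fail.
    """
    head = message.split(b"\r\n\r\n", 1)[0]
    first_line, _, rest = head.partition(b"\r\n")
    headers = [(n.decode("latin-1"), v.decode("latin-1"))
               for n, v in HEADER_RE.findall(rest)]
    return first_line.decode("latin-1"), headers


def find_scrambled(messages):
    """Scan a sequence of raw HTTP messages (requests or responses).

    Returns one finding per scrambled Connection header as a tuple of
    (message index, start line, header name as observed, header value).
    """
    findings = []
    for index, message in enumerate(messages):
        start_line, headers = parse_headers(message)
        for name, value in headers:
            if is_scrambled_connection(name):
                findings.append((index, start_line, name, value))
    return findings


# Constructed sample traffic for this example (not from the contest capture):
# two responses carrying scrambled names, one normal response, and one request
# with a misspelling that is NOT an anagram and must not be flagged.
SAMPLE_MESSAGES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nCneonction: close\r\n"
    b"Content-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nnnCoection: close\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 304 Not Modified\r\nConnection: close\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\nConnextion: keep-alive\r\n\r\n",
]

if __name__ == "__main__":
    for index, start_line, name, value in find_scrambled(SAMPLE_MESSAGES):
        print(f"message {index}: {start_line!r} -> {name}: {value}")
```

Because the check is on the letter multiset rather than a fixed list of known spellings, it also catches permutations you have not seen before; the trade-off is that it is limited to headers of exactly those letters, so a device that mangles a different header name would need its own canonical string added.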

  7. sherri

    February 3, 2010 at 6:10 pm

    Wesley,

    Wow! That’s really interesting. Thanks for digging that up. 🙂

    Sherri

  8. Hey there folks. While you’re busy awaiting the results of Contest #3, please feel free to chew on Contest #4, which we’ve just published.

    I hope you’ll find it both trivial and challenging. 😉

    /jonathan

  9. I’m surprised that no one has posted their solution to puzzle 3 yet. Looks like I’ll be the first! My solution (with source code) is posted here:

    http://www.thewilder.net/ForensicsContest3/

  10. @Lou: see post on 2009-12-28, some answers are posted there

  11. Hi Sébastien,

    So there they are! BTW, nice write-up. One of these days I’m going to learn Python.

  12. Lou, please don’t. From the looks of things, you’re doing just fine with Perl. For what it’s worth, you’ve gotten unofficial bonus points from me, as does anyone else who uses Perl for these challenges. 🙂

  13. @Jason: Extra points for Perl (not that I don’t like Perl, but…)? Hope you’re joking. Python is such a robust, easy and nice language to learn. In addition, Python is used by serious network tools (W3AF, Scapy, nsm-console, …).

  14. Sébastien, you’re probably right. Seeing programs like the ones you wrote and mentioned makes me want to learn Python. Then seeing what people can do reverse engineering malware makes me want to learn ASM. Exploit development makes me want to learn C. Web application security makes me want to learn PHP and Javascript, etc. The problem is I’m just now finally starting to get the hang of Perl, and there ain’t no way I’m going to be able to learn everything I want.

  15. I can relate, Jason. I’ve wanted to learn Python and Ruby for some time now. I started learning Python about a year ago. Did some Facebook programming puzzles – the best way for me to learn is to actually try and solve a problem with a language. The month we have to work on these forensic puzzles is enough time for me to complete a solution in a language I’m not familiar with so I’ll probably stick with PERL unless I find lots of time or we get a really easy puzzle to solve.

  16. Oops! significant error in my last post. Meant to say the month we have to work on these puzzles ISN’T enough time for me to complete a solution in a new language.

  17. On puzzle number three I decided to try and learn C to help solve it; the result was a basic C program that uses the WinPcap lib to open a pcap file and parse through it looking for the search strings. Not very impressive and not the best code, but it was my first C app.

    http://svn.faulk.me/listing.php?repname=PCAP+Tools&path=%2Ftrunk%2Fpcap_appletv%2F&#ae9788ba0c093a92d435bff4908c662af

  18. sherri

    February 9, 2010 at 1:11 pm

    > the month we have to work on these puzzles ISN’T enough

    Speaking of which, what do you guys think is a good amount of time for solving the puzzles? How much time should we leave before the new puzzle comes out? We had a lot of requests to get the new puzzle out sooner, but now that we have, I get the impression it may have been a little too soon 🙂

  19. Here’s my 2 cents:

    The time given to complete a puzzle should depend on the complexity of the puzzle and the level of details required in the answer; for example, although puzzle #4 is relatively middle ground in complexity, I suspect it’ll take a lot of time to automate a process with which you can figure out the type of scan being done. In short, it’s not super hard, but needs considerable time to automate.

    The best time to release the new puzzle is at the same time you reveal the winners for the prior puzzle; I think people will be more motivated to work on the new puzzle that way.

  20. In addition to what Amar has said, announcing the prize at the same time as the puzzle might not be a bad idea.

  21. I thought the month for Puzzle 3 was fine. I didn’t find out about the contest until about halfway through January, and I knocked together my solution over the course of 4 or so evenings in a hotel on a trip. I’ve only spent an hour or so of cursory analysis of Puzzle 4’s pcap, but I estimate spending about the same amount of time on it.

  22. I spent one long day scripting for puzzle 2. It helped that I have managed SMTP services for quite some time and felt comfortable in that area. For puzzle 3, I only started with a basic understanding of HTTP and XML. I also decided early on to rely less on available PERL modules (due to difficulty getting some to install on some platforms) and write my own rudimentary XML

  23. … fat fingered and sent that last msg before I was done…

    XML parser.

    To answer Sherri’s question, I think 6 weeks would be better for those of us who want to put some time into scripts, along with hints like the ones given for puzzle 3 but earlier on in the contest. If the goal is to get some quality tools out of the solutions, then more time and some suggestions to get us thinking will really help. I’m sure you don’t want to squelch our creativity by giving too much direction. I thought the hints you gave last time gave me some good ideas for how I might have fine-tuned my scripts.

    Thanks for running the contest! I’ve been having a lot of fun with this.

  24. I’m not the one running the contest, but my opinion would be that if it were a much longer period of time, I probably wouldn’t participate. A one-month time limit sort of caps the amount of time anyone can spend on their submission, making it more likely that someone like me who can only put in spare time here and there (evenings on travel, etc.) can be competitive. Much more time than that and it winds up leaving “weekend-project” territory and becoming a more serious project, which I don’t really have time for.

    I think that after that one-month limit, whatever scripts are considered for addition to the SANS course material and toolkit can be tweaked and added to outside the context of the contest. For example, my Puzzle 3 tool is nice in my opinion, but could benefit from a lot of further hacking with other samples of AppleTV traffic, which I probably wouldn’t bother doing within the scope of a contest anyway. If it turned out to be a tool folks would actually use though, it’d be worth it.

  25. Are you going to list out the names of people that got the answers correct?

  26. sherri

    February 17, 2010 at 1:34 pm

    Hi TJS,

    Yes, definitely! We will be announcing the winners in the same format as last time.

    best,
    Sherri

  27. @Sherri: still no result for puzzle #3? I guess you have much to do with all our answers 😉

  28. sherri

    February 23, 2010 at 4:02 am

    Sébastien — Sorry for the wait! We’ve been building and testing the 50 netbooks for Orlando, so more hosed than usual on this end. We know you’re waiting and we’re excited to give away this shiny new AppleTV! Soon, we promise.

    Sherri

  29. We all know it is difficult to find a “universal” humor, something everyone would find funny. But I guess I found some kind of one (hope there is no copyright on that sentence)…

    “Deadline for submitting the winner is 2/28/10 (11:59:59PM UTC-11) (In other words, if it’s still 2/28/10 anywhere in the world, you can submit the name of the winner.)”

    In case you haven’t understood, that was humor 😉

  30. sherri

    February 27, 2010 at 4:26 am

    Hi Sébastien,

    That’s fair! We will make a big push this weekend and aim to get the winners published by your deadline of 2/28/10 (11:59:59PM UTC-11). Looking at all these great submissions, I think it’s going to be tight! (What do we win if we make it?? 😉)

    Sherri

  31. I would say the right to post a new puzzle 😛

  32. sherri

    March 3, 2010 at 11:21 pm

    Winners are up! Sorry it took so long. You guys had great entries, and it was really tough to pick just one. Thank you all for making this so interesting and for building these fantastic tools for the community to use and play with.
