Puzzle #4 Answers

Here are the answers to Puzzle #4. Another big thanks to everyone who played. 🙂

Answer 1: 10.42.42.253
Answer 2: TCP Connect
Answer 3: 10.42.42.50, 10.42.42.56, & 10.42.42.25
Answer 4: 00:16:cb:92:6e:dc
Answer 5: 10.42.42.50
Answer 6: 135, 139

X-TRA CREDIT: The tool used was nmap. There are many ways to try to fingerprint the tool, but one fast way is to look at the TCP window sizes coming from the scanning system. In the case of nmap, some things stand out, including SYN packets with a window size of 31337. A Google search on that turns up Fyodor’s patent application. 🙂
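As an added illustration of the window-size check described above (example code, not part of the original puzzle or its pcap), this script tallies the TCP window sizes of pure SYN segments per source host in a libpcap file and flags any source that used 31337. The capture it parses is constructed inline from the puzzle's scanner and target addresses, and the ordinary client 10.42.42.99 is hypothetical.

```python
import struct
from collections import Counter, defaultdict

def parse_pcap(data):
    """Yield link-layer frames from a classic libpcap file (either byte order)."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    off = 24                                              # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def syn_window_sizes(frames):
    """Map source IP -> Counter of TCP window sizes on pure SYNs (SYN set, ACK clear)."""
    seen = defaultdict(Counter)
    for frame in frames:
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4                     # TCP header offset
        if frame[23] != 6:                                    # IP protocol 6 = TCP
            continue
        flags = frame[tcp + 13]
        if flags & 0x02 and not flags & 0x10:
            src = ".".join(str(b) for b in frame[26:30])
            seen[src][struct.unpack_from("!H", frame, tcp + 14)[0]] += 1
    return seen

def flag_scanners(windows, signature=31337, min_syns=3):
    """Sources with at least min_syns SYNs that used the signature window size."""
    return sorted(s for s, c in windows.items() if sum(c.values()) >= min_syns and signature in c)

def make_syn(src_ip, dst_ip, dport, window, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed capture (not the puzzle pcap): .253 probing .50, a SYN/ACK reply, hypothetical client .99
SAMPLE_PCAP = make_pcap([
    make_syn("10.42.42.253", "10.42.42.50", 135, 1024),
    make_syn("10.42.42.253", "10.42.42.50", 139, 1024),
    make_syn("10.42.42.253", "10.42.42.50", 445, 31337),
    make_syn("10.42.42.50", "10.42.42.253", 40000, 8192, flags=0x12),
    make_syn("10.42.42.99", "10.42.42.50", 80, 65535),
])
```

Against a real capture, replace SAMPLE_PCAP with the file's bytes; the SYN/ACK from the target is deliberately ignored so that only the probing side's window sizes are counted.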

The first scan, run with “nmap 10.42.42.1/24” would have yielded results that looked something like this:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-02 18:33 EST
All 1000 scanned ports on 10.42.42.25 are closed

Interesting ports on 10.42.42.50:
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn

All 1000 scanned ports on 10.42.42.56 are closed

Interesting ports on 10.42.42.253:
Not shown: 999 closed ports
PORT     STATE SERVICE
3128/tcp open  squid-http

Nmap done: 256 IP addresses (4 hosts up) scanned in 468.46 seconds

(Though of course you couldn’t have known about 10.42.42.253, which was the scanner itself, as it would have used the loopback interface for that, and so the external packet sniffer wouldn’t have seen those bits.)

The second scan, using nmap’s “-A” option would have yielded results like this:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-02 18:42 EST
All 1000 scanned ports on 10.42.42.25 are closed
MAC Address: 00:16:CB:92:6E:DC (Apple Computer)
Device type: phone|media device|general purpose|web proxy|specialized
Running: Apple embedded, Apple iPhone OS 1.X, Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, Blue Coat SGOS 5.X, FreeBSD 4.X, VMware ESX Server 3.0.X
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 10.42.42.50:
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn
MAC Address: 70:5A:B6:51:D7:B2 (Unknown)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows 2000 SP4, Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows

All 1000 scanned ports on 10.42.42.56 are closed
MAC Address: 00:26:22:CB:1E:79 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 10.42.42.253:
Not shown: 999 closed ports
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid webproxy 2.7.STABLE3
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.25
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 78.42 seconds

(Again, you wouldn’t have seen nmap inspect the host it was running on, but the results are included for completeness.)

3 Comments

  1. In case anyone is interested, my writeup can be found here:
    http://chatteronthewire.blogspot.com/2010/03/forensics-contest-4-answer.html

  2. Nice writeup Eric, I like nfc, nice tool.
    Feel free to review my writeup here: http://www.aldeid.com/index.php/Network-forensics/Puzzle4
    And also the tool I wrote in the shape of this puzzle: http://www.aldeid.com/index.php/Pyscanxtract

  3. Excellent work folks; Sébastien, I really liked your Pyscanxtract tool… way to go.
