Puzzle #4 Winners

Here it is, finally, the announcement of the Puzzle #4 winner, finalists, and semifinalists. Once again, a huge congratulations to everyone who sent in correct answers to what was arguably our most difficult contest yet!

And as we’re sort of beginning to expect, we were totally blown away by the quality of the analysis we received. While there were lots of correct guesses at the “X-tra Credit”, many of you found solid ways to demonstrate (with references and citations) your passive fingerprinting of the active fingerprinting tool. Nice.

I’ll be following up with commentary and emails to a few of you and answering previous posts and the like, over the next few days. In the meantime, please do check out the Finalist submissions, particularly that of our winner… (drum roll)…

Sébastien Damaye has seriously thrown down the gauntlet on this one, and deserves an uncontested First Prize. (We’ve already begun to use his tools to look at other pcaps.)

At the core of the solution to this puzzle, and so many other similar real-world puzzles, is the ability to look at stochastic data and do a sufficiently deep (and sometimes fuzzy) statistical analysis to determine what was going on. Lots of you made impressive inroads on how to shake out that analysis, but Sébastien gave us a new tool that brings things like sequence and acknowledgement number distributions into stark view. Rather than go on to describe his efforts further myself, I’ll direct you to his own impressive write-up at aldeid.com.

Congratulations, Sébastien! Your shiny new netbook is on its way soon!

Of course there are several other submissions we want to mention (in order of submission):

As a few other folks did, Eugenio Delfa began an excellent first pass with Snort to look for malfeasance and to identify the port scanner. His new Python script looks useful as well, allowing command-line statistical inspection without all the awk’ing and sorting I typically do with tcpdump or tshark output.

Eric Kollmann starts right off with a correct identification of nmap based on its known behavior, including the predictable things it does with SYN packets, and its use of a bogus ICMP code in the OS fingerprinting tests. His development of a new exe (“nfc”), and tweaks to Satori are welcome additions to his ongoing contributions to the community.

Arvind Doraiswamy submitted a Perl script to extract and summarize flow data as well, and Adam Bray’s pkts2db.pl & scansearcher.pl are solid contributions.
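The two threads running through the finalist write-ups above, the distribution view of sequence and acknowledgement numbers that won it, and the nmap tells Eric keyed on (its SYN habits and the bogus ICMP code in its OS-detection probes), can be demonstrated in a few dozen lines. What follows is an added example written for this page, not any contestant’s script. It runs offline on constructed per-packet summaries (the same fields you would pull out with tshark -T fields), so no pcap is needed; the thresholds, tag names and the sample traffic are assumptions chosen for illustration, not a vendor signature.

```python
"""Passive fingerprinting of an active scanner from packet summaries.

Added example for this page, not any contestant's code. Works on
constructed per-packet summaries so it runs without a pcap. The
thresholds and tag names below are assumptions, not a proven signature.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Pkt:
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # tcp source port
    dport: int = 0       # tcp destination port
    flags: str = ""      # tcp flag letters: "S", "SA", "RA", ...
    seq: int = 0
    ack: int = 0
    itype: int = -1      # icmp type (8 = echo request, 0 = echo reply)
    icode: int = -1      # icmp code


def bogus_icmp_echo(pkts):
    """Echo requests whose code is not 0.

    RFC 792 defines the echo request code as 0, so a non-zero code means
    a hand-crafted probe rather than a stack-generated ping.
    Returns (src, dst, code) tuples."""
    return [(p.src, p.dst, p.icode)
            for p in pkts
            if p.proto == "icmp" and p.itype == 8 and p.icode != 0]


def syn_profile(pkts):
    """Per-source statistics over pure SYN packets (flags == "S").

    Distinct-value counts for sport/seq/ack are the cheap version of the
    distribution plots in the winning write-up: a sender that reuses one
    source port, or a constant ack value, stands out immediately."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.proto == "tcp" and p.flags == "S":
            by_src[p.src].append(p)
    profile = {}
    for src, syns in by_src.items():
        profile[src] = {
            "syns": len(syns),
            "targets": len({p.dst for p in syns}),
            "dports": len({p.dport for p in syns}),
            "sports": len({p.sport for p in syns}),
            "seqs": len({p.seq for p in syns}),
            "acks": len({p.ack for p in syns}),
        }
    return profile


def classify(pkts, min_dports=20):
    """Tag sources. Heuristics (assumptions, not a vendor signature):
    - "syn-scanner": SYNs to >= min_dports distinct ports, all from one source port
    - "crafted-icmp": sent an echo request with a non-zero code
    Returns {src: sorted tag list} for tagged sources only."""
    tags = defaultdict(set)
    for src, stats in syn_profile(pkts).items():
        if stats["dports"] >= min_dports and stats["sports"] == 1:
            tags[src].add("syn-scanner")
    for src, _dst, _code in bogus_icmp_echo(pkts):
        tags[src].add("crafted-icmp")
    return {src: sorted(t) for src, t in tags.items()}


def sample_capture():
    """Constructed traffic, not taken from the contest pcap:
    one raw-socket scanner (10.0.0.5) and one ordinary client (10.0.0.7)."""
    rng = random.Random(4)
    pkts = []
    # Scanner: 40 SYNs from a single source port with ack always 0, each
    # answered with RST/ACK, then an echo request with code 9 (the value
    # nmap's OS-detection documentation gives for its first echo probe).
    for port in range(1, 41):
        pkts.append(Pkt("tcp", "10.0.0.5", "10.0.0.9", 43210, port, "S",
                        seq=rng.getrandbits(32), ack=0))
        pkts.append(Pkt("tcp", "10.0.0.9", "10.0.0.5", port, 43210, "RA",
                        seq=0, ack=pkts[-1].seq + 1))
    pkts.append(Pkt("icmp", "10.0.0.5", "10.0.0.9", itype=8, icode=9))
    pkts.append(Pkt("icmp", "10.0.0.9", "10.0.0.5", itype=0, icode=0))
    # Client: three normal connections to port 80, fresh ephemeral source
    # port and fresh ISN per connection, each answered with SYN/ACK.
    for sport in (50001, 50002, 50003):
        pkts.append(Pkt("tcp", "10.0.0.7", "10.0.0.9", sport, 80, "S",
                        seq=rng.getrandbits(32), ack=0))
        pkts.append(Pkt("tcp", "10.0.0.9", "10.0.0.7", 80, sport, "SA",
                        seq=rng.getrandbits(32), ack=pkts[-1].seq + 1))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    for src, stats in syn_profile(cap).items():
        print(src, stats)
    print("crafted ICMP:", bogus_icmp_echo(cap))
    print("verdict:", classify(cap))
```

On the constructed capture the scanner shows 40 distinct destination ports from one source port and a single ack value, while the client shows one destination port from three source ports; only the scanner picks up both tags. Against a real pcap you would feed the same functions from tshark output and raise min_dports to whatever your network’s normal fan-out is.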

Thanks again to everyone who participated, and more than that, hold on to your hats. Puzzle #5 is imminent, and looks like a lot of fun!


Winner:

Sébastien Damaye (wins a Lenovo Netbook)

Finalists:

Adam Bray
Arvind Doraiswamy
Eric Kollmann
Eugenio Delfa

Semifinalists:

Ahmed Adel Mohamed
Christian
Garima
Jason Kendall
Juan Garrido & Pedro Sanchez
Peter Chong
Sterling Thomas
Tom Samstag
Vikrant

Correct:

Adam Bray
Ahmed Adel Mohamed
Anand Harikrishnan
Arvind Doraiswamy
Chad Stewart
Chris Steenkamp
Christian
David Clements
Eric Kollmann
Eugenio Delfa
Francisco Pecorella
Garima
Gustavo Delgado
Jason Kendall
Juan Garrido & Pedro Sanchez
Marco Castro
Masashi Fujiwara
Matt McKnew
Peter Chong
Sébastien Damaye (wins a Lenovo Netbook)
Sterling Thomas
Takuro Uetori
Tom Samstag
Vikrant
Winter Faulk

5 Comments

  1. I have not played for this one,
    but Well Done, Sébastien !

  2. Congratulations Sébastien! I had a feeling you’d win after seeing your solution. 🙂

  3. Thank you Franck and Adam for sharing this success with me. I would like to congratulate all of you guys with correct answers. I have reviewed some and I have the feeling that the level is going up. I would like to thank the forensicscontest team for making us discover new interesting things each time. Good luck for puzzle #5 to all of us.

  4. Congratulations Sébastien! I’m like Adam. After reading your writeup, I figured you had it…

    I’m just excited to be named a Semifinalist! I was only shooting for Correct Answers.