Author: admin

We received several requests from DEFCON attendees asking us to post the decryption keys and answers for the DEFCON 2012 contest. The decryption keys and answers are posted below. We will post the list of winners, and a walk-through of the solutions soon. Thank you for playing!

Decryption Keys
Contest Container: W3lc0m3toNFPC2012@defcon
Round2: Aw3s0m3s4uc3@
Round3: DFC=w00t!
Round4: 4r3g3ttingh4rd
Round5: tHiswi11b3fun#
Round6: Th3R4c3is0n$

SPOILER ALERT!!!

Answers to DEFCON 2012 Contest Questions

Round 1 Answer: 99901

Round 2 Answer: Golden Alley

Round 3 Answer: ICdarkwater

Round 4 Answer: 15684-b5.12

Round 5 Answer: 2300

Round 6 Answer: Dogfort

Copywrite 2012, LMG Security. All rights reserved.

Join Eric Fulton on Thursday, June 14 at 1:00 PM ET for the BlackHat Webcast, “Network Forensics: Uncovering Secrets of Mobile Applications“. You might even learn something for contest 10…which will be presented live later today on PaulDotCom!

On the Internet, every action leaves a mark—in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind. But what about mobile devices? What seemingly innocuous information are they sharing with, and without, your knowledge?

In this webcast, watch as Eric Fulton analyzes mobile network traffic and discover some interesting details about your favorite applications. You will see him locate GPS co-ordinates, identify installed mobile applications, and more.

Hello Everyone!
It has been a busy year, and once again we find ourselves nearing Defcon where we run the wildly popular Network Forensics Puzzle Contest. We have some good things in store for the coming months and would like to share.

PaulDotCom
We are running a NFPC over at PaulDotCom in the coming month. When it’s live we will share the link here. You should also check out PaulDotCom for a heap of great articles and videos.

Blackhat USA 2012
Want to be taught by the people who literally wrote the book on Network Forensics? Register for their highly praised course “NETWORK FORENSICS: BLACK HAT RELEASE” to learn the latest techniques in the field of Network Forensics. You’ll even get the book at 25% off, since it is the course text.

Defcon 20
Going to DEFCON? Join us at for the annual DEFCON Network Forensics Puzzle Contest, and win a shiny new iPad!
 

Other updates can be found following our twitter (@LMGSecurity or @trisk3t), our LinkedIn Page, or our Facebook Page. Cheers!

Network Forensics Puzzle Contest #8 posed a serious challenge, requiring contestants to demonstrate an advanced knowledge of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is…Stefan S. Op de Beek ! Stefan wins a Buffalo Wireless Router for his correct answers and UTScapy test script. While the script didn’t work perfectly on my system, it is a great example of leveraging existing frameworks to analyze packet captures. Contestants, answers, and solutions below.

Contestants:
Joerg Gerschuetz
Winter Faulk
Aaron Wamapch
Kazunori Kojima
Adam Jenkins
Steeve Barbeau
Tyler Dean
Ward Perry
J-Michael Roberts
Anthony
Stefan S. of de Beek

Answers:
1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the packet capture?
$ tshark -r evidence08.pcap -R ‘((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)’|wc -l
A: 59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv’ -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2 attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv’ -T fields -e wlan.wep.iv|sort -u|wc -l
A: 14133 (14132 also accepted)

b) By all *other* stations combined?
$ tshark -r evidence08.pcap -R ‘(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv’ -T fields -e wlan.wep.iv|sort -u|wc -l
B : 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8.) What were the administrative username and password of the targeted wireless access point?
username: admin
passphrase: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00