Author: admin

DEFCON 2012 Contest: Decryption Keys and Answers

We received several requests from DEFCON attendees asking us to post the decryption keys and answers for the DEFCON 2012 contest. The decryption keys and answers are posted below. We will post the list of winners, and a walk-through of the solutions soon. Thank you for playing!

Decryption Keys
Contest Container: W3lc0m3toNFPC2012@defcon
Round2: Aw3s0m3s4uc3@
Round3: DFC=w00t!
Round4: 4r3g3ttingh4rd
Round5: tHiswi11b3fun#
Round6: Th3R4c3is0n$

SPOILER ALERT!!!

Answers to DEFCON 2012 Contest Questions

Round 1 Answer: 99901

Round 2 Answer: Golden Alley

Round 3 Answer: ICdarkwater

Round 4 Answer: 15684-b5.12

Round 5 Answer: 2300

Round 6 Answer: Dogfort

Copyright 2012, LMG Security. All rights reserved.

Network Forensics: Uncovering Secrets of Mobile Applications

Join Eric Fulton on Thursday, June 14 at 1:00 PM ET for the BlackHat Webcast, “Network Forensics: Uncovering Secrets of Mobile Applications”. You might even learn something for contest 10…which will be presented live later today on PaulDotCom!

On the Internet, every action leaves a mark—in routers, firewalls, web proxies, and within network traffic itself. When a hacker breaks into a bank, or an insider smuggles secrets to a competitor, evidence of the crime is always left behind. But what about mobile devices? What seemingly innocuous information are they sharing with, and without, your knowledge?

In this webcast, watch as Eric Fulton analyzes mobile network traffic and discover some interesting details about your favorite applications. You will see him locate GPS co-ordinates, identify installed mobile applications, and more.

PaulDotCom, Blackhat USA 2012, Defcon #20

Hello Everyone!
It has been a busy year, and once again we find ourselves nearing Defcon where we run the wildly popular Network Forensics Puzzle Contest. We have some good things in store for the coming months and would like to share.

PaulDotCom
We are running an NFPC over at PaulDotCom in the coming month. When it’s live we will share the link here. You should also check out PaulDotCom for a heap of great articles and videos.

Blackhat USA 2012
Want to be taught by the people who literally wrote the book on Network Forensics? Register for their highly praised course “NETWORK FORENSICS: BLACK HAT RELEASE” to learn the latest techniques in the field of Network Forensics. You’ll even get the book at 25% off, since it is the course text.

Defcon 20
Going to DEFCON? Join us at for the annual DEFCON Network Forensics Puzzle Contest, and win a shiny new iPad!
 

Other updates can be found by following our Twitter (@LMGSecurity or @trisk3t), our LinkedIn Page, or our Facebook Page. Cheers!

Puzzle #8 Winners

Network Forensics Puzzle Contest #8 posed a serious challenge, requiring contestants to demonstrate an advanced knowledge of protocols and meticulous attention to detail. Thank you to everyone who submitted an entry for Puzzle #8, and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of this contest is… Stefan S. Op de Beek! Stefan wins a Buffalo Wireless Router for his correct answers and UTScapy test script. While the script didn’t work perfectly on my system, it is a great example of leveraging existing frameworks to analyze packet captures. Contestants, answers, and solutions below.

Contestants:
Joerg Gerschuetz
Winter Faulk
Aaron Wamapch
Kazunori Kojima
Adam Jenkins
Steeve Barbeau
Tyler Dean
Ward Perry
J-Michael Roberts
Anthony
Stefan S. Op de Beek

Answers:
1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
A: 414s

3) How many WEP-encrypted data frames are there total in the packet capture?
$ tshark -r evidence08.pcap -R '((wlan.fc.type_subtype == 0x20) && (wlan.fc.protected == 1)) && (wlan.bssid == 00:23:69:61:00:d0)' | wc -l
A: 59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 29719

5) What was the MAC address of the station executing the Layer 2 attacks?
A: 1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?

$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa == 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 14133 (14132 also accepted)

b) By all *other* stations combined?
$ tshark -r evidence08.pcap -R '(wlan.bssid == 00:23:69:61:00:d0) && (wlan.sa != 1c:4b:d6:69:cd:07) && wlan.wep.iv' -T fields -e wlan.wep.iv | sort -u | wc -l
A: 15587

7) What was the WEP key of Joe’s WAP?
$ aircrack-ng -b 00:23:69:61:00:d0 evidence08.pcap
A: D0:E5:9E:B9:04

8) What were the administrative username and password of the targeted wireless access point?
username: admin
passphrase: admin

9) What was the WAP administrative passphrase changed to?
passphrase: hahp0wnedJ00

Puzzle #9 Winners

Over 200 teams entered the Network Forensics Puzzle Contest at DEFCON 19. Five teams were able to finish the challenge during the DEFCON conference. Congratulations to this year’s winning team: “5154c”! It was a really close match. Each of the top three teams came in only 15 minutes apart. We really hope all of you enjoyed competing, and we look forward to seeing you again next year!

Top Ten Finalists at DEFCON 19:

1. 5154c (Winner!)
2. C2 eye
3. Barnhaus Crew
4. ArchMage
5. PSKL
6. Team Cheese
7. 8008
8. Team Moosey Fate
9. Chippendales
10. Kyle Bragle

Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Puzzle #8 Answers

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
414s

3) How many WEP-encrypted data frames are there total in the packet capture?
59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
29719

5) What was the MAC address of the station executing the Layer 2 attacks?
1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
14133
(We also accept 14132, as one of the IVs was *generated* by another station, and only *replayed* by the attacker’s station. See my comment #4 below.)
b) By all *other* stations combined?
15587

7) What was the WEP key of Joe’s WAP?
D0:E5:9E:B9:04

8) What were the administrative username and password of the targeted wireless access point?
admin:admin

9) What was the WAP administrative passphrase changed to?
hahp0wnedJ00
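
The counts in question 6 can be cross-checked against question 4: 14133 + 15587 = 29720, one more than the 29719 unique IVs, which is the single IV another station generated and the attacker replayed. The script below is an added example, not part of the original post or the contest solutions; it attributes each IV to the station that sent it first, assuming tab-separated `tshark -T fields -e wlan.sa -e wlan.wep.iv` output in capture order. The sample rows, the non-attacker MAC addresses and the IV values are constructed.

```python
from collections import defaultdict

ATTACKER = "1c:4b:d6:69:cd:07"  # attacker station MAC from answer 5

# Constructed sample rows (source MAC <TAB> WEP IV), NOT from evidence08.pcap.
# The other MAC addresses and all IV values are made up for illustration.
SAMPLE = (
    "00:11:22:33:44:55\t0x0a1b2c\n"   # legitimate station generates an IV
    "00:11:22:33:44:55\t0x0a1b2d\n"
    "1c:4b:d6:69:cd:07\t0x0a1b2c\n"   # attacker replays that captured frame
    "1c:4b:d6:69:cd:07\t0x5f0001\n"   # attacker's own injected frames
    "1c:4b:d6:69:cd:07\t0x5f0002\n"
    "1c:4b:d6:69:cd:07\t0x5f0002\n"   # duplicate IV, counted once
    "00:11:22:33:44:66\t0x0a1b2e\n"
    "\t\n"                            # row with empty fields, skipped
)


def iv_stats(lines, attacker=ATTACKER):
    """Count unique WEP IVs per sender and separate replayed from generated."""
    attacker = attacker.lower()
    first_sender = {}           # IV -> station seen sending it first
    sent_by = defaultdict(set)  # station -> unique IVs it transmitted
    for line in lines:
        parts = line.strip("\r\n").split("\t")
        if len(parts) != 2 or not all(parts):
            continue            # ignore malformed or empty rows
        sa, iv = parts[0].lower(), parts[1].lower()
        sent_by[sa].add(iv)
        first_sender.setdefault(iv, sa)  # assumes rows are in capture order
    atk = sent_by.get(attacker, set())
    others = set().union(*(v for k, v in sent_by.items() if k != attacker))
    replayed = {iv for iv in atk if first_sender[iv] != attacker}
    return {
        "total_unique": len(first_sender),
        "attacker_sent": len(atk),                  # counts replayed IVs too
        "attacker_generated": len(atk - replayed),  # excludes replayed IVs
        "others_sent": len(others),
        "replayed_by_attacker": sorted(replayed),
    }


if __name__ == "__main__":
    for key, value in iv_stats(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

On the constructed sample, attacker_sent plus others_sent exceeds total_unique by exactly the number of replayed IVs, the same relationship the contest answers show.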

Contest Closed!

We are currently in the process of grading submissions. This may take a few weeks, but rest assured we will announce the contest winners and results within the month.

Our next contest will be held at Defcon, August 4-7. We will probably post the contest/answers here when it’s over and we’ve recovered from Vegas.

Cheers!
Eric

The Final Days

Contestants!
The Network Forensics Puzzle Contest (“NFPC”) has proved to be quite a challenge for some. While a number of contestants have submitted correct answers, very few have accompanied their submission with additional narrative and/or tools. If you’ve already submitted, double check your answers and perhaps add a little extra to what you had before. It could be the difference that nets you a prize! We will be closing the contest on June 30th, and will post answers/winners soon after. Happy hunting!

Cheers!
Eric

Deadline Extension!

Hello!
We have received *many* great submissions to the current contest; we have also received many requests to extend the deadline. Thus, we are going to extend the deadline. To those who haven’t submitted an answer yet, now you have more time! To those who have already submitted answers, consider creating a tool or adding more detail to your forensic analysis.

The new deadline is: June 30, 2011.
Same rules as before. Go have fun and solve some puzzles!

Cheers!
Eric

Puzzle #8 Prize!

The prize for Puzzle #8 is … a BUFFALO WZR-HP-AG300H! I hope that gets you excited. A number of great submissions have already been made; remember, to make your submission stand out try including an in-depth narrative or innovative script to put yourself above the rest.

Cheers!
Eric