Author: admin

Puzzle #8

Our latest puzzle was written by Eric Fulton, Jonathan Ham, and Sherri Davidoff.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

Meanwhile, next door…

Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses, pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even log in to administer his WAP at all!

You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?

You have been given a packet capture of Inter0ptik’s adventures, and have been asked to determine the following:

1) Joe’s WAP is beaconing. Based on the contents of the packet capture,
what are:
a. The SSID of his access point?
b. The BSSID of his access point?

2) How long is the packet capture, from beginning to end (in SECONDS –
please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in
the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
b. By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8) What were the administrative username and password of the targeted
wireless access point?

9) What was the WAP administrative passphrase changed to?
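Questions 1 through 6 are counting exercises over 802.11 headers, and a short script answers them more reliably than clicking through Wireshark filters. What follows is an added example, not part of the original puzzle or of any submission: it reads a libpcap file whose link type is raw 802.11 (105) or radiotap (127), assigns addresses to their roles from the ToDS/FromDS bits, pulls the SSID from the AP’s beacons, counts WEP data frames, tallies unique IVs per transmitting station for one BSSID, and names the station that sent the most deauthentication frames. The BSSID, attacker MAC, neighbouring BSS and SSID in the embedded sample capture are constructed for the example (only Joe’s station MAC comes from the puzzle text); to use it on the real file, pass its bytes to `analyse()` in place of `SAMPLE_PCAP`.

```python
import struct
from collections import Counter, defaultdict

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
# libpcap magic numbers -> (byte order, timestamp ticks per second); KeyError means not a pcap
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e6), b"\xa1\xb2\xc3\xd4": (">", 1e6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e9), b"\xa1\xb2\x3c\x4d": (">", 1e9)}

def mac(b): return ":".join("%02x" % x for x in b)

def iter_pcap(data):
    """Yield (timestamp in seconds, raw 802.11 frame) from a libpcap-format capture."""
    endian, tick = MAGICS[data[:4]]
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if linktype == LINKTYPE_RADIOTAP:       # strip the radiotap header (length field is always LE)
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError("unsupported link type %d" % linktype)
        yield sec + frac / tick, frame

def parse_80211(frame):
    """Decode the MAC header: type/subtype, addresses by role, and the WEP IV if there is one."""
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc & 0x0100), bool(fc & 0x0200), bool(fc & 0x4000)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # (dst, src, bssid) by ToDS/FromDS; a 4-address WDS frame has no BSSID among the first three
    roles = {(False, False): (a1, a2, a3), (True, False): (a3, a2, a1), (False, True): (a1, a3, a2)}
    dst, src, bssid = roles.get((to_ds, from_ds), (a1, a2, b""))
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if ftype == 2 and subtype & 8 else 0)
    iv = None
    if ftype == 2 and protected:
        key_hdr = frame[hdr:hdr + 4]
        # WEP = 3-byte IV + key-id byte; TKIP/CCMP set the ExtIV bit (0x20) in that byte instead
        if len(key_hdr) == 4 and not key_hdr[3] & 0x20:
            iv = key_hdr[:3]
    return dict(type=ftype, subtype=subtype, src=mac(src), dst=mac(dst),
                bssid=mac(bssid), iv=iv, body=frame[hdr:])

def beacon_ssid(body):
    ies, off = body[12:], 0          # skip timestamp (8) + beacon interval (2) + capabilities (2)
    while off + 2 <= len(ies):       # walk the information elements until the SSID (tag 0)
        tag, ln = ies[off], ies[off + 1]
        if tag == 0:
            return ies[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln
    return None

def analyse(pcap, ap_bssid):
    """Answer the beacon / duration / WEP-IV / deauth questions for the AP with BSSID ap_bssid."""
    first = last = ssid = None
    wep_frames, ivs, deauth = 0, defaultdict(set), Counter()
    for ts, frame in iter_pcap(pcap):
        first, last = ts if first is None else first, ts
        f = parse_80211(frame)
        if f["type"] == 0 and f["subtype"] == 8 and f["bssid"] == ap_bssid:    # beacon
            ssid = beacon_ssid(f["body"])
        elif f["type"] == 0 and f["subtype"] == 12:                             # deauthentication
            deauth[f["src"]] += 1
        elif f["iv"] is not None:                                               # WEP data frame
            wep_frames += 1
            if f["bssid"] == ap_bssid:
                ivs[f["src"]].add(f["iv"])
    attacker = deauth.most_common(1)[0][0] if deauth else None   # most prolific deauth sender
    others = set().union(*(s for m, s in ivs.items() if m != attacker))
    return dict(ssid=ssid, duration_s=round(last - first), wep_data_frames=wep_frames,
                unique_ivs=len(set().union(*ivs.values())), attacker=attacker,
                attacker_ivs=len(ivs.get(attacker, set())), other_ivs=len(others))

# --- constructed sample capture (hypothetical addresses and SSID; not Joe's real pcap) ---
AP, JOE, ATTACKER = bytes.fromhex("02000000aa01"), bytes.fromhex("001122334455"), bytes.fromhex("02000000bb02")
NEIGHBOR_AP, NEIGHBOR_STA, BCAST = bytes.fromhex("02000000cc03"), bytes.fromhex("02000000dd04"), b"\xff" * 6

def frame(fc, a1, a2, a3, body):
    """Minimal 3-address 802.11 frame: FC, duration 0, A1, A2, A3, sequence control 0, body."""
    return struct.pack("<H", fc) + b"\0\0" + a1 + a2 + a3 + b"\0\0" + body

def wep(src, bssid, iv):
    # FC 0x4108 = data, ToDS, Protected; body = IV + key id 0 + a few bytes of dummy ciphertext
    return frame(0x4108, bssid, src, BCAST, iv + b"\x00" + b"\x8a\x5c\x13\xe7\x01\x22\x9f\x40")

RECORDS = [
    (0.0, frame(0x0080, BCAST, AP, AP, b"\0" * 8 + struct.pack("<HH", 100, 0x0011) + b"\x00\x07TestNet")),
    (1.0, wep(JOE, AP, b"\x00\x00\x01")), (1.5, wep(JOE, AP, b"\x00\x00\x02")),
    (2.0, frame(0x00C0, JOE, ATTACKER, AP, struct.pack("<H", 2))),      # deauth Joe, reason code 2
    (3.0, wep(ATTACKER, AP, b"\x00\x00\x01")),                          # replayed IV, already seen
    (3.2, wep(ATTACKER, AP, b"\x00\x00\xa1")), (3.4, wep(ATTACKER, AP, b"\x00\x00\xa2")),
    (3.6, wep(ATTACKER, AP, b"\x00\x00\xa3")),
    (10.4, wep(NEIGHBOR_STA, NEIGHBOR_AP, b"\x00\x00\xff")),            # another BSS, not Joe's AP
]

def build_pcap(records, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, fr in records:
        out += struct.pack("<IIII", int(ts), int(round(ts % 1 * 1e6)), len(fr), len(fr)) + fr
    return out

SAMPLE_PCAP = build_pcap(RECORDS)
print(analyse(SAMPLE_PCAP, mac(AP)))
```

Two caveats the questions hint at: IVs are counted per BSSID, so the neighbouring BSS’s frames count toward the total in question 3 but not toward question 4; and attackers routinely spoof the AP’s address in deauthentication frames, so in a real capture confirm the attacker by correlating with the station that injected the replayed IVs rather than trusting the deauth source address alone.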

Submission Form
Deadline is 6/30/11 (11:59:59PM UTC-11) (In other words, if it’s still 6/30/11 anywhere in the world, you can submit your entry.)

PRIZE:
To be announced

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

Packet capture
Sha256sum: 969f82205739e4d912f7a4bddf3d22f591bfa8fa09c9690c88117d7477263b8b

Deadline is 5/31/11 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!
Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

More Contests!

Hello! Apologies for the lack of communications as of late, however new contests are coming soon. Expect regular contests and updates in the coming months, with the first contest of 2011 being posted some time next week.

Cheers!
Eric

2/9/2011 EDIT – Egads! It appears I spoke too soon. The next puzzle pcap’s are all done but a few things need to be done before the contest begins. Soon friends… -Eric

Puzzle #4 Winners

Here it is, finally, the announcement of the Puzzle #4 winner, finalists, and semifinalists. Once again, a huge congratulations to everyone who sent in correct answers to what was arguably our most difficult contest yet!

And as we’re sort of beginning to expect, we were totally blown away by the quality of the analysis we received. While there were lots of correct guesses at the “X-tra Credit”, many of you found solid ways to demonstrate (with references and citations) your passive fingerprinting of the active fingerprinting tool. Nice.

I’ll be following up with commentary and emails to a few of you and answering previous posts and the like, over the next few days. In the meantime, please do check out the Finalist submissions, particularly that of our winner… (drum roll)…

Sébastien Damaye has seriously thrown down the gauntlet on this one, and deserves an uncontested First Prize. (We’ve already begun to use his tools to look at other pcaps.)

At the core of the solution to this puzzle, and so many other similar real-world puzzles, is the ability to look at stochastic data, and do a sufficiently deep (and sometimes fuzzy) statistical analysis to determine what was going on. Lots of you made impressive inroads on how to shake out that analysis, but Sébastien gave us a new tool to bring things like sequence and acknowledgement number distributions into stark view. Rather than go on to describe his efforts further myself, I’ll direct you to his own impressive write-up at aldeid.com.

Congratulations, Sébastien! Your shiny new netbook is on its way soon!

Of course there are several other submissions we want to mention (in order of submission):

As a few other folks did, Eugenio Delfa began an excellent first pass with snort to look for malfeasance, and to identify the port scanner. His new Python script looks useful as well, allowing command-line statistical inspection without all the awk’ing and sorting I typically do with tcpdump or tshark output.

Eric Kollmann starts right off with a correct identification of nmap based on its known behavior, including the predictable things it does with SYN packets, and its use of a bogus ICMP code in the OS fingerprinting tests. His development of a new exe (“nfc”), and tweaks to Satori are welcome additions to his ongoing contributions to the community.

Arvind Doraiswamy submitted a perl script to extract and summarize flow data as well, and Adam Bray‘s pkts2db.pl & scansearcher.pl are solid contributions.

Thanks again to everyone who participated, and more than that, hold on to your hats. Puzzle #5 is imminent, and looks like a lot of fun!


Winner:

Sébastien Damaye (wins a Lenovo Netbook)

Finalists:

Adam Bray
Arvind Doraiswamy
Eric Kollmann
Eugenio Delfa

Semifinalists:

Ahmed Adel Mohamed
Christian
Garima
Jason Kendall
Juan Garrido & Pedro Sanchez
Peter Chong
Sterling Thomas
Tom Samstag
Vikrant

Correct:

Adam Bray
Ahmed Adel Mohamed
Anand Harikrishnan
Arvind Doraiswamy
Chad Stewart
Chris Steenkamp
Christian
David Clements
Eric Kollmann
Eugenio Delfa
Francisco Pecorella
Garima
Gustavo Delgado
Jason Kendall
Juan Garrido & Pedro Sanchez
Marco Castro
Masashi Fujiwara
Matt McKnew
Peter Chong
Sébastien Damaye (wins a Lenovo Netbook)
Sterling Thomas
Takuro Uetori
Tom Samstag
Vikrant
Winter Faulk

Puzzle #4 Answers

Here are the answers to Puzzle #4. Another big thanks to everyone who played. 🙂

Answer 1: 10.42.42.253
Answer 2: TCP Connect
Answer 3: 10.42.42.50, 10.42.42.56, & 10.42.42.25
Answer 4: 00:16:cb:92:6e:dc
Answer 5: 10.42.42.50
Answer 6: 135, 139

X-TRA CREDIT: The tool used was nmap. There are many ways to try to fingerprint the tool, but one fast way is to look at the TCP window sizes coming from the scanning system. In the case of nmap, some things stand out, including SYN packets with a window size of 31337. A Google search on that turns up Fyodor’s patent application. 🙂

The first scan, run with “nmap 10.42.42.1/24” would have yielded results that looked something like this:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-02 18:33 EST
All 1000 scanned ports on 10.42.42.25 are closed

Interesting ports on 10.42.42.50:
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn

All 1000 scanned ports on 10.42.42.56 are closed

Interesting ports on 10.42.42.253:
Not shown: 999 closed ports
PORT     STATE SERVICE
3128/tcp open  squid-http

Nmap done: 256 IP addresses (4 hosts up) scanned in 468.46 seconds

(Though of course you couldn’t have known about 10.42.42.253, which was the scanner itself, as it would have used the loopback interface for that, and so the external packet sniffer wouldn’t have seen those bits.)

The second scan, using nmap’s “-A” option would have yielded results like this:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-02 18:42 EST
All 1000 scanned ports on 10.42.42.25 are closed
MAC Address: 00:16:CB:92:6E:DC (Apple Computer)
Device type: phone|media device|general purpose|web proxy|specialized
Running: Apple embedded, Apple iPhone OS 1.X, Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, Blue Coat SGOS 5.X, FreeBSD 4.X, VMware ESX Server 3.0.X
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 10.42.42.50:
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn
MAC Address: 70:5A:B6:51:D7:B2 (Unknown)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows 2000 SP4, Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows

All 1000 scanned ports on 10.42.42.56 are closed
MAC Address: 00:26:22:CB:1E:79 (Unknown)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Interesting ports on 10.42.42.253:
Not shown: 999 closed ports
PORT     STATE SERVICE    VERSION
3128/tcp open  http-proxy Squid webproxy 2.7.STABLE3
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 – 2.6.25
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (4 hosts up) scanned in 78.42 seconds

(Again, you wouldn’t have seen nmap inspect the host it was running on, but the results are included for completeness.)

Puzzle #4 Update

After reviewing the submissions so far, it seems that question #2 is perhaps a little too ambiguous. We’re amending it to read:

For the FIRST port scan that MR. X conducted, what type was it?

If you’ve already posted a submission, please re-evaluate your answer accordingly, and feel free to re-submit!

Also, we’ll be extending the deadline by two weeks to 3/18/10.

Cheers!

Puzzle #4: The Curious Mr. X

While a fugitive in Mexico, Mr. X remotely infiltrates the Arctic Nuclear Fusion Research Facility’s (ANFRF) lab subnet over the Interwebs. Virtually inside the facility (pivoting through a compromised system), he conducts some noisy network reconnaissance. Sadly, Mr. X is not yet very stealthy.

Unfortunately for Mr. X, the lab’s network is instrumented to capture all traffic (with full content). His activities are discovered and analyzed… by you!

Here is the packet capture containing Mr. X’s activity. As the network forensic investigator, your mission is to answer the following questions:

1. What was the IP address of Mr. X’s scanner?
2. For the FIRST port scan that Mr. X conducted, what type of port scan was it? (Note: the scan consisted of many thousands of packets.) Pick one:

  • TCP SYN
  • TCP ACK
  • UDP
  • TCP Connect
  • TCP XMAS
  • TCP RST

3. What were the IP addresses of the targets Mr. X discovered?
4. What was the MAC address of the Apple system he found?
5. What was the IP address of the Windows system he found?
6. What TCP ports were open on the Windows system? (Please list the decimal numbers from lowest to highest.)
X-TRA CREDIT (You don’t have to answer this, but you get super bonus points if you do): What was the name of the tool Mr. X used to port scan? How can you tell? Can you reconstruct the output from the tool, roughly the way Mr. X would have seen it?
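The X-tra Credit discussion in the answers above and question 2 here both come down to the same packet-level checks, so here is an added example that automates them. It is not part of the contest material or of any submission: it parses Ethernet/IPv4/TCP frames, picks the scanner as the host with the most distinct host:port SYN targets, classifies the scan as TCP Connect when the scanner completes the handshake with an ACK after a SYN/ACK and as TCP SYN when it answers with a bare RST, lists the responding hosts and their open ports, and flags the 31337 window size that the answers point to. The hosts, ports and frames in the sample are constructed for the example, not taken from evidence04.pcap; to run it on the real capture, feed it raw Ethernet frames from whatever pcap reader you prefer.

```python
import struct
from collections import Counter, defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags, window) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4                     # Ethernet header + IHL*4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", frame[tcp_off:tcp_off + 16])
    return src, dst, sport, dport, off_flags & 0x1FF, window

def analyse_scan(frames):
    """Pick out the scanner, classify its scan, and list responding hosts, open ports and SYN windows."""
    pkts = [p for p in map(parse_tcp, frames) if p]
    probes = defaultdict(set)                                  # src -> {(dst, port)} hit with a bare SYN
    for src, dst, _, dport, flags, _ in pkts:
        if flags & SYN and not flags & ACK:
            probes[src].add((dst, dport))
    if not probes:
        return None
    scanner = max(probes, key=lambda s: len(probes[s]))        # most distinct host:port targets
    windows, responders, open_ports = Counter(), set(), defaultdict(set)
    pending, reply = set(), {}                                 # (target, port) that sent SYN/ACK; scanner's next flags
    for src, dst, sport, dport, flags, win in pkts:
        if src == scanner and flags & SYN and not flags & ACK:
            windows[win] += 1
        elif dst == scanner and (src, sport) in probes[scanner]:   # answer from a probed host:port
            responders.add(src)
            if flags & SYN and flags & ACK:
                open_ports[src].add(sport)
                pending.add((src, sport))
        elif src == scanner and (dst, dport) in pending and (dst, dport) not in reply:
            reply[(dst, dport)] = flags                        # what the scanner did after the SYN/ACK
    if any(f & ACK and not f & RST for f in reply.values()):
        scan_type = "TCP Connect"          # handshake completed, then closed by the OS stack
    elif any(f & RST for f in reply.values()):
        scan_type = "TCP SYN"              # half-open: scanner tears down with a raw RST
    else:
        scan_type = "undetermined (no open port answered)"
    return dict(scanner=scanner, scan_type=scan_type, targets=sorted(responders),
                open_ports={t: sorted(p) for t, p in open_ports.items()},
                syn_windows=dict(windows), nmap_window_hint=31337 in windows)

# --- constructed sample traffic (hypothetical addresses; not the contest pcap) ---
def tcp_frame(src, dst, sport, dport, flags, window=5840):
    """Ethernet/IPv4/TCP frame with zeroed MACs, checksums and sequence numbers."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\0" * 12 + b"\x08\x00" + ip + tcp

S, T1, T2 = "10.0.0.9", "10.0.0.20", "10.0.0.21"
SAMPLE_FRAMES = [
    b"\0" * 12 + b"\x08\x06" + b"\0" * 28,                                     # ARP, ignored
    tcp_frame(S, T1, 40001, 135, SYN), tcp_frame(T1, S, 135, 40001, SYN | ACK),
    tcp_frame(S, T1, 40001, 135, ACK), tcp_frame(S, T1, 40001, 135, RST | ACK),  # full connect, then close
    tcp_frame(S, T1, 40002, 139, SYN), tcp_frame(T1, S, 139, 40002, SYN | ACK),
    tcp_frame(S, T1, 40002, 139, ACK), tcp_frame(S, T1, 40002, 139, RST | ACK),
    tcp_frame(S, T1, 40003, 445, SYN), tcp_frame(T1, S, 445, 40003, RST | ACK),  # closed port
    tcp_frame(S, T2, 40004, 135, SYN), tcp_frame(T2, S, 135, 40004, RST | ACK),
    tcp_frame(S, T2, 40005, 22, SYN), tcp_frame(T2, S, 22, 40005, RST | ACK),
    tcp_frame(S, T1, 40006, 445, SYN, window=31337), tcp_frame(T1, S, 445, 40006, RST | ACK),  # OS-detection style probe
]

print(analyse_scan(SAMPLE_FRAMES))
```

The connect-versus-SYN distinction rests on what the scanner does after a SYN/ACK, so it can only be made for ports that were actually open; a scan that hit nothing but closed ports looks identical either way, which is why the function reports "undetermined" rather than guessing. The 31337 window is a hint, not proof: it comes from nmap’s OS-detection probes rather than from the port scan itself, so expect it only in captures where -O or -A was used.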

Deadline is 3/18/10 (11:59:59PM UTC-11) (In other words, if it’s still 3/18/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission form to submit your answers. Here is your evidence file:
http://forensicscontest.com/contest04/evidence04.pcap
MD5 (evidence04.pcap) = 804648497410b18d9a7cb1d4b2252ef7

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course. All authors will receive full credit for their work.

Deadline is 3/18/10 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.

Puzzle #1: Ann’s Bad AIM

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious– until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://forensicscontest.com/contest01/evidence01.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to [email protected]. Deadline is 9/10/09. Good luck!!