Category: Contest

Deadline Extension!

Hello!
We have received *many* great submissions to the current contest; we have also received many requests to extend the deadline. Thus, we are going to extend the deadline. To those who haven’t submitted an answer yet, now you have more time! To those who have already submitted answers, consider creating a tool or adding more detail to your forensic analysis.

The new deadline is: June 30, 2011.
Same rules as before. Go have fun and solve some puzzles!

Cheers!
Eric

Puzzle #8 Prize!

The prize for Puzzle #8 is … a BUFFALO WZR-HP-AG300H ! I hope that gets you excited. A number of great submissions have already been made; remember, to make your submission stand out try including an in-depth narrative or innovative script to put yourself above the rest.

Cheers!
Eric

Puzzle #8

Our latest puzzle was written by Eric Fulton, Jonathan Ham, and Sherri Davidoff.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

Meanwhile, next door…

Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses, pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even login to administer his WAP at all!

You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?

You have been given a packet capture of Inter0pt1k’s adventures, and have been asked to determine the following:

1) Joe’s WAP is beaconing. Based on the contents of the packet capture,
what are:
a. The SSID of his access point?
b. The BSSID of his access point?

2) How long is the packet capture, from beginning to end (in SECONDS –
please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in
the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
b. By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8) What were the administrative username and password of the targeted
wireless access point?

9) What was the WAP administrative passphrase changed to?

Submission Form
Deadline is 6/30/11 (11:59:59PM UTC-11) (In other words, if it’s still 6/30/11 anywhere in the world, you can submit your entry.)

PRIZE:
To be announced

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

Packet capture
Sha256sum: 969f82205739e4d912f7a4bddf3d22f591bfa8fa09c9690c88117d7477263b8b

Deadline is 5/31/11 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!
Copyright 2011, Lake Missoula Group, LLC. All rights reserved.

Defcon 2010

For all those attending DEFCON 2010, we’ll be hosting a puzzle contest starting Friday afternoon in the contest area. It’s a race against time; the first person to complete the puzzle wins a brand-new iPad. We’ll be posting the packet capture here after the contest for those of you who like the intellectual challenge. Contest description below… See you there!

Ann Dercover is on the run, and you’re hot on her trail as she travels around the globe hacking companies, stealing intellectual property, launching 0-day attacks and setting up sneaky backdoors. *You are the forensic investigator.* You’ve got a packet capture of Ann’s network traffic. Can you analyze Ann’s malicious traffic and solve the crime by Sunday? Prize: Win a brand-spanking new Apple iPad!

cheers!
Eric

Puzzle #6 Winners

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)…. Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

  • Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
    Apple iPad – Sponsored by NetWitness Corporation
  • Flip Video Recorder – Sponsored by MANDIANT Inc.
  • F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
  • Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
  • Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
  • 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time! 🙂


WINNERS:

Wesley McGrew

Finalists:

Erik Hjelmvik
Leendert Pieter van Drimmelen
Eric Kollmann
Jeff Wichman
Ruben Recabarren
Iulian Anton
Candice Quates

Semifinalists:

Francesco Acchiappati
Mark Hillick
Richard Shawn O’Connell
Ashish, Garima, Vikrant
Jon Larimer

Correct Answers:

Andy Patrick
Brian Sommers
Candice Quates
Carlos Pérez López
David Rodriguez
Eric Kollmann
Erik Hjelmvik
Francesco Acchiappati
Hsiang-Jen Shih
Iulian Anton
Jeremy Scott
Jon Larimer
Kazunori Kojima
Leendert Pieter van Drimmelen
Mark Hillick
Masashi Fujiwara
Peter Chong
Rakesh Mukundan
Richard Shawn O’Connell
Ruben Recabarren
Seth Leone & Ryan Sommers
Takuro Uetori
Wesley McGrew
Winter Faulk
Yogesh Khatri
Zoher Anis

Puzzle #6 Answers

Here are the answers to Puzzle #6: Ann’s Aurora. Thanks to everyone who played!

(Note: There were a lot of questions about rounding for questions 4, 5, 8 and 10. Due to the confusion, we accepted both mathematically correct rounding and answers that were simply truncated to the nearest tenth.)

Answer 1: http://10.10.10.10:8080/index.php
Answer 2: vEI
Answer 3a: index.phpmfKSxSANkeTeNrah.gif
Answer 3b: df3e567d6f16d040326c7a0ea29a4f41
Answer 4: 1.3 seconds (will also accept 1.2)
Answer 5: 87.6 seconds (will also accept 87.5)
Answer 6a: Windows executable
Answer 6b: b062cb8344cd3e296d8868fbef289c7c
Answer 7a: Every third packet
Answer 7b: Every packet
Answer 7c: Every 10-15 seconds
Answer 8: 123.7 (will also accept 123.6)
Answer 9: b062cb8344cd3e296d8868fbef289c7c
Answer 10: 198.4

Contest #6 HINT!

Hi everyone,

Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving files can be tricky, and here are some tips.

  • The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
  • You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. This is because foremost will identify the file type by its magic number, but it doesn’t remove the packet headers and reassemble the data. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
  • To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation, extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily.

All right, I’ve probably said too much 🙂 Hope that helps you track down Ann’s sneaky activities. Have fun!

Puzzle #5 Winners

By Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.

We are very grateful to everyone who submitted answers to our Puzzle #5: Ms. Moneymany’s Mysterious Malware. Congratulations to everyone who provided correct answers to this network forensics puzzle with a malware twist.

Don Jackson submitted the solution that we picked as the winner of this contest. We were very impressed with the thoroughness of his description, with the attention to detail, and with the focus on network-related aspects of the incident. Reading Don’s solution made us feel like we are looking over the shoulder of the forensic analyst, as he formed theories and looked for evidence to substantiate or disprove them. Great job, Don, and congratulations on winning the Lenovo Ideapad netbook!

We also wanted to mention several other solutions that ranked close to the top:

We were impressed by the in-depth dive yulyul2003 took when looking at the inner-workings of the malicious executable. Though this level of detail was a bit outside the scope of this puzzle, we liked the analysis yulyul2003 performed of the infection and rootkit-related functionality of the specimen. This solution also provides excellent details regarding the infection mechanism.

Eugenio Delfa created a handy tool called castflow for carving PCAP files, which he used to extract files from the network traffic capture. Eugenio also performed some behavioral analysis of the malicious executable in the lab–we appreciated seeing these details in his write-up.

Iñaki Rodríguez showcased the use of tshark for analyzing network traffic–very nice. We also liked the use of Snort by dn1nj4 to examine the network traffic capture for signs of malicious activity.

Thanks to everyone who participated in this puzzle!

Winner:

Don Jackson (wins a Lenovo Netbook)

Finalists:

Bashar Ewaida
Christian North
dn1nj4
Eric Kollmann
Eugenio Delfa
Iñaki Rodríguez
Mark Hillick
Scott Cubic
yulyul2003

Correct:

Ahmed Adel Mohamed
Alan Tu
Ashish, Garima, Vikrant
Bobby
Candice Quates
Chet Kress
Dave Eilert
Don Jackson (winning submission)
Gaurav
Jeff Wichman
Joe Creasey
Masashi Fujiwara
Matt Erasmus
Param Singh
Parin
Peter Chong
Scott Cubic
Shane Kennedy
Takuro Uetori
Tareq Saade
Victor Ant Torre
Winter Faulk

Puzzle #6: Ann’s Aurora

Our latest puzzle was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Hi! Recently we were challenged by SANS Fellow Rob Lee (author of “Computer Forensics” 508) to create a puzzle based on an Advanced Persistent Threat (APT). We thought this was a great idea! So this month we are doing a special release through the SANS Institute based on APT. SANS is sponsoring some especially cool prizes– check out the full puzzle and writeup here:

http://computer-forensics.sans.org/challenges/

The contest is a client-side attack based on Operation Aurora. This packet capture contains a full recording of a real Windows system getting exploited via the same mechanism that was used to exploit Google. Ann spear-phishes a developer, who clicks on a link and connects to her malicious web server. Then she configures the victim to make outbound persistent connection attempts to her server so that she can retain access and reconnect in the future.

We hope you have fun with this puzzle! We certainly had fun creating it. 🙂 To submit your answers, just use the Official Submission Form, as usual.

The Puzzle

Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…

You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…

  1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
  2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
  3. Vick’s computer made a second HTTP request for an object.

    1. What was the filename of the object that was requested?
    2. What is the MD5sum of the object that was returned?
  4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  6. In packet 17, the malicious server sent a file to the client.

    1. What type of file was it? Choose one:

      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
    2. What was the MD5sum of the file?
  7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:

    1. How often does the TCP initial sequence number (ISN) change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    2. How often does the IP ID change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    3. How often does the source port change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
  8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
  10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Here is your evidence file: evidence06.pcap

  • MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
  • SHA256 (evidence06.pcap)= fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3

Prizes!

SANS worked with several vendors to put together a generous prize package for this contest. Rob writes, “This year we are offering multiple overall prizes. Some of these prizes have been offered by sponsoring vendors that support future digital forensics research, analysis, and the spirit of the competition. The winning team or individual will have their first choice at the prize list. Win in first place? First to choose your prize.” Here’s the list:

Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first. Full terms of use are available here.

Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it’s still 6/27/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission Form to submit your answers.

Warning: When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as PLAIN TEXT. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.

The contest materials are copyrighted. The files are for personal use only. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back to the original site at sans.org. Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Exceptional submissions may also be used as examples and tools in the Network Forensics course, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.

Deadline is 6/27/10 (11:59:59PM UTC-11). Here’s the Official Submission Form. Good luck!!

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.