Category: Puzzle #6

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)…. Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets. You can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

• Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
  Apple iPad – Sponsored by NetWitness Corporation
• Flip Video Recorder – Sponsored by MANDIANT Inc.
• F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
• Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
• Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
• 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time! 🙂

---

WINNERS: Wesley McGrew

Finalists: Erik Hjelmvik Leendert Pieter van Drimmelen Eric Kollmann Jeff Wichman Ruben Recabarren Iulian Anton Candice Quates

Semifinalists: Francesco Acchiappati Mark Hillick Richard Shawn O’Connell Ashish, Garima, Vikrant Jon Larimer

Correct Answers: Andy Patrick Brian Sommers Candice Quates Carlos Pérez López David Rodriguez Eric Kollmann Erik Hjelmvik Francesco Acchiappati Hsiang-Jen Shih Iulian Anton Jeremy Scott Jon Larimer Kazunori Kojima Leendert Pieter van Drimmelen Mark Hillick Masashi Fujiwara Peter Chong Rakesh Mukundan Richard Shawn O’Connell Ruben Recabarren Seth Leone & Ryan Sommers Takuro Uetori Wesley McGrew Winter Faulk Yogesh Khatri Zoher Anis

Here are the answers to Puzzle #6: Ann’s Aurora. Thanks to everyone who played!

(Note: There were a lot of questions about rounding for questions 4, 5, 8 and 10. Due to the confusion, we accepted both mathematically correct rounding and answers that were simply truncated to the nearest tenth.)

Answer 1: http://10.10.10.10:8080/index.php
Answer 2: vEI
Answer 3a: index.phpmfKSxSANkeTeNrah.gif
Answer 3b: df3e567d6f16d040326c7a0ea29a4f41
Answer 4: 1.3 seconds (will also accept 1.2)
Answer 5: 87.6 seconds (will also accept 87.5)
Answer 6a: Windows executable
Answer 6b: b062cb8344cd3e296d8868fbef289c7c
Answer 7a: Every third packet
Answer 7b: Every packet
Answer 7c: Every 10-15 seconds
Answer 8: 123.7 (will also accept 123.6)
Answer 9: b062cb8344cd3e296d8868fbef289c7c
Answer 10: 198.4

Hi everyone,

Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving files can be tricky, and here are some tips.

• The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
• You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. This is because foremost will identify the file type by its magic number, but it doesn’t remove the packet headers and reassemble the data. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
• To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation, extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily.

All right, I’ve probably said too much 🙂 Hope that helps you track down Ann’s sneaky activities. Have fun!

Our latest puzzle was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Hi! Recently we were challenged by SANS Fellow Rob Lee (author of “Computer Forensics” 508) to create a puzzle based on an Advanced Persistent Threat (APT). We thought this was a great idea! So this month we are doing a special release through the SANS Institute based on APT. SANS is sponsoring some especially cool prizes– check out the full puzzle and writeup here:

http://computer-forensics.sans.org/challenges/

The contest is a client-side attack based on Operation Aurora. This packet capture contains a full recording of a real Windows system getting exploited via the same mechanism that was used to exploit Google. Ann spear-phishes a developer, who clicks on a link and connects to her malicious web server. Then she configures the victim to make outbound persistent connection attempts to her server so that she can retain access and reconnect in the future.

We hope you have fun with this puzzle! We certainly had fun creating it. 🙂 To submit your answers, just use the Official Submission Form, as usual.

The Puzzle

Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…

You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…

1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
3. Vick’s computer made a second HTTP request for an object.
   1. What was the filename of the object that was requested?
   2. What is the MD5sum of the object that was returned?
4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
6. In packet 17, the malicious server sent a file to the client.
   1. What type of file was it? Choose one:
      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
   2. What was the MD5sum of the file?
7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
   1. How often does the TCP initial sequence number (ISN) change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
   2. How often does the IP ID change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
   3. How often does the source port change? (Choose one.)
      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Here is your evidence file: evidence06.pcap

• MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
• SHA256 (evidence06.pcap)= fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3

Prizes!

SANS worked with several vendors to put together a generous prize package for this contest. Rob writes, “This year we are offering multiple overall prizes. Some of these prizes have been offered by sponsoring vendors that support future digital forensics research, analysis, and the spirit of the competition. The winning team or individual will have their first choice at the prize list. Win in first place? First to choose your prize.” Here’s the list:

• Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner )
• Apple iPad – Sponsored by NetWitness Corporation
• Flip Video Recorder – Sponsored by MANDIANT Inc.
• F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
• Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
• Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for runner up prizes. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
• 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first. Full terms of use are available here.

Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it’s still 6/27/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission Form to submit your answers.

Warning: When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as PLAIN TEXT. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.

The contest materials are copyrighted. The files are for personal use only. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back to the original site at sans.org. Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Exceptional submissions may also be used as examples and tools in the Network Forensics course, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.

Deadline is 6/27/10 (11:59:59PM UTC-11). Here’s the Official Submission Form. Good luck!!

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.