Page 3 of 6

Puzzle #8 Answers

1) Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?
SSID: Ment0rNet
BSSID: 00:23:69:61:00:d0

2) How long is the packet capture, from beginning to end (in SECONDS – please round to the nearest full second)?
414s

3) How many WEP-encrypted data frames are there total in the packet capture?
59274

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
29719

5) What was the MAC address of the station executing the Layer 2 attacks?
1c:4b:d6:69:cd:07

6) How many *unique* IVs were generated (relating to Joe’s access point):
a) By the attacker station?
14133
(We also accept 14132, as one of the IVs was *generated* by another station, and only *replayed* by the attacker’s station. See my comment #4 below.)
b) By all *other* stations combined?
15587

7) What was the WEP key of Joe’s WAP?
D0:E5:9E:B9:04

8.) What were the administrative username and password of the targeted wireless access point?
admin:admin

9) What was the WAP administrative passphrase changed to?
hahp0wnedJ00

Gearing Up for DEFCON 19!

We are totally psyched for DEFCON 19! The Network Forensics Puzzle Contest (NFPC) will be running in the contest area. Watch our DEFCON forum for updates this week. Prizes include a Verizon 3g Network Extender and $150 ThinkGeek gift certificate (many thanks to ThinkGeek for sponsoring that prize).

To whet your appetite even more, check out the hot new graphic on the DEFCON 19 NFPC CD, designed by Mr. Scott Fretheim:

Players can pick up their CDs at the contest booth starting Thursday @ 10:00 AM. The contest will officially start on Friday. (Of course, we’ll post the contest materials online afterwards, too, so everyone can check out the latest challenge, just for fun.

Cheers!

Puzzle #7 Answers

Here is the solution to Puzzle #7: Ann’s Dark Tangent (DEFCON 2010). There are many ways to arrive at the solution. Here is our method; there are other tools you can use to reach the same answer.

You received a CD containing, among other things, a packet capture: evidence-defcon2010.pcap

Check the MD5 sum:

$ md5sum evidence-defcon2010.pcap
7c416421a626600f86e3702df0cac8ef evidence-defcon2010.pcap

If you examine the packet capture, you will see that it contains WEP-encrypted wireless traffic.

Crack the WEP key. You can do this using aircrack-ng in less than one second:

$ aircrack-ng evidence-defcon2010.pcap
Opening evidence-defcon2010.pcap
Read 426642 packets.
# BSSID    ESSID    Encryption
1 00:1C:10:B3:CC:F0 w00t    WEP (98923 IVs)
Choosing first network as target.
Opening evidence-defcon2010.pcap

Once you have the WEP key, use it to decrypt the traffic:

$ airdecap-ng -w 4A:7D:B5:08:CD evidence-defcon2010.pcap
Total number of packets read    426642
Total number of WEP data packets 187650
Total number of WPA data packets 0
Number of plaintext data packets 0
Number of decrypted WEP packets 187650
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0

If you run strings on the packet capture (or view it in Wireshark), you will see IMAP and SMTP traffic, including an email with an attachment. This attachment is the key to the entire puzzle.

Dark Tangent,
I know you've been watching me. You should be able to figure out the =
location of our rendezvous point from my traffic. Contact me first with =
the name of the city where we will meet, and you win :-) I'll send you =
more details after that.=20
Ann
ps. See the attachment for a clue.

Carve out the email attachment. You can do this manually, or use the smtpdump tool by Franck Guénichot from Contest #2.

The email attachment is a GIF image, shown below:

There were five lines in the image, which read (from top to bottom):

App Store - App Name
Podcast Title
YouTube Video Title
Google Earth City Name
AIM Buddy Name

If you go through the packet capture, you will find that Ann used her iPad to:

  • Download the iPad app called “Solitaire”
  • Download and watch an Onion podcast called “Onion Radio News for Kids”
  • View a YouTube video called “Cry for Help – Rick Astley”
  • Search on Google Earth for “Hacker Valley, West Virginia”
  • IM her buddy, “inter0pt1c”

Line all the answers up, as shown in the GIF image, and read down the first column:

  • Solitaire
  • Onion Radio News for Kids
  • Cry for Help
  • Hacker Valley
  • inter0pt1c

The answer is “SOCHI”, a resort town in Russia where the winter Olympics will be held.

Thanks to everyone who played!

Puzzle #7 Winners

Over 221 teams registered to play Puzzle #7: Ann’s Aurora at DEFCON 18 (2010)! Each team was given a CD which contained the evidence, and teams were asked to text the answer to the phone at NFPC Headquarters. The first team to text the correct answer won the contest.

The Winner of Puzzle #7 (and the shiny new iPad) was (drumroll…)

Team Bam Bam!

These guys solved the puzzle after about 5 hours. We also have to give mad props to team Preset Kill Limit, who texted the correct answer just one minute after team Bam Bam. Wow, that was close!

Great job to everyone!

Puzzle #7: Ann’s Dark Tangent (DEFCON 2010)

At long last! Here is a copy of Puzzle #7, “Ann’s Dark Tangent,” which was run at Defcon 18 (2010). This contest was unusual in that the answer was a single word. The contest was open to DEFCON 18 attendees who were at the conference. Although the contest has long since closed, you might enjoy playing around with the packet capture, which contains wireless iPad traffic.

Ann has arranged a rendezvous with Dark Tangent. You are the forensic investigator. Can you figure out their destination?

Here’s a copy of their network traffic:

evidence-defcon2010.pcap
MD5sum: 7c416421a626600f86e3702df0cac8ef

The first team to submit the correct answer wins a brand new Apple iPad.

A few notes:
1. You will not get the correct answer simply by running “strings” on the packet capture. It is more complicated than that.
2. Please do not attempt to brute-force the answer by guessing. We reserve the right to cut you off from submitting answers if you abuse the privilege.

Have fun! 🙂

Puzzle #7 was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.

Contest Closed!

We are currently in the process of grading submissions. This may take a few weeks, but rest assured we will announce the contest winners and results within the month.

Our next contest will be held at Defcon, August 4-7. We will probably post the contest/answers here when it’s over and we’ve recovered from Vegas.

Cheers!
Eric

The Final Days

Contestants!
The Network Forensics Puzzle Contest (“NFPC”) has proved to be quite a challenge for some. While a number of contestants have submitted correct answers, very few have accompanied their submission with additional narrative and/or tools. If you’ve already submitted, double check your answers and perhaps add a little extra to what you had before. It could be the difference that nets you a prize! We will be closing the contest on June 30th, and will post answers/winners soon after. Happy hunting!

Cheers!
Eric

Deadline Extension!

Hello!
We have received *many* great submissions to the current contest; we have also received many requests to extend the deadline. Thus, we are going to extend the deadline. To those who haven’t submitted an answer yet, now you have more time! To those who have already submitted answers, consider creating a tool or adding more detail to your forensic analysis.

The new deadline is: June 30, 2011.
Same rules as before. Go have fun and solve some puzzles!

Cheers!
Eric

Puzzle #8 Prize!

The prize for Puzzle #8 is … a BUFFALO WZR-HP-AG300H ! I hope that gets you excited. A number of great submissions have already been made; remember, to make your submission stand out try including an in-depth narrative or innovative script to put yourself above the rest.

Cheers!
Eric

Puzzle #8

Our latest puzzle was written by Eric Fulton, Jonathan Ham, and Sherri Davidoff.

Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?

Meanwhile, next door…

Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses, pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even login to administer his WAP at all!

You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?

You have been given a packet capture of Inter0pt1k’s adventures, and have been asked to determine the following:

1) Joe’s WAP is beaconing. Based on the contents of the packet capture,
what are:
a. The SSID of his access point?
b. The BSSID of his access point?

2) How long is the packet capture, from beginning to end (in SECONDS –
please round to the nearest full second)?

3) How many WEP-encrypted data frames are there total in the packet capture?

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in
the packet capture relating to Joe’s access point?

5) What was the MAC address of the station executing the Layer 2 attacks?

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
b. By all *other* stations combined?

7) What was the WEP key of Joe’s WAP?

8) What were the administrative username and password of the targeted
wireless access point?

9) What was the WAP administrative passphrase changed to?

Submission Form
Deadline is 6/30/11 (11:59:59PM UTC-11) (In other words, if it’s still 6/30/11 anywhere in the world, you can submit your entry.)

PRIZE:
To be announced

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a an approved Open Source License. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified. Also, please understand that the contest materials are copyrighted and that we’re offering them publicly for the community to enjoy. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back. If you are interested in using the contest materials for other purposes, just ask first.

Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics course or book. All authors will receive full credit for their work.

Packet capture
Sha256sum: 969f82205739e4d912f7a4bddf3d22f591bfa8fa09c9690c88117d7477263b8b

Deadline is 5/31/11 (11:59:59PM UTC-11). Here’s the Official Submission form. Good luck!!
Copyright 2011, Lake Missoula Group, LLC. All rights reserved.