• The Fifth Underhanded C Contest – the scope is to write benign looking code which would pass trough a code-review (and/or there is plausible deniability for the coder), but which does some evil things. Found it via slashdot. Some of the previous solutions are truly ingenious.
• From the Forensics Contest comes Ann’s AppleTV, where you can win … Ann’s AppleTV of course!
• Forensic Practical Exercise #3 – no prizes, just fun (and it isn’t all that simple either!). If you don’t own encase, you can transform the provided image into a DD style raw image using the Sleuth Kit:

  img_cat.exe -v -i ewf Forensic_Practical_3.E01 > dd.raw

  Just consider that the resulting image will be around 4G (because the thumb drive it imaged was 4G).

Good luck to everyone!

PS. The current Ethical Hacker Challenge is still open until the 11th of January.

• Miracle on Thirty-Hack Street from ethicalhacker.net
• the sevenfour challenges (a “keygen-me” type of challenge)

Bonus content:

• t2’09 challenge solutions (via the Reverse Engineering Reddit)
• Hacking Challenges: Have Fun Improving Your Skills! [PDF] – presentation from the RaDaJo guys

Have fun!

Picture taken from ChrisDag’s photostream with permission.

• SSHliders – from ethicalhacker.net. This one is centered around *nix shell scripting and more advanced topics like pipes.
• Hugi Size Coding Compo #29 (from Hugi) – not much time left there, the deadline is the 28th of October. No flashy prizes either, just the bragging rights that you’ve created something useful in less than 124 bytes (the current leader)

Also, the solution to the Prison Break EH challenge has been posted (on EH.net with additional videos on the radajo blog). There is a lot of cool networking info in there, worth the read!

Have fun!

The first one is 0x41414141.com. Just go to the site and you can start directly. As far as I know, this is not time-bound.

The second one is spargecoduasta.com (“break this code”). It is put up by BitDefender and I don’t know if it has a time limit. The levels I’ve seen seem to focus on C/C++. It is available in both Romanian and English.

Finally, a little off-topic, but still a challenge: The Science Knowledge Quiz – with the tagline “Are you more science-savvy than the average American?”. Via Pat’s Daily Grind (I’ve got 11 out of the 12).

Have fun!

After validating that the MD5 sum for the downloaded file matches the one specified on the website, I first opened it up in NetworkMiner (http://networkminer.sourceforge.net/). I find the overview it gives much easier to understand than the statistics provided by Wireshark. Using it I identified the data stream between Ann’s computer and the unidentified laptop.

1. What is the name of Ann’s IM buddy?
Sec558user1 – this is tricky because the IM (which seems to be AOL – but many other IM’s behave in a similar fashion) routes chat traffic trough central servers (64.12.24.50 in this case – which belongs to AOL, making it even more probable that AIM was used) to make NAT traversal a non-issue, while file transfers are done trough direct connection to conserve bandwidth.

2. What was the first comment in the captured IM conversation?
Here’s the secret recipe… I just downloaded it from the file server. Just copy to a thumb drive and you’re good to go >:-)
(actually, > is escaped as HTML – ie >)

3. What is the name of the file Ann transferred?
recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?
50 4B 03 04 – Which corresponds to PK…, signaling that we are potentially dealing with a ZIP archive here. This is further reinforced by the filename (.docx, which is the new "open" document format from Microsoft – basically, it consists out of a zipped XML – similarly to the OpenOffice.org format)

5. What was the MD5sum of the file?
8350582774e1d4dbe1d61d64c89e0ea1

This is again tricky, because ZIP (like many other formats) admit arbitrary data after the logical end of the file. So, using a hex editor, we first carve the the part starting at PK in the 192.168.1.158 -> 192.168.1.159 (be careful not to include the traffic in the reverse direction). Then we need to convince ourselves that the end of the file has been correctly identified at the byte level. To do this we could study the ZIP specification (http://www.pkware.com/index.php?option=com_content&task=view&id=64&Itemid=107) or use a more empirical level: using a hex editor (HxD for example – http://mh-nexus.de/en/hxd/) eliminate the last byte of the file and "test" the integrity of the file (using the Test option from 7-zip for example – http://www.7-zip.org/ – but one could use almost any de-archiving program, since almost all of them offer a "Test" option). The test will fail. Now add back the last byte (which is 0x00) and perform the test again. It will succeeded. This means with a big probability that we correctly identified the actual (logical) end of the file.

6. What is the secret recipe?
The most recent version of OpenOffice.org (3.1.x) can open the docx format, so the following can be retrieved on any platform, regardless of whether MS Office 2007 is installed (an alternative solution would be to use the free MS Word 2007 viewer or the import filters available for older versions of MS Office).

The contents (sans the formatting):
Recipe for Disaster:
1 serving
Ingredients:
4 cups sugar
2 cups water
In a medium saucepan, bring the water to a boil. Add sugar. Stir gently over low heat until sugar is fully dissolved. Remove  the  saucepan from heat.  Allow to cool completely. Pour into gas tank. Repeat as necessary.

Challenge Question 1: What is the most probable reason Michael could not get network connectivity from the desk Ethernet jack?  What actions should the team take to determine exactly what is going on, collect full traffic captures, and gain full access to the network?

Most probably the switch to which the given port is connected has MAC address filtering turned on. To circumvent this, they must clone the MAC address of the VOIP phone.

The easiest way to do this is to start capturing the traffic on the network interface of the laptop and then plug the VOIP phone into it. The initial packets (most probably DHCP requests) will reveal the phone MAC address. Sidenote: most ethernet ports these days are auto-sensing (ie. no crossover cable is required). But just to make sure, one should use a crossover cable or an intermediate switch (not hub!) is one is available. After the MAC address has been determined, the host OS should be instructed to use the given MAC address for the laptop network card. You can find instructions for Linux here: http://linuxhelp.blogspot.com/2005/09/how-to-change-mac-address-of-your.html and for Windows here: http://www.irongeek.com/i.php?page=security/changemac

Sidenote: given that the packet captures show two distinct networks (192.168.1.0/24 and 172.29.0.0/16), it is clear that the administrators have tried to separate the computer networks from the VOIP one. However, relying only on different (sub-)nets is extremely weak and at least VLAN level separation should have been implemented (then again, maybe the available switches don’t have VLAN features). 172.29.0.0/16 most probably is the VOIP network, since we see SIP packets on it and 192.168.1.0/24 the computer network.

If only MAC filtering is implemented, after changing the MAC address, it is possible to join any of the two available networks, meaning that they can interact with the "computer" network, even if the given port was originally assigned to a VOIP phone.

Challenge Question 2: What tool should Lincoln download, if any, to be able to capture traffic on the desktop computer?

Sectools.org contains a nice list of available packet sniffers ( http://sectools.org/sniffers.html ). Given the constraints, my tool of choice would be WinDump, the Windows port of tcpdump ( http://www.winpcap.org/windump/install/ )

Challenge Question 3: Starting with the reverse connection from the desktop computer, describe a step-by-step approach that could be applied prior to 09:00 the next day in order to capture the network traffic on the remote network and get a capture file for further in-depth analysis. Make sure your approach follows Michael’s advice to avoid detection.

• download WinDump ( http://www.winpcap.org/windump/install/bin/windump_3_9_5/WinDump.exe ) and WinPcap to the laptop
• use the instructions provided at the following link to construct a portable version of WinPcap: http://paperlined.org/apps/wireshark/winpcap_silent_install.html
• you can package up all the files (WinDump and the WinPcap DLLs + driver) into a single file using the SFX functionality from 7zip. To make sure that you don’t get under the 0.5 meg limit, use Zip with the Store algorithm
• upload the resulting file to the general’s desktop (this part of the challenge is a little forced IMHO, since the IDS should have detected the reverse connection if it is sensible to long-lived, low traffic connections…)
• launch the SFX, wait until all the files are extracted and copy npf.sys into c:WindowsSystem32drivers
• before 9:00 AM (at 8:55 for example) launch WinDump (this will capture at most 5 MB of data):

  WinDump -i 1 -w capture.pcap -C 5

• after WinDump has stopped, retrieve the capture file and clean up (delete the driver, the SFX file, etc)

Challenge Question 4: Help the team complete this aspect of their mission by analyzing the packet capture file collected on the desktop computer and provide detailed information about the environment. Your response should at least include the type of network traffic collected, details about the General’s laptop computer, details about the Scylla Codes server plus any other server available, and provide the names and contents of the files stored on the server the input passphrase is based on.

The collected traffic consists of 6 requests made to the Scylla server (10.10.20.94) using HTTPS. To decode them, first convert the provided key file into PEM format with OpenSSL:

openssl rsa -in server.key -out server_key.pem 

Then use the resulting PEM file as described here for example to let Wireshark decode the traffic: http://www.novell.com/coolsolutions/appnote/19321.html

Now you can use the "Follow SSL stream" functionality from Wireshark to analyze each request. From the headers it seems that the general’s laptop is running Windows Vista Media Center (tablet? edition), while the Scylla server is running Linux/Apache:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) 
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8g DAV/2 PHP/5.2.9 

Challenge Question 5: What are the validation code and input passphrase used by the General to generate the Scylla validation code for this week?

The validation code is "6189db841f01413a05a53b7135137a17"

BONUS QUESTION: Briefly describe your recommendations about how The Company could have detected and defended against the tactics you described in your answer to Question 3.

The attack could have been prevented by using a whitelisting product which doesn’t let unknown executables be started. Other mitigating measures would be:

• using Group Policy to disable autorun
• using Group Policy to controls what kind of USB devices can be used: http://www.windowsecurity.com/articles/Control-USB-Devices-Group-Policy.html
• using a switched network
• using an outbound proxy and make sure that only valid HTTP/HTTPS traffic can leave the network

One could work around many of these restrictions (for example: finding a vulnerability in an installed software, running meterpreter in-process, killing the whitelisting software, masking the outbound connection as a HTTP one, using ARP spoofing to get around the switched network, etc), but it raises the bar considerably.

Sorry for being a little late: the T2’09 challenge just started. Via the F-Secure weblog. Don’t be fooled by the fact that page already contains two entries (“Mr. Speed” and “Mr. Style”) in the top. From what I understand, these are to signal that two winners will be selected, one for speed and one for style.

The page also contains entries from past years for you to play with.

A “find the vulnerability” type contest from Immunity.

A Javascript compression contest – this is not an “official” contest (in the sense that there are no prizes and no very strict rules), but more of a “one-upmanship”. Still interesting though.

Update: I almost missed this one: Network Forensics Puzzle Contest.

Have fun!

Picture taken from Joachim’s photostream with permission.