2011
08.24

My previous post covers the installation pretty decently. Nothing changes for the installation on OS X except that you will want to set your interface to en0 instead of eth0.

Also, if you are running into issues executing Cuckoo and get the following:
raise Exception, "Cannot find VBoxPython module"
Exception: Cannot find VBoxPython module

Try to run it as:
$ python2.6 cuckoo.py

Thanks nex

2011
08.24

So I finally picked the 5 pin U.S. Lock I picked up from DEFCON 18 (in my defense I never really messed with it until a week before DEFCON 19). After successfully opening the lock with a rake a few times I was able to open it with just the pick. I think my problem was that I was using too much torque. Once I let up on the death grip I was good to go.

I decided to open the lock to see what was going on inside…

First I had to open the lock, hey it only took me a year. Once I got that done I removed the retention plate holding the plug in place.

After this the plug should slide freely from the face of the lock. If you're not careful the pins will fall out.

After I got the plug out and the top pins removed, I removed the springs.

Then I removed the bottom pins.

This is everything removed.

The springs look jacked up. I don't think that I did this when removing them, which leads me to wonder if it was all the shite picking I was doing. Anyone know?

I just ordered a few practice sets to help me out. I'm a complete n00b when it comes to lock-picking. Hopefully I will improve; whether I do or not I will try to post my progress here.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: The Heist Part 2

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_5.tc, you are left with a pcap and an HTML page outlining the challenge:

The network at Factory-Made-Winning had been acting strange all day and Tim was getting very concerned about what was happening at his company. He began looking over some traffic...
Use the packet capture in this folder to help Tim find out what's happening:

1) What is the 3rd ingredient on the list from the mysterious file that was transferred?

Another pcap to analyze. Another 7z to carve. Another password protected archive. This time the password useonce@ gained from round 3 will be put to use. If you didn't see the previous post you should probably check that, since it contains how to finish this one as well.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: The Heist

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_4.tc, you are left with a pcap and an HTML page outlining the challenge:

Inter0ptic arrived at Factory-Made-Winning, and casually made his way past the front security desk. He then slipped into a secure access area by tailgating behind an employee. On the way in he found a sticky note with a password on it: "useonce@". The password might come in handy later! With a grin and a chuckle, Inter0ptic found an empty cubicle and plugged in his laptop.
Use the packet capture in this folder to learn more about Inter0ptic's adventure at the pharmaceutical company and answer the question below:

1. What is the 16th name inside the mysterious file transferred?

After opening the file in Wireshark you'll notice a lot of SMB traffic. I noticed a file transferred with a 7z extension and figured I would attempt to carve it out. Again, I had to look up the file signature for 7z (the six bytes 37 7a bc af 27 1c).

I used tcpxtract again.

echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf

tcpxtract -f ~/Evidence04.pcap

mv 00000000.p7z 00000000.7z

Notice the p7z extension in the tcpxtract.conf? For whatever reason tcpxtract didn't like the fact that the line started with an integer (the name 7z). So I named the type p7z and it worked fine; the first number inside the parentheses is the maximum number of bytes to carve after the signature. I just had to change the extension back to .7z if I wanted the file to open on Winblows. Note that the echo above overwrites the whole tcpxtract.conf, so back it up if you want the default signatures later.
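The carve in this post and in the round 5 post works the same way: find the 7z signature in the reassembled stream and cut out everything after it up to a fixed maximum (the 100000000 in the tcpxtract.conf line). The 7z signature header actually tells you the exact archive length, so the cut can be exact and the header can be sanity-checked before you bother with the password. The script below is an added example, not the blog's or tcpxtract's code; it assumes the input is a reassembled TCP stream (e.g. Wireshark's Follow TCP Stream saved as raw, not the pcap itself, since pcap and TCP headers would be interleaved with the payload) and falls back to a tcpxtract-style fixed-length cut when the header is truncated or its CRC does not match. The sample stream is constructed inline; it carves correctly but is not a decompressible archive.

```python
import struct
import sys
import zlib

# 7z signature bytes, the same header the tcpxtract.conf line above uses.
SEVENZ_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"
# Signature header layout: 6 magic + 2 version + 4 StartHeaderCRC
# + 8 NextHeaderOffset + 8 NextHeaderSize + 4 NextHeaderCRC = 32 bytes.
SIGNATURE_HEADER_LEN = 32


def parse_signature_header(buf, offset):
    """Parse the 32-byte 7z signature header that starts at `offset`.

    Returns (total_archive_len, start_header_crc_ok), or None when the
    bytes at `offset` are not a complete signature header.
    """
    if offset + SIGNATURE_HEADER_LEN > len(buf) or buf[offset:offset + 6] != SEVENZ_MAGIC:
        return None
    stored_crc = struct.unpack_from("<I", buf, offset + 8)[0]
    # StartHeaderCRC covers the 20 bytes that follow it.
    start_header = buf[offset + 12:offset + SIGNATURE_HEADER_LEN]
    next_header_offset, next_header_size, _next_header_crc = struct.unpack("<QQI", start_header)
    crc_ok = zlib.crc32(start_header) == stored_crc
    # Archive = signature header + packed streams + next header.
    total_len = SIGNATURE_HEADER_LEN + next_header_offset + next_header_size
    return total_len, crc_ok


def carve_7z(buf, max_len=100_000_000):
    """Find every 7z signature in `buf` and return (offset, bytes, exact) tuples.

    `exact` is True when the length came from a CRC-verified header; otherwise
    the carve is a tcpxtract-style fixed-length cut of up to `max_len` bytes.
    """
    carved = []
    pos = 0
    while True:
        idx = buf.find(SEVENZ_MAGIC, pos)
        if idx == -1:
            return carved
        parsed = parse_signature_header(buf, idx)
        if parsed is not None:
            total_len, crc_ok = parsed
            if crc_ok and total_len <= max_len and idx + total_len <= len(buf):
                carved.append((idx, buf[idx:idx + total_len], True))
                pos = idx + total_len
                continue
        # Header missing, damaged or archive truncated: fixed-length fallback.
        blob = buf[idx:idx + max_len]
        carved.append((idx, blob, False))
        pos = idx + len(blob)


def build_sample_7z(packed_streams, next_header):
    """Constructed test data: wrap arbitrary bytes in a structurally valid
    7z signature header (version 0.4). Carves correctly, does not decompress."""
    start_header = struct.pack("<QQI", len(packed_streams), len(next_header), zlib.crc32(next_header))
    return (SEVENZ_MAGIC + bytes([0, 4])
            + struct.pack("<I", zlib.crc32(start_header))
            + start_header + packed_streams + next_header)


# Constructed stand-in for a reassembled SMB stream: junk, one archive, junk.
SAMPLE_STREAM = (b"SMB junk before "
                 + build_sample_7z(b"A" * 100, b"\x01\x04\x06\x00")
                 + b" trailing bytes")


def write_carved(carved, prefix="carved"):
    """Write each carved blob to <prefix>-<n>.7z, like tcpxtract's numbered output."""
    names = []
    for n, (_offset, blob, _exact) in enumerate(carved):
        name = f"{prefix}-{n:08d}.7z"
        with open(name, "wb") as fh:
            fh.write(blob)
        names.append(name)
    return names


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for offset, blob, exact in carve_7z(data):
        kind = "exact" if exact else "fixed-length"
        print(f"7z at offset {offset}: {len(blob)} bytes ({kind})")
```

Run it as `python3 carve7z.py stream.raw`; with no argument it scans the constructed sample. A carve flagged fixed-length means the capture is missing bytes or the header is damaged, which is worth knowing before you spend time on passwords: an exact carve that still refuses the expected password points at the password, a fixed-length one points at the capture.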

Once I opened the archive I noticed an xls file. I tried extracting the file but the archive was password protected. nooooooooooooooo. But wait, we have a password... Yeah, I tried useonce@ too. It didn't work. After scratching my head for a bit someone had the bright idea to try Romulus' password. That worked... herp derp. Thanks Ryan.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: iPad or Remedial Training?

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_3.tc, you are left with a pcap and an HTML page outlining the challenge:

A mysterious call is made to Romulus (a new accounts manager) at Factory-Made-Winning.
Use the packet capture in this folder to learn more about the phone call and answer the following question:

1. What is Romulus' password?

Well, this is pretty straightforward. The description tells you outright that this is a phone call. Opening the capture in Wireshark and checking Telephony -> statistics reveals nothing. What about Cain and Abel? Open the capture in Cain and click Sniffer -> VoIP; it reassembles the RTP streams into playable audio.

Listen to the VoIP recording... profit.

rom127#