2011
08.24

So I finally picked the 5 pin U.S. Lock I picked up at DEFCON 18 (in my defense, I never really messed with it until a week before DEFCON 19). After successfully opening the lock with a rake a few times I was able to open it with just the pick. I think my problem was that I was using too much torque. Once I let up on the death grip I was good to go.

I decided to open the lock to see what was going on inside…

First I had to open the lock; hey, it only took me a year. Once I got that done I removed the retention plate holding the plug in place.

After this the plug should slide freely from the face of the lock. If you're not careful the pins will fall out.

After I got the plug out and the top pins removed, I removed the springs.

Then I removed the bottom pins.

This is everything removed.

The springs look jacked up. I don't think that I did this when removing them, which leads me to wonder if it was all the shite picking I was doing. Anyone know?

I just ordered a few practice sets to help me out. I'm a complete n00b when it comes to lock-picking. Hopefully I will improve; whether I do or not, I will try to post my progress here.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: The Heist Part 2

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_5.tc, you are left with a pcap and an HTML page outlining the challenge:

The network at Factory-Made-Winning had been acting strange all day and Tim was getting very concerned about what was happening at his company. He began looking over some traffic….
Use the packet capture in this folder to help Tim find out what's happening:

1) What is the 3rd ingredient on the list from the mysterious file that was transferred?

Another pcap to analyze. Another 7z to carve. Another password protected archive. This time the password useonce@ gained from round 3 will be put to use. If you didn't see the previous post you should probably check that, since it contains how to finish this one as well.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: The Heist

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_4.tc, you are left with a pcap and an HTML page outlining the challenge:

Inter0ptic arrived at Factory-Made-Winning, and casually made his way past the front security desk. He then slipped into a secure access area by tailgating behind an employee. On the way in he found a sticky note with a password on it: “useonce@”. The password might come in handy later! With a grin and a chuckle, Inter0ptic found an empty cubicle and plugged in his laptop.
Use the packet capture in this folder to learn more about Inter0ptic’s adventure at the pharmaceutical company and answer the question below:

1. What is the 16th name inside the mysterious file transferred?

After opening the file in Wireshark you’ll notice a lot of SMB traffic. I noticed a file transferred with a 7z extension and figured I would attempt to carve it out. Again, I had to look up the file signature for 7z.

I used tcpxtract again.


echo "p7z(100000000, \x37\x7a\xbc\xaf\x27\x1c);" > /etc/tcpxtract.conf

tcpxtract -f ~/Evidence04.pcap

mv 00000000.p7z 00000000.7z

Notice the p7z extension in the tcpxtract.conf? For whatever reason tcpxtract didn't like the fact that I had an integer as the first character on the line. So I added p7z and it worked fine. I just had to change the extension back if I wanted this file to work on Winblows.

Once I opened the file I noticed an xls file. I tried extracting the file but the archive was password protected. nooooooooooooooo. But wait, we have a password………Yeah, I tried useonce@ too. It didn't work. After scratching my head for a bit someone had the bright idea to try Romulus’ password. That worked….herp derp. Thanks Ryan.

2011
08.10

DEFCON 2011 Network Forensics Puzzle: Ipad or Remedial Training?

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_3.tc, you are left with a pcap and an HTML page outlining the challenge:

A mysterious call is made to Romulus (a new accounts manager) at Factory-Made-Winning.
Use the packet capture in this folder to learn more about the phone call and answer the following question:

1. What is Romulus’ password?

Well, this is pretty straightforward. The description tells you outright that this is a phone call. Opening up the capture in Wireshark -> Telephony -> statistics reveals nothing. What about Cain and Abel? Open the capture in Cain and click Sniffer -> VoIP.

Listen to the VoIP recording… profit.

rom127#

2011
08.09

DEFCON 2011 Network Forensics Puzzle: Inception

*Note* I am in no way affiliated with the contest and, if you couldn't tell, the post below contains my solution for the round.

After extracting the contents from round_2.tc, you are left with a pcap and an HTML page outlining the challenge:

Ann, afraid that someone may be watching her, decides to capture all of her home traffic. She mentions her fear to Mr. X and explains that she has been capturing her home traffic for days and will be sending the packets out for analysis later in the day. She sends her captures to the one person she knows she can trust. After their discussion, Mr. X rushes to his lab to see if he can intercept Ann’s outbound message and use her capture to get more detail on her upcoming activities.
Use the packet capture in this folder to answer the following question:

1. What is the date, as it appears in the capture, of the cryptographer’s speaking engagement? (hint: It isn’t at Defcon)

Again, I start by trying to narrow down what I am looking for: we know that Ann is looking to send a packet capture of her home network. I make an initial assumption that Ann will continue to use email as her form of communication (after round 1).


echo "ann1smysterious" > ~/keywords.txt
echo "capture" >> ~/keywords.txt
echo "cap" >> ~/keywords.txt
echo "pcap" >> ~/keywords.txt

tcpflow -r ~/Evidence02.pcap -c | grep -i -f ~/keywords.txt

After reviewing the output of the above command you will notice that Ann is communicating with “Mr. X”, who is really d_tangent@aol.com (To field of the email). The email confirms that Ann is sending “Mr. X” a packet capture; the email contains an attachment.

The attachment is called Help.pcap with a length of 263982 bytes. Since we need to extract the pcap from the data stream (pcap from pcap ~ Inception, nice) we need to know the file header: File Signatures – Gary Kessler. In this case A1 B2 C3 D4, the pcap magic number; a capture written on a little-endian host stores those four bytes in reverse order on disk (D4 C3 B2 A1), which is the byte sequence the tcpxtract signature has to match.

We will use tcpxtract to pull out the embedded pcap. First add the pcap file type to tcpxtract.conf:


cp /etc/tcpxtract.conf /etc/tcpxtract.conf_BAK
echo "pcap(2638139, \xd4\xc3\xb2\xa1);" > /etc/tcpxtract.conf

tcpxtract -f ~/Evidence02.pcap
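As an added example (not tcpxtract's code and not part of the original posts), here is a small Python carver that does what the two tcpxtract.conf lines in this write-up and in the Heist round do: scan a reassembled stream for the 7z header (37 7A BC AF 27 1C) and the pcap magic (D4 C3 B2 A1 as written by a little-endian host, A1 B2 C3 D4 otherwise). It also shows the one thing tcpxtract cannot do for a footer-less format like pcap: since the carve runs to the configured maximum size, the trailing junk has to be trimmed, and for pcap the global header plus the per-record headers give the exact length. The sample stream, the MIME boundary and the two-packet pcap inside it are constructed for the demonstration; the function names are my own.

```python
"""Signature-based file carving over a raw byte stream, in the spirit of tcpxtract.

Added example, not tcpxtract's code nor the original post's. The signature
table mirrors the tcpxtract.conf lines used in the write-up; the sample
stream at the bottom is constructed for the demonstration.
"""
import struct

# name -> (max_size, header, footer). A footer of None means "carve up to
# max_size bytes", which is what tcpxtract does for footer-less formats.
SIGNATURES = {
    "7z":     (100_000_000, b"\x37\x7a\xbc\xaf\x27\x1c", None),
    # The pcap magic number is 0xA1B2C3D4. A capture written by a
    # little-endian host stores it on disk as D4 C3 B2 A1, hence the
    # reversed bytes in the write-up's tcpxtract.conf line.
    "pcap":   (2_638_139, b"\xd4\xc3\xb2\xa1", None),
    "pcapbe": (2_638_139, b"\xa1\xb2\xc3\xd4", None),
}

MAX_SNAPLEN = 262_144  # sanity bound for a single pcap record (assumed)


def carve(stream: bytes, signatures=SIGNATURES):
    """Return [(name, offset, data)] for every header hit, ordered by offset."""
    hits = []
    for name, (max_size, header, footer) in signatures.items():
        start = 0
        while (off := stream.find(header, start)) != -1:
            end = off + max_size
            if footer is not None:
                foot = stream.find(footer, off + len(header), end)
                if foot != -1:
                    end = foot + len(footer)
            hits.append((name, off, stream[off:end]))
            start = off + 1
    return sorted(hits, key=lambda h: h[1])


def pcap_length(data: bytes) -> int:
    """Exact size of the classic pcap that starts at data[0].

    pcap has no footer, so a carver over-reads up to max_size. Walking the
    24-byte global header and the 16-byte record headers (ts_sec, ts_usec,
    incl_len, orig_len) recovers the real end of the file; the first header
    that fails the sanity checks is treated as trailing junk.
    """
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap global header")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        if incl_len > orig_len or incl_len > MAX_SNAPLEN or pos + 16 + incl_len > len(data):
            break
        pos += 16 + incl_len
    return pos


def trim_pcap(data: bytes) -> bytes:
    """Drop whatever the carver dragged in after the last valid pcap record."""
    return data[:pcap_length(data)]


def build_sample_pcap() -> bytes:
    """Constructed classic pcap (little-endian, Ethernet link type) with two records."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [b"\xaa" * 60, b"\xbb" * 42]
    records = b"".join(
        struct.pack("<IIII", 1_313_000_000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames)
    )
    return global_header + records


# Constructed stand-in for a reassembled SMTP stream: a MIME header, the
# attached pcap, a MIME boundary, then the first bytes of a 7z archive.
SAMPLE_STREAM = (
    b"Content-Type: application/octet-stream; name=Help.pcap\r\n\r\n"
    + build_sample_pcap()
    + b"\r\n--boundary--\r\n"
    + b"\x37\x7a\xbc\xaf\x27\x1c\x00\x04" + b"\x11" * 30
)


def demo():
    """Carve the sample stream and return {name: exact carved length}."""
    out = {}
    for name, _off, data in carve(SAMPLE_STREAM):
        if name == "pcap":
            data = trim_pcap(data)
        out[name] = len(data)
    return out


if __name__ == "__main__":
    for name, off, data in carve(SAMPLE_STREAM):
        print(f"{name} at offset {off}: {len(data)} bytes carved")
    print(demo())
```

On the sample stream the pcap hit comes back as everything from the magic to the end of the stream, exactly as tcpxtract would write it to 00000000.pcap; trim_pcap cuts it back to the 158 bytes of the embedded capture. Comparing the trimmed length against the size in the attachment's MIME headers (263982 bytes in the real round) is a cheap check that the carve is complete.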

This will output a pcap file named 00000000.pcap. Running chaosreader against 00000000.pcap will produce some interesting results.


chaosreader -r 00000000.pcap

Open the resulting index.html and click on the image report tab. You will notice a great many images of Bruce Schneier. Googling Bruce Schneier will confirm that he is a renowned cryptographer. Now we just need to find when his speaking engagement is scheduled.

Looking at Mr. Bruce Schneier’s speaking engagement schedule you will see that the date in question is October 6-7, 2011.