├── Chapman-CactusCon-NFWorkshop16.pdf
├── README.md
├── round1
│   └── round1.py
└── round6
    └── round6.py

/Chapman-CactusCon-NFWorkshop16.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rj-chap/NFWorkshop16/05230eccd19f69941b3738fe0da5c355c8e9dca7/Chapman-CactusCon-NFWorkshop16.pdf
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
This repo contains the files for the "Network Forensics Workshop Deux: Long Live Packet Pillaging" workshop, which will be held at CactusCon 2016 (http://www.cactuscon.com/ryan-chapman).

README.md v0.1 -- If this number changes, go check the change log :)

---

# Workshop Details

In the workshop, I will walk attendees through how Bechtel's "Team Threat Level Pancakes" (formerly "Team DOFIR") took 1st place in LMG Security's Network Forensics Puzzle Contest (NFPC) at DefCon 23 (2015). This was a repeat win for us, and we enjoyed every minute that we have spent on these challenges. LMG holds an awesome annual contest, and we are proud to show the tech that we used to complete the most recent challenge. Keep in mind that this is a "WE" thing. I put together the workshop, but OUR TEAM wins these things. I am honored to work with such awesome people.

To solve the sucker, we used tools such as Wireshark, NetworkMiner, bash, Volatility, Python, and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: show off some cool network forensics tech and garner interest for yet another NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 24 in 2016!

---

# Requirements

I recommend that you use Kali Linux v2.0+. See here: https://www.kali.org/downloads/. If you are using Kali, you will still need to download some additional tools to your distro. If you are not using Kali, well then you have your work cut out for you!

For the workshop, please install the following tools:

- *bless* – Great nix-based hex editor
- *Audacity* – Audio playing/editing program with the ability to play audio files in reverse (see Round 3)
- *tcplay* – Free and simple TrueCrypt implementation based on dm-crypt (see Round 6)

You can install all three in Kali using the following command:

**sudo apt-get install bless audacity tcplay**

## NetworkMiner

Last year, I made a point to avoid NetworkMiner. This year, our intern showed us that ease-of-use tools such as NetworkMiner might be required in these challenges. Hah!

We will *need* NetworkMiner (NM) to complete Round 3. You can grab NM here: http://www.netresec.com/?page=NetworkMiner. Feel free to run NM under Windows, either in your host OS or within a Windows-based VM.

Personally, I like to run NM under Kali using Mono. For details, see here: http://www.netresec.com/?page=Blog&month=2011-12&post=No-more-Wine---NetworkMiner-in-Linux-with-Mono.

If you want to run NM under Kali, please visit the above link and set this up prior to the workshop.

## Non-Kali Requirements

Many of the tools that you will need for this workshop are bundled with Kali 2.x. For those not using Kali, please make sure that you have the following tools available in addition to those listed above:

- Wireshark (1.12.x preferred; please only use 2.0 if you are familiar with all GUI-based changes)
- Python (2.6 preferred -- avoid 3.0 'cause reasons)
- Volatility 2.4+ (http://www.volatilityfoundation.org/ -- we'll be using 2.4)
- foremost (http://foremost.sourceforge.net/)
- aircrack-ng (http://www.aircrack-ng.org/)

---

# Obtaining the Files

At CactusCon 2016, I will be handing out 40 copies of LMG Security's Network Forensics Puzzle Challenge 2015 DVD. If you receive one, and you have a DVD drive, great!

Additionally, I will have a WNDR3700 router set up along with a switch. The relevant files will be available via a local network share on this private network. Be sure to bring a network adapter if you don't have one built-in, and be sure to bring an Ethernet cable too (heck, bring a few and share).

If CactusCon '16 is over, and you did not receive the associated PCAP files at the conference, FEAR NOT! Please contact me for details or go directly to the source: LMG Security (@LMGSecurity).

## Passwords

The TrueCrypt volumes on the official LMG Security DVD require passwords.
Please note that zeroes are often used instead of the letter 'o'.

Round 1: WhcFDjEQm9

Round 2: 4TWSDjtAeb

Round 3: jHfk4ykZBC

Round 4: 86BNnSn7Jp

Round 5: djawp7Tw6W

Round 6: hcdLwUKPTC

Round 7: zxEjEhCsVP

(Round 7 is a bonus round that we do not cover in this workshop, but I felt it appropriate to include the password anyway.)
--------------------------------------------------------------------------------

/round1/round1.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# round1.py -- copy an IRC text dump to a new file, appending a ROT13 decoding
# of the message body after every PRIVMSG line.
from __future__ import print_function
import codecs
import re
import sys

if len(sys.argv) != 3:
    sys.exit("usage: %s <input file> <output file>" % sys.argv[0])

# First argument should be the input file (most likely "irc_privmsg.txt")
input_file = sys.argv[1]

# Second argument should be the output filename (try something like "irc_decoded.txt")
output_file = sys.argv[2]

outputdata = []

with open(input_file, 'r') as flow:
    for line in flow:
        # Lines that are not PRIVMSGs are copied through untouched
        if not re.search('PRIVMSG', line):
            outputdata.append(line)
            continue

        # The message body is everything after the last ':' in the IRC line
        strip_line = line.split(':')[-1].strip()

        try:
            decoded = codecs.encode(strip_line, 'rot_13')
        except UnicodeError:
            # Non-ASCII bodies cannot be ROT13'd under Python 2; keep the raw line
            outputdata.append(line)
            continue

        # Keep the original line (it already ends in '\n'), then the decoding
        outputdata.append(line + '+++ Decoded ROT13: ' + decoded + '\n')

with open(output_file, 'w') as f:
    for line in outputdata:
        f.write(line)

print("Done! See %s." % output_file)
--------------------------------------------------------------------------------

/round6/round6.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# round6.py -- decode "reversed alphabet" (Atbash) text: a<->z, b<->y, c<->x, ...
from __future__ import print_function
import string


def reverse(plaintext):
    # Same a->z, b->y, ..., z->a table as before, built from the alphabet instead
    # of being spelled out by hand
    alphabet = dict(zip(string.ascii_lowercase, reversed(string.ascii_lowercase)))

    decoded = ""

    # Convert each letter to the corresponding letter in the reverse alphabet;
    # digits, punctuation and whitespace pass through unchanged
    for character in plaintext.lower():
        if character in alphabet:
            character = alphabet[character]
        decoded += character

    return decoded


decode_us = ["Wrw blf ivnvnyvi gl hsldvi zmw kfg lm xovzm fmwvidvzi uli WvuXlm?",
             "Nln sld wrw blf tvg lm Ofpv'h xlnkfgvi?...zmw bvh.",
             "Nln'h szev vbvh rm gsv yzxp lu gsvri svzwh...zmw z gdvoev bvzi lowh kzhhdliw rh vzhb gl tfvhh.",
             "Bvzs R tfvhh hrmxw rg'h qfhg rorpvzorvmh."]

if __name__ == '__main__':
    for decode_me in decode_us:
        print(decode_me)
        print(reverse(decode_me) + "\n")
--------------------------------------------------------------------------------
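As an added example (not code from the rj-chap/NFWorkshop16 repo), here are round1.py and round6.py generalised into one Python 3 tool: it pulls the message body out of IRC PRIVMSG lines, tries plain, ROT13 and Atbash, and keeps whichever reads most like English according to a small common-word heuristic. The IRC lines, the channel name and the word list are constructed for the demo; a real capture would need a larger word list and may need a frequency-based score instead.

```python
import codecs
import re
import string
# ":nick!user@host PRIVMSG <target> :<message>" -- capture target and message body
PRIVMSG_RE = re.compile(r'PRIVMSG\s+(\S+)\s+:(.*)$')

# Atbash: a<->z, b<->y, ... in both cases; everything else passes through unchanged
_ATBASH = str.maketrans(string.ascii_lowercase + string.ascii_uppercase,
                        string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1])

# Small common-word list used as a crude "does this read as English?" detector (constructed)
COMMON_WORDS = {'the', 'and', 'you', 'to', 'of', 'is', 'in', 'it', 'on', 'do',
                'did', 'how', 'we', 'for', 'at', 'see', 'ok'}

def atbash(text):
    return text.translate(_ATBASH)

def rot13(text):
    return codecs.encode(text, 'rot_13')

def english_score(text):
    # Fraction of words found in COMMON_WORDS; 0.0 when there are no words at all
    words = re.findall(r"[a-z']+", text.lower())
    return sum(w in COMMON_WORDS for w in words) / len(words) if words else 0.0

def best_decoding(text):
    # Try every candidate and keep the one that scores highest (ties favour 'plain')
    candidates = {'plain': text, 'rot13': rot13(text), 'atbash': atbash(text)}
    name = max(candidates, key=lambda k: english_score(candidates[k]))
    return name, candidates[name]

def decode_privmsgs(lines):
    # Returns [(target, cipher_name, decoded_body), ...]; non-PRIVMSG lines are skipped
    results = []
    for match in filter(None, map(PRIVMSG_RE.search, lines)):
        cipher, body = best_decoding(match.group(2).strip())
        results.append((match.group(1), cipher, body))
    return results

# Constructed IRC lines: one ROT13 body, one Atbash body, one plaintext, one non-PRIVMSG
SAMPLE_LINES = [
    ':alice!a@host PRIVMSG #ops :Gur cnpxntr vf ernql sbe cvpxhc',
    ':bob!b@host PRIVMSG #ops :Wrw blf ivnvnyvi gl kzxp rg?',
    ':carol!c@host PRIVMSG #ops :ok see you at the meeting',
    ':irc.example 001 alice :Welcome to the network',
]

if __name__ == '__main__':
    for target, cipher, body in decode_privmsgs(SAMPLE_LINES):
        print('%s [%s] %s' % (target, cipher, body))
```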