
Boston 2016

Boston, MA | Mon, Aug 1 - Sat, Aug 6, 2016

PCAP Puzzle #2

On June 7, 2016, judges Andrew Laman, Patrick Mooney, and Sally Vandeven unanimously determined that the highest-ranking solution was submitted by Tanner Kinkead. Congratulations Tanner! Other fine submissions were by:

Raymond Melzer
Ian Hayes
Joshua Roback
Jean-Yves Saghbini
Hasan Eray Doğan

Follow these links for the two files that explain Tanner's solution:

PCAP Puzzle 2 Solution
PCAP Boston Puzzle 2 Solution by Tanner Kinkead

We presented a pcap puzzle for readers to solve and received an overwhelming number of responses. So, Judy Novak created a second pcap puzzle for your enjoyment or torture. This time there will be three very savvy judges, Andy Laman, Sally Vandeven, and Patrick Mooney, evaluating the responses. Coincidentally, all three have earned SANS' highest certification, the GSE, along with many other SANS certifications.

The first ten correct responses will be judged based on an accompanying analysis of the answer. The winning analysis will be one that is deemed to be correct, with a thorough and yet easy to understand explanation. The prize will be your pride of packet Ninja distinction when the winner is announced!

Download the PCAP.
Send your solution to boston.pcap@anywherealone.com.

Note: The concepts required to solve this and the previous puzzle are taught in the SANS course SEC503: Intrusion Detection In-Depth.

This puzzle challenge requires some explanation. It requires a good understanding of IP fragmentation theory and a general knowledge of packets and TCP/IP. The premise is that various operating systems reassemble received overlapping fragments differently. For instance:

Packet 1 is the 0-offset fragment that contains an ICMP echo request header and the content "EXPLOITS". Packet 2 arrives with the content "OITSPLEX" at fragment offset 8, wholly overlapping the content in packet 1. A last fragment arrives at offset 16 that does not overlap prior fragments. The receiving host could reassemble the echo request content as either:

"EXPLOITSEXPLOITS" (packet 1 followed by packet 3), or
"OITSPLEXEXPLOITS" (packet 2 followed by packet 3).
The receiving host returns its reassembled interpretation in its ICMP echo reply content. A content of "EXPLOITSEXPLOITS" would indicate that the contents in packets 1 and 3 were favored, whereas a content of "OITSPLEXEXPLOITS" would mean that the content in packets 2 and 3 were favored.

Your challenge is to examine all the fragments found in puzzle2.pcap and, by examining the receiving host's ICMP echo reply, determine the packet numbers of the fragments whose content was favored. Indicate the reason you believe the receiving host favored a particular fragment. The reason could be arrival order, that is, a preference for either the original or the overlapping fragment when both are well-formed, or there may be other TCP/IP characteristics of a given fragment that influence the receiver's preference.

The content of each contiguous 8 bytes is either "EXPLOITS" or "OITSPLEX". These byte values were selected not to drive your brain crazy, but because they both result in the same checksum value: the Internet checksum is a one's-complement sum of 16-bit words, and "OITSPLEX" is the same four 16-bit words ("EX", "PL", "OI", "TS") in a different order. The pre-fragmented ICMP echo request carries an ICMP checksum in the ICMP header. Whether the packet is sent fragmented or unfragmented, the receiving host must validate this checksum over the reassembled packet and discard it if the checksum it computes does not match the one in the header. This requires every overlapping fragment to carry content with the same checksum value.
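The following is an added example (not part of the original puzzle or its solutions) that builds the three-fragment echo request described above, reassembles it under a first-arrival and a last-arrival overlap policy, and checks the ICMP checksum of each result. The fragment bytes, identifier and sequence values are constructed for illustration; real stacks apply more elaborate overlap rules than these two.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words,
    folded to 16 bits and complemented. Word order does not change it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct header checksum."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def puzzle_fragments():
    """Constructed sample mirroring the puzzle text: fragment 1 at byte offset
    0 (ICMP header + 'EXPLOITS'), fragment 2 at offset 8 wholly overlapping
    that content with 'OITSPLEX', fragment 3 at offset 16 with no overlap."""
    original = build_echo_request(b"EXPLOITSEXPLOITS")
    return [(0, original[:16]), (8, b"OITSPLEX"), (16, original[16:])]

def reassemble(fragments, policy: str) -> bytes:
    """Reassemble (offset, data) fragments in arrival order. 'first' keeps the
    bytes that arrived first; 'last' lets later fragments overwrite them."""
    size = max(off + len(data) for off, data in fragments)
    buf, filled = bytearray(size), [False] * size
    for off, data in fragments:
        for i, byte in enumerate(data):
            if policy == "last" or not filled[off + i]:
                buf[off + i], filled[off + i] = byte, True
    return bytes(buf)

def checksum_ok(icmp: bytes) -> bool:
    """Receiver-side check: checksum over header+payload must fold to zero."""
    return inet_checksum(icmp) == 0

def echo_content(icmp: bytes) -> bytes:
    """Strip the 8-byte ICMP header; this is what an echo reply would carry."""
    return icmp[8:]

if __name__ == "__main__":
    for policy in ("first", "last"):
        pkt = reassemble(puzzle_fragments(), policy)
        print(policy, echo_content(pkt), "checksum ok:", checksum_ok(pkt))
    # A plain byte reversal is not a 16-bit-word permutation, so it would
    # fail validation and the reassembled packet would be dropped.
    print(hex(inet_checksum(b"EXPLOITS")), hex(inet_checksum(b"STIOLPXE")))
```

Both policies produce a datagram that passes the checksum, which is exactly why the echo reply content, rather than a checksum failure, reveals which fragment the receiver favored.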

Have fun and good luck!