Solving the 2016 NSA Codebreaker Challenge – Task 2

The second task contained some network traffic (in a pcap file) and a request to find the IP address of the undetonated IED by finding a string in the traffic.

Task 2 – Information Gathering and Triage, Part 2
Great work! Based on the signatures you provided, we were able to collect network communications that we believe contains traffic to an IED that is about to be detonated. Unfortunately, there appears to be a lot of unrelated network traffic in the collected data since other programs use the same port. Using the provided packet capture file (PCAP), we need your help to create more specific signatures for identifying network communications with the IED. This would be a huge first step in detecting when an IED has been armed, for example, which would allow us to alert troops in the region around where the signal was collected. For this task, your goals are to identify the version string sent by the client software when initiating a connection to the IED and to determine the IP address of the undetonated IED from the packet capture.

UPDATE: Intelligence suggests that the version strings are 11 characters long and look something like x.x-xxxxxxx

Opening up the file in Wireshark is pretty straightforward, but there were thousands of network frames present, so looking for right ones by hand wasn’t going to be very fun. Luckily, the string we were looking for had a known pattern so a regex could be constructed.

A couple minutes with a regex tester and we’ve got a working regex.

The resulting regex was “[a-z0-9].[a-z0-9][-][a-z0-9]{7}”. Drop that regex into Wireshark and we’ve got a match.

We’ve got a match: 9.8-dev8311

That frame also gives us the IP address of the undetonated IED which is the last piece of Task 2. The regex matched the value we needed, but had it not the likely solution would have been to add capital letters to its pattern. Instead of “[a-z0-9]” it simply would have been “[a-zA-Z0-9]”.

Update: Writeup on Task 3 has been posted.

This entry was posted in Infosec, Puzzles and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *