The SANS Holiday Challenge is a high-skill Ethical Hacking technical exercise sponsored by SANS CyberCon and organized by the CounterHack team.
The 2013 edition is the tenth annual installment and the biggest and best ever organized by Ed Skoudis, Josh Wright, and Tom Hessman.
During the Christmas holidays Giacomo and I started working on the Challenge, reading the story and downloading the PCAP file provided by the CounterHack team (you can find the details and the PCAP file on the SANS Pen Testing web site). We spent several hours and some fun late nights investigating the file, producing a detailed analysis of the attacks and writing a report that we submitted to the CounterHack team for validation. We would also like to thank Mr. GaraNews, who helped us with the Bro and Snort analysis of the PCAP file during my stay in Germany!! 🙂
Today a blog post on the SANS Pen Testing web site announced the winners and “honorable mentions” of the Holiday Challenge 2013: our report was cited as an “honorable mention” for the following reasons:
“Andrew and Giacomo had an excellent technical write-up with beautiful formatting, and even went the step further to ask “why” for each of the attacks (correctly citing that Mr. Potter wants to encourage the rapid growth of dental disease in Bedford Falls through manipulating drinking water fluoride levels). The team-of-two even went so far as to evaluate datestamp information in the “Firmware Update” phishing attack, identifying the 5-hour window between the upload of the ab-qfe.exe executable and the retrieval by Don Sawyer.”
We produced three main documents: the final report, the event timeline and the host list. All of these documents, as well as the zip file containing the evidence we found, are available for download from fantaghost.com. The evidence file is password protected; the password is clearly indicated at the end of the report. We stripped all malicious content out of the evidence zip archive to avoid antivirus detection and any dangerous behavior.
SANS Holiday Challenge 2013 Report (252.6 Kb, PDF) [ MD5: d55e6d208aa13f24454eb3631472797a ] >> Download
Investigation Evidence file (39.7 Mb, ZIP) [ MD5: 384b295f81028c21888f1e6b52c820c8 ] >> Download
All the malicious content extracted from the PCAP file is also available for download. The archive password is ‘infected’ (without quotes).
DISCLAIMER: The archive below contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this post, then DO NOT DOWNLOAD THE ARCHIVE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither the administration of this server, the authors of this material, nor anyone else affiliated in any way, is going to accept responsibility for your actions.
SANS_Challenge_2013_malicious.zip (890.6 Kb, ZIP) [ MD5: f93c1866e93c36d5fea054ca08874509 ] >> Download
Any comments and suggestions are more than welcome; please use the comment form below or send us an email.
Enjoy the reading!