Riddles in the Dark - Blue Eyes

This riddle, or puzzle, or whatever you want to call it, became famous through xkcd, and you can read the challenge there, but I and others got confused by the wording. Here I will present my own version, which I think is simpler and clearer. The “official” answer is very beautiful, but I will present my alternative solution here as well.

My Wording of the Puzzle

On an island there are 100 blue-eyed and 100 brown-eyed men. The men are all very intelligent and, to quote the xkcd wording, “if a conclusion can be logically deduced, they will do it instantly”. They don’t know their own eye color, and if they find out their color they will magically be teleported to paradise the same day, but they need to be 100% sure of their color. They cannot communicate with each other in any form; they can only observe. One day an angel comes down from the sky and says in front of them all: “I see someone with blue eyes”. Then the angel leaves and never returns.

Who will leave the island and on which day?

Here are some other pointers:

  • They cannot see the reflection of their eye color in the water or anything of the kind
  • It’s not relevant how long they have been on the island
  • There is no stupid answer. The answer is pure logic and really amazing.
  • The angel is not relevant. They could just as well have found a note on the ground stating the same thing
  • Remember that every blue-eyed person sees 100 brown-eyed and 99 blue-eyed, and it’s tempting for every blue-eyed person to assume there are 100 of each and thereby know their color, but there might be 101 brown-eyed and 99 blue-eyed. And of course vice versa.
  • What do you mean by “which day”? Well, there is only one reference point.

My Problems with the Original Wording

  • Introducing a “guru” with green eye color. Useless information that pollutes the puzzle
  • Mentioning a ferry might indicate that there is a captain they need to submit their eye color to. What if anyone is listening when a person submits his answer? And is there a restriction on how many times they can try to leave with the ferry? Can a person try “blue” one day and “brown” the next?

The “Official” Answer

You can read the answer on xkcd, but I will try with my own wording here.

If we start with only 1 blue-eyed and 1 brown-eyed, the answer is simple. After the angel speaks, the blue-eyed man will look at the brown-eyed man and instantly know that he himself must have blue eyes, and he leaves on day 1.

Notice that this answer also applies if there were 1000 brown-eyed and 1 blue-eyed.

If there were 2 blue-eyed and 1 brown-eyed on the island, each blue-eyed man can think like this: “If I have brown eyes, then this dude with blue eyes will know for certain that he has blue eyes and will leave today. If he doesn’t leave, then I must also have blue eyes and I can leave the next day”. They both think like this, because they are equally intelligent; they will both observe that the other guy didn’t leave on the first day, and they leave on day 2. Notice also that we can introduce 1000 brown-eyed and there will be no difference, so we can conclude that the brown-eyed are irrelevant and will never leave.

If there were 3 blue-eyed, then each of them sees 2 other blue-eyed and thinks “If I have brown eyes, these two blue-eyed will leave on day 2”. Now, if the other two don’t leave on day 2, each person confirms that they also have blue eyes and leaves on day 3.

See the pattern now? The 100 blue-eyed will leave the island on day 100. Every person uses the same logic and thinks “I see 99 blue-eyed, so if no one leaves on day 99, I must have blue eyes as well, and I leave the next day”.
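As an added illustration (my own code, not from the original post or from xkcd), here is a day-by-day simulation in Python in which each islander applies only the rule stated above: “I see k blue-eyed people; if I had brown eyes they would all leave on day k, so if nobody has left by then I leave on day k + 1.” The islander ids and the `simulate`/`leave_day` names are my own; the simulation reproduces the day-100 result for any mix of blue- and brown-eyed men and shows that the brown-eyed never leave.

```python
def simulate(n_blue, n_brown):
    """Day-by-day simulation of the official answer.

    Each islander knows only the number k of blue-eyed people they can see and
    the angel's statement. Rule applied by everyone: leave on day k + 1 if nobody
    has left the island before that day. Returns {day: [ids who leave that day]}.
    """
    assert n_blue >= 1, "the angel's statement must be true"
    eyes = ["blue"] * n_blue + ["brown"] * n_brown
    on_island = set(range(len(eyes)))
    # Fixed at the start: nobody's view changes until someone actually leaves.
    seen_blue = {i: sum(eyes[j] == "blue" for j in on_island if j != i) for i in on_island}
    departures = {}
    nobody_has_left = True
    for day in range(1, len(eyes) + 2):
        leaving = [i for i in sorted(on_island) if nobody_has_left and seen_blue[i] + 1 == day]
        if leaving:
            departures[day] = leaving
            on_island -= set(leaving)
            nobody_has_left = False   # the brown-eyed (k = n_blue) now never fire their rule
    return departures


def leave_day(n_blue, n_brown=100):
    """The single day on which every blue-eyed islander leaves."""
    (day, _ids), = simulate(n_blue, n_brown).items()
    return day


if __name__ == "__main__":
    print(simulate(3, 1))           # {3: [0, 1, 2]}
    print(leave_day(100, 100))      # 100
```

Note that a brown-eyed man sees k = 100 and would leave on day 101 under the same rule, but the 100 blue-eyed leave on day 100 first, which is exactly the observation that tells him nothing about his own color.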

If you think you have the answer, you can try asking yourself these questions, quoted from the xkcd answer:

1. What is the quantified piece of information that the Guru/angel provides that each person did not already have?
2. Each person knows, from the beginning, that there are no less than 99 blue-eyed people on the island. How, then, is considering the 1 and 2-person cases relevant, if they can all rule them out immediately as possibilities?
3. Why do they have to wait 99 nights if, on the first 98 or so of these nights, they’re simply verifying something that they already know?

My Alternative Answer

It starts with one guy just standing up. Then another guy stands next to him. Let’s say one has blue and one has brown eyes. They have now formed this row: Blue/Brown

The third person sees the colors of these two and places himself in the middle. It doesn’t matter which color his eyes are, but let’s say they are brown. Updated row: Blue/Brown/Brown

If the two initial guys both have the same color, the third guy just moves to either side.

The fourth guy comes and places himself in the middle, where the blue-eyed and the brown-eyed are separated. His goal is to have the blue-eyed on one side of him and the brown-eyed on the other. Let’s say he has blue eyes, which makes the row look like this: Blue/Blue/Brown/Brown

The next guy does the same, and so on, until everyone is standing in the row, where the 100 men on the left are blue-eyed and the 100 men on the right are brown-eyed.

Now everyone knows their eye color just by looking around, except the two guys in the middle. They don’t know where the boundary between blue and brown is: they see only blue eyes in one direction and only brown in the other, but they can’t know their own color. The other 198 men, however, can leave the island on day 1.
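The row-forming procedure above, as an added example in Python (my code, not the post’s). Each newcomer stands at the boundary between the two color blocks, or at an end if the row is still one color, so the row stays in two blocks whatever the newcomer’s own color is. The “who knows” rule is my formalization of “just looking around”: a person knows their color when only one color is consistent with the row being two blocks; the function names and the seeded shuffle of arrival order are my assumptions.

```python
import random


def insert_position(row):
    """Where a newcomer stands: at the boundary between the two color blocks if
    there is one, otherwise at the right-hand end. Either choice keeps the row in
    two blocks whatever the newcomer's own color is, so nobody needs to know it."""
    for i in range(1, len(row)):
        if row[i - 1] != row[i]:
            return i
    return len(row)


def form_row(arrivals):
    """Build the row one person at a time; `arrivals` lists each person's eye
    color in the order they walk up (a color the person themselves never sees)."""
    row = []
    for color in arrivals:
        row.insert(insert_position(row), color)
    return row


def is_two_blocks(row):
    """True if the row has at most one color change (e.g. blue...blue brown...brown)."""
    return sum(row[i - 1] != row[i] for i in range(1, len(row))) <= 1


def who_knows(row, colors=("blue", "brown")):
    """For each position: can that person deduce their own color from the rest of
    the row? They know the row was kept in two blocks, so any color that would
    break that is impossible; if exactly one color remains, they know it."""
    result = []
    for i in range(len(row)):
        consistent = [c for c in colors if is_two_blocks(row[:i] + [c] + row[i + 1:])]
        result.append(len(consistent) == 1)
    return result


def demo(n_blue=100, n_brown=100, seed=1):
    """Shuffle the arrival order (constructed input) and build the full row."""
    arrivals = ["blue"] * n_blue + ["brown"] * n_brown
    random.Random(seed).shuffle(arrivals)
    return form_row(arrivals)


if __name__ == "__main__":
    row = demo()
    print(is_two_blocks(row), sum(who_knows(row)))   # True 198
```

With 100 of each color exactly the two men at the boundary come out as not knowing: for each of them both colors still give a two-block row, while for everyone else the other color would split the row into three blocks.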

I submitted this answer to Randall (the creator of xkcd), but he claimed this answer was not valid because there was too much communication between the men :’(


DNS Reconnaissance

When doing a penetration test, one of the first things you will do is discover as much as possible to build a layout of the platform you will be attacking. Here I will show a few tricks to map a whole domain. However, be careful doing scans like this, because they might be detected. Always consult the owner of the system beforehand. In the following examples I will use an offline local domain in a testing environment, namely sec542.org. There are many DNS tools available for this, like nmap, dig and many more. Here, however, I will use dnsrecon, which is a free and open source tool written in Python and included by default in Kali.

Steps

First we do a standard lookup to see what the normal response is, so we can compare with it later. Then you should check for a zone transfer misconfiguration, which may give us lots of subdomains of the target. If that is not the case, we can start to brute-force using a dictionary. Lastly we can also do a reverse DNS scan.

Normal lookup:

[~]$ dnsrecon.py -d sec542.org -t std  
[*] Performing General Enumeration of Domain:  
[-] DNSSEC is not configured for sec542.org 
[*] 	 SOA ns1.sec542.org 192.168.1.8 
[*] 	 NS ns1.sec542.org 192.168.1.8 
[-] 	 Recursion enabled on NS Server 192.168.1.8 
[*] 	 Bind Version for 192.168.1.8 9.9.5-3ubuntu0.1-Ubuntu 
[*] 	 NS ns2.sec542.org 192.168.1.23 
[*] 	 MX mail2.sec542.org 192.168.1.8 
[*] 	 MX mail.sec542.org 192.168.1.23 
[*] 	 A sec542.org 192.168.1.8 
[*] Enumerating SRV Records 
[-] No SRV Records Found for sec542.org 
[*] 0 Records Found

Check for zone transfer:

[~]$ dnsrecon.py -d sec542.org -a
[*] Testing NS Servers for Zone Transfer
[*] Checking for Zone Transfer for sec542.org name servers
[*] Resolving SOA Record
[*] 	 SOA ns1.sec542.org 192.168.1.8
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS ns2.sec542.org 192.168.1.23
[*] 	NS ns1.sec542.org 192.168.1.8
[*] Removing any duplicate NS server IP Addresses...
[*]  
[*] Trying NS server 192.168.1.23
[-] Zone Transfer Failed for 192.168.1.23!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 192.168.1.8
[*] 192.168.1.8 Has port 53 TCP Open
[*] Zone Transfer was successful!!
[*] 	 NS ns1.sec542.org 192.168.1.8
[*] 	 NS ns2.sec542.org 192.168.1.23
[*] 	 A @.sec542.org 192.168.1.8
[*] 	 A mail2.sec542.org 192.168.1.8
[*] 	 A scanner.sec542.org 192.168.1.8
[*] 	 A ns1.sec542.org 192.168.1.8
[*] 	 A ns2.sec542.org 192.168.1.23
[*] 	 A bar.sec542.org 192.168.1.18
[*] 	 A mail.sec542.org 192.168.1.23
[*] 	 A hr-web.sec542.org 192.168.1.8
[*] 	 A webdev.sec542.org 192.168.1.23
[*] 	 A foo.sec542.org 192.168.1.67
[*] 	 A dbdev.sec542.org 192.168.1.23
[*] 	 A www.sec542.org 192.168.1.8
[*] 	 A shellshock.sec542.org 192.168.1.8

So this was a success: we got A and NS records. Now let’s try a dictionary attack. The namelist.txt that comes with dnsrecon by default contains common subdomain names as seen in the wild.

[~]$ dnsrecon.py -d sec542.org -t brt -D /opt/dnsrecon/namelist.txt
[*] Performing host and subdomain brute force against sec542.org
[*] 	 CNAME ajax.sec542.org bootcamp.sec542.org
[*] 	 CNAME bootcamp.sec542.org www.sec542.org
[*] 	 A www.sec542.org 192.168.1.8
[*] 	 CNAME auth.sec542.org www.sec542.org
[*] 	 A www.sec542.org 192.168.1.8
[*] 	 A mail.sec542.org 192.168.1.23
[*] 	 A mail2.sec542.org 192.168.1.8
[*] 	 A ns1.sec542.org 192.168.1.8
[*] 	 A ns2.sec542.org 192.168.1.23
[*] 	 A scanner.sec542.org 192.168.1.8
[*] 	 CNAME sniffer.sec542.org www.sec542.org
[*] 	 A www.sec542.org 192.168.1.8
[*] 	 A webdev.sec542.org 192.168.1.23
[*] 	 A www.sec542.org 192.168.1.8

Here we also found some CNAME records, which we didn’t see before. Now let’s try a reverse DNS scan of the whole IP range.

[~]$ dnsrecon.py -r 192.168.1.0/24
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 192.168.1.0 to 192.168.1.255
[*] 	 PTR bar.sec542.org 192.168.1.18
[*] 	 PTR mail.sec542.org 192.168.1.23
[*] 	 PTR mail2.sec542.org 192.168.1.7
[*] 	 PTR www.sec542.org 192.168.1.41
[*] 	 PTR heartofgold.sec542.com 192.168.1.42
[*] 	 PTR foo.sec542.org 192.168.1.67

PTR records are something we didn’t have before. If we want to be more stealthy, we can use Google to discover subdomains by doing the following:

Start by searching Google for the domain in question with the site: operator

site:sans.org

The first thing we see is a bunch of results for the www subdomain. Now we can do the search again, but excluding that subdomain:

site:sans.org -site:www.sans.org

Great. Now we just continue doing this until no new subdomains show up.

site:sans.org -site:www.sans.org -site:isc.sans.org

There is also an option to use Google in dnsrecon with the following command, but I have not gotten it to work yet:

$ dnsrecon.py -d sans.org -t goo
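Pulling the four dnsrecon runs above together, here is an added Python example (my code, not part of dnsrecon or of the original post) that parses the record lines exactly as the tool prints them, builds the host inventory for the zone, and flags what a zone owner reviewing the same output would want fixed: the successful zone transfer, recursion enabled on the authoritative server, the disclosed BIND version string, a PTR that points outside the zone, and hosts whose forward A record and reverse PTR disagree (mail2 and www in the runs above). The sample text is copied from the output shown above with tabs replaced by spaces; the finding messages and function names are my own.

```python
import re

# Record and status lines copied from the four dnsrecon runs above.
DNSRECON_OUTPUT = """\
[-] DNSSEC is not configured for sec542.org
[*]   SOA ns1.sec542.org 192.168.1.8
[*]   NS ns1.sec542.org 192.168.1.8
[-]   Recursion enabled on NS Server 192.168.1.8
[*]   Bind Version for 192.168.1.8 9.9.5-3ubuntu0.1-Ubuntu
[*]   NS ns2.sec542.org 192.168.1.23
[*]   MX mail2.sec542.org 192.168.1.8
[*]   MX mail.sec542.org 192.168.1.23
[*]   A sec542.org 192.168.1.8
[-] Zone Transfer Failed for 192.168.1.23!
[*] Zone Transfer was successful!!
[*]   A @.sec542.org 192.168.1.8
[*]   A mail2.sec542.org 192.168.1.8
[*]   A scanner.sec542.org 192.168.1.8
[*]   A bar.sec542.org 192.168.1.18
[*]   A mail.sec542.org 192.168.1.23
[*]   A hr-web.sec542.org 192.168.1.8
[*]   A webdev.sec542.org 192.168.1.23
[*]   A foo.sec542.org 192.168.1.67
[*]   A dbdev.sec542.org 192.168.1.23
[*]   A www.sec542.org 192.168.1.8
[*]   A shellshock.sec542.org 192.168.1.8
[*]   CNAME ajax.sec542.org bootcamp.sec542.org
[*]   CNAME bootcamp.sec542.org www.sec542.org
[*]   CNAME auth.sec542.org www.sec542.org
[*]   CNAME sniffer.sec542.org www.sec542.org
[*]   PTR bar.sec542.org 192.168.1.18
[*]   PTR mail.sec542.org 192.168.1.23
[*]   PTR mail2.sec542.org 192.168.1.7
[*]   PTR www.sec542.org 192.168.1.41
[*]   PTR heartofgold.sec542.com 192.168.1.42
[*]   PTR foo.sec542.org 192.168.1.67
"""

ZONE = "sec542.org"
# "[*] <TYPE> <name> <value>" is the layout dnsrecon uses for the record lines above.
RECORD_RE = re.compile(r"^\[\*\]\s+(SOA|NS|MX|A|AAAA|CNAME|PTR|TXT|SRV)\s+(\S+)\s+(\S+)\s*$")


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def normalize(name, zone):
    """dnsrecon prints the zone apex as '@.<zone>'; fold that into the bare zone name."""
    return zone if name == "@." + zone else name


def parse_records(text, zone=ZONE):
    """Return (type, name, value) tuples from the record lines, de-duplicated, order kept."""
    records, seen = [], set()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = (m.group(1), normalize(m.group(2), zone), m.group(3))
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def hostnames(records, zone=ZONE):
    """Every in-zone name seen as a record owner or as an NS/MX/CNAME target."""
    names = set()
    for rtype, name, value in records:
        target = value if rtype in ("NS", "MX", "CNAME") else None
        for candidate in (name, target):
            if candidate and in_zone(candidate, zone):
                names.add(candidate)
    return sorted(names)


def findings(text, records, zone=ZONE):
    """Issues a zone owner would want fixed, derived only from the scan output."""
    out = []
    if "Zone Transfer was successful" in text:
        out.append("AXFR: zone transfer allowed to an arbitrary client; restrict it to secondaries")
    for line in text.splitlines():
        if "Recursion enabled" in line:
            out.append("open recursion on authoritative server " + line.split()[-1])
        if "Bind Version for" in line:
            out.append("BIND version string disclosed: " + line.split()[-1])
    forward = {}
    for rtype, name, value in records:
        if rtype == "A":
            forward.setdefault(name, set()).add(value)
    for rtype, name, value in records:
        if rtype != "PTR":
            continue
        if not in_zone(name, zone):
            out.append(f"PTR {value} -> {name} points outside {zone}; stale or foreign record")
        elif name in forward and value not in forward[name]:
            out.append(f"forward/reverse mismatch for {name}: A {sorted(forward[name])} vs PTR {value}")
    return out


if __name__ == "__main__":
    recs = parse_records(DNSRECON_OUTPUT)
    print(len(hostnames(recs)), "hosts in", ZONE)
    for f in findings(DNSRECON_OUTPUT, recs):
        print("-", f)
```

Running the same checks against your own zones is a cheap way to catch the misconfigurations this post relies on before someone else does; the forward/reverse mismatches are also the kind of inconsistency that tends to show up when PTR records are left behind after hosts move.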


Trusted Path in Linux

Trusted path is a way for the system to authenticate itself to the user. Examples of this are Ctrl+Alt+Del in Windows, the terminal console physically attached to a server, and the home button on a smartphone.


Race Conditions

What is a race condition?

Let’s say we have a voting system with the number of votes stored in variables. This is what we expect to happen when a user votes on a particular option and a variable gets incremented by one:
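The excerpt above stops at the expected behaviour, so here is an added Python example (my code, not the post’s) of that vote counter. The increment is split into its two real steps, read and write, and a fixed schedule drives two voters through them: “AABB” is the expected serial order and gives two votes, while “ABAB” interleaves the steps so one vote is lost. The locked version shows the usual fix, holding a lock across the whole read-modify-write so real threads cannot interleave. The dict-based vote store, voter names and function names are my assumptions.

```python
import threading


def vote_steps(store, option):
    """One voter's non-atomic increment, split into its two real steps:
    read the current count, then write count + 1. The `yield` between them is
    the point where another voter may run."""
    current = store.get(option, 0)   # step 1: read
    yield
    store[option] = current + 1       # step 2: write, based on the value read earlier


def run_schedule(schedule, option="A"):
    """Drive voters' steps in a fixed order. `schedule` is a string of voter names,
    one character per step: "AABB" is the expected serial order, "ABAB" interleaves."""
    store, voters = {}, {}
    for who in schedule:
        gen = voters.setdefault(who, vote_steps(store, option))
        next(gen, None)               # advance this voter by one step
    return store.get(option, 0)


def stress_locked(n_threads=8, votes_each=1000, option="A"):
    """Fix: hold a lock across the read-modify-write so the two steps cannot
    interleave. Runs real threads; the total is exact every time."""
    store, lock = {}, threading.Lock()

    def worker():
        for _ in range(votes_each):
            with lock:
                store[option] = store.get(option, 0) + 1

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store[option]


if __name__ == "__main__":
    print(run_schedule("AABB"))   # 2: what we expect
    print(run_schedule("ABAB"))   # 1: one vote lost to the race
    print(stress_locked())        # 8000 every run
```

The scheduled version is deterministic on purpose: a real race only shows up sometimes, which is exactly why it is easy to miss in testing, so the interleaving is spelled out rather than left to the thread scheduler.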


Coherent Knowledge-based Operations (CKO)

Intro

I was introduced to CKO in the class Information Warfare at my university (NTNU). I couldn’t gather much information about it online, so I decided to share some notes about what my understanding of it is.
