![Cyber Quests Spring 2019 | write-up [3]](/blog/cyber-quests-spring-2019-write-up/3/img/cyberquest-banner-3.jpg)
Cyber Quests Spring 2019 | write-up [3]
🕴️ CTF Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).
Some questions refer to files contained within this ZIP file : 🔗 Spring 2019 Cyber Quest Resources. Let’s start the fun.
The following questions are based on 🔗 Wifi.pcap:
2️⃣7️⃣ You are part of a wireless penetration test and have acquired the 🔗 WiFi.pcap file.
What is the BSSID of the WAP (colon delimited)?
✅ Answer:
We will use aircrack-ng to analyze the file and get the BSSID of the WAP.
- Install Aircrack-ng: https://www.aircrack-ng.org/doku.php?id=install_aircrack

Open a terminal and run aircrack-ng as follows:
```
$ aircrack-ng WiFi.pcap
Opening WiFi.pcapplease wait...
Read 53337 packets.
# BSSID ESSID Encryption
1 24:F5:A2:11:F7:6A Home_Net WEP (0 IVs)
Choosing first network as target.
Opening WiFi.pcapplease wait...
Read 53337 packets.
1 potential targets
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 15273 ivs.
Aircrack-ng 1.5.2
[00:00:03] Tested 2792 keys (got 15273 IVs)
KB depth byte(vote)
0 1/ 5 6B(21760) 0B(19968) CF(19968) B5(19712) 98(19200) E8(19200)
1 0/ 2 F7(23808) 17(21760) 19(20224) BB(19968) 10(19968) 9F(19712)
2 1/ 6 F7(21760) 60(20992) 1B(20736) 98(20480) 0E(20224) 91(19456)
3 7/ 11 3F(19456) 1A(19200) C3(19200) E6(19200) 91(18944) 6B(18944)
4 3/ 5 A6(20224) 94(19968) C2(19456) BE(19456) 8D(19200) 2A(19200)
KEY FOUND! [ 6B:F7:F7:3F:FC ]
Decrypted correctly: 100%
```
The BSSID of the WAP is 24:F5:A2:11:F7:6A

2️⃣8️⃣ Analyze the WiFi.pcap file. How many seconds long is the packet capture, from beginning to end (round to the nearest second)?
Select one:
- 462
- 595
- 126
- 745
✅ Answer:
Open the file in Wireshark.
From the top menu, select Statistics → Capture File Properties.
The capture length is 595 sec.

2️⃣9️⃣ What is the WEP key of the WAP (without colons)?
✅ Answer:
From the aircrack-ng output in Q27:
WEP key: 6BF7F73FFC

3️⃣0️⃣ Use the WEP key to decrypt the traffic in 🔗WiFi.pcap.
What is the session_id assigned to the administrator of the network device?
✅ Answer:
01) Open the file in Wireshark.
02) Add the WEP key so Wireshark can decrypt the traffic. From the top menu select Wireshark → Preferences, then select Protocols → IEEE 802.11 → Decryption keys → [Edit] and add the WEP key from the previous answer without colons: 6BF7F73FFC

03) Let’s search for all packets that contain session_id and the word admin using this filter:

```
tcp contains "session_id" && tcp contains "admin"
```

Notice the packet whose Info column reads POST /login.cgi HTTP/1.1; this is a login packet.
04) Let’s examine this packet. In the packet details pane, expand HTML Form URL Encoded: application/x-www-form-urlencoded and you will find the admin login details:

```
Form item: "http_username" = "admin"
Form item: "http_passwd" = "ba41d75ebd1339f3a420da1db2c48dc2"
```

Expand Hypertext Transfer Protocol. You will find that admin was granted a session_id after a successful login:

```
session_id=f29e8307513709b98b88b8e029bb7f53
```

Let’s check the rest of the packets. Try this filter to view the POST method packets:

```
http.request.method == "POST"
```

You will find admin applying some configuration to the device with the same session id. To view the packet data, right-click a packet and select Follow → TCP Stream.

The stream shows admin applying configuration with the same session, so the session_id assigned to the administrator of the network device is:
f29e8307513709b98b88b8e029bb7f53
References :
https://wiki.wireshark.org/HowToDecrypt802.11