Salaheldin

June 22, 2019

Cyber Quests Spring 2019 | write-up [3]

US Cyber Challenge

CTF Writeup

๐Ÿ•ด๏ธ Website : https://uscc.cyberquests.org/

This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.

Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).

Some questions refer to files contained within this ZIP file: 🔗 Spring 2019 Cyber Quest Resources.

The following questions refer to 🔗 WiFi.pcap:

2๏ธโƒฃ7๏ธโƒฃ You are part of a wireless penetration test and have acquired the ๐Ÿ”— WiFi.pcap file. What is the BSSID of the WAP (colon delimited)?

โœ… Answer:

We will use aircrack-ng to analyse the file and get the BSSID of the WAP.

01) Install Aircrack-ng
https://www.aircrack-ng.org/doku.php?id=install_aircrack

02) Open a terminal and run the aircrack-ng command as follows:

aircrack-ng WiFi.pcap

$ aircrack-ng WiFi.pcap
Opening WiFi.pcapplease wait...
Read 53337 packets.

   #  BSSID              ESSID                     Encryption

   1  24:F5:A2:11:F7:6A  Home_Net                  WEP (0 IVs)

Choosing first network as target.

Opening WiFi.pcapplease wait...
Read 53337 packets.

1 potential targets

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 15273 ivs.


                                   Aircrack-ng 1.5.2 


                      [00:00:03] Tested 2792 keys (got 15273 IVs)

   KB    depth   byte(vote)
    0    1/  5   6B(21760) 0B(19968) CF(19968) B5(19712) 98(19200) E8(19200) 
    1    0/  2   F7(23808) 17(21760) 19(20224) BB(19968) 10(19968) 9F(19712) 
    2    1/  6   F7(21760) 60(20992) 1B(20736) 98(20480) 0E(20224) 91(19456) 
    3    7/ 11   3F(19456) 1A(19200) C3(19200) E6(19200) 91(18944) 6B(18944) 
    4    3/  5   A6(20224) 94(19968) C2(19456) BE(19456) 8D(19200) 2A(19200) 

                         KEY FOUND! [ 6B:F7:F7:3F:FC ] 
	Decrypted correctly: 100%

The BSSID of the WAP > 24:F5:A2:11:F7:6A


2๏ธโƒฃ8๏ธโƒฃ Analyze the WiFi.pcap file. How many seconds long is the packet capture, from beginning to end (round to the nearest second)?

Select one:

  • 462
  • 595
  • 126
  • 745

✅ Answer:

01) Open the file in Wireshark.

02) From the upper menu select Statistics > Capture File Properties:

cyberquest-28-img-1.jpg

cyberquest-28-img-2.jpg


Capture length (elapsed time) is > 595 sec
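As an added example (not part of the original write-up), the following Python script answers Q27 and Q28 without Wireshark or aircrack-ng: it parses the libpcap file format directly, reports the elapsed capture time rounded to the nearest second, and collects the BSSID (Address 3) from every beacon frame. It assumes a little-endian, microsecond-resolution pcap holding raw 802.11 frames (link type 105) and uses a small constructed capture in place of WiFi.pcap.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_IEEE802_11 = 105      # raw 802.11 frames without a radiotap header


def parse_pcap(data: bytes):
    """Return (linktype, [(timestamp_seconds, frame_bytes), ...]) for a libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    records, offset = [], 24            # the global header is 24 bytes
    while offset + 16 <= len(data):     # each record: 16-byte header, then the frame
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        records.append((ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, records


def capture_duration_seconds(records) -> int:
    """Q28: elapsed time between the earliest and latest packet, rounded to whole seconds."""
    times = [ts for ts, _ in records]
    return round(max(times) - min(times))


def beacon_bssids(linktype, records) -> set:
    """Q27: BSSIDs advertised in beacon frames (management type 0, subtype 8)."""
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (linktype 105)")
    found = set()
    for _ts, frame in records:
        if len(frame) < 24:             # a management header is 24 bytes
            continue
        fc = frame[0]                   # bits 2-3 = type, bits 4-7 = subtype
        if ((fc >> 2) & 0x3) == 0 and ((fc >> 4) & 0xF) == 8:
            found.add(":".join(f"{b:02X}" for b in frame[16:22]))   # Address 3 = BSSID
    return found


def build_sample_pcap() -> bytes:
    """Constructed three-beacon capture spanning 595.4 s; a stand-in for WiFi.pcap."""
    bssid = bytes.fromhex("24F5A211F76A")
    beacon = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00" + b"\x00" * 12
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts_sec, ts_usec in ((1560000000, 250000), (1560000300, 0), (1560000595, 650000)):
        out += struct.pack("<IIII", ts_sec, ts_usec, len(beacon), len(beacon)) + beacon
    return out


if __name__ == "__main__":
    lt, recs = parse_pcap(build_sample_pcap())
    print("duration:", capture_duration_seconds(recs), "s; BSSIDs:", beacon_bssids(lt, recs))
```

To run it against the real capture, replace build_sample_pcap() with open("WiFi.pcap", "rb").read(); a capture saved with a radiotap header (link type 127) would need the radiotap length field skipped first.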


2๏ธโƒฃ9๏ธโƒฃ What is the WEP key of the WAP (without colons)?

โœ… Answer:

From Q27, using the aircrack-ng tool:
WEP key > 6BF7F73FFC


3๏ธโƒฃ0๏ธโƒฃ Use the WEP key to decrypt the traffic in ๐Ÿ”— WiFi.pcap. What is the session_id assigned to the administrator of the network device?

โœ… Answer:

01) Open file in Wireshark.

02) To add the WEP key used to decrypt the traffic, from the upper menu select Wireshark -> Preferences. You should see a window that looks like this:

cyberquest-29-img-1.jpg

Select Protocols -> IEEE 802.11 > Decryption keys [Edit]

cyberquest-29-img-2.jpg

Then add the WEP key from the previous answer, without colons: 6BF7F73FFC

cyberquest-29-img-3.jpg

03) Let's search for all packets that contain session_id and the word admin using this filter:

tcp contains "session_id" && tcp contains "admin"

cyberquest-29-img-4.jpg

Notice the packet info POST /login.cgi HTTP/1.1 which is a login packet.

04) Let's examine this packet: go to the packet details pane and expand HTML Form URL Encoded: application/x-www-form-urlencoded; you will find the admin login details:

Form item: "http_username" = "admin"

Form item: "http_passwd" = "ba41d75ebd1339f3a420da1db2c48dc2"

cyberquest-29-img-5.jpg

Next, expand Hypertext Transfer Protocol:

You will find that admin was granted a session_id after a successful login: session_id=f29e8307513709b98b88b8e029bb7f53

cyberquest-29-img-6.jpg

Let's check the rest of the packets; try this filter to view POST method packets:

http.request.method == "POST"

cyberquest-29-img-7.jpg

You will find admin applying some configuration to the device with the same session id. To view the packet data, right click on the packet > Follow > TCP Stream:

cyberquest-29-img-8.jpg

The stream shows admin applying configuration changes with the same session_id.

Session_id assigned to the administrator of the network device > f29e8307513709b98b88b8e029bb7f53

References:
https://wiki.wireshark.org/HowToDecrypt802.11