Forensicscontest-puzzle8

From aldeid
Jump to navigation Jump to search

Description

This post is the answer to the forensics contest, puzzle #8.

Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?

  • BSSID: 00:23:69:61:00:d0
  • SSID: Ment0rNet
$ tshark -n -R wlan -r evidence08.pcap |grep SSID
  1   0.000000 00:23:69:61:00:d0 -> ff:ff:ff:ff:ff:ff 802.11 105 Beacon frame,
SN=3583, FN=0, Flags=........, BI=100, SSID=Ment0rNet
(...TRUNCATED...)

How long is the packet capture, from beginning to end (in SECONDS, please round to the nearest full second)?

Using nsm-console, or just the capinfos utility, we can easily answer this question:

$ capinfos -u evidence08.pcap
File name:               evidence08.pcap
Capture duration:    414 seconds

Beware using the evidence08.pcap file and not the evidence08-dec.pcap (generated by airdecap-ng) since this latest provides us with different results:

$ capinfos -u evidence08-dec.pcap
File name:               evidence08-dec.pcap
Capture duration:    405 seconds

The capture length is 414 seconds.

How many WEP-encrypted data frames are there total in the packet capture?

Here is a useful online resource to write the filters: http://www.wireshark.org/docs/dfref/w/wlan.html

According to the IEEE 802.11 standard (page 62), to filter the data frames, the values of the frame control (FC) are:

  • type: 10
  • subtype: 0000

By combining the type and the subtype (wlan.fc.type_subtype), the binary value of 100000, converted in hexadecimal is: 0x20.

In addition, we also filter frames that are encrypted using WEP: wlan.fc.protected==1

At last, we filter on the appropriate BSSID: wlan.bssid == 00:23:69:61:00:d0

Combining the filters, here is the syntax:

$ tshark -r evidence08.pcap -R 'wlan.fc.type_subtype==0x20 && wlan.fc.protected==1 
&& wlan.bssid==00:23:69:61:00:d0' | wc -l
59274

There are 59274 WEP-encrypted data frames in our capture file.

Notice that using the statistics, tshark also provides the solution:

$ tshark -r evidence08.pcap -z io,phs
[...TRUNCATED...]
===================================================================
Protocol Hierarchy Statistics
Filter: 

wlan                                     frames:133068 bytes:6556285
  wlan_mgt                           frames:15110 bytes:433527
  data                                   frames:59274 bytes:5526728
===================================================================

How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?

We first need to filter on the appropriate Access Point (AP):

wlan.bssid==00:23:69:61:00:d0

We also want to only keep frames that contain IVs:

wlan.wep.iv

To be able to count the number of frames, we must output the IVs by specifying it as a field:

-T fields -e wlan.wep.iv

The command is:

$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0 && wlan.wep.iv' 
-T fields -e wlan.wep.iv| sort -u |wc -l
  29719

Joe's AP is generating 29719 unique WEP IVs during the capture.

What was the MAC address of the station executing the Layer 2 attacks?

We first crack the key with aircrack-ng:

$ aircrack-ng evidence08.pcap

We can then use airdecap-ng to generate an unencrypted capture file (evidence08-dec.pcap):

$ airdecap -w D0E59EB904 evidence08.pcap

The statistics are:

$ tshark -r evidence08-dec.pcap -z io,phs
[...TRUNCATED...]
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:56692 bytes:3690010
  ip                                     frames:2868 bytes:1427722
    udp                                  frames:85 bytes:29395
      http                               frames:59 bytes:21788
      bootp                              frames:21 bytes:7182
      dns                                frames:5 bytes:425
    tcp                                  frames:2783 bytes:1398327
      http                               frames:904 bytes:1134807
        image-gif                        frames:14 bytes:10204
          tcp.segments                   frames:8 bytes:6592
          malformed                      frames:1 bytes:1514
        data-text-lines                  frames:3 bytes:3720
  ipv6                                   frames:47 bytes:3654
    icmpv6                               frames:47 bytes:3654
  arp                                    frames:53777 bytes:2258634
===================================================================

We immediately notice that the majority of the traffic concerns the ARP protocol. By writting the appropriate filter, we can find what mac address is responsible of the traffic:

$ tshark -r evidence08-dec.pcap -R arp -T fields -e eth.src -e eth.dst | sort | uniq -c
12664 00:11:22:33:44:55	00:23:69:61:00:ce
   2 00:11:22:33:44:55	ff:ff:ff:ff:ff:ff
   1 00:23:69:61:00:ce	00:11:22:33:44:55
   1 00:23:69:61:00:ce	de:ad:be:ef:13:37
   3 00:23:69:61:00:ce	ff:ff:ff:ff:ff:ff
41104 1c:4b:d6:69:cd:07	ff:ff:ff:ff:ff:ff
   2 de:ad:be:ef:13:37	ff:ff:ff:ff:ff:ff

The traffic looks like:

$ tshark -r evidence08-dec.pcap -R 'eth.src==1c:4b:d6:69:cd:07 && arp' | head -n 20
694 174.581146 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
695 174.979009 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
696 174.980033 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
697 174.983103 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
698 174.987200 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
699 174.988185 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
700 174.989207 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
701 174.990785 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
702 174.991810 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
703 174.992256 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
704 174.993305 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
705 174.994879 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
706 174.995391 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
707 174.996375 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
708 174.997439 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
709 174.998425 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
710 174.999487 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
711 175.000472 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
712 175.001537 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
713 175.003544 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1

We can conclude that the mac address of the station making the layer 2 attacks is 1c:4b:d6:69:cd:07.

How many *unique* IVs were generated (relating to Joe’s access point)

By the attacker station?

We first need to filter on the appropriate AP:

wlan.bssid==00:23:69:61:00:d0

We also need to filter the frames that come from the attacker:

wlan.sa==1c:4b:d6:69:cd:07

To know the number of IVs generated by the attacker station:

$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0
 && wlan.sa==1c:4b:d6:69:cd:07
 && wlan.wep.iv' -T fields -e wlan.wep.iv| sort -u | wc -l
  14133

The answer is 14133.

By all *other* stations combined?

$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0
 && wlan.sa!=1c:4b:d6:69:cd:07 && wlan.wep.iv' 
 -T fields -e wlan.wep.iv| sort -u | wc -l
  15587

What was the WEP key of Joe’s WAP?

The aircrack-ng suite helps us decrypting the key:

$ aicrack-ng evidence08.pcap

                                                                                  Aircrack-ng 1.1

                                                                  [00:00:00] Tested 587 keys (got 26805 IVs)

  KB    depth   byte(vote)
   0    3/  4   D0(33536) BC(33024) 27(33024) 1F(33024) 7B(31744) 2F(31744) FF(31488) CA(30976) 96(30720) C9(30720) 69(30720) 6F(30720) DF(30464) E8(30464) 
   1    0/  1   E5(38656) 82(33024) 0C(32256) 3C(32000) EB(31744) 42(31488) 8B(31232) 3D(31232) 8C(31232) 31(30976) 32(30976) 6A(30976) 07(30976) 58(30976) 
   2    0/  5   9E(34048) 27(33792) 7A(32768) E9(32512) 8B(31744) C3(31744) D0(31488) 7B(31488) 2B(31488) 36(31488) BF(31232) E0(31232) 3D(30976) 4A(30720) 
   3    0/  3   B9(35328) 57(35072) B1(34048) 7C(33024) 00(32768) 06(32512) CF(32256) 9C(31744) 09(31488) 3F(31232) 7F(31232) 47(31232) D6(31232) 2B(31232) 
   4    8/ 10   A9(31488) B9(31232) 10(31232) 95(30976) A5(30976) 7A(30976) 08(30720) E1(30720) C8(30720) 8B(30720) B2(30464) B3(30464) 87(30464) 52(30464) 

                        KEY FOUND! [ D0:E5:9E:B9:04 ] 

Decrypted correctly: 100% The key is D0E59EB904.

What were the administrative username and password of the targeted wireless access point?

List of tshark filters for HTTP: http://www.wireshark.org/docs/dfref/h/http.html

$ tshark -r evidence08-dec.pcap -R 'http.request && http.authbasic' -T fields -e http.authbasic | uniq
admin:admin

Tshark is really helpful once more. We filter the HTTP requests (http.request) that contain a Base64 authentication (http.authbasic) and we display the content of the Base64 (-T fields -e http.authbasic). Notice that tshark automatically decodes the Base64:

  • username: admin
  • password: admin

With such credentials, no way that anyone accessing the LAN won't be able to administer the router ;-)

What was the WAP administrative passphrase changed to?

By filtering the HTTP requests (-R http.request) and displaying the details (-V) of the packets, it is easy to guess that the new passphrase is sent as a parameter in the URL (form GET method):

$ tshark -r evidence08-dec.pcap -V -R 'http.request' | grep -i pass
   SecurityMode=3&CipherType=1&PassPhrase=hahp0wnedJ00&GkuInterval=3600&layout=en

Appendix: Frame Control Type and SubType

Framecontrol-type-subtype-1.png

Framecontrol-type-subtype-2.png