# Forensicscontest-puzzle8

Jump to navigation Jump to search

# Description

This post is the answer to the forensics contest, puzzle #8.

# Joe’s WAP is beaconing. Based on the contents of the packet capture, what are the SSID and BSSID of his access point?

• BSSID: 00:23:69:61:00:d0
• SSID: Ment0rNet
```\$ tshark -n -R wlan -r evidence08.pcap |grep SSID
1   0.000000 00:23:69:61:00:d0 -> ff:ff:ff:ff:ff:ff 802.11 105 Beacon frame,
SN=3583, FN=0, Flags=........, BI=100, SSID=Ment0rNet
(...TRUNCATED...)
```

# How long is the packet capture, from beginning to end (in SECONDS, please round to the nearest full second)?

Using nsm-console, or just the capinfos utility, we can easily answer this question:

```\$ capinfos -u evidence08.pcap
File name:               evidence08.pcap
Capture duration:    414 seconds
```

Beware using the evidence08.pcap file and not the evidence08-dec.pcap (generated by airdecap-ng) since this latest provides us with different results:

```\$ capinfos -u evidence08-dec.pcap
File name:               evidence08-dec.pcap
Capture duration:    405 seconds
```

The capture length is 414 seconds.

# How many WEP-encrypted data frames are there total in the packet capture?

Here is a useful online resource to write the filters: http://www.wireshark.org/docs/dfref/w/wlan.html

According to the IEEE 802.11 standard (page 62), to filter the data frames, the values of the frame control (FC) are:

• type: 10
• subtype: 0000

By combining the type and the subtype (wlan.fc.type_subtype), the binary value of 100000, converted in hexadecimal is: 0x20.

In addition, we also filter frames that are encrypted using WEP: wlan.fc.protected==1

At last, we filter on the appropriate BSSID: wlan.bssid == 00:23:69:61:00:d0

Combining the filters, here is the syntax:

```\$ tshark -r evidence08.pcap -R 'wlan.fc.type_subtype==0x20 && wlan.fc.protected==1
&& wlan.bssid==00:23:69:61:00:d0' | wc -l
59274
```

There are 59274 WEP-encrypted data frames in our capture file.

Notice that using the statistics, tshark also provides the solution:

```\$ tshark -r evidence08.pcap -z io,phs
[...TRUNCATED...]
===================================================================
Protocol Hierarchy Statistics
Filter:

wlan                                     frames:133068 bytes:6556285
wlan_mgt                           frames:15110 bytes:433527
data                                   frames:59274 bytes:5526728
===================================================================
```

# How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?

We first need to filter on the appropriate Access Point (AP):

```wlan.bssid==00:23:69:61:00:d0
```

We also want to only keep frames that contain IVs:

```wlan.wep.iv
```

To be able to count the number of frames, we must output the IVs by specifying it as a field:

```-T fields -e wlan.wep.iv
```

The command is:

```\$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0 && wlan.wep.iv'
-T fields -e wlan.wep.iv| sort -u |wc -l
29719
```

Joe's AP is generating 29719 unique WEP IVs during the capture.

# What was the MAC address of the station executing the Layer 2 attacks?

We first crack the key with aircrack-ng:

```\$ aircrack-ng evidence08.pcap
```

We can then use airdecap-ng to generate an unencrypted capture file (evidence08-dec.pcap):

```\$ airdecap -w D0E59EB904 evidence08.pcap
```

The statistics are:

```\$ tshark -r evidence08-dec.pcap -z io,phs
[...TRUNCATED...]
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:56692 bytes:3690010
ip                                     frames:2868 bytes:1427722
udp                                  frames:85 bytes:29395
http                               frames:59 bytes:21788
bootp                              frames:21 bytes:7182
dns                                frames:5 bytes:425
tcp                                  frames:2783 bytes:1398327
http                               frames:904 bytes:1134807
image-gif                        frames:14 bytes:10204
tcp.segments                   frames:8 bytes:6592
malformed                      frames:1 bytes:1514
data-text-lines                  frames:3 bytes:3720
ipv6                                   frames:47 bytes:3654
icmpv6                               frames:47 bytes:3654
arp                                    frames:53777 bytes:2258634
===================================================================
```

We immediately notice that the majority of the traffic concerns the ARP protocol. By writting the appropriate filter, we can find what mac address is responsible of the traffic:

```\$ tshark -r evidence08-dec.pcap -R arp -T fields -e eth.src -e eth.dst | sort | uniq -c
12664 00:11:22:33:44:55	00:23:69:61:00:ce
2 00:11:22:33:44:55	ff:ff:ff:ff:ff:ff
1 00:23:69:61:00:ce	00:11:22:33:44:55
1 00:23:69:61:00:ce	de:ad:be:ef:13:37
3 00:23:69:61:00:ce	ff:ff:ff:ff:ff:ff
41104 1c:4b:d6:69:cd:07	ff:ff:ff:ff:ff:ff
2 de:ad:be:ef:13:37	ff:ff:ff:ff:ff:ff
```

The traffic looks like:

```\$ tshark -r evidence08-dec.pcap -R 'eth.src==1c:4b:d6:69:cd:07 && arp' | head -n 20
694 174.581146 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
695 174.979009 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
696 174.980033 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
697 174.983103 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
698 174.987200 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
699 174.988185 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
700 174.989207 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
701 174.990785 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
702 174.991810 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
703 174.992256 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
704 174.993305 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
705 174.994879 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
706 174.995391 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
707 174.996375 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
708 174.997439 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
709 174.998425 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
710 174.999487 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
711 175.000472 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
712 175.001537 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
713 175.003544 1c:4b:d6:69:cd:07 -> ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.1.100?  Tell 192.168.1.1
```

We can conclude that the mac address of the station making the layer 2 attacks is 1c:4b:d6:69:cd:07.

# How many *unique* IVs were generated (relating to Joe’s access point)

## By the attacker station?

We first need to filter on the appropriate AP:

```wlan.bssid==00:23:69:61:00:d0
```

We also need to filter the frames that come from the attacker:

```wlan.sa==1c:4b:d6:69:cd:07
```

To know the number of IVs generated by the attacker station:

```\$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0
&& wlan.sa==1c:4b:d6:69:cd:07
&& wlan.wep.iv' -T fields -e wlan.wep.iv| sort -u | wc -l
14133
```

The answer is 14133.

## By all *other* stations combined?

```\$ tshark -r evidence08.pcap -R 'wlan.bssid==00:23:69:61:00:d0
&& wlan.sa!=1c:4b:d6:69:cd:07 && wlan.wep.iv'
-T fields -e wlan.wep.iv| sort -u | wc -l
15587
```

# What was the WEP key of Joe’s WAP?

The aircrack-ng suite helps us decrypting the key:

```\$ aicrack-ng evidence08.pcap

Aircrack-ng 1.1

[00:00:00] Tested 587 keys (got 26805 IVs)

KB    depth   byte(vote)
0    3/  4   D0(33536) BC(33024) 27(33024) 1F(33024) 7B(31744) 2F(31744) FF(31488) CA(30976) 96(30720) C9(30720) 69(30720) 6F(30720) DF(30464) E8(30464)
1    0/  1   E5(38656) 82(33024) 0C(32256) 3C(32000) EB(31744) 42(31488) 8B(31232) 3D(31232) 8C(31232) 31(30976) 32(30976) 6A(30976) 07(30976) 58(30976)
2    0/  5   9E(34048) 27(33792) 7A(32768) E9(32512) 8B(31744) C3(31744) D0(31488) 7B(31488) 2B(31488) 36(31488) BF(31232) E0(31232) 3D(30976) 4A(30720)
3    0/  3   B9(35328) 57(35072) B1(34048) 7C(33024) 00(32768) 06(32512) CF(32256) 9C(31744) 09(31488) 3F(31232) 7F(31232) 47(31232) D6(31232) 2B(31232)
4    8/ 10   A9(31488) B9(31232) 10(31232) 95(30976) A5(30976) 7A(30976) 08(30720) E1(30720) C8(30720) 8B(30720) B2(30464) B3(30464) 87(30464) 52(30464)

KEY FOUND! [ D0:E5:9E:B9:04 ]
```

Decrypted correctly: 100% The key is D0E59EB904.

# What were the administrative username and password of the targeted wireless access point?

List of tshark filters for HTTP: http://www.wireshark.org/docs/dfref/h/http.html

```\$ tshark -r evidence08-dec.pcap -R 'http.request && http.authbasic' -T fields -e http.authbasic | uniq
admin:admin
```

Tshark is really helpful once more. We filter the HTTP requests (http.request) that contain a Base64 authentication (http.authbasic) and we display the content of the Base64 (-T fields -e http.authbasic). Notice that tshark automatically decodes the Base64:

• username: admin
• password: admin

With such credentials, no way that anyone accessing the LAN won't be able to administer the router ;-)

# What was the WAP administrative passphrase changed to?

By filtering the HTTP requests (-R http.request) and displaying the details (-V) of the packets, it is easy to guess that the new passphrase is sent as a parameter in the URL (form GET method):

```\$ tshark -r evidence08-dec.pcap -V -R 'http.request' | grep -i pass
SecurityMode=3&CipherType=1&PassPhrase=hahp0wnedJ00&GkuInterval=3600&layout=en
```