🕴️ CTF Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Some questions refer to files contained within this ZIP file : 🔗 Spring 2019 Cyber Quest Resources. Let’s start the fun.
The following questions are based on 🔗 WiFi.pcap:
2️⃣7️⃣ You are part of a wireless penetration test and have acquired the 🔗 WiFi.pcap file.
What is the BSSID of the WAP (colon delimited)?
We will use aircrack-ng to analyze the file and get the BSSID of the WAP.
- Install Aircrack-ng
Open a terminal and run aircrack-ng against the capture:

```
$ aircrack-ng WiFi.pcap
Opening WiFi.pcap
please wait...
Read 53337 packets.

   #  BSSID              ESSID                     Encryption

   1  24:F5:A2:11:F7:6A  Home_Net                  WEP (0 IVs)

Choosing first network as target.

Opening WiFi.pcap
please wait...
Read 53337 packets.

1 potential targets

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 15273 ivs.

                                 Aircrack-ng 1.5.2

                 [00:00:03] Tested 2792 keys (got 15273 IVs)

   KB    depth   byte(vote)
    0    1/  5   6B(21760) 0B(19968) CF(19968) B5(19712) 98(19200) E8(19200)
    1    0/  2   F7(23808) 17(21760) 19(20224) BB(19968) 10(19968) 9F(19712)
    2    1/  6   F7(21760) 60(20992) 1B(20736) 98(20480) 0E(20224) 91(19456)
    3    7/ 11   3F(19456) 1A(19200) C3(19200) E6(19200) 91(18944) 6B(18944)
    4    3/  5   A6(20224) 94(19968) C2(19456) BE(19456) 8D(19200) 2A(19200)

             KEY FOUND! [ 6B:F7:F7:3F:FC ]
        Decrypted correctly: 100%
```

The BSSID of the WAP is 24:F5:A2:11:F7:6A. The same run also recovers the network's WEP key with the PTW attack, using the 15273 IVs present in the capture; "Decrypted correctly: 100%" means the key was verified against the captured frames, and we will need it in Q29.
2️⃣8️⃣ Analyze the WiFi.pcap file. How many seconds long is the packet capture, from beginning to end (round to the nearest second)?
Open the file in Wireshark and select Statistics > Capture File Properties from the upper menu.
The Time section of that dialog shows the first packet, the last packet and the elapsed time between them.
The capture is 595 seconds long (rounded to the nearest second).
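aircrack-ng and Wireshark read these two values out of the pcap for you. To see what they are reading, here is an added example (not from the original write-up) that parses a classic pcap with the Python standard library only, takes the BSSID and ESSID out of 802.11 beacon and data frames, and computes the capture duration from the first and last record timestamps. The capture it runs on is constructed inside the block: two beacons and one data frame carrying the BSSID and ESSID seen above, with timestamps chosen 595.3 s apart, so the numbers it prints are not measurements of WiFi.pcap. Point `summarize()` at the bytes of the real file to get the real ones; it understands link types 105 (raw 802.11) and 127 (radiotap header in front of each frame), which is an assumption about how the capture was written.

```python
"""Extract BSSID/ESSID and capture duration from an 802.11 pcap (stdlib only).
Added example; the sample capture below is constructed, not WiFi.pcap."""
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames
LINKTYPE_RADIOTAP = 127     # 802.11 frames preceded by a radiotap header


def mac(b):
    return ":".join(f"{x:02X}" for x in b)


def iter_pcap(data):
    """Yield (timestamp_seconds, linktype, frame) for each record of a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24                                     # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, linktype, data[off:off + incl_len]
        off += incl_len


def strip_radiotap(frame):
    hlen, = struct.unpack_from("<H", frame, 2)   # radiotap: version, pad, len(LE16)
    return frame[hlen:]


def ssid_from_ies(ies):
    off = 0
    while off + 2 <= len(ies):
        eid, elen = ies[off], ies[off + 1]
        if eid == 0:                             # element id 0 is the SSID
            return ies[off + 2:off + 2 + elen].decode("utf-8", "replace")
        off += 2 + elen
    return None


def parse_frame(frame):
    """Return (bssid, ssid_or_None) for management and data frames, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, fc0 >> 4
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if ftype == 0:                               # management: addr3 is the BSSID
        ssid = ssid_from_ies(frame[36:]) if subtype == 8 else None   # beacon
        return mac(a3), ssid
    if ftype == 2:                               # data: BSSID position depends on DS bits
        if to_ds and not from_ds:
            return mac(a1), None
        if from_ds and not to_ds:
            return mac(a2), None
        if not to_ds and not from_ds:
            return mac(a3), None
        return None                              # 4-address WDS frame: no single BSSID
    return None


def summarize(pcap_bytes):
    """Return (networks, duration_seconds); networks maps BSSID -> {ssid, frames}."""
    nets, first, last = {}, None, None
    for ts, linktype, frame in iter_pcap(pcap_bytes):
        first = ts if first is None else first
        last = ts
        if linktype == LINKTYPE_RADIOTAP:
            frame = strip_radiotap(frame)
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        entry = nets.setdefault(bssid, {"ssid": None, "frames": 0})
        entry["frames"] += 1
        if ssid is not None:
            entry["ssid"] = ssid
    return nets, (0.0 if first is None else last - first)


# --- constructed sample capture (BSSID/ESSID from the aircrack-ng output above) ---
def beacon(bssid, ssid):
    hdr = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capability
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()


def data_frame(bssid, sta):
    # fc 0x08 0x41: data frame, ToDS=1, Protected (WEP) flag set; addr1 is the BSSID
    return bytes([0x08, 0x41, 0x00, 0x00]) + bssid + sta + b"\x00" * 6 + b"\x00\x00" + b"\x00" * 8


def build_pcap(records, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


AP = bytes.fromhex("24F5A211F76A")
STA = bytes.fromhex("001122334455")                       # placeholder client MAC
SAMPLE_PCAP = build_pcap([
    (1000.0, beacon(AP, "Home_Net")),
    (1300.4, data_frame(AP, STA)),
    (1595.3, beacon(AP, "Home_Net")),                     # 595.3 s after the first frame
])

if __name__ == "__main__":
    nets, duration = summarize(SAMPLE_PCAP)
    for bssid, info in nets.items():
        print(f"{bssid}  {info['ssid']}  {info['frames']} frames")
    print(f"capture length: {round(duration)} s")
```

To run it on the real file, replace `SAMPLE_PCAP` with `open("WiFi.pcap", "rb").read()`; if Wireshark saved the file as pcapng the magic check will reject it, and `editcap -F pcap` converts it back.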
2️⃣9️⃣ What is the WEP key of the WAP (without colons)?
The aircrack-ng run in Q27 already printed it: KEY FOUND! [ 6B:F7:F7:3F:FC ]. Without colons the WEP key is 6BF7F73FFC. It is a 40-bit (5-byte) key, and this colon-less hex form is exactly what Wireshark expects when you enter it as a wep key in the next question.
3️⃣0️⃣ Use the WEP key to decrypt the traffic in 🔗 WiFi.pcap.
What is the session_id assigned to the administrator of the network device?
01) Open the file in Wireshark.
02) To add the WEP key so Wireshark can decrypt the traffic, select Edit > Preferences from the upper menu, then Protocols > IEEE 802.11. Tick Enable decryption, click Edit next to Decryption keys, add a key of type wep and paste the WEP key from the previous answer without colons (6BF7F73FFC). Once the key is accepted, the data frames are shown decrypted and the HTTP traffic inside them becomes visible.
03) Let's search for all packets that contain both the string session_id and the word admin, using this filter:
tcp contains "session_id" && tcp contains "admin"
Notice the packet info POST /login.cgi HTTP/1.1, which is a login request.
04) Let's examine this packet: in the packet details pane, expand HTML Form URL Encoded: application/x-www-form-urlencoded and you will find the admin login details:
Form item: "http_username" = "admin"
Form item: "http_passwd" = "ba41d75ebd1339f3a420da1db2c48dc2"
Note that http_passwd is a 32-character hex string rather than the clear-text password, but it is still sent over plain HTTP inside WEP-protected frames, so anyone who recovers the key sees it.
Under the Hypertext Transfer Protocol node of this exchange you will find that admin is granted a session_id after the successful login.
Let's check the rest of the packets. Use this filter to view the POST requests:
http.request.method == "POST"
You will find admin applying configuration changes to the device with the same session_id; to view a packet's data, right-click the packet. That value is the session_id assigned to the administrator of the network device.
For the penetration test report, the chain is worth spelling out: the WEP key was recovered offline from a passive capture of 15273 IVs, and the device's administration runs over plain HTTP, so the admin's password hash and session_id are exposed to anyone who recovers the key.
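To make the decryption step concrete, here is an added example (not part of the original write-up) of what Wireshark does with the key entered in step 02) and what the filters in steps 03) and 04) then find. WEP seeds RC4 with the 3-byte per-frame IV followed by the 40-bit key, decrypts the frame body, and checks the CRC-32 ICV at the end; a wrong key fails that check, which is also how aircrack-ng's "Decrypted correctly: 100%" is established. The encrypted frame body is constructed inside the block by encrypting a sample LLC/SNAP + HTTP POST payload with the key from Q29 (a real data frame also carries IPv4 and TCP headers between the SNAP header and the HTTP text, which Wireshark dissects for you). The http_username and http_passwd values are the ones seen in step 04); the session_id value and the IV are placeholders, not the values in WiFi.pcap.

```python
"""WEP decryption as Wireshark performs it, plus urlencoded form-field extraction.
Added example; the frame body below is constructed, not taken from WiFi.pcap."""
import struct
import zlib
from urllib.parse import parse_qs


def rc4(key, data):
    """Plain RC4: key-scheduling algorithm, then XOR the keystream over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(text):
    """Accept the colon-delimited aircrack-ng form or the bare hex Wireshark wants."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) not in (5, 13):
        raise ValueError("WEP keys are 40-bit (5 bytes) or 104-bit (13 bytes)")
    return raw


def wep_encrypt(data, wep_key, iv, key_id=0):
    """Build a WEP frame body: IV(3) | KeyID(1) | RC4(IV || key, data || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + wep_key, data + icv)


def wep_decrypt(body, wep_key):
    """Undo wep_encrypt and verify the ICV; raises ValueError on a wrong key."""
    iv, payload = body[:3], body[4:]             # body[3] only carries the key index
    plain = rc4(iv + wep_key, payload)
    data, icv = plain[:-4], struct.unpack("<I", plain[-4:])[0]
    if zlib.crc32(data) & 0xFFFFFFFF != icv:
        raise ValueError("ICV mismatch: wrong WEP key or corrupted frame")
    return data


def extract_form_fields(http_text):
    """Split an HTTP request into its request line and its urlencoded form fields."""
    head, _, body = http_text.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    fields = {name: values[0] for name, values in parse_qs(body).items()}
    return request_line, fields


# Key as printed by aircrack-ng in Q27; Wireshark takes it without the colons.
WEP_KEY = parse_wep_key("6B:F7:F7:3F:FC")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header announcing IPv4

# Constructed plaintext. A real frame has IPv4 and TCP headers between the SNAP
# header and the HTTP text; the session_id value here is a placeholder.
SAMPLE_PLAINTEXT = LLC_SNAP_IP + (
    "POST /login.cgi HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "http_username=admin&http_passwd=ba41d75ebd1339f3a420da1db2c48dc2"
    "&session_id=0123456789abcdef"
).encode()
SAMPLE_IV = bytes.fromhex("0c1d2e")               # arbitrary per-frame IV
SAMPLE_WEP_BODY = wep_encrypt(SAMPLE_PLAINTEXT, WEP_KEY, SAMPLE_IV)


def recover_login(wep_body, key_text):
    """Decrypt one WEP frame body with the given key text and pull out the form."""
    plain = wep_decrypt(wep_body, parse_wep_key(key_text))
    if not plain.startswith(LLC_SNAP_IP):
        raise ValueError("decrypted frame does not carry an IPv4 payload")
    return extract_form_fields(plain[len(LLC_SNAP_IP):].decode("latin-1"))


if __name__ == "__main__":
    request_line, fields = recover_login(SAMPLE_WEP_BODY, "6BF7F73FFC")
    print(request_line)
    for name, value in fields.items():
        print(f"  {name} = {value}")
    try:
        wep_decrypt(SAMPLE_WEP_BODY, parse_wep_key("0000000000"))
    except ValueError as exc:
        print("wrong key:", exc)
```

The ICV is only a CRC, not a MAC: it detects a wrong key or line noise, but it offers no protection against deliberate modification, which is one of the reasons WEP traffic can be both read and forged once the key is known.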