Prompt
We have created a packet capture on a temporary wireless network that a couple of hackers have set up. Break into their network and see what you can learn.
Walk-Through
This challenge involves a wireless network protected with WPA encryption. The aircrack-ng suite (Linux) can be used to solve this challenge. In addition, the rockyou.txt wordlist is useful for cracking the pre-shared key.
Questions 1 and 2 can be solved by analyzing the packet capture in Wireshark. Since only access points send beacon frames, filtering for beacons makes the access point (its BSSID and ESSID) easy to identify.
Question 3 can be solved by running aircrack-ng on the packet capture with the wordlist and the BSSID identified above:
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b C0:4A:00:80:76:E4 PCAP3.cap
Questions 4 – 11 can be solved by using the previously acquired WPA key to decrypt traffic in Wireshark. This can be done by selecting “Edit → Preferences → Protocols → IEEE 802.11”, checking “Enable decryption” and adding the decryption key. Note that Wireshark can only decrypt a client's traffic if that client's four-way handshake (EAPOL frames) is present in the capture.
Questions 4 – 9 can be solved by following the TCP streams of the HTTP traffic between a user and the router’s admin panel. The panel uses HTTP Basic authentication, so the base64 Authorization header in the request below carries the admin credentials in clear text once the WPA layer is removed, and the response page embeds the router's model and firmware details in JavaScript arrays.
GET /userRpm/StatusRpm.htm HTTP/1.1
Host: 192.168.0.254
Connection: keep-alive
Authorization: Basic YWRtaW46TkNMLVJDSkQtNjI4MQ==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
DNT: 1
Referer: http://192.168.0.254/userRpm/StatusRpm.htm
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
HTTP/1.1 200 OK
Server: Router
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="TP-LINK Wireless N Nano Router WR702N"
<SCRIPT language="javascript" type="text/javascript">
var statusPara = new Array(
1,
1,
21,
15000,
392,
"4.19.1 Build 130528 Rel.52704n ",
"WR702N 1.0 00000000",
1,
0,0 );
</SCRIPT>
<SCRIPT language="javascript" type="text/javascript">
var lanPara = new Array(
"C0-4A-00-80-76-E4",
"192.168.0.254",
"255.255.255.0",
0,0 );
</SCRIPT>
<SCRIPT language="javascript" type="text/javascript">
var wlanPara = new Array(
1,
"TP-LINK_8076E4",
1,
5,
"C0-4A-00-80-76-E4",
"192.168.0.254",
2,
7,
0,
1,
6,
0,0 );
</SCRIPT>
Questions 10 and 11 can be solved by using this Wireshark filter, which shows only deauthentication frames (management type 0, subtype 12): wlan.fc.type_subtype eq 12
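As an added example (not part of the original walk-through), the script below applies the same type/subtype test as that filter to raw 802.11 frames and lists, in order of first appearance, the stations that deauthentication frames claiming to come from the access point were addressed to. The BSSID is the router MAC from the page; the station MACs, reason codes and frames are constructed for the demo and are not from the challenge capture.

```python
import struct
from collections import OrderedDict

# Wireshark's wlan.fc.type_subtype packs (type << 4) | subtype; deauth is type 0, subtype 12.
DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"

def type_subtype(fc0):
    """Decode the first frame-control byte: bits 2-3 = type, bits 4-7 = subtype."""
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Minimal 802.11 header parse (no radiotap): FC(2) Duration(2) A1 A2 A3 Seq(2)."""
    if len(frame) < 24:
        return None
    return {"type_subtype": type_subtype(frame[0]),
            "addr1": mac(frame[4:10]),    # receiver / destination
            "addr2": mac(frame[10:16]),   # transmitter / source
            "addr3": mac(frame[16:22]),   # BSSID for management frames
            "body": frame[24:]}

def deauth_report(frames, bssid):
    """Keep only deauth frames whose transmitter address is the BSSID (a deauth flood
    spoofs the AP), record each targeted station once, and count broadcast deauths.
    Returns (victims_in_order, broadcast_count, reason_codes)."""
    victims, reasons, broadcast = OrderedDict(), [], 0
    for frame in frames:
        p = parse_frame(frame)
        if p is None or p["type_subtype"] != DEAUTH or p["addr2"] != bssid:
            continue
        reason = struct.unpack("<H", p["body"][:2])[0] if len(p["body"]) >= 2 else None
        reasons.append(reason)
        if p["addr1"] == BROADCAST:
            broadcast += 1
        else:
            victims.setdefault(p["addr1"], reason)
    return list(victims), broadcast, reasons

def build(fc0, a1, a2, a3, body=b""):
    """Construct a raw frame for the demo: FC byte, flags 0, duration 0, A1 A2 A3, seq 0."""
    raw = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return bytes([fc0, 0]) + b"\x00\x00" + raw(a1) + raw(a2) + raw(a3) + b"\x00\x00" + body

# Constructed sample traffic: AP is the router MAC from the page, STA1/STA2 are made up.
AP, STA1, STA2 = "c0:4a:00:80:76:e4", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [build(0x80, BROADCAST, AP, AP),                        # beacon (subtype 8)
          build(0x08, AP, STA1, AP, b"payload"),                 # data frame from STA1
          build(0xC0, STA1, AP, AP, struct.pack("<H", 7)),       # deauth -> STA1, reason 7
          build(0xC0, STA2, AP, AP, struct.pack("<H", 7)),       # deauth -> STA2
          build(0xC0, STA1, AP, AP, struct.pack("<H", 7)),       # repeat deauth -> STA1
          build(0xC0, BROADCAST, AP, AP, struct.pack("<H", 1))]  # broadcast deauth
```

Calling deauth_report(SAMPLE, AP) returns the two station MACs in the order they were first hit, the count of broadcast deauths, and the list of reason codes.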
Questions
What is the MAC address of the router?
What is the ESSID of the WiFi network?
What is the password for the wireless network?
What is the IP address of the router?
What company manufactured the router?
What is the model of the router?
What firmware version is installed on the router?
What release number is the router using?
What is the IP address of the user who logged into the router admin panel?
What is the MAC address of the first victim of the deauth attack?
What is the MAC address of the second victim of the deauth attack?
© 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.