[EN] DEFCON 27 Advanced Wireless Exploitation Workshop — CTF Write-Up

Anıl Çelik
12 min read · Jul 7, 2020


Hello everyone. In this write-up I will be sharing my solutions to the Capture The Flag (CTF) event organized at the end of the DEFCON 27 workshop “Advanced Wireless Exploitation for Red Team and Blue Team”, which was held on the 8th of July, 2019, by Besim ALTINOK.

Let’s dive into questions:

  • Question #1:
Question 1

In this question we need to find the WPA2 password of the Access Point captured in the given pcap file, and then the attacker’s hostname.

  • Answer of Question #1:

Let’s start with cracking the WPA2 password. First we need to check whether we actually have a crackable target in our hands, that is, whether the capture contains a WPA2 4-way handshake that aircrack-ng can run a dictionary attack against. Running aircrack-ng on the pcap file reports this directly; we can check the same thing in Wireshark by looking for EAPOL packets (the handshake messages) in the capture.

Attack Vector Analysis w/aircrack-ng

As we can see, the capture contains a handshake we can attack. Let’s look at the EAPOL packets in Wireshark to double-check:

Attack Vector Analysis w/Wireshark

EAPOL packets are present in the pcap file, which confirms that we can attempt the attack. Note that what aircrack-ng does here is not a brute force over the key itself: for every candidate passphrase it derives the PMK from the passphrase and SSID, derives the PTK from the nonces and MAC addresses in the handshake, and compares the resulting MIC with the one captured in the handshake. The password is found when the MICs match.

Before running the attack we need a good wordlist. We can either generate one or use an existing, already prepared one:

Wordlist for Brute-Force Attack

Now let’s run aircrack-ng with the wordlist and try to obtain the WPA2 password:

WPA2 Password Cracking

We have successfully obtained the password. Now we can proceed to the second part of the question, identifying the attacker’s hostname. To do that we use the bootp display filter, which was given to us as a hint in the question. BOOTP (Bootstrap Protocol) is the protocol DHCP was built on: DHCP reuses the BOOTP message format and adds options on top of it, and it is the server that hands out IP addresses (and other settings) to the devices on a network. Older Wireshark versions name the dissector bootp, hence the filter; since Wireshark 3.0 it has been renamed and the filter is dhcp.

Now we know which filter to use, but one important thing to remember is that the data frames in this capture are still encrypted: WPA2 protects every data frame with CCMP, so the DHCP traffic inside them is just ciphertext to Wireshark. We won’t get the hostname without decrypting the capture first:

Encrypted bootp packets

To decrypt the traffic we add a decryption key in Wireshark’s IEEE 802.11 protocol preferences (Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys, with “Enable decryption” ticked). Wireshark can only decrypt a client’s traffic if the capture also contains that client’s 4-way handshake, because that is how it derives the per-session keys from the passphrase:

IEEE 802.11 Preferences

Now let’s add the WPA2 password we found as a key of type wpa-pwd (the value is either the passphrase alone or passphrase:SSID):

Adding WPA2 Password as Decryption Key

Let’s filter the bootp packets again:

Decrypted bootp packets

From now on we can view the DHCP traffic, and the hostname is in the DHCP Discover packet (the client puts it in DHCP option 12, Host Name):

Hostname Discovery

The answer we’ve been looking for was: redteam.
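As an added example (not from the write-up), here is the parsing that sits behind the Wireshark view above: walk the DHCP option list that follows the fixed BOOTP header and pull out the message type (option 53) and the hostname (option 12), together with a couple of other fields that identify a client. The Discover packet it runs on is constructed here from the hostname found in the CTF; in practice the payload is the decrypted UDP payload from the capture.

```python
import struct

# Added example, not part of the original write-up: extract hostname (option 12) and
# message type (option 53) from a raw DHCP/BOOTP payload, i.e. what the bootp/dhcp
# filter shows in Wireshark once the 802.11 data frames are decrypted.

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 12, 50, 53, 60
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Walk the tag/length/value options after the 236-byte BOOTP header and the magic cookie."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie: plain BOOTP or not DHCP at all")
    opts, pos = {}, 240
    while pos < len(payload):
        tag = payload[pos]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:              # single-byte padding, no length field
            pos += 1
            continue
        length = payload[pos + 1]
        opts[tag] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


def dhcp_summary(payload: bytes) -> dict:
    """The fields an analyst wants from one DHCP message: who sent it and what it calls itself."""
    op, _htype, hlen = struct.unpack_from(">BBB", payload, 0)
    opts = parse_dhcp_options(payload)
    text = lambda tag: opts[tag].decode("utf-8", errors="replace") if tag in opts else None
    return {
        "op": "request" if op == 1 else "reply",
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),   # chaddr
        "msg_type": MSG_TYPES.get(opts[OPT_MSG_TYPE][0]) if OPT_MSG_TYPE in opts else None,
        "hostname": text(OPT_HOSTNAME),
        "requested_ip": ".".join(map(str, opts[OPT_REQUESTED_IP])) if OPT_REQUESTED_IP in opts else None,
        "vendor_class": text(OPT_VENDOR_CLASS),
    }


def build_discover(client_mac: bytes, hostname: bytes, xid: int = 0x1234) -> bytes:
    """Constructed DHCP Discover for the sample below (real ones come out of the capture)."""
    header = struct.pack(">BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 16                                         # ciaddr, yiaddr, siaddr, giaddr
    header += client_mac + b"\x00" * (16 - len(client_mac))        # chaddr (16 bytes)
    header += b"\x00" * 64 + b"\x00" * 128                         # sname, file
    options = (bytes([OPT_MSG_TYPE, 1, 1])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_VENDOR_CLASS, 5]) + b"dhcpc"
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed sample: a client calling itself "redteam" (the hostname found in the CTF capture).
SAMPLE_DISCOVER = build_discover(bytes.fromhex("0a1b2c3d4e5f"), b"redteam")

if __name__ == "__main__":
    print(dhcp_summary(SAMPLE_DISCOVER))
```

The hostname is self-reported by the client, so it is an attribution hint rather than proof; the chaddr and vendor class (option 60) are worth recording alongside it for the same reason.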

  • Question #2:
Question 2

In this question we need to identify hidden SSIDs and collect information about them.

  • Answer of Question #2:

When we check the pcap file, we see two hidden SSIDs: one 6 characters long (\000\000\000\000\000\000) and one 8 characters long (\000\000\000\000\000\000\000\000). An AP that hides its SSID still sends beacons, but the SSID element is either empty or, as here, filled with null bytes; each “\000” is one null byte, so the length of the field leaks the length of the real SSID:

First Hidden SSID: 6 characters length
Second Hidden SSID: 8 characters length

First let’s inspect the Beacon Frame of the AP with the 6-character hidden SSID:

Channel Number of the AP with First Hidden SSID

From here we can see that the Access Point with the 6-character hidden SSID is on Channel 6 (the DS Parameter Set element of the beacon). We will use this later when inspecting Probe Requests and Probe Responses.

Let’s check the other Access Point, with the 8-character hidden SSID:

Channel Number of the AP with Second Hidden SSID

The channel number of this AP is also 6.

To identify the actual value of a hidden SSID, we can use one of two methods: passive listening and active listening.

  • Passive Listening: analysing a capture obtained with a tool such as airodump-ng, without transmitting anything. The SSID is revealed whenever a client probes for the network or associates with it, since Probe Requests, Probe Responses and Association Requests all carry the SSID in clear.
  • Active Listening: in addition to passive listening, we typically run a deauthentication (DoS) attack against a specific client to drop it from the network and force it to reconnect; the reconnection exposes the SSID in the client’s Probe Request and Association Request. Alternatively, we can brute-force the SSID by sending Probe Requests with candidate names and watching for a Probe Response.

At this point, since we already have a saved pcap file, we can analyze it on Wireshark.

When we check the first Beacon Frame, we see that it is coming from “MS-NLB-PhysServer-32_10:44:34:62:5E” with MAC address “02:30:44:34:62:5E” (Wireshark resolves the locally-administered 02:xx prefix to that name; it is not a real vendor). This frame is a broadcast, as beacons always are. For a more accurate analysis we can look at Probe Responses directly, because they are sent from an Access Point to the specific client that asked and carry the SSID. To filter Probe Responses we can use “wlan.fc.subtype == 0x0005” (or the more precise “wlan.fc.type_subtype == 0x0005”, which restricts the match to management frames). When we look at the Probe Responses, there is none from “MS-NLB-PhysServer-32_10:44:34:62:5E” back to any client. Next, we can inspect the Probe Requests with the filter “wlan.fc.subtype == 0x0004”:

Probe Requests

Let’s filter the packets involving “MS-NLB-PhysServer-32_10:44:34:62:5E”:

Probe Requests from MS-NLB-PhysServer-32_10:44:34:62:5E

Having listed all the Probe Requests involving this Access Point, the next step is to look for a 6-character SSID value. However, as we can see from the figure above, there is no 6-character SSID there. As a final step, we can look for 6-character SSIDs sent by or to other MAC addresses in the capture. When we do this, we get the result below:

6 character length SSIDs

The only 6-character SSID in the pcap file is DefCon. We can then check whether it is the real SSID of the hidden AP by comparing channel numbers: when we inspect a packet, its channel number is also 6. (Channel alone is weak evidence, since both hidden APs here are on channel 6; a Probe Response or Association Request carrying the SSID together with the hidden AP’s BSSID would be conclusive.)

Channel Number of DefCon

Let’s follow the same procedure for the second Access Point, with the 8-character hidden SSID. From its Beacon Frame we can see that its MAC address is “C0:D3:C0:31:E7:C9”, resolved as “SamsungE_31:E7:C9”. First, let’s filter the Probe Responses coming from this MAC address using the “wlan.fc.subtype == 0x0005” filter:

Probe Responses from SamsungE_31:E7:C9

As we can see, only one SSID comes out of this Access Point, and it is “Flamingo”. We can also list the Probe Requests:

Probe Requests to the AP with SSID: Flamingo

Finally, when we inspect any of the packets from the Access Point with SSID Flamingo, we see that the channel number is 6:

Channel Number of AP with SSID: Flamingo

That was the solution of the 2nd question. Let’s proceed to the next one.

  • Question #3:
Question 3

In this question we need to identify fake access points. As a hint, we’ve been told to use airodump-ng.

  • Answer of Question #3:

The only thing we need here is the “--uptime” option of airodump-ng. Every beacon carries a 64-bit Timestamp field (the AP’s TSF timer, in microseconds), which normally starts from zero when the AP boots; airodump-ng converts it into days, hours and minutes. If fake access points exist in the environment, their uptime will be much lower than that of the real ones: for example, if a real access point has been up for 10 days, a recently created fake one will show only a couple of hours. Another point to be careful about is that an attacker who knows this may start the fake access point with a hidden SSID well ahead of time, so that it silently accumulates uptime before the SSID is exposed; a normal user who has never heard of airodump-ng will not notice the fake access point either way. Note also that the timestamp is just a field in the beacon, so a tool that crafts its own beacons can set it to anything; uptime is a heuristic, not proof. Before we analyse the pcap file with the “airodump-ng -r <file_name> --uptime” command, let’s identify the non-hidden SSID values by filtering Beacon Frames in Wireshark:

SSID Values of APs

As a result, there are 3 SSID values: Pbbbg, DEFCON_WPA_1 and ALPHA. Yet those are not all of the SSIDs; to find the rest we also need to check the Probe Responses:

Probe Responses from APs

In the Probe Response frames we find 2 more SSIDs, Caesars_Resorts and BETA. Now that we have completed the SSID analysis, we can proceed with the airodump-ng part:

airodump-ng output for uptime

Looking at the airodump-ng output: the Access Points with SSIDs ALPHA, BETA and Caesars_Resorts have uptimes of 128 days, and a second Access Point with SSID BETA but a different MAC address has 79 days of uptime. When we look at the Access Points with SSIDs DEFCON_WPA_1 and Pbbbbg, however, they are not so innocent: DEFCON_WPA_1 has only 1 hour and 25 minutes of uptime and Pbbbbg only 3 minutes. Based on their uptime values, one or both of these are fake access points. (Two APs advertising the same SSID BETA from different BSSIDs is also worth a second look, since an evil twin impersonates a legitimate SSID; here both have long uptimes, which is consistent with two legitimate APs on the same network.)
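The two checks used in Questions 2 and 3, recovering a hidden SSID from a Probe Response sent by the same BSSID and reading the beacon timestamp that airodump-ng --uptime prints, both come down to parsing Beacon and Probe Response frames. The Python below does that on raw 802.11 management frames (no radiotap header). It is an added example, not code from the write-up or from aircrack-ng; the frames, MAC addresses, SSIDs and uptimes it works on are constructed, and the one-day threshold in flag_young_aps is an assumption chosen for the example.

```python
import struct

# Added example, not part of the original write-up: parse raw 802.11 management frames
# (no radiotap header) to (a) recover hidden SSIDs from Probe Responses and (b) read the
# beacon Timestamp field that airodump-ng --uptime displays.

BEACON, PROBE_RESP = 8, 5          # management frame subtypes
IE_SSID, IE_DS_PARAM = 0, 3        # information element IDs (SSID, DS Parameter Set = channel)
MGMT_HDR = 24                      # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctl(2)
FIXED_PARAMS = 12                  # timestamp(8) beacon interval(2) capability(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame: bytes):
    """Return the fields we care about from a Beacon or Probe Response, else None."""
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    tsf_us, _interval, _cap = struct.unpack_from("<QHH", frame, MGMT_HDR)
    ies, pos = {}, MGMT_HDR + FIXED_PARAMS
    while pos + 2 <= len(frame):                     # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        ies[tag] = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"subtype": subtype, "bssid": mac_str(frame[16:22]), "tsf_us": tsf_us,
            "ssid": ies.get(IE_SSID, b""),
            "channel": ies[IE_DS_PARAM][0] if IE_DS_PARAM in ies else None}


def is_hidden(ssid: bytes) -> bool:
    """Hidden SSID: element of length 0, or (as in this CTF) filled with null bytes."""
    return not ssid.strip(b"\x00")


def resolve_hidden_ssids(frames):
    """Map BSSID -> real SSID for every hidden beacon that has a Probe Response from the
    same BSSID whose SSID length equals the null-filled length seen in the beacon."""
    parsed = [p for p in map(parse_mgmt, frames) if p]
    hidden = {p["bssid"]: len(p["ssid"]) for p in parsed
              if p["subtype"] == BEACON and is_hidden(p["ssid"])}
    found = {}
    for p in parsed:
        if p["subtype"] == PROBE_RESP and p["bssid"] in hidden and not is_hidden(p["ssid"]):
            expected = hidden[p["bssid"]]
            if expected == 0 or len(p["ssid"]) == expected:
                found[p["bssid"]] = p["ssid"].decode("utf-8", errors="replace")
    return found


def ap_uptimes(frames):
    """BSSID -> uptime in seconds from the largest beacon timestamp seen (TSF in microseconds)."""
    up = {}
    for p in map(parse_mgmt, frames):
        if p and p["subtype"] == BEACON:
            up[p["bssid"]] = max(up.get(p["bssid"], 0), p["tsf_us"] // 1_000_000)
    return up


def flag_young_aps(frames, min_uptime_s=24 * 3600):
    """APs whose beacon timestamp says they started less than min_uptime_s ago (assumed: one day).
    Heuristic only: the timestamp is whatever the transmitter chose to put in the frame."""
    return {b: s for b, s in ap_uptimes(frames).items() if s < min_uptime_s}


def build_mgmt(subtype, bssid, tsf_us, ssid, channel, dst=b"\xff" * 6):
    """Constructed frame builder for the sample data below (addr1 = destination, addr2/3 = AP)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", tsf_us, 100, 0x0411)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    return header + fixed + ies


# Constructed sample capture (MACs, SSIDs and uptimes invented for the example).
AP1, AP2, AP3 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
CLIENT = bytes.fromhex("0a0000000009")
DAY_US = 24 * 3600 * 1_000_000
SAMPLE_FRAMES = [
    build_mgmt(BEACON, AP1, 128 * DAY_US, b"\x00" * 6, 6),                     # hidden, 6 nulls
    build_mgmt(PROBE_RESP, AP1, 128 * DAY_US + 5000, b"DefCon", 6, CLIENT),
    build_mgmt(BEACON, AP2, 180 * 1_000_000, b"\x00" * 8, 6),                  # hidden, 3 minutes up
    build_mgmt(PROBE_RESP, AP2, 180 * 1_000_000 + 5000, b"Flamingo", 6, CLIENT),
    build_mgmt(BEACON, AP3, 79 * DAY_US, b"ALPHA", 1),                         # visible SSID
]

if __name__ == "__main__":
    print(resolve_hidden_ssids(SAMPLE_FRAMES))
    print(flag_young_aps(SAMPLE_FRAMES))
```

Matching on BSSID plus SSID length is stricter than the channel comparison used above, which is why the resolver keys on the Probe Response’s addr3 rather than on the channel; the uptime check is the same arithmetic airodump-ng performs on the Timestamp field.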

  • Question #4:
Question 4

In this question we need to find information about a student from the given pcap file.

When you see this question you may recall eduroam, since it is about a student. eduroam is the roaming Wi-Fi service used by students and academics at universities; it is a WPA2-Enterprise network, so users authenticate with 802.1X/EAP and their credentials are relayed to their home institution’s RADIUS server. To find out more about eduroam, you can check out the DEFCON 27 presentation by Besim ALTINOK.

  • Answer of Question #4:

We can start solving the question by checking whether there is an SSID with value “eduroam”:

Beacon Frames from AP with SSID: eduroam

As we can see, the Access Point with MAC address “A0:A4:C5:BC:E5:0D”, resolved as “IntelCor_BC:E5:0D”, sends many Beacon Frames with SSID eduroam. Inspecting these packets further, we find an Association Request, which tells us that somebody tried to connect to this network:

Association Request(s) made to the Access Point with SSID: eduroam

Here we can see that a Samsung device sent an Association Request to this network. Next, we should check whether anybody has authenticated to this network with EAP, because eduroam is an enterprise (802.1X) network that requires credential-based authentication.

EAP Packets between Client and Access Point

As we can see from the figure above, before the Samsung device’s request an Apple device tried to connect to this network, but a couple of Failure packets returned from the Access Point to the client tell us that it was not able to authenticate. We can look at these Response, Identity packets to see what information they carry:

False Identity Information

Here we see an identity with username 0310260149127180@wlan.mnc260.mcc310.3gppnetwork.org. This is the NAI format used by EAP-SIM/EAP-AKA: the leading digit 0 marks an EAP-AKA permanent identity, the rest of the username is the subscriber’s IMSI, and the realm carries the Mobile Network Code (MNC 260) and Mobile Country Code (MCC 310), which give us the mobile operator and the country. Now let’s find the packet(s) containing the correct information about the student (the ones with a completed authentication):

Identity Response from a device with Samsung MAC Address

From here we can see that the identity sent in the Response, Identity packet from the Samsung device led to a successful authentication, because there is a Success message at the end of the exchange. When we inspect the corresponding Response, Identity packet:

True Identity Information

We see that the identity has the username LegendaryNacar@hacettepe.edu.tr, which suggests a “Name-Surname” or “Surname-Name” format, because the “L” in “Legendary” and the “N” in “Nacar” are written in capital letters. Lastly, the mail domain tells us that this student is at Hacettepe University. Note that in real life these identity packets are much more detailed and contain more information. This is also why eduroam clients (PEAP/TTLS) should be configured with an anonymous outer identity such as anonymous@realm: the outer EAP Response/Identity is sent in clear, and only the inner identity inside the TLS tunnel needs the real username.
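As an added example (not from the write-up), the Python below pulls the identity out of EAPOL frames carrying EAP, pairs each Response/Identity with the Success or Failure that follows it, and decodes the two identity formats seen in this question: a plain user@realm, and the 3GPP form whose leading digit selects EAP-SIM, EAP-AKA or EAP-AKA’ and whose realm encodes MCC and MNC. The frames are constructed from the two identity strings above; the operator lookup itself is left to a public MCC/MNC table (in that table MCC 310 is the United States and MNC 260 is allocated to T-Mobile USA).

```python
import struct

# Added example, not part of the original write-up: extract the identity from an EAP
# Response/Identity carried in EAPOL and decode the 3GPP (EAP-SIM/EAP-AKA) NAI form.

EAPOL_EAP_PACKET = 0
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Leading digit of the username selects method and identity kind
# (RFC 4186 EAP-SIM, RFC 4187 EAP-AKA, RFC 5448 EAP-AKA').
ID_PREFIX = {
    "0": ("EAP-AKA", "permanent (IMSI)"), "1": ("EAP-SIM", "permanent (IMSI)"),
    "2": ("EAP-AKA", "pseudonym"), "3": ("EAP-SIM", "pseudonym"),
    "4": ("EAP-AKA", "fast re-auth"), "5": ("EAP-SIM", "fast re-auth"),
    "6": ("EAP-AKA'", "permanent (IMSI)"), "7": ("EAP-AKA'", "pseudonym"),
    "8": ("EAP-AKA'", "fast re-auth"),
}


def parse_eapol_eap(eapol: bytes):
    """Return {'code', 'id', 'type'?, 'identity'?} for an EAPOL frame carrying EAP, else None."""
    _version, ptype, _plen = struct.unpack_from(">BBH", eapol, 0)
    if ptype != EAPOL_EAP_PACKET:            # e.g. type 3 = EAPOL-Key (the 4-way handshake)
        return None
    code, eap_id, eap_len = struct.unpack_from(">BBH", eapol, 4)
    pkt = {"code": EAP_CODE.get(code, code), "id": eap_id}
    if code in (1, 2) and eap_len > 4:       # only Request/Response carry a type byte
        pkt["type"] = eapol[8]
        if pkt["type"] == EAP_TYPE_IDENTITY:
            pkt["identity"] = eapol[9:4 + eap_len].decode("utf-8", errors="replace")
    return pkt


def decode_identity(identity: str) -> dict:
    """Split user@realm; for a 3GPP realm also recover method, IMSI, MCC and MNC."""
    user, _, realm = identity.partition("@")
    info = {"user": user, "realm": realm}
    if realm.endswith(".3gppnetwork.org"):
        # 3GPP TS 23.003: <digit><IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
        method, kind = ID_PREFIX.get(user[:1], ("unknown", "unknown"))
        labels = realm.split(".")
        mnc = next((l[3:] for l in labels if l.startswith("mnc")), None)
        mcc = next((l[3:] for l in labels if l.startswith("mcc")), None)
        imsi = user[1:]
        info.update(method=method, identity_kind=kind, imsi=imsi, mcc=mcc, mnc=mnc,
                    imsi_matches_realm=imsi.startswith((mcc or "") + (mnc or "")))
    return info


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Constructed EAPOL/EAP Response-Identity frame for the samples below."""
    data = identity.encode()
    eap = struct.pack(">BBH", 2, eap_id, 5 + len(data)) + bytes([EAP_TYPE_IDENTITY]) + data
    return b"\x01" + bytes([EAPOL_EAP_PACKET]) + struct.pack(">H", len(eap)) + eap


def build_eap_result(success: bool, eap_id: int = 9) -> bytes:
    """Constructed EAP Success (code 3) or Failure (code 4) frame."""
    eap = struct.pack(">BBH", 3 if success else 4, eap_id, 4)
    return b"\x01\x00" + struct.pack(">H", len(eap)) + eap


def identities_in(frames):
    """Pair each Response/Identity with the next Success/Failure that follows it."""
    out, pending = [], None
    for pkt in map(parse_eapol_eap, frames):
        if pkt is None:
            continue
        if "identity" in pkt:
            pending = decode_identity(pkt["identity"])
        elif pkt["code"] in ("Success", "Failure") and pending is not None:
            pending["result"] = pkt["code"]
            out.append(pending)
            pending = None
    return out


# Constructed samples using the two identity strings discussed above.
AKA_IDENTITY = "0310260149127180@wlan.mnc260.mcc310.3gppnetwork.org"
EDU_IDENTITY = "LegendaryNacar@hacettepe.edu.tr"
SAMPLE_FRAMES = [build_identity_response(AKA_IDENTITY, 1), build_eap_result(False, 2),
                 build_identity_response(EDU_IDENTITY, 3), build_eap_result(True, 4)]

if __name__ == "__main__":
    for entry in identities_in(SAMPLE_FRAMES):
        print(entry)
```

Everything this script reads is in clear on the air: EAPOL is sent before any encryption key exists, which is exactly why the outer identity should never be the real username.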

  • Question #5:
Question 5

In this question we need to crack the WEP key of the Access Point in the pcap file. As a hint, we’ve been told that the key is built from the characters “b43s15m6”, which we can use to generate our wordlist.

  • Answer of Question #5:

To find the SSID of the WEP-protected Access Point, we can open the pcap file with airodump-ng:

airodump-ng output of 6_wep.pcap file

We can see that the Access Point we are targeting has the SSID GameOfPwners, and the ENC column confirms that it uses WEP.

To run a dictionary attack against this WEP-protected network we can create a wordlist and use aircrack-ng. First, let’s generate a wordlist of 8-character passwords, since the hint itself is 8 characters long:

8-char wordlist generation

Now let’s run aircrack-ng with this wordlist:

aircrack-ng result

Unfortunately, we were not able to crack the key. There are two possible reasons:

  1. Our wordlist is insufficient.
  2. The key has a length other than 128 bits, which is aircrack-ng’s default.

Since we built the wordlist from exactly the characters given in the question, we can set the first option aside and focus on the second.

WEP encrypts each frame with the RC4 stream cipher: the per-frame RC4 key is the 24-bit IV prepended to the shared secret key, and the resulting keystream is XORed with the plaintext. The secret key is 40 bits (5 bytes) or 104 bits (13 bytes), which together with the IV gives the “64-bit” and “128-bit” WEP key sizes. In a dictionary attack aircrack-ng has to know which key length to assume, so we can try the lengths from smallest to largest by passing the corresponding aircrack-ng parameter. The man page tells us which one:

aircrack-ng man page

As we can see, the key length is given with the “-n” parameter. It starts at 64 and goes up to 512 bits, via 128, 152, 256 and 512. We can first try 64 bits; the man page says this corresponds to a 40-bit WEP key, which is 5 bytes, i.e. a 5-character ASCII password. So we need a new wordlist of 5-character passwords:

5-char wordlist generation

Now let’s run aircrack-ng with the command “aircrack-ng -n 64 <file_name> -w 5charwordlist.txt”:

WEP Password

Now we’ve obtained the WEP key.
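As an added example (not from the write-up and not aircrack-ng’s code), the Python below runs a WEP dictionary attack the way aircrack-ng -w does: for each candidate secret key it prepends the frame’s IV, decrypts the body with RC4 and checks the CRC-32 ICV at the end of the plaintext. It makes the key-length problem concrete: a 13-character candidate can never decrypt a frame encrypted under a 5-byte key, whatever the characters are. The encrypted bodies are constructed here under a 5-character key drawn from the hint alphabet; the plaintext inside them is invented.

```python
import itertools
import struct
import zlib

# Added example, not part of the original write-up: a WEP dictionary attack in the style
# of aircrack-ng -w, showing why the key length (-n) has to match the wordlist.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XORed into data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key id(1) | RC4(IV||secret, plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext))
    return iv + b"\x00" + rc4(iv + secret, plaintext + icv)


def wep_try_key(secret: bytes, body: bytes):
    """Decrypt one body with a candidate secret; return the plaintext if the ICV verifies, else None."""
    iv, ciphertext = body[:3], body[4:]
    plain = rc4(iv + secret, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None


def wep_dictionary_attack(bodies, alphabet: str, key_chars: int):
    """Try every key of key_chars characters over the alphabet. A key must pass the ICV
    check on every captured body: a single CRC-32 match is a 1-in-2^32 false positive."""
    for combo in itertools.product(alphabet, repeat=key_chars):
        secret = "".join(combo).encode()
        if all(wep_try_key(secret, body) is not None for body in bodies):
            return secret.decode()
    return None


def aircrack_n_for(secret: bytes) -> int:
    """Value to pass as aircrack-ng -n: secret key bits plus the 24-bit IV (5 chars -> 64, 13 -> 128)."""
    return len(secret) * 8 + 24


# Constructed sample: two data frames encrypted under a 5-character key from the hint
# alphabet; the LLC/SNAP header plus IP-looking payload is invented.
HINT_ALPHABET = "b43s15m6"
_KEY = b"b43s1"
_LLC = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
SAMPLE_BODIES = [
    wep_encrypt(_KEY, b"\x01\x02\x03", _LLC + b"\x45\x00\x00\x1c" + b"\x11" * 16),
    wep_encrypt(_KEY, b"\x07\x08\x09", _LLC + b"\x45\x00\x00\x30" + b"\x22" * 20),
]

if __name__ == "__main__":
    print("5-char key:", wep_dictionary_attack(SAMPLE_BODIES, HINT_ALPHABET, 5))
```

With an 8-character alphabet the 5-character keyspace is 8^5 = 32768 candidates, while the 8-character one the first attempt used is 8^8, about 16.7 million, and none of those could ever match a 40-bit key. Note that aircrack-ng normally breaks WEP statistically from captured IVs (the PTW attack) without any wordlist at all; the dictionary mode only makes sense when, as in this CTF, the key’s alphabet is known.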

This CTF gave me the chance to learn new things along with testing my knowledge of the things I already knew. I hope you enjoyed reading it and that you learnt something new. Last but not least, I would like to thank Besim ALTINOK for preparing this CTF.

That’s all folks, see you on my next write-ups!
