# \[Forensic] WPA-ing Out (200 pts)

## Question

I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump. Use this '[pcap file](https://artifacts.picoctf.net/c/8/wpa-ing_out.pcap)' and the `rockyou` wordlist. The flag should be entered in the picoCTF{XXXXXX} format.

## Hint

Finding the IEEE 802.11 wireless protocol used in the wireless traffic packet capture is easier with wireshark, the JAWS of the network.

Aircrack-ng can make a pcap file catch big air...and crack a password.

## Solution

The challenge gave us a **pcap** file and hints that point at the `rockyou` wordlist, so it seems we must crack something to get the password.

First, I imported the **pcap** file into Wireshark for analysis and checked the protocol hierarchy to see how the capture is structured. As you can see in the image below, the capture contains two kinds of packets: **802.1X authentication** and **Data**. I looked through the data traffic, but nothing was readable because all of it was encrypted.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2F4fIQBDFuCypN5sDcuqBK%2F1.png?alt=media&#x26;token=9880a235-156b-4699-ab11-cea34276f594" alt=""><figcaption><p>pcap file</p></figcaption></figure>

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FpwrYiPnJTKCfvYcsTGzz%2F2.png?alt=media&#x26;token=4a58410d-cdf9-425a-87f5-fc3f7c3d8e4f" alt=""><figcaption><p>Protocol Hierarchy</p></figcaption></figure>

I was stuck at this point, so I decided to follow the hint and try cracking the password.

Following the hint, I ran `aircrack-ng` against the **pcap** file with the `rockyou` wordlist:

```bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-ing_out.pcap

# /usr/share/wordlists/rockyou.txt: wordlist path
# wpa-ing_out.pcap: pcap file to crack
```

Here we go: `aircrack-ng` recovered the password.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FF9mRZlFM931gdfp5S2H2%2F3.png?alt=media&#x26;token=9830af67-b880-4018-97bf-ba664222328f" alt=""><figcaption><p>Crack pcap using aircrack-ng</p></figcaption></figure>

Let’s use the password to decrypt the rest of the traffic. Open Wireshark, go to Edit/Preferences/Protocols, choose IEEE 802.11 and add the decryption key as shown in the image below (`Gone_Surfing` is the SSID of the wireless network).

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FfvKRrjgfnj7SNv3PXQuF%2F4.png?alt=media&#x26;token=994a52fb-c722-4316-b7d3-9f95b36bd8cc" alt=""><figcaption><p>Setup decryption password</p></figcaption></figure>
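To show what the two steps above actually compute, here is an added Python example that is not part of the original write-up: it derives the WPA2 PMK from passphrase and SSID (the same PBKDF2 step `aircrack-ng` repeats for every `rockyou` entry), checks a candidate passphrase against the MIC of an EAPOL handshake frame, and prints the PMK hex, which Wireshark also accepts as a `wpa-psk` key in place of `wpa-pwd`. The MAC addresses, nonces and EAPOL frame are constructed here, not taken from the challenge pcap.

```python
import hashlib
import hmac

# Constructed sample handshake values (not taken from the challenge pcap).
SSID = "Gone_Surfing"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Its hex form is what Wireshark accepts as a 'wpa-psk' key instead of 'wpa-pwd'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (the Key Confirmation Key) from the 802.11i PRF-512."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:81] + bytes(16) + frame[97:]   # Key MIC field is bytes 81..96 of the EAPOL frame
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def passphrase_matches(candidate: str, ssid: str, ap_mac, sta_mac, anonce, snonce, frame: bytes) -> bool:
    """The per-wordlist-entry check aircrack-ng performs: re-derive the MIC and compare."""
    kck = derive_kck(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, frame), frame[81:97])

def build_frame(passphrase: str) -> bytes:
    """Construct a minimal message-2 EAPOL-Key frame carrying a valid MIC under `passphrase`."""
    frame = bytearray(99)
    frame[0:2] = b"\x02\x03"             # EAPOL version 2, packet type EAPOL-Key
    frame[2:4] = (95).to_bytes(2, "big")  # body length: 99 - 4 header bytes
    frame[4] = 0x02                       # key descriptor type: RSN
    frame[5:7] = b"\x01\x0a"              # key info: version 2 (HMAC-SHA1), pairwise, MIC present
    frame[17:49] = SNONCE
    kck = derive_kck(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    frame[81:97] = eapol_mic(kck, bytes(frame))
    return bytes(frame)

if __name__ == "__main__":
    print("wpa-psk:" + derive_pmk("mickeymouse", SSID).hex())
    print(passphrase_matches("mickeymouse", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, build_frame("mickeymouse")))
```

Because the PMK depends on the SSID as salt, the same passphrase yields a different key on another network, which is why Wireshark needs both values.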

I checked the protocol hierarchy again and could now see much more traffic.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FKlvTHByvNWJcw4Idh8V1%2F5.png?alt=media&#x26;token=968b0c2e-16d7-46f0-ad8a-ed3b25c392a8" alt=""><figcaption><p>Protocol Hierarchy</p></figcaption></figure>

Then I filtered the UDP traffic and looked for anything related to picoCTF, but found nothing.

<figure><img src="https://2930324358-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MCVzu45Bb9LVrMqjdY6%2Fuploads%2FLHcPrufq7TntPF9nJC5I%2F6.png?alt=media&#x26;token=96a98062-2fb8-4208-8656-9e5ceb499683" alt=""><figcaption><p>Wireshark traffic</p></figcaption></figure>

Hmm, where is the flag? I checked the required format, picoCTF{XXXXXX}, and thought that maybe the password itself is the flag value. I submitted the password as the flag and, boom, it was accepted.

I had assumed the password was needed to decrypt more traffic and that the flag would be found there, but that wasn’t the case. Still, I learned a lot about networking. Thanks to the author MISTRESSVAMPY.

## **Flag**

```
picoCTF{mickeymouse}
```
