[Forensic] WPA-ing Out (200 pts)

Question

I thought that my password was super-secret, but it turns out that passwords passed over the AIR can be CRACKED, especially if I used the same wireless network password as one in the rockyou.txt credential dump. Use this 'pcap file' and the rockyou wordlist. The flag should be entered in the picoCTF{XXXXXX} format.

Hint

Finding the IEEE 802.11 wireless protocol used in the wireless traffic packet capture is easier with wireshark, the JAWS of the network.

Aircrack-ng can make a pcap file catch big air...and crack a password.

Solution

The challenge gave us a pcap file and some hints about the rockyou password list, so it seemed we would have to crack something to get the password.

Firstly, I imported the pcap file into Wireshark to analyze it. I checked the protocol hierarchy to see the packet structure. As you can see in the image below, I saw two kinds of packets: 802.1X authentication and Data. I looked around the data traffic, but nothing was interesting; all the data was encrypted.

I was kind of stuck, so I decided to follow the hint and try to crack any passwords.

Following the hint, I used aircrack-ng and tried to crack the pcap file with the rockyou wordlist:

aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-ing_out.pcap

# /usr/share/wordlists/rockyou.txt: wordlist path
# wpa-ing_out.pcap: pcap file to crack

Here we go, I got the password.

Let’s use the password to see more of the traffic. Open Wireshark, go to Edit/Preferences/Protocols, choose IEEE 802.11 and add the decryption key as in the image below. (Gone_Surfing is the SSID of the wireless network.)
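Why both the password and the SSID are needed, and why a dictionary attack works at all: the WPA/WPA2 pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so anyone holding a captured handshake can derive candidate keys offline from a wordlist. The following Python is an added example, not part of the original writeup or of aircrack-ng; the wordlist lines and the SSID/passphrase pairing are taken from this page, and the IEEE test vector (passphrase "password", SSID "IEEE") is the standard one.

```python
import hashlib
import string
from typing import Iterable, Optional

# Constructed stand-in for a few lines of rockyou.txt (not the real file);
# "mickeymouse" is the password the writeup recovered.
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "mickeymouse", "princess1"]

_PASSPHRASE_CHARS = set(string.printable) - set("\t\n\r\x0b\x0c")


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """IEEE 802.11i passphrases are 8 to 63 printable ASCII characters.
    Shorter wordlist entries (e.g. "123456") can never be a WPA-PSK, which
    is why crackers skip them instead of hashing them."""
    return 8 <= len(passphrase) <= 63 and all(c in _PASSPHRASE_CHARS for c in passphrase)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (256-bit PSK) = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iters, 32 bytes).
    The SSID is the salt: the same passphrase on another SSID yields a different key,
    and Wireshark needs both to decrypt the capture."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wireshark_wpa_psk(passphrase: str, ssid: str) -> str:
    """64-hex-char form usable as a 'wpa-psk' decryption key in Wireshark's
    IEEE 802.11 preferences, as an alternative to 'wpa-pwd' (passphrase:SSID)."""
    return wpa_pmk(passphrase, ssid).hex()


def psk_in_wordlist(ssid: str, pmk: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Defensive audit of your own network: does any wordlist entry reproduce this
    PMK? Each candidate costs a full 4096-iteration PBKDF2, which is the only thing
    slowing an offline attack down; a passphrase that is in a breach list is lost."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not is_valid_wpa_passphrase(word):
            continue
        if wpa_pmk(word, ssid) == pmk:
            return word
    return None


if __name__ == "__main__":
    pmk = wpa_pmk("mickeymouse", "Gone_Surfing")
    print("wpa-psk for Wireshark:", pmk.hex())
    print("found in sample wordlist:", psk_in_wordlist("Gone_Surfing", pmk, SAMPLE_WORDLIST))
```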

I checked the protocol hierarchy again and could see more traffic.

Then I filtered for UDP traffic. I tried to find some information related to picoCTF but got nothing.

Hmm, where is the flag? I checked the flag format and saw that it is picoCTF{XXXXXX}, so maybe the password itself was the flag value. I submitted the password as the flag and boom, I solved it.

I thought the password was meant to decrypt more traffic data and that I would find the flag in there, but that wasn’t true. Still, I learned a lot about networking. Thanks to the author, MISTRESSVAMPY.

Flag

picoCTF{mickeymouse}
