Inter0ptik is on the lam and is pinned down. The area is crawling with cops, and so he must stay put. But he also desperately needs to be able to get a message out to Ann and Mr. X. Lucky for him he detects a single wireless access point (WAP) in the building next door that he might be able to use, but it is using encryption and there are no other opportunities available. What is Inter0ptik to do?
Meanwhile, next door…
Joe is a sysadmin at HackMe, Inc. He runs the technical infrastructure for a small company, including a WAP that he uses pretty much exclusively, and also very rarely. He’s trying to use it now and has discovered his connection is dropping consistently. He captures some traffic, but he really has no idea how to interpret it. Suddenly he discovers he can’t even log in to administer his WAP at all!
You are the forensic investigator. Your team got a tip that Inter0ptik might be hunkered down in the area and contacted local admins concerning suspicious network activity. Joe has provided you with his packet capture and helpfully tells you that his own MAC address is 00:11:22:33:44:55. Can you figure out what’s going on and track the attacker’s activities?
1) Joe’s WAP is beaconing. Based on the contents of the packet capture,
what are:
a. The SSID of his access point?
b. The BSSID of his access point?
The frames are 802.11 (WLAN), so this is a wireless capture. Looking at the beacon frames (filter `wlan.fc.type_subtype == 0x08`), the SSID element in the beacon body gives the access point's name: Ment0rNet.

The BSSID of the access point (the `wlan.bssid` field of those beacons) is 00:23:69:61:00:d0.

2) How long is the packet capture, from beginning to end (in SECONDS –please round to the nearest full second)? 414 seconds (the elapsed time between the first and last frame, as reported by Statistics > Capture File Properties).

3) How many WEP-encrypted data frames are there total in the packet capture?
A frame whose Type/Subtype is 0x20 (type 2 = Data, subtype 0) is a plain data frame.

Applying the filter `wlan.fc.type_subtype == 0x20`, the status bar at the bottom right shows 59274 displayed frames. To be strict about "WEP-encrypted", add `&& wlan.fc.protected == 1` so that only frames with the Protected bit set in the frame control field are counted.

4) How many *unique* WEP initialization vectors (IVs) are there TOTAL in the packet capture relating to Joe’s access point?
This was computed with a tshark command that selects the WEP data frames belonging to that BSSID, extracts the `wlan.wep.iv` field, and counts the values after removing duplicates (the IV is the 3-byte value at the start of each WEP-protected data frame's body; it is repeated across frames, which is why only unique IVs matter for cracking).

5) What was the MAC address of the station executing the Layer 2 attacks?
Using Wireshark's Endpoints feature (Statistics > Endpoints, WLAN tab), the station executing the Layer 2 attacks can be identified as 1c:4b:d6:69:cd:07.

6) How many *unique* IVs were generated (relating to Joe’s access point):
a. By the attacker station?
Among frames whose BSSID is 00:23:69:61:00:d0 (the AP) and whose source address (`wlan.sa`) is 1c:4b:d6:69:cd:07 (the attacker station), there are 14133 unique (deduplicated) WEP IVs.

b. By all *other* stations combined?
Among frames whose BSSID is 00:23:69:61:00:d0 and whose source address (`wlan.sa`) is anything other than 1c:4b:d6:69:cd:07, all remaining stations combined produced 15587 unique WEP IVs.
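The counts for questions 1 to 6 all come down to the same handful of 802.11 header fields. The script below is an added example for this writeup, not the page's own tshark command, and re-implements those filters by hand: `wlan.fc.type_subtype == 0x20 && wlan.fc.protected == 1` for WEP data frames, `wlan.bssid` and `wlan.sa` to split them by access point and sender, `wlan.wep.iv` for the IV, and the SSID element of beacons. It assumes a classic pcap whose link type is raw IEEE 802.11 without a radiotap header (DLT 105), which may not match Joe's file; the capture it analyses is constructed inline, so the numbers it prints are for that sample and not for the puzzle. The tshark equivalent of question 4 is `tshark -r capture.pcap -Y 'wlan.bssid == 00:23:69:61:00:d0 && wlan.fc.type_subtype == 0x20 && wlan.fc.protected == 1' -T fields -e wlan.wep.iv | sort -u | wc -l`.

```python
"""Count WEP data frames and unique WEP IVs per BSSID / source station (added example)."""
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105            # assumption: raw 802.11 link type, no radiotap header
AP = "00:23:69:61:00:d0"        # Joe's BSSID (from the writeup)
ATTACKER = "1c:4b:d6:69:cd:07"  # attacker station (from the writeup)
JOE = "00:11:22:33:44:55"       # Joe's own station (from the puzzle text)

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def pcap_records(data):
    """Yield (timestamp, frame) from a classic pcap file; pcapng is not handled."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != DLT_IEEE802_11:
        raise ValueError("expected link type 105 (IEEE 802.11)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def parse_frame(frame):
    """Decode the MAC header fields the writeup's Wireshark filters rely on."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 3, (fc0 >> 4) & 0xF
    info = {"type_subtype": (ftype << 4) | subtype,   # same encoding as wlan.fc.type_subtype
            "protected": (fc1 >> 6) & 1, "sa": None, "bssid": None, "body": b""}
    if ftype == 1:                  # control frames: short header, nothing we need
        return info
    to_ds, from_ds = fc1 & 1, (fc1 >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:           # WDS: addr4 is the SA, there is no single BSSID field
        sa, bssid, hdr = frame[24:30], None, 30
    elif to_ds:
        sa, bssid, hdr = a2, a1, 24
    elif from_ds:
        sa, bssid, hdr = a3, a2, 24
    else:
        sa, bssid, hdr = a2, a3, 24
    info.update(sa=mac_str(sa), bssid=mac_str(bssid) if bssid else None, body=frame[hdr:])
    if ftype == 2 and info["protected"]:
        info["iv"] = info["body"][:3].hex()   # wlan.wep.iv: 3 bytes before the key-ID byte
    return info

def beacon_ssid(body):
    """SSID element (tag 0) after the fixed 12-byte beacon prefix (timestamp, interval, capability)."""
    off = 12
    while off + 2 <= len(body):
        tag, length = body[off], body[off + 1]
        if tag == 0:
            return body[off + 2:off + 2 + length].decode("ascii", "replace")
        off += 2 + length
    return None

def analyze(pcap, ap=AP, attacker=ATTACKER):
    first = last = ssid = None
    wep_data = 0
    ivs = defaultdict(set)          # source station -> unique IVs it sent on this BSSID
    for ts, frame_bytes in pcap_records(pcap):
        first = ts if first is None else first
        last = ts
        f = parse_frame(frame_bytes)
        if f["type_subtype"] == 0x08 and f["bssid"] == ap:
            ssid = beacon_ssid(f["body"])
        elif f["type_subtype"] == 0x20 and f["protected"]:   # the question-3 filter
            wep_data += 1
            if f["bssid"] == ap:
                ivs[f["sa"]].add(f["iv"])
    others = set().union(*(s for sa, s in ivs.items() if sa != attacker))
    return {"ssid": ssid, "duration_s": round(last - first) if first is not None else 0,
            "wep_data_frames": wep_data, "unique_ivs_total": len(set().union(*ivs.values())),
            "unique_ivs_attacker": len(ivs.get(attacker, set())), "unique_ivs_others": len(others)}

# ---- constructed sample capture (not Joe's pcap) -----------------------------------
def frame(fc0, fc1, a1, a2, a3, body):
    return bytes([fc0, fc1, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\0\0" + body

def wep(iv_hex):                    # IV + key-ID byte + dummy ciphertext + dummy ICV
    return bytes.fromhex(iv_hex) + b"\0" + b"\0" * 12

def build_pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for ts, fr in records:
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(fr), len(fr)) + fr
    return out

BEACON_BODY = b"\0" * 8 + b"\x64\0" + b"\x11\0" + b"\x00\x09Ment0rNet"
SAMPLE_PCAP = build_pcap([
    (0.0, frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP, BEACON_BODY)),      # beacon
    (1.0, frame(0xC0, 0x00, JOE, AP, AP, b"\x07\x00")),                      # deauth: management, not data
    (2.0, frame(0x08, 0x41, AP, ATTACKER, JOE, wep("000001"))),              # attacker -> AP (ToDS)
    (2.5, frame(0x08, 0x41, AP, ATTACKER, JOE, wep("000002"))),
    (3.0, frame(0x08, 0x41, AP, ATTACKER, JOE, wep("000001"))),              # repeated IV, not unique
    (3.5, frame(0x08, 0x41, AP, JOE, ATTACKER, wep("0000a0"))),              # Joe -> AP
    (4.0, frame(0x08, 0x42, JOE, AP, AP, wep("0000b0"))),                    # AP -> Joe (FromDS, SA = AP)
    (4.2, frame(0x08, 0x41, AP, JOE, ATTACKER, wep("000001"))),              # Joe reuses the attacker's IV
    (5.4, frame(0x08, 0x41, "02:00:00:00:00:01", JOE, "02:00:00:00:00:02", wep("0000ff"))),  # other BSSID
])

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_PCAP).items():
        print(f"{k}: {v}")
```

Note that the per-station sets deliberately overlap: an IV the attacker used can also be used by Joe, so the attacker's count plus the others' count can exceed the total of unique IVs on the BSSID.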

7) What was the WEP key of Joe’s WAP?
Running aircrack-ng against the capture (restricted to the AP's BSSID with `-b 00:23:69:61:00:d0`) recovers the 40-bit WEP key D0:E5:9E:B9:04 from the collected IVs.

8) What were the administrative username and password of the targeted wireless access point?
Entering the WEP key (D0:E5:9E:B9:04) under Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys and enabling decryption shows that the key is correct: every encrypted data frame decrypts successfully.

Filtering the decrypted traffic on `http` reveals the HTTP Basic authentication credentials admin:admin (Wireshark decodes the base64 Authorization header into the `http.authbasic` field).

9) What was the WAP administrative passphrase changed to?
Filtering on `http.authbasic` to isolate the authenticated admin requests and then searching the packet bytes for the string "passphrase" locates the request in which the passphrase was changed to hahp0wnedJ00.
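Questions 7 to 9 rest on what Wireshark does once the key is entered: it prepends each frame's 3-byte IV to the 40-bit key, runs RC4, and checks the CRC-32 ICV at the end of the decrypted body; only then is the HTTP payload readable. The block below is an added example, not code from the writeup or from Wireshark, that performs those steps on a constructed frame body. The key is the one recovered in question 7; the HTTP request, its URL and host, and the form field carrying the passphrase are constructed for illustration (a real decrypted data frame would also carry LLC/SNAP, IP and TCP headers in front of the HTTP bytes).

```python
"""WEP decryption with ICV check, plus extraction of the admin credentials (added example)."""
import base64
import struct
import zlib
from urllib.parse import parse_qs

WEP_KEY = bytes.fromhex("D0E59EB904")   # key recovered with aircrack-ng in question 7

def rc4(key, data):
    """Plain RC4 (KSA + PRGA) XORed over data; WEP uses key = IV || root key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(plaintext):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(root_key, iv, plaintext, key_id=0):
    """Build a WEP frame body: IV, key-ID byte (bits 6-7), RC4(plaintext || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + root_key, plaintext + icv(plaintext))

def wep_decrypt(root_key, body):
    """Return the plaintext, or None when the ICV does not verify (wrong key)."""
    iv = body[:3]
    decrypted = rc4(iv + root_key, body[4:])
    plaintext, tail = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tail else None

def basic_auth_credentials(http_bytes):
    """Decode the Authorization: Basic header the way Wireshark's http.authbasic does."""
    for line in http_bytes.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            return base64.b64decode(line.split(b" ", 2)[2]).decode()
    return None

def form_fields(http_bytes):
    """Parse an x-www-form-urlencoded request body into {field: first value}."""
    _, _, body = http_bytes.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}

# ---- constructed sample (hypothetical admin request, not from Joe's capture) ----
SAMPLE_HTTP = (b"POST /admin.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
               b"Authorization: Basic " + base64.b64encode(b"admin:admin") + b"\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"passphrase=hahp0wnedJ00")
SAMPLE_FRAME_BODY = wep_encrypt(WEP_KEY, bytes.fromhex("0a0b0c"), SAMPLE_HTTP)

if __name__ == "__main__":
    plain = wep_decrypt(WEP_KEY, SAMPLE_FRAME_BODY)
    print("wrong key ->", wep_decrypt(bytes.fromhex("0000000000"), SAMPLE_FRAME_BODY))
    print("credentials:", basic_auth_credentials(plain))
    print("new passphrase:", form_fields(plain)["passphrase"])
```

The ICV check is what tells Wireshark (and aircrack-ng) that a candidate key is right: with the wrong key RC4 still produces output, but the CRC-32 at the end no longer matches, so the frame is left encrypted instead of being shown as garbage.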
