Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Security Challenge VII

  • 04-01-2012 1:39am
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Just after finishing up VI and stated that I wouldn't be running any more.. another idea popped into my head:

    VII:

    http://damo.clanteam.com/sch7/

    Usual rules apply.

    This one is completely different than the others. Should be fairly trivial for those in the know-how, for others there is a bit to learn :-)

    Do you find these type of challenges interesting? 22 votes

    yes
    0% 0 votes
    no
    100% 22 votes


Comments

  • Closed Accounts Posts: 465 ✭✭pacquiao


    O a scale of 1-10. How hard is this one?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    About 2-3.

    Just need the right tools for the job. Should be straight forward enough.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pacquiao wrote: »
    O a scale of 1-10. How hard is this one?

    If you need a hint, let me know.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    I had a look at it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Your on the right track, but maybe edit that spoiler as that is a pretty strong spoiler. You got one piece of info incorrect in it though.


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    heheh that was the strong spoiler I was on about but its slightly incorrect.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    is this it
    WEP Key: 6C52D55CEFC23E5196A83F9BCD


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pacquiao wrote: »
    is this it
    WEP Key: 6C52D55CEFC23E5196A83F9BCD


    Also wrong, when its correct you'll know, but you need to know what to do with it when its correct.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    I got it. That was really enjoyable. It's very realistic too.
    Thanks a lot Damo.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Only 3 guys on the hall of fame:
    Ack!
    pacquiao
    emf

    Are people stuck ?


  • Advertisement
  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Jimi Hendrix - third rock from the sun ... wifi


  • Registered Users, Registered Users 2 Posts: 194 ✭✭daffy_duc


    Hi ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Well done :-)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Done. Very good. Also discovered a bug in wireshark while working on it.
    The decode wireless traffic appears broken in 1.4.11 on Fedora. I tried using airodecap-ng to see if it made a difference which it did, then I analysed the decrypted traffic with wireshark. Took me a while but once I saw the you know what, I was in with in minutes.

    Really good challenge and really life-like as another poster said.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    skylops:
    I think its because aircrack captures wireless frames, while wireshark doesn't. You'll notice wireshark can decode wireless traffic it captures itself.

    By the way that other aircrack tool you use was part of the challenge :-)

    Putting in a spoiler as its giving away the challenge.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    skylops:
    I think its because aircrack captures wireless frames, while wireshark doesn't. You'll notice wireshark can decode wireless traffic it captures itself.

    By the way that other aircrack tool you use was part of the challenge :-)

    Putting in a spoiler as its giving away the challenge.

    Sorry, i meant to put in a spolier and for some unknown reason I quoted it instead :confused:

    Have fixed it now. What you said about
    wireshark
    makes sense.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    This was nice Damo. Thanks 900913 for the pointer.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    [-0-] wrote: »
    This was nice Damo. Thanks 900913 for the pointer.


    Damo helped me out alot with this challenge, I knew the key but I didnt know what to do with it. [-0-] now you know how to read encrypted wireless data.
    :-)
    I love these challenges cause I learn so much from them, and it's in a fun way.

    :-)


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    I tried it with the above mentioned tools and it complained about insufficient ISVs. Must give it another go. :rolleyes:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    make sure you..
    use airdecap-ng rather than aircrack-ng.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,216 ✭✭✭Kur4mA


    I want to start on these challenges too but I am also a total n00b. I not only think these are brilliant, but would love to see it taken further and have them permanently hosted. I'd be willing to contribute to that and am sure others would too. It would be great to start some knowledge sharing too. :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just some notes on this challenge. This one was a bit of a tricky one to setup. Putting it in a spoiler in-case some of you want to still do the challenge.

    Idea was to have a WiFi spot that has a weak encryption key. In the setup, the WiFi owner would visit the challenge page and log in. Another user (the fictitious character in the prologue of the challenge) sniffs wireless traffic in the air. Little does he know he sniffed encrypted traffic from this WiFi spot, that can actually be decrypted, revealing everything the WiFi owner did, including the credentials he used for the SCHVII hall of fame. Which is the idea of the challenge.

    But I didn't have a spare WiFi spot lying around to create this. So I setup a VM on my laptop running some flavor of linux, and used airbase-ng to create a fake WiFi spot from a wireless adapter (edimax ew-7128g) .

    So I created a fake eircom WiFi spot that is weak to the old wep generation algo that was exposed some years ago. I have matched the SSID, WEP key and MAC, as if it were a real eircom router.

    airbase-ng -e "eircom1234 5670" -a 00:0F:CC:29:C4:74 -c 3 -w 1809d03b82b17d47d8195be596 mon0

    Next, we want the person connection to this WiFi spot to actually be able to use the internet, so we gotta setup a tap interface and allow them to be assigned an IP. When they connect to my fake WiFi spot, they will actually be routed through my internet connection via my laptop's built in WiFi adapter (think intel 4965agn). You can look online on how to do this. There is far to much to explain here, but basically what I have executed is:

    ifconfig at0 up
    ifconfig at0 10.0.0.254 netmask 255.255.255.0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo > '/var/lib/dhcp3/dhcpd.leases'
    ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
    dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &[/code]


    Mean while, on another(!) WiFi adapter (alfa 500mw awus036h) on the linux VM, as the challenge says: the guy in the prologue (me) ran:
    airmon-ng start wlan0
    airodump-ng -w capture mon0

    ...which captured all traffic on our fake WiFi spot.

    Yet at the same time, on my phone (with all cookies/sessions cleared!), I connected to the fake WiFi spot. Browsed some random pages. Then browsed to the SCHVII page challenge page. Logged into the Hall Of Fame with correct credentials, which would go through our fake WiFi spot in the VM, which in turn would have been captured by our other WiFi adapter sniffing/monitoring traffic, and hence, the challenge was created.



  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone stuck on this one?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Solution to this was:

    You will notice many of the files reference "eircom1234 5670". You may have decided to use one of the many online generators online to generate a WEP key: 1809d03b82b17d47d8195be596.

    Now you can decrypt the wireless packet capture file:
    # airdecap-ng -w 1809d03b82b17d47d8195be596 *.cap

    View the decrypted file with wireshark.

    You will see what use user was doing on the network. You will see an URL he visited and the credentials he used.


  • Banned (with Prison Access) Posts: 13,018 ✭✭✭✭jank


    Have no idea where you get that WEP key, all the online Generators gave me a key of 07FD5751E32199B641B49FF667 and I tried a few of them so that must mean my original plaintext ascii input is wrong..?

    Great challenge though, would love to know if there are more of these out there.


  • Registered Users, Registered Users 2 Posts: 1 gem600


    @jank
    use http://www.bacik.org/eircomwep/ to generate the wep key.


Advertisement