Description: This is the 2nd Wi-Fi Challenge: Level Intermediate. Have a look at the complete series of videos and challenges by visiting the group page: http://www.securitytube.net/groups?operation=view&groupId=9
In this challenge, you will again have to crack WEP :) Use the PCAP file below and begin your journey. Just one catch - there are multiple WEP keys which can be retrieved from the file and you win only if you find them all :)
http://code.securitytube.net/Challenge2.cap
Post a short comment if you are participating :)
Tags: wi-fi, security, hacking, challenge
Here I am, in participation!
It's gonna be a long night in hell for me :) Have been waiting for this! I am in. I took a look at the trace and ran Aircrack-ng on it, but it failed!
Also, Airdecloak-ng crashed! Looks like a bug in their code.
Going to try my best. :)
This is why ST is the no.1 security video portal! Free knowledge, great community and an awesome teacher :)
Let's do this.
Just saw the video and wanted to say thanks to Fitzroy for his support. :)
Same here, just saw the video. I must say thanks to Fitzroy for his support.
The wireless challenges are interesting. I just don't have the time at the moment ;) Keep it up. I'm sure they'll all really appreciate it. @Fitzroy - thanks for providing some extra motivation for people. The carrot is usually more pleasant than the stick.
wooow... Love this game.
Thanks for your generosity Fitzroy, I'm definitely taking part in this one :)
--Chard
I learned a lot on the last one, so I'm all in on this one too..
Fitzroy, you are my friend! Thanks, guy.
I'm not going to take part in this one because I went badly wrong last time, gave people a bum steer and bad code, and - if I'm honest - I'm just not smart enough to work this out.
Good luck with it to everyone else :-)
@Blackmarketeer Don't give up!! And don't talk like that about yourself :@ .
Practice will make you a master, not giving up. Learn from your mistakes, and take other people's advice and you will be on the right path to become a wifi/hacking master. It takes time but it's worth it :)
Count me in.
I'm playing around with the capture file.
Did some simple things to get some insight.
- Replayed it in airodump-ng: only the PwnMe SSID is shown.
- Ran the capture file through aircrack-ng; no crack here, not enough packets (too simple, but had to try it) ;)
So maybe we need the script from Challenge1 again or use another tool or script. (still in the open minded phase)
- Loaded the capture file in Wireshark, and did some filtering.
I added a new column "real date and time" (-> Edit, Preferences, Columns) to sort all frames with this new column.
No gotcha yet! Just sharing what I did so far.
I'm browsing to get the click in my head and find out which frames we need and which frames we can discard from the capture.
@MamboYoyo You are very close ... you did something which could have almost given you the solution. Don't give up! :) If you are good with Wireshark, you could just use it for this one without any scripting required.
@Blackmarketeer You were the last person I expected would quit :) Your hunch was the closest in the last challenge and actually helped everyone.
Others, this is an easy one! Don't quit!
I too am playing with different sorting in Wireshark. Making progress....I think
@WCNA Yes, as I always say - "Packets don't lie" :)
When I took a look at the pcap in Wireshark, I realized that there are four authentication packets; there is a difference between the sequence numbers of each pair.
So I tried to filter all the sequence numbers before the second authentication.
But now I'm trying with airdecloak-ng.
Vivek, am I on the right track or not?
Trying filtering on conversations next
toooo many repeated sequence numbers :)
My logic just does not work like everyone else's - I am so illogical. My train of thought is pasted below - but it's just not the same as everyone else's:
The first thing that crosses my mind is how many keys could there be when Vivek says 'all'? More specifically, how can we find out how many different keys have been used? In normal circumstances we would expect a single AP to be using the same key. If cloaking were going on we would have lots of spoof 'chaff' packets too, but these would tend only to be data packets which a number of tools can remove with a good degree of confidence. However, Vivek indicates that this is not a cloaking exercise, but part of the preamble to it. So this leads me to wonder how Vivek has generated packets with multiple keys. Perhaps he has randomly changed the key on the access point and client during the session to confuse us - or perhaps he has used multiple clients to the same AP - or even both.
If he has changed the key mid flow it would be reasonable to expect to see some kind of short term failure or reauthentication/association. However, if cloaking were in use, how could we possibly tell the wheat from the chaff?
Going for the obvious first, drill down on different clients and eliminate if we can. There appears to be a few other clients chatting, but they don't seem to be talking to the DLINK access point 00:21:91:D2:8E:25 - so for now I'm discounting them. (Liteon/Shanghai/apple to apple/ruckus & netgear).
It would be worth running a couple of tools on the whole capture, just to eliminate them 'as is'. These are airdecloak-ng, and our old friend aircrack-ng.
First of all, try the door and run the original trace file through aircrack-ng just in case. It bombed out with 'failed - next try with 35000 IVs'.
Next - did:
airdecloak-ng -i Challange2.pcap --bssid 00:21:91:d2:8e:25
This produced a couple of output files:
Challange2.pcap-filtered.pcap at 7.5 mb
Challange2.pcap-cloaked.pcap at 278 bytes
Running the larger of the two through aircrack-ng bombed out after about 20 seconds with 'failed - next try with 35000 IVs'
Tried running a number of filters with airdecloak-ng, and then running aircrack-ng on the resulting files, but no dice.
Thinking to how Vivek would emulate this my best guess would be he would manually change the WEP key on the AP. This should result in deauthentication of the client. Filtering the capture file with wlan.fc.type_subtype == 0x0c (deauth) shows a block of them for about 8 seconds starting at packet number 170. Perhaps if I export subfiles here and try them against aircrack-ng (or even the python script created yesterday)? Worth a go.
I Neeeed Hint
Im here
black, I too am trying sorting by deauth as well as conversations, without luck. Is anybody making any progress?
Not even a clue :(
Waiting for a hint.
WCNA, Only problem with this approach is if this *were* cloaking, it would not have deauth - so it's probably not in the spirit of what Vivek has set up here, and may be well off centre.
I've also tried sorting times on the theory that it would take a few seconds for V to change the wep key and we would see gaps
No more hints! why? Coz you guys have collaboratively figured out what needs to be done and one of the comments has the answer. Of course, I won't say which one :)
Good Night from India! Enjoy the Challenge. Hope to see the WEP keys in my mailbox tomorrow morning!
tried running it through ivstools to see if that would help...nada
I'm still a newbie to this so my progress has been spotty and in random directions at the moment...hehe..
I started the normal way..with aircrack first but kinda figured it wouldn't be that easy..hehe.. so then I turned to wireshark and started going through the packets. I did start noticing a few deauth packets.
I did filter by Deauth and figured that shortly after a deauth packet the following packets would be encrypted with a new key. So I did run the script from the last challenge on a few packets with a few little changes.
I haven't had much luck but I'm not giving up yet. These challenges are a great way for me to learn these tools.
and with me being a newbie in mind....just wondering @Blackmarketeer
when he speaks of multiple keys...would it be logical to think that he is talking about the 1-4 keys possible to set on a single AP? or do you think he actually meant he physically changed the key on the AP mid-capture.. again..just new and thinking out loud..
Nice Challenge Vivek,time for some work... :D
"would it be logical to think that he is talking about the 1-4 keys possible to set on a single AP?"
Isn't that written in WEP parameters > Key Index nr? Or am I wrong?
I think there is something with repeated sequence numbers... but how to separate them? And using Delta time displayed in the columns there are 3 gaps...
@zero - it crossed my mind that he could be using a block of keys on the AP, but my best guess was even if he did this, it would deauthenticate.
Personally I would not recommend anyone follow anything I say - I tend to think totally illogically and get things badly wrong!
I'm pretty sure Vivek is getting us to practice with a view to dealing with cloaked chaff. Just changing the key probably won't create the same phenomena in the trace, so my train of thought is this would not really make useful practice.
There is also no mention of how long these keys are - perhaps he changed keys AND sizes in the process. You know how twisted his sense of humour is :-)
I've left a few individual packets taken from before and after the deauth running against a dictionary attack using the python script. I've made a minor modification to it to allow me to pass it the word list and capture file name and pasted it below - but I stress this is *my* thinking and it's probably very very wrong.
#!/usr/bin/env python3
# Author - Vivek Ramachandran vivek@securitytube.net
#
# Solution to Challenge 1: http://www.securitytube.net/1856
# (modified to take the word list and capture file on the command line)
#
# USAGE: script.py path_to_wordlist path_to_capture
import binascii
import re
import sys
from subprocess import Popen, PIPE

if len(sys.argv) != 3:
    sys.exit("USAGE: %s path_to_wordlist path_to_capture" % sys.argv[0])

capfile = sys.argv[2]
# airdecap-ng prints a summary table; the "Number of decrypted WEP packets"
# row is non-zero only when the key was right (the original script looked at
# a fixed line index and searched it for the digit '1', which misses counts
# such as 2 or 30 and can match other rows)
decrypted_re = re.compile(r'Number of decrypted WEP\s+packets\s+(\d+)')

with open(sys.argv[1], 'r', errors='ignore') as f:
    for line in f:
        # strip everything except ASCII letters, digits and underscore
        wepKey = re.sub(r'\W+', '', line, flags=re.ASCII)
        # only 40-bit WEP keys (5 ASCII characters) are tried here
        if len(wepKey) != 5:
            continue
        hexKey = binascii.hexlify(wepKey.encode('ascii')).decode('ascii')
        print("Trying with WEP Key: " + wepKey + " Hex: " + hexKey)
        p = Popen(['airdecap-ng', '-w', hexKey, capfile], stdout=PIPE)
        output = p.communicate()[0].decode('utf-8', 'replace')
        m = decrypted_re.search(output)
        if m and int(m.group(1)) > 0:
            print("Success WEP Key Found: " + wepKey)
            sys.exit(0)
print("Failure! WEP Key Could not be Found with the existing dictionary!")
Hmm.. Going to throw some time at this. :)
I am loving the out of the box thinking thats is being demonstrated here.
Do feel that I am somewhat out of my league, but this is all good, very good stuff.
Am going to be spending a little time on this one as well.
Nice going Vivek ;)
I would love to get involved with this challenge but I have food poisoning, so I'm going to have to sit this one out. Good luck to you all.
I've solved at least 1 key. It has something to do with newbies... Greetings from Russia :)
Well, the answer is in one of the comments and mambo was supposedly close, so I'm guessing it has to do with sorting by time. I'm trying different saved captures and running them through airdecloak and then aircrack. So far, no luck.
If someone gets this, could they tell us if we're on the right track please.
airdecloak-ng gives me a nice Segmentation Fault :/ and I thought I was too close....
Okay.... then I got the first WEP key, I'm working on the other :)
My white hat is spinning... maybe sharing this will help us all.
I'm running: airodump-ng -r Challenge2
And looked over and over again what has happened.
Then I run: airodump-ng -r Challenge2 -w test
See what changed at the top of the screen.
We've got a 140-bit keystream.
and a xor file
but what is the next step? Or am I on the wrong track?
Hey Mambo, I'm sorry for telling you this, but I got the first key without using airodump. But this doesn't mean that you are on the wrong track; I think there is more than one way to do it.
Anyone willing to work in team to solve this ?
My final answer is - there was 1 key at all, and I don't have time left to spend on this (have not tried bruteforce/dictionary on the packets from stations other than dlink and apple). Look close at the time - there are some time periods :) The answer seems to be simple. Thanks for the series, Vivek, wifi is fun.
Hey ahmadqdemat congrats for finding the first key.
The other thing I've been running is:
aircrack-ng -K ......
Do you mind sharing your method?
Mambo as tohaz said "There is some time periods"
Thanks! ahmadqdemat.
Yes, there is some time period between them; if so I'm guessing there's 2 WEP passwords? Only 1 time period, like 2-3 minutes.
What I'm guessing is to split the pcap file into both time frames and try to crack each?
re: ahmad
I've been trying removing time periods (delta and relative) below 0 and then running it through aircrack, now trying bruteforce.... alas, no luck
Am I getting closer?
You have almost 6 minutes of live capturing in the pcap file.
Just use aircrack on the right range of minutes. But regarding the second WEP key, I'm trying to bruteforce it right now.
I marked 2 packets and I want to save as a new cap file from the first marked till the last marked, but even after this I'm seeing other packets not in the range I chose. Any clue what's wrong?
@m0ei: Did you use the "First to Last Marked" option?
Yes, I did use that option. I arranged the packets in Date and Time order, then I marked 2 packets, the first packet and the last packet in that time range, then I used Save As with the "First to Last Marked" option.
Should work...I guess you have already checked to see if you have other packets outside of your range marked....
OK, I give up, spent a lot of time on it. Now after viewing the solution, it will be easier than the first one. Good night all, going to sleep.
Btw Vivek, you can start using Backtrack 5. :)
Hello all!
I hope I am not late for this challenge. Although I am novice to wireless security and learned a lot from vivek megaprimer, I will give it a try anyway.
Good luck all of you!
Just a note that you can use Scapy to read from a packet capture and re-sort all the packets by time. This makes analysis a lot easier, and then you can use display filters like "frame.number < 32000" to create extracts in Wireshark:
>>> from scapy.all import rdpcap, wrpcap
>>> p = rdpcap("Challenge2-Extract1.pcap")          # read every frame, file order
>>> o = sorted(p, key=lambda pkt: pkt.time)          # re-order by capture timestamp
>>> wrpcap("Challenge2-sorted-time.cap", o)          # write the sorted trace back out
Both the first and the last lines took a while on my system to complete, but the sorted() function was very fast.
-Josh
Thanks Josh. It's a pleasure to have both Vivek and you here to help us people new to this.
Thank you too Ahmad
Thanks Josh!
Others - I had used just the reverse process of what Josh has mentioned to shuffle packets from 2 trace files together - using random.shuffle. This should give you a hint of how the packet trace was created and what to do.
2 people have cracked the first key -
1. Ahmad Qudeimat (email sent to me 2:13AM IST)
2. Robert McLendon (email sent to me 6:50 AM IST)
Interestingly, both of them have the same first key cracked!
Challenge is still on! If I don't receive a full solution in 3 more hours - Alfa Card up for grabs! I will announce that formally as well as a comment.
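Putting Josh's time-sort and Vivek's random.shuffle hint together (and the "split the pcap into both time frames" idea from the earlier comments): the capture is two sessions shuffled into one file, so sorting by timestamp and cutting at the long silences gives one trace per key, each of which can then be fed to aircrack-ng on its own. The script below is an added example for this page, not the challenge's own code and not posted by any of the commenters. It carries its own minimal classic-pcap reader and writer so it runs without Scapy, and the sample capture it builds (two constructed WEP-style sessions with a 170-second silence between them, using the d-link AP address quoted in the thread and a made-up client) is invented for the demonstration. The 60-second gap threshold and the `session<N>.cap` output names are assumptions; for a real file pick the threshold from the delta-time column in Wireshark.

```python
#!/usr/bin/env python3
"""Re-order a pcap by timestamp and cut it into sessions wherever the capture
goes quiet for longer than a threshold.

Added example for this thread, not the challenge's own code. The pcap parser,
the thresholds and the sample capture are all assumptions: the sample is two
constructed WEP-style sessions shuffled together, not the real Challenge2.cap.
"""
import random
import struct
from typing import List, Tuple

Record = Tuple[float, bytes]       # (timestamp in seconds, raw frame bytes)
LINKTYPE_IEEE802_11 = 105          # DLT_IEEE802_11: raw 802.11 frames, no radiotap

# classic pcap magic numbers -> (byte order, fractional ticks per second)
_MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),            # microseconds
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),    # nanoseconds
}


def read_pcap(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap blob into (linktype, [(timestamp, frame), ...]) in file order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in _MAGIC:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    endian, ticks = _MAGIC[magic]
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    records: List[Record] = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append((ts_sec + ts_frac / ticks, frame))
    return linktype, records


def write_pcap(linktype: int, records: List[Record]) -> bytes:
    """Serialise records (in the order given) as a little-endian microsecond pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        if usec == 1_000_000:          # rounding carried into the next second
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def split_on_gaps(records: List[Record], max_gap: float) -> List[List[Record]]:
    """Sort frames by timestamp, then start a new session wherever two
    consecutive frames are more than max_gap seconds apart."""
    sessions: List[List[Record]] = []
    for rec in sorted(records, key=lambda r: r[0]):
        if sessions and rec[0] - sessions[-1][-1][0] <= max_gap:
            sessions[-1].append(rec)
        else:
            sessions.append([rec])
    return sessions


def recover_sessions(pcap: bytes, max_gap: float) -> List[bytes]:
    """One pcap blob per time-contiguous session, each ready for aircrack-ng on its own."""
    linktype, records = read_pcap(pcap)
    return [write_pcap(linktype, s) for s in split_on_gaps(records, max_gap)]


def _fake_wep_frame(tag: bytes, iv: int) -> bytes:
    """Constructed WEP data frame: FC (data, ToDS, Protected), addresses, IV, dummy body."""
    hdr = (b"\x08\x41" + b"\x00\x00"                  # frame control, duration
           + b"\x00\x21\x91\xd2\x8e\x25"              # addr1: the d-link AP named in the thread
           + b"\x00\x11\x22\x33\x44\x55"              # addr2: made-up client
           + b"\x00\x11\x22\x33\x44\x66"              # addr3: made-up
           + b"\x00\x00")                             # sequence control
    return hdr + iv.to_bytes(3, "big") + b"\x00" + tag * 16   # IV, key index 0, body


def make_shuffled_sample(seed: int = 1) -> bytes:
    """Two 60-frame sessions (t=1000s.. and t=1200s..) shuffled into one file,
    mimicking how the challenge capture was put together. Constructed data."""
    records = [(start + i * 0.5, _fake_wep_frame(tag, i))
               for tag, start in ((b"A", 1000.0), (b"B", 1200.0)) for i in range(60)]
    random.Random(seed).shuffle(records)
    return write_pcap(LINKTYPE_IEEE802_11, records)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                                # real use: split a capture on disk
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        gap = float(sys.argv[2]) if len(sys.argv) > 2 else 60.0
    else:                                                # demo on the constructed sample
        blob, gap = make_shuffled_sample(), 60.0
    for n, part in enumerate(recover_sessions(blob, gap), 1):
        _, recs = read_pcap(part)
        name = "session%d.cap" % n                       # assumed output naming
        with open(name, "wb") as fh:
            fh.write(part)
        print("%s: %d frames, %.1fs .. %.1fs" % (name, len(recs), recs[0][0], recs[-1][0]))
```

With no arguments it splits the built-in sample; with a file (say `python3 split_sessions.py Challenge2.cap 60`, the script name being whatever you save it as) it writes one `session<N>.cap` per quiet period, and each of those is then a normal single-key WEP trace for `aircrack-ng session<N>.cap`. Splitting on silence rather than on deauth frames matches what the thread found: the key change shows up as a gap in the timeline, not as a distinctive management frame.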
OK, let's stir things up, shall we :) The challenge now qualifies for a prize! Shiny new Alfa card! :)
When will the next challenge be released?
Thanks .
I've solved the second key. It's used to talk about a tasty thing :)
The Challenge has been solved!:
Winners:
1. Troy Schlueter ( Dagis ) (9:20AM IST)
2. Anton Onuchin from Russia ( tohaz ) (11:12AM IST)
I am still keeping the contest lines open! If you crack one / both the keys, you will receive a honorary mention in the solution video!
Congrats to both of them!
Please give us more time :) Just woke up and I have cracked 1 pass, I'm cracking the second one.
First key found :D
waiting for more people to complete, then let's exchange answers. good luck :)
I feel just like the first key :-( Cheeky Vivek :-)
No luck on the second key, I tried different wordlists.
Mmm, do we need to use airdecloak-ng on the second time frame package?
Ah, I'm too late to play. Well, I'll play it tomorrow before you post the answer.
Was wondering if ya were gonna move your videos to BackTrack 5??? Not feeling it so much thus far, since I guess all the wifi tools were garbage and they removed them all :-(
My best was not enough. Congratulations to Dagis and tohaz . . .
Thanks everyone for participating!
The solution has now been posted: http://www.securitytube.net/video/1867
Winners are announced and we pre-announce the launch of the Mega Challenge - "The 12 Tasks of Aircules"! :)
I know it is late but I try XD
Challenge 3 has been posted! http://www.securitytube.net/video/1884
Enjoy!
Sorry, I know I had gone through the challenge late............... but what I was thinking was to filter out the data packets based on the IVs, so that we can fragment the cap, and then by triggering aircrack-ng we can find out all................
Hey Vivek. I just want to thank you for everything. Until now I've watched every part of your megaprimer. Unfortunately I'm not familiar with scripting, but I'm also trying to become a security expert like you. Thanks for making the basics possible through these videos. I'll also try to take this challenge. I think I should filter them somehow in Wireshark, save them separately and crack them one at a time...