Description: This is the solution to the Wi-Fi Security Challenge 2 posted here: http://www.securitytube.net/video/1862
In this video, I present the solution, announce the winners and announce - the Mega Challenge - "The 12 Tasks of Aircules"! :) We also talk about the schedule for the WPA/WPA2/802.1x videos and other challenges.
The key hack in the challenge was the messed-up timestamps. They made it obvious that the file consisted of packets from traces collected at different times and mixed together. The solution was to first sort the packets by timestamp, then find the point in the sorted trace where the timestamps jump and the next capture begins. Then we separate the trace files and run Aircrack-ng on each one to crack its key.
Here is Josh Wright's post on using Scapy and Python: http://www.packetstan.com/2011/05/sorting-packet-captures-with-scapy.html
This will come in handy for later challenges. I definitely recommend having a look.
Thanks all for participating and please take the time to write about your experience in the competition, whether you found it to be difficult / easy, suggestions for future challenges etc. and most importantly congratulate the winners! :)
Tags: Wi-Fi security, challenge 2, scapy, wireshark, hacking
Congrats to the winners and everybody who participated in the challenge.
It's an honor to have my name in your slide Vivek
Thank you very much ....
Can you increase the period for the challenge? The only reason I failed to get the second key is time: I work 9 hours and sleep almost 6 hours, so I only had about 9 discontinuous hours :) :) to crack it.
Thanks, Thanks, Thanks & Thanks my friend.
Going to view how you got the second password.
I must say, we are learning a lot from those challenges. :D
That is the purpose of these challenges: to learn, collaborate and have fun. Knowledge should be free and open source, and it will always be like that on securitytube ;)
my solution http://vimeo.com/23749539
Very interested in the winners' one.
The video is black and white.. Is that on purpose or an error?
By the way "-n 64" was my blunder :D :D
Video is in full colour for me? I always have to watch them directly on Vimeo as the embedding in this page won't work for me - but that's no problem.
Thanks for a wonderful brain-busting challenge Vivek. To be honest this was probably easier than the last one, which caught me out as I was expecting some complex twist. The lesson and moral of the story that I take away with me - look at what you have right before your eyes and don't assume anything. I got the first one but way after everyone else (thanks to Josh and his comments), but the second eluded me. Simple truth is as Vivek says: "Know your tools" and to that one age-old phrase springs to mind ... RTFM!
As a side note: in the end the Python brute forcer was never needed, and it would have failed anyway if more than a single packet were offered to it because the parser was only ever set to read '1' in the answer from airdecap-ng. However, this modification deals with that and may come in useful later on:
#!/usr/bin/env python3
# Author - Vivek Ramachandran vivek@securitytube.net
# (modified so the "decrypted WEP packets" count is checked for any number
# of packets in the capture; the original parser only ever matched a '1')
#
# Solution to Challenge 1: http://www.securitytube.net/1856
# Usage: crack-1.py wordlist.txt capture.cap
import sys, binascii, re
from subprocess import Popen, PIPE

f = open(sys.argv[1], 'r')
capfile = sys.argv[2]
# airdecap-ng's "Number of decrypted WEP packets" line ends in whitespace
# followed by the count; a count of exactly 0 means the key was wrong
pattern = re.compile(r".+\s0$")

for line in f:
    wepKey = re.sub(r'\W+', '', line)
    if len(wepKey) != 5:            # 40-bit (so-called 64-bit) WEP keys only
        continue
    hexKey = binascii.hexlify(wepKey.encode()).decode()
    print("Trying with WEP Key: " + wepKey + " Hex: " + hexKey)
    p = Popen(['airdecap-ng', '-w', hexKey, capfile], stdout=PIPE)
    output = p.communicate()[0].decode(errors='replace')
    lines = output.split('\n')
    if len(lines) < 5:
        continue                    # airdecap-ng printed no statistics block
    finalResult = lines[4]          # "Number of decrypted WEP  packets   N"
    if not pattern.search(finalResult):
        print("Success WEP Key Found: " + wepKey)
        sys.exit(0)
print("Failure! WEP Key Could not be Found with the existing dictionary!")
With the correct words in the list it works with either of the split capture files AND single packets. My thanks to Vivek for the guts of this - and the introduction to Python - it rocks :-)
I think I cheated on this challenge a little bit. The first thing I did was sort the packet capture by timestamp and write out a new capture using Scapy:
root@bt:~# scapy
>>> p=rdpcap("Challenge2.pcap")
>>> o=sorted(p, key=lambda ts: ts.time)
>>> wrpcap("Challenge2-sorted-time.cap",o)
I spent a little time trying to recover the key by analyzing the contents and where I thought a key change operation might happen (the wep.iv field resets unnaturally after about 37K packets). I got tied up with something else, so I tried to hack the hacked hack. :)
root@bt:~# i=8000
root@bt:~# while [ $i -lt 130000 ] ; do tcpdump -r Challenge2-sorted-time.cap -c $i -w test.dump 2>/dev/null; echo "Testing with $i packets."; aircrack-ng -qb 00:21:91:d2:8e:25 test.dump; i=$(($i+1000)); done
Testing with 8000 packets.
Failed. Next try with 5000 IVs.
Testing with 9000 packets.
Failed. Next try with 5000 IVs.
Testing with 10000 packets.
Failed. Next try with 5000 IVs.
...
Testing with 47000 packets.
KEY FOUND! [ 4E:30:6F:42:7A ] (ASCII: N0oBz )
Decrypted correctly: 100%
Testing with 48000 packets.
KEY FOUND! [ 4E:30:6F:42:7A ] (ASCII: N0oBz )
Decrypted correctly: 100%
Testing with 49000 packets.
KEY FOUND! [ 4E:30:6F:42:7A ] (ASCII: N0oBz )
Decrypted correctly: 100%
Testing with 50000 packets.
KEY FOUND! [ 4E:30:6F:42:7A ] (ASCII: N0oBz )
Decrypted correctly: 100%
Testing with 51000 packets.
Failed. Next try with 20000 IVs.
The bash script while loop uses tcpdump to create a file extract, starting from the beginning of the packet capture file for $i packets. $i starts with 8000, and increments by 1000 for each loop.
Unfortunately, Aircrack-ng doesn't exit after the crack fails, so I had to set up another loop in a 2nd terminal window to kill Aircrack-ng every 60 seconds:
root@bt:~# while : ; do sleep 60; killall aircrack-ng; done
After 47,000 packets we get the first key, N0oBz. We keep cracking and after we move to 51,000 packets, the cracking fails. Presumably this is where the new key use starts. So, we can use tshark to create a new extract for our analysis:
root@bt:~# tshark -r Challenge2-sorted-time.cap -nR "frame.number gt 51000" -w out.dump
root@bt:~# aircrack-ng -qb 00:21:91:d2:8e:25 out.dump
KEY FOUND! [ 59:75:4D:6D:59 ] (ASCII: YuMmY )
Decrypted correctly: 100%
Certainly, Vivek's analysis in Wireshark is more articulate and informative, but when I'm working on a pentest, my time is valuable for the customer, and any remaining time I get to spend on improving the reporting output or taking on other analysis tasks. It's important to balance understanding and getting the job done in the time allotted, even if getting the key is a total hack. :)
Vivek, these challenges are wonderful, but an extended period of time would be very welcome here. I think a week per challenge would give more people a chance to work on these (including myself).
Thanks again!
-Josh
AAAAARRRRGGGHHH!!! The solution was sooo much simpler than I made it. I sliced and diced this capture in so many different ways (at least 40) my eyes started to melt. I guess the main problem I had was I was unsure whether this was building on the last challenge or not. I even ended up adding raw_input to Crack-1.py to make it easier to try the different slices. What also threw me off was there were so many packets with the same sequence number (oh yeah, it got sliced up that way too :)). If it hadn't been for Ahmad and Josh I never would have gotten the 1st key (well eventually I would have but after 10 hours, I was beat).
The really sad part? I posted the answer and over-complicated it so much I missed the easy solution (kicks self in ass). From yesterday: "I've also tried sorting times on the theory that it would take a few seconds for V to change the wep key and we would see gaps"
Any chance of you postponing the mega-challenge till after June 5? I will be turning my computer off the week before as I have to stay away from securitytube that week and really cram hard for the cissp exam.
If not, what I'll do is just pretend the challenge starts on the 7th and do the challenge then. Thanks for all the fun- Robert
Another dead end road I went down was a false theory of how you put together the challenge. I guessed that you had taken the legitimate traffic, copied it and changed the IVs, sequence numbers, flags, etc and mixed the whole thing together. After sorting by seq# and then time, I was looking through each packet for some anomaly. I figured you would leave some clue in the flags to suggest what was real and what was bogus traffic. I spent probably 4 hours scouring the packets for this theory.
Sorry about the video quality, I completely lost my encoding skills.
http://vimeo.com/23755898
changed codec, video is 10 times better
Josh,
I agree with you. This challenge could have ruled out visual inspection if the time difference between the packet captures had been kept negligible by overwriting the timestamps in the file. Then, depending on how the challenge was created, one would have to look at the IV, SN or RSSI values for separation. In such a case, your solution would probably be one of the best options to begin with before moving to the more complicated analysis using other parameters. The trace file roughly had around 150,000 packets, hence with a segmentation of around 1000 per run the key recovery time would be well within 20-30 minutes as you have shown.
And as you aptly put it, in the pentest world sometimes solving the problem in the least amount of time is all that matters.
I think a week per challenge would be a good idea, I also got emails from a lot of people saying they could not make time at short notice and hence could not compete. All forthcoming challenges would be a week long.
I really appreciate you sharing your knowledge and elaborating on the different techniques you are using! We are all learning a lot of new things from this. Thanks!
@tohaz Thanks for posting the video! I will link it to the page along with the other video from Troy as soon as he is done. Congrats again!
@Ahmadqdemat :) Yes, the way I created the trace was that I ran aircrack-ng on it with the -n 64 option. As soon as it cracked the key, I stopped the trace collection. I was hoping that this minimal trace file might not be crackable with just the default options of Aircrack-ng, and my hunch was right :) and this added the final twist :)
@Blackmarketeer Yes, the thing I repeatedly want to stress upon is know your tools, their limitations and how to work around them with minimal extra effort. Of course, later challenges may require you to write some code (Scapy will be your best friend soon)
@WCNA Yours was the comment I was referring to when I said "no more hints" :) No problem my friend, bad luck! but more challenges to fight with very soon!
I thoroughly enjoyed hosting this challenge and will be posting the next one in the next 1-2 days! This will be of Level Advanced. If you wanna read up - do some basic scripting with Python and Scapy, understand IV, RSSI, SN etc. a little better and have a look at airdecloak-ng and WEP Cloaking.
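The procedure from the description above (sort the mixed capture by timestamp, find where the next trace starts, split it and crack each half), together with the IV/SN-based separation discussed in the reply to Josh, as an added example in pure Python. This is not code from the original page, nor Vivek's or Josh's solution; it assumes the capture is a libpcap file of raw 802.11 frames (link type 105, no radiotap header), the split point is taken as the largest inter-frame time gap, and the ten-frame sample capture is constructed inline so the script runs offline. The MAC 00:21:91:d2:8e:25 from Josh's aircrack-ng command is reused only as filler address bytes.

```python
#!/usr/bin/env python3
"""Sort a mixed capture by timestamp, find where the next trace starts and
split it into two pcap files. Pure Python, no Scapy. Added example, not the
challenge author's code; assumes LINKTYPE_IEEE802_11 (105) frames with no
radiotap header. The sample capture is constructed inline."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap, native order
LINKTYPE_IEEE802_11 = 105


def read_pcap(data):
    """Return [(timestamp_seconds, frame_bytes), ...] from pcap file bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a microsecond libpcap capture")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_IEEE802_11:
        raise ValueError("expected raw 802.11 frames (link type 105)")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkts.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return pkts


def write_pcap(pkts):
    """Serialise [(timestamp, frame_bytes)] as little-endian pcap bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)]
    for ts, raw in pkts:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(raw), len(raw)) + raw)
    return b"".join(out)


def parse_wep_data(raw):
    """Sequence number, WEP IV and key index of a Protected data frame, else None."""
    if len(raw) < 28:
        return None
    fc, flags = raw[0], raw[1]
    if (fc >> 2) & 3 != 2 or not flags & 0x40:   # type != data, or Protected bit clear
        return None
    hdr = 24 + (6 if flags & 3 == 3 else 0) + (2 if fc & 0x80 else 0)  # Addr4 / QoS Control
    if len(raw) < hdr + 4:
        return None
    seq = struct.unpack_from("<H", raw, 22)[0] >> 4          # 12-bit sequence number
    iv = int.from_bytes(raw[hdr:hdr + 3], "big")             # what Wireshark shows as wep.iv
    return {"seq": seq, "iv": iv, "keyidx": raw[hdr + 3] >> 6}


def find_boundary(sorted_pkts):
    """Index at which the second trace starts: the largest inter-frame time gap."""
    if len(sorted_pkts) < 2:
        raise ValueError("need at least two frames")
    gap, idx = max((sorted_pkts[i][0] - sorted_pkts[i - 1][0], i)
                   for i in range(1, len(sorted_pkts)))
    return idx, gap


def counter_resets(sorted_pkts):
    """Frames whose 802.11 sequence number or WEP IV jumps backwards: a second
    signal for the split point if the timestamps had been rewritten. The IV test
    only means something for drivers that use a counter IV, and a genuine 12-bit
    sequence-number wrap at 4096 shows up here too, so treat hits as candidates."""
    hits, prev = [], None
    for i, (_ts, raw) in enumerate(sorted_pkts):
        cur = parse_wep_data(raw)
        if cur is None:
            continue
        if prev and (cur["seq"] < prev["seq"] - 64 or cur["iv"] < prev["iv"]):
            hits.append(i)
        prev = cur
    return hits


def split_capture(data):
    """Sort by time, cut at the largest gap, return (first_pcap, second_pcap, cut_index)."""
    pkts = sorted(read_pcap(data), key=lambda p: p[0])
    idx, _gap = find_boundary(pkts)
    return write_pcap(pkts[:idx]), write_pcap(pkts[idx:]), idx


def wep_frame(seq, iv):
    """Constructed Protected data frame: ToDS, 24-byte header, IV, key index 0, dummy body."""
    bssid = bytes.fromhex("002191d28e25")          # BSSID from Josh's command, used as filler
    hdr = b"\x08\x41\x00\x00" + bssid * 3 + struct.pack("<H", seq << 4)
    return hdr + iv.to_bytes(3, "big") + b"\x00" + b"\xaa" * 16


def build_sample_pcap():
    """Two five-frame traces captured ~1000 s apart, shuffled together like the challenge file."""
    a = [(1000.0 + i * 0.01, wep_frame(100 + i, 0x1000 + i)) for i in range(5)]
    b = [(2000.0 + i * 0.01, wep_frame(5 + i, 0x20 + i)) for i in range(5)]
    return write_pcap([a[0], b[3], a[2], b[0], a[4], b[1], a[1], b[4], a[3], b[2]])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    first, second, idx = split_capture(data)
    resets = counter_resets(sorted(read_pcap(data), key=lambda p: p[0]))
    print("second trace starts at sorted frame %d (counter resets at %s)" % (idx, resets))
    open("trace1.cap", "wb").write(first)   # then: aircrack-ng trace1.cap / trace2.cap
    open("trace2.cap", "wb").write(second)
```

Run it with no arguments to split the constructed sample, or with a path to a real 802.11 capture; the two output files are then fed to aircrack-ng separately, exactly as in the write-up. If the largest time gap and the counter resets disagree, the capture was probably assembled the way Vivek describes (timestamps rewritten), and the reset index is the better cut.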
I though it would have something to do with the packet time but didn't have time to get too deep into cracking the keys because of an almost unstated school assignment due like 18 hours after the challenge video was posted.
4 hours of sleep FTW!!
Thank you for these awesome videos, it has been a thriller weekend trying to catch up :) my level of knowledge has gone through the roof in just 3 days.. I'm just wondering about this script you made for the Wi-Fi Challenge 1 "There is no patch for stupidity". Crack-1.py uses a wordlist, converts to hex, then passes it through to airdecap-ng with the -w option, if I have gotten this right. My question is, how can I, instead of using a password list, bruteforce Challenge-1, and preferably with GPU power? I was totally new to wifi before this weekend, so hence the newb question.
Hi Everyone,
Sorry for the delay in posting how I figured this out. I just uploaded the webcast to Vimeo, so it should be done with the conversion process soon.
http://www.vimeo.com/23841977
This is a lot of fun to do, and thanks to Vivek for these challenges!!
I would also like to thank Josh for his scapy tip :)
Congratulations to the winners and everyone who took part. As with many challenges, the answer is easy ... when the solution is known!
I used "ivstools" on the second capture file (from the 34 minute mark onwards) and it creates the IVS file, which becomes the file argument for aircrack, and finds the key without the "-n 64" hint. Applying the same process to the first exported data segment resulted in a failed aircrack run... still trying to get my head around the 'why' and 'why not'.