CTF Name: irisCTF
PCAP FORENSICS ON LAYER 2 TRAFFIC
During the past weekend, my team fr334aks participated in the just-concluded irisCTF organized by IrisSec. 'Twas a jeopardy-style CTF with challenges ranging from Easy through Medium to Hard. The following writeup covers one of the interesting challenges that I was able to solve.
WI-THE-FI
Challenge: You're probably used to pcaps captured at layer 3 in promiscuous mode, but do you know what to do with a pcap captured at layer 2 in monitor mode? We were provided with the following pcap file as part of the challenge.
SOLUTION
First things first: when it comes to network forensics, I prefer to use Wireshark. Opening the file in Wireshark, I confirmed what the hint in the question referred to. The packets were all captured at layer 2, also known as the data-link layer. This included 802.11 protocol packets, which are part of the IEEE 802 set of LAN standards; these standards allow users on a Wi-Fi network to access the internet. When a wireless network uses password authentication (WPA-PSK), the packets captured in monitor mode only show the MAC addresses of the participants in the data transfer, along with data packets whose payload is encrypted. Therefore, to decrypt such data, we must have access to the Wi-Fi password or a way to obtain it. Wi-Fi authentication and key exchange take place through the Extensible Authentication Protocol over LAN (EAPOL).
The EAPOL packet contains the following fields:
- MAC header - 12 bytes
- EtherType - 2 bytes, set to 88-8E (0x888E), the value assigned to EAPOL
- Version - 1 byte
- Packet Type - 1 byte
- Packet Body Length - 2 bytes
- Packet Body - variable length
- Frame Check Sequence - 4 bytes
The provided pcap file contained a captured handshake, which can be isolated with the Wireshark display filter eapol.
To crack the handshake using a wordlist, I used aircrack-ng as shown below:
aircrack-ng BobertsonNet.cap -w /snap/seclists/current/Passwords/xato-net-10-million-passwords-1000000.txt
The Wi-Fi password as cracked by aircrack-ng is billybob1. Now that I had the Wi-Fi password, the next step was to use it to decrypt the data packets in the capture. In Wireshark, navigate to Edit -> Preferences -> Protocols -> IEEE 802.11. In this view, select Enable Decryption, then go to Decryption keys -> Edit. To add a new decryption key, click New and, for the key type, select WPA-PWD from the options listed, which matches the router's configuration. In the Key field, provide the password and the SSID of the network, separated by a colon (password:SSID).
Click Save to apply the settings and return to the packet list to analyse the decrypted traffic. In the protocol hierarchy, you will observe TCP, UDP (DNS) and ICMP packets. Filter on tcp to view only the TCP packets.
Most of the packets had a length of 110, so to make the data packets carrying more than that easier to find, click the Length column header to sort in descending order. The flag can be found in the first packet's decrypted CCMP data, as shown below.
- Flag: irisctf{4ircr4ck_g0_brrrrrrrrrrrrrrr}
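As an added example (not part of the original writeup), the following Python walks the EAPOL field layout listed above over a constructed Ethernet-encapsulated frame, checks the EtherType, body length and FCS, and derives the WPA-PSK pairwise master key the way Wireshark does from a WPA-PWD "password:SSID" entry (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes). The SSID "EXAMPLE-SSID" and the sample frame are placeholders; the writeup never states the network's SSID.

```python
# Added example, not from the original writeup. Standard library only.
import hashlib
import struct
import zlib

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_KEY = 3  # EAPOL-Key, the packet type used by the WPA 4-way handshake


def parse_eapol_frame(frame: bytes) -> dict:
    """Split an Ethernet-encapsulated EAPOL frame into the fields listed above."""
    # 12-byte MAC header + 2-byte EtherType + 4-byte EAPOL header + 4-byte FCS
    if len(frame) < 18 + 4:
        raise ValueError("frame too short for an EAPOL header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not EAPOL (0x888e)")
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("Packet Body Length exceeds the captured frame")
    fcs = frame[18 + body_len:18 + body_len + 4]
    # The Ethernet FCS is CRC-32 over everything before it, least-significant byte first
    fcs_ok = fcs == struct.pack("<I", zlib.crc32(frame[:18 + body_len]) & 0xFFFFFFFF)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "version": version,
            "type": ptype, "body_len": body_len, "body": body, "fcs_ok": fcs_ok}


def build_eapol_frame(dst: bytes, src: bytes, version: int, ptype: int, body: bytes) -> bytes:
    """Build a frame in the same layout (used here only to construct sample input)."""
    hdr = dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, version, ptype, len(body))
    payload = hdr + body
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Constructed sample: EAPOL version 2, EAPOL-Key type, with a 2-byte stand-in body
# (not a real handshake message; MAC addresses are made up).
SAMPLE_FRAME = build_eapol_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                                 2, EAPOL_TYPE_KEY, bytes.fromhex("0200"))

if __name__ == "__main__":
    print(parse_eapol_frame(SAMPLE_FRAME))
    # billybob1 is the passphrase cracked in the writeup; the SSID is a placeholder
    print(wpa_psk_pmk("billybob1", "EXAMPLE-SSID").hex())
```

The same deterministic derivation is what makes the capture readable once the passphrase is known, so the confidentiality of WPA-PSK traffic rests entirely on passphrase strength and SSID uniqueness.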
CONCLUSION
The challenge was interesting and required some research on the protocols and Wireshark configuration. Another option in the IEEE 802.11 section that can be useful in other cases is the Ignore the Protection bit flag. In the challenge above it was not necessary to enable the option, but I had tried it before I got the solution, which revealed some management packets such as LLC etc., which was also interesting.