Forensics - Security Rocks

Medium

Description

Downloads

Solution

Go to 'Wireless -> WLAN Traffic' in Wireshark to see the number of 'Auths' packets.

To pick out a specific SSID, filter for the beacon (0x08) and probe response (0x05) frames that advertise it:

wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05

Using the EAPOL filter, we can see that the entire 4-way handshake is captured.


We just need the Wi-Fi passphrase to decrypt the traffic.

Use aircrack-ng to run a dictionary attack against the passphrase.


With the passphrase found, add it as a wpa-pwd decryption key in Wireshark to decrypt the data.

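Why the passphrase, the SSID and the complete handshake are all needed, as an added example that is not part of the original writeup: a wpa-pwd key has the form passphrase:SSID and is expanded into the 256-bit PSK with PBKDF2, and the session keys are then derived from that PSK plus the MAC addresses and nonces carried in the EAPOL frames. The passphrase "password", SSID "IEEE", MAC addresses and nonces are constructed sample values, and the 48-byte PTK layout assumes WPA2-CCMP.

```python
import hashlib
import hmac


def wpa_pwd_to_psk(wpa_pwd: str) -> bytes:
    """Expand a 'passphrase:SSID' key into the 256-bit PSK (PMK)."""
    # Assumption: the SSID contains no ':' so we can split on the last one.
    passphrase, sep, ssid = wpa_pwd.rpartition(":")
    if not sep or not ssid:
        raise ValueError("expected 'passphrase:SSID'")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce, nbytes=48):
    """Derive the pairwise transient key; nbytes=48 assumes CCMP (KCK|KEK|TK)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def demo():
    """Run the derivation on constructed sample values (not from the capture)."""
    pmk = wpa_pwd_to_psk("password:IEEE")
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = derive_ptk(pmk, ap, sta, anonce, snonce)
    # TK (bytes 32..47) is the key that protects unicast data frames.
    return pmk, ptk, ptk[32:48]


if __name__ == "__main__":
    pmk, ptk, tk = demo()
    print("PSK:", pmk.hex())
    print("TK :", tk.hex())
```

Because the nonces change with every association, a capture that misses part of the handshake cannot be decrypted even with the correct passphrase.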

Use the following filter to get all the data packets.

[Screenshot: data filter]

The decrypted traffic shows the transfer of secret.txt.

[Screenshots: Follow decrypted TCP stream; Export FTP objects; secret.txt; dcode]

The flag turns out to be base62-encoded: TUCTF{w1f1_15_d3f1n173ly_53cure3}
