President -- BSidesLisbon 2017
Points: 200
Solves:
Description:
We are given a tcpdump capture file named dump that was supposedly sniffed from the network used by the President of the USA (hence the challenge name).
The goal was to extract useful information from it, i.e. find the flag.
flag format: flag{...}
Solution:
Our first step was to open it in Wireshark and explore the contents of the captured packets.
The first packet was a Beacon frame, which carries basic information about the network, such as the SSID (“Covfefe”) and its security capabilities. Looking at the packet fields, in particular the RSN Information tag, we learned that the network was protected with WPA2-PSK.
Searching online for “WPA2-PSK attacks” we learned that the weakness of WPA2-PSK is that the 4-way handshake carries values derived from the passphrase, so a captured handshake can be checked offline against a dictionary of candidate passphrases without any further interaction with the network.
Using that hint, we immediately ran the aircrack-ng tool with a popular wordlist (both readily available in a Kali VM):
$ aircrack-ng dump -w /usr/share/wordlists/rockyou.txt
This first attack was an immediate success and returned the key: “123456789123456789”.
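Why the rockyou.txt run finished immediately, as an added illustration (not the writeup's or aircrack-ng's code): the PMK is a plain PBKDF2 of passphrase and SSID, so each dictionary guess costs one fixed derivation and nothing in the protocol can throttle it. The audit_psk helper, the stored-hex-PSK use case and the mini-wordlist are assumptions of this example.

```python
import hashlib
from typing import Iterable, Optional

# WPA2-PSK derives the Pairwise Master Key (PMK) from the passphrase and the
# SSID with PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output (IEEE 802.11i).
# This one derivation dominates the cost of every offline guess, and nothing
# in a captured handshake can rate-limit or lock out the guesser.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase/SSID pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def audit_psk(pmk_hex: str, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Report whether a stored hex PSK (the psk= value wpa_passphrase prints)
    is reachable from a wordlist; returns the matching passphrase or None.

    A dictionary attack on a captured 4-way handshake does the same PBKDF2
    work per guess and only adds a cheap PTK/MIC comparison, so the time this
    audit takes is a realistic measure of how exposed the passphrase is.
    """
    target = bytes.fromhex(pmk_hex)
    for word in candidates:
        word = word.rstrip("\r\n")
        if not 8 <= len(word) <= 63 or not word.isascii():
            continue  # not a valid WPA2 passphrase, skip without hashing
        if wpa2_pmk(word, ssid) == target:
            return word
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for rockyou.txt; the last entry is
    # the passphrase recovered in the writeup.
    WORDLIST = ["password", "covfefe1", "short", "123456789123456789"]
    stored = wpa2_pmk("123456789123456789", "Covfefe").hex()
    print("PMK for Covfefe:", stored)
    print("reachable via:", audit_psk(stored, "Covfefe", WORDLIST))
```

A long random passphrase is what removes this exposure; the flag's own hint is that link-layer encryption should not be the only layer protecting the traffic.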
Then it was just a matter of supplying this key (along with the SSID) to airdecap-ng to obtain the decrypted packets:
$ airdecap-ng -e Covfefe -p 123456789123456789 dump
Once we had the decrypted packets (airdecap-ng writes them to dump-dec), we searched them directly for the flag:
$ strings dump-dec | grep flag
and got: flag{WPA2_CCMP_sh0uldnt_b3_th3_0nly_3ncripti0n_l4y3r}.