I Smell Packets


Winning Solution to “Name That Tune” – Packet Challenge
March 2, 2010, 3:12 pm
Filed under: 802.11, cowpatty, Wireshark, wpa

The winner of the “Name that Tune” – Packet Challenge is Jon Wolhberg (@jonw18 on Twitter). Here’s Jon’s solution:

Jon writes:

Here is my answer to the latest packet challenge and how I got to it.

The song is Never Gonna Give You Up by Rick Astley

The first thing I did was to open the pcap in wireshark and just look around to see if anything sticks out. What I noticed right away were all of the beacon frames which means we are dealing with some wireless traffic. Since the beacon frame has the name of the network, I decided to look at one of the packets and identify the SSID — in this case the name is “Linksys”.

I also noticed that the protocol being used is 802.11, which means there is some authentication to the network and probably some encryption surrounding the packets. I decided to look for the packets that provided the authentication in hopes of cracking the password. After some trial and error, in Wireshark, I filtered on eapol to see if EAP over LAN was the method for authentication. Lo and behold, I got 8 packets that have the authentication handshake (these can be seen in packets 137, 139-143, 145, 148).

Now that I have the SSID and I know I have a capture file with the authentication handshake, I need to crack the password. For this I used Backtrack4. After loading Backtrack I decided to use the program cowpatty. In order for this to work I need the capture file, the SSID, and a dictionary file, which cowpatty comes with (yes, there are faster ways). The command I used was ./cowpatty -f dict -r 11.pcap -s Linksys (-f = dictionary file, -r = capture file, -s = SSID). After a few seconds the password had been cracked. The password is 12345678.

Now that I have the password, I need to decrypt the packets. I went back to Wireshark with the packet capture opened and went to Edit -> Preferences -> IEEE 802.11. You then need to enter the WPA password in Key 1 exactly as the following: wpa-pwd:12345678:Linksys. You also have to check the box that says “Enable decryption”.

Once this is done the packets will become decrypted. I then saw an IP address I had not seen before (209.237.235.166). Not recognizing this address, I did an nslookup to see what it resolved to, and it came back to lala.com, a music site. I also noticed that the site was sending a lot of traffic on port 1420 to the client machine. Wondering what that was, in Wireshark I clicked on one of the packets and clicked Follow TCP Stream. It was there that I saw that this is a web request, and in the header it revealed this: Content-Type: audio/x-mpeg. This was the song we need to identify. In the TCP stream I saved all traffic from the server to the client. I saved this as song.mp3.

Figuring this was a media file, I ran the file command to verify. To my surprise I got the response: filetype ascii data. I then remembered that the HTTP headers are also downloaded, so we need to remove them. I could have used a hex editor but found a good Perl program at
http://blog.rootshell.be/2009/04/15/forensics-reconstructing-data-from-pcap-files/

The program strips out the HTTP headers. I then ran the file command again and got this: MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, Stereo. Now that I have the file I just need to listen to it. After listening for a couple of seconds, I couldn’t remember the song title. I opened my iPhone and loaded the Shazam app that identifies songs... and that is how I got my answer.
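Two of the steps above (confirming that the eapol filter really surfaced a full 4-way handshake, and stripping the HTTP headers off the saved server-to-client stream before handing the result to file) can be done with a few lines of Python. The block below is an added example written for this post; it is not Jon's tooling, not cowpatty, and not the Perl script he linked. The Key Information flag values and the HTTP stream are constructed inputs, chosen to match what a WPA handshake and an audio/x-mpeg response typically look like.

```python
"""Added example, not part of the original writeup.
Part 1: classify EAPOL-Key frames by their Key Information bits so a capture
        can be checked for a complete WPA 4-way handshake (the eapol filter
        alone does not tell you whether all four messages are present).
Part 2: strip the HTTP response headers from a saved TCP stream and identify
        the body the way file(1) does, by its MPEG audio frame header.
"""

# --- Part 1: EAPOL-Key Key Information flags (IEEE 802.11i) ---------------
KEY_INFO_INSTALL = 1 << 6
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9


def classify_eapol_key(key_info):
    """Return 1..4 for the handshake message a Key Information value denotes,
    or None if the flag combination matches none of the four."""
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1          # AP -> STA: ANonce, no MIC yet
    if mic and not ack and not install and not secure:
        return 2          # STA -> AP: SNonce + MIC
    if ack and mic and install:
        return 3          # AP -> STA: install PTK, GTK delivered
    if mic and not ack and not install and secure:
        return 4          # STA -> AP: confirmation
    return None


def handshake_complete(key_infos):
    """True when messages 1,2,3,4 all occur in that order; retransmitted
    duplicates (common in captures) are tolerated."""
    expected = 1
    for ki in key_infos:
        if classify_eapol_key(ki) == expected:
            expected += 1
            if expected == 5:
                return True
    return False


# Constructed sequence: message 1 retransmitted once, then 2, 3, 4.
CONSTRUCTED_KEY_INFO = [0x008A, 0x008A, 0x010A, 0x13CA, 0x030A]


# --- Part 2: strip HTTP headers and identify the MPEG audio body ----------
def strip_http_response_headers(stream):
    """Split a server->client HTTP stream into (status line, headers, body).
    Honors Content-Length so bytes of a following response are not kept."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers found")
    head, body = stream[:sep].decode("latin-1"), stream[sep + 4:]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return status, headers, body


MPEG1_L3_BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0]
MPEG1_SAMPLE_RATES = [44100, 48000, 32000, None]
CHANNEL_MODES = ["Stereo", "Joint stereo", "Dual channel", "Mono"]


def describe_mpeg_audio(body):
    """Minimal equivalent of file(1)'s "MPEG ADTS" check for MPEG-1 Layer III:
    12-bit sync word, version and layer bits, then bitrate/rate/mode fields."""
    if len(body) < 4 or body[0] != 0xFF or (body[1] & 0xF0) != 0xF0:
        return None
    version = (body[1] >> 3) & 0x3   # 3 = MPEG-1
    layer = (body[1] >> 1) & 0x3     # 1 = Layer III
    if version != 3 or layer != 1:
        return None
    bitrate = MPEG1_L3_BITRATES[body[2] >> 4]
    rate = MPEG1_SAMPLE_RATES[(body[2] >> 2) & 0x3]
    mode = CHANNEL_MODES[body[3] >> 6]
    if not bitrate or rate is None:
        return None
    return f"MPEG ADTS, layer III, v1, {bitrate} kbps, {rate / 1000:g} kHz, {mode}"


# Constructed stream: an HTTP response whose body starts with a real
# 128 kbps / 44.1 kHz / stereo MP3 frame header (FF FB 90 00).
CONSTRUCTED_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: audio/x-mpeg\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    + bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00\x00\x00\x00"
)


def carve_audio(stream):
    """Return (Content-Type, file(1)-style description, body bytes)."""
    _status, headers, body = strip_http_response_headers(stream)
    return headers.get("content-type"), describe_mpeg_audio(body), body


if __name__ == "__main__":
    print("complete handshake:", handshake_complete(CONSTRUCTED_KEY_INFO))
    print(carve_audio(CONSTRUCTED_STREAM)[:2])
```

The Key Information values are the ones Wireshark shows in the EAPOL-Key header; checking that all four messages are present is what tells you whether a capture can be decrypted at all. Running describe_mpeg_audio on the body before the headers are removed returns None, which is why file reported the saved stream as plain ASCII data.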

Chris continues:

Congrats Jon! Well done. Thanks to everyone who sent in entries. Honorable mentions go out to Travis Lee for his entry; he used Aircrack-ng to crack the WPA key. And to Andy and Fab, who used this Top 20 Password List to crack the key:

Imperva reveals top 20 passwords

Look for another challenge coming soon.
