## Evil farmers (Misc, 400, 3 solves)

tl;dr Brute-force the first WEP password, find the second WEP password, recover peppers

We start off by exporting the capture to `pcap` using Wireshark, since `aircrack-ng` does not accept `pcapng` as input.

After loading it in `aircrack-ng` and filtering out the networks with no handshake, no captured IVs or no name, we're left with:

```
# BSSID ESSID Encryption

1 C4:6E:1F:97:74:5C FLOVIOMEL WPA (1 handshake)
8 C8:3A:35:50:F7:F0 ChattyOfficeInc WEP (132219 IVs)
13 58:6D:8F:2C:C9:98 Linksys F WPA (1 handshake)
26 00:00:00:00:00:00 � WEP (1 IVs)
2914 CA:FF:FF:FF:FF:FF ��������������?:�@� o�N?? WEP (1 IVs)
```

`ChattyOfficeInc` looks interesting; 132k IVs should be more than enough to crack it with the PTW attack.

Unfortunately, that didn't work, so we had to brute-force the password, which turned out to be `lamep`:

```
michal@ctf:/media/sf_Desktop$ airdecap-ng -w 6c:61:6d:65:70 look.pcap
Total number of packets read 646333
Total number of WEP data packets 147872
Total number of WPA data packets 30161
Number of plaintext data packets 44
Number of decrypted WEP packets 30452
Number of corrupted WEP packets 0
Number of decrypted WPA packets 0
```
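As an added illustration (not part of the original writeup), here is a minimal Python model of what `airdecap-ng -w 6c:61:6d:65:70` does with each WEP data frame: seed RC4 with IV || key, XOR the keystream over the frame body, and accept the frame only if the CRC-32 integrity check value (ICV) verifies. The key bytes are the page's own; the sample frame and its plaintext are constructed here.

```python
import struct
import zlib
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) XORed over data; WEP uses it with no keystream discard."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_key_from_colon_hex(text: str) -> bytes:
    """Parse the aircrack-ng key syntax, e.g. '6c:61:6d:65:70' (WEP-40) or 13 bytes (WEP-104)."""
    key = bytes.fromhex(text.replace(":", ""))
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 5 (WEP-40) or 13 (WEP-104) bytes")
    return key

def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt_body(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent on air: IV(3) | key-id byte | RC4(IV || key, plaintext || ICV)."""
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt_body(key: bytes, body: bytes) -> Optional[bytes]:
    """Recover the plaintext, or None if the ICV fails (wrong key or corrupted frame)."""
    iv, cipher = body[:3], body[4:]   # body[3] carries the key index in its top two bits
    plain = rc4(iv + key, cipher)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None

# Constructed sample: a frame from ChattyOfficeInc encrypted under the first key (hypothetical).
KEY = wep_key_from_colon_hex("6c:61:6d:65:70")   # == b"lamep"
SAMPLE_BODY = wep_encrypt_body(KEY, b"\x01\x02\x03", b"GO=wireless_security.asp&wep_key_1=keepgoingdude")

def demo() -> Optional[bytes]:
    """What airdecap-ng writes out for the sample frame once the key is known."""
    return wep_decrypt_body(KEY, SAMPLE_BODY)
```

Because the per-frame secret is only the 24-bit IV prepended to a fixed key, keystreams repeat across a busy network, which is why the IV count above matters for the PTW attack the writeup tries first.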

Using a cool program [Network Miner](http://www.netresec.com/?page=NetworkMiner), we were able to quickly find a suspicious POST login:

![scr1](scr1.png)

After some investigation, we found out that our farmer had changed the WEP password:

```
Form item: "wifiEn" = "disabled"
Form item: "wpsmethod" = "pbc"
Form item: "GO" = "wireless_security.asp"
Form item: "ssidIndex" = "ChattyOfficeInc"
Form item: "security_mode" = "1"
Form item: "security_shared_mode" = "enable"
Form item: "wep_default_key" = "1"
Form item: "wep_key_1" = "keepgoingdude"
Form item: "WEP1Select" = "1"
Form item: "wep_key_2" = "ASCII"
Form item: "WEP2Select" = "1"
Form item: "wep_key_3" = "ASCII"
Form item: "WEP3Select" = "1"
Form item: "wep_key_4" = "ASCII"
Form item: "WEP4Select" = "1"
Form item: "cipher" = "aes"
Form item: "passphrase" = "12345678"
Form item: "keyRenewalInterval" = "3600"
Form item: "wpsenable" = "disabled"
Form item: "wpsMode" = "pbc"
Form item: "PIN" = ""
```

So `keepgoingdude` is the second WEP password; let's decrypt the pcap one more time.

It turns out that the farmer got a little naughty ;), but that wasn't the point of the challenge.

We noticed a suspicious `Internet Printing Protocol` stream with `job-name: flag.png`.

After a lot of struggling to recover the PostScript file, we managed to get part of it:

![scr2](scr2.png)

And got the flag: `DCTF{md5("pepper")}`

Original writeup (https://github.com/p4-team/ctf/blob/master/2016-09-24-dctf/misc400/README.md).