Network Admin :: Q4
=================

Challenge Prompt
--------

> The network admin is busy today, from the pcap, figure out the following questions.
>
> What is the network admins password?

-------------------

__For these challenges, three files were supplied: [`NET_ADMIN.pcapng`](../NET_ADMIN.pcapng), [`NET_ADMIN2.pcapng`](../NET_ADMIN2.pcapng), and [`Net_admin_Diagram.png`](../Net_admin_Diagram.png)__

The target [PCAP] file for this challenge is the second one, [`NET_ADMIN2.pcapng`](../NET_ADMIN2.pcapng), since that is the one that contains the packets for the actual authentication. If you dig into the packets in [Wireshark] that include the admin's name and the "`Password`" string, you can see fields for `User-Authentication`, but the password is encrypted.

You can see, though, that it is the [RADIUS][RADIUS] protocol. That at least gave us some keywords to start researching with.

I Googled for a good while and eventually found out that [Jumbo John The Ripper] has support for extracting a [RADIUS][RADIUS] "shared secret" hash from a [PCAP]. That sounded like everything we needed, with everything we had... but it wasn't exactly _a password._ The shared secret, though, could help us uncover the password.

So I downloaded [Jumbo John The Ripper] with [`git`][git] and ran the [`radius2john.pl`][radius2john.pl] script to convert the capture into a format that [Jumbo John The Ripper] could work with. Then I compiled [Jumbo John The Ripper] and ran it.

```
git clone "https://github.com/magnumripper/JohnTheRipper"
cd JohnTheRipper/run
# extract the RADIUS shared-secret hash from the capture
./radius2john.pl ../../NET_ADMIN2.pcapng > hashes.txt
# build the jumbo John binary
cd ../src
./configure
make
cd ../run
./john hashes.txt
```

It got the shared secret pretty quickly!

```
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_1017 [md5($s.$p) (long salt) 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
ferrari (10.10.2.200)
1g 0:00:00:00 DONE 2/3 (2017-10-21 14:27) 33.33g/s 173600p/s 173600c/s 173600C/s 123456..Geronimo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

So the shared secret was `ferrari`... but this isn't the flag; it's not the password.

I banged my head against the wall for a while trying to figure out how to recover the [RADIUS] password from the shared secret... eventually my research found that I could just use [Wireshark].

The article describing how to do that is here: [http://wifiphil.blogspot.com/2015/12/troubleshooting-decrypt-radius-packets.html](http://wifiphil.blogspot.com/2015/12/troubleshooting-decrypt-radius-packets.html)

With the shared secret entered in Wireshark's RADIUS protocol preferences, [Wireshark] would show me the password in plaintext.
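As an added illustration (not part of the original writeup), here is what the two tools above are doing under the hood, per RFC 2865: John tests candidate secrets against the Response Authenticator relation `MD5(Code+ID+Length+RequestAuth+Attributes+Secret)` that `radius2john.pl` pulls out of the capture, and Wireshark reverses the `User-Password` hiding `c_i = p_i XOR MD5(Secret + c_{i-1})` once it has the secret. The Request Authenticator and packet bytes below are constructed, not taken from the pcap; only the secret and password are the ones from this challenge.

```python
import hashlib

# Added example, not from the original writeup. Implements the RFC 2865
# password-hiding and Response Authenticator relations that Wireshark and
# radius2john/John rely on. The authenticator values used are constructed.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(S + c_{i-1}),
    with c_0 = the 16-byte Request Authenticator from the Access-Request."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what Wireshark does once it knows the secret):
    p_i = c_i XOR MD5(S + c_{i-1}); the trailing zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(header: bytes, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    radius2john emits exactly this md5($s.$p) relation; John guesses Secret."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_auth_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True when the candidate secret reproduces the reply's authenticator,
    i.e. the check that made John print 'ferrari' above."""
    return response_authenticator(response[:4], response[20:], request_auth, secret) == response[4:20]

if __name__ == "__main__":
    secret, req_auth = b"ferrari", bytes(range(16))  # req_auth is constructed
    hidden = hide_password(b"routergod", secret, req_auth)
    print(reveal_password(hidden, secret, req_auth))  # b'routergod'
```

A short shared secret like `ferrari` is what makes this capture recoverable: the only thing protecting the password hiding is the secret's entropy.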

Now this is a challenge I actually liked. It was difficult, but I felt like I was researching and learning and finding tools and techniques to get what I want. That is a CTF; not a GTF.

__Flag: `routergod`__

[PCAP]: https://en.wikipedia.org/wiki/Pcap
[CyberSEED]: https://www.csi.uconn.edu/cybersecurity-week/
[RTL-SDR]: https://www.rtl-sdr.com/
[System76]: https://system76.com/
[regex]: https://en.wikipedia.org/wiki/Regular_expression
[scapy]: http://www.secdev.org/projects/scapy/
[Wireshark]: https://www.wireshark.org/
[RADIUS]: https://en.wikipedia.org/wiki/RADIUS
[John The Ripper]: https://github.com/magnumripper/JohnTheRipper
[Jumbo John The Ripper]: https://github.com/magnumripper/JohnTheRipper
[git]: https://git-scm.com/
[radius2john]: https://github.com/piyushcse29/john-the-ripper/blob/master/run/radius2john.pl
[radius2john.pl]: https://github.com/piyushcse29/john-the-ripper/blob/master/run/radius2john.pl
[rockyou.txt]: https://wiki.skullsecurity.org/Passwords

Original writeup (https://github.com/USCGA/cyberseed_2017/tree/master/capture_the_flag/network_admin/q4).