Scenario
Thank you for responding to our call. The Ministry of Defense of Velorian is in desperate need of assistance…
We need to keep this discreet, but we believe that the public WiFi at the Ministry of Defense offices in Velorian has been compromised. The impact seems minimal, but network diagrams show that no real segmentation of the network has been implemented and that device-to-device traffic is allowed. Government ministers use this network with BYoD equipment and Velorian MoDNet hosts. Please analyze the provided pcap file and confirm how and when this occurred. Remember that this investigation is classified as TLP Amber.
Files
opshieldwall1.zip
containing the network capture “VELORIA-NETWORK.pcap”
Setup
Given the simplicity of this challenge, we can limit ourselves to tshark
/ wireshark
.
Questions
Question 1
Please confirm the SSID of our WiFi network.
First, let’s get familiar with the capture. We’ll use the following command to gather some statistics:
|
|
-r
allows reading a file-q
makes the output quieter (useful for stats as it displays global statistics, not per packet)-z
enables statistics display
There are many possible values (tshark -z help
to display them), but here we primarily want to know:
- the packet count
- the capture duration
- the IPv4 addresses with the most packets
- the IPv4 endpoints exchanging the most
- the most used protocols
Packet count and duration: 106; 31.6 sec
|
|
IPv4 endpoints:
- with the most packets:
|
|
- exchanging the most:
|
|
Most used protocols:
|
|
To answer, we can simply use the command:
|
|
Explication : (https://www.wireshark.org/docs/dfref/w/wlan.html)
-t
displays only user-specified fields (thus requiring the use of the-e
option to specify fields)-e wlan.ssid
specifies that thewlan.ssid
field (SSID of wireless networks) should be extracted and displayed-xxd -r -p
converts the output from hexadecimal to readable text
Answer :
VELORIA-MoD-AP012
Question 2
Please confirm the MAC address of the access point (AP).
|
|
Answer :
02:00:00:00:01:00
Question 3
Please confirm the AP’s authentication state/mechanism and attack vector.
Switching to Wireshark.
Answer :
WPS
Question 4
What is the packet number where the attack began?
We can easily deduce that it’s at the first connection attempt (the only one in the capture).
Answer :
93
Question 5
What is the packet number where the attack ended?
It’s clear that it ends when the authentication fails.
Answer :
8