Spectre WiFi

Challenge:

A NETGEAR router in the main library of Eastern State University was hacked, leading to a prolonged man-in-the-middle attack and student passwords getting swiped. The network admin cannot remember how to log into the router's admin portal to change the password and review the logs. He does not remember the WPA key to log in. He also thinks the default WPA keys were never changed. Here was the hash he found:

Original Hash: 124438d426a9cfe4d5c7cb7ac1a091c1b32a2b7bc70d81dd036ae8e41ead2523
Updated Hash: 4be29bb887c260061afb229d81d250a05f92fa59e324cc16fa7ae2fd3fadd1a9

Can you find out what the WPA keys were? Assume the key is not salted due to the age of the NETGEAR router.

Enter the answer as flag{password}.

Solution:

Note: On the morning of the second day of the competition the original challenge hash was replaced with one that required fewer resources to crack. We had already solved the challenge and were thus able to retain the higher point value.

During our earlier reconnaissance of the GhostTown forums we recalled seeing a thread regarding the old default WPA implementation on NETGEAR access points. In the thread titled "When will people learn about defaults?" user deephax provided a link to a thread on the Hashcat forums which described the algorithm NETGEAR used to generate default WPA keys. The key was generated by choosing a word from a list of adjectives, a word from a list of nouns, and then a three-digit number (e.g. AdjectiveNoun123). We were able to locate a GitHub repo that contained the needed wordlists and started a Hashcat session on our cracking rig.

We first generated a new dictionary containing all the possible adjective+noun combinations from the two wordlists (every adjective concatenated with every noun), which produced a wordlist just shy of 40M entries:

$ git clone https://github.com/LivingInSyn/netgear_hashcat_wordlist.git
$ cd netgear_hashcat_wordlist

$ ~/Tools/hashcat-utils/src/combinator.bin wordlists/adjectives.txt wordlists/nouns.txt > combined.txt

$ wc -l combined.txt
39609024 combined.txt

With the new wordlist we started a Hashcat session in hybrid attack mode (-a 6, wordlist + mask), using ?d?d?d as the mask for the three trailing digits and -m 1400 (raw SHA-256, matching the 64-hex-character hash and the "not salted" hint in the challenge). The resulting keyspace is the 39,609,024 dictionary entries times the 1,000 mask values. It took under 5 seconds to crack the original hash:

$ hashcat -m1400 -w4 -a6 "124438d426a9cfe4d5c7cb7ac1a091c1b32a2b7bc70d81dd036ae8e41ead2523" combined.txt ?d?d?d

Dictionary cache hit:
* Filename..: combined.txt
* Passwords.: 39609024
* Bytes.....: 650520958
* Keyspace..: 39609024000

124438d426a9cfe4d5c7cb7ac1a091c1b32a2b7bc70d81dd036ae8e41ead2523:flexiblewillow831

Status...........: Cracked
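As an added illustration (not part of the original writeup, and not code from the LivingInSyn repo or from hashcat), the following Python reproduces the whole pipeline in one place: the combinator step, the hybrid ?d?d?d expansion, the keyspace arithmetic hashcat printed, and the raw SHA-256 comparison that -m 1400 performs. The two wordlists are constructed toy lists, and the demo target hash is computed from a key we choose, so it runs offline; the real lists in the repo are far longer.

```python
import hashlib
import itertools

# Constructed mini wordlists standing in for wordlists/adjectives.txt and
# wordlists/nouns.txt from the repo; they are assumptions for this example.
ADJECTIVES = ["calm", "flexible", "quiet"]
NOUNS = ["carrot", "willow", "river"]


def combined_wordlist(adjectives, nouns):
    """Equivalent of `combinator.bin adjectives.txt nouns.txt`: every adjective
    concatenated with every noun, outer loop over the left file."""
    return [adj + noun for adj, noun in itertools.product(adjectives, nouns)]


def hybrid_candidates(words, digits=3):
    """Equivalent of hashcat -a 6 with a ?d?d?d mask: append every zero-padded
    number of the given width to each dictionary entry."""
    for word in words:
        for n in range(10 ** digits):
            yield f"{word}{n:0{digits}d}"


def mask_keyspace(wordlist_lines, digits=3):
    """Keyspace hashcat reports for -a 6: dictionary lines x 10^digits."""
    return wordlist_lines * 10 ** digits


def sha256_hex(plaintext):
    """Unsalted SHA-256 of the candidate, as hashcat -m 1400 computes it."""
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def crack_sha256(target_hex, adjectives, nouns, digits=3):
    """Walk the AdjectiveNoun### keyspace and return the plaintext whose
    SHA-256 matches target_hex, or None if the key is not in the keyspace."""
    target = bytes.fromhex(target_hex)
    for cand in hybrid_candidates(combined_wordlist(adjectives, nouns), digits):
        if hashlib.sha256(cand.encode("ascii")).digest() == target:
            return cand
    return None


if __name__ == "__main__":
    combined = combined_wordlist(ADJECTIVES, NOUNS)
    print("dictionary entries:", len(combined))
    print("keyspace:", mask_keyspace(len(combined)))
    # Constructed target: hash a key we know lies inside the toy keyspace.
    demo_hash = sha256_hex("calmcarrot515")
    print("cracked:", crack_sha256(demo_hash, ADJECTIVES, NOUNS))
```

The walk is deliberately the same nested order hashcat uses (dictionary entry, then mask), so a partial run of the script and a partial hashcat run cover the same prefix of the keyspace; on the full 39.6M-entry dictionary the pure-Python loop is far too slow, which is why the writeup hands the work to a GPU rig.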

The accepted flags were:

  • Original: flag{flexiblewillow831}
  • Updated: flag{calmcarrot515}
