A NETGEAR router in the main library of Eastern State University was hacked, leading to a prolonged man-in-the-middle attack and student passwords getting swiped. The network admin cannot remember how to log into the router's admin portal to change the password and review the logs. He does not remember the WPA key to log in. He also thinks the default WPA keys were never changed. Here was the hash he found:
Can you find out what the WPA keys were? Assume the key is not salted due to the age of the NETGEAR router.
Enter the answer as
Note: On the morning of the second day of the competition the original challenge hash was replaced with one that required fewer resources to crack. We had already solved the challenge and were thus able to retain the higher point value.
During our earlier reconnaissance of the GhostTown forums we recalled seeing a thread regarding the old default WPA implementation on NetGear access points. In the thread titled "When will people learn about defaults?", user deephax provided a link to a thread on the Hashcat forums which described the algorithm Netgear used to generate default WPA keys. The key was generated by choosing a word from a list of adjectives, a word from a list of nouns and then a three digit number (e.g. AdjectiveNoun123). We were able to locate a GitHub repo that contained the needed wordlists and started a Hashcat session on our cracking rig.
We first generated a new dictionary containing all the possible combinations of the Noun and Adjective wordlists, which generated a new wordlist just shy of 40M words:
$ git clone https://github.com/LivingInSyn/netgear_hashcat_wordlist.git
$ cd netgear_hashcat_wordlist
$ ~/Tools/hashcat-utils/src/combinator.bin wordlists/adjectives.txt wordlists/nouns.txt > combined.txt
$ wc -l combined.txt
39609024 combined.txt
With the new wordlist we started a Hashcat session in Hybrid attack mode (wordlist + mask) and used ?d?d?d for the mask. It took under 5 seconds to crack the original hash:
$ hashcat -m1400 -w4 -a6 "124438d426a9cfe4d5c7cb7ac1a091c1b32a2b7bc70d81dd036ae8e41ead2523" combined.txt ?d?d?d
Dictionary cache hit:
* Filename..: combined.txt
* Passwords.: 39609024
* Bytes.....: 650520958
* Keyspace..: 39609024000
124438d426a9cfe4d5c7cb7ac1a091c1b32a2b7bc70d81dd036ae8e41ead2523:flexiblewillow831
Status...........: Cracked
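The steps above (combinator wordlist, then a hybrid attack with a ?d?d?d mask against an unsalted SHA-256 hash) can be followed in a few lines of plain Python, which makes the keyspace arithmetic visible and doubles as an audit check for keys that still follow the default pattern. This is an added example, not code from the writeup or from the wordlist repository; the adjective and noun lists are constructed stand-ins for the GitHub wordlists, and the target hash is computed locally from the recovered key rather than taken from the challenge.

```python
"""Added example: a pure-Python replica of the hybrid attack described in the
writeup, plus a defender-side check for default-pattern WPA keys.
The wordlists here are constructed stand-ins, not the repository's lists."""
import hashlib
import itertools
import re

# Constructed sample wordlists; the real lists produce ~39.6M combinations.
ADJECTIVES = ["brave", "flexible", "quiet", "rapid"]
NOUNS = ["willow", "falcon", "river", "anchor"]


def sha256_hex(text):
    """Unsalted SHA-256 of a string, as hashcat mode 1400 hashes it."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(adjectives, nouns, digits=3):
    """Yield adjective+noun+NNN, the keyspace hashcat -a6 walks with the
    combinator output as the wordlist and a ?d?d?d mask appended."""
    for adj, noun in itertools.product(adjectives, nouns):
        stem = adj + noun
        for n in range(10 ** digits):
            yield f"{stem}{n:0{digits}d}"


def keyspace_size(n_combined_words, digits=3):
    """Number of candidates the hybrid attack must try: words x 10^digits."""
    return n_combined_words * 10 ** digits


def crack_sha256(target_hex, adjectives, nouns, digits=3):
    """Return the candidate whose SHA-256 matches target_hex, or None."""
    target = target_hex.lower()
    for cand in candidates(adjectives, nouns, digits):
        if sha256_hex(cand) == target:
            return cand
    return None


def is_default_pattern(key, adjectives, nouns, digits=3):
    """Audit check: does a WPA key look like a never-changed NETGEAR default
    (a listed adjective, a listed noun, then exactly `digits` digits)?"""
    m = re.fullmatch(r"([a-z]+)(\d{%d})" % digits, key.lower())
    if not m:
        return False
    stem = m.group(1)
    return any(stem == adj + noun
               for adj in adjectives if stem.startswith(adj)
               for noun in nouns)


if __name__ == "__main__":
    # Constructed target: the key the writeup recovered, hashed locally.
    target = sha256_hex("flexiblewillow831")
    print("recovered:", crack_sha256(target, ADJECTIVES, NOUNS))
    # The writeup's 39,609,024-line combined.txt times 10^3 mask values.
    print("keyspace for combined.txt:", keyspace_size(39609024))
```

The keyspace figure the script prints for the real combined.txt matches the 39609024000 hashcat reports, which is why three trailing digits add so little cost: the attack is bounded by the size of the two wordlists, not by the numeric suffix. The same is_default_pattern check run over an inventory of known WPA keys flags access points whose defaults were never changed.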
The accepted flags were: