forensics/wpa_ing_out

forensics/wpa_ing_out/output.txt

@@ -0,0 +1,41 @@
+$ nix-shell -p aircrack-ng
+$ nix build nixpkgs#rockyou
+$ aircrack-ng -w result/share/wordlists/rockyou.txt wpa-ing_out.pcap
+Reading packets, please wait...
+Opening wpa-ing_out.pcap
+Resetting EAPOL Handshake decoder state.
+Resetting EAPOL Handshake decoder state.
+Read 23523 packets.
+
+   #  BSSID              ESSID                     Encryption
+
+   1  00:5F:67:4F:6A:1A  Gone_Surfing              WPA (1 handshake)
+
+Choosing first network as target.
+
+Reading packets, please wait...
+Opening wpa-ing_out.pcap
+Resetting EAPOL Handshake decoder state.
+Resetting EAPOL Handshake decoder state.
+Read 23523 packets.
+
+1 potential targets
+
+                               Aircrack-ng 1.7
+
+      [00:00:00] 1269/10303727 keys tested (22890.06 k/s)
+
+      Time left: 7 minutes, 30 seconds                           0.01%
+
+                          KEY FOUND! [ mickeymouse ]
+
+
+      Master Key     : 61 64 B9 5E FC 6F 41 70 70 81 F6 40 80 9F AF B1
+                       4A 9E C5 C4 E1 67 B8 AB 58 E3 E8 8E E6 66 EB 11
+
+      Transient Key  : 26 85 7B AC DD 2C 44 E6 06 18 03 B0 0F F2 75 A2
+                       32 63 F7 35 74 2D 18 10 1C 25 F9 14 BC 41 DA 58
+                       52 48 86 B0 D6 14 89 F6 77 00 67 E0 AD 10 1B 00
+                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+      EAPOL HMAC     : 65 2F 6C 0E 75 F0 49 27 6A AA 6A 06 A7 24 B9 A9

forensics/wpa_ing_out/solution.md

@@ -0,0 +1,11 @@
+With the output of `output.txt`, open the pcap file in wireshark.
+
+Go to Edit > Preferences > Protocols > IEEE 802.11 > Decryption Keys [Edit...]
+
+Add key of type `wpa-pwd`: `mickeymouse:Gone_Surfing`
+
+The traffic should now be decrypted.
+
+... Turns out the password itself is the flag
+
+picoCTF{mickeymouse}