Side Quest - Day 1
In this challenge, we are given a Wireshark capture called VanSpy.pcapng. When we open it with Wireshark, we just see the following:
The protocol 802.11 is the one used for Wi-Fi communication. Because there is no other protocol in the capture, we guess that we have to crack the Wi-Fi password to recover the traffic. To do so, we export the hash of the Wi-Fi password and crack it with hashcat. I found this blog, which explains a lot about Wi-Fi attacks, including how to recover and crack the Wi-Fi hash in our case. First we run the following command:
hcxpcapngtool -o VanSpy.hash VanSpy.pcapng
We get some output like this:
But what is interesting is that we recovered the hash of the Wifi in our text file:
We can now run hashcat on it like so:
hashcat -m 22000 VanSpy.hash /usr/share/wordlists/rockyou.txt
To know which mode to use with hashcat, go to the hashcat website and search for a hash that looks like ours.
The password is pretty weak, so we quickly find the cleartext password, Christmas:
We now have to specify it in Wireshark. To do so, go to the Edit menu, then Preferences, then in the Protocols subsection search for the protocol IEEE 802.11 and specify the Decryption Key:
We specify the key as follows:
Now we can search the Wireshark capture as we would in a normal one. We can look for TCP, HTTP, FTP traffic… After a bit of digging, we see that port 4444 is in use… which is the default port for Metasploit… Should be interesting:
As we can see, there are a lot of PSH, ACK packets, which means data is being exchanged here. If we right-click on one of them and select Follow > TCP Stream like this:
We get the following result:
Mmmmh… Looks like a non-standard user we have here… What we see is that the user is running as Administrator and runs Mimikatz commands to elevate privileges to NT AUTHORITY\SYSTEM and export the RDP certificate:
Thanks to our attacker, we get the content of the LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx certificate, because he converted it to base64:
For some reason, decoding the base64 directly from the terminal didn’t work, so I used CyberChef to recover the original content of the file.
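As an added example (not part of the original writeup), here is the cleanup a base64 dump copied out of a TCP stream usually needs before it decodes: dropping CRLF line endings, prompt echoes and certutil-style markers, then checking that the decoded blob is one complete DER object (a PKCS#12 file is an outer DER SEQUENCE). The PFX bytes and the stream text are constructed, not the challenge's data.

```python
import base64
import re

# Constructed stand-in for the dumped PFX: DER SEQUENCE header (0x30, long-form
# length 0x0100) plus 256 filler bytes. A real PKCS#12 file also starts with a
# SEQUENCE, which is what the completeness check below relies on.
FAKE_PFX = b"\x30\x82\x01\x00" + bytes(range(256))
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def make_sample_stream(truncate: bool = False) -> str:
    """Constructed 'Follow TCP Stream' text: CRLF endings, prompt echoes,
    certutil-style markers, base64 wrapped at 64 columns."""
    b64 = base64.b64encode(FAKE_PFX).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if truncate:  # simulate an incomplete copy out of the terminal
        body = body[:-1]
    lines = (["C:\\Windows\\system32>type cert.b64", "-----BEGIN CERTIFICATE-----"]
             + body + ["-----END CERTIFICATE-----", "C:\\Windows\\system32>"])
    return "\r\n".join(lines) + "\r\n"

def extract_base64(stream_text: str) -> str:
    """Longest run of consecutive base64-only lines; prompts, PEM markers and
    CR/LF (a common reason a terminal decode fails) are dropped."""
    best, run = [], []
    for raw in stream_text.splitlines() + [""]:  # "" sentinel flushes the last run
        line = raw.strip()
        if B64_LINE.fullmatch(line):
            run.append(line)
            continue
        if sum(map(len, run)) > sum(map(len, best)):
            best = run
        run = []
    return "".join(best)

def der_total_length(blob: bytes) -> int:
    """Size (header + content) announced by the outer DER SEQUENCE, else -1."""
    if len(blob) < 2 or blob[0] != 0x30:
        return -1
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    if n == 0 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def recover_pfx(stream_text: str) -> bytes:
    """Decode the blob; raises ValueError if it is not one complete DER object."""
    blob = base64.b64decode(extract_base64(stream_text), validate=True)
    announced = der_total_length(blob)
    if announced != len(blob):
        raise ValueError(f"DER announces {announced} bytes, got {len(blob)}")
    return blob
```

If the length check fails, the copy is truncated or the blob is not a PFX at all, which is worth knowing before trying passwords against it.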
Now that we have our LOCAL_MACHINE_Remote Desktop_0_INTERN-PC.pfx, we should be able to recover the private key and decode the RDP traffic… But it seems there is a password…
After trying to crack it with rockyou (unsuccessfully), I searched the internet for a way to recover it… only to learn that it was… mimikatz…
So we run the previous command, specify the password mimikatz, and get a pretty server.pem private key:
We can remove the header and keep only the part that starts with -----BEGIN PRIVATE KEY-----; we then specify it in the Protocols section (as we saw earlier), but this time under RDP:
More information about RDP decryption can be found on this hackingarticles blog and this paloaltonetworks one.
We then specify the IP address of the server (the one with port 3389), the port 3389, the protocol tpkt, and the path to the private key:
When we search for RDP in the search bar, we now have plenty of results:
Here I was blocked… I tried to look at every packet, but didn’t find anything… All the packets had non-printable characters, so it was a dead end… Or was it? I then realised that RDP is like a video stream, so maybe we could recover this video? I searched for a tool that would do that and found this incredible tool, pyrdp. I also found this blog from kalilinuxtutorials that helped me understand how to use it.
So I exported the PDUs by clicking on the File menu, then Export PDUs to File, and selecting OSI Layer 7. Now we have some RDP traffic without any colour:
A Protocol Data Unit (PDU) in Wireshark refers to a unit of data at the transport layer of a network protocol. When exported from Wireshark, a PDU capture typically contains the raw data exchanged between network devices during communication. PDUs are useful for analyzing and troubleshooting network issues, providing insights into the structure and content of data packets.
We then save it as a pcap file:
Note that the format pcap is important. Using the default pcapng will not work for the tool pyrdp.
I ran pyrdp in a venv to have less trouble with dependencies. I ran the following commands:
python3 -m venv venv
source venv/bin/activate   # activate the venv so pip installs into it, not system-wide
cd pyrdp                   # the cloned pyrdp repository
pip3 install -U -e '.[full]'
cd ..
We then run the following command to export the PDUs in a format that pyrdp understands:
python3 pyrdp/pyrdp/bin/convert.py -o py_rdp_output export_pdu.pcap
And we get this beautiful output:
For some unknown reason, pyrdp-player wouldn’t run from the binary in the venv, so I ran it from the Docker image like so:
sudo docker run -v "$PWD/py_rdp_output:/pwd" -e DISPLAY=$DISPLAY -e QT_X11_NO_MITSHM=1 --net=host gosecure/pyrdp pyrdp-player
We have this window that pops up:
We go to File > Open and select, in our folder, the file called [STRIP].pycap, then open it:
Note that we need to look in OUR directory. Because we are using the Docker image, it is not in the default folder that is open when you get to this menu. You need to go into the /pwd folder, because this is the name I gave it in the docker command (-v "$PWD/py_rdp_output:/pwd").
We get this window, which is AWESOME!!! Let me explain. We now have the full replay of the RDP communication that went through the Wireshark capture. And what is fantastic is that we have the keys pressed by the user and also the content of the clipboard!!!
We now just have to press play and wait for the answers to come to us:
And we now have the key to validate the challenge.