ITX8063 2012 Homework

Source: Lambda

Homework

Submission deadline passed

Update (10 Dec): Deadline passed, new submissions are not accepted any more.

Introduction

  • The homework is not mandatory.
  • Expected solving time: up to 3 hours.
  • Tools:
  • Scoring: up to 10 points. Cheaters will get their overall course score multiplied by 0.
  • Deadline: 30 November 2012
  • 1 point is deducted for every day the submission is delayed. Zero points after 9 December 2012.
  • Questions regarding the homework should be sent to mait.peekma[=at=]eesti.ee

Task

You are working at a law enforcement agency. Your colleagues are hunting a huge group of bad guys who are hiding a cyberweapon at an unknown location. It is known that those bad guys communicate with each other by hiding messages inside pictures on a popular public gallery, and one of the pictures contains the address of the cyberweapon. A password is required to extract the hidden message from the picture file. Moreover, without that password it is not possible to tell whether a picture contains a hidden message or not. As the public gallery is very popular, it is not possible to tell whether a person who downloaded a picture was a member of the group or just an ordinary internet user. Your colleagues have captured a piece of encrypted WiFi traffic near the home of one of the suspects. They believe that it contains a recording from an answering machine that contains the password needed to extract the hidden information. Your task is to find the hidden information: the street address of the hidden cyberweapon.

Description

  1. Grab the .pcap file that contains the encrypted WiFi traffic. Examine the file using Wireshark and find the SSID of the AP.
  2. Use aircrack-ng and a dictionary to brute-force the WiFi password.
  3. Decrypt the .pcap file using airdecap-ng.
  4. Open the decrypted .pcap file using Wireshark. The file contains some HTTP traffic including an audio file (.ogg). Try to extract the audio file (File -> Export -> Objects -> HTTP -> ...). A number of packets may be missing, leaving the audio file corrupted. In that case, try to grab the audio file from its original URL.
  5. The audio file contains a password. The criminals have read a comic and used a password generator, thus the password contains exactly four English words separated by spaces.
  6. The gallery has 256 images. One of them contains a hidden secret message that can be decrypted using the password found in the previous step. The message has been encrypted and hidden inside the image using Steghide. Find the image - you might need to download all the files (script it if you can!) and extract the hidden message that contains a street address.
  7. Write a report and send it to mait.peekma[=at=]eesti.ee by 30 November 2012. The report (PDF) must be written in English and must contain:
    1. Update 13 Nov: Your full name and student code.
    2. The SSID name of the access point. The WiFi encryption that was used (WEP, WPA, WPA2, ...) (2 points). Update 3 Nov: Describe how you identified the encryption method.
    3. Description of how the WiFi password was found and how the file was decrypted (aircrack-ng and airdecap-ng commands and the results) (2 points).
    4. Description of how the audio file was extracted or downloaded (if it was corrupted) and what the 4 word password was (2 points).
    5. What is steganography? Using your own words, no less than 15, no more than 20 words (2 points).
    6. Description of how the image was found and how the secret message was extracted (steghide command and the result), and what the hidden message is (2 points). Update 3 Nov: What is the name of the image file that contains the secret message?
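
Step 6 suggests scripting the search. The following is an added example, not part of the original assignment: it tries one passphrase against every file in a local directory with `steghide extract` and reports which file yields a payload. It assumes the gallery images are already downloaded; the function name, the `.payload` suffix and the `STEGHIDE` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: find which image in a directory steghide can open with a
# known passphrase. STEGHIDE can be overridden (e.g. with a stub for testing).
STEGHIDE="${STEGHIDE:-steghide}"

# find_stego_image DIR PASSPHRASE OUTDIR
# Prints "<image><TAB><extracted file>" for every image that yields a payload.
# Returns 0 if at least one image matched, 1 if none did, 2 on setup failure.
find_stego_image() {
    dir=$1; pass=$2; outdir=$3
    found=1
    mkdir -p "$outdir" || return 2
    for img in "$dir"/*; do
        [ -f "$img" ] || continue
        out="$outdir/$(basename "$img").payload"
        # -sf stego file, -p passphrase, -xf output file,
        # -f overwrite existing output, -q suppress messages.
        # steghide exits non-zero for a wrong passphrase, for a file with no
        # embedded data, and for an unsupported file format.
        if "$STEGHIDE" extract -sf "$img" -p "$pass" -xf "$out" -f -q \
                >/dev/null 2>&1 && [ -s "$out" ]; then
            printf '%s\t%s\n' "$img" "$out"
            found=0
        else
            rm -f "$out"   # drop empty or partial output from a failed attempt
        fi
    done
    return "$found"
}

# Stand-alone use: ./find_stego.sh GALLERY_DIR 'four word pass phrase' [OUTDIR]
if [ "$#" -ge 2 ]; then
    find_stego_image "$1" "$2" "${3:-./extracted}"
fi
```

Passing the passphrase with `-p` exposes it in the process list, so on a shared machine run this under an account whose processes other users cannot inspect.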

Update 13 Nov: I expect well-formatted and structured reports from master's-level students.