Tuesday, December 2, 2014

Kaizen - Android Forensics #1 (find saved WiFi passwords)

File: android-forensics.zip

The kaizen CTF was also the first time I'd done a CTF challenge that involved Android forensics. I'd messed around the Android filesystem before with adb shell, but never gone looking for specific things.

Here's the challenge text:

A user created a backup of his Android phone and saved it on the Desktop. What is the wifi password of the network that the user connected to?

This is a good example of something that logically must be stored somewhere on the phone, but something that I would never think about being available to anyone with access to the filesystem.

After poking around a while wihtout any success, I thought that the string "ssid" or "SSID" would likely be stored near the password, wherever that would be...

Running grep -r "ssid" data/ yields a fair number of hits, but one sticks out in particular:

./misc/wifi/wpa_supplicant.conf:    ssid="HomeNetwork"

This looks promising... Investigating the rest of the file shows it contains the "psk" that we're looking for!



No comments:

Post a Comment