search

Linux BOF & Wireless Attacks

hashtag
Environment setup

  1. install edb

sudo apt-get install edb

  1. disable ASLR and DEP on linux

sudo bash -c "echo 0 > /proc/sys/kernel/randomize_va_space"
cat /proc/sys/kernel/randomize_va_space

sudo nano /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet splash noexec=off noexec32=off clearcpuid=514"
sudo update-grub
sudo reboot

  1. edb is pretty much the same as immunity debugger you can do the same steps as we did on windows.

hashtag
GDB Basics Cheat Sheet

hashtag
Starting and Quitting

  • gdb <program>: Start GDB with a program.

  • run or r: Start the program.

  • quit or q: Exit GDB.

hashtag
Breakpoints

  • break <location> or b <location>: Set a breakpoint.

  • info breakpoints or i b: List breakpoints.

  • delete <num> or d <num>: Delete a breakpoint.

hashtag
Stepping and Continuing

  • next or n: Step to the next line (skip functions).

  • step or s: Step into a function.

  • continue or c: Continue execution.

hashtag
Inspecting Variables and Memory

  • print <expr> or p <expr>: Print value of an expression.

  • x/<format> <address>: Examine memory (e.g., x/4x for 4 hex values).

  • info locals: Show local variables.

hashtag
Stack and Frames

  • backtrace or bt: Show the call stack.

  • frame <num> or f <num>: Switch to a frame.

  • info frame: Show details of the current frame.

hashtag
Running and Control

  • kill: Stop program execution.

  • jump <location>: Jump to a line or address.

hashtag
Threads

  • info threads: List threads.

  • thread <num>: Switch to a thread.

hashtag
Exploit Vuln program

  • protostar stack5

  • compile 32-bit program with no ASLR and no execution protection

hashtag
Wireless

hashtag
Config Adapter TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]

  • check Adapter info

  • install required drivers

hashtag
start monitoring

  • check the wireless adapter for monitor mode:

  • Start monitor mode on the wireless interface, this will change the interface name to wlan0mon

  • Now let’s capture the wireless packets that fly around us on the air to know what wifi networks available.

BSSID: The MAC address (unique identifier) of the access point or router.

ESSID: The network name (SSID) broadcast by the access point.

ENC: The encryption protocol used (e.g., WEP, WPA, WPA2).

Cipher: The encryption algorithm used for securing the data (e.g., CCMP, TKIP).

Auth: The authentication method (e.g., PSK, MGT) used to verify devices connecting to the network.

Channel: The specific frequency band used on which the access point is operating.

Network power:

WF_S_S_4@2x.webp

hashtag
Attacking target:

  • Capturing the target traffic to/from clients to get authentication handshakes.

  • De-authenticate all clients to force them authenticate and then capture the authentication packets.

  • No try to capture authentication handshakes again.

Inspecting the captured traffic with wireshark:

In Wireshark we want to filter with eapol to get the 4-way handshake for WiFi connections.

hashtag
Cracking Authentication keys

  • Put the interface back to managed mode

  • Cracking

hashtag
Cracking with hashcat

Convert the cap file to hash with hashcat utils or using this web app: https://hashcat.net/cap2hashcat/arrow-up-right

  1. Brute Force Attack for 8 Digits

  1. Brute Force Attack for 8 Characters (Digits and Alphabet)

?a: Represents any alphanumeric character (lowercase, uppercase, digits, and symbols).

  1. brute force lower letters

  1. Brute Force Attack for 8 to 11 Digits

PreviousPentest_NotesNextWriteUps

Last updated