Linux BOF & Wireless Attacks

Environment setup

  1. install edb

sudo apt-get install edb
  2. disable ASLR and DEP on Linux

sudo bash -c "echo 0 > /proc/sys/kernel/randomize_va_space"
cat /proc/sys/kernel/randomize_va_space

sudo nano /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet splash noexec=off noexec32=off clearcpuid=514"
sudo update-grub
sudo reboot
  3. edb is much the same as Immunity Debugger; you can follow the same steps we used on Windows.

GDB Basics Cheat Sheet

Starting and Quitting

  • gdb <program>: Start GDB with a program.

  • run or r: Start the program.

  • quit or q: Exit GDB.

Breakpoints

  • break <location> or b <location>: Set a breakpoint.

  • info breakpoints or i b: List breakpoints.

  • delete <num> or d <num>: Delete a breakpoint.

Stepping and Continuing

  • next or n: Step to the next line (skip functions).

  • step or s: Step into a function.

  • continue or c: Continue execution.

Inspecting Variables and Memory

  • print <expr> or p <expr>: Print value of an expression.

  • x/<format> <address>: Examine memory (e.g., x/4x for 4 hex values).

  • info locals: Show local variables.

Stack and Frames

  • backtrace or bt: Show the call stack.

  • frame <num> or f <num>: Switch to a frame.

  • info frame: Show details of the current frame.

Running and Control

  • kill: Stop program execution.

  • jump <location>: Jump to a line or address.

Threads

  • info threads: List threads.

  • thread <num>: Switch to a thread.

Exploit Vuln program

  • protostar stack5

  • compile a 32-bit build of the program with ASLR and stack execution protection disabled

Wireless

  • check Adapter info

  • install required drivers

start monitoring

  • check the wireless adapter for monitor mode:

  • Start monitor mode on the wireless interface; this renames the interface to wlan0mon.

  • Now capture the wireless frames in the air around us to see which WiFi networks are available.

BSSID: The MAC address (unique identifier) of the access point or router.

ESSID: The network name (SSID) broadcast by the access point.

ENC: The encryption protocol used (e.g., WEP, WPA, WPA2).

Cipher: The encryption algorithm used for securing the data (e.g., CCMP, TKIP).

Auth: The authentication method (e.g., PSK, MGT) used to verify devices connecting to the network.

Channel: The channel (frequency) on which the access point is operating.

Network power:


Attacking target:

  • Capturing the target traffic to/from clients to get authentication handshakes.

  • De-authenticate all clients to force them to re-authenticate, then capture the authentication packets.

  • Now try to capture the authentication handshakes again.

Inspecting the captured traffic with wireshark:

In Wireshark, filter on eapol to isolate the 4-way handshake of WiFi (WPA/WPA2) connections.

Cracking Authentication keys

  • Put the interface back into managed mode

  • Cracking

Cracking with hashcat

Convert the .cap file into a hashcat hash with hashcat-utils or with this web app: https://hashcat.net/cap2hashcat/

  1. Brute Force Attack for 8 Digits

  2. Brute Force Attack for 8 Characters (Digits, Letters and Symbols)

?a: Represents any printable ASCII character (lowercase, uppercase, digits and symbols), i.e. ?l?u?d?s.

  3. Brute Force Attack for 8 Lowercase Letters

  4. Brute Force Attack for 8 to 11 Digits
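The masks above are best read from the defender's side: how many candidates does a given PSK policy expose, and how long would a PSK have to be to outlast an offline attack? The following keyspace estimator is an added example (not part of the course notes); the charset sizes are hashcat's built-in definitions, while the guess rate and one-year horizon used in the checks are constructed placeholders that you should replace with a measured `hashcat -b` figure for your own hardware.

```python
from math import prod

# hashcat built-in charset sizes: ?a is ?l?u?d?s, i.e. the 95 printable ASCII characters
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}


def mask_positions(mask, custom=None):
    """Charset size for each position of a hashcat mask.
    custom maps "1".."4" to the size of a user-defined charset (-1..-4);
    "??" is a literal '?', any other literal character counts as one choice."""
    sizes = {**CHARSET_SIZES, **(custom or {})}
    positions, i = [], 0
    while i < len(mask):
        if mask[i] != "?":            # literal character: exactly one choice
            positions.append(1)
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("dangling '?' at end of mask")
        tok = mask[i + 1]
        if tok == "?":
            positions.append(1)       # escaped question mark
        elif tok in sizes:
            positions.append(sizes[tok])
        else:
            raise ValueError(f"unknown charset ?{tok}")
        i += 2
    return positions


def mask_keyspace(mask, custom=None):
    """Number of candidates a single mask expands to (e.g. ?d?d?d?d?d?d?d?d -> 10**8)."""
    return prod(mask_positions(mask, custom))


def incremental_keyspace(mask, min_len, max_len):
    """Candidates tried with --increment-min/--increment-max over the mask's prefixes."""
    positions = mask_positions(mask)
    if not 1 <= min_len <= max_len <= len(positions):
        raise ValueError("increment range must lie within the mask length")
    return sum(prod(positions[:n]) for n in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a measured guess rate."""
    return keyspace / guesses_per_second


def minimum_length(charset_size, guesses_per_second, horizon_seconds):
    """Smallest PSK length whose full keyspace cannot be exhausted within the horizon."""
    n = 1
    while charset_size ** n < guesses_per_second * horizon_seconds:
        n += 1
    return n
```

With a placeholder rate of 500,000 WPA2 guesses per second, the 8-digit mask (10**8 candidates) falls in about 200 seconds, the 8-to-11-digit increment run covers 111,100,000,000 candidates, and an all-digit PSK would need 14 positions to outlast a year of guessing, against 7 positions for a PSK drawn from the full ?a set.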
