david/netsec-djw2
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

part 1 of hw3

Browse Source
This commit is contained in:
David Westgate 2024-05-20 17:17:02 -07:00
parent 476a673f82
commit f8b645bf7f
7 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
hw3/bettercap-deauth.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 348 KiB

BIN
hw3/bettercap-wifi-recon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
hw3/bettercap-wifi-show.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
hw3/cracked.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 133 KiB

BIN
hw3/hashcat-running.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 124 KiB

BIN
hw3/hcxpcapngtool.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 238 KiB

20
hw3/hw3.md
View File

@ -3,6 +3,7 @@
For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali
## Crack the NetSec WiFi network password with bettercap ## Crack the NetSec WiFi network password with bettercap
After connecting to mallory, I start by running `bettercap` on the `wlan0` interface. I then try to turn on wifi reconnaissance. After connecting to mallory, I start by running `bettercap` on the `wlan0` interface. I then try to turn on wifi reconnaissance.
![start-bettercap](./start-bettercap.png) ![start-bettercap](./start-bettercap.png)
@ -11,14 +12,29 @@ As issue is returned that bettercap cannot put wlan0 into monitor mode. This is
### Find the BSSID and connected client of the NetSec Network ### Find the BSSID and connected client of the NetSec Network
Running `wifi.show` with bettercap, we see the BSSID of NetSec. That being 28:87:ba:75:7e:93
![bettercap-wifi-show](./bettercap-wifi-show.png)
with `wifi.recon 28:87:ba:75:7e:93` I can see the clients of the NetSec network. Here, we see the client with BSSID 70:f7:54:ff:1c:59
![bettercap-wifi-recon](./bettercap-wifi-recon.png)
### Perform a deauth attack on the network with bettercap and capture the 4-way handshake ### Perform a deauth attack on the network with bettercap and capture the 4-way handshake
With `wifi.deauth 70:f7:54:ff:1c:59` I can send a deauth message to the above client. We can see this worked, and the handshake was automatically captured
![bettercap-deauth](./bettercap-deauth.png)
### Use the hcx toolsuite to convert the captured handshake to a format that hashcat can understand ### Use the hcx toolsuite to convert the captured handshake to a format that hashcat can understand
Using hcxpcapngtool of the hcx toolsuite, I can convent this pcap file to a format hashcat will understand (after copying the file from /root to /home/kai)
![hcxpcapngtool](./hcxpcapngtool.png)
### Crack the password using hashcat and rockyou.txt ### Crack the password using hashcat and rockyou.txt
Finally, I run `hashcat -m 22000 -a 0 -w 3 -o bettercap-cracked.txt handshake.hc22000 rockyou.txt` on the above converted handshake file, to crack the password and write it to `bettercap-cracked.txt`.
![hashcat-running](./hashcat-running.png)
After ~7 minutes, we have cracked the password. That being `crackme1`
![cracked](./cracked.png)
### Connect workstation to the wifi network and show using nmtui ### Connect workstation to the wifi network and show using nmtui
Now that I have found the password, I can initiate a wifi connection from `mallory` to the raspberry pi Now that I have found the password, I can initiate a wifi connection from `mallory` to the NetSec network
The first issue encountered was the the network manager was inactive. This is confirmed by running `systemctl status NetworkManager` The first issue encountered was the the network manager was inactive. This is confirmed by running `systemctl status NetworkManager`
@ -36,9 +52,11 @@ The connection was successfull
## Scan the network with nmap ## Scan the network with nmap
I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24` I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24`
![subnet](./subnet.png) ![subnet](./subnet.png)
Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students
![nmap](./nmap.png) ![nmap](./nmap.png)
![nmap-1](./nmap-1.png) ![nmap-1](./nmap-1.png)
![nmap-2](./nmap-2.png) ![nmap-2](./nmap-2.png)