part 1 of hw3

This commit is contained in:
David Westgate 2024-05-20 17:17:02 -07:00
parent 476a673f82
commit f8b645bf7f
7 changed files with 20 additions and 2 deletions

BIN
hw3/bettercap-deauth.png Normal file

BIN
hw3/bettercap-wifi-show.png Normal file

BIN
hw3/cracked.png Normal file

BIN
hw3/hashcat-running.png Normal file

BIN
hw3/hcxpcapngtool.png Normal file

@ -3,6 +3,7 @@
For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali
## Crack the NetSec WiFi network password with bettercap
After connecting to mallory, I start by running `bettercap` on the `wlan0` interface. I then try to turn on wifi reconnaissance.
![start-bettercap](./start-bettercap.png)
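Review bot: the intro line has spelling errors and a missing sentence break: `demostrate` should be `demonstrate`, `reconissance` should be `reconnaissance`, and `running kali` should read `running Kali Linux.` with a terminating period. Since this sentence sets the scope for the whole writeup, it would also help to name the two hosts involved once here (the `NetSec` network and the `mallory` machine) so the later sections can refer back to them instead of re-introducing them.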
@ -11,14 +12,29 @@ As issue is returned that bettercap cannot put wlan0 into monitor mode. This is
### Find the BSSID and connected client of the NetSec Network
Running `wifi.show` with bettercap, we see the BSSID of NetSec. That being 28:87:ba:75:7e:93
![bettercap-wifi-show](./bettercap-wifi-show.png)
with `wifi.recon 28:87:ba:75:7e:93` I can see the clients of the NetSec network. Here, we see the client with BSSID 70:f7:54:ff:1c:59
![bettercap-wifi-recon](./bettercap-wifi-recon.png)
### Perform a deauth attack on the network with bettercap and capture the 4-way handshake
With `wifi.deauth 70:f7:54:ff:1c:59` I can send a deauth message to the above client. We can see this worked, and the handshake was automatically captured
![bettercap-deauth](./bettercap-deauth.png)
### Use the hcx toolsuite to convert the captured handshake to a format that hashcat can understand
Using hcxpcapngtool of the hcx toolsuite, I can convent this pcap file to a format hashcat will understand (after copying the file from /root to /home/kai)
![hcxpcapngtool](./hcxpcapngtool.png)
### Crack the password using hashcat and rockyou.txt
Finally, I run `hashcat -m 22000 -a 0 -w 3 -o bettercap-cracked.txt handshake.hc22000 rockyou.txt` on the above converted handshake file, to crack the password and write it to `bettercap-cracked.txt`.
![hashcat-running](./hashcat-running.png)
After ~7 minutes, we have cracked the password. That being `crackme1`
![cracked](./cracked.png)
### Connect workstation to the wifi network and show using nmtui
Now that I have found the password, I can initiate a wifi connection from `mallory` to the raspberry pi
Now that I have found the password, I can initiate a wifi connection from `mallory` to the NetSec network
The first issue encountered was the the network manager was inactive. This is confirmed by running `systemctl status NetworkManager`
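Review bot: 70:f7:54:ff:1c:59 is a client station's MAC address, not a BSSID; the BSSID is the access point's identifier (28:87:ba:75:7e:93 here), so `Here, we see the client with BSSID 70:f7:54:ff:1c:59` should say `client with MAC address`. Also fix `convent` to `convert`, `the the network manager` to `that the network manager`, and the context line `As issue is returned` to `An issue is returned`. The two consecutive `Now that I have found the password` lines look like a leftover of the edit: if the `raspberry pi` version is not the line being removed in this hunk, drop it so only the NetSec wording remains. Finally, the hashcat sentence would be easier to follow if it said explicitly that `handshake.hc22000` is the hcxpcapngtool output from the previous step and that `bettercap-cracked.txt` is where `-o` writes the cracked result.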
@ -36,9 +52,11 @@ The connection was successfull
## Scan the network with nmap
I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24`
![subnet](./subnet.png)
Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students
![nmap](./nmap.png)
![nmap-1](./nmap-1.png)
![nmap-2](./nmap-2.png)
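Review bot: `iwconfig` reports wireless link parameters (ESSID, frequency, signal level), not IP addressing, so it cannot show that `wlan0` sits in `192.168.0.0/24`; the subnet comes from `ip addr show wlan0` (or `ifconfig wlan0`), and the text should name the command that was actually run so it matches the `subnet.png` screenshot. Also `persistant` should be `persistent`, and the sentence about repeating the ping scan on different days should end with a period and state what was compared across runs to tell the persistent hosts (the router) apart from transient lab clients, since the three nmap screenshots alone do not make that reasoning visible.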