127 lines
6.4 KiB
Markdown
127 lines
6.4 KiB
Markdown
# Homework 3: Cracking WiFI!
|
|
|
|
For this homework assignment, I will demostrate cracking the `NetSec` WiFi network, and performing some reconissance. I will do this via the `mallory` machine, running kali
|
|
|
|
## Crack the NetSec WiFi network password with bettercap
|
|
|
|
After connecting to mallory, I start by running `bettercap` on the `wlan0` interface. I then try to turn on wifi reconnaissance.
|
|
|
|
|
|
As issue is returned that bettercap cannot put wlan0 into monitor mode. This is strange, but I work around it by running `sudo iwconfig wlan0 mode Monitor` to do this manually
|
|
|
|
|
|
### Find the BSSID and connected client of the NetSec Network
|
|
|
|
Running `wifi.show` with bettercap, we see the BSSID of NetSec. That being 28:87:ba:75:7e:93
|
|
|
|
|
|
with `wifi.recon 28:87:ba:75:7e:93` I can see the clients of the NetSec network. Here, we see the client with BSSID 70:f7:54:ff:1c:59
|
|
|
|
### Perform a deauth attack on the network with bettercap and capture the 4-way handshake
|
|
|
|
With `wifi.deauth 70:f7:54:ff:1c:59` I can send a deauth message to the above client. We can see this worked, and the handshake was automatically captured
|
|
|
|
### Use the hcx toolsuite to convert the captured handshake to a format that hashcat can understand
|
|
|
|
Using hcxpcapngtool of the hcx toolsuite, I can convent this pcap file to a format hashcat will understand (after copying the file from /root to /home/kai)
|
|
|
|
### Crack the password using hashcat and rockyou.txt
|
|
|
|
Finally, I run `hashcat -m 22000 -a 0 -w 3 -o bettercap-cracked.txt handshake.hc22000 rockyou.txt` on the above converted handshake file, to crack the password and write it to `bettercap-cracked.txt`.
|
|
|
|
|
|
After ~7 minutes, we have cracked the password. That being `crackme1`
|
|
|
|
|
|
### Connect workstation to the wifi network and show using nmtui
|
|
Now that I have found the password, I can initiate a wifi connection from `mallory` to the NetSec network
|
|
|
|
The first issue encountered was the the network manager was inactive. This is confirmed by running `systemctl status NetworkManager`
|
|
|
|
|
|
|
|
This was fixed by running `sudo systemctl start NetworkManager`
|
|
|
|
Now with `sudo nmtui` I can finally attempt connect to NetSec with the password, `crackme1`.
|
|
|
|
|
|
|
|
The connection was successfull
|
|
|
|
|
|
|
|
## Scan the network with nmap
|
|
I now want to scan the network to identify the router, and devices connected to the router. A quick check with `iwconfig` and looking at the `wlan0` interface shows that as a client of this router, we are in the subnet `192.168.0.0/24`
|
|
|
|
|
|
|
|
Now running `sudo nmap -sn 192.168.0.0/24` (a simple ping scan) we have some interesting results. I've run this a few times on different days to see which hosts are persistant, and less likely to be other students
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To summerize this, the interesting devices, excluding ourselves (mallory) are
|
|
```
|
|
Nmap scan report for Archer (192.168.0.1)
|
|
MAC Address: 28:87:BA:75:7E:98 (TP-Link Limited)
|
|
|
|
Nmap scan report for bookworm (192.168.0.139)
|
|
MAC Address: D8:3A:DD:7E:3C:31 (Unknown)
|
|
|
|
Nmap scan report for 192.168.0.47
|
|
Host is up (1.2s latency).
|
|
MAC Address: 70:F7:54:FF:1C:59 (Ampak Technology)
|
|
|
|
Nmap scan report for 192.168.0.240
|
|
MAC Address: E4:5F:01:91:0C:52 (Raspberry Pi Trading)
|
|
```
|
|
We have one router/gateway (archer/28:87:BA:75:7E:98), one persistant client device (bookworm/D8:3A:DD:7E:3C:31). The other devices shown in some of these scans do not seem to persist and are not shown in my last scan which is at the time of writing. I will now scan for open ports on these available devices. Specifically, I will scan the default 1000 common ports.
|
|
|
|
### Open ports and services on archer
|
|
As the router/gateway, I do not expect any interesting servcies to be running here. But let us make sure
|
|
|
|
|
|
|
|
As probably expected, our gateway is responding to DNS requests, upnp, and has web interfaces open on http/s.
|
|
|
|
Using ssh tunneling from 192.168.0.1:80 to localhost:8080, I can take a look at the web page on http. As shown, it prompts for a password, but is otherwise unremkable. When looking at the page on https, it is also un-remarkable, and just says that https is not supported and to use http instead. (not shown)
|
|
|
|
|
|
|
|
I decided not to try any attacks against the router and will be moving on.
|
|
|
|
### Open ports and services on bookworm
|
|
Bookworm is running rtmp and sun-answerbook services. This is interesting. I will explore the rtmp stream later on
|
|
|
|
|
|
|
|
### Open ports and services on khadas
|
|
Upon scanning, the machine with MAC 70:F7:54:FF:1C:59 revealed its hostname as Khadas and has a port for ipp (printing) service open
|
|
|
|
ssh connection can be made to khadas with default credentials (root/khadas)
|
|
|
|
|
|
|
|
### Open ports and services on Raspberry Pi Trading (reterm-i)
|
|
The only interesting service running here is ssh. Moving on
|
|
|
|
|
|
|
|
### Access the RTMP(RTSP in assignment) stream
|
|
|
|
As shown above, I have discovered an rtmp network video stream on the bookworm device. My research shows the stream url likely consists of a format like rtmp://192.168.0.139:1935/${path}/${key}
|
|
I have tried various things to recover the stream url path and key. It seems like the path may be 'live', but I cannot figure out the key
|
|
* Guess random plausible stream keys or default keys common on raspberry pi cameras
|
|
* Try to see if the media stream is actually RTSP and not RTMP (it's on an rtmp port, but assignment suggests it should be rtsp)
|
|
* brute force stream keys with a bash script using ffmpeg and rockyou.txt
|
|
* poke around khadas (root and khadas user) to see any reference to rtmp streams
|
|
* perform de-auth attack and try to capture handshakes on 802.11 to see if I can get the datagrams (via wireshark) for any clients who many be streaming from the stream (which streams would include the path and key)
|
|
|
|
For now, this is as far as I have come
|
|
|
|
#### Screenshot - TODO
|
|
|
|
#### Camera make, model, brand, capacity, and manufacture date - TODO
|