what's going on YouTube this is episode we're doing Wi-Fi network from hack the box which has a technology I've never seen before used in a VM and that is Wi-Fi and that's not to say I haven't seen someone hook up a wireless dongle pass it to the VM and get Wi-Fi this actually has full Hardware simulation so it has a Wi-Fi network built into this box with no Hardware component which is pretty cool especially because the root step involves attacking WPS which is Wi-Fi protected setup it's also something I didn't have much familiar in with that before this box I always thought that you just entered the pin and it magically lets you on the network for some reason I didn't think you entered the pin and sent you the wireless pre-shared key back for you to then log in so we'll go do that and then we're going to spend a lot of time in the Beyond route showing a fun tactic for creating a password spray program for Su along with explaining exactly how WPS works and its flaws because if you ever see WPS enabled you should always disable it it's a horrible service so with that being said let's jump in as always we start off with an end map so Dash SC for default scripts as V enumerate versions OA I'll put all formats put in the nmap directory and call it Wi-Fi network then the IP address of 1010 11.247 this can take some time to run so I've already ran it looking at the results we have three ports open I know that right away because we scan 1000 and there's 997 that are closed the first Port is FTP on Port 21 and its version tells us its vsftpd version 303 and I know this version is not vulnerable just because I've looked it up 100 times but Anonymous FTP login is allowed and we have a list of files that are on the web server all uploaded July 31st we also have SSH on the box it is listening on Port 22 and a Ubuntu server then we also have Port 53 which just says open it's TCP wrapped chances are this is going to be um a DNS server but let's go take a look at the FTP server and to download all those files I'm going to use wget just because it has a recursive option and lets me download everything at once so FTB 10 10 11 127 or 247 and we see it logs in and then it's going to go ahead and download everything if we go up I should move the actual directory into the FTP and the reason why I created the FTP directory is just to stay organized so I know these files came from FTP then we have a tar archive which probably we should unarchive and look at it but first i'm going to look at all the PDFs and the txt file I'm going to look at DOT txt first and if we do it it looks like it has a road map of something right I don't want to read all this we can see something like open wrt which is a open source wireless router and a lot of things about testing Wi-Fi we also have a bunch of PDFs the first thing I like doing on PDFs is running exif tool against them this is going to look at the metadata and potentially we can get some authors or how these were created we can see it is a Google Docs renderer and then the title is Wi-Fi network documentation on Project open wrt.pdf and look at them all it doesn't look like any interesting data is in the um metadata but let's go and actually open up some of those PDFs I think I could just run their open Command right I don't have to go to a file browser I can do open and then we can see this PDF there is a potential username Samantha wood93 and glancing over this nothing of that really seemed too interesting it's just about um well-being of employees but I'm going to start creating a user's list and I should have called like users.txt so we have a list of valid usernames we can also look at project Great Migration and this is just a blank presentation there's a potentially a email info at wifinetic.htb and some Social Media stuff that doesn't work then let's go to Project open wrt.pdf and we have a distribution list the manager and that's talking about migrating to a new wi-fi system but we also have a another username so I'm going to add that to my documentation so now let's go take a look at this tar archive I'm going to make a directory called backup and let's go in it and then do tar xvf on the archive and there's only an Etsy directory so let's go into Etsy and let's see this looks like it's just Etsy of a Linux system we have like group um pass WD and there is a user called net admin this is a non-default user so I'm also going to add net admin into users.txt and let's see there is drop bear and drop bear is a SSH server that I see on just like a lot of iot devices or just um random devices they don't use sshd they use drop bear for whatever reason um let's see there is shells it is using bin Ash let's see let's go into config there's always good things in config and based upon it saying nft tables I'm assuming this is like um a BSD server right because um Linux uses iptables BSD uses NF tables um I think that's Network filter tables there's a DHCP nothing too interesting there there is a drop bear config we can see open port 22 drop bear doesn't really interest me that much because the nmap scan if we looked at it um has let's see where is it it's using openssh so this is sshd it would say drop bear here if it was a drop bear server um look at firewall looks like a basic firewall um Wireless is interesting and we have a potential password very unique Wi-Fi password one so what I'm going to do is spray all my current users with this password and the only login portal we have right now is SSH so I'll do crack map exec SSH 10 10 11 247 Dash U users dot text Dash p input in this password if I was just guessing um I would probably try just net admin first because um the network admin likely is setting up this wi-fi information right and we can see net admin can log in and he has shell access to this box so let's do SSH net admin at 10 10 11 247. paste in that password and we get logged in so the first thing I always like looking at is just what's in my home directory so I'm gonna do a fine dot dash type f doesn't look like there's any interesting files the next thing I want to look at is if I'm in like a container or something I can do an lsla on slash everything looks like a standard um Linux directory listing we could also look at IPA and look at e0 and this is the IP address I SSH too so there's nothing funny with like Nat going on right sh to one IP and land into a another one the interesting thing though is I see a bunch of Wireless interfaces we have wlan01 and two and then HW Sim I'm guessing this is some Hardware symbolism simulation for all these Wireless Lans there's also Man Zero which is a monitor information or monitor interface it can't send packets but it can receive all the packets it's often used when you're doing like Aero dump or TCP dump to list all the things that going on in the wireless Spectrum so looking at this both these Wireless interfaces are on the same network adapter my first bet is I want to look at what's listening to see if there's any unique Services listening on one of the wireless networks and nothing interesting at all these are all the ports that we had seen so I'm gonna go and run Lin piece so let's make dirt dub dub dub go in that and I'm going to copy opt P's lint peas over here let's stop a web server so http.server and then we can curl 10 10 14 8 Port 8000 Lin P's dot sh we forgot to pipe it over to bash so this is going to take a little bit of time to run probably about two to three minutes so I'm going to pause the video and we will resume when this is done okay so Lynn peas has finished let's go look at the results and let's see it's talking about system information I'm just glancing over whenever I see new titles or when I see a lot of red right there's a lot of information in lint piece that's just not interesting and whenever it says a kernel exploit I typically ignore these onto the very last thing because they are unreliable and also checking it isn't the most reliable I know it's not vulnerable to this whole set uid screen thing it's just um not a reliable tool right so that's always going to be the last always look at all the Recon before you go jumping down a rabbit hole unless you're a hundred percent positive so here it's listing a bunch of processes and this is an interesting thing that I didn't know Lynn peas did it must be one of the newer features when you have a process that has a special capability it is listing it out here so this is a bit better than just running like PS on a thing right it's doing that type of check um let's see binary process parent process IDs we can see that um process 8566 with parent ID is ran by user net admin but the parent process is root so I kind of want to look at what this process is let's see um the notes let's just do process this because that could be something um root is starting a process that then gets owned by net admin Let's see we have um no credentials in memory of course because we're not root we can't even look at that system d-path dot service files nothing interesting there system timers these all look like they're default ones socket files this all is a lot of noise to me just because if I saw it I don't know how to exploit it right away so that goes on the back burner just like um kernel exploits right pgp Keys PK exec super users users with the console there's definitely a lot of users one user root we have net admin the purple one is us ERS and groups login last login login each user useful software that's on the box so we have netcat lxc we should check if we're a member of the lxc group I don't believe I did that but I think it would have stood out earlier on in this limp piece thing if we were then we can pretty invest that way through the lxc um rsync host APD file so it found um this but this is in the example so it's probably not going to have any good information with it nothing ldap we do have root login is permitted in SSH which is interesting we have the SSH config let's see Pam file tmux it's looking at FTP files nothing interesting there there is a lot of things that limpi's checks files with interesting permissions this is going to be like set uid files all these look like they are standards or nothing interesting there same with all the um set GID files LOD so looks normal this is going to be capabilities and the first file I see with a unique capability is Reaver and this is a wireless attack tool so this one definitely stands out I'm going to stop looking at things because this is extremely extremely odd Reaver has capnet Raw which means it has full access over the network sockets so if we look at Reaver let's see what is its description it is a specific tool to attack WPS which should be disabled in all routers just because it has so many various vulnerabilities um we need to specify the interface and the BSS ID of the target access point so what I'm going to do is a IW I'm going to hit tab to look at all the wireless things and I think it's IW list it is and we can do IW list scan and what this is going to do is scan for Wi-Fi networks and it's going to get um the open wrt network and its bssid which is just O2 and the rest hose so now we can run Reaver so if we run Reverb we specify the monitor interface we know is mon zero based upon just the IP address information so we can do revert Dash I mon zero and what was the other thing we needed the bs's ID with the dash B and when we run it let's see I did not say zero I just said mon retrieve Beacon and it got the WPS pin and got the pre-shared key which is the WPA2 password for this network um we could very try various users to see if another password spray right so if I cat Etsy pass WD we have lots of users that it could go to we could just try root first and we get lucky and we got root and that is the box but we're not going to stop there because this video has been really short um let's go much deeper and look at this so the first thing I want to look at is let's look at password spring and build something that's a little bit better than just spraying and then I'm going to look into exactly how that whole WPS attack worked right so we had a lot of users on this box um we got lucky and just got root right away but how would we spray the same password across all these users so we can create a quick bash script for that so I'm just going to do VI and then I'm going to call this bray.sh and the first thing we want to do is build a list of all the users right and we can just do users is equal to cat Etsy pass WD then all field separator colon print one we could do that um but that's not exactly elegant right because if we just run this command is going to get a ton of users in reality we just want the users that end with um or that the past wde line ends in sh because those can be the ones with a shell if we get rid of the awk you can see there's users on my system uh postgres has been bash ipsec and root all the shells really always end in sh there's like ash there's sh there's Dash there's bash so ending aligned in sh is relatively safe for finding active users on the box um I still don't like this just because we're going to use cat we're going to use grep and we're going to use awk we could do this all in one command so awk does have a um thing called NF which is going to be the very last field and I think if we say sh like this when you do this slash whatever that's going to be reg X and Etsy pass WD um let's see that did not work how do I do this do I have to do it in single quotes yeah single quotes um we can do the same thing as our grab so we got rid of both cat and grep but now we want to only get the first field so I'm going to do awk Dash F colon so that's gonna be the field separator colon and then we're going to use if NF which is the very last field is somewhat equal to sh there's going to be like a regular expression and then print one which is going to be the first um field if we do that on Etsy pass WD we get error because we did not close out the squiggly bracket so now we're just doing all this with one command or one binary which is a bit less noisy if someone's looking at um command out like what binaries I ran on a computer also maybe that stands out because if someone's looking at all the processes ran on a box um no administrator is probably going to type this command unless they're super familiar with awk they're probably gonna do all those pipes so maybe the pipes doesn't stand out as much but I like just using one binary when I can because maybe I don't have access to grep for whatever reason right um so now let's do four user in users so we're going to Loop through every user and then all we want to do is Echo the password so I'm going to do dollar one which is going to be the very first CIS ARG V so when we execute the script um we're gonna give it one argument and that's going to be that I'm going to say a timeout of two seconds so if this next command takes more than two seconds to run stop we're going to do an SU on the user and then a dash C who am I and then pipe the output to devno or pipe errors to devnol and then done I think that's all we have to do so if I move this bray.sh over to the Box so let's just call this V spray.sh put this in and let's see what was the password do we have it still easily uh there we go what is real and what is not with some numbers so now if I run spray.sh with the thing it immediately says root because that is the first account on the box and that's the valid password and that's going to keep trying all the other users and it doesn't get anything we can control Z and psef graph spray uh kill four three seven nine or four three six seven nine do we still have it running maybe Dash nine there we go now it's killed so let's improve this a little bit um we could look at all the return codes right so if I um let's do its on the SSH thing let's do V spray if we just Echo um let's see we'll do user and then dollar question mark this is going to be the exit code of the last command and now I'm going to run that spray again and we see root zero net admin 124 which is an error S Johnson 88 error error so zero was success so we can see it trying all the users so let's do a kill-943809 to make sure that's dead and what I want to do now is say if The Last Exit code is equal to zero then we could exit and now we'll end the script right but what I'm actually going to do is say return and we're going to make this into a function so I'm going to highlight everything and we're going to call this do spray and I forgot to indent this and then this could be do spray one like that and the whole reason I like doing it this way is we could both copy the script so if I just copy this we move it over I need a set paste there we go we can do bash spray.sh put in the password and it will work which uh it won't because typos if let's see how do I screw this up do I need a space after this there we go so immediately we get root and it exits because we got a valid user but what if I didn't want to touch disk let's fix it on my computer since this is a bash function let's see let's just RM spray.sh we can cat spray we could just grab this function and then paste it in here and now I have a do spray command and I can paste this and that just added the bash command to spray users so we didn't have to touch disk at all and the whole reason I did this all in bash I probably should have said it earlier is lack of dependencies we could upload a program called um Su crack we've done it in a previous video but that's a c program sometimes you compile in your box you upload it and then it doesn't work right so the whole reason I did this in bash is just there's no dependencies so with that being said I realized I wanted to look at what process 8469 was real quick and that's just sshd so that's why that makes sense when you're in Lin piece it said there was a process owned by net admin that had a parent process ID of root and looking at it we can see it's because I came from SSH because the SSH service is root I logged in it downgrades me to net admin and gives me a shell so now let's finish this video off by talking about WPS um if you wanted to look at that spray script I'm going to put it on my GitHub somewhere but there it is for you if you want to copy it so let's run that Reaver command again because a lot of magic happened be under the hood that I didn't explain I don't even think I explained what WPS was which is just a old technology to authenticate to wireless networks um it was created I think in 2013 there were a few forms of it like a push button you may see like a WPS button on your router you push it and then it enables it there's this that just stays active there's near field communication that use different Wireless protocols like um RFID there was USB it was a large protocol but a lot of old routers just enabled it by default and it had a lot of security vulnerabilities in it that were very questionable um if this was just a eight digit PIN that had proper timeouts it wouldn't be that bad especially if that pin rolled every hour or so and you couldn't just Brute Force the whole key space but there were two big flaws to this technology the first one is it's not really an eight digit PIN this last digit is just to checksum um I think the whole purpose of it was a user types this and then it tells them they typed it wrong they made a typo and they'd even have to send the request to the router because it has a built-in check some kind of like the Lun algorithm of credit cards and when I first try to figure out this checksum I asked chat GPT and it was wrong um it's just saying essentially add all the previous numbers and then mod 10 right so if we did that so we got one now it becomes three because we added 2 6 10 15 21 28 mod 10 would be eight or what it was saying was actually um minus I'm trying to get my browser back on screen it doesn't look like it works but it was saying 10 minus that um pin calculation mod 10. so essentially this would be um two because it would be eight mod 10. and that's wrong I went in actually Googled a lot of things Googled a WPS generator if we just Google let's see if I open up Firefox see if it loads for me we could Google it but essentially you have to multiply every other digit by three and then do that and that's what um chat gbt was missing so if you Google like WPS generator python there's this and we could run it let's just grab this V notes um whoops okay so we want to calculate it I'm just going to multiply every other one by three so that'd be three two nine four times three is twelve but I'm going to mod 10 it because every 10 doesn't matter so I'm just going to put 2. then Let's see we multiply no multiply oh actually wasn't supposed to multiply that one uh 3 times 5 is 15 but again I'm going to drop the 10 off of it then 6 and then 3 times 7 is 21. so now let's do this so we got 3 plus 2 that's going to be five then plus 9 we're at 14 18 23 29 0. so that works so that is exactly how the WPS generator worked but that is not the only fault going from eight digits to seven digits isn't a killer flaw it also suffers from what Microsoft did with LM hashes not ntlm the precursor to that which was just land man and it's actually split up into two so how this works is you only need to note the first four in order to validate this is correct and then you just need to know the last three so instead of doing like 10 to the eighth it is 10 to the fourth plus ten to the third which is in like tremendously lower amount of hashes and we can prove that Reaver is doing this by if we just run Reaver and add Dash VV we'll see all the messages and that's where M1 M2 M3 and all these stuff comes into play um this is kind of like a Diffie helmet exchange getting like perfect forward secrecy working and then M4 this is the message that we're sending with one two three four if this sends a knack back then it's wrong if it just keeps going then it's correct so this one hash only is the first four digits if I specify let's see I think there's a way to specify a pin right um Dash p um one two three four five six seven zero is the first pen that river ever chooses so let's get this wrong let's do four three two one then five six seven zero and we see let's see oh um oh there we go so we went to message four we got a knack back so we know one two three four is wrong all right four three two one is wrong um if we do one two three four five six let's do eight zero see what happens here and we see it goes past message four and goes to message five and then message six this is the one we're sending this second half of the password and it says it is wrong so that is exactly how this tool Works um Reverb by default always chooses one two three four five six seven zero first um so if we wanted to we could go Etsy um wpsupplicant.com and permission denied let's actually get the root password again one two three four five six seven zero is the PIN let's escalate to root so we can change exactly how this is working and get a different pin so set that up CD Etsy WPA supplicant uh it's wfacelkit.com let's see how is this generating pin let's just grep Dash rwps and it is oh running this tool use a local bin WPS check so let's cut this and let's see there we go so here's the pin one two three four five six seven zero so I'm going to change this to one two three five and then we'll do one two three so one two three five one two three okay and the checksum is definitely going to change so let's see this becomes let's just type it out real quick I probably should grab this tool WPS pen I easily just run this I have to run the program that's not the one I was looking for but let's just calculate manually uh one two three five one two three so this becomes three two six four three two nine so three plus two is five eleven fifteen eighteen 29 and then um that'd be 9 mod 10 which is one so this pin should just be one or the checksum as long as we did that correctly okay and let's see that was inner service right we can probably do service WPS check restart okay let's run that same Reaver command and see if this fails okay it did fail sweet so we have successfully changed the PIN and we can see it doing the Brute Force and it got rate limiting so it's going to wait a minute but we can see it went with let's see trying pin one two three four five six seven zero now it tried all zeros one two three uh zero one two three and then the next pin it tries is I don't know because it has to wait a minute let's um set the PIN to be four zeros first so we can see this one work so let's do another SU I have to get the password and after this we'll wrap the video to make sure everything works hopefully you enjoyed this Beyond root segment but yeah um SU Dash put this in the user local bin WPS check it was and it we want to do four zeros and now this becomes easier to check the um pen zero one two three four one two three so this is zero zero zero so the first four zeros and then we multiply by three two nine there we go so that is three plus two is six three plus two is five plus nine is fourteen so the pen is going to be six uh let's see six six and why they multiplied every other character by three I have no idea that's right right one two three six three two nine yeah that looks fine then service restart WPS check was that the service restart oh I always think I was typing system CTL there we go so now when we run Reaver see we did not get the pen but we can see it definitely changed Logics so the first one one two three four five six seven zero it got The Knack oh I guess it failed diffie-hellman or something here so now it tries it we get to M4 we get the Knack so one two three four okay and then it tries zero zero zero five six seven eight remember our pin started with four zeros we didn't get past message four here so this message we get past four get five get to six the second half of the password is wrong so now it's going to try again with four zeros and then we still get to six and then we get rate limiting so the next one again it's going to again try to brute force with four zeros and then we'll see what the next four are so I'm just going to speed up oh I don't have to speed up the video but you can see the Reaver tool is very confident that the first four are correct because it progressed past M4 and it's just trying to brute force that last three and I say three not four because again that last digit is a checksum um so I could do three times three is nine so it's going to be nine plus three which is 12. right yeah nine plus three is twelve plus nine is 21. which one mod 10 would be nine so that's why I was calculating that last number so hopefully that makes sense and you've enjoyed everything take care guys and I will see you all next time