Sword Shadow Series #8: WiFi security testing with hardware

Posted by chiappelli at 2020-02-24

This article covers two things: the WiFi deauther, and WiFi phishing.

Hardware: an ESP8266 WiFi module. There are plenty of sellers online; the kind used here comes on a backplane with a micro USB interface.

WiFi deauther

Scan WiFi devices, block selected connections, create dozens of networks and confuse WiFi scanners!

Github:https://github.com/spacehuhn/esp8266_deauther

First you need to download what you are going to flash (the prebuilt firmware or the source code).

Release page: the Releases page of the esp8266_deauther repository on GitHub (linked above).

You can flash the prebuilt image with the NodeMCU flasher, or compile and upload with the Arduino IDE. I will demonstrate both methods.

NodeMCU Github:https://github.com/nodemcu/nodemcu-flasher

There are 32-bit and 64-bit builds, both for Windows.

Then connect the ESP8266 with a data cable and check which port it appears on.

Take Windows 7 as an example: right-click Computer, select Manage, open Device Manager, expand Ports, and you will see the port the ESP8266 is connected to.

Mine is COM3 here, but your port may be a different one.

If you only see COM1 and no port for the ESP8266, you are missing the driver and must install it. If the driver is installed and the port still does not show up, try a different cable: some cables, especially the ones bundled with phones, only carry power and have no data lines.

Which driver to install depends on the USB-serial chip on your board.

Common chips: CH340 and CP2102. Look at your ESP8266: generally the CH340 is rectangular and the CP2102 is square. The chip name is also printed on the package, so you can check it yourself.

(CH340)

(CP2102)

The CH340 is the more common of the two.

Download page: https://sparks.gogo.co.nz/ch340.html

If you download the CH340 driver, pay attention to the notes on that page.

If you are a Mac user on OSX Sierra (10.12), take care when installing. If you install the driver offered directly by that page instead of the user-contributed one, the Mac will kernel panic as soon as you plug in the ESP8266. The fix is to delete the driver.

Open the terminal and enter: cd /Library/Extensions/

Verify that the .kext file exists: ls | grep usbserial.kext

The output should be: usbserial.kext

Then enter: sudo rm -r usbserial.kext

Verify that the .kext file has been deleted: ls | grep usbserial.kext

The output should be empty.

Next, delete the files stored in the receipts folder: cd /private/var/db/receipts/

Find the entries: ls | grep usbserial

The output should be: codebender.cc.ch34xinstaller.usbserial.pkg.bom and codebender.cc.ch34xinstaller.usbserial.pkg.plist

Delete each file in the list above: sudo rm -r filename

Then restart to clear the crash, and install the user-contributed driver instead. The original author says he has not tested the user-contributed driver himself, but I did, and the result is that you can connect. However, if you are a student whose campus Internet runs over the Telecom signal with the chuangfi client software, this driver will give you a headache: every so often, sometimes after a few seconds and sometimes after tens of seconds, the connection drops and you have to reconnect, which is very annoying. The fix is the same as above: delete the newly installed driver. Because of these compatibility problems, you can install a virtual machine if necessary; on the Mac I use a Windows system installed in VMware Fusion.

OK, if the board is connected, carry on. If not, check the steps above again.

Open the NodeMCU flasher, select the COM3 port under Operation, click Config, and click the gear icon to load the firmware you just downloaded.

Leave the 0x00000 offset next to it unchanged, then click Advanced, set Baudrate to 9600 and Flash size to 1MByte.

Q: Why set the baud rate to 9600?

A: Look at the back of your ESP8266; it is printed there.

The .bin I downloaded is the 1 MByte build, so I set the flash size to 1MByte. Then go back to Operation and click Flash. Flashing is a little slow; you can watch the progress bar in the software and the ESP8266 blinking constantly.

When flashing finishes, a green check mark appears in the lower left corner, which means it succeeded.
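Before pointing the flasher at a downloaded image it is worth checking that the file is what you expect. The script below is an added example, not code from the article or from the deauther project: it checks the ESP image magic byte, works out which flash-size setting the image needs (the article's reasoning for picking 1MByte), and compares the file's SHA-256 with a digest you recorded from a source you trust. The sample images, the expected digest and the flash-size labels are constructed assumptions.

```python
"""Pre-flash sanity checks for an ESP8266 firmware image (added example).

Checks that a .bin really is an ESP image (first byte 0xE9), that it fits the
flash size the flasher will be configured with, and that its SHA-256 matches a
digest recorded from a trusted source. Sample images are constructed inline.
"""
import hashlib

ESP_IMAGE_MAGIC = 0xE9   # first byte of every ESP8266/ESP32 firmware image
# Labels assumed for this example; they mirror the flasher's flash-size choices.
FLASH_SIZES = {"512KB": 512 * 1024, "1MB": 1024 * 1024, "4MB": 4 * 1024 * 1024}


def smallest_flash_size(image_len):
    """Return the label of the smallest flash size the image fits in, or None."""
    for label, size in sorted(FLASH_SIZES.items(), key=lambda kv: kv[1]):
        if image_len <= size:
            return label
    return None


def check_image(image, flash_size, expected_sha256=None):
    """Return a list of problems; an empty list means the image is safe to flash."""
    problems = []
    if not image or image[0] != ESP_IMAGE_MAGIC:
        problems.append("not an ESP image: first byte is not 0xE9")
    if flash_size not in FLASH_SIZES:
        problems.append(f"unknown flash size {flash_size!r}")
    elif len(image) > FLASH_SIZES[flash_size]:
        problems.append(f"image ({len(image)} bytes) does not fit in {flash_size}; "
                        f"needs at least {smallest_flash_size(len(image))}")
    if expected_sha256 is not None:
        digest = hashlib.sha256(image).hexdigest()
        if digest != expected_sha256.lower():
            problems.append("sha256 mismatch: expected " + expected_sha256 + ", got " + digest)
    return problems


# Constructed sample images: a 600 KB image with a valid magic byte, and the
# same bytes with the magic byte corrupted.
GOOD_IMAGE = bytes([ESP_IMAGE_MAGIC]) + b"\x00" * (600 * 1024)
BAD_MAGIC_IMAGE = b"\x00" + GOOD_IMAGE[1:]
# Stand-in for the digest you would record from the release you trust.
GOOD_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()

if __name__ == "__main__":
    print("flash size needed:", smallest_flash_size(len(GOOD_IMAGE)))
    print("problems:", check_image(GOOD_IMAGE, "1MB", GOOD_SHA256))
    print("problems:", check_image(BAD_MAGIC_IMAGE, "512KB"))
```

Run it against the real .bin by reading the file into GOOD_IMAGE's place and passing the digest you noted down; flash only when the returned list is empty.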

Now reconnect the ESP8266.

You will see a WiFi network named pwned in your WiFi list. This is the network created by the firmware we just flashed. The password is: deauther

Connect your computer to it.

Enter the address 192.168.4.1 in a browser and you will see the program's web interface.

Author's note: warning

The project is a proof of concept for testing and educational purposes. Neither the esp8266 nor its SDK was designed or built for this purpose. There may be errors!

Only for your own networks and devices!

It uses valid Wi-Fi frames as described in IEEE 802.11 and does not block or interrupt any frequency. Before using it, please check the laws and regulations of your country.

Please do not call this project a "jammer"; that completely misrepresents the real purpose of this project! If you do, it only proves that you don't understand what this project represents. Publishing content about it without a proper explanation shows that you only publish for hits, fame and/or money, and do not respect intellectual property, the community behind it, or the push for better WiFi standards.

This is also what I want to say. I wrote this article only to share the knowledge and the pitfalls I ran into while building this, not to teach you how to attack others. It is important to use knowledge well.

I downloaded the latest version. Many online tutorials cover earlier versions; some of those had a Chinese interface and some did not, but the latest version already supports Chinese.

From the author's update notes:

Supported web interface languages:

cn Chinese

cs Czech

de German

en English

fr French

it Italian

ro Romanian

ru Russian

tlh Klingon

Note that the 512KB version does not include the MAC vendor list, and only the English web interface file.

How to set the language?

Go to Settings, find the Lang option, change en to cn, then scroll down and click Save.

The interface is now in Chinese.

When you click Scan APs, you need to click Reload to see the scan results.

Then tick the checkbox next to a network and click Attack to launch the deauthentication attack.

What is a deauthentication attack?

A deauthentication flood attack (usually just called a deauth attack) is a form of denial-of-service attack on wireless networks. It aims to push a client into the disassociated/unauthenticated state by spoofing deauthentication frames, apparently from the AP, to the client's unicast address.

Another thing that separates the deauther from a jammer: under SSIDs it can forge a large number of WiFi networks, with either random or fixed names.

Then go to Attack, choose Beacon (the second option), and check your WiFi list: you will see the many decoy networks you just forged.

Summary of the functions

DEAUTH

Disconnects WiFi devices by sending deauthentication frames to the access points and client devices you select.

This only works because many devices do not implement the 802.11w-2009 standard, which provides protection against this attack.

Please select only one target! When you select multiple targets that run on different channels, the attack will switch between those channels quickly, and you will not be able to reconnect to the access point that hosts this web interface.

BEACON

Beacon packets are used to advertise access points. By continuously sending beacon packets, it looks as if you have created new WiFi networks.

You can specify the network names under SSIDs.

PROBE

Client devices send probe requests to ask whether a known network is nearby.

Use this attack to confuse WiFi trackers by asking for the networks you specified in the SSID list.

Your home network is unlikely to be affected by this attack.

0x02 Compiling and uploading with the Arduino IDE

Download the Arduino IDE.

Then, in the zip you just downloaded, open the esp8266_deauther sketch. If this prompt appears:

Right-click, open Properties, change the "Open with" setting and select the Arduino IDE. If the software is in English, Ctrl + comma opens the preferences where it can be set to Chinese.

Then configure the Arduino IDE as follows.

You will find that you do not have a NodeMCU development board, so click File, select Preferences (Ctrl + comma), and add the following URLs under Additional Boards Manager URLs:

http://arduino.esp8266.com/stable/package_esp8266com_index.json

http://phpsecu.re/esp8266/package_deauther_index.json

Then click Tools -> Board -> Boards Manager. It will load for a while; then search for esp8266 and install it, and then also install:

arduino-esp8266-deauther

Note: install esp8266 version 2.0.0.

Then click Upload in the upper left corner. Uploading takes a little time, and the ESP8266 blinks continuously while it runs.

The lower left corner shows a message when the upload succeeds.

0x03 WiFi phishing

This source code came from a friend online, and flashing it went quite smoothly.

The effect is to drown out the original WiFi and put up a network that looks exactly the same; clicking the link takes you to a phishing page.

Once you enter the WiFi password, the cover is lifted and the original WiFi is back in front of you, but the attacker's backend has received what you just typed.
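The three behaviours this article describes (the deauthentication flood and beacon flood from the feature summary, and the look-alike network used for phishing) all show up in 802.11 management frames, which is where a defender can spot them. The monitor below is an added example, not code from the article or from the esp8266_deauther project: it parses raw management frames, then flags deauth floods, beacon floods, and beacons that advertise a known SSID from a BSSID you do not own. The frame builders, the sample capture, the MAC addresses, the SSID "HomeNet" and the thresholds are constructed assumptions.

```python
"""Passive 802.11 management-frame monitor (added example, not from the page).

Parses raw 802.11 management frames (no radiotap header) and flags deauth
floods, beacon floods and SSID look-alikes ("evil twins"). Frame layout per
IEEE 802.11: frame control (2), duration (2), addr1/addr2/addr3 (6 each),
sequence control (2), then the body. The sample capture is constructed inline.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0          # frame-control type field value for management frames
SUBTYPE_BEACON = 0x8
SUBTYPE_DEAUTH = 0xC
CAP_PRIVACY = 0x0010   # capability bit set when the AP requires a key
IE_SSID = 0
IE_RSN = 48
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(frame):
    """Decode a beacon or deauthentication frame into a dict; None otherwise."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc0 >> 4) & 0xF
    info = {"subtype": subtype, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype == SUBTYPE_DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack("<H", body[:2])[0]
        return info
    if subtype == SUBTYPE_BEACON and len(body) >= 12:
        # timestamp (8) + beacon interval (2) + capability (2), then tagged IEs
        info["capability"] = struct.unpack("<H", body[10:12])[0]
        info["ssid"], info["rsn"] = "", False
        pos = 12
        while pos + 2 <= len(body):
            tag, length = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + length]
            if tag == IE_SSID:
                info["ssid"] = value.decode("utf-8", "replace")
            elif tag == IE_RSN:
                info["rsn"] = True
            pos += 2 + length
        return info
    return None


def analyze(capture, known_aps, window=5.0, deauth_limit=20, beacon_limit=30):
    """capture: list of (seconds, frame_bytes) in time order.
    known_aps: {ssid: set of legitimate BSSIDs}. Returns sorted alert strings."""
    alerts = set()
    deauth_times = defaultdict(list)   # target BSSID -> timestamps in the window
    beacon_seen = []                   # (time, bssid) of beacons in the window
    for t, frame in capture:
        f = parse_mgmt(frame)
        if f is None:
            continue
        if f["subtype"] == SUBTYPE_DEAUTH:
            times = deauth_times[f["bssid"]]
            times.append(t)
            while t - times[0] > window:
                times.pop(0)
            if len(times) > deauth_limit:
                alerts.add(f"deauth flood against {f['bssid']} (>{deauth_limit} frames in {window}s)")
            continue
        beacon_seen.append((t, f["bssid"]))
        beacon_seen = [(ts, b) for ts, b in beacon_seen if t - ts <= window]
        if len({b for _, b in beacon_seen}) > beacon_limit:
            alerts.add(f"beacon flood (>{beacon_limit} distinct BSSIDs in {window}s)")
        legit = known_aps.get(f["ssid"])
        if legit is not None and f["bssid"] not in legit:
            security = "RSN" if f["rsn"] else ("WEP/unknown" if f["capability"] & CAP_PRIVACY else "open")
            alerts.add(f"evil twin: SSID {f['ssid']!r} from unknown BSSID {f['bssid']} ({security})")
    return sorted(alerts)


# ---- constructed sample capture (assumed addresses and names) ----
def _mgmt(subtype, da, sa, bssid, body):
    """Build a sample management frame; duration and sequence fields are zero."""
    return bytes([(subtype << 4) | (MGMT_TYPE << 2), 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def _beacon(bssid, ssid, protected):
    cap = CAP_PRIVACY if protected else 0
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap) + bytes([IE_SSID, len(ssid)]) + ssid.encode()
    if protected:
        body += bytes([IE_RSN, 2]) + b"\x01\x00"   # minimal RSN IE; only its presence matters here
    return _mgmt(SUBTYPE_BEACON, BROADCAST, bssid, bssid, body)


HOME_AP = bytes.fromhex("aabbcc000001")
LAPTOP = bytes.fromhex("112233445566")
KNOWN_APS = {"HomeNet": {mac_str(HOME_AP)}}

SAMPLE_CAPTURE = []
# 0-3 s: normal beacons from the real HomeNet AP
SAMPLE_CAPTURE += [(i * 0.1, _beacon(HOME_AP, "HomeNet", True)) for i in range(30)]
# 3-4 s: 25 deauthentication frames claiming to come from the AP, aimed at the laptop
SAMPLE_CAPTURE += [(3 + i * 0.04, _mgmt(SUBTYPE_DEAUTH, LAPTOP, HOME_AP, HOME_AP, struct.pack("<H", 7)))
                   for i in range(25)]
# 4-5 s: 40 beacons, each with a different BSSID and SSID (beacon flood)
SAMPLE_CAPTURE += [(4 + i * 0.02, _beacon(bytes([0x02, 0, 0, 0, 0, i]), f"Net-{i}", False)) for i in range(40)]
# 6 s: an open network reusing the HomeNet name from a BSSID we do not own
SAMPLE_CAPTURE.append((6.0, _beacon(bytes.fromhex("deadbeef0001"), "HomeNet", False)))

if __name__ == "__main__":
    for line in analyze(SAMPLE_CAPTURE, KNOWN_APS):
        print(line)
```

In practice the capture would come from a wireless card in monitor mode (a pcap with the radiotap header stripped), and known_aps from your own inventory of access points. Detection only tells you it is happening; as the feature summary notes, enabling 802.11w Protected Management Frames on the access point makes clients reject spoofed deauthentication frames outright (on hostapd-based APs that is the ieee80211w setting), and an open network carrying your SSID is the signature of the phishing setup described above.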

Download the flash tool.

Click the blank entry under the Download column to download it.

Firmware x599

Open the flash tool, select the first item, and set it up as in the figure. Note that the file row is not checked by default; you need to check it yourself. All green means everything is normal; if there is a red error, close and reopen the software and fill it in again.

After setting it up, click Start to begin flashing.

A completion message appears when it is done.

After a successful flash, a WiFi network named HH should appear.

If it does not, reconnect the ESP8266 or press RST on the board.

After the above is done, upload the web files.

Find the tools folder of the Arduino IDE and replace it with the tools folder from the source code.

Then open the Arduino IDE, create a new sketch and save it to a directory. Under Tools, click ESP8266 Sketch Data Upload; when prompted, choose No, and you will see the message: SPIFFS Warning: mkspiffs canceled.

Then look in the save directory, where a data directory has been created.

Put the phishing page source into this directory, and configure it as shown in the figure.

Then click Tools and select ESP8266 Sketch Data Upload.

Wait for the upload to finish; it reports that the upload succeeded.

When the ESP8266 stops blinking, the upload is complete.

Then disconnect from the ESP8266 again and connect to the HH WiFi. The password is: m1234567

Then visit http://192.168.1.1/backdoor.html

If the upload succeeded but the page is blank, set the esp8266 board package version to 2.3.0 and upload again. If it is still blank, press the RST button on the ESP8266.

After a victim enters a password, you need to reconnect and reopen the page to see the password that was entered.

If flashing fails or the board does not respond, try erasing the flash, or flash a blank .bin matching the flash size.

This is the first article I have written about hardware. As I have only just started with it, there will be some mistakes in the article; please correct them. I wrote this in the spirit of sharing and keeping a record. Everything in this article is only for knowledge discussion.

Article: Sword Shadow / First review: Akuma / Second review: VIGA