PE File Reader

Pe File Reader [Opening .exe files to analyze the PE-header] Hello_Friend, and welcome to the 20's, Cybermonkeys! Let's start this decade by learning some stuff. Last year, we already took an in-depth look at Linux-binaries (aka ELF files) , now let's start messing around with it's infamous Windows-Counterpart (that also happens to be the xBox file format). Introduction The PE-file format is around for quite some time now, and while heavy optimizations took place, it hasn't really changed all that much since then. In fact, it is one of the most widely encountered file formats out in the wilds. Although there is technically a difference between PE32 files (32bit) and PE32+ files (64bit), we will ignore this fact for the sake of this blogpost. Some file extensions deriving from this format are: .acm   [ a Windows audio-codec] .ax    [MPEG-4 DVD format] .cpl   [dynamic link libraries for control panels] .dll   [dynamic link libraries] .drv   [ha
2

Jamming a wireless lan




Jamming wireless technology

[also called "deauthentication attack"]

Buenaz diaz, cybermonkeys.
Nearly every device nowadays is using some form of 802.11 wireless technology.
This is awesome from a user's pov; This is nuts from a droid's pov.
The w-lan technology is pretty easy to bust once you understood how it worx.
If you target a normie or a static device (A video camera for example),
there should be no big deal. The victim will experiance a strange witchcraft and looses all wireless connections.
On the other hand: The attack is visible from a wide range. Packages floating the aether are a clear sign for a classical DOS-attack for those who are able to see. So it would be good practice to mask yourself good enough.
If you happen to have little knowlege about this kind of shit, check the Toolz section and look around for macchanger. Also, do not blindly copy these commands since some parameters may vary on every device, especially the name of the monitoring device set up with airmon-ng.

Attack vectors

When working as intended, clients connected to an access point will send a special frame to the access point when they want to end the connection, and the access point will send a special frame to each device that is disconnected from the network before deleting it from it's connection list. By imitating the access point, we can spoof this frame and inject it into the network's flux data.
We can even broadcast this frame to every device connected to the specific network. After the device gets disconnected, it will immediately try to reconnect, so we keep on bursting these frames, thus we are causing a Denial-of-service event. If we perform this attack automaticly, we can forge a mighty weapon. For example, we can create an agent that waits for a specifig device to appear in the network (for example an annoying neighbour), and start attacking it.

Preparations


We need to set up some stuff before we can have fun, but it is not too hard.
First, request a new mac address so secops and spiders won't have any hard proof against you.
Also, you will have to set up your wlan device, to be specific you must start airmon-ng to set your device into monitoring mode. First, use the check-kill command to kill every process that collides with the aircrack suite.

Macchanger will come handy here, but you will have to set your wlan device down first.
Check out the pic, you can track the commands in the console window there.

Here are all commands:



//set up airmon-ng
airmon-ng check kill
iwconfig 
//find name of your device, mine is "wlan0"
airmon-ng start wlan0
//monitor mode active, name should change to "wlan0mon"

//get a fresh mac address
ifconfig wlan0mon down
macchanger -a wlan0mon
ifconfig wlan0mon up

//all set up

Try writing a shellscript that does this setup for you, so you can act swiftly.
Also, depending on your account, you might need to sudo these commands.

Finding a target

Next, we need to find a target for our attack.
We are doing this with the program airodump-ng. As you can see in the picture, you can find a big chunk of information, therefore it is a good practice to narrow down which network you want to scan.

You can do this with the following command:



;insert the name and mac address of your monitoring device
airodump-ng --bssid XX:XX:XX:XX:XX:XX wlan0mon
In the upper table you can find the names of all access points in the area, the lower table shows connected stations. Do not confuse stations with access points, as the name suggests.

Some interesting fields:
  • BSSID: Mac address of this access point, important information for targeting
  • PWR: connection power, you can assume how far away a device is, or even locate it if you have another scanning device
  • Beacons: Number of beacons received from the device. A device may choose not to send beacons, in this case it is a hidden device (more below)
  • Data: number of real payloads going over this access point. The more clients are connected, the faster this number will increase
  • Enc: Encryption type of the access point. Not important in this scenario, but this is without doubt a real important data field
  • Auth: Authentification type of this network
  • ESSID: The name that is broadcast to represent this network
Lower part:
  • BSSID: Mac address of the access point this client is connected to
  • Station: Mac address of the client
  • Probe: Might show the name of the device, or it's username

It is also possible to use the program Kismet to monitor the devices around you, but I never really used it since I am familiar with the aircrack suite. But nevertheless Kismet is a usefull tool that even shows some more information about the devices.

If the access point chose not to send any beacons (stealth mode), there are two things you can do to discover them, where the first one is active and fast, but not very stealthy. The second one requires time, but you cannot be detected.

For both methods, start a monitoring device, bring up wireshark, and set up following filter:
wlan.fc.type_subtype==0x05

 The stealth technique requires only waiting from now on. The filter tells wireshark only to show probe responds frames, which are part of the connection protocol set by the IEEE.
[picture not related]
Now we lurk. Eventually, a client would connect to the network and you can grab the information about the access point under IEEE 802.11 wireless LAN management frame.
For active discovery, you will have to engage this attack against a device in the hidden network and monitor the respond frame when the device auto-reconnects after deauthentication.


Start the attack


Although you do not really need to do so, it would be a good practise to set the WNIC of the attacking mashine to the same channel the target is on. For future attacks you can skip this step, but for now at least try it one time since it might come in handy if you script this attack to automaticly attack different targets.


ifconfig wlan0mon down
iwconfig wlan0mon channel 1
ifconfig wlan0mon up

For the actual attack we will be using the program aireplay-ng from the aircrack suite.
You can either broadcast the attack frames to every device associated with the access point, or target a specific device. Aireplay will send a fixed number of frames, or infinite frames, depending on your goals. If you want to sniff wpa2 keys or try to locate hidden networks, consider sending only 2-3 deauthentication frames so an intrusion detection system won't bust your ass or automaticly swaps the channel.

To broadcast the deauthentication frames, try


aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX wlan0mon

Parameters:
  • 0: deauthentication mode
  • 10: send x frames (here 10), if you leave the parameter blank, aireplay will keep sending deathentication frames forever 
  • a: mac address of the access point we are attacking
  • wlan0mon: name of your interface device
To target a specific device in the network, use

aireplay-ng -0 10 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0mon

Obviously, the c parameter is for the target client. If you want to target more than one, but not all clients, consider writing a shellscript.

Here is a picture of how the attack looks like if it is successful:


As already stated, your frames will be seen from space, depending on your attack you can vary the rate of packet burst. For example, somebody playing online games would have a bad ping if you sent a deauth frame every 30 ms, for example.

That's it, cybermonkeys. If you liked this post, leave me a holler.

War does not determine who is right...
...only who is left.

- numb.3rs

Comments

Post a Comment