HackTheBox – Wifinetic



00:00 – Introduction
01:00 – Start of nmap
02:00 – Using wget to download all files from FTP then examining files, taking notes of the usernames
05:00 – Taking a look at the backup, discovering a password in the wireless config
06:45 – Using CrackMapExec to spray SSH with our password and getting a success with netadmin
09:15 – Running LinPeas to discover Reaver has the capability cap_net_raw
13:15 – Explaining why Reaver has this capability is interesting
14:40 – Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password
15:30 – Start of building a bash script to spray a single password across valid users with su
22:00 – Converting our script into a Bash function so it's easier to run without touching disk
24:55 – Talking about WPS and how this exploit worked
25:30 – The first vulnerability in the WPS Pin, the eighth digit is just a checksum
28:30 – The second flaw in WPS: the PIN is split in half, and if the first four digits are wrong the responses tell you. This reduces the number of possibilities from 10^7 to 10^4 + 10^3.
30:00 – Showing the WSC Nack gets sent after Message 4 if the first four digits of the PIN are wrong
31:15 – Changing the PIN and playing more with Reaver to showcase how Reaver works.
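
The two WPS PIN flaws covered from 25:30 to 30:00, worked through as an added example that is not taken from the video: the eighth digit is computed from the first seven, and checking each half separately caps the search at 10^4 + 10^3 guesses. The class and function names are made up for illustration, the PINs are constructed, and the model runs fully offline and assumes each half is accepted or rejected on its own.

```python
def wps_checksum(first7: int) -> int:
    """Checksum digit derived from the first seven PIN digits (weights 3,1,3,1,...)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if pin is eight digits and the last digit matches the checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class ModelPinCheck:
    """Offline stand-in for split validation (hypothetical, not a real AP)."""

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("PIN fails the checksum")
        self._first, self._second = pin[:4], pin[4:]

    def first_half_ok(self, guess: str) -> bool:
        return guess == self._first

    def second_half_ok(self, guess: str) -> bool:
        return guess == self._second


def guesses_needed(check: ModelPinCheck) -> int:
    """Count sequential guesses until both halves are confirmed by the model."""
    count = 0
    for a in range(10**4):            # first half: at most 10^4 guesses
        count += 1
        if check.first_half_ok(f"{a:04d}"):
            break
    for b in range(10**3):            # second half: only 3 free digits
        count += 1
        tail = f"{b:03d}" + str(wps_checksum(int(f"{a:04d}{b:03d}")))
        if check.second_half_ok(tail):
            break
    return count


WORST_CASE_SPLIT = 10**4 + 10**3      # 11,000 with the split check
WORST_CASE_WHOLE = 10**7              # 10,000,000 if the PIN were checked whole
```

Because the bound is only 11,000 guesses whatever PIN is chosen, picking a different PIN does not help; disabling WPS PIN mode on the access point removes this exposure.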
