HackThebox - Wifinetic

00:00 - Introduction 01:00 - Start of nmap 02:00 - Using wget to download all files from FTP then examining files, taking notes of the usernames 05:00 - Taking a look at the backup, discovering a password in the wireless config 06:45 - Using CrackMapExec to spray SSH with our password and getting a success with netadmin 09:15 - Running LinPeas to discover Reaver has the capability cap_net_raw 13:15 - Explaining why Reaver has this capability is interesting 14:40 - Running Reaver to attempt to brute force the WPS Pin and getting the WPA PSK which is also the root password 15:30 - Start of building a bash script to spray a single password across valid users with su 22:00 - Converting our script into a Bash Function so its easier to run without touching disk 24:55 - Talking about WPS and how this exploit worked 25:30 - The first vulnerability in the WPS Pin, the eighth digit is just a checksum 28:30 - The second flaw in WPS, the PIN is broken in half if the first four digits are wrong the responses tell you. Making the possibilities of hashes from 10^7 to 10^4 + 10^3. 30:00 - Showing the WSC Nack gets sent after Message 4 if the first four of the pin is wrong 31:15 - Changing the PIN and playing more with reaver to showcase how reaver works.