Now that the ID/password was known and I could get in over telnet, I looked around inside and found GPIO exposed.

# ls -lA /proc/gpio/
ls -lA /proc/gpio/
-r--r--r-- 1 root root 0 Jan 1 07:22 gpio12_in
-r--r--r-- 1 root root 0 Jan 1 07:22 gpio22_in
-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio23_out
-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio27_out
-r--r--r-- 1 root root 0 Jan 1 07:22 gpio6_in
-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio7_out
-r--r--r-- 1 root root 0 Jan 1 07:22 gpio8_in

So I poked at it a bit.

/proc/gpio # echo 1 > gpio7_out
echo 1 > gpio7_out
/proc/gpio # echo 0 > gpio7_out
echo 0 > gpio7_out

/proc/gpio # echo 0 > gpio23_out
echo 0 > gpio23_out
/proc/gpio # echo 1 > gpio23_out
echo 1 > gpio23_out

/proc/gpio # cat gpio22_in
cat gpio22_in
0
/proc/gpio # cat gpio22_in
cat gpio22_in
1

So two LEDs and one button were easy to use. I couldn't work out the other pins just by poking at them briefly.

For now, something like this lights both LEDs when the sync button on the side is pressed.

~ # while :
> do
> if [ `cat /proc/gpio/gpio22_in` = '0' ]; then
> echo on
> echo 0 > /proc/gpio/gpio7_out
> echo 1 > /proc/gpio/gpio23_out
> break
> fi
> sleep 1
> done

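The bare loop above spins forever if the button is never pressed and does not check that the pin files exist. As an added example (not code from the original post), here is a small POSIX sh wrapper around the same /proc/gpio files with a timeout and those checks; GPIO_DIR is an assumed override so the functions can be exercised against a constructed fake directory instead of the device itself.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the /proc/gpio
# files listed earlier. GPIO_DIR is an assumed override so the functions can
# be tried against a constructed fake directory instead of the device itself.
GPIO_DIR="${GPIO_DIR:-/proc/gpio}"

# gpio_write NAME VALUE: write 0 or 1 to an *_out pin.
# Returns 1 if the pin file is missing/unwritable, 2 for a bad value.
gpio_write() {
    [ -w "$GPIO_DIR/$1" ] || return 1
    case "$2" in
        0|1) echo "$2" > "$GPIO_DIR/$1" ;;
        *) return 2 ;;
    esac
}

# gpio_read NAME: print the current value of an *_in pin (0 or 1).
gpio_read() {
    [ -r "$GPIO_DIR/$1" ] || return 1
    cat "$GPIO_DIR/$1"
}

# Pin names and values taken from the post: its loop writes gpio7_out=0 and
# gpio23_out=1 to light both LEDs once gpio22_in (the sync button) reads 0.
leds_on()  { gpio_write gpio7_out 0 && gpio_write gpio23_out 1; }
leds_off() { gpio_write gpio7_out 1 && gpio_write gpio23_out 0; }

# wait_for_press [MAX_SECONDS]: poll the button once a second until it reads 0.
# Returns 0 on a press and 1 on timeout (default 30 s), so a caller can give
# up instead of looping forever as the bare while-loop in the post does.
wait_for_press() {
    max="${1:-30}"
    n=0
    while [ "$n" -lt "$max" ]; do
        if [ "$(gpio_read gpio22_in)" = "0" ]; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 1
}

# Usage on the device (BusyBox ash understands all of the above):
#   wait_for_press 60 && leds_on
```

Everything here is plain POSIX sh, so it runs unchanged under the BusyBox ash shown in the telnet session; pointing GPIO_DIR at a scratch directory lets you test the logic on a workstation first.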
It was 500 yen including shipping, so I impulsively bought it. My first purchase of this kind since the junk X200.

Linked: "PQI Air Pen": a Linux-based wireless access point you can telnet into, for 500 yen

It's a bit old, but ftp/telnet and so on are open, so it looks like there's plenty to play with. I also have a PQI Air Card (first generation), but this one has a built-in battery and AP functionality as well.
Poking at it a bit

I connect it with a network cable to a network that provides DHCP, power it on, and poke at it a bit.

First, I look for it among the DHCP pool addresses.

$ sudo nmap -sP 192.168.2.200-
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:33 JST
 :
Nmap scan report for 192.168.2.214
Host is up (0.0012s latency).
MAC Address: 80:DB:31:01:A4:B8 (Power Quotient International)
 :

It was 192.168.2.214. Let's port scan it.

$ nmap -A 192.168.2.214

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:45 JST
Nmap scan report for 192.168.2.214
Host is up (0.037s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.7
23/tcp open telnet BusyBox telnetd 1.0
53/tcp open domain dnsmasq 2.52
| dns-nsid:
|_ bind.version: dnsmasq-2.52
80/tcp open http Brivo EdgeReader access control http interface
|_http-title: PQI Air Pen
8080/tcp open http Mongoose httpd 3.7 (directory listing)
|_http-title: Index of /
Service Info: OS: Unix; Device: security-misc

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.14 seconds
$ nmap -P 0-65536 192.168.2.214

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:37 JST
Nmap scan report for 192.168.2.214
Host is up (0.035s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds

Accessing port 80 gave me the configuration screen with no authentication. Port 8080 gives access to the files, also without authentication.

ftp/telnet, as you'd expect, don't let you in unauthenticated.

$ nc 192.168.2.214 21
220 (vsFTPd 2.0.7)
USER anonimouse
331 Please specify the password.
PASS matoken@gmail.com
530 Login incorrect.
$ nc 192.168.2.214 23
������!���� (none) login: 

(none) login: 

The manual that came in the package has nothing that looks like an ID/password.

But the smartphone app can transfer files, so sniffing its packets should reveal them.

# Searching online would turn up the ID/password, but having come this far, why not?

## Come to think of it, I'd also like to sniff the PENTAX KP app's packets.

Trying packet capture

Prepare a PC with working Wi-Fi, put its network card into monitor mode, and capture packets.

This time the setup was:

PC : LENOVO Thinkpad X200
NIC : Intel Corporation PRO/Wireless 5100 AGN
OS : Ubuntu 17.04 amd64
Driver : iwldvm, iwlwifi

Check the PQI Air Pen's wireless channel

Here it's 11.

$ nmcli d wifi | egrep 'SSID|PQI'
* SSID モード CHAN レート 信号 バー セキュリティ 
 PQI Air Pen インフラ 11 54 Mbit/s 100 ▂▄▆█ -- 

$ sudo /sbin/iwlist wls1 scanning | grep -B 5 "PQI Air Pen"
 Cell 09 - Address: 80:DB:31:01:A4:B7
 Channel:11
 Frequency:2.462 GHz (Channel 11)
 Quality=70/70 Signal level=-28 dBm 
 Encryption key:off
 ESSID:"PQI Air Pen"

Check the phy and network interface

$ /sbin/iw dev
phy#0
 Interface wls1
 ifindex 8
 wdev 0x3
 addr 00:22:fa:33:45:6a
 type managed
 channel 8 (2447 MHz), width: 20 MHz, center1: 2447 MHz
 txpower 15.00 dBm

Check whether the device can enter monitor mode

If it can't enter monitor mode, switching to a different driver sometimes helps.

$ /sbin/iw phy phy0 info | lv
 :
 Supported interface modes:
 * IBSS
 * managed
 * monitor
 :
 software interface modes (can always be added):
 * monitor

Create a monitor-mode interface

$ sudo iw phy phy0 interface add mon0 type monitor

Delete the managed-mode interface

$ sudo iw dev wls1 del

Bring the monitor-mode interface (mon0) up

$ sudo ifconfig mon0 up

Set the monitor-mode interface's wireless channel

It was channel 11 above, so I set the frequency to 2462.

$ sudo iw dev mon0 set freq 2462

The other channels map to frequencies (MHz) like this:

ch1 : 2412
ch2 : 2417
ch3 : 2422
ch4 : 2427
ch5 : 2432
ch6 : 2437
ch7 : 2442
ch8 : 2447
ch9 : 2452
ch10 : 2457
ch11 : 2462
ch12 : 2467
ch13 : 2472
ch14 : 2484
Verify

$ /sbin/iwconfig mon0

Use the official smartphone app while capturing packets

Note: if there's a lot of traffic flying around, writing a capture filter or using Wireshark etc. makes this easier.

While capturing, with the smartphone connected to the PQI Air Pen's network, start the official app and do a refresh and so on.

$ sudo tcpdump -i mon0 -n -A -s0
 :
01:26:05.670158 1.0 Mb/s 2462 MHz 11b -34dBm signal antenna 3 IP 192.168.200.1.21 > 192.168.200.102.50504: Flags [P.], seq 1:21, ack 0, win 2896, options [nop,nop,TS val 194874 ecr 35416851], length 20: FTP: 220 (vsFTPd 2.0.7)
E..Hv.@.@..-.......f...H.[.....;...P.P.....
...:..k.220 (vsFTPd 2.0.7)
...e
 :
01:26:05.791087 2462 MHz 11n -39dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz short GI mixed IP 192.168.200.102.50396 > 192.168.200.1.21: Flags [P.], seq 1:12, ack 20, win 115, options [nop,nop,TS val 35410347 ecr 178581], length 11: FTP: USER root
E..?O.@.@..z...f.............wu....s ......
..Q.....USER root
...2
 :
01:26:05.792197 2462 MHz 11n -41dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz short GI mixed IP 192.168.200.1.21 > 192.168.200.102.50396: Flags [P.], seq 20:54, ack 12, win 2896, options [nop,nop,TS val 178613 ecr 35410347], length 34: FTP: 331 Please specify the password.
E..V.b@.@.\........f.....wu........P`......
......Q.331 Please specify the password.
u`a.
 :
01:27:11.238673 2462 MHz 11n -40dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz short GI mixed IP 192.168.200.102.50504 > 192.168.200.1.21: Flags [P.], seq 11:23, ack 55, win 115, options [nop,nop,TS val 35416878 ecr 194908], length 12: FTP: PASS pqiap
E..@.@@.@./....f.....H.....F.[.&...s.......
..k....\PASS pqiap
.5.Z

So the FTP login appears to be root:pqiap.
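The capture shows the underlying problem: the app logs in over plain FTP on an open (unencrypted) Wi-Fi network, so the credentials are readable by anyone within radio range. As an added example (not from the original post), here is a small monitoring check for your own network that scans `tcpdump -A` text for FTP USER/PASS commands, correlates them per TCP flow, and reports each login with the password replaced by its length; SAMPLE_CAPTURE is a constructed sample in the same format as the output above, with placeholder user/password values rather than the device's own.

```shell
#!/bin/sh
# Added example, not from the original post: a monitoring check that scans
# `tcpdump -A` text for FTP logins sent in the clear. It reads text on stdin
# and reports each login with the password replaced by its length.

# ftp_cleartext_logins: one output line per PASS command, of the form
#   flow=<client addr.port> > <server addr.port> user=<name> password_len=<n>
# USER and PASS are matched per TCP flow because a client may open several
# control connections (the capture above shows ports 50396 and 50504).
ftp_cleartext_logins() {
    awk '
        # Only tcpdump summary lines that carry an FTP USER/PASS command.
        / IP [0-9.]+ > [0-9.]+: .* FTP: (USER|PASS) / {
            rest = substr($0, index($0, " IP ") + 4)   # "src > dst: Flags ..."
            split(rest, parts, ": ")
            flow = parts[1]                            # "src.port > dst.port"
            cmd = $0
            sub(/.* FTP: /, "", cmd)                   # "USER name" / "PASS secret"
            sub(/\r$/, "", cmd)
            verb = substr(cmd, 1, 4)
            arg = substr(cmd, 6)
            if (verb == "USER") { user[flow] = arg; next }
            u = (flow in user) ? user[flow] : "?"
            printf "flow=%s user=%s password_len=%d\n", flow, u, length(arg)
            delete user[flow]
        }
    '
}

# Constructed sample in the same format as the capture above (placeholder
# credentials, not the device's real ones): one login with USER then PASS on
# one flow, and a stray PASS on a second flow where no USER was seen.
SAMPLE_CAPTURE='01:26:05.791087 2462 MHz 11n -39dBm signal antenna 3 IP 192.168.200.102.50396 > 192.168.200.1.21: Flags [P.], seq 1:13, ack 20, win 115, length 12: FTP: USER admin
E..?O.@.@..z...f.............wu....s ......
..Q.....USER admin
01:26:05.792197 2462 MHz 11n -41dBm signal antenna 3 IP 192.168.200.1.21 > 192.168.200.102.50396: Flags [P.], seq 20:54, ack 13, win 2896, length 34: FTP: 331 Please specify the password.
01:26:06.100000 2462 MHz 11n -40dBm signal antenna 3 IP 192.168.200.102.50396 > 192.168.200.1.21: Flags [P.], seq 13:30, ack 55, win 115, length 17: FTP: PASS example-pw
01:27:11.238673 2462 MHz 11n -40dBm signal antenna 3 IP 192.168.200.102.50504 > 192.168.200.1.21: Flags [P.], seq 11:22, ack 55, win 115, length 11: FTP: PASS test'

# Run against the sample; on a real monitoring host, pipe in the output of
# `tcpdump -i mon0 -n -A -s0` (or of tcpdump -r on a saved pcap) instead.
printf '%s\n' "$SAMPLE_CAPTURE" | ftp_cleartext_logins
```

The hex/ASCII dump lines that `-A` prints are deliberately ignored, since only the summary line carries the flow tuple; reporting the password length rather than the value keeps the alert useful without copying the secret into logs.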
Restore the interface

sudo iw dev mon0 del
sudo iw phy phy0 interface add wls1 type managed

Try an FTP connection

$ nc 192.168.200.1 21
220 (vsFTPd 2.0.7)
user root
331 Please specify the password.
pass pqiap
230 Login successful.

Try telnet

$ nc 192.168.200.1 23
������!����(none) login: 

(none) login: root
root
Password: pqiap



BusyBox v1.01 (2013.01.03-08:27+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # uname -a
uname -a
Linux (none) 2.6.31.AirPen_V0.1.22-g5eca71a #319 Thu Jan 3 16:27:02 CST 2013 mips unknown

And with that I can get inside :)

Published 2017-03-08 (last modified 2017-03-08) by matoken, https://matoken.org/blog/author/matoken/
Tags: packet capture, PQI Air Pen, tcpdump, Linux