{ "version": "https://jsonfeed.org/version/1.1", "user_comment": "This feed allows you to read the posts from this site in any feed reader that supports the JSON Feed format. To add this feed to your reader, copy the following URL -- https://matoken.org/blog/tag/pqi-air-pen/feed/json -- and add it your reader.", "home_page_url": "https://matoken.org/blog/tag/pqi-air-pen", "feed_url": "https://matoken.org/blog/tag/pqi-air-pen/feed/json", "language": "ja", "title": "PQI Air Pen – matoken's meme", "items": [ { "id": "http://matoken.org/blog/?p=1555", "url": "https://matoken.org/blog/2017/03/12/try-pqi-air-pen-gpio/", "title": "Playing with the PQI Air Pen's GPIO", "content_html": "

Now that I know the ID/PASSWORD and can get in via telnet, I was looking around inside and noticed the gpio entries.

\n\n
\n
# ls -lA /proc/gpio/\r\nls -lA /proc/gpio/\r\n-r--r--r--    1 root     root            0 Jan  1 07:22 gpio12_in\r\n-r--r--r--    1 root     root            0 Jan  1 07:22 gpio22_in\r\n-rw-r--r--    1 root     root            0 Jan  1 07:22 gpio23_out\r\n-rw-r--r--    1 root     root            0 Jan  1 07:22 gpio27_out\r\n-r--r--r--    1 root     root            0 Jan  1 07:22 gpio6_in\r\n-rw-r--r--    1 root     root            0 Jan  1 07:22 gpio7_out\r\n-r--r--r--    1 root     root            0 Jan  1 07:22 gpio8_in\r\n
\n
\n

So I poked at them a bit.

\n\n
\n
/proc/gpio # echo 1 > gpio7_out\r\necho 1 > gpio7_out\r\n/proc/gpio # echo 0 > gpio7_out\r\necho 0 > gpio7_out\r\n
\n
\n\n
\n
/proc/gpio # echo 0 > gpio23_out\r\necho 0 > gpio23_out\r\n/proc/gpio # echo 1 > gpio23_out\r\necho 1 > gpio23_out\r\n
\n
\n\n
\n
/proc/gpio # cat gpio22_in\r\ncat gpio22_in\r\n0\r\n/proc/gpio # cat gpio22_in\r\ncat gpio22_in\r\n1\r\n
\n
\n

So the two LEDs and one button were easy to use. I couldn't figure out the others just by poking at them a bit.
\nFor now, something like this lets you light up the two LEDs when the sync button on the side is pressed.

\n
\n
~ # while :\r\n> do\r\n> if [ `cat /proc/gpio/gpio22_in` = '0' ]; then\r\n> echo on\r\n> echo 0 > /proc/gpio/gpio7_out\r\n> echo 1 > /proc/gpio/gpio23_out\r\n> break\r\n> fi\r\n> sleep 1\r\n> done\r\n
\n
\n

\n

\n", "content_text": "Now that I know the ID/PASSWORD and can get in via telnet, I was looking around inside and noticed the gpio entries.\n\nCapturing packets to find the PQI Air Pen's ID/PASS | matoken’s meme\n\n\n# ls -lA /proc/gpio/\r\nls -lA /proc/gpio/\r\n-r--r--r-- 1 root root 0 Jan 1 07:22 gpio12_in\r\n-r--r--r-- 1 root root 0 Jan 1 07:22 gpio22_in\r\n-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio23_out\r\n-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio27_out\r\n-r--r--r-- 1 root root 0 Jan 1 07:22 gpio6_in\r\n-rw-r--r-- 1 root root 0 Jan 1 07:22 gpio7_out\r\n-r--r--r-- 1 root root 0 Jan 1 07:22 gpio8_in\r\n\n\nSo I poked at them a bit.\n\nRed LED : /proc/gpio/gpio7_out\n\n0 : On\n1 : Off\n\n\n\n\n/proc/gpio # echo 1 > gpio7_out\r\necho 1 > gpio7_out\r\n/proc/gpio # echo 0 > gpio7_out\r\necho 0 > gpio7_out\r\n\n\n\nYellow-green LED : /proc/gpio/gpio23_out\n\n0 : Off\n1 : On\n\n\n\n\n/proc/gpio # echo 0 > gpio23_out\r\necho 0 > gpio23_out\r\n/proc/gpio # echo 1 > gpio23_out\r\necho 1 > gpio23_out\r\n\n\n\nSide sync button : /proc/gpio/gpio22_in\n0 : On\n1 : Off\n\n\n/proc/gpio # cat gpio22_in\r\ncat gpio22_in\r\n0\r\n/proc/gpio # cat gpio22_in\r\ncat gpio22_in\r\n1\r\n\n\nSo the two LEDs and one button were easy to use. I couldn't figure out the others just by poking at them a bit.\nFor now, something like this lets you light up the two LEDs when the sync button on the side is pressed.\n\n~ # 
while :\r\n> do\r\n> if [ `cat /proc/gpio/gpio22_in` = '0' ]; then\r\n> echo on\r\n> echo 0 > /proc/gpio/gpio7_out\r\n> echo 1 > /proc/gpio/gpio23_out\r\n> break\r\n> fi\r\n> sleep 1\r\n> done", "date_published": "2017-03-12T11:31:56+09:00", "date_modified": "2017-03-12T11:32:42+09:00", "authors": [ { "name": "matoken", "url": "https://matoken.org/blog/author/matoken/", "avatar": "https://secure.gravatar.com/avatar/e34dfb243cc4baa2f1d4306941d9cfd8?s=512&d=mm&r=g" } ], "author": { "name": "matoken", "url": "https://matoken.org/blog/author/matoken/", "avatar": "https://secure.gravatar.com/avatar/e34dfb243cc4baa2f1d4306941d9cfd8?s=512&d=mm&r=g" }, "tags": [ "GPIO", "PQI Air Pen", "Linux" ] }, { "id": "http://matoken.org/blog/?p=1548", "url": "https://matoken.org/blog/2017/03/08/packet-capture-and-check-id-pass-of-pqi-air-pen/", "title": "Capturing packets to find the PQI Air Pen's ID/PASS", "content_html": "

It was 500 yen including shipping, so I bought it on impulse. My first purchase of this kind since the junk X200.

\n\n

It's a bit old, but ftp/telnet and so on are open, so it seems you can play around with it in various ways. I also have a PQI Air Card (first generation), but this one has a built-in battery and AP functionality.

\n

Poking at it a bit

\n

I connect a network cable on a network that provides DHCP, power it on, and poke at it a bit.

\n

First, let's look for it among the IPs in the DHCP pool.

\n
\n
$ sudo nmap -sP 192.168.2.200-\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:33 JST\r\n  :\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.0012s latency).\r\nMAC Address: 80:DB:31:01:A4:B8 (Power Quotient International)\r\n  :\r\n
\n
\n

It was 192.168.2.214. Let's port scan it.

\n
\n
$ nmap -A 192.168.2.214\r\n\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:45 JST\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.037s latency).\r\nNot shown: 995 closed ports\r\nPORT     STATE SERVICE VERSION\r\n21/tcp   open  ftp     vsftpd 2.0.7\r\n23/tcp   open  telnet  BusyBox telnetd 1.0\r\n53/tcp   open  domain  dnsmasq 2.52\r\n| dns-nsid:\r\n|_  bind.version: dnsmasq-2.52\r\n80/tcp   open  http    Brivo EdgeReader access control http interface\r\n|_http-title: PQI Air Pen\r\n8080/tcp open  http    Mongoose httpd 3.7 (directory listing)\r\n|_http-title: Index of /\r\nService Info: OS: Unix; Device: security-misc\r\n\r\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\r\nNmap done: 1 IP address (1 host up) scanned in 37.14 seconds\r\n$ nmap -P 0-65536 192.168.2.214\r\n\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:37 JST\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.035s latency).\r\nNot shown: 995 closed ports\r\nPORT     STATE SERVICE\r\n21/tcp   open  ftp\r\n23/tcp   open  telnet\r\n53/tcp   open  domain\r\n80/tcp   open  http\r\n8080/tcp open  http-proxy\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 0.61 seconds\r\n
\n
\n

Accessing port 80 gets you to the settings screen with no authentication. Port 8080 gives access to files. No authentication there either.

\n

ftp/telnet, as expected, don't work without authentication.

\n
\n
$ nc 192.168.2.214 21\r\n220 (vsFTPd 2.0.7)\r\nUSER anonimouse\r\n331 Please specify the password.\r\nPASS matoken@gmail.com\r\n530 Login incorrect.\r\n$ nc 192.168.2.214 23\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd          (none) login: \r\n\r\n(none) login: \r\n
\n
\n

The manual included in the package has no information that looks like an ID/PASS.
\nBut since files can apparently be exchanged with the smartphone app, peeking at those packets should reveal it.
\n# Searching the net would turn up the ID/PASS, but since I'm at it anyway?
\n## Come to think of it, I'd also like to peek at the PENTAX KP app's packets.

\n

Let's try capturing packets

\n

Prepare a PC with usable Wi-Fi, put the network card into monitor mode, and capture packets.
\nThis time the setup is like this.

\n\n

Check the PQI Air Pen's wireless channel in advance

\n\n
\n
$ nmcli d wifi | egrep 'SSID|PQI'\r\n*  SSID                \u30e2\u30fc\u30c9    CHAN  \u30ec\u30fc\u30c8     \u4fe1\u53f7  \u30d0\u30fc  \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \r\n   PQI Air Pen         \u30a4\u30f3\u30d5\u30e9  11    54 Mbit/s  100   \u2582\u2584\u2586\u2588  --           \r\n
\n
\n
\n
$ sudo /sbin/iwlist wls1 scanning | grep -B 5 "PQI Air Pen"\r\n          Cell 09 - Address: 80:DB:31:01:A4:B7\r\n                    Channel:11\r\n                    Frequency:2.462 GHz (Channel 11)\r\n                    Quality=70/70  Signal level=-28 dBm  \r\n                    Encryption key:off\r\n                    ESSID:"PQI Air Pen"\r\n
\n
\n

Check the phy and network interface

\n
\n
$ /sbin/iw dev\r\nphy#0\r\n        Interface wls1\r\n                ifindex 8\r\n                wdev 0x3\r\n                addr 00:22:fa:33:45:6a\r\n                type managed\r\n                channel 8 (2447 MHz), width: 20 MHz, center1: 2447 MHz\r\n                txpower 15.00 dBm\r\n
\n
\n

Check whether the device can go into monitor mode

\n

If it can't go into monitor mode, changing the driver sometimes helps.

\n
\n
$ /sbin/iw phy phy0 info | lv\r\n  :\r\n        Supported interface modes:\r\n                 * IBSS\r\n                 * managed\r\n                 * monitor\r\n  :\r\n        software interface modes (can always be added):\r\n                 * monitor\r\n
\n
\n

Create a monitor mode interface

\n
\n
$ sudo iw phy phy0 interface add mon0 type monitor\r\n
\n
\n

Delete the managed mode interface

\n
\n
$ sudo iw dev wls1 del\r\n
\n
\n

Bring up the monitor mode interface (mon0)

\n
\n
$ sudo ifconfig mon0 up\r\n
\n
\n

Set the wireless channel of the monitor mode interface

\n

It was channel 11 above, so set it to 2462.

\n
\n
$ sudo iw dev mon0 set freq 2462\r\n
\n
\n

The other channels are as follows

\n
\n

ch1 : 2412
\nch2 : 2417
\nch3 : 2422
\nch4 : 2427
\nch5 : 2432
\nch6 : 2437
\nch7 : 2442
\nch8 : 2447
\nch9 : 2452
\nch10 : 2457
\nch11 : 2462
\nch12 : 2467
\nch13 : 2472
\nch14 : 2484

\n
\n

Check

\n
\n
$ /sbin/iwconfig mon0\r\n
\n
\n

Try using the official smartphone app while capturing packets

\n

\u203b If there are lots of packets flying around, writing a filter or using Wireshark or similar is handy.

\n

While capturing packets, with the smartphone connected to the PQI Air Pen's network, launch the official app and do things like refresh.

\n
\n
$ sudo tcpdump -i mon0 -n -A -s0\r\n    :\r\n01:26:05.670158 1.0 Mb/s 2462 MHz 11b -34dBm signal antenna 3 IP 192.168.200.1.21 > 192.168.200.102.50504: Flags [P.], seq 1:21, ack 0, win 2896, options [nop,nop,TS val 194874 ecr 35416851], length 20: FTP: 220 (vsFTPd 2.0.7)\r\nE..Hv.@.@..-.......f...H.[.....;...P.P.....\r\n...:..k.220 (vsFTPd 2.0.7)\r\n...e\r\n    :\r\n01:26:05.791087 2462 MHz 11n -39dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz s\r\nhort GI mixed IP 192.168.200.102.50396 > 192.168.200.1.21: Flags [P.], seq 1:\r\n12, ack 20, win 115, options [nop,nop,TS val 35410347 ecr 178581], length 11:\r\n FTP: USER root\r\nE..?O.@.@..z...f.............wu....s    ......\r\n..Q.....USER root\r\n...2\r\n    :\r\n01:26:05.792197 2462 MHz 11n -41dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz s\r\nhort GI mixed IP 192.168.200.1.21 > 192.168.200.102.50396: Flags [P.], seq 20\r\n:54, ack 12, win 2896, options [nop,nop,TS val 178613 ecr 35410347], length 34: FTP: 331 Please specify the password.\r\nE..V.b@.@.\\........f.....wu........P`......\r\n......Q.331 Please specify the password.\r\nu`a.\r\n    :\r\n01:27:11.238673 2462 MHz 11n -40dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz short GI mixed IP 192.168.200.102.50504 > 192.168.200.1.21: Flags [P.], seq 11:23, ack 55, win 115, options [nop,nop,TS val 35416878 ecr 194908], length 12: FTP: PASS pqiap\r\nE..@.@@.@./....f.....H.....F.[.&...s.......\r\n..k....\\PASS pqiap\r\n.5.Z\r\n
\n
\n

The FTP connection appears to use root:pqiap.

\n

Restore the interface

\n
\n
sudo iw dev mon0 del\r\nsudo iw phy phy0 interface add wls1 type managed\r\n
\n
\n

Try an ftp connection

\n
\n
$ nc 192.168.200.1 21\r\n220 (vsFTPd 2.0.7)\r\nuser root\r\n331 Please specify the password.\r\npass pqiap\r\n230 Login successful.\r\n
\n
\n

Try telnet

\n
\n
$ nc 192.168.200.1 23\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd(none) login: \r\n\r\n(none) login: root\r\nroot\r\nPassword: pqiap\r\n\r\n\r\n\r\nBusyBox v1.01 (2013.01.03-08:27+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n~ # uname -a\r\nuname -a\r\nLinux (none) 2.6.31.AirPen_V0.1.22-g5eca71a #319 Thu Jan 3 16:27:02 CST 2013 mips unknown\r\n
\n
\n

And with that, I can get inside :)

\n

\n", "content_text": "It was 500 yen including shipping, so I bought it on impulse. My first purchase of this kind since the junk X200.\n\nPQI Air Pen: a Linux-based wireless access point you can telnet into, for 500 yen\n\nIt's a bit old, but ftp/telnet and so on are open, so it seems you can play around with it in various ways. I also have a PQI Air Card (first generation), but this one has a built-in battery and AP functionality.\nPoking at it a bit\nI connect a network cable on a network that provides DHCP, power it on, and poke at it a bit.\nFirst, let's look for it among the IPs in the DHCP pool.\n\n$ sudo nmap -sP 192.168.2.200-\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:33 JST\r\n :\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.0012s latency).\r\nMAC Address: 80:DB:31:01:A4:B8 (Power Quotient International)\r\n :\r\n\n\nIt was 192.168.2.214. Let's port scan it.\n\n$ nmap -A 192.168.2.214\r\n\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:45 JST\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.037s latency).\r\nNot shown: 995 closed ports\r\nPORT STATE SERVICE VERSION\r\n21/tcp open ftp vsftpd 2.0.7\r\n23/tcp open telnet BusyBox telnetd 1.0\r\n53/tcp open domain dnsmasq 2.52\r\n| dns-nsid:\r\n|_ bind.version: dnsmasq-2.52\r\n80/tcp open http Brivo EdgeReader access control 
http interface\r\n|_http-title: PQI Air Pen\r\n8080/tcp open http Mongoose httpd 3.7 (directory listing)\r\n|_http-title: Index of /\r\nService Info: OS: Unix; Device: security-misc\r\n\r\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\r\nNmap done: 1 IP address (1 host up) scanned in 37.14 seconds\r\n$ nmap -P 0-65536 192.168.2.214\r\n\r\nStarting Nmap 7.40 ( https://nmap.org ) at 2017-03-08 11:37 JST\r\nNmap scan report for 192.168.2.214\r\nHost is up (0.035s latency).\r\nNot shown: 995 closed ports\r\nPORT STATE SERVICE\r\n21/tcp open ftp\r\n23/tcp open telnet\r\n53/tcp open domain\r\n80/tcp open http\r\n8080/tcp open http-proxy\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 0.61 seconds\r\n\n\nAccessing port 80 gets you to the settings screen with no authentication. Port 8080 gives access to files. No authentication there either.\nftp/telnet, as expected, don't work without authentication.\n\n$ nc 192.168.2.214 21\r\n220 (vsFTPd 2.0.7)\r\nUSER anonimouse\r\n331 Please specify the password.\r\nPASS matoken@gmail.com\r\n530 Login incorrect.\r\n$ nc 192.168.2.214 23\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd (none) login: \r\n\r\n(none) login: 
\r\n\n\nThe manual included in the package has no information that looks like an ID/PASS.\nBut since files can apparently be exchanged with the smartphone app, peeking at those packets should reveal it.\n# Searching the net would turn up the ID/PASS, but since I'm at it anyway?\n## Come to think of it, I'd also like to peek at the PENTAX KP app's packets.\nLet's try capturing packets\nPrepare a PC with usable Wi-Fi, put the network card into monitor mode, and capture packets.\nThis time the setup is like this.\n\nPC : LENOVO Thinkpad X200\nNIC : Intel Corporation PRO/Wireless 5100 AGN\nOS : Ubuntu 17.04 amd64\nDriver : iwldvm, iwlwifi\n\nCheck the PQI Air Pen's wireless channel in advance\n\nHere it's 11\n\n\n$ nmcli d wifi | egrep 'SSID|PQI'\r\n* SSID \u30e2\u30fc\u30c9 CHAN \u30ec\u30fc\u30c8 \u4fe1\u53f7 \u30d0\u30fc \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \r\n PQI Air Pen \u30a4\u30f3\u30d5\u30e9 11 54 Mbit/s 100 \u2582\u2584\u2586\u2588 -- \r\n\n\n\n$ sudo /sbin/iwlist wls1 scanning | grep -B 5 "PQI Air Pen"\r\n Cell 09 - Address: 80:DB:31:01:A4:B7\r\n Channel:11\r\n Frequency:2.462 GHz (Channel 11)\r\n Quality=70/70 Signal level=-28 dBm \r\n Encryption 
key:off\r\n ESSID:"PQI Air Pen"\r\n\n\nCheck the phy and network interface\n\n$ /sbin/iw dev\r\nphy#0\r\n Interface wls1\r\n ifindex 8\r\n wdev 0x3\r\n addr 00:22:fa:33:45:6a\r\n type managed\r\n channel 8 (2447 MHz), width: 20 MHz, center1: 2447 MHz\r\n txpower 15.00 dBm\r\n\n\nCheck whether the device can go into monitor mode\nIf it can't go into monitor mode, changing the driver sometimes helps.\n\n$ /sbin/iw phy phy0 info | lv\r\n :\r\n Supported interface modes:\r\n * IBSS\r\n * managed\r\n * monitor\r\n :\r\n software interface modes (can always be added):\r\n * monitor\r\n\n\nCreate a monitor mode interface\n\n$ sudo iw phy phy0 interface add mon0 type monitor\r\n\n\nDelete the managed mode interface\n\n$ sudo iw dev wls1 del\r\n\n\nBring up the monitor mode interface (mon0)\n\n$ sudo ifconfig mon0 up\r\n\n\nSet the wireless channel of the monitor mode interface\nIt was channel 11 above, so set it to 2462.\n\n$ sudo iw dev mon0 set freq 2462\r\n\n\nThe other channels are as follows\n\nch1 : 2412\nch2 : 2417\nch3 : 2422\nch4 : 2427\nch5 : 2432\nch6 : 2437\nch7 : 2442\nch8 : 2447\nch9 : 2452\nch10 : 2457\nch11 : 2462\nch12 : 2467\nch13 : 2472\nch14 : 2484 \n\nCheck\n\n$ /sbin/iwconfig 
mon0\r\n\n\nTry using the official smartphone app while capturing packets\n\u203b If there are lots of packets flying around, writing a filter or using Wireshark or similar is handy.\nWhile capturing packets, with the smartphone connected to the PQI Air Pen's network, launch the official app and do things like refresh.\n\n$ sudo tcpdump -i mon0 -n -A -s0\r\n :\r\n01:26:05.670158 1.0 Mb/s 2462 MHz 11b -34dBm signal antenna 3 IP 192.168.200.1.21 > 192.168.200.102.50504: Flags [P.], seq 1:21, ack 0, win 2896, options [nop,nop,TS val 194874 ecr 35416851], length 20: FTP: 220 (vsFTPd 2.0.7)\r\nE..Hv.@.@..-.......f...H.[.....;...P.P.....\r\n...:..k.220 (vsFTPd 2.0.7)\r\n...e\r\n :\r\n01:26:05.791087 2462 MHz 11n -39dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz s\r\nhort GI mixed IP 192.168.200.102.50396 > 192.168.200.1.21: Flags [P.], seq 1:\r\n12, ack 20, win 115, options [nop,nop,TS val 35410347 ecr 178581], length 11:\r\n FTP: USER root\r\nE..?O.@.@..z...f.............wu....s ......\r\n..Q.....USER root\r\n...2\r\n :\r\n01:26:05.792197 2462 MHz 11n -41dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz s\r\nhort GI mixed IP 192.168.200.1.21 > 192.168.200.102.50396: Flags [P.], seq 20\r\n:54, ack 12, win 2896, options [nop,nop,TS val 178613 ecr 35410347], length 34: FTP: 331 Please specify the password.\r\nE..V.b@.@.\\........f.....wu........P`......\r\n......Q.331 Please specify the password.\r\nu`a.\r\n :\r\n01:27:11.238673 2462 MHz 11n -40dBm signal antenna 3 72.2 Mb/s MCS 7 20 MHz short GI 
mixed IP 192.168.200.102.50504 > 192.168.200.1.21: Flags [P.], seq 11:23, ack 55, win 115, options [nop,nop,TS val 35416878 ecr 194908], length 12: FTP: PASS pqiap\r\nE..@.@@.@./....f.....H.....F.[.&...s.......\r\n..k....\\PASS pqiap\r\n.5.Z\r\n\n\nThe FTP connection appears to use root:pqiap.\nRestore the interface\n\nsudo iw dev mon0 del\r\nsudo iw phy phy0 interface add wls1 type managed\r\n\n\nTry an ftp connection\n\n$ nc 192.168.200.1 21\r\n220 (vsFTPd 2.0.7)\r\nuser root\r\n331 Please specify the password.\r\npass pqiap\r\n230 Login successful.\r\n\n\nTry telnet\n\n$ nc 192.168.200.1 23\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd(none) login: \r\n\r\n(none) login: root\r\nroot\r\nPassword: pqiap\r\n\r\n\r\n\r\nBusyBox v1.01 (2013.01.03-08:27+0000) Built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n~ # uname -a\r\nuname -a\r\nLinux (none) 2.6.31.AirPen_V0.1.22-g5eca71a #319 Thu Jan 3 16:27:02 CST 2013 mips unknown\r\n\n\nAnd with that, I can get inside :)", "date_published": "2017-03-08T19:28:59+09:00", "date_modified": "2017-03-08T19:35:33+09:00", "authors": [ { "name": "matoken", "url": "https://matoken.org/blog/author/matoken/", "avatar": "https://secure.gravatar.com/avatar/e34dfb243cc4baa2f1d4306941d9cfd8?s=512&d=mm&r=g" } ], "author": { "name": "matoken", "url": "https://matoken.org/blog/author/matoken/", "avatar": "https://secure.gravatar.com/avatar/e34dfb243cc4baa2f1d4306941d9cfd8?s=512&d=mm&r=g" }, "tags": [ "packet capture", "PQI Air Pen", "tcpdump", "Linux" ] } ] }