\u3061\u3087\u3063\u3068\u53e4\u3044\u3082\u306e\u3067\u3059\u304cftp\/telnet\u306a\u3069\u304c\u958b\u3044\u3066\u3066\u8272\u3005\u904a\u3079\u308b\u3088\u3046\u3067\u3059\uff0ePQI Air Card(\u521d\u4ee3)\u3082\u6301\u3063\u3066\u3044\u307e\u3059\u304c\uff0c\u3053\u308c\u306f\u30d0\u30c3\u30c6\u30ea\u30fc\u5185\u8535\u3067AP\u6a5f\u80fd\u306a\u3069\u3082\u3042\u308a\u307e\u3059\uff0e<\/p>\n
dhcp\u306e\u63d0\u4f9b\u3055\u308c\u3066\u3044\u308b\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b1\u30fc\u30d6\u30eb\u3092\u7e4b\u3044\u3067\u96fb\u6e90\u3092\u308c\u3066\u3061\u3087\u3063\u3068\u53e9\u3044\u3066\u307f\u307e\u3059\uff0e<\/p>\n
\u307e\u305a\u306fdhcp pool\u306eip\u304b\u3089\u63a2\u3057\u3066\u307f\u307e\u3059\uff0e<\/p>\n
\n
<\/span>$ sudo nmap -sP 192<\/span>.168.2.200-\r\nStarting Nmap 7<\/span>.40 (<\/span> https:\/\/nmap.org )<\/span> at 2017<\/span>-03-08 11<\/span>:33 JST\r\n :\r\nNmap scan report for<\/span> 192<\/span>.168.2.214\r\nHost is up (<\/span>0<\/span>.0012s latency)<\/span>.\r\nMAC Address: 80<\/span>:DB:31:01:A4:B8 (<\/span>Power Quotient International)<\/span>\r\n :\r\n<\/pre>\n<\/div>\n192.168.2.214\u3067\u3057\u305f\uff0e\u30dd\u30fc\u30c8\u30b9\u30ad\u30e3\u30f3\u3057\u3066\u307f\u307e\u3059\uff0e<\/p>\n
\n
<\/span>$ nmap -A 192<\/span>.168.2.214\r\n\r\nStarting Nmap 7<\/span>.40 (<\/span> https:\/\/nmap.org )<\/span> at 2017<\/span>-03-08 11<\/span>:45 JST\r\nNmap scan report for<\/span> 192<\/span>.168.2.214\r\nHost is up (<\/span>0<\/span>.037s latency)<\/span>.\r\nNot shown: 995<\/span> closed ports\r\nPORT STATE SERVICE VERSION\r\n21<\/span>\/tcp open ftp vsftpd 2<\/span>.0.7\r\n23<\/span>\/tcp open telnet BusyBox telnetd 1<\/span>.0\r\n53<\/span>\/tcp open domain dnsmasq 2<\/span>.52\r\n|<\/span> dns-nsid:\r\n|<\/span>_ bind.version: dnsmasq-2.52\r\n80<\/span>\/tcp open http Brivo EdgeReader access control http interface\r\n|<\/span>_http-title: PQI Air Pen\r\n8080<\/span>\/tcp open http Mongoose httpd 3<\/span>.7 (<\/span>directory listing)<\/span>\r\n|<\/span>_http-title: Index of \/\r\nService Info: OS: Unix;<\/span> Device: security-misc\r\n\r\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\r\nNmap done<\/span>: 1<\/span> IP address (<\/span>1<\/span> host up)<\/span> scanned in 37<\/span>.14 seconds\r\n$ nmap -P 0<\/span>-65536 192<\/span>.168.2.214\r\n\r\nStarting Nmap 7<\/span>.40 (<\/span> https:\/\/nmap.org )<\/span> at 2017<\/span>-03-08 11<\/span>:37 JST\r\nNmap scan report for<\/span> 192<\/span>.168.2.214\r\nHost is up (<\/span>0<\/span>.035s latency)<\/span>.\r\nNot shown: 995<\/span> closed ports\r\nPORT STATE SERVICE\r\n21<\/span>\/tcp open ftp\r\n23<\/span>\/tcp open telnet\r\n53<\/span>\/tcp open domain\r\n80<\/span>\/tcp open http\r\n8080<\/span>\/tcp open http-proxy\r\n\r\nNmap done<\/span>: 1<\/span> IP address (<\/span>1<\/span> host up)<\/span> scanned in 0<\/span>.61 seconds\r\n<\/pre>\n<\/div>\n80\u756a\u30dd\u30fc\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u8a8d\u8a3c\u7121\u3057\u3067\u8a2d\u5b9a\u753b\u9762\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u307e\u3057\u305f\uff0e8080\u756a\u306f\u30d5\u30a1\u30a4\u30eb\u306e\u30a2\u30af\u30bb\u30b9\u304c\u51fa\u6765\u307e\u3059\uff0e\u3053\u3061\u3089\u3082\u8a8d\u8a3c\u306a\u3057\uff0e<\/p>\n
ftp\/telnet\u306f\u6d41\u77f3\u306b\u672a\u8a8d\u8a3c\u3067\u306f\u99c4\u76ee\u306e\u3088\u3046\u3067\u3059\uff0e<\/p>\n
\n
<\/span>$ nc 192<\/span>.168.2.214 21<\/span>\r\n220<\/span> (<\/span>vsFTPd 2<\/span>.0.7)<\/span>\r\nUSER anonimouse\r\n331<\/span> Please specify the password.\r\nPASS matoken@gmail.com\r\n530<\/span> Login incorrect.\r\n$ nc 192<\/span>.168.2.214 23<\/span>\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd\ufffd (<\/span>none)<\/span> login: \r\n\r\n(<\/span>none)<\/span> login: \r\n<\/pre>\n<\/div>\n\u30d1\u30c3\u30b1\u30fc\u30b8\u306e\u4e2d\u306b\u5165\u3063\u3066\u3044\u305f\u30de\u30cb\u30e5\u30a2\u30eb\u306b\u306f\u7279\u306bID\/PASS\u307d\u3044\u3082\u306e\u306e\u60c5\u5831\u306f\u3042\u308a\u307e\u305b\u3093\uff0e
\n\u3067\u3082\u30b9\u30de\u30fc\u30c8\u30d5\u30a9\u30f3\u7528\u30a2\u30d7\u30ea\u3067\u30d5\u30a1\u30a4\u30eb\u306e\u3084\u308a\u53d6\u308a\u304c\u53ef\u80fd\u306a\u3088\u3046\u306a\u306e\u3067\u305d\u306e\u30d1\u30b1\u30c3\u30c8\u3092\u8997\u3051\u3070\u308f\u304b\u308a\u305d\u3046\u3067\u3059\uff0e
\n\uff03\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3067\u691c\u7d22\u3059\u308b\u3068ID\/PASS\u306f\u898b\u3064\u304b\u308b\u306e\u3067\u3059\u304c\uff0c\u305b\u3063\u304b\u304f\u306a\u306e\u3067?
\n\uff03\uff03\u305d\u3046\u3044\u3048\u3070PENTAX KP\u306e\u30a2\u30d7\u30ea\u306e\u30d1\u30b1\u30c3\u30c8\u3082\u8997\u3044\u3066\u307f\u305f\u3044\uff0e<\/p>\n
\u30d1\u30b1\u30c3\u30c8\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u3066\u307f\u308b<\/h2>\n
\u9069\u5f53\u306aWi-Fi\u306e\u4f7f\u3048\u308bPC\u3092\u7528\u610f\u3057\u3066\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30ab\u30fc\u30c9\u3092monitor mode\u306b\u3057\u3066\u30d1\u30b1\u30c3\u30c8\u30ad\u30e3\u30d7\u30c1\u30e3\u3092\u3057\u307e\u3059\uff0e
\n\u4eca\u56de\u306f\u3053\u3093\u306a\u611f\u3058\uff0e<\/p>\n
\n- PC : LENOVO Thinkpad X200<\/li>\n
- NIC : Intel Corporation PRO\/Wireless 5100 AGN<\/li>\n
- OS : Ubuntu 17.04 amd64<\/li>\n
- Driver : iwldvm, iwlwifi<\/li>\n<\/ul>\n
AQI Air Pen\u306e\u7121\u7dda\u30c1\u30e3\u30f3\u30cd\u30eb\u3092\u78ba\u8a8d\u3057\u3066\u304a\u304f<\/h3>\n\n- \u3053\u3053\u3067\u306f11<\/li>\n<\/ul>\n
\n
<\/span>$ nmcli d wifi |<\/span> egrep 'SSID|PQI'<\/span>\r\n* SSID \u30e2\u30fc\u30c9 CHAN \u30ec\u30fc\u30c8 \u4fe1\u53f7 \u30d0\u30fc \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \r\n PQI Air Pen \u30a4\u30f3\u30d5\u30e9 11<\/span> 54<\/span> Mbit\/s 100<\/span> \u2582\u2584\u2586\u2588 -- \r\n<\/pre>\n<\/div>\n\n
<\/span>$ sudo \/sbin\/iwlist wls1 scanning |<\/span> grep -B 5<\/span> "PQI Air Pen"<\/span>\r\n Cell 09<\/span> - Address: 80<\/span>:DB:31:01:A4:B7\r\n Channel:11\r\n Frequency:2.462 GHz (<\/span>Channel 11<\/span>)<\/span>\r\n Quality<\/span>=<\/span>70<\/span>\/70 Signal level<\/span>=<\/span>-28 dBm \r\n Encryption key:off\r\n ESSID:"PQI Air Pen"<\/span>\r\n<\/pre>\n<\/div>\nphy\u3068\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u306e\u78ba\u8a8d<\/h3>\n\n
<\/span>$ \/sbin\/iw dev\r\nphy#0\r\n Interface wls1\r\n ifindex 8<\/span>\r\n wdev 0x3\r\n addr 00<\/span>:22:fa:33:45:6a\r\n type<\/span> managed\r\n channel 8<\/span> (<\/span>2447<\/span> MHz)<\/span>, width: 20<\/span> MHz, center1: 2447<\/span> MHz\r\n txpower 15<\/span>.00 dBm\r\n<\/pre>\n<\/div>\n\u30c7\u30d0\u30a4\u30b9\u304cmonitor mode\u306b\u306a\u308c\u308b\u304b\u78ba\u8a8d\u3059\u308b<\/h3>\n
monitor\u306b\u306a\u308c\u306a\u3044\u5834\u5408\u306f\u30c9\u30e9\u30a4\u30d0\u3092\u5909\u66f4\u3059\u308b\u3068\u5bfe\u5fdc\u3067\u304d\u308b\u5834\u5408\u3082\u3042\u308a\u307e\u3059\uff0e<\/p>\n
\n
<\/span>$ \/sbin\/iw phy phy0 info |<\/span> lv\r\n :\r\n Supported interface modes:\r\n * IBSS\r\n * managed\r\n * monitor\r\n :\r\n software interface modes (<\/span>can always be added)<\/span>:\r\n * monitor\r\n<\/pre>\n<\/div>\nmonitor mode\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u3092\u4f5c\u308b<\/h3>\n\n
<\/span>$ sudo iw phy phy0 interface add mon0 type<\/span> monitor\r\n<\/pre>\n<\/div>\nmanaged mode\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u3092\u524a\u9664\u3059\u308b<\/h3>\n\n
<\/span>$ sudo iw dev wls1 del\r\n<\/pre>\n<\/div>\nmonitor mode\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9(mon0)\u3092Up\u3059\u308b<\/h3>\n\n
<\/span>$ sudo ifconfig mon0 up\r\n<\/pre>\n<\/div>\nmonitor mode\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\u306e\u7121\u7dda\u30c1\u30e3\u30f3\u30cd\u30eb\u3092\u8a2d\u5b9a\u3059\u308b<\/h3>\n
\u4e0a\u306e\u65b9\u306711\u30c1\u30e3\u30f3\u30cd\u30eb\u3060\u3063\u305f\u306e\u30672462\u306b\u8a2d\u5b9a\u3057\u307e\u3059\uff0e<\/p>\n
\n
<\/span>$ sudo iw dev mon0 set<\/span> freq 2462<\/span>\r\n<\/pre>\n<\/div>\n\u4ed6\u306e\u30c1\u30e3\u30f3\u30cd\u30eb\u306f\u3053\u3093\u306a\u611f\u3058<\/p>\n
\nch1 : 2412
\nch2 : 2417
\nch3 : 2422
\nch4 : 2427
\nch5 : 2432
\nch6 : 2437
\nch7 : 2442
\nch8 : 2447
\nch9 : 2452
\nch10 : 2457
\nch11 : 2462
\nch12 : 2467
\nch13 : 2472
\nch14 : 2484 <\/p>\n<\/blockquote>\n
\u78ba\u8a8d<\/h3>\n\n
<\/span>$ \/sbin\/iwconfig mon0\r\n<\/pre>\n<\/div>\n\u30d1\u30b1\u30c3\u30c8\u30ad\u30e3\u30d7\u30c1\u30e3\u3092\u3057\u306a\u304c\u3089\u30b9\u30de\u30fc\u30c8\u30d5\u30a9\u30f3\u516c\u5f0f\u30a2\u30d7\u30ea\u3092\u4f7f\u3063\u3066\u307f\u308b<\/h2>\n
\u203b\u30d1\u30b1\u30c3\u30c8\u304c\u305f\u304f\u3055\u3093\u98db\u3093\u3067\u3044\u308b\u3088\u3046\u306a\u5834\u5408\u306f\u30d5\u30a3\u30eb\u30bf\u3092\u66f8\u3044\u305f\u308aWireshark\u306a\u3069\u3092\u4f7f\u3046\u3068\u4fbf\u5229\u3067\u3059\uff0e<\/p>\n
\u30d1\u30b1\u30c3\u30c8\u3092\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u306a\u304c\u3089\u30b9\u30de\u30fc\u30c8\u30d5\u30a9\u30f3\u3067PQi Air Pen\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b\u7e4b\u3044\u3060\u72b6\u614b\u3067\u516c\u5f0f\u30a2\u30d7\u30ea\u3092\u8d77\u52d5\u3057\u3066\u66f4\u65b0\u306a\u3069\u3092\u884c\u3044\u307e\u3059\uff0e<\/p>\n
\n
<\/span>$ sudo tcpdump -i mon0 -n -A -s0\r\n :\r\n01<\/span>:26:05.670158 1<\/span>.0 Mb\/s 2462<\/span> MHz 11b -34dBm signal antenna 3<\/span> IP 192<\/span>.168.200.1.21 > 192<\/span>.168.200.102.50504: Flags [<\/span>P.]<\/span>, seq 1<\/span>:21, ack 0<\/span>, win 2896<\/span>, options [<\/span>nop,nop,TS val 194874<\/span> ecr 35416851<\/span>]<\/span>, length 20<\/span>: FTP: 220<\/span> (<\/span>vsFTPd 2<\/span>.0.7)<\/span>\r\nE..Hv.@.@..-.......f...H.[<\/span>.....;<\/span>...P.P.....\r\n...:..k.220 (<\/span>vsFTPd 2<\/span>.0.7)<\/span>\r\n...e\r\n :\r\n01<\/span>:26:05.791087 2462<\/span> MHz 11n -39dBm signal antenna 3<\/span> 72<\/span>.2 Mb\/s MCS 7<\/span> 20<\/span> MHz s\r\nhort GI mixed IP 192<\/span>.168.200.102.50396 > 192<\/span>.168.200.1.21: Flags [<\/span>P.]<\/span>, seq 1<\/span>:\r\n12<\/span>, ack 20<\/span>, win 115<\/span>, options [<\/span>nop,nop,TS val 35410347<\/span> ecr 178581<\/span>]<\/span>, length 11<\/span>:\r\n FTP: USER root\r\nE..?O.@.@..z...f.............wu....s ......\r\n..Q.....USER root\r\n...2\r\n :\r\n01<\/span>:26:05.792197 2462<\/span> MHz 11n -41dBm signal antenna 3<\/span> 72<\/span>.2 Mb\/s MCS 7<\/span> 20<\/span> MHz s\r\nhort GI mixed IP 192<\/span>.168.200.1.21 > 192<\/span>.168.200.102.50396: Flags [<\/span>P.]<\/span>, seq 20<\/span>\r\n:54, ack 12<\/span>, win 2896<\/span>, options [<\/span>nop,nop,TS val 178613<\/span> ecr 35410347<\/span>]<\/span>, length 34<\/span>: FTP: 331<\/span> Please specify the password.\r\nE..V.b@.@.\\.<\/span>.......f.....wu........P`<\/span>......\r\n......Q.331 Please specify the password.\r\nu`<\/span>a.\r\n :\r\n01<\/span>:27:11.238673 2462<\/span> MHz 11n -40dBm signal antenna 3<\/span> 72<\/span>.2 Mb\/s MCS 7<\/span> 20<\/span> MHz short GI mixed IP 192<\/span>.168.200.102.50504 > 192<\/span>.168.200.1.21: Flags [<\/span>P.]<\/span>, seq 11<\/span>:23, ack 55<\/span>, win 115<\/span>, options [<\/span>nop,nop,TS val