Hacking tools, CTF write-ups, Tutorials, etc…

ad-hoc wifi connection between 2 linux stations

In this post I will show you how simple it is to connect two clients (linux, of course) ad-hoc via wifi without needing additional tools.

What you need: root access on the machines!

First, identify your wifi nic:

root@host:~$ iw dev
	Interface wlan0
		ifindex 4
		type managed

In this case we’ve identified wlan0 as our wireless interface. As you see, the type of this interface is managed. We have to change the type to ibss:

root@host:~$ iw dev wlan0 set type ibss

Let’s verify this:

root@host:~$ iw dev
	Interface wlan0
		ifindex 4
		type ibss

Now let’s join a network. Here, join means: if there’s already a network with that name, join it; otherwise create a new one. The manpage of iw says:

dev ibss join [HT20|HT40+|HT40-|NOHT] [fixed-freq] [] [beacon-interval ] [basic-rates ] [mcast-rate ] [key d:0:abcde]

In this example we choose MyNetwork as SSID and the frequency 2417 MHz, which is channel 2.
So, the following command on both machines will let them talk to each other.

root@host:~$ iw wlan0 ibss join MyNetwork 2417 key d:0:f00b4r

But, what do we need for network communication? Alright, ip addresses 😉
First flush the adapter (this step is not mandatory):

root@host:~$ ip address flush wlan0

Next, set up ip addresses, for example:

root@host:~$ ip address add dev wlan0

If not done already, bring up the device:

root@host:~$ ip link set wlan0 up

Now you should be able to ping each other:

root@host:~$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=64 time=0.766 ms
64 bytes from icmp_req=2 ttl=64 time=0.773 ms
64 bytes from icmp_req=3 ttl=64 time=0.694 ms
64 bytes from icmp_req=4 ttl=64 time=0.705 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.694/0.734/0.773/0.044 ms

Et voilà, that’s it!

Take care: the connection is only WEP encrypted. Don’t share sensitive data through this channel!!!
Another note: in many linux distributions NetworkManager is responsible for managing network devices. Often this causes trouble; to avoid it you can tell NetworkManager to ignore devices. But for the above example that’s not recommended, because an ad-hoc connection is only a temporary solution. It’s easier to stop the service with the following command:

root@host:~$ /etc/init.d/network-manager stop

Killing instances of wpa_supplicant and dhclient is also recommended:

root@host:~$ killall dhclient && killall wpa_supplicant
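The steps above as one script, an added example that is not from the post: it converts the channel number to the MHz value iw wants, takes the interface down before changing its type (iw refuses with "Device or resource busy" on an up interface) and brings it up again before joining. The interface name, SSID, address and key are constructed values, and the function names are mine.

```python
#!/usr/bin/env python3
"""Added example, not the post's own code: the post's iw/ip steps as one script.
Assumes Linux with iw and iproute2 and root for the real run; dry_run only
returns and prints the commands.  Names and sample values are mine."""
import subprocess

def channel_to_mhz(channel):
    """2.4 GHz channel number -> centre frequency in MHz, as iw expects (2 -> 2417)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("unsupported 2.4 GHz channel: %d" % channel)

def adhoc_commands(iface, ssid, channel, cidr, wep_key=None):
    """Command sequence.  iw only changes the type of a down interface and only
    joins with an up one, so the link is toggled explicitly around those steps."""
    join = ["iw", "dev", iface, "ibss", "join", ssid, str(channel_to_mhz(channel))]
    if wep_key:
        join += ["key", "d:0:" + wep_key]     # static WEP key, as in the post
    return [
        ["ip", "link", "set", iface, "down"],
        ["iw", "dev", iface, "set", "type", "ibss"],
        ["ip", "link", "set", iface, "up"],
        join,
        ["ip", "address", "flush", "dev", iface],
        ["ip", "address", "add", cidr, "dev", iface],
    ]

def adhoc_up(iface, ssid, channel, cidr, wep_key=None, dry_run=False):
    """Run (or with dry_run just print) the sequence; stops at the first failing command."""
    cmds = adhoc_commands(iface, ssid, channel, cidr, wep_key)
    for cmd in cmds:
        print("+ " + " ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return cmds

if __name__ == "__main__":
    # Constructed values: the post's SSID, channel 2 (= 2417 MHz) and key.
    adhoc_up("wlan0", "MyNetwork", 2, "10.0.0.1/24", "f00b4r", dry_run=True)
```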

nullcon #ackIM CTF – Crypto 100 Writeup

The task was to “find the key” in the given ciphertext:


Analyzing it leads to the observation that the text always comes in pairs of one uppercase and one lowercase letter. After struggling around I recognized that some of the pairs repeat frequently, ‘Ge’ for example. I thought about a character substitution cipher and started by replacing ‘Ge’ with ‘ ‘ (blank):

TaPo TaBi PoHfTm YbAtPtHoPoTaAuPt AuYb BiHoTaTmPtHoTm PoAu ErTaBiHoAuRnTmPb PoHfTm TmRaTaBiPoTmPtHoTm AuYb Tb LuTmPtTmPbTbOs PbTmTaLuPt AuYb AuPbErTmPb TaPt PtTbPoAtPbTm TbPtEr PoAu YbTaPtEr PoHfTm HoTbAtBiTmBi LuAuRnTmPbPtTaPtLu PoHfTaBi AuPbErTmPbPd TbPtEr PoHfTaBi PbTmYbTmPbBi TaPt TmTlAtTbOs IrTmTbBiAtPbTm PoAu PoHfTm PbTmOsTbPoTaAuPtBi AuYb IrTbPt Rh BiAuHoTaTbOs TbPtEr HgAuOsTaPoTaHoTbOs Rh TbPtEr PoAu PoHfTm TmPtPoTaPbTm AtPtTaRnTmPbBiTm TbBi Tb FrHfAuOsTmPd

These look like words, so the idea of a character substitution seems right. I continued with an analysis of letter frequency. In the end the ciphertext could be translated to:

it is the function of science to discover the existence of a general reign of order in nature and to find the causes governing this order. and this refers in equal measure to the relations of man , social and political , and to the entire universe as a whole.

Googling this text showed that it is a quote from Dmitri Mendeleev, who invented the periodic table, which finally was the flag.

FLAG: “periodic table”
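An added example, not the write-up’s code: the pairs are chemical element symbols, and each symbol’s atomic number is the ASCII code of the upper-cased plaintext character (Ge = 32 = space, Tb = 65 = ‘A’), which I checked against the author’s plaintext above; the two ‘Rh’ symbols decode to ‘-’ (Z = 45), the dashes the author rendered as commas. The script tokenizes symbols with a regex, which also handles single-letter symbols such as W for ‘J’, lists symbol frequencies as the author’s first step, and decodes and encodes by atomic number; the sample is constructed from the first words of the challenge text.

```python
#!/usr/bin/env python3
"""Added example, not the write-up's code: decode the challenge text by reading
each symbol as a chemical element and taking chr(atomic number)."""
import re
from collections import Counter

# Element symbols in order of atomic number (Z = index + 1), up to thorium (Z = 90);
# that covers ASCII 32..90: space, punctuation, digits and upper-case letters.
SYMBOLS = (
    "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni Cu Zn "
    "Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I Xe Cs Ba La Ce Pr Nd "
    "Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt Au Hg Tl Pb Bi Po At Rn Fr Ra Ac Th"
).split()
Z = {sym: i + 1 for i, sym in enumerate(SYMBOLS)}

# A symbol is a capital letter plus an optional lower-case one; this also splits
# single-letter symbols (W = 74 = 'J') that the "always a pair" observation misses.
TOKEN = re.compile(r"[A-Z][a-z]?")

def tokenize(ciphertext):
    return TOKEN.findall(ciphertext)

def symbol_frequencies(ciphertext, n=5):
    """The author's first step: the most common symbol (Ge) is the space."""
    return Counter(tokenize(ciphertext)).most_common(n)

def decode(ciphertext):
    """Each symbol becomes chr(Z); anything that is not an element becomes '?'."""
    return "".join(chr(Z[t]) if t in Z else "?" for t in tokenize(ciphertext))

def encode(plaintext):
    """Inverse mapping: the symbol whose atomic number is ord(c) for each upper-cased c."""
    out = []
    for c in plaintext.upper():
        if not 1 <= ord(c) <= len(SYMBOLS):
            raise ValueError("no element with Z = %d for %r" % (ord(c), c))
        out.append(SYMBOLS[ord(c) - 1])
    return "".join(out)

# Constructed sample: the first words of the challenge text, before Ge was replaced.
SAMPLE = "TaPoGeTaBiGePoHfTmGeYbAtPtHoPoTaAuPtGeAuYbGeBiHoTaTmPtHoTm"

if __name__ == "__main__":
    print(symbol_frequencies(SAMPLE, 3))
    print(decode(SAMPLE))   # IT IS THE FUNCTION OF SCIENCE
```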

nullcon #ackIM CTF – Web100 Writeup

In this challenge a link to ToErrisHuman.php was given. Visiting this url shows a webpage looking like a 404 error page from the apache web server. Additionally there’s a random-looking Error Code embedded.
After reloading the page a few times, the error code changes every time. It turns out that the error codes aren’t random: the code sequence repeats every 16 reloads.

Guessing around and doing some crazy xor operations was not the trick.
It took me a lot of time until I tried a simple base64 decode -.-

Here’s my solution written in python:

#!/usr/bin/env python
# Works under Python 2 and 3.

import requests
import re
from base64 import b64decode

URL = ""  # challenge URL (not preserved in the write-up)
pat_code = "Error Code: [a-zA-Z0-9]{2}"
pat_cookie = "PHPSESSID=[a-zA-Z0-9]{26}"

codes = list()

data = requests.get(URL)
for i in range(16):
    # The server hands out a fresh PHPSESSID with every response; send it back
    # so the 16-step sequence advances instead of starting over.
    newcookie = data.headers['set-cookie']
    newcookie = re.search(pat_cookie, newcookie).group(0)
    newcookie = re.sub("PHPSESSID=", "", newcookie)
    cookie = dict(PHPSESSID=newcookie)
    data = requests.get(URL, cookies=cookie)
    errcode = re.search(pat_code, data.text).group(0)
    errcode = re.sub("Error Code: ", "", errcode)
    print("({}) -> {}".format(i, errcode))
    codes.append(errcode)  # collect the 2-char chunk; 16 x 2 = 32 base64 chars
cipher = ''.join(codes)
# encrypted: TnVsbGNvbkdvYTIwMTVAV0VCMDAxMTAw
print("[*] encrypted: {}".format(cipher))
# decrypted: NullconGoa2015@WEB001100
print("[*] decrypted: {}".format(b64decode(cipher).decode()))

I know, it’s kinda dirty code, especially the cookie lines. I had to accept every new cookie. Maybe there’s a more elegant way to accept those, but hey… String operations in python work fine ^^

FLAG: NullconGoa2015@WEB001100

bash ip scanner

With /bin/bash you can scan a whole subnet for alive clients without needing an icmp reply, just using arp. First a quick look at bash brace expansion:

for i in {1..3}; do echo $i; done

results in:

1
2
3
So, let’s try pinging the whole subnet with the following command:

for i in {1..254}; do ping -c 1 192.168.0.$i > /dev/null 2>&1 & /bin/true; done

What will happen:

  • for i in {1..254}; do…
    A simple for loop: do something (…) 254 times.
  • …ping -c 1 192.168.0.$i…
    For every “round” of the loop send a ping; -c 1 means only one request. $i is replaced by the current number between 1 and 254.
  • …> /dev/null 2>&1…
    Redirect everything (STDOUT and STDERR) to /dev/null, a device you can imagine as “trash”.
  • …& /bin/true; done
    Now it’s getting tricky… The ampersand “sends” the current process to the background. /bin/true is a binary in linux which does nothing but return true; it has no further meaning. We need this step because the ampersand can’t be the last “item” in the loop before the done statement. Otherwise we would have to wait for every process to finish, which costs time.

Now wait a few seconds for all 254 processes to finish. After 2-3 seconds you’ll see something like:

[251] 7049
[252] 7051
[253] 7053
[254] 7055

Bash shows you the process ID of each process that was pushed to the background. Now press ENTER 2-3 times and ignore the lines containing EXIT.

Above I said that we don’t need icmp to be activated on the clients. Instead of waiting for icmp replies, we take advantage of ARP (RFC 826): before each communication (in the local subnet!) the client asks via ARP for the MAC address associated with an IP address. The requested computer answers with an arp reply. If the client gets an arp reply, communication will be established. Communication in this case means pinging.

Now let’s view the local arp cache:

  • ip neigh show
    Shows the local arp cache, but you’ll see it’s not easy to read.

Let’s parse this output and exclude every failed request:

  • ip neigh show | grep -v FAILED
    Now you have a list with all clients in your local subnet.

Thx for reading, share it if you like.
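The sweep plus neighbour-cache parsing from this post in Python, as an added example that is not the author’s code: it builds the one-packet pings with the ipaddress module, then parses ip neigh show output and keeps only entries that carry a lladdr, which also drops INCOMPLETE entries (no MAC yet) that grep -v FAILED lets through. The sample cache output, the interface name and the MACs are constructed; ping -W 1 is the iputils timeout option.

```python
#!/usr/bin/env python3
"""Added example: ARP-based host discovery as in the post, in Python.
Assumes Linux with iputils ping and iproute2; run_sweep/alive_now need a live network."""
import subprocess
from ipaddress import ip_address, ip_network

def sweep_commands(subnet):
    """One single-packet ping per host address, like the post's loop.
    -W 1 caps the wait for non-responders at one second (iputils ping)."""
    return [["ping", "-c", "1", "-W", "1", str(h)] for h in ip_network(subnet).hosts()]

def run_sweep(subnet):
    """Fire all pings in parallel with their output discarded, then wait for them."""
    procs = [subprocess.Popen(c, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
             for c in sweep_commands(subnet)]
    for p in procs:
        p.wait()

def parse_neigh(text):
    """Parse `ip neigh show` lines into (ip, mac or None, state) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev":
            continue
        mac = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
        entries.append((fields[0], mac, fields[-1]))
    return entries

def alive(text, subnet=None):
    """Hosts that answered ARP: a MAC is known and the state is not FAILED/INCOMPLETE.
    Unlike `grep -v FAILED`, this also drops INCOMPLETE entries that have no MAC."""
    net = ip_network(subnet) if subnet else None
    return [(ip, mac) for ip, mac, state in parse_neigh(text)
            if mac and state not in ("FAILED", "INCOMPLETE")
            and (net is None or ip_address(ip) in net)]

# Constructed sample of `ip neigh show` output after a sweep of 192.168.0.0/24.
SAMPLE_NEIGH = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.5 dev wlan0  FAILED
192.168.0.7 dev wlan0 lladdr 00:11:22:33:44:07 STALE
192.168.0.9 dev wlan0  INCOMPLETE
fe80::1 dev wlan0 lladdr 00:11:22:33:44:01 router STALE
"""

def alive_now(subnet):
    """Sweep the subnet, then read the real neighbour cache."""
    run_sweep(subnet)
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True, text=True, check=True).stdout
    return alive(out, subnet)
```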