Author: kanishka10

Posted on by

Aircrack-ng: Complete guide to beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what is Wifi hacking and different techniques to hack wireless networks. In most of these hacking techniques, a tool named aircrack plays a very important role.

In this blogpost, you will learn about this tool. Aircrack-ng or aircrack ng is a complete suite of tools used to test wi-fi network security. The various functions of aircrack include,

  1. Monitoring: It can be used to capture wireless packets and save data in text file which can be processes by third party tools.
  2. Attacking: We can use it too perform various wireless attack like Replay attacks, DE authentication access points and other attacks.
  3. Testing: Checking Wi-Fi cards and capability of the drivers. (capture and injection)
  4. Cracking: For cracking WEF and WPA PSK (WPA 1 and WPA 1) passwords.

Just now, we have learnt that aircrack-ng is a combination of tools. Let’s understand what those tools are and what are they used for.

1. airbase-ng:

It is a multi purpose tool that can be used to attack the Wi Fi client instead of the Wi Fi access point.

2. airdecap-ng:

With this tool, you can decrypt WEP/WPA/WPA2 capture files. It is also used to remove the wireless headers from an unencrypted wireless capture.

3. aircrack-ng:

It is key cracking program.

4. airdecloak-ng:

Some wireless Intrusion Prevention System (WIPS) prevent WEP from being cracked by using fake WEP frames. This tool removes the WEP cloaking frame a captured pcap file.

5. airdrop-ng:

airdrop-ng is a program used to de authenticate users from access points. It uses rule based de authentication techniques that can be MAC address, type of hardware, etc.

4. aireplay-ng:

This tool is used to inject frames. It is used to generate traffic which can be used later by aircrack-ng for WEP and WPA-PSK key cracking.

5. airmon-ng:

It is used to enable monitor mode on wireless interfaces.

6. airodump-ng:

This tool is used to capture raw 802.11 packets. It is used particularly for collecting WEP IVS or WPA handshakes to crack later with aircrack.

7. airolib-ng:

This is a tool designed to store and manage ESSID and password lists. calculate their Pairwise Master Keys (PMK’s) and use them in WPA/WPA2 cracking.

8. airtun-ng:

This tool creates a virtual tunnel interface. It has two basic functions. They are, allowing all encrypted traffic to be monitored for wireless interface detection system (WIDS) and injecting arbitrary traffic into a network.

9. Besside-ng:

It is used to automatically crack WEP and WPA networks . See how to automatically crack WEP and WPA networks with Besside. Learn more about it .

10. dcrack-ng:

dcrack is used to distribute WPA2 / PSK cracking process across multiple servers.

11. easside-ng:

This tool is a magic tool that allows you to communicate with a WEP access point without knowing its WEP key.

12. packetforge-ng:

This tool is used to create encrypted packets to be used for packet injection. Using this tool, we can create various types of packets like ARP requests, UDP, ICMP and custom packets.

13. tkiptun-ng:

This tool is used to inject a few frames into a WPA TKIP network.

14. wesside-ng:

Wesside-ng is another auto-magic tool that uses a variety of techniques to get the WEP key.

    Cracking WEP passwords with aircrack

    Let’s see how to crack WEP passwords with aircrack. All wifi hacking attacks require a wireless adapter that supports packet injection. For this tutorial, I am using ALFA Wireless USB adapter. My attacker machine is Kali Linux which is installed on VMware. So I first connected the ALFA wireless adapter to my laptop and make sure it is connected to the Kali Linux virtual machine. Now, I open a terminal in Kali Linux and type command shown below that shows all the wireless interfaces connected to the machine. 

    iwconfig

    Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.

    I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.

    As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.

    how to crack wep with aircarck

    As you can see, this shows all the wireless traffic around us. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.

    In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point “Hack_Me_If_You_Can” will be saved in the file “wep_hc_crack.cap”. What I am looking for is the initialization vectors that are useful in cracking WEP. This initialization vectors play a key role in cracking the password of any WEP enabled Wi-Fi access point.

    Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some tricks to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack.

    The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.

    where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.

    As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.

    If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.

    You can see the traffic increasing. All have to do is play the game of patience now .

    After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.

    Cracking WPA / WPA2 passwords with aircrack

    Now, let’s see how to crack WPA / WPA2 with aircrack. WPA stands for Wifi Protected Access. It is an encryption system to secure WLAN networks. It eliminates all known vulnerabilities in WEP(Wired Equivalent Privacy).  WPA uses 128 bit key and  48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and  pre-shared key(PSK) authentication.  The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered  most secure for Wifi networks.

    I am using the same arrangement I used for cracking WEP above. So let’s start. Once you have booted into Kali Linux, open terminal and type command “iwconfig”. It lists your wireless interfaces just like ifconfig shows wired interfaces.

    We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on our wireless interface. Monitor mode is same as promiscuous mode in wired sniffing. Type command shown below. We can see below that monitor mode has been enabled on “mon0″.

    airmon-ng start wlan0

    Now let’s see all the traffic collected by our wireless interface. Type command airodump-ng mon0.

    Hit Enter. We can see all the wireless networks available as shown below.

    crack wpa

    We can see that all the wifi networks are configured with  WPA2 or WPA. We are going to hack the network “shunya”. We will collect the shunya’s network traffic into a file. Open a terminal and type command “airodump-ng –bssid <Mac address of wifi access point> -c 13 –write wpacrack mon0″.

    where

    • –bssid stands for base station security identifier
    • <MAC address> is the Mac address of access point.
    • -c is used to specify the channel the wifi network is operating on.
    • –write to write to a file.
    • “wpacrack”  is the file name we are writing into.
    • mon0 is the interface.

    Hit Enter. We will see the result as below.

    We can only hack a WPA/WPA2 protected Wifi network by capturing its handshake process or association( when the client is trying to connect to the wifi network.).  So let’s try to disconnect all the clients connected to the wireless network “shunya” first. Open a new terminal and type the command 

    aireplay-ng –deauth 100 -a <MAC> –ignore-negative-one mon0

    where

    –deauth are the de authentication packets,

    100 are the number of de authentication packets we want to send.

    -a stands for access point.

    <MAC> is the MAC address of the wireless access point.

    This command will send 100 de authentication packets to the broadcast address of the wireless access point. This will make all the clients connected to the “shunya” get disconnected. As soon as this happens, all the clients will try to connect back to the wireless network once again. We can see that a WPA handshake has happened in the previous terminal.

    Now let’s see where our capture file is located. Type “ls”. We will do dictionary password cracking here. So let’s find out where the dictionaries are.  Type command “locate wordlists”. This will show us a number of wordlists available by default in Kali Linux.

    Our captured traffic is stored in .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type command 

    aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt

    Hit Enter. If our dictionary or wordlist has this password, the result will be as below. If our dictionary doesn’t have the password, we have to use another dictionary or wordlist.

    Remember that the choice of dictionary or wordlist will play a key role in WPA/WPA2 password cracking. So that is one way in which we crack wpa wpa2 password  with aircrack for you. Hope this was helpful. Learn how to crack WPA WPA2 with Fern Wifi cracker.

    Posted on by

    BeEF Browser exploitation tool: Beginners guide

    Hello, aspiring ethical hackers. In our previous blogposts, you learnt about Windows hacking techniques, Linux hacking techniques etc. In this blogpost, you will learn about BeEF tool that focuses on exploiting a software or program extensively used in both Linux and Windows operating systems. We are talking about web browser. BeEF is short for “The Browser Exploitation Framework”. It is a penetration testing tool focusing on the web browser.

    In the noise of ever increasing cases of web server hacking and web application hacking, one that is often ignored is the exploitation of web clients, aka browser. Browsers once compromised, provide a easy way of gaining access to hackers. No doubt, attacks targeting web clients are on the rise. BeEF helps pen testers to understand the security posture of web browsers in an organization.

    Let’s see how to use it. BeEF is present in the repositories of Kali Linux. We will be using the same for this tutorial. It can be installed on Kali as shown below.

    After BeEF is successfully installed, don’t forget to run it with root privileges. Otherwise, it will not start.

    After running for the first time, BeEF will ask you to setup a new password. Set it. Once you set it, it will start a web interface by default. Before that, it will display a hook as shown below.

    Before you use BeEF further, you need to understand two terms related to it. They are,

    1. Hook: A hook is something used to trap a browser.
    2. Zombie: A trapped browser is known as a Zombie.

    Once the web interface of BeEF opens, login with username “beef” and the password you set earlier.

    Once you login, you will be greeted with the dashboard of BeEF. The interface can be divided into two parts. On the left, you will see hooked browsers section. All those browsers that are compromised by BeEF are shown here. On the right, you can see the general interface of BeEF.

    It has three tabs. The “Logs” tab show all the activity happening with BeEF.

    The “Zombies” tab, as you expected will display all the compromised browsers.

    BeEF also has “Getting started” tab. Now, let’s see how to hook a browser. Browsers can be hooked by using the hooks shown at the beginning. You have to somehow make users click on this hook script. Of course, this requires social engineering.

    For demonstration purpose, BeEF has two demo pages that work as hooks. One is basic and advanced. They can be found in “Getting Started” tab as highlighted in the above image. Here is the basic demo page and advanced demo page.

    All we have to do is copy the links of the pages and make target users click on these links. As soon as they do it, the browser gets hooked as shown below.

    When you click on the IP, the “current browser” tab opens, displaying general information about the target OS on which that browser is installed.

    The “Current browser” tab opens a few sub-tabs of itself. You have seen about the “details” tab above. The “Logs” sub-tab shows all the logs belonging to the current browser.

    The most powerful part of BeEF in its command section.

    This section includes all the commands that can be executed on the target system.

    For example, let’s execute a command “Detect Antivirus” as shown below. This command as its name suggests tries to detect if Antivirus is installed on target system or not. We can execute this module by clicking on “Execute” as shown below.

    To see the result of the executed command, click on the command in history. It will display the result in command results window to the right.

    In our case, it’s true that Antivirus is not installed on the target system. If you click on the “Zombies” tab you have learnt above earlier, your hooked browser can be seen, as shown below.

    Posted on by

    Beginners guide to Steghide

    Hello, aspiring ethical hackers. In one of our previous blogposts, you have learnt in detail about steganography and types of steganography techniques. In this blogpost, you will learn about steghide, a tool that can perform image steganography and audio steganography.

    Let’s see how this tool works. This tool is installed by default in Kali Linux. The command to use steghide is shown below. If it is not installed yet, the system will prompt you to install it as shown below.

    After steghide is successfully installed, let’s get ready our files. To perform steganography, we need two files: a file we want to hide (hereby called as secret file to avoid confusion) and another file to hide this secret file. So, first let’s create file which we want to hide (I mean, secret file). Let’s create a text file named “secret.txt” with some text inside as shown below.

    Now, we need a file in which we can hide this “secret.txt” file. With Steghide, we can hide secret data in JPEG, BMP and audio files of WAV and Au formats. For this tutorial, let’s just download a hot pic in jpeg format from Freepix as shown below. 

    What can be hotter than an erupting volcano. Since both files are ready, we can start working with steghide. Here’s the command.

    Here is the explanation of the options used:

    –embed: for embedding a file into another (in this case, embedding secret.txt into volcano.jpg).

    -ef: file that needs to be hidden or embedded

    -cf: file in which the above file is to be hidden.

    -sf: resultant file after embedding.

    You can embed a file even without using the ‘-sf’ option but when you do that, the original file (in our case, volcano.jpg) will be overwritten. Steghide will ask you to set a password while embedding a file, you can continue without setting the password too, but that would make it easy for right people to see the secret message. This is the image with secret data hidden beside it.

    It is looking just like any normal image, right. We can use steghide to specify additional options while embedding but before that let’s learn how to extract this secret data from the image file. To retrieve hidden data from the image file, we use the “extract” command of steghide is used.

    You can even specify a separate file to extract the secret data from using the ‘-xf’ option below.

    Whatever the case, you have to enter the correct password while extracting. Steghide also has a ‘info” command to display the information about the image file with secret data. Here it is how it works on a normal image file.

    Now, let’s get information about our “volcano_with_secret.jpg file.

    As you can see, steghide reveals that the above file (volcano_with_secret.jpg) is embedding a file named “secret.txt, it is compressed and encrypted with rijndael-128, cbc encryption. Now, let’s learn about additional options that can be used with steghide while embedding a file. We have seen while using “info” command that the name of the embedded file was displayed using the “-N” option, you can stop this name from being displayed.

    Now, let’s observe this file using the “info” command as shown below.

    As you can see, the name of the hidden file is not being displayed now. You can even encrypt a file with steghide using the “-z” option.

    By default, steghide uses rijndael-128 cbc encryption to encrypt the file. We can even specify the encryption algorithm we want. The encryption algorithms supported by steghide can be viewed using the “encinfo” command.

    We can set our own encryption algorithm we want using the ‘-e’ option. For example, let’s set the DES algorithm with cbc cipher.

    That is how we use steghide to hide a file.

    Posted on by

    Beginners guide to Shodan

    Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about footprinting or information gathering and the various methods of reconnaissance. In another blogpost, you learnt what is OSINT. In this blogpost, you will learn about a resource that falls into the above categories. Its named Shodan, I prefer to call it the hackers search engine

    What is Shodan?

    You know about Google search engine and its power. It allows you search for images, videos, news etc. what if there was a search engine to search for various types of devices connected to the internet. These devices can be webcams, routers and different servers like web server, FTP server, Telnet, SSH, SNMP, IMAP, SMTP etc. In fact, everything connected to internet. Well, the answer is Shodan.

    Let’s learn more about it. Go to the official website of it here and in the search field, search for Apache.

    It will start displaying all the Apache servers connected to internet as shown below.

    But as you try to go to the next page to see more entries, you should see the below error.

    You can search for anything you want but the results are limited if you are not registered. You can create an account on Shodan by going to the Register page. Registration is free and after you confirm your registration from your email, you are ready to use the power of this awesome search engine.

    You can login into your Shodan account and search for whatever you want.

    Let’s search for SSH servers running on ports 22 and 3333.

    Sometimes, administrators just change the operating port of a server to prevent hacking attacks. We can even search for them. For example, let’s search for SSH servers running on ports other than 22 and 3333.

    Let’s search for Redis servers.

    In fact, you can search for anything connected to the internet using Shodan. Seeing the use of this tool for pen testers, the makers of Kali Linux have included Shodan-cli, a command line version in their repository.

    Before using the command line version of Shodan, you need to add the API key of Shodan. It can be added as shown below.

    This key can be seen in the Account section of Shodan. Once the API key is entered, you can use Shodan-cli.  This API key can also be used with tools like SpiderFoot used for OSINT. Note that the features are dependent on the types of account you have at Shodan. Free account has limited features. Let’s see how many open SSH and Filezilla servers are exposed to the internet.

    After seeing all this, you may wonder how Shodan works or is it legal to use it. Shodan works by using a technique called banner grabbing. It captures banners of all the devices connected to the internet and then stores them in its database. Although it is legal to use Shodan for querying, it is not to do anything on the exposed servers without their permission. It is used by pen testers to see what devices are exposed and what information they are leaking to the internet.

    Posted on by

    John password cracker: Beginners guide

    Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt about password cracking and different types of password cracking techniques. In this blogpost, you will learn about a password cracking tool called John password cracker. Originally, called John the Ripper, John password cracker is a cross-platform software and a very popular password cracker.

    In one of our previous blogposts, you learnt in detail about encryption. Hashing is a method of encryption in which a plain string of text is converted into an encrypted hash. This is a one-way function and hashes cannot easily be converted back to plain string. This technique is often used for storing passwords.

    Being one of the most popular password hash cracking tools, John is installed by default in Kali Linux and I will be using the same for this tutorial. To demonstrate the power of John, first we need to create a hash. This can be done using online services like md5encrypt. I copy the generated MD5 hash to a text file named hash.txt as shown below.

    Then all we have to do is submit this file to John as shown below.

    Then John begins to crack the hash in the file. In most of the real-world cases, this will consume lot of time. So, it is good to specify the format of the hash using the ‘–format’ option as shown below. The format of the hash can be identified using hash identification.

    As you can see in the above image, John successfully cracked the password hash. Let’s add a SHA-1 hash now to the same file and try cracking it.

    The list of all the hash formats John can crack are many. John can crack a number of password hashes at once. However, they should all be of same format. Let’s add another MD5 hash to the hash.txt file.

    Once a hash is cracked by John, it can be viewed using the ‘–show’ option. For example, all the hashes in file “hash.txt” can be viewed as shown below.

    Single mode

    As already mentioned at the beginning of this article, John can use different techniques to crack password hashes. One of them is single mode. People in some cases use the username as a password (or a variation of username as password). Single mode is mostly useful in these cases. When single mode is specified, it tries all the variations of the username to crack the hash. Let’s try it out. I add a password hash along with the username to the file hash.txt.

    Then, specifying single mode does this.

    Wordlist mode or Dictionary mode

    John can also use dictionary mode to crack the hash. I add a new hash to the file hash.txt.

    Then all we need to do is specify a wordlist as shown below.

    Incremental mode

    If all those options fail, John still has incremental mode in which the combination of all the techniques are used. But this may take lot of time and resources.

    But password cracking is all about patience. Learn how to crack hashes with hashcat.