Posted on 1 Comment

Besside -ng : A tool to hack Wi – Fi automatically

Hello aspiring Ethical hackers. In this article, we will learn about a tool named Besside -ng, which can automatically crack WEP passwords and log WPA handshakes. This tool authored by Andrea Bittau is made in the line of another tool, Wesside-ng which only cracks WEP passwords automatically.

Before you run Besside-ng, monitor mode should be enabled on the wireless interface as shown below.

Once monitor mode is enabled on the wireless interface, we can run Besside-ng as shown below to automatically crack all the WEP passwords and log WPA handshakes.

If you want to crack the WEP password of a single Access Point, the command is as shown below

where “-c” is used to specify the channel the Wireless Access Point is running on and “-b” is the –bssid of the Wi -Fi access point.

Besside-ng automatically starts creating traffic and cracking the WEP key as shown below.

As you can see in the above image, it cracked a 64bit ASCII WEP key in less than 1 minute. How about 64 bit hexadecimal WEP key that’s a bit complex.

This key was cracked in 63 seconds. How long it will take to crack the same key we cracked earlier with aircrack?

It took just 45 seconds to crack the password. This time, I generated a complex WEP key and tried again. The key was cracked in around 15 minutes as shown below.

Here’s the WEP key I set.

Just like cracking WEP, even Cracking WPA can be automated using tool besside-ng. To do this, we run besside-ng on the target wi-fi network.

Besside-ng automatically captures WPA handshake. Then all we have to do is run aircrack on the wpa.cap file.

The WPA key has been cracked successfully.

Posted on Leave a comment

Buffer Overflow for Beginners : Part 2

Hello aspiring Ethical Hackers. In Part 2 of Buffer Overflow foe beginners, we will see how to write an exploit for a buffer overflow vulnerability. In Part 1 of this article, readers have learnt practically as to what buffer overflow is and how a buffer overflow vulnerability can be identified in a program using fuzzing. Our readers have also seen how we exploited it.
But manually fuzzing the program can be tiresome sometimes. In the example we have shown in the previous article, the buffer only needed 32 characters to be overflown but what if the buffer has a very large (let’s say 1000) size. Manual fuzzing in such cases becomes a tiresome process.

We need some automation and simplification. It’s time to introduce PEDA. PEDA is a Python Exploit Development Assistance for GNU Debugger. It enhances the functionality of the GNU Debugger by displaying disassembly codes, `registers and memory information during debugging. It also allows users to create a random pattern within the gdb console and also find the offset etc. We will learn more about the tool practically. This tool can be installed as shown below.

Now let’s go into our C lab and load the program “second” with GDB normally as shown below. This is the same program we have used in Part1 of this article. As the program loads, you will see that the interface now shows “gdb-peda” instead of just “gdb” as in the previous article.

Let us test this program once again for the buffer overflow vulnerability. Here’s the disassembled code of the program “second”.

Let’s create a string of random characters of a specific length, say 50. This can be done using the “pattern_create” command in peda. Copy the random string.

Now let’s run the program. When it prompts you the question, “Name which superhero you want to be”, paste the string we just copied and click on “Enter”. Gdb-peda gives us information about the memory registers as shown below.

It also shows us the code being executed but the most important thing it shows is the memory stack.

If you observe the stack of the program above, you can see that the string of random characters we provided as input is allocated into two memory areas. The highlighted part went into first buffer and the rest of the random characters went into the second memory area.

Instead of counting how many characters are in the first memory area, we can find the number of characters using “pattern_offset” command. We copy the random characters that went into the first buffer and use it as shown below to find the offset.

We call it as offset as we need to fill this area with random characters as no code will be executed in this offset area (as in the Part 1 of this article). The offset is 32. Well, since we no- w know the offset, let’s write an exploit for this vulnerable program. Open a new file and write the exploit as shown below.

This is a simple python exploit and the comments should explain you what it does. Let us give you more information about it. The first line of the code is basically telling the exploit to launch a python interpreter. In the second and third line, we are importing pwntools and OS modules respectively. The pwntools library has all the functions needed in penetration testing and OS module has operating system functions. In the next line we declare a variable named “path” and assign it a function os.getcwd() . This function gets the current working directory (If the OS module is not imported, this line will not work).

In the next line, another variable is declared with the name “program” and we assign it the program we want this exploit to target. As our target program is named “second” we give that name. In the next line, the “full_path” variable combines both the “path” and “program” variables to get the full working path of the program. Till this part of the code, we have reached the program we want to exploit.

Now the exploitation part. The “fill_buffer” variable fills the offset area with 32 iterations of “C” (It can be any character of your choice, but make sure its 32 for this program). In the next line we are specifying the command to be executed after the buffer is filled. Here its is “whoami”.

The exploit only works when the buffer is filled and then the command is executed. So we need to combine the “fill_buffer” and “cmd” results. The process() command start the target program while the p.sendline(bof) command sends the output of “bof” to the program already started. The p.interactive() gives the user the control after the exploit runs. Once coding is finished, save the exploit with any name you want. We named it bof1.py. Then run it as shown.

As you can see in the above image, after filling the buffer the exploit was successful in executing the command “whoami”. Now change the command to be executed and run the exploit again.

Once again it runs successfully and executes the command. This gives us a shell. This is how buffer overflow exploits are written.

When most of our readers ask as to which programming language to start learning with in the journey of ethical hacking or penetration testing, Our suggestion is always python and yo -u now know why? Python is very simple but still effective. It has a readable and easily maintainable code compared to other programming languages. Hence, it is very easy to learn. In just about ten lines, you have written the first buffer overflow exploit although its for a intentionally vulnerable program.

Posted on Leave a comment

Crack WEP passwords with aircrack

Hello aspiring Ethical Hackers. In this post, we will see how to crack WEP passwords with aircrack. I bought a new Alfa Wireless Adapter and I want to get straight away into cracking a WEP password. My Attacker machine is Kali Linux which is installed on VMware. So I first connected the GOD given ALFA Wireless adapter to my laptop, make sure it is connected to the virtual machine, open a terminal in Kali Linux and type command “iwconfig” to make sure my wireless adapter is connected.

Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.

I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.

As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.

As you can see, this shows all the wireless traffic. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.

In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point hack me if you can will be saved in the file wep_hc_crack.cap. What I am looking for is the initialization vectors that are used in cracking WEP. This initialization vectors play a key role in cracking the password of this Wi-Fi access point.

How? As I already told you, I will not tell you the technical jargon of this article for now. Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some Jugaad to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack. According to the website of aircrack,

The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.

where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.

As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.

If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.

You can see the traffic increasing. All have to do is play the game of patience now .

After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.

Posted on Leave a comment

Tomcat War Deployer : A tool to hack Tomcat

Hello aspiring Ethical Hackers. In this article you will learn about Tomcat War Deployer a tool used to pen test a Apache Tomcat system.

In the Real World Hacking Scenario of our HackercoolMag May2020 Issue, you will see how Hackercool exploits a Apache Tomcat system that is placed behind a Router. In that scenario, once Apache Tomcat credentials are compromised, he makes a war payload with Metasploit. Once the payload executes, he gets a shell on the target.

However, Metasploit is not the only tool that is used to make malicious WAR payloads. The Tomcat War Deployer is another tool that can be used to make WAR payloads which can be used for penetration testing. A WAR stands for Web Archive. It can include servlet, xml , jsp, image, html, css and js files etc. This files are created in Java.
The Tomcat War Deployer can be used from Kali Linux and can be cloned from this Github link as shown below.

Once the cloning is done, you should see a new directory named tomcatWarDeployer in the directory from which you cloned. Move into that directory and type the command highlighted in the image given below. The “-h” option is help and it displays all the commands that can be used with this tool.

Now, let’s see how to create a payload with Tomcat WarDeployer.

The “-H” option is used to specify the host IP address to which we want our shell to be connected (i.e the attacker system’s IP address). The “-p” option specifies the port on which the shell should connect to (we specified port 4646 here). The “-G” option is used to specify the name of the output file. We named it tomcat_shell for this article.

Let’s upload this shell to the target. We are using the same target that we have used in the Real World Hacking Scenario of the Hackercool Magazine May 2020 Issue.

Before executing it, let’s start a Netcat listener on port 4646.

When you click on the payload on the target, you will see something as shown below. Your payload is protected with a password to prevent its misuse from others (read hackers). However this password is randomly generated and even you will lose access if you don’t know it.

The “-X” option is used to set the password for our payload. Setting it to “None” as shown below will not set any password for our payload.

You can set any password you want as shown below. Here, we set it to “hcool”.

The “-v” option is used to set the verbose mode. This gives more clear details about the creation of payloads. You can see it below.

Now, let’s create a payload named “tomcat_shell.war” without any password.

Here’s how its looks.

Let’s create the payload with password “123456”. It is wise to generate a payload with a password while penetration testing to avoid misuse.

The “-s” option simulates the breach without performing any offensive actions.

Simulation helps us to verify if the attack works without changing anything on the target system. The “-U” option is used to set the username and “-P” option is used to set the password. These are the credentials we need to login into the target.

In the above image, the simulations says that it reached the target, validated the credentials and did everything to prove that the attack works. But it did not deploy the payload.
The “-C” option specifies not to connect to the spawned shell immediately. By default, it connects to the spawned shell immediately. This option stops that letting us use other handlers like Metasploit or Netcat. Since we already started a Netcat listener, we will use this option for now. We can specify the target IP address and port at the end of the command as shown below.

At our Netcat listener, we already have a shell as you can see in the image below.

If you don’t specify the “-C” option, shell will be automatically spawned as shown below.

Finally, after the penetration test is completed, you can delete the uploaded payload using the “-R” option. You need to specify the name of the payload with the “-n” option. The example is shown below.

Posted on Leave a comment

PrintNightmare, Privilege Escalation in Powershell

PrintNightmare is a critical vulnerability affecting the Microsoft Windows operating systems. The recently disclosed vulnerability is present in the print spooler service of Microsoft Windows. The printer spooler service is used for printing services and is turned on by default. The versions of Windows vulnerable to PrintNightmare include Windows 7 to Windows 10 and windows Server 2008 to the latest version of Windows Servers.

The PrintNightmare vulnerability has two variants : one is enabling remote code execution (CVE-2021-34527) and the other privilege escalation (CVE-2021-1675). In this article, readers will see a demonstration of exploiting the privilege escalation vulnerability in PrintNightmare.
For this demonstration, we will use Windows 10 version 1809. The Powershell Script we used in this demo can be downloaded from Github.

In this scenario, imagine I already have access to the target machine as a user with low privileges. Let me demonstrate it to you. The first thing I need to confirm is whether the printer spooler service is running on the target system or not. This can be done using powershell command “Get-Service -Name “spooler”“.

The print spooler service is running. Now I can exploit it. Before that let me show you that I am a user with limited privileges i.e as “user 1” with very limited privileges.

Next, I already downloaded the Powershell script I need to exploit the Printnightmare vulnerability .So I moved to the Downloads folder where the Powershell script is saved. Once I am inside that folder, I run the command

Import-Module .\ <script Name>“as shown below.

Once the Powershell module is imported, I can execute the script with command
Invoke-Nightmare -NewUser “<username to create >” -NewPassword <password for that new user> DriverName “PrintMe”
This command will create a new user with administrator privileges.

In the image above, you can see the existence of new user named “hacker” which I created. Now, let’s check the privileges of this user.

As readers can see, the new user I created belongs to the local administrators group. I reboot the system and try to login as that user.

The exploitation is successful.