Category: Hacking Tools

Posted on by

Beginners guide to Recon-ng

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about OSINT. In this article, you will learn about Recon-ng, a OSINT gathering tool.

Recon-ng is an open-source intelligence gathering tool aimed at reducing the time spent harvesting information from open sources. It is a full-featured reconnaissance framework designed to gather OSINT information very quickly.

Let’s see how this tool works. For this, we will be using Kali Linux as Recon-ng is installed by default on it. This tool can be started using command shown below.

recon-ng

If you notice the above images, the interface of Recon-ng is similar to Metasploit. It has been designed in such a way to decrease the learning curve. You can create different workspaces in Recon-ng. To create a new workspace, you have to use the command shown below.

workspaces create <name of workspace>

For example, we have created a new workspace named “hc_test”. The various framework items of Recon-ng that are useful to us can be seen using command shown below. 

show

For this tutorial, let’s gather information about a domain. To do this, we need to first add a domain. This can be done using command shown below.

db insert domains

Now, you can see the domains you added using command shown below.

show domains

Similarly you can add and view other items too in similar manner. Just like Metasploit, Recon-ng has various modules each performing a specific function. You need to first add these modules to Recon-ng to be able to use them. This modules are found in ‘marketplace’ and can be viewed using command shown below.

marketplace search

This will list all available modules. Searching for the module we want can be laborious and in some cases nothing less than searching for needle in haystack. But don’t worry. You can even search for modules you want. For example, let’s search for Whois related modules. This can be done as shown below.

marketplace search <search term>

From here, you can install any module we want. This can be done using command shown below. For example, let’s install the recon/domain-contents/ whois-pocs/ module.

marketplace install <module>

Similarly, you can install other modules we want in the same way from the market place. Once they are installed, you can search for all installed modules using the command shown below.

modules search

To load a module, we use command as shown below. 

modules load <module_name>

For example. let’s load the module we just installed.

Once the modules is loaded, you can view information about the module using the “info” command as shown below.

As you can read in the above module, this module retrieve poc data about a domain for Whois queries. Since we have already added a domain, all you have to do is execute the module using command “run”.

As you can see, the module retrieved contact information belonging to the domain we queried. This information contains first name, second name and email addresses of 46 contacts belonging to the domain (The retrieved data has been hidden for the purpose of privacy). This information can be useful while phishing or spear-phishing our targets.

In the same manner, we can retrieve other OSINT information using recon-ng. Next, learn how to perform OSINT using Maltego.

Posted on by

Sparrow-wifi: a complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about LinSSID, the graphical wifi scanner for Linux. In this article, you will learn about sparrow-wifi, a graphical wifi analyzer. Sparrow-wifi is a Python tool that provides a comprehensive GUI based alternative to tools like InSSIder. . This tool can be used to analyze WiFi, software defined radio, bluetooth and GPS etc.

Its features include,

1. Basic wifi SSID identification.
2. Wifi source hunt: Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a wifi source.
3. 2.4 GHz and 5 GHz spectrum view: Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the wifi spectrum (invaluable in poor connectivity troubleshooting when overlapping wifi doesn’t seem to be the cause).
4. Bluetooth identification: LE advertisement listening with standard bluetooth, full promiscuous mode in LE and classic bluetooth with Ubertooth.
5. Bluetooth source hunt: Track LE advertisement sources or iBeacons with the telemetry window.
6. iBeacon advertisement: Advertise your own iBeacons.
7. Remote operations: An agent is included that provides all of the GUI functionality via a remote agent the GUI can talk to.
8. Drone/Rover operations: The agent can be run on systems such as a Raspberry Pi and flown on a drone (its made several flights on a Solo 3DR), or attached to a rover in either GUI-controlled or autonomous scan/record modes.
9. The remote agent is JSON-based so it can be integrated with other applications.
10. Import/Export : Ability to import and export to/from CSV and JSON for easy integration and revisualization. You can also just run ‘iw dev scan’ and save it to a file and import that as well.
11. Produce Google maps when GPS coordinates are available for both discovered SSID’s / bluetooth devices or to plot the wifi telemetry over time.
12. Integration with Elasticsearch to feed wireless and optionally bluetooth scan data into Elastic Common Schema compliant indices.

    Let’s see how this tool works. For this, we will be using Kali Linux as sparrow-wifi is available by default in its repositories. We will also be needing a wireless adapter that can monitor wireless packets. I am using ALFA AWUS036NHA adapter for this article.

    Note that Sparrow-frim needs SUDO root privileges to work.

    This is how the interface of sparrow-wifi looks.

    To start scanning for wireless networks click on “scan” button.

    It will display the available wifi networks in 2.5ghz and 5ghz frequencies separately. From the telemetry menu, you can see the telemetry information about any wireless access point. For example, let’s see telemetry of target network “Hackercool_Labs”.

    As you have already read at the beginning of this article, Sparrow-wifi has a hunt mode in which multiple samples per second are grabbed and used to track a wifi source.

    Recently they added a new Falcon Plugin to this tool. Falcon provides the following features.

    1. aircrack-ng integration which allows for the enumeration of hidden SSIDs
    2. client station enumeration
    3. client station probed SSID enumeration
    4. client station connected access point and channel
    5. deauthentication right-click capabilities (single and continuous, targeted and broadcast)
    6. WEP IV captures
    7. WPA password hash capture and hash capture detection

    Falcon Plugin can be accessed from Falcon menu as shown in the above image. First, let’s enable monitoring mode on this tool by clicking “Create monitoring interface” button.

    Immediately, all available wireless access points and clients are displayed. You can export clients to a CSV file using the “Export clients” button.

    Select a wifi access point to target. For example, I select “Hackercool_Labs” as shown.

    Stop the scan. Right clicking on the selected wifi network opens a menu which contains the following options.

    • Copy
    • Telemetry
    • Deauth Broadcast-single
    • Deauth Broadcast-continuous
    • Capture WPA key.

    Let’s select “Capture WPA keys”. After selecting this, you can once again right click on the target access point and select any deauth broadcast. What this does is it with deauthenticates all the clients connected to our access point. Why are we doing this? This will force all the clients to connect to our access point again and hence we get a WPA handshake. Once a key is captured, sparrow wifi will display a message as shown below.

    You can save it to the location you want.

    Then, it will display information on how to crack the key. You can use aircrack or Cowpatty to crack the passphrase.

    That’s all about sparrow-wifi. Next, learn about airgeddon, a multi purpose wireless auditing tool.

    Posted on by

    Beginners guide to LinSSID

    Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt everything about wireless networks, their security and different types of attacks. In this article, you will learn about a tool named LinSSID.

    LinSSID is a simple graphical tool that can be used to scan and find all the available wireless networks in the vicinity. Let’s see how this tool works. For this, we will be using Kali Linux, as this tool is available by default in its repositories. We will also be needing a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.

    Make sure that you don’t enable monitor mode on the wireless adapter.

    When the GUI of LinSSID opens, start scanning by clicking on “Run” button.

    Very soon LinSSID will display all the wireless access points available along with their MAC addresses, channel on which they are operatng, type of security they use used and the strength of their signal.

    You can also see whether wifi access points are running on 2.4ghz and 5ghz.

    From the “view” menu, you can also decide what information about the wifi access point you want to see.

    After detecting the available wireless networks, the information can be used to select the wireless access point whose security you want to audit. You can audit its password strength using tools like aircrack, Fern wifi cracker, Besside or wifite. If you want to create a rogue access point or an evil twin, learn how to do them with wifipumpkin or wifi phisher.

    Posted on by

    Beginners guide to wifi phisher

    Hello, aspiring ethical hackers. In our previous blogpost on Wifi hacking, you learnt about what is a evil twin attack. In this article, you will learn about wifiphisher. Wifi phisher is a rogue access point and evil twin creation framework for conducting wireless security testing. Let’s see how this tool works. For this, we will be using Kali Linux as wifiphisher is available by default in its repositories. We will also be needing a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.

    Note that Wifi phisher needs root privileges to work.

    After starting, wifi phisher starts scanning for all the access points it can detect.

    Select the wifi access point you want to target. For example, here I select “Hackercool Labs”. Then, this tool will display the available phishing scenarios (Actually, there’s only one here). Select it.

    Then this tool will create a evil twin of this network.

    This is how it looks for any client or users trying to to connect to “Hackercool_Labs” access point.

    Wifi phisher tries to de-authenticate all clients connected to the genuine access point.

    You can see the connected clients.

    When any of the clients tries to connect to the evil twin instead of genuine access point, he will be asked to type password of the genuine access point as shown below.

    Wifi phisher will log all HTTP requests. So you can see password the user is typing.

    Next, learn about wifipumpkin, another powerful wifi rogue access point framework.

    Posted on by

    Beginners guide to airgeddon

    Hello, aspiring ethical hackers. In our previous blogpost on WiFi hacking, you learnt about different ways wireless networks are compromised. In this article, you will learn about airgeddon, a multi use bash script to audit wireless networks.

    Using airgeddon, we can perform DoS stress testing, deacloaking, offline WPA/WPA 2 password cracking, evil twin attack, WPS attack and WEP attacks on target wireless network.

    Let’s see how this tool works. For this, we will be using Kali Linux as airgeddon is available by default in its repositories. We will also need a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.

    If you get any error regarding “caplets” while installing airgeddon, you can install it from GitHub as shown below.

    Note that airgeddon requires SUDO privileges to work. It can be started using command shown below.

    sudo airgeddon

    Airgeddon will check if all the essential tools it requires are present on the system.

    Then, it will prompt you to select the interface you want to work with.

    After selecting the network interface, menu of airgeddon is displayed.

    First, let’s put our interface in monitor mode. That would be option 2.

    As you can see in the Airgeddon’s menu, many attacks can be performed using this tool. For this article, let’s select the WPS pin attacks. This will display the sub menu of WPS attacks as shown below.

    You can see various WPS pin attacks that you can perform using this tool. Let’s first scan the targets. Use option ‘1’.

    After scanning and selecting your target, let’s crack the WPS pin using install Pixie dust attack with Bully.

    Assign the BSSID, channel, timeout and other options as shown below.

    This will start cracking the WPS pin. Note that cracking of WPS pin can sometimes take many hours. Next, learn about wifipumpkin, a wireless rogue access point creation framework.