Posted on

Beginner's guide to Recon-ng

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about OSINT. In this article, you will learn about Recon-ng, an OSINT gathering tool.

Recon-ng is an open-source intelligence gathering tool aimed at reducing the time spent harvesting information from open sources. It is a full-featured reconnaissance framework designed to gather OSINT information very quickly.

Let’s see how this tool works. For this, we will be using Kali Linux, as Recon-ng is installed on it by default. The tool can be started using the command shown below.

recon-ng

As you can see in the images above, the interface of Recon-ng is similar to Metasploit’s. It has been designed this way to reduce the learning curve. You can create different workspaces in Recon-ng. To create a new workspace, use the command shown below.

workspaces create <name of workspace>

For example, we have created a new workspace named “hc_test”. The various framework items of Recon-ng that are useful to us can be seen using the command shown below.

show

For this tutorial, let’s gather information about a domain. To do this, we need to first add a domain. This can be done using command shown below.

db insert domains

Now, you can see the domains you added using the command shown below.

show domains

Other items can be added and viewed in the same way. Just like Metasploit, Recon-ng has various modules, each performing a specific function. You need to first add these modules to Recon-ng to be able to use them. These modules are found in the ‘marketplace’ and can be viewed using the command shown below.

marketplace search

This will list all the available modules. Looking for the module you want in this list can be laborious, in some cases like searching for a needle in a haystack. But don’t worry: you can search for the modules you want. For example, let’s search for Whois-related modules. This can be done as shown below.

marketplace search <search term>

From here, you can install any module you want. This can be done using the command shown below. For example, let’s install the recon/domains-contacts/whois_pocs module.

marketplace install <module>

Similarly, you can install any other modules you want from the marketplace in the same way. Once they are installed, you can list all installed modules using the command shown below.

modules search

To load a module, we use the command shown below.

modules load <module_name>

For example, let’s load the module we just installed.

Once the module is loaded, you can view information about it using the “info” command as shown below.

As you can read in the module information above, this module retrieves POC (point of contact) data for a domain from Whois queries. Since we have already added a domain, all you have to do is execute the module using the “run” command.

As you can see, the module retrieved contact information belonging to the domain we queried. This information contains the first name, last name and email address of 46 contacts belonging to the domain (the retrieved data has been hidden for privacy). This information can be useful while phishing or spear-phishing targets.

In the same manner, we can retrieve other OSINT information using Recon-ng. Next, learn how to perform OSINT using Maltego.

Beginner's guide to Nuclei vulnerability scanner

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about vulnerability scanning. In this article, you will learn about Nuclei, a fast, high-performance and customizable vulnerability scanner that uses YAML-based templates. Its features include:

  • Simple YAML format for creating and customizing vulnerability templates.
  • Contributions from thousands of security professionals to tackle trending vulnerabilities.
  • Reduced false positives by simulating real-world steps to verify a vulnerability.
  • Ultra-fast parallel scan processing and request clustering.
  • Integration into CI/CD pipelines for vulnerability detection and regression testing.
  • Supports multiple protocols like TCP, DNS, HTTP, SSL, WHOIS, JavaScript, code and more.
  • Integration with Jira, Splunk, GitHub, Elastic, GitLab.

Let’s see how this tool works. For this, we will be using Kali Linux as the attacker system, as Nuclei is available by default in its repositories. As the target, we will be using Metasploitable 2. Both these systems are part of our Simple Hacking Lab. Nuclei can be installed on Kali as shown below.

Scanning (-u, -t)

Nuclei can be given a target URL or IP address to scan, as shown below.

Here is what its output looks like.

See all available templates (-tl)

While studying its features, you read that Nuclei uses a lot of vulnerability templates to perform a vulnerability scan. When a scan is initialized, Nuclei installs these templates and uses them. Templates are a very important part of Nuclei. You can see all the available templates using the command shown below.

nuclei -tl

As already mentioned, these templates are in YAML format.
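To make the YAML format concrete, here is a small template added to this article (it is not from the nuclei-templates project and is not the phpmyadmin-misconfiguration template used later on); it reports a reachable phpMyAdmin login page on a host you are assessing so the panel can be restricted to trusted networks. The template id, author and the three paths are assumptions.

```yaml
# Added example template, not shipped with Nuclei. The id, author and
# paths below are assumed values; adjust them for your own templates.
id: phpmyadmin-login-panel-example

info:
  name: phpMyAdmin Login Panel - Detect (added example)
  author: example-editor
  severity: medium
  description: |
    Reports a reachable phpMyAdmin login page so the panel can be
    restricted to trusted networks or placed behind authentication.
  tags: panel,phpmyadmin,misconfig

http:
  - method: GET
    # Common install locations; {{BaseURL}} is filled in from -u / -l.
    path:
      - "{{BaseURL}}/phpmyadmin/index.php"
      - "{{BaseURL}}/phpMyAdmin/index.php"
      - "{{BaseURL}}/pma/index.php"

    # Report the host once, on the first path that matches.
    stop-at-first-match: true
    # Both matchers below must succeed for a finding.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "phpMyAdmin"
          - "pma_username"   # login form field name
        condition: and

      - type: status
        status:
          - 200

    # Optional: pull the version string if the page discloses one.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'phpMyAdmin ([0-9]+\.[0-9]+(\.[0-9]+)?)'
```

Save it as a .yaml file and pass that path to the -t option described in the next section to run only this template.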

Run a particular template (-t)

If you want to run a specific template instead of all the templates, you can do so with this option. For example, let’s just run the phpmyadmin-misconfiguration template as shown below.

List all tags (-tgl)

The templates of Nuclei are also grouped by tags. A tag groups all the templates belonging to a specific software or technology, for example WordPress or SSH. All the tags in Nuclei can be listed using the command shown below.

nuclei -tgl

Run templates belonging to a specific tag (-tags)

This option can be used to run all templates belonging to a specific tag. For example, to run all templates belonging to the tag “ftp” against our target, we can do it as shown below.

Here’s its output.

Run code based templates (-code)

This option can be used to run all “Code” protocol based templates.

Here’s its output.

Run file based templates (-file)

Just like code-based templates, Nuclei also has file-based templates. This option can be used to run them.

Run templates based on severity (-s)

We can also run Nuclei templates based on the severity of the vulnerabilities they detect. The possible values it can take are info, low, medium, high and unknown. You have seen in the scan results above that Nuclei classifies vulnerabilities from info up to critical.

For example, let’s just run templates with severity “critical”.

As you can see in the image above, only templates with critical severity are run.

Silent mode (-silent)

In silent mode, Nuclei displays only the results.

Scan multiple targets at once (-l)

Nuclei can also be used to scan multiple targets. For this, all you have to do is save all targets in a text file and use the command shown below.

nuclei -l <target_file>

Saving output (-o)

The output of Nuclei’s vulnerability scan can be saved to a file using the -o option, as shown below.

Next, learn about Nessus vulnerability scanner.

Sparrow-wifi: a complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about LinSSID, the graphical wifi scanner for Linux. In this article, you will learn about sparrow-wifi, a graphical wifi analyzer. Sparrow-wifi is a Python tool that provides a comprehensive GUI-based alternative to tools like inSSIDer. It can be used to analyze WiFi, software defined radio, bluetooth, GPS and more.

Its features include:

1. Basic wifi SSID identification.
2. Wifi source hunt: Switch from normal to hunt mode to get multiple samples per second and use the telemetry windows to track a wifi source.
3. 2.4 GHz and 5 GHz spectrum view: Overlay spectrums from Ubertooth (2.4 GHz) or HackRF (2.4 GHz and 5 GHz) in real time on top of the wifi spectrum (invaluable in poor connectivity troubleshooting when overlapping wifi doesn’t seem to be the cause).
4. Bluetooth identification: LE advertisement listening with standard bluetooth, full promiscuous mode in LE and classic bluetooth with Ubertooth.
5. Bluetooth source hunt: Track LE advertisement sources or iBeacons with the telemetry window.
6. iBeacon advertisement: Advertise your own iBeacons.
7. Remote operations: An agent is included that provides all of the GUI functionality via a remote agent the GUI can talk to.
8. Drone/Rover operations: The agent can be run on systems such as a Raspberry Pi and flown on a drone (it’s made several flights on a Solo 3DR), or attached to a rover in either GUI-controlled or autonomous scan/record modes.
9. The remote agent is JSON-based so it can be integrated with other applications.
10. Import/Export: Ability to import and export to/from CSV and JSON for easy integration and revisualization. You can also just run ‘iw dev scan’ and save it to a file and import that as well.
11. Produce Google maps when GPS coordinates are available for both discovered SSIDs / bluetooth devices or to plot the wifi telemetry over time.
12. Integration with Elasticsearch to feed wireless and optionally bluetooth scan data into Elastic Common Schema compliant indices.

Let’s see how this tool works. For this, we will be using Kali Linux, as sparrow-wifi is available by default in its repositories. We will also need a wireless adapter that can monitor wireless packets. I am using an ALFA AWUS036NHA adapter for this article.

Note that sparrow-wifi needs root privileges to work, so run it with sudo.

This is how the interface of sparrow-wifi looks.

To start scanning for wireless networks, click on the “Scan” button.

It will display the available wifi networks in the 2.4 GHz and 5 GHz bands separately. From the Telemetry menu, you can see the telemetry information about any wireless access point. For example, let’s see the telemetry of the target network “Hackercool_Labs”.

As you read at the beginning of this article, sparrow-wifi has a hunt mode in which multiple samples per second are grabbed and used to track a wifi source.

A Falcon plugin was recently added to this tool. Falcon provides the following features:

1. aircrack-ng integration which allows for the enumeration of hidden SSIDs
2. client station enumeration
3. client station probed SSID enumeration
4. client station connected access point and channel
5. deauthentication right-click capabilities (single and continuous, targeted and broadcast)
6. WEP IV captures
7. WPA password hash capture and hash capture detection

The Falcon plugin can be accessed from the Falcon menu, as shown in the image above. First, let’s enable monitor mode by clicking the “Create monitoring interface” button.

Immediately, all available wireless access points and clients are displayed. You can export the clients to a CSV file using the “Export clients” button.

Select a wifi access point to target. For example, I select “Hackercool_Labs” as shown.

Stop the scan. Right-clicking on the selected wifi network opens a menu which contains the following options.

  • Copy
  • Telemetry
  • Deauth Broadcast-single
  • Deauth Broadcast-continuous
  • Capture WPA key

Let’s select “Capture WPA key”. After selecting this, right-click on the target access point again and select either deauth broadcast option. This deauthenticates all the clients connected to the target access point. Why do this? The clients are forced to reconnect to the access point, and the WPA handshake they perform while reconnecting is captured. Once the key is captured, sparrow-wifi displays a message as shown below.

You can save it to the location you want.

It then displays information on how to crack the key. You can use aircrack-ng or coWPAtty to crack the passphrase.

That’s all about sparrow-wifi. Next, learn about airgeddon, a multi-purpose wireless auditing tool.

Beginner's guide to LinSSID

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt everything about wireless networks, their security and the different types of attacks on them. In this article, you will learn about a tool named LinSSID.

LinSSID is a simple graphical tool that can be used to scan for and find all the available wireless networks in the vicinity. Let’s see how this tool works. For this, we will be using Kali Linux, as this tool is available by default in its repositories. We will also need a wireless adapter that can monitor wireless packets. I am using an ALFA AWUS036NHA adapter for this article.

Make sure that you don’t enable monitor mode on the wireless adapter.

When the GUI of LinSSID opens, start scanning by clicking on the “Run” button.

Very soon LinSSID will display all the available wireless access points, along with their MAC addresses, the channel on which they are operating, the type of security they use and the strength of their signal.

You can also see whether wifi access points are running on 2.4 GHz or 5 GHz.

From the “View” menu, you can also decide what information about the wifi access points you want to see.

After detecting the available wireless networks, this information can be used to select the wireless access point whose security you want to audit. You can audit its password strength using tools like aircrack-ng, Fern WiFi Cracker, besside-ng or wifite. If you want to create a rogue access point or an evil twin, learn how to do so with wifipumpkin or wifiphisher.

Beginner's guide to wifiphisher

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what an evil twin attack is. In this article, you will learn about wifiphisher. Wifiphisher is a rogue access point and evil twin creation framework for conducting wireless security testing. Let’s see how this tool works. For this, we will be using Kali Linux, as wifiphisher is available by default in its repositories. We will also need a wireless adapter that can monitor wireless packets. I am using an ALFA AWUS036NHA adapter for this article.

Note that wifiphisher needs root privileges to work.

After starting, wifiphisher scans for all the access points it can detect.

Select the wifi access point you want to target. For example, here I select “Hackercool Labs”. Then, this tool will display the available phishing scenarios (actually, there’s only one here). Select it.

Then this tool will create an evil twin of this network.

This is how it looks for any client or user trying to connect to the “Hackercool_Labs” access point.

Wifiphisher tries to de-authenticate all clients connected to the genuine access point.

You can see the connected clients.

When any of the clients tries to connect to the evil twin instead of the genuine access point, they will be asked to type the password of the genuine access point, as shown below.

Wifiphisher logs all HTTP requests, so you can see the password the user typed.

Next, learn about wifipumpkin, another powerful wifi rogue access point framework.