Monday, 12 October 2015

Hacking: Wifi Password WPA2 - Aircrack-Ng & Kali Linux


Please use this for legal purposes only.


Aircrack-Ng

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like the KoreK attacks, as well as the PTW attack, making it much faster than other WEP cracking tools.


1. First Step:

Disconnect from all wireless networks and open a terminal.

Type the commands "ifconfig" and "iwconfig".

a) ifconfig - To make sure that you have a wireless card adapter installed in your laptop:



b) iwconfig - To check the network adapter mode (by default: Managed)






c) Type in command "airmon-ng start wlan0"



The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Somehow, in my case, I had to manually put the new monitor interface named wlan0mon (the name might be different in your case) into monitor mode using the command below:




Check again to verify that it is in Mode: Monitor




2. Second Step:

Type the command airodump-ng followed by the new monitor interface, wlan0mon.



Airodump will list all the wireless SSID networks. Now, pick the target network, copy its BSSID and channel, and type in the command airodump-ng -c [channel] --bssid [AP bssid] -w /root/Desktop/ wlan0mon.

Some terms that we need to be familiar with are:

BSSID : The MAC address of the AP this user is associated to
STATION : The MAC address of the client itself
CH : Channel the AP is operating on
BEACONS : Number of beacon frames received. More beacons generally mean better signal quality
PWR : Signal strength.


Now we can see below a list of a few users that are currently connected to the target network.


In order for this tool to work, we need someone else to connect or reconnect to the target network, which forces the router to send the 4-way handshake that we need to capture in order to crack the password. However, there is another technique, aireplay-ng, that forces a user to disconnect and reconnect to the network.

3. Third Step:

Type the command aireplay-ng -0 2 -a [AP BSSID] -c [client STATION MAC] wlan0mon




Once we execute the command, it will force the user's device to disconnect and reconnect, and he/she will never realise that they are being hacked.

Then, after a few moments, if you check the airodump-ng terminal, the WPA handshake message will appear as shown below:
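The deauthentication burst that the aireplay-ng -0 command above sends is loud on the air: anyone monitoring the same channel sees a spike of 802.11 management frames with subtype 12 (deauthentication) carrying the same BSSID. The following is an added example of detection logic, written for this page and not taken from the post or from the aircrack-ng project: it decodes the 802.11 MAC header, then flags any BSSID that sees a burst of deauth/disassoc frames inside a sliding time window. The MAC addresses, the sample capture, and the window and threshold values (5 seconds, 10 frames) are all constructed assumptions; a real deployment would feed frames from a monitor-mode capture and tune the threshold to the site's normal rate.

```python
"""Detect deauthentication/disassociation floods in captured 802.11 frames.
Added example, not part of the original post; the frames are constructed in memory."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0            # 802.11 frame-control type: 0 = management
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_mgmt_frame(frame):
    """Decode the 24-byte 802.11 MAC header (no radiotap header, no FCS); None if too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    rec = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_to_str(frame[4:10]),    # receiver address (a client, or broadcast)
        "addr2": mac_to_str(frame[10:16]),   # transmitter address
        "addr3": mac_to_str(frame[16:22]),   # BSSID in management frames
    }
    if rec["type"] == MGMT_TYPE and rec["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(frame) >= 26:
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code, little-endian
    return rec


def build_mgmt_frame(subtype, addr1, addr2, addr3, reason=None):
    """Assemble a minimal management frame as bytes; used only to construct the sample capture."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = (frame_control + b"\x00\x00" + mac_to_bytes(addr1) + mac_to_bytes(addr2)
              + mac_to_bytes(addr3) + b"\x00\x00")
    body = struct.pack("<H", reason) if reason is not None else b""
    return header + body


def detect_deauth_bursts(events, window=5.0, threshold=10):
    """events: (timestamp_seconds, raw_frame) pairs. Flags any BSSID that sees at least
    `threshold` deauth/disassoc frames inside a sliding `window` (both are assumed values)."""
    recent = defaultdict(deque)
    stats = {}
    for ts, frame in sorted(events, key=lambda e: e[0]):
        rec = parse_mgmt_frame(frame)
        if rec is None or rec["type"] != MGMT_TYPE:
            continue
        if rec["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = rec["addr3"]
        q = recent[bssid]
        q.append((ts, rec))
        while q and ts - q[0][0] > window:     # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            s = stats.setdefault(bssid, {"bssid": bssid, "peak": 0, "targets": set(),
                                         "reasons": set(), "first_ts": q[0][0], "last_ts": ts})
            s["peak"] = max(s["peak"], len(q))
            s["targets"].update(r["addr1"] for _, r in q)
            s["reasons"].update(r["reason"] for _, r in q if "reason" in r)
            s["last_ts"] = ts
    return [dict(s, targets=sorted(s["targets"]), reasons=sorted(s["reasons"]))
            for s in stats.values()]


def sample_capture():
    """Constructed sample: five beacons, then 20 deauths each way between the AP and one client."""
    ap = "00:11:22:33:44:55"        # placeholder AP BSSID
    client = "66:77:88:99:aa:bb"    # placeholder client station MAC
    events = [(float(i), build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap)) for i in range(5)]
    for i in range(20):
        t = 10.0 + i * 0.02
        events.append((t, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, reason=7)))
        events.append((t, build_mgmt_frame(SUBTYPE_DEAUTH, ap, client, ap, reason=7)))
    return events


if __name__ == "__main__":
    for alert in detect_deauth_bursts(sample_capture()):
        print(f"deauth burst on BSSID {alert['bssid']}: {alert['peak']} frames in window, "
              f"targets {alert['targets']}, reason codes {alert['reasons']}")
```

The detector keys on addr3 (the BSSID) rather than the transmitter address because a spoofed burst forges the transmitter in both directions; the alert lists every receiver address seen, which tells the operator whether one station or the whole cell was hit.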


4. Fourth Step:

Now we have successfully collected all the information we need. The next step is to crack the handshake using a wordlist so that we can learn the actual password, using the aircrack command: aircrack-ng -a2 -b [AP bssid] -w [wordlist path] /root/Desktop/*.cap

-a : Force attack mode (1 = static WEP, 2 = WPA/WPA2-PSK)
-b : Short for BSSID (the access point's MAC address)
-w : Stands for wordlist (path of the wordlist)
*.cap : wildcard for the name of the .cap capture file


5. Fifth Step:

Aircrack-ng will launch the cracking process by checking the wordlist for the matching password. How long it takes depends on the complexity of the password and on the wordlist itself.

Once it finds the matching password, a message will appear like the one shown below:
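The step above only succeeds when the passphrase, or a lightly decorated form of it, is in the wordlist. The defensive counterpart is to audit your own WPA2-PSK before an attacker does. The following is an added example written for this page (not the author's code and not part of aircrack-ng): it checks a candidate passphrase against the 802.11i length limits (8 to 63 printable ASCII characters), normalizes away case and leading/trailing digits or symbols before looking it up in a wordlist, and estimates entropy from the character classes used. The mini wordlist, the 60-bit entropy floor and the sample passphrases are constructed assumptions; a real audit would load the same large wordlists the attacker would.

```python
"""Audit a WPA2-PSK passphrase for the weaknesses a wordlist run exploits.
Added example, not part of the original post; the wordlist is a constructed stand-in."""
import math
import re
import string

WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63   # passphrase length limits from IEEE 802.11i
MIN_ENTROPY_BITS = 60                # assumed floor for a secret that can be attacked offline

# Constructed mini wordlist; a real audit would load full public wordlists instead.
SAMPLE_WORDLIST = {"password", "qwerty", "letmein", "welcome", "sunshine", "iloveyou", "football"}


def charset_bits(pw):
    """Estimated bits of entropy per character, from which character classes appear."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return math.log2(size) if size else 0.0


def normalize(pw):
    """Strip the decoration people bolt onto dictionary words: case plus leading/trailing digits and symbols."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def assess_passphrase(pw, wordlist=SAMPLE_WORDLIST):
    """Return {'ok': bool, 'entropy_bits': float, 'findings': [str]} for a candidate passphrase."""
    findings = []
    if not all(32 <= ord(c) <= 126 for c in pw):
        findings.append("contains characters outside printable ASCII (not a valid WPA2 passphrase)")
    if not WPA2_MIN_LEN <= len(pw) <= WPA2_MAX_LEN:
        findings.append(f"length {len(pw)} is outside the WPA2 range {WPA2_MIN_LEN}-{WPA2_MAX_LEN}")
    if pw.lower() in wordlist:
        findings.append("passphrase is a wordlist entry")
    elif normalize(pw) in wordlist:
        findings.append("passphrase is a wordlist entry with case/digit/symbol decoration")
    bits = charset_bits(pw) * len(pw)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy {bits:.0f} bits is below the {MIN_ENTROPY_BITS}-bit floor")
    return {"ok": not findings, "entropy_bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    # Constructed sample passphrases, weakest first.
    for candidate in ["sunshine", "Password123", "short", "correct horse battery staple"]:
        result = assess_passphrase(candidate)
        print(f"{candidate!r}: ok={result['ok']} entropy={result['entropy_bits']} {result['findings']}")
```

The normalization step matters more than the raw wordlist lookup: "Password123" is not in the list as written, but it reduces to "password", which is exactly the kind of variant a rule-based wordlist run tries first.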



  






Sunday, 11 October 2015

Hacking: Information Gathering - Nmap

Information Gathering Nmap & Nessus

Nmap is a veritable tool-shed of functionality for performing network scans. It can be used for security scans, simply to identify what services a host is running, to 'fingerprint' the operating system and applications on a host, to determine the type of firewall a host is using, or to do a quick inventory of a local network.

To show the lab I am using VMs running Windows XP (target machine) and Kali Linux (hacker machine).

The main goal of this lab is to cover the following tasks:

- Host discovery
- Scanning for open ports
- Service and version detection
- OS detection

WinXP - IP: 192.168.0.108
Kali Linux - IP: 192.168.0.109

Scan Types:


a) nmap 192.168.0.108 (a single host, or a subnet, e.g. /24)


b) nmap -sV 192.168.0.108 (running services and version detection)



c) nmap -O 192.168.0.108 (OS detection)



d) -sT : TCP connect scan
e) -sS : Half-open scan - used to bypass firewall rules and logging mechanisms and to blend in with usual network traffic
f) -sX : Xmas scan - sends a TCP frame with the URG, ACK, RST, SYN and FIN flags set
g) -sF : FIN scan - sends a TCP frame with only the FIN flag set
h) -sN : NULL scan - sends a TCP packet with no flags set
i) -f : The TCP header is split across several fragments so that packet filters cannot determine what the packet intends to do
j) -sU : UDP scan - sends a 0-byte UDP packet to a port
k) -sP : Determine the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts
l) Outputting logs:
     -oN : outputs a human-readable log - plain text (e.g. nmap -v -oN normal.nmap)
     -oX : outputs an XML log
     -oG : outputs a grepable log
     -oA : outputs all three formats with the same base name
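The "quick inventory of a local network" use mentioned in the introduction is where the -oG grepable log earns its keep: it is one line per host, so it can be parsed and diffed against what the network is supposed to look like. The following is an added example written for this page (not the author's code and not part of Nmap): it parses -oG output into a host/port inventory, then reports open TCP ports that are not in an allowlist baseline, which is how a defender turns a scan into a drift check. The sample -oG lines reuse the lab IPs from the post plus one placeholder host (192.168.0.120); the service names, version strings and the baseline are constructed.

```python
"""Turn nmap -oG (grepable) output into a host/port inventory and diff it against a baseline.
Added example, not part of the original post; the sample output and baseline are constructed."""
import re

# Constructed sample of nmap -oG output. Each Host line is tab-separated into fields;
# each Ports entry has the layout port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample) as: nmap -sV -oG inventory.gnmap 192.168.0.0/24
Host: 192.168.0.108 ()\tStatus: Up
Host: 192.168.0.108 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 192.168.0.109 ()\tStatus: Up
Host: 192.168.0.109 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1/\tIgnored State: closed (999)
Host: 192.168.0.120 ()\tPorts: 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (998)
# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {'ip', 'hostname', 'status', 'ports': [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):      # comment lines start with '#'
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        host = hosts.setdefault(ip, {"ip": ip, "hostname": hostname, "status": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue
                    host["ports"].append({"port": int(parts[0]), "state": parts[1], "proto": parts[2],
                                          "service": parts[4], "version": parts[6]})
    return hosts


def open_ports(host, proto="tcp"):
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open" and p["proto"] == proto)


def unexpected_open_ports(hosts, baseline):
    """Return {ip: [ports]} for open TCP ports not in the baseline; unknown hosts get no allowance."""
    drift = {}
    for ip, host in hosts.items():
        allowed = baseline.get(ip, set())
        extra = [p for p in open_ports(host) if p not in allowed]
        if extra:
            drift[ip] = extra
    return drift


# Constructed baseline: the services each lab host is expected to expose.
BASELINE = {
    "192.168.0.108": {135, 139, 445},
    "192.168.0.109": {22},
}

if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in inventory.items():
        versions = [p["version"] for p in host["ports"] if p["version"]]
        print(ip, "open:", open_ports(host), "versions:", versions)
    print("drift:", unexpected_open_ports(inventory, BASELINE))
```

With the constructed data the drift report names 3389 on the Windows XP host (not in its baseline) and port 80 on the host that is not in the baseline at all, which is the point of the check: a scan run from a scheduler, parsed this way, turns into an alert when something new starts listening.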