Hello, aspiring ethical hackers. In our previous blogpost on WiFi hacking, you learnt about different ways wireless networks are compromised. In this article, you will learn about airgeddon, a multi use bash script to audit wireless networks.
Using airgeddon, we can perform DoS stress testing, deacloaking, offline WPA/WPA 2 password cracking, evil twin attack, WPS attack and WEP attacks on target wireless network.
Let’s see how this tool works. For this, we will be using Kali Linux as airgeddon is available by default in its repositories. We will also need a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.
If you get any error regarding “caplets” while installing airgeddon, you can install it from GitHub as shown below.
Note that airgeddon requires SUDO privileges to work. It can be started using command shown below.
sudo airgeddon
Airgeddon will check if all the essential tools it requires are present on the system.
Then, it will prompt you to select the interface you want to work with.
After selecting the network interface, menu of airgeddon is displayed.
First, let’s put our interface in monitor mode. That would be option 2.
As you can see in the Airgeddon’s menu, many attacks can be performed using this tool. For this article, let’s select the WPS pin attacks. This will display the sub menu of WPS attacks as shown below.
You can see various WPS pin attacks that you can perform using this tool. Let’s first scan the targets. Use option ‘1’.
After scanning and selecting your target, let’s crack the WPS pin using install Pixie dust attack with Bully.
Assign the BSSID, channel, timeout and other options as shown below.
This will start cracking the WPS pin. Note that cracking of WPS pin can sometimes take many hours. Next, learn about wifipumpkin, a wireless rogue access point creation framework.
Hello, aspiring ethical hackers. In our previous blogpost, you have learnt how to crack a WPA/WPA2 passphrase with aircrack. In this article, you will learn about another such tool cowpatty.
Cowpatty is a WPA-PSK, WPA2-PSK auditing tool that can be used to identify weak passphrases of an SSID with WPA, WPA2 enabled. Cowpatty does offline cracking of passwords and as it works offline, it needs packet capture file (pcap) with WPA handshake captured.
Let’s see how this tool works. For this, we will be using Kali Linux as cowpatty is installed by default on it. We will also need a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.
The role of Cowpatty in Wi-Fi auditing starts after the wireless networks data is captured in a PCAP file. Notably, this data should include a WPA handshake, a process where a client connects to the wireless access point with WPA/WPA2 enabled. This can be done with airodump-ng (a tool included with aircrack) or kismet or Fern wifi cracker.
Before beginning to crack the passphrase, cowpatty can be used to check if the packet capture file has all the necessary data to start cracking against WPA2?PSK passphrases. For example, here we are trying to capture wireless traffic of a network named “Hackercool_Labs” and saving the capture data to a file named “wpa-crack-03.cap.
Once all necessary data is collected, we can crack the WPA2 passphrase as shown below. As you can see, the passphrase is “Snowwhite”.
Here is the explanation for the options specified in the above image.
-r: This option is used to specify the the packet capture file.
-f: path to the wordlist to be used for dictionary cracking (here we are using rockyou.txt).
-s: SSID of the wifi access point you are trying to crack.
If cowpatty succeeds is cracking WPA2 passphrase, it means the wifi security is weak and the password needs to be changed immediately.
Next, learn how to crack any WIFI password automatically with Besside.
Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what is a rogue access point and why hackers or pentesters use it. In this article, you will learn about Wifipumpkin 3, a powerful framework for creating rogue access points. The features of wifipumpkin 3 are,
7. Intercepting, inspecting, modifying and replay web traffic
8. WIFIÂ networks scanning
9. DNSÂ monitoring service
10. Credentials harvesting
11. Phishkin3 (Support MFA phishing attack via captive portal)
12. EvilQR3 (Support Phishing QR code attack)
13. Transparent Proxies
14. RestFulAPI (new)
and more!
Let’s see how to create a rogue access point using this tool. For this, we will be using Kali Linux as this tool is present in its repositories by default in it. We will also need a wireless adapter that can monitor wireless packets. I am using ALFA AWVS036NHA adapter for this article.
It can be started using command as shown below.
sudo wifipumpkin3
Here’s its nice artwork once started.
To see all the commands that can be run using wifipumpki3, use the command shown below.
help
To see all the available modules of Wifipumpkin3, use the “show” command.
show
To use any module, we have to use the command “use” literally.
use <module name>
For example, let’s load the wifi-wifiscan module. As its name implies, this module of wifipumpkin scans for all wireless access points and devices trying to connect to them.
We can see all options of a module by using the “options” command as shown below.
This module just requires the name of the wireless interface which can be set as shown below.
After all options are set, we need to use “run” command to execute the module. Then, the module displays all access points as shown below.
Select the access point you want to target. For this blogpost, we will select “Hackercool_Labs” access point. We want to create a rogue access point for this access point. For this, go back and use “Proxies” command to see all the available proxies.
As you can see, a proxy named pumpkinproxy is enabled by default. A rogue access point should provide internet just as the original wifi access point of which we are creating a rogue in order not to raise suspicions. Use “ap” command to view all the settings for our rogue access point.
We can change any options we want as shown below. Let’s change the SSID to “Hackercool_Labss” from “Wifi Pumpkin”. The name of the rogue access point should be almost similar to the original one. Here, we added extra “s” so that you can differentiate easily.
We can use “start” command to start the access point. Note that this access point is “open” and has no password. When any client connects to the rogue access point assuming it as the original one, the tool identifies the device as shown below.
We can see their browsing data to some extent. For example, our client is trying to visit Facebook.
Instead of allowing clients to directly connect to our rogue access point, we can present a login page to the client. For this, we have to use the captiveflask proxy.
Now, as soon as anybody connects to our rogue access point, he/she will be presented with a login screen as shown below.
As soon as the user enters credentials assuming that he connected to the original access point and it was prompting for credentials for some reason,
wifipumpkin 3 captures and displays the credentials as shown below.
Thus, we can capture credentials using this. To see all the devices connected to our rogue access point, we can use “clients” command.
We can even see all the information about connected devices using “dump” command.
Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what is a WPS pin, why it is used, it’s strengths and weaknesses etc. In this article, you will learn about Reaver, a tool that brute force attacks WPS pins in order to retrieve WPA/WPA2 passphrases.
Let’s see how this tool works. For this we will be using Kali Linux as reaver is installed by default on it. We will also need a wifi adapter that allows packet monitoring. For this, we will be using ALFA AWVS036NHA wifi adapter.
After turning on Kali and plugging in the wireless adapter, the first thing we need to do is enable monitoring mole on our wireless adapter as shown below. Monitoring mode allows the wifi adapter to see all the available wireless networks.
Let’s use airodump to dump all the wifi access points it is monitoring.
Here are the wifi access points detected by our adapter.
We can also use wash to detect WPS enabled access points.
Next, we have to set our target. For this tutorial, we will be setting “Hackercool_Labs” access point as our target. We need to note its MAC address. Then, use reaver as shown below.
Here is the explanation for the options we set.
-i: interface
-b: -bssid or MAC address of the wireless access point.
-c: Channel on which this access point is advertising.
-V: Verbose output
Reaver starts trying to crack the WPS pin as shown below.
You can even use Pixiedust attack to crack WPS pins by specifying the “-k” option.
You can even specify the channel of the wifi access point for quicker cracking using the ‘-c’ option as shown below.
Depending on the access point, reaver can take between 4-10 hours to retrieve the WPA/WPA2 passphrase from the WPS pin while it takes around half of this time to crack the WPS pin itself. Learn how to crack WPS pins with Bully tool.
Hello, aspiring ethical hackers. In our previous blogpost, you learnt about reverse engineering. In this article, you will learn about OllyDbg, a debugger that is used to reverse engineer programs.
OllyDbg is an X86 debugger that is used to perform binary code analysis even when source code is not available. It can trace registers, switches, tables, constants, strings, recognize procedures, API calls and can even locate routines, object files and libraries. At present, this debugger can only disassemble binaries compiled for 32 bit processors.
Let’s see how this tool works. For this, I will be using Kali Linux as OllyDbg is available in its repositories.
Note that OllyDbg can only run on Windows systems. To run it on Kali, you need to install wine.
After wine is successfully installed, you can start Ollydbg using command shown below.
ollydbg
If it shows up wine error like this, just use the command shown below to fix it.
mv ~/.wine ~/.wine.old
Now, OllyDbg should start normally. The interface looks as shown below.
To see the working of Ollydbg, we need an executable file to disassemble. To help you understand how OllyDbg works in detail, I have written a simple program in C. The program is nothing new. It just adds two numbers provided by the users and displays the result. I name it “hc_app.c”.
Then I compile it as shown below to get an exe file named “hc_app.exe”.
Let’s first check if the program works as expected.
The program “hc_app.exe” is working as expected. Now, let’s load this into OllyDbg. This can be done by dragging hc_app.exe to OllyDbg or by going to File menu>Open (F3) as shown below.
This will open file explorer.
Navigate to the location of the app we just created and select it.
Doing this will open a terminal as shown below.
Minimize the terminal window for now. After minimizing it, you will see this on OllyDbg.
If you are a normal human like me, you will not understand anything. This is assembly code. The interface of OllyDbg is divided into 4 sections.
The first section is CPU window. This contains all virtual addresses of instructions. This window is located to the upper left of OllyDbg.
The second section is located to the upper right of the program and contains CPU registers.
The third section is located to the lower left. This has data residing in memory.
The fourth section, located to the bottom right is the stack.
Apart from this, I have assigned number ‘5’ in yellow. It shows if the program we loaded (hc_app.exe) is paused or running. Before doing anything, go to the Debug menu and hit “Run”. Now, bring forward the the command window we minimized earlier. It will change to this.
That’s all good. Now, let’s make something sense out of what looks like gibberish. Right click inside the CPU window, a menu should open. Select “Search for” and in the sub menu “All referenced text strings” as shown below.
What we are doing is searching for all text strings referred to in the program. This will give output as shown below.
Here, you can see “Enter two integers:” and “The final number is :”. You remember something from the source code of the program. But note here that, we don’t have access to source code and only loaded the compiled program (hc_app.exe). To the left, highlighted in red, you can see the address at which this string is present. The address is “00401576”. Go to that address in CPU window.
See the disassembled code here. It is this.
MOV DWORD PTR SS: [ESP], hc_app.00411044
The important thing here is the address “00411044”. Pointers in C point to a memory address. So, this command is pointing to a memory address “00411044”. Once again right click in CPU window select “Go to” this time and select “Expression” (shortcut for this is CTRL+G).
In the window that opens, enter address value as shown below and click on “OK”.
You should see this in CPU window. At address “00411044”, you should see a command “INC EBP”. Right click on that command and go to Binary>Edit as shown below.
A new window opens as shown below.
Observe the ASCII value. It is ‘E’. Similarly do it for next four commands.
Here are the combined ASCII values. They are ‘E’ ‘n’ ‘te’ ‘r’. What does it become? “Enter”.. I think you have figured out where this is going. This is part of the text, “Enter two integers:”. Right.
Now let’s do one thing. Change the ASCII value of ‘E’ ‘n’ ‘te’ ‘r’ to ‘H’ ‘E’ ‘LL’, ‘O’. respectively as shown below.
Now, when we go to debug menu and run the code again, instead of “Enter Two integers” we got “HELLO two integers” as shown below.
Here, you can see that we have successfully altered the code of a program without even knowing its source code. Next, learn how to perform static analysis of a program or malware with PEframe.
