Posted on

Beginner's guide to wifipumpkin3

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what a rogue access point is and why hackers or pentesters use it. In this article, you will learn about wifipumpkin3, a powerful framework for creating rogue access points. The features of wifipumpkin3 are:

  1. Creating a rogue access point
  2. Performing man-in-the-middle attacks
  3. Performing deauthentication attacks
  4. Module for extra captiveflask templates
  5. Creating a rogue DNS server
  6. Performing captive portal attacks (captiveflask)
  7. Intercepting, inspecting, modifying and replaying web traffic
  8. Wifi network scanning
  9. DNS monitoring service
  10. Credential harvesting
  11. Phishkin3 (supports MFA phishing via captive portal)
  12. EvilQR3 (supports phishing QR code attacks)
  13. Transparent proxies
  14. RESTful API (new)
  15. and more!

Let’s see how to create a rogue access point using this tool. For this, we will be using Kali Linux, as the tool is present in its repositories by default. We will also need a wireless adapter that supports monitor mode. I am using an ALFA AWUS036NHA adapter for this article.

It can be started using the command shown below.

sudo wifipumpkin3

Here’s its nice artwork once started.

To see all the commands that can be run in wifipumpkin3, use the command shown below.

help

To see all the available modules of Wifipumpkin3, use the “show” command.

show

To load any module, we use the “use” command.

use <module name>

For example, let’s load the wifi-wifiscan module. As its name implies, this module of wifipumpkin3 scans for all wireless access points and for devices trying to connect to them.

We can see all options of a module by using the “options” command as shown below.

This module just requires the name of the wireless interface which can be set as shown below.

After all options are set, we use the “run” command to execute the module. The module then displays all access points as shown below.

Select the access point you want to target. For this blogpost, we will select the “Hackercool_Labs” access point and create a rogue access point that imitates it. For this, go back and use the “Proxies” command to see all the available proxies.

As you can see, a proxy named pumpkinproxy is enabled by default. A rogue access point should provide internet access just as the original access point it imitates does, so as not to raise suspicion. Use the “ap” command to view all the settings of our rogue access point.

We can change any options we want as shown below. Let’s change the SSID from “Wifi Pumpkin” to “Hackercool_Labss”. The name of the rogue access point should closely resemble the original one. Here, we added an extra “s” so that you can tell the two apart easily.

We can use the “start” command to start the access point. Note that this access point is “open” and has no password. When a client connects to the rogue access point, assuming it is the original one, the tool identifies the device as shown below.

We can see their browsing data to some extent. For example, our client is trying to visit Facebook.

Instead of allowing clients to directly connect to our rogue access point, we can present a login page to the client. For this, we have to use the captiveflask proxy.

Now, as soon as anybody connects to our rogue access point, they will be presented with a login screen as shown below.

As soon as the user enters credentials, assuming that they connected to the original access point and that it was prompting for credentials for some reason, wifipumpkin3 captures and displays the credentials as shown below.

Thus, we can capture credentials this way. To see all the devices connected to our rogue access point, we can use the “clients” command.

We can even see all the information about connected devices using the “dump” command.


Beginner's guide to Reaver

Hello, aspiring ethical hackers. In our previous blogpost on wifi hacking, you learnt what a WPS PIN is, why it is used, and its strengths and weaknesses. In this article, you will learn about Reaver, a tool that brute-forces WPS PINs in order to retrieve WPA/WPA2 passphrases.

Let’s see how this tool works. For this, we will be using Kali Linux, as Reaver is installed on it by default. We will also need a wifi adapter that supports monitor mode. For this, we will be using an ALFA AWUS036NHA wifi adapter.

After turning on Kali and plugging in the wireless adapter, the first thing we need to do is enable monitor mode on the adapter as shown below. Monitor mode allows the wifi adapter to see all the wireless networks in range.

Let’s use airodump-ng to list all the wifi access points the adapter is monitoring.

Here are the wifi access points detected by our adapter.

We can also use wash to detect WPS-enabled access points.

Next, we have to set our target. For this tutorial, we will be setting the “Hackercool_Labs” access point as our target. We need to note its MAC address. Then, use Reaver as shown below.

Here is the explanation for the options we set.

-i: wireless interface to use

-b: BSSID (MAC address) of the wireless access point

-c: channel on which this access point is advertising

-V: verbose output

Reaver starts trying to crack the WPS pin as shown below.

You can also use the Pixiedust attack to crack WPS PINs by specifying the “-k” option.

You can also specify the channel of the wifi access point for quicker cracking using the “-c” option as shown below.

Depending on the access point, Reaver can take between 4-10 hours to retrieve the WPA/WPA2 passphrase from the WPS PIN, while cracking the WPS PIN itself takes around half of this time. Learn how to crack WPS PINs with the Bully tool.


Beginner's guide to Kismet

Hello, aspiring ethical hackers. In our previous blogpost, you learnt everything about wifi hacking. In this article, you will learn about Kismet, a wifi security assessment tool.

Kismet is a wireless network and device detector, sniffer, wardriving tool and wireless intrusion detection system (WIDS) for not just wifi but also Bluetooth, Zigbee, RF and more. Let’s see how this tool works. For this, I will be using Kali Linux, as Kismet is installed by default on Kali or is present in its repositories. We will also need a wireless adapter that supports monitor mode. I am using an ALFA AWUS036NHA adapter for this article.

The first thing we do is plug the adapter into the system and check that it is detected, using the command shown below.

iwconfig

In the above image, you can see that our wireless interface is named “wlan0”. Next, we start monitor mode on our wireless adapter using the command shown below. Monitor mode allows the adapter to scan for all wireless networks in the air.

sudo airmon-ng start wlan0

We can confirm that monitor mode is enabled on the adapter by once again using the “iwconfig” command.

As you can see in the above image, the mode of the adapter changed from managed to monitor and its name changed from wlan0 to wlan0mon. Now we have to start Kismet on this interface. It can be done as shown below.

sudo kismet -c <wireless interface>

Kismet starts capturing data immediately as shown below.

You can view the wireless networks and wireless devices in a browser using the link printed at the beginning of the capture; the URL is “localhost:2501”. Open the URL in a browser. As soon as you do that, you will be faced with a login screen as shown below.

Since you are setting up Kismet for the first time, set a username and password and, most importantly, don’t forget them.

Then click on “Continue” to see the Kismet interface.

Kismet will show you all the wireless access points it has detected.

While the top shows all the wifi access points and client devices, at the bottom you can see messages. Right beside the “Messages” tab there is a “Channels” tab, where you can see all the channels and the active devices on each channel.

Coming to the top, while the Devices tab shows you all the wireless devices, clicking on the SSIDs tab displays all wireless access points. You can even search for an access point of your choice. For example, let’s search for the wifi access point named “Hackercool_Labs”.

Clicking on the resulting entry shows more details about the wireless access point as shown below. We can see that the access point is a router from TP-Link.

It will also show the MAC addresses of the devices or clients connecting to this particular access point as shown below.

We can even learn more about the devices connecting to this access point. For example, the device that connected to our target access point is a Xiaomi mobile phone. Similarly, we can identify other devices like cameras, smart devices etc.

We can learn the channel on which it is running and its frequency.

At the top left, there is the Kismet menu.

Click on “Data sources”. This shows you where your data is coming from.

By default, Kismet hops from one channel to another (channels are explained in our wifi hacking article) to collect information. You can also lock Kismet to a single channel, for example channel 7.

That’s all for now. In future updates we will show you what more you can do with Kismet. Learn about the wifipumpkin3 tool.
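The wifipumpkin3 post above created an open access point named “Hackercool_Labss” next to the real “Hackercool_Labs”, and Kismet’s SSIDs view gives a defender exactly the data needed to notice that. The following is an added example, not code from the blog or from the wifipumpkin3 or Kismet projects: it takes a list of scanned access points (constructed sample data, in the shape a scanner or Kismet's SSID view reports) plus a constructed inventory of the networks you operate, and flags lookalike SSIDs, unknown BSSIDs serving your SSID, and open networks mimicking a protected one.

```python
from dataclasses import dataclass

@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    crypto: str   # "OPEN", "WPA2", ... as reported by the scanner or Kismet
    channel: int

# Constructed inventory of the networks you operate: SSID -> legitimate BSSIDs and encryption.
TRUSTED = {"Hackercool_Labs": {"bssids": {"aa:bb:cc:00:00:01"}, "crypto": "WPA2"}}

# Constructed scan results; the second and third entries behave like the rogue AP in the post.
SAMPLE_SCAN = [
    AccessPoint("Hackercool_Labs", "AA:BB:CC:00:00:01", "WPA2", 6),
    AccessPoint("Hackercool_Labss", "DE:AD:BE:EF:00:01", "OPEN", 6),
    AccessPoint("Hackercool_Labs", "DE:AD:BE:EF:00:02", "OPEN", 11),
    AccessPoint("CoffeeShop_Guest", "12:34:56:78:9A:BC", "OPEN", 1),
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a lookalike SSID usually differs by one or two characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_rogue_candidates(aps, trusted=TRUSTED, max_distance=2):
    """Return (bssid, ssid, reason) findings; a known BSSID on its own SSID yields none."""
    findings = []
    for ap in aps:
        for ssid, info in trusted.items():
            distance = edit_distance(ap.ssid.casefold(), ssid.casefold())
            if distance > max_distance:
                continue                       # unrelated network, not worth a finding
            if ap.ssid == ssid and ap.bssid.lower() in info["bssids"]:
                continue                       # one of our own access points
            if ap.ssid == ssid:
                findings.append((ap.bssid, ap.ssid, f"unknown BSSID serving trusted SSID {ssid!r}"))
            else:
                findings.append((ap.bssid, ap.ssid, f"lookalike SSID (distance {distance}) of {ssid!r}"))
            if ap.crypto == "OPEN" and info["crypto"] != "OPEN":
                findings.append((ap.bssid, ap.ssid, f"open network mimicking {info['crypto']}-protected {ssid!r}"))
    return findings

if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_candidates(SAMPLE_SCAN):
        print(f"{bssid} {ssid!r}: {reason}")
```

Feeding it a real export instead of SAMPLE_SCAN turns the same checks into a simple evil-twin alert; a BSSID that is flagged should be located by signal strength before anyone is told to connect to it.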


Linux exploit suggester: Complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about various Linux privilege escalation techniques. In this article, you will learn about Linux Exploit Suggester, a script that helps us in elevating privileges on a Linux system.

Linux Exploit Suggester assists in detecting security deficiencies of a Linux kernel or Linux machine and suggests exploits for the vulnerabilities detected. It does this by assessing the exposure of the kernel to publicly known exploits. Obviously, this script has to be run on the target system after gaining access. Let’s see how this tool works. For this, I will be running the script on a target Ubuntu 20.04 machine, after gaining a shell and transferring the script to it. The simplest way to run the script is the command shown below.

./linux-exploit-suggester.sh

As you can see in the above images, the script found 81 kernel exploits and 49 user space exploits. Moreover, it named the vulnerability and also an exploit for it. For example, in this case, the target system is vulnerable to DirtyPipe, Pwnkit and others.

You can even run Linux exploit suggester by supplying the kernel information as shown below.

You can even supply the entire output of the “uname -a” command by using the “-u” option.
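To show what the script does with the kernel information you hand it via “-k” or “-u”, here is an added example (not the blog’s code and not part of Linux Exploit Suggester): it parses a `uname -r` value or a full `uname -a` line into a version tuple and matches it against entries that list affected kernel ranges. The entries are constructed placeholders, not real advisories, and the rule that a matching distribution tag raises the exposure label is an assumption of this example.

```python
import re

# Constructed placeholder entries; a real database carries one entry per known
# exploit, with the affected ranges taken from the vendor advisory.
ENTRIES = [
    {"name": "EXAMPLE-BUG-A", "affected": [("4.8.0", "4.10.5")], "distros": {"ubuntu=16.04"}},
    {"name": "EXAMPLE-BUG-B", "affected": [("5.8.0", "5.9.99"), ("5.10.0", "5.10.40")], "distros": set()},
    {"name": "EXAMPLE-BUG-C", "affected": [("3.0.0", "4.4.0")], "distros": {"debian=8"}},
]

def parse_kernel(text: str) -> tuple:
    """Pull the first x.y[.z] version out of a `uname -r` value or a full `uname -a` line."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no kernel version found in {text!r}")
    return tuple(int(part) if part else 0 for part in m.groups())

def in_affected_range(kernel: tuple, low: str, high: str) -> bool:
    """Inclusive tuple comparison, so 5.10.12 lies between 5.10.0 and 5.10.40."""
    return parse_kernel(low) <= kernel <= parse_kernel(high)

def suggest(uname_output: str, distro: str = "") -> list:
    """Return (entry name, exposure) pairs for every entry whose range covers the kernel.
    The exposure wording mirrors what the tool prints; the rule used here (a matching
    distro tag raises "probable" to "highly probable") is this example's assumption."""
    kernel = parse_kernel(uname_output)
    hits = []
    for entry in ENTRIES:
        if not any(in_affected_range(kernel, lo, hi) for lo, hi in entry["affected"]):
            continue
        exposure = "highly probable" if distro in entry["distros"] else "probable"
        hits.append((entry["name"], exposure))
    return hits

if __name__ == "__main__":
    # Constructed `uname -a` line. Distribution kernels often backport fixes without
    # changing the version number, so a range hit is a lead to verify, not proof.
    line = "Linux target 5.10.12-generic #1 SMP Mon Jan 1 00:00:00 UTC 2024 x86_64 GNU/Linux"
    for name, exposure in suggest(line):
        print(f"[+] {name}  Exposure: {exposure}")
```

This is also why the script can report dozens of candidates on a patched box: a version-only match cannot see backported fixes, so the package changelog is the place to confirm a hit before acting on it.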

Check security settings of the target system (--checksec)

With this option, the tool also checks the most important security settings of the target's Linux kernel.

View only kernel space exploits

Setting this option shows only kernel related exploits for the target kernel.

View only userspace exploits

Setting this option shows only userspace exploits.

Display sources (-s)

Setting this option not only lists the exploits but also downloads the source code of the exploits.

The exploit sources are downloaded as zip archives.

Download binaries (-b)

Setting this option downloads binaries of the exploit code if available. Binary exploits can be executed directly.

Get more detailed view (-f)

Setting this option displays a more detailed view of the exploit.

Get a brief view (-g)

Setting this option displays only brief information about found exploits.

After getting the exploit information, all you have to do is execute the exploit to elevate privileges on the target Linux system. Next, learn about Linux post-exploitation after gaining elevated privileges.


Windows privesc check: Complete guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Windows privilege escalation in detail and the various techniques used to achieve it. In this article, you will learn about windows-privesc-check, a standalone executable that helps users in elevating privileges on a Windows system.

Windows-privesc-check is an executable that finds misconfigurations on a target system that can help in elevating privileges on Windows. Let’s see how this tool is used. It needs to be run on the target Windows system after gaining access.

Windows-privesc-check can dump target system information in four formats. They are:

  1. Dump: This option dumps information for you to analyze manually.
  2. Dumptab: This option dumps information in tab-delimited format.
  3. Audit: This option identifies and reports security weaknesses.
  4. Pyshell: This option starts an interactive Python shell.

Dump the drives (-D)

Setting this option dumps all the partition drives on the target windows system.

Dump event logs (-E)

Setting this option dumps all event logs on the target Windows system.

Dump user groups (-G)

Setting this option dumps all user groups present on the target system.

Dump all shares (-H)

Setting this option dumps all the network shares on the target system.

View installed software (-I)

All the programs that are installed on the target Windows system can be viewed using this option.

View all scheduled tasks (-j)

This option shows all scheduled tasks if any on the target system.

View kernel drivers (-k)

This option shows information about the kernel drivers on the target system.

View logged in users (-L)

View NT objects (-O)

View directory tree of program files (-p)

View Registry settings and permissions (-r)

View processes running on target system (-R)

View all users on the target system (-U)

View all files and directories (-A)

This option shows all the files and directories on the target system and saves the output into a file named wpc.

Perform all simple checks (-a)

This option performs all simple checks on the target system.

Saving report

Windows-privesc-check has a lot of options for saving the output.

Report only privilege escalation issues relating to current user (-c)

Setting this option reports only the privilege escalation issues that can be exploited by the users you specify.

Same as above but users are specified in a file.

Setting this option allows you to ignore vulnerabilities that can be exploited by specific users: windows-privesc-check ignores privilege escalation issues that are exploitable by the users in the list you set.

Same as above, but the ignore list is specified in a file.

Setting the above option reports all weaknesses that are exploitable by any user. This is known as a zero-trust policy.

Learn about Unix-privesc-check, a tool that helps in elevating privileges on a Linux system.