Category: Hacking

Posted on by

Cracking Wifi passwords automatically with Wifite

Hello aspiring ethical hackers. In this article, you will learn about a tool named Wifite. It is an automatic Wireless password cracking tool that tries almost all known methods of wireless cracking like Pixie-Dust attack, Brute-Force PIN attack, NULL PIN attack, WPA Handshake Capture + offline crack, The PMKID Hash Capture + offline crack and various WEP cracking attacks.
Wifite is installed by default on Kali Linux. Just like any wireless password cracking method, Wifite needs monitor mode to be enabled on the wireless interface as shown below. However, it automatically enables this monitor mode but if it fails to enable it, you can enable it manually as shown below.

Wifite Wep 2
Wifite Wep 3

Let’s see how Wifite works in cracking WEP, WPA and WPS enabled networks. Once everything is ready, open terminal and start Wifite using command as shown below.

wifite

It starts displaying all the wireless networks in your vicinity as shown below.

Wifite Wep 6

Let’s target the Access Point “Hack_Me_If_You_Can” which has WEP security enabled. Once you select the access point you want to target, hit CTRl + C and enter the number of that access point. In our case it is “1”.

As soon as you enter the number of that access point, Wifite tries out various attacks against the access point and grabs its password as shown below.

Wifite Wep 7

WEP is too easy. Let’s see how it fares in cracking WPA password. We start Wifite as shown above. Our target is once again “Hack_Me_If_You_Can”. However, as you can see it is secured with WPA now.

Wifite Wpa 3

It starts attacking employing various methods as shown below.

Wifite Wpa 5 1024x561

Now, let’s target a Access Point with WPS pin enabled.

Wifi Wps 7 1024x421
Wifi Wps 8 1024x374

As you can see, Wifite is successful in cracking WEP, WPA and WPS keys automatically without running any complex commands . Learn how to crack Wifi passwords with Besside-ng.

Posted on by 1 Comment

Besside -ng : A tool to hack Wi – Fi automatically

Hello aspiring Ethical hackers. In this article, we will learn about a tool named Besside -ng, which can automatically crack WEP passwords and log WPA handshakes. This tool authored by Andrea Bittau is made in the line of another tool, Wesside-ng which only cracks WEP passwords automatically.

Before you run Besside-ng, monitor mode should be enabled on the wireless interface as shown below.

Besside Wep 2
Besside Wep 3

Once monitor mode is enabled on the wireless interface, we can run Besside-ng as shown below to automatically crack all the WEP passwords and log WPA handshakes.

Besside Wep A

If you want to crack the WEP password of a single Access Point, the command is as shown below

where “-c” is used to specify the channel the Wireless Access Point is running on and “-b” is the –bssid of the Wi -Fi access point.

how to use besside to crack wifi passwords

Besside-ng automatically starts creating traffic and cracking the WEP key as shown below.

Besside Wep 5
Besside Wep 6

As you can see in the above image, it cracked a 64bit ASCII WEP key in less than 1 minute. How about 64 bit hexadecimal WEP key that’s a bit complex.

Besside Wep 7

This key was cracked in 63 seconds. How long it will take to crack the same key we cracked earlier with aircrack?

Besside Wep 8

It took just 45 seconds to crack the password. This time, I generated a complex WEP key and tried again. The key was cracked in around 15 minutes as shown below.

Besside Wep 9

Here’s the WEP key I set.

Besside Wep 10

Just like cracking WEP, even Cracking WPA can be automated using tool besside-ng. To do this, we run besside-ng on the target wi-fi network.

Wpa Crack 16
Wpa Crack 17
Wpa Crack 18

Besside-ng automatically captures WPA handshake. Then all we have to do is run aircrack on the wpa.cap file.

Besside Wep B
Besside Wep C

The WPA key has been cracked successfully.

Posted on by

How to crack wpa2 psk wifi passwords

Hello aspiring ethical Hackers. In one of our previous blogposts, you learnt in detail about WiFi hacking, different wireless threats and security protocols used to secure WiFi. In this blogpost, you will learn how to crack different wireless security protocols with a tool named aircrack ng.

Aircrack-ng is a complete suite of tools to assess WiFi network security. It is a command line tool focusing on different areas of WiFi security like

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

Let’s see how to crack WEP passwords with aircrack. I bought a new Alfa Wireless Adapter and I want to get straight away into cracking a WEP password. My Attacker machine is Kali Linux which is installed on VMware. So I first connected the GOD given ALFA Wireless adapter to my laptop, make sure it is connected to the virtual machine, open a terminal in Kali Linux and type command “iwconfig” to make sure my wireless adapter is connected.

Wep Crack 1

Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.

Wep Crack 2

I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.

Wep Crack 4

As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.

how to crack wep with aircarck

As you can see, this shows all the wireless traffic. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.

Wep Crack 7 1024x426

In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point hack me if you can will be saved in the file wep_hc_crack.cap. What I am looking for is the initialization vectors that are used in cracking WEP. This initialization vectors play a key role in cracking the password of this Wi-Fi access point.

How? As I already told you, I will not tell you the technical jargon of this article for now. Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some Jugaad to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack. According to the website of aircrack,

The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.

Wep Crack 9

where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.

Wep Crack 15

As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.

Wep Crack 10 1024x267

If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.

Wep Crack 12 1024x276
Wep Crack 14 1024x281

You can see the traffic increasing. All have to do is play the game of patience now .

Wep Crack 18 1024x316
Wep Crack 19 1024x306
Wep Crack 20 1024x286
Wep Crack 21 1024x297

After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.

Now let’s see how to crack WPA/WPA2 with aircrack. WPA stands for Wifi Protected Access. It is an encryption system to secure WLAN networks. It eliminates all known vulnerabilities in WEP(Wired Equivalent Privacy). WPA uses 128 bit key and 48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and pre-shared key(PSK) authentication. The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered most secure for Wifi networks.

On Kali Linux, open terminal and type command “iwconfig”. It lists your wireless interfaces just like ifconfig shows wired interfaces.

Wpacrack1

We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on our wireless interface. Monitor mode is same as promiscuous mode in wired sniffing. Type commandairmon-ng start wlan0″. We can see below that monitor mode has been enabled on “mon0″.

Wpacrack2

Now let’s see all the traffic collected by our wireless interface. Type command airodump-ng mon0.

Wpacrack3

Hit Enter. We can see all the wireless networks available as shown below.

Wpacrack4

We can see that all the wifi networks are configured with WPA2 or WPA. We are going to hack the network “shunya”. We will collect the shunya’s network traffic into a file. Open a terminal and type command “airodump-ng –bssid <Mac address of wifi access point> -c 13 –write wpacrack mon0″.

Wpacrack5

where

–bssid stands for base station security identifier

<MAC address> is the Mac address of access point.

-c is used to specify the channel the wifi network is operating on.

–write to write to a file.

wpacrack is the file name we are writing into.

mon0 is the interface

Hit Enter. We will see the result as below.

Wpacrack6

We can only hack a WPA/WPA2 protected wifi network by capturing it’s handshake process or association( when the client is trying to connect to the wifi network.). So let’s try to disconnect all the clients connected to the wifi network “shunya” first. Open a new terminal and type the command “aireplay-ng –deauth 100 -a <MAC> –ignore-negative-one mon0″.

where

–deauth are the deauthentication packets,

100 are the number of deauthentication packets we want to send.

-a stands for access point.

<MAC> is the MAC address of the wifi access point.

Wpacrack7

This command will send 100 DE authentication packets to the broadcast address of the wifi access point. This will make all the clients connected to the shunya get disconnected. As soon as this happens, all the clients will try to connect back to the wifi network once again. We can see that a WPA handshake has happened in the previous terminal.

Wpacrack8

Now let’s see where our capture file is located. Type “ls”. We will do dictionary password cracking here. So let’s find out where the dictionaries are. Type commandlocate wordlists”. This will show us a number of wordlists available by default in kali linux.

Wpacrack9

Our captured traffic is stored in .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type command “aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt”.

Wpacrack10

Hit Enter. If our dictionary has the password, the result will be as below. If our dictionary doesn’t have the password, we have to use another dictionary.

Wpacrack11

Remember that the choice of dictionary will play a key role in WPA/WPA2 password cracking. So that is one way in which we crack wpa wpa2 password with aircrack for you. Hope this was helpful. Learn how to crack WiFi passwords with Fern WiFi Cracker.

Posted on by

Tomcat War Deployer : A tool to hack Tomcat

Hello aspiring Ethical Hackers. In this article you will learn about Tomcat War Deployer a tool used to pen test a Apache Tomcat system.

In the Real World Hacking Scenario of our HackercoolMag May2020 Issue, you will see how Hackercool exploits a Apache Tomcat system that is placed behind a Router. In that scenario, once Apache Tomcat credentials are compromised, he makes a war payload with Metasploit. Once the payload executes, he gets a shell on the target.

However, Metasploit is not the only tool that is used to make malicious WAR payloads. The Tomcat War Deployer is another tool that can be used to make WAR payloads which can be used for penetration testing. A WAR stands for Web Archive. It can include servlet, xml , jsp, image, html, css and js files etc. This files are created in Java.
The Tomcat War Deployer can be used from Kali Linux and can be cloned from this Github link as shown below.

Wardeployer1

Once the cloning is done, you should see a new directory named tomcatWarDeployer in the directory from which you cloned. Move into that directory and type the command highlighted in the image given below. The “-h” option is help and it displays all the commands that can be used with this tool.

how to use tomcat war deployer to hack tomcat targets
Wardeployer3
Wardeployer4

Now, let’s see how to create a payload with Tomcat WarDeployer.

Wardeployer5a
Wardeployer5

The “-H” option is used to specify the host IP address to which we want our shell to be connected (i.e the attacker system’s IP address). The “-p” option specifies the port on which the shell should connect to (we specified port 4646 here). The “-G” option is used to specify the name of the output file. We named it tomcat_shell for this article.

Wardeployer6

Let’s upload this shell to the target. We are using the same target that we have used in the Real World Hacking Scenario of the Hackercool Magazine May 2020 Issue.

Wardeployer7 1024x399
Wardeployer8 1024x463

Before executing it, let’s start a Netcat listener on port 4646.

Wardeployer9

When you click on the payload on the target, you will see something as shown below. Your payload is protected with a password to prevent its misuse from others (read hackers). However this password is randomly generated and even you will lose access if you don’t know it.

Wardeployer10 1024x327

The “-X” option is used to set the password for our payload. Setting it to “None” as shown below will not set any password for our payload.

Wardeployer11

You can set any password you want as shown below. Here, we set it to “hcool”.

Wardeployer12

The “-v” option is used to set the verbose mode. This gives more clear details about the creation of payloads. You can see it below.

Wardeployer13
Wardeployer14

Now, let’s create a payload named “tomcat_shell.war” without any password.

Wardeployer15

Here’s how its looks.

Wardeployer16 1024x325
Wardeployer17 1024x349

Let’s create the payload with password “123456”. It is wise to generate a payload with a password while penetration testing to avoid misuse.

Wardeployer18
Wardeployer19 1024x335

The “-s” option simulates the breach without performing any offensive actions.

Wardeployer20

Simulation helps us to verify if the attack works without changing anything on the target system. The “-U” option is used to set the username and “-P” option is used to set the password. These are the credentials we need to login into the target.

Wardeployer21
Wardeployer22

In the above image, the simulations says that it reached the target, validated the credentials and did everything to prove that the attack works. But it did not deploy the payload.
The “-C” option specifies not to connect to the spawned shell immediately. By default, it connects to the spawned shell immediately. This option stops that letting us use other handlers like Metasploit or Netcat. Since we already started a Netcat listener, we will use this option for now. We can specify the target IP address and port at the end of the command as shown below.

Wardeployer23
Wardeployer25

At our Netcat listener, we already have a shell as you can see in the image below.

Wardeployer28

If you don’t specify the “-C” option, shell will be automatically spawned as shown below.

Wardeploy29 1
Wardeploy31

Finally, after the penetration test is completed, you can delete the uploaded payload using the “-R” option. You need to specify the name of the payload with the “-n” option. The example is shown below.

Wardeploy32

Posted on by

PrintNightmare, Privilege Escalation in Powershell

PrintNightmare is a critical vulnerability affecting the Microsoft Windows operating systems. The recently disclosed vulnerability is present in the print spooler service of Microsoft Windows. The printer spooler service is used for printing services and is turned on by default. The versions of Windows vulnerable to PrintNightmare include Windows 7 to Windows 10 and windows Server 2008 to the latest version of Windows Servers.

The PrintNightmare vulnerability has two variants : one is enabling remote code execution (CVE-2021-34527) and the other privilege escalation (CVE-2021-1675). In this article, readers will see a demonstration of exploiting the privilege escalation vulnerability in PrintNightmare.
For this demonstration, we will use Windows 10 version 1809. The Powershell Script we used in this demo can be downloaded from Github.

In this scenario, imagine I already have access to the target machine as a user with low privileges. Let me demonstrate it to you. The first thing I need to confirm is whether the printer spooler service is running on the target system or not. This can be done using powershell command “Get-Service -Name “spooler”“.

PNm Powershell Lpe 1

The print spooler service is running. Now I can exploit it. Before that let me show you that I am a user with limited privileges i.e as “user 1” with very limited privileges.

PNm Powershell Lpe 3
PNm Powershell Lpe 4

Next, I already downloaded the Powershell script I need to exploit the Printnightmare vulnerability .So I moved to the Downloads folder where the Powershell script is saved. Once I am inside that folder, I run the command

Import-Module .\ <script Name>“as shown below.

PNm Powershell Lpe 5

Once the Powershell module is imported, I can execute the script with command
Invoke-Nightmare -NewUser “<username to create >” -NewPassword <password for that new user> DriverName “PrintMe”
This command will create a new user with administrator privileges.

How to exploit printnightmare

In the image above, you can see the existence of new user named “hacker” which I created. Now, let’s check the privileges of this user.

PNm Powershell Lpe 7

As readers can see, the new user I created belongs to the local administrators group. I reboot the system and try to login as that user.

PNm Powershell Lpe 9 1024x576
PNm Powershell Lpe 10

The exploitation is successful.