Posted on

Beginners guide to Ettercap

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what is sniffing and what is Man in the Middle (MITM) attacks etc. In this blogpost, you will learn about a tool named Ettercap. Ettercap is an open-source sniffer and a comprehensive suite for performing man in the middle attacks. With Ettercap we can perform both active and passive protocol analysis, data injection etc.

Let’s see how to use Ettercap for sniffing. For this tutorial, I will be using Kali Linux as my attacker system as ettercap is installed by default on it. As a target system, I am using Metasploitable 2 (see how to create a virtual hacking lab). Ettercap can be started in both command line and GUI. For this tutorial, let’s use the graphical version.

To start ettercap in graphical mode, start ettercap with the “-G” option as shown below.

sudo ettercap -G
Ettercap 1

The GUI version of Ettercap opens as shown below.

Ettercap 2 1

You can also open a network capture file (pcap file) using Ettercap. To start sniffing with ettercap, we have to click on the highlighted part as shown below after selecting the interface we want to sniff on.

Ettercap 3

As soon as you do this, Ettercap loads all its plugins and engines required for sniffing. By default, ettercap starts sniffing automatically. It can be stopped or started by clicking on the highlighted part as shown below.

Ettercap 4

Before you perform any attack, you need to know about all the devices on the LAN. Clicking on the tab highlighted in the image below makes this tool scan for all the LIVE hosts on the network.

Ettercap 5

After the scan is finished, ettercap adds the detected hosts.

Ettercap 6

The added hosts can be viewed by clicking of the tab highlighted below.

Ettercap 7

In our case five hosts have been added. I want to sniff the communication taking place between two machines. To do this, I right click on the IP of the client machine with IP 192.168.249.162 and add it as Target 2.

Ettercap 8

Similarly, I add the server machine with IP 192.168.249.149 as Target 1.

Ettercap 9

Needless to say, these two machines are the machines I want to perform sniffing on.

Ettercap 10

Then, I open the MiTM menu of this tool and select ARP poisoning as shown below.

Ettercap 11

This opens a new window as shown below.

Ettercap 12

I select “sniff remote connections” option and click on “OK”. This starts the ARP poisoning attack and all the traffic intending to go for 192.168.249.162 (client machine) to192.168.249.149 (server machine) will be sniffed. From the client machine, I make a telnet connection to target system.

Ettercap 13
Ettercap 14

Then on ettercap, I open the menu and go to view > connections.

Ettercap 15
Ettercap 16

This will show all the connections being made between client and the server.

Ettercap 17

In the above image, we can see one connection from IP 192.168.244.162 to port 23 of 192.168.249.149. Clicking on it will reveal the connection data exchanged between the two machines.

Ettercap 18

By default, the data from the client and server machines are shown in different tabs. You can see the credentials being exchanged between client and server. You can even join both the views for clarity.

Ettercap 19

Here, you can see the clear text credentials used to login into the telnet server.

Ettercap 20
Posted on

Beginners guide to tcpdump

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about packet sniffing and packet analyzing. A sniffer or a packet analyzer plays a very important role in packet sniffing. In this blogpost, you will learn about a sniffer or packet analyzing tool called tcpdump.

tcpdump is an open-source data-network packet analyzer that runs under a command line interface. It works on almost all Unix-type operating systems like Linux, Solaris, FreeBSD, macOS etc. Tcpdump was written by Van Jacobson, Sally Floyd, Van Paxson and Steven McCanne in 1998 while working in Lawrence Berkely Laboratory Network Research group. Let’s see how to perform packet sniffing with tcpdump. For this tutorial, we will be using Kali Linux as tcpdump is installed by default on it.

The command to start sniffing with tcpdump is given below.

tcpdump

if you are unable to start tcpdump with the above command, run tcpdump as sudo. On many UNIX operating systems, running this command requires SUDO privileges.

sudo tcpdump
Tcpdump 1
Tcpdump 2

As soon as you execute the above command, tcpdump starts sniffing on all the network interfaces connected to the machine. If you want tcpdump to perform sniffing on only a specific interface, you can specify the interface with the ‘-i’ option.

sudo tcpdump -i <network interface>
Tcpdump 3
Tcpdump 4 1

Depending on the number of devices connected to the interface, the packet analysis output may contain heavy or less traffic. To view traffic belonging to only one machine on the network, you can use the “host” option and specify the IP address. For example, let’s say we want to only see traffic belonging to device with IP 192.160.254.144 on the network. Here’s how to do it.

sudo tcpdump -i <network interface> host <host ip>
Tcpdump 5
Tcpdump 6

Let’s say you want to view traffic only that is originating from a particular device, you can use the option “src” for that.

sudo tcpdump -i <network interface> src <device IP>
Tcpdump 7

Similarly you can also view only the traffic that is coming to the particular system using the “dst” option.

sudo tcpdump -i <network interface> dst <device IP>
Tcpdump 8

We can also view traffic belonging to a specific part using the “port” option.

sudo tcpdump -i <network interface> port <port number>
Tcpdump 9

To write the output to a file, we have to use the “-w” option as shown below.

sudo tcpdump -i <network interface> port <port number> -w <file to write to> 
Tcpdump 10

To open the saved pcap file, you have to use the ‘-r’ option as shown below.

sudo tcpdump -r <pcap file>
Tcpdump 11

This pcap file can also be opened with Wireshark.

Posted on

WhatWeb tool: Beginners guide

Hello, aspiring ethical hackers. In one of our previous blogpost, you learnt about what is website hacking, what are the various website hacking techniques used by hackers etc. In this blogpost, you will learn about WhatWeb tool, a web scanner.

WhatWeb tool is a tool that can be used to identify a website. As its makers say, the goal of WhatWeb tool is to answer the question “What is that website?”.

That’s right because WhatWeb can identify a variety of web technologies used on a website that include web servers, Content Management System (CMS), blogging platforms, statistics and analytic packages, JavaScript libraries, embedded devices, version numbers of the software, email addresses, account in web framework modules, SQL errors etc. WhatWeb too has over 1800 plugins, each to recognize something different.

WhatWeb is installed by default in Kali Linux. Let’s see how to use it for scanning the website. As target, we will be using Multillidae in Metasploitable 2. To scan a website, all you have to do is specify the target website or its IP to WhatWeb as shown below.

Whatweb 1
Whatweb 2

WhatWeb has different levels of aggression while scanning its targets. By default it is set to 1 (stealthy) and it makes one HTTP request per target. However, we can set the level of aggression while scanning the target. If we set the aggression level to “3 (aggressive)” as shown below, WhatWeb will send additional requests once it finds a level 1 plugin.

Whatweb 3

Similarly, setting the aggression level to “4 (Heavy)”, WhatWeb makes a lot of HTTP requests per target. In this level, URLs from all plugins are attempted.

Whatweb 4

At the beginning of the article, I told you that WhatWeb has lot of plugins each suited for a specific purpose. You can view all the plugins of WhatWeb using the “-l” option.

Whatweb 5
Whatweb 6

If you want to view the information about each plugin the “–info-plugins” option will do this for you.

Whatweb 7
Whatweb 8

You can also search for a particular plugin from the list of plugins using the “–search- plugins” option. For example, let’s search for webdav plugin in WhatWeb.

Whatweb 9
Whatweb 10

To use a particular plugin the option is “-p”. For example, let’s use the “webdav” plugin with the same target.

Whatweb 11

If you want the result to be in more detailed format while scanning with WhatWeb, you can use the verbose option with WhatWeb.

Whatweb 12
Whatweb 13
Whatweb 15
Whatweb 16

Whatweb also has a quiet mode scan option that scans a website without showing output to terminal (stdout) as shown below.

Whatweb 17

Posted on

Beginners guide to dirbuster

Hello, aspiring ethical hackers. In this blogpost, you will learn about dirbuster, a tool used to scan web directories and file names on web application servers. Dirbuster is written in Java and can be installed on Linux systems. Almost all pentesting distros include this in their tools list. For this tutorial, we are going to use Kali Linux. Dirbuster can be started on Kali by using the command as shown below.

dirbuster
Dirbuster 1

Typing this command will open a GUI window as shown below.

Dirbuster 2

Here, you can configure all the options required to scan the target web server. For this tutorial, we will be using Metasploitable 2 as our target. Any directory scanning and fuzzing tool is as good as the wordlist it uses while scanning for hidden directories and files. Dirbuster provides its own set of wordlists which are located in “usr/share/dirbuster/wordlists” directory in Kali.

Unlike other wordlists, these wordlists are created using a different approach. These lists are created from scratch by crawling the internet and making a collection of the all the files used by all developers. It comes with a total of 9 different lists. If all these lists fail, dirbuster also has brute force option.

Dirbuster 3A

The scan starts. Depending on the size of the target web server, finishing time may vary. The progress of the scan will be displayed in the “scan information” tab.

Dirbuster 4

As the scan continues, you can see the results in different views. The “List view” shows all the detected directories and files by dirbuster in the form of a list.

Dirbuster 5

You can also see the results of the scan in the form of “Tree view” that enables us to gain understanding about the target web server directories structure.

Dirbuster 6

You can right click on the detected directories for more options as shown below.

Dirbuster 6a

If dirbuster faces any errors while scanning directories, they are displayed in the “errors” tab.

Dirbuster 7

You can wait until the scan finishes or you can even end the scan by hitting “stop” button. Once you do that, dirbuster will prompt you to save the result of the scan as shown below.

Dirbuster 8

You can also use dirbuster by specifying its options through command line. The basic options to set are the URL and the wordlist. These can be set with ‘-U’ and ‘-r’ options respectively.

Dirbuster 9
Dirbuster 10

Then, all you have to do is click on “Start”. If you want to find files with a particular extension with dirbuster the option is ‘-e’. For example, let’s say you want it scan for files with “php” extension here is the command,

Dirbuster 11

To save the output of dirbuster scan, use command line option ‘-r’.

Dirbuster 12

Headless mode (-H)

You can run dirbuster in headless mode without GUI option as shown below.

Dirbuster 13
Dirbuster 14

Posted on

Aircrack-ng: Complete guide to beginners

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what is Wifi hacking and different techniques to hack wireless networks. In most of these hacking techniques, a tool named aircrack plays a very important role.

In this blogpost, you will learn about this tool. Aircrack-ng or aircrack ng is a complete suite of tools used to test wi-fi network security. The various functions of aircrack include,

  1. Monitoring: It can be used to capture wireless packets and save data in text file which can be processes by third party tools.
  2. Attacking: We can use it too perform various wireless attack like Replay attacks, DE authentication access points and other attacks.
  3. Testing: Checking Wi-Fi cards and capability of the drivers. (capture and injection)
  4. Cracking: For cracking WEF and WPA PSK (WPA 1 and WPA 1) passwords.

Just now, we have learnt that aircrack-ng is a combination of tools. Let’s understand what those tools are and what are they used for.

1. airbase-ng:

It is a multi purpose tool that can be used to attack the Wi Fi client instead of the Wi Fi access point.

2. airdecap-ng:

With this tool, you can decrypt WEP/WPA/WPA2 capture files. It is also used to remove the wireless headers from an unencrypted wireless capture.

3. aircrack-ng:

It is key cracking program.

4. airdecloak-ng:

Some wireless Intrusion Prevention System (WIPS) prevent WEP from being cracked by using fake WEP frames. This tool removes the WEP cloaking frame a captured pcap file.

5. airdrop-ng:

airdrop-ng is a program used to de authenticate users from access points. It uses rule based de authentication techniques that can be MAC address, type of hardware, etc.

4. aireplay-ng:

This tool is used to inject frames. It is used to generate traffic which can be used later by aircrack-ng for WEP and WPA-PSK key cracking.

5. airmon-ng:

It is used to enable monitor mode on wireless interfaces.

6. airodump-ng:

This tool is used to capture raw 802.11 packets. It is used particularly for collecting WEP IVS or WPA handshakes to crack later with aircrack.

7. airolib-ng:

This is a tool designed to store and manage ESSID and password lists. calculate their Pairwise Master Keys (PMK’s) and use them in WPA/WPA2 cracking.

8. airtun-ng:

This tool creates a virtual tunnel interface. It has two basic functions. They are, allowing all encrypted traffic to be monitored for wireless interface detection system (WIDS) and injecting arbitrary traffic into a network.

9. Besside-ng:

It is used to automatically crack WEP and WPA networks . See how to automatically crack WEP and WPA networks with Besside. Learn more about it .

10. dcrack-ng:

dcrack is used to distribute WPA2 / PSK cracking process across multiple servers.

11. easside-ng:

This tool is a magic tool that allows you to communicate with a WEP access point without knowing its WEP key.

12. packetforge-ng:

This tool is used to create encrypted packets to be used for packet injection. Using this tool, we can create various types of packets like ARP requests, UDP, ICMP and custom packets.

13. tkiptun-ng:

This tool is used to inject a few frames into a WPA TKIP network.

14. wesside-ng:

Wesside-ng is another auto-magic tool that uses a variety of techniques to get the WEP key.

    Cracking WEP passwords with aircrack

    Let’s see how to crack WEP passwords with aircrack. All wifi hacking attacks require a wireless adapter that supports packet injection. For this tutorial, I am using ALFA Wireless USB adapter. My attacker machine is Kali Linux which is installed on VMware. So I first connected the ALFA wireless adapter to my laptop and make sure it is connected to the Kali Linux virtual machine. Now, I open a terminal in Kali Linux and type command shown below that shows all the wireless interfaces connected to the machine.

    iwconfig
    
    Wep Crack 1

    Then I start monitor mode on the wireless interface. Monitor mode is just like promiscuous mode on wired interfaces. When in monitor mode, the wireless adapter sniffs on all the wireless traffic around.

    Wep Crack 2

    I once again run the “iwconfig” command to have a look at the wireless interfaces to confirm monitor mode started on the Wireless interface.

    Wep Crack 4

    As you can see the name of the wireless interface changed from waln0 to wlan0mon. The monitor mode is on. To see all the traffic being observed by the wireless interface, I run the command airodump-ng on the wireless interface.

    how to crack wep with aircarck

    As you can see, this shows all the wireless traffic around us. There are many wireless networks available but my target is the Wi-Fi Access point I named “Hack_Me_If_You_Can”. I use the same airodump-ng to target the MAC address of target’s Access point and route all the traffic it has to a file named wep_hc_crack.

    Wep Crack 7 1024x426

    In the above image, you can see the clients connected to the targeted Wi-Fi Access point. All the traffic belonging to the Wi-Fi access point “Hack_Me_If_You_Can” will be saved in the file “wep_hc_crack.cap”. What I am looking for is the initialization vectors that are useful in cracking WEP. This initialization vectors play a key role in cracking the password of any WEP enabled Wi-Fi access point.

    Just remember the more IV’s we have, the more the chances of cracking the WEP password. Since I need more traffic to crack the WEP password fast, I can use some tricks to create more traffic. A feature of aircrack-ng, aireplay-ng helps us to create more traffic. It has various methods of creating additional traffic. One such method is ARP request replay attack.

    The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a ne- w IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key. This attack can be started as shown below.

    Wep Crack 9

    where “-h” option is used to specify the MAC address of any client we want to use. Here is another way in which you can start the ARP replay attack.

    Wep Crack 15

    As initialization vectors start collecting in the wep_hc_crack file, I can use aircrack to try cracking the password. The command is “aircrack-ng wep_hc_crack.cap“.

    Wep Crack 10 1024x267

    If the initialization vectors are too less (in this case I have a new 20) aircrack wait for enough initialization vectors. I continue the ARP request replay attack until traffic increases.

    Wep Crack 12 1024x276
    Wep Crack 14 1024x281

    You can see the traffic increasing. All have to do is play the game of patience now .

    Wep Crack 18 1024x316
    Wep Crack 19 1024x306
    Wep Crack 20 1024x286
    Wep Crack 21 1024x297

    After collecting almost 25000 IV’s aircrack finally cracked the WEP password. The password of the Wi-Fi access point is 1234567899. It’s a 64bit hexadecimal key. As you can see, it took me around one hour thirty five minutes for me to crack the password.

    Cracking WPA / WPA2 passwords with aircrack

    Now, let’s see how to crack WPA / WPA2 with aircrack. WPA stands for Wifi Protected Access. It is an encryption system to secure WLAN networks. It eliminates all known vulnerabilities in WEP(Wired Equivalent Privacy). WPA uses 128 bit key and 48 bit initialization vector while WEP uses 108 bit key with 24 bit initialization vector. WPA2 is the successor of WPA. Both WPA and WPA2 use temporal key integrity protocol(TKIP) for encryption and pre-shared key(PSK) authentication. The only difference between WPA and WPA2 is that they use Rivest Cipher(RC4) and Advanced Encryption Standard(AES) encryption algorithms respectively. Both can be configured to use counter cipher block chaining mode(CCM) though. They are by far considered most secure for Wifi networks.

    I am using the same arrangement I used for cracking WEP above. So let’s start. Once you have booted into Kali Linux, open terminal and type command “iwconfig”. It lists your wireless interfaces just like ifconfig shows wired interfaces.

    Wpacrack1

    We can see that we have a wireless interface wlan0. Now we are going to start monitor mode on our wireless interface. Monitor mode is same as promiscuous mode in wired sniffing. Type command shown below. We can see below that monitor mode has been enabled on “mon0″.

    airmon-ng start wlan0
    
    Wpacrack2

    Now let’s see all the traffic collected by our wireless interface. Type command airodump-ng mon0.

    Wpacrack3

    Hit Enter. We can see all the wireless networks available as shown below.

    crack wpa

    We can see that all the wifi networks are configured with WPA2 or WPA. We are going to hack the network “shunya”. We will collect the shunya’s network traffic into a file. Open a terminal and type command “airodump-ng –bssid <Mac address of wifi access point> -c 13 –write wpacrack mon0″.

    Wpacrack5

    where

    • –bssid stands for base station security identifier
    • <MAC address> is the Mac address of access point.
    • -c is used to specify the channel the wifi network is operating on.
    • –write to write to a file.
    • “wpacrack” is the file name we are writing into.
    • mon0 is the interface.

    Hit Enter. We will see the result as below.

    Wpacrack6

    We can only hack a WPA/WPA2 protected Wifi network by capturing its handshake process or association( when the client is trying to connect to the wifi network.). So let’s try to disconnect all the clients connected to the wireless network “shunya” first. Open a new terminal and type the command

    aireplay-ng –deauth 100 -a <MAC> –ignore-negative-one mon0
    

    where

    –deauth are the de authentication packets,

    100 are the number of de authentication packets we want to send.

    -a stands for access point.

    <MAC> is the MAC address of the wireless access point.

    Wpacrack7

    This command will send 100 de authentication packets to the broadcast address of the wireless access point. This will make all the clients connected to the “shunya” get disconnected. As soon as this happens, all the clients will try to connect back to the wireless network once again. We can see that a WPA handshake has happened in the previous terminal.

    Wpacrack8

    Now let’s see where our capture file is located. Type “ls”. We will do dictionary password cracking here. So let’s find out where the dictionaries are. Type commandlocate wordlists”. This will show us a number of wordlists available by default in Kali Linux.

    Wpacrack9

    Our captured traffic is stored in .cap file. We will use the wordlist big.txt for cracking the password. Open a new terminal and type command

    aircrack-ng wpacrack-01.cap -w /usr/share/dirb/wordlists/big.txt 
    
    Wpacrack10

    Hit Enter. If our dictionary or wordlist has this password, the result will be as below. If our dictionary doesn’t have the password, we have to use another dictionary or wordlist.

    Wpacrack11

    Remember that the choice of dictionary or wordlist will play a key role in WPA/WPA2 password cracking. So that is one way in which we crack wpa wpa2 password with aircrack for you. Hope this was helpful. Learn how to crack WPA WPA2 with Fern Wifi cracker.