Archives 2020

DSTIKE Deauther Watch Tutorial and Review

Have you ever wanted to play around with the limitless Wi-Fi around you but didn’t bring your laptop? Well, luckily this sweet little watch is the perfect answer to just that problem. I’m going to go over the controls in more depth below, but I figure I should give you a link to see what I’m talking about if this is your first time hearing about this watch. (DSTIKE Watch)

After I got mine it’s been a blast to play around with, as well as to give live impromptu demonstrations about the dangers and limitations of the Wi-Fi that everyone takes for granted. There was even one time I needed to free up some bandwidth on a public Wi-Fi for a download, so I kind of booted everyone but me off the network for a bit. Sorry, script writers at Starbucks, but my VM download trumps your “Next Big Story”. If you’re just getting into playing with Wi-Fi networks from a pentesting standpoint or want to get a more hands-on feel for what deauthing is like in the wild, I can’t recommend this device more. It’s the next best thing to a pineapple, but that is for another post.

Controls Explained

From first powering on the watch you will be given a boot message telling you information about the board used, who developed it (@Spacehuhn), and what version the deauther watch is running. After that message disappears you will be given the ability to choose from six different menu options.

  • SCAN
  • SELECT
  • ATTACK
  • PACKET MONITOR
  • CLOCK
  • LED

SCAN

Scan is used to discover access points as well as Wi-Fi stations within range of the watch. Unfortunately, due to the limitation of the hardware’s chipset, it won’t be able to discover or interact with 5 GHz signals. But don’t worry, cell phones are still susceptible to this watch thanks to the dual-band setup they use. While it can scan for APs and STs at the same time, which honestly is what I use 90% of the time when I scan, you can go a more stealthy route and only scan one or the other. This will just depend on your objective and personal preference.

SELECT

Select is going to be the next option on the list from the home menu, as well as your next step after a scan has been completed. Any access points and stations picked up by DSTIKE will be stored here. Simply select either the APs or Stations option to start selecting them. The APs will show the names of the networks as you would see them if you were to connect from your cell phone, for example NETGEAR65-2G, GirlsGoneWireless, Xfinitynew, etc. You can either click each one on the list that you would like to use, or at the bottom of the list you get the option to SELECT ALL; the same goes for DESELECT ALL and REMOVE ALL. Remove all will remove them from the select list and would require a new scan to populate the select list again.

ATTACK

Attacking is probably the most enjoyable part of this whole watch. After all, it’s called DSTIKE Deauther, not DSTIKE Conversation Piece. After you’ve selected the targets you would like to deauthenticate in the select option described above, simply select DEAUTH and hit start. This will start sending deauth packets to the selected targets for as long as you are running the attack. Under the attack option you also have the option to send out a Beacon attack; this advertises to the surrounding area that APs are available for connection. By default these APs are the lyrics to the Rick Roll. You can change the names that the beaconing attack will spawn inside the watch’s settings. The watch will allow you to deploy both deauth and beacon attacks at the same time. Once the attack is started the green indicator light will turn red, alerting you that an attack is underway. Just make sure to turn the attack off when you’re done so as not to drain the battery unnecessarily.

PACKET MONITOR

Packet monitor is really one of the coolest settings to use for me. By selecting this option you get to see in real time the amount of packets being sent around on the different channels. It can listen on channels 1 to 14 and is super useful if you’re interested in what the Wi-Fi area looks like. When using the watch in a new area I like flipping around the channels to see which one has the most traffic. The real fun starts, though, when you find a channel that has low traffic on it compared to the others in the area. Is someone trying to play around with their own Wi-Fi hacking tools? Is it the channel a business is using to separate the staff from the public? No matter the answer, something unique is always worth a look.

CLOCK

The clock is a nice little feature that simply displays the time in minutes since it was last turned on. I particularly like this for the fact that it’s less suspicious to have a watch displaying a time rather than showing bar graphs of the current amount of packets flying by on some wireless channel. Trust me, when you go through a metal detector at your favorite amusement park or airport, you have a lot less explaining to do if you use this display.

LED

This option is really the most self-explanatory. You select this option and an LED turns on at the base of the watch. A little too Spy Kids of a feature for me, but it does stop me from needing to get my phone when I need to read in a dark room I shouldn’t be in.

If you’ve made it to the end, congrats! This really is a fun tool to use. Of course, if you’ve hit this page because you got yours already and wanted some answers on what it does, you already know how cool it is. If you’ve reached the bottom and would now like to get your hands on one, feel free to use This Link and get started right away.

How to use aircrack-ng for Wi-Fi Recon and Hacking

One of the most popular exploits for new hackers to try is cracking Wi-Fi access points. Before someone can even consider attacking a Wi-Fi AP, they need the MAC address of the target AP (also known as the BSSID), the MAC address of the client, and the channel the AP is operating on. All this information and more can be found using the tools in the aircrack-ng suite. This suite of tools is included by default in every version of Kali, so if you’ve got your real hacker hat on you don’t need to apt-get anything.

The first step to get started is to put your wireless network card into monitor mode. This mode allows your card to see all the traffic around it, similar to promiscuous mode for wired network cards. The aircrack way of doing this is as follows:

root@kali: ~# airmon-ng start wlan0

wlan0 in this case is the default wireless network interface; if the command runs into trouble, make sure that wlan0 is in fact there using the ifconfig command. Once your wireless card is in monitor mode, airmon-ng will rename the interface to something like “wlan0mon”. Take note of this rename; it will be important later.

Now that we are listening to all the packets flying by our heads, it’s time to start doing something with them, and that is where the airodump-ng command comes into play. Airodump-ng captures and displays the key data from all the broadcasting APs as well as the clients connected to those APs. The command to do this is as follows:

root@kali: ~# airodump-ng wlan0mon

Airodump-ng will split the output screen into an upper and lower portion. The upper portion has information on the broadcasting APs including:

  1. BSSID: MAC address of the AP or client
  2. PWR: power of the AP (the strength of the signal)
  3. Beacons: how many beacon frames have been detected
  4. #Data: data throughput rate
  5. #/s: how many packets have traversed the wireless card
  6. CH: channel (1-14)
  7. MB: theoretical throughput limit
  8. ENC: encryption protocol
  9. CIPHER: cipher used for encryption
  10. AUTH: authentication type
  11. ESSID: the network name (also known as the SSID)

Now that we have all the information needed to crack the AP, let’s get to the crack itself. To crack the Wi-Fi password you can open three terminals, or three tabs in the same terminal. In the first you would enter a command similar to the following:

root@kali: ~# airodump-ng -c 10 --bssid 01:02:AA:BB:CC:22 -w <capture_output> wlan0mon

That command captures all the packets traversing the AP on channel 10 (-c 10) to the location of your output file (-w <file_name>). In the second terminal we are going to use aireplay-ng to deauthenticate anyone connected to the AP. This will force them to reauthenticate with the AP. The reason for this is that we are going to capture the authentication hash that gets passed in the four-way handshake. This speeds up the cracking process, as you would need a large amount of random packets captured otherwise. The command to do this is as follows:

root@kali: ~# aireplay-ng --deauth 100 -a 01:02:AA:BB:CC:22 -c A0:A2:E1:33:7C:E5 wlan0mon

And in the last terminal, we can use a password list to find the password in the captured hash file (this will be the output in .cap format). This command will do just that:

root@kali: ~# aircrack-ng -w wordlist.dic -b 01:02:AA:BB:CC:22 capture_output.cap
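The deauth and beacon attacks described in the watch post above, and the aireplay-ng deauth step in this one, both leave a very recognizable footprint in the air, and that is what a wireless IDS looks for. The following script is an added example, not code from either post or from the aircrack-ng project: it parses raw 802.11 management frames (no radiotap header, no FCS), flags a BSSID that sends more than a handful of deauthentication frames within one second (a deauth flood), and flags a transmitter that advertises many different SSIDs (beacon spam). The sample frames, the MAC addresses beyond the two used in this post, and the thresholds are constructed for illustration; in practice you would feed it frames read from a monitor-mode interface with a capture library.

```python
import struct
from collections import defaultdict

# 802.11 frame control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Split an 802.11 management frame into (subtype, addr1, addr2, addr3/BSSID, body).
    Returns None for data/control frames or anything too short to hold a 24-byte header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    return (fc0 >> 4, mac_str(frame[4:10]), mac_str(frame[10:16]),
            mac_str(frame[16:22]), frame[24:])


def beacon_ssid(body):
    """Walk the tagged parameters after the 12 fixed bytes and return the SSID (tag 0)."""
    pos = 12  # timestamp (8) + beacon interval (2) + capabilities (2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += 2 + length
    return None


def analyze(frames, deauth_threshold=10, window_s=1.0, ssid_threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    Alerts once per BSSID that sends more than deauth_threshold deauths inside a
    sliding window_s-second window, and once per transmitter advertising more than
    ssid_threshold distinct SSIDs. Thresholds are illustrative assumptions."""
    recent_deauths = defaultdict(list)   # bssid -> timestamps inside the window
    ssids_by_tx = defaultdict(set)       # transmitter -> SSIDs it has beaconed
    flagged, alerts = set(), []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, _addr1, addr2, bssid, body = parsed
        if subtype == SUBTYPE_DEAUTH:
            times = recent_deauths[bssid]
            times.append(ts)
            while times and ts - times[0] > window_s:   # slide the window forward
                times.pop(0)
            if len(times) > deauth_threshold and bssid not in flagged:
                flagged.add(bssid)
                alerts.append(("deauth_flood", bssid, len(times)))
        elif subtype == SUBTYPE_BEACON:
            ssid = beacon_ssid(body)
            if ssid is not None:
                ssids_by_tx[addr2].add(ssid)
    for tx, ssids in ssids_by_tx.items():
        if len(ssids) > ssid_threshold:
            alerts.append(("beacon_spam", tx, len(ssids)))
    return alerts


# --- constructed sample traffic (built in memory, not a real capture) ---

def build_mgmt(subtype, addr1, addr2, bssid, body=b""):
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00" + body


def beacon_body(ssid):
    fixed = struct.pack("<QHH", 0, 100, 0x0411)          # timestamp, interval, capabilities
    return fixed + bytes([0, len(ssid)]) + ssid.encode()  # SSID information element (tag 0)


def sample_frames():
    ap = bytes.fromhex("0102aabbcc22")       # the AP MAC used in the post
    client = bytes.fromhex("a0a2e1337ce5")   # the client MAC used in the post
    spammer = bytes.fromhex("deadbeef0001")  # made-up beacon-spam transmitter
    reason = struct.pack("<H", 7)            # reason code: class 3 frame from non-associated STA
    frames = [(0.1 * i, build_mgmt(SUBTYPE_BEACON, BROADCAST, ap, ap, beacon_body("HomeNet")))
              for i in range(3)]
    # Two isolated deauths (an AP dropping an idle client) are normal.
    frames += [(t, build_mgmt(SUBTYPE_DEAUTH, client, ap, ap, reason)) for t in (1.0, 1.5)]
    # Fifty broadcast deauths "from" the AP inside half a second are not.
    frames += [(10.0 + 0.01 * i, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, ap, ap, reason))
               for i in range(50)]
    # One transmitter advertising eight different SSIDs.
    frames += [(20.0 + 0.1 * i, build_mgmt(SUBTYPE_BEACON, BROADCAST, spammer, spammer,
                                          beacon_body(f"FakeNet-{i}"))) for i in range(8)]
    return frames


if __name__ == "__main__":
    for alert in analyze(sample_frames()):
        print(alert)
```

The detector keys deauth counting on the BSSID rather than the transmitter address because a deauther spoofs the AP’s address, so from the air the flood looks like the AP itself evicting everyone. On the mitigation side, the reason this attack works at all is that management frames are unauthenticated in plain WPA2; networks with 802.11w (Protected Management Frames) enabled ignore forged deauth frames, which is why modern APs and WPA3 require it.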

How to use Nmap like a Hacker

If you’ve spent five minutes looking around at anything related to hacking networks you’ve undoubtedly run across the tool Nmap. And if you’ve just followed whatever example you saw it used in, you are missing out on one of the most powerful hacking tools out there. Let’s start from the beginning: nmap was developed by Gordon Lyon, also known as Fyodor, in 1997. It was created for fun and in the hopes that people would find it useful. And Fyodor, if you’re reading this, it really is. This tool comes by default on Kali machines, but if you are using an OS that doesn’t have it already installed I’ll go over installation right now.

Installing Nmap

Linux RPM Source and Binaries

For simple commands to install nmap on an RPM-based Linux, check out the following. If these don’t work for you, check out the more detailed guide on the nmap site here.

rpm -vhU https://nmap.org/dist/nmap-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/zenmap-7.80-1.noarch.rpm
rpm -vhU https://nmap.org/dist/ncat-7.80-1.x86_64.rpm
rpm -vhU https://nmap.org/dist/nping-0.7.80-1.x86_64.rpm

Mac OS X Binaries

You can get a stable release installer for Mac OS here

Scanning for targets

Before you can start looking at open ports and what services reside there we have to see what hosts are up to begin with.

Scan single IP: root@kali:~# nmap 127.0.0.1
Scan via domain name: root@kali:~# nmap www.target.com
Scan range of IPs: root@kali:~# nmap 127.0.0.1-24
Scan a full subnet: root@kali:~# nmap 127.0.0.1/24
Scan based on IP text file: root@kali:~# nmap -iL iplist.txt
Exclude host from scan: root@kali:~# nmap --exclude 127.0.0.1 127.0.0.1/24
Exclude list from scan: root@kali:~# nmap --excludefile ips.txt 127.0.0.1/24

OS and Service Detection

Now that we can see which hosts are up, we should take a look at what Nmap can do to help us determine the operating system and services on those hosts.

Detect OS and services: root@kali:~# nmap -A 127.0.0.1
Standard service detection: root@kali:~# nmap -sV 192.0.0.1
Aggressive detection: root@kali:~# nmap -sV --version-intensity 5 127.0.0.1
Banner grabbing: root@kali:~# nmap -sV --version-intensity 0 127.0.0.1

Scanning for ports

While nmap has added a dizzying amount of functions and features, port scanning is the core of what it does. Nmap recognizes six states when it comes to ports: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

Scan single port (port 80): root@kali:~# nmap -p 80 127.0.0.1
Scan a range of ports: root@kali:~# nmap -p 22-80 127.0.0.1
Scan top 100 most common ports: root@kali:~# nmap -F 127.0.0.1
Scan all the ports: root@kali:~# nmap -p- 127.0.0.1
Show results for open ports only: root@kali:~# nmap --open 127.0.0.1

Port Scanning Techniques

With Nmap you can set the type of scan you would like to do when you set off on a scan hunt. Depending on the type of scanning you do most often, you will use one of the following on an almost-every-scan basis. But even if that is the case, it never hurts to know what other scanning techniques are out there.

TCP SYN scan (default): root@kali:~# nmap -sS 127.0.0.1
TCP connect scan: root@kali:~# nmap -sT 127.0.0.1
UDP scan: root@kali:~# nmap -sU 127.0.0.1
SCTP INIT scan: root@kali:~# nmap -sY 127.0.0.1
TCP ACK scan: root@kali:~# nmap -sA 127.0.0.1
TCP Window scan: root@kali:~# nmap -sW 127.0.0.1

Outputting Formats

Let’s finish this off with how you can store what nmap gives you from these scans. Yes, you could always pipe the standard output to a file, but before you do that, check out what nmap can do right out of the box.

Default output to file: root@kali:~# nmap -oN file.txt 127.0.0.1
Output to XML: root@kali:~# nmap -oX file.xml 127.0.0.1
Output to grep-friendly file: root@kali:~# nmap -oG file.txt 127.0.0.1
Output in all formats: root@kali:~# nmap -oA file 127.0.0.1
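The grepable (-oG) format exists so that scan results can be processed by scripts rather than read by eye, which is the point of saving output at all: comparing what a scan found against what should be listening. The script below is an added example, not part of the post or of the Nmap project. It parses -oG output into a per-host structure (each port entry is seven slash-separated fields: port/state/protocol/owner/service/rpc/version), lists the open ports per host, and reports any host exposing a port outside an allowed set, the kind of check a defender runs after scanning their own range. The embedded scan text is constructed sample data, and the allowed-port policy is an assumption for the demonstration.

```python
# Constructed sample of `nmap -sV -oG` output (not a real scan). Fields are tab-separated.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.56.0/24",
    "Host: 192.168.56.101 (web.lab.local)\tStatus: Up",
    "Host: 192.168.56.101 (web.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10/, "
    "80/open/tcp//http//nginx 1.14.2/, 443/closed/tcp//https///\tIgnored State: filtered (997)",
    "Host: 192.168.56.102 ()\tStatus: Up",
    "Host: 192.168.56.102 ()\tPorts: 445/open/tcp//microsoft-ds///, "
    "3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (998)",
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned in 72.45 seconds",
])

# Layout of one entry in the "Ports:" field of grepable output.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_port_entry(entry):
    """'22/open/tcp//ssh//OpenSSH 7.9p1/' -> dict with the seven named fields."""
    fields = entry.strip().split("/")[:7]
    fields += [""] * (7 - len(fields))          # pad entries that omit trailing fields
    rec = dict(zip(PORT_FIELDS, fields))
    rec["port"] = int(rec["port"])
    return rec


def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports": [port dicts], "ignored"?}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):        # skip the '# Nmap ...' banner and footer
            continue
        fields = {}
        for chunk in line.split("\t"):          # each chunk is 'Key: value'
            key, _, value = chunk.partition(": ")
            fields[key] = value
        ip, _, rest = fields["Host"].partition(" ")
        host = hosts.setdefault(ip, {"hostname": rest.strip("()"), "status": "", "ports": []})
        if "Status" in fields:
            host["status"] = fields["Status"]
        if "Ports" in fields:
            host["ports"].extend(parse_port_entry(e) for e in fields["Ports"].split(", "))
        if "Ignored State" in fields:
            host["ignored"] = fields["Ignored State"]
    return hosts


def open_ports(hosts):
    """{ip: sorted list of ports whose state is 'open'}."""
    return {ip: sorted(p["port"] for p in h["ports"] if p["state"] == "open")
            for ip, h in hosts.items()}


def unexpected_services(hosts, allowed_ports):
    """Policy check: hosts with open ports that are not in the allowed set."""
    findings = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed_ports]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in open_ports(hosts).items():
        print(ip, hosts[ip]["hostname"] or "-", ports)
    # Assumed policy for the lab range: only SSH and web ports are supposed to be exposed.
    print("outside policy:", unexpected_services(hosts, {22, 80, 443}))
```

To run it against a real file, replace SAMPLE_GNMAP with the contents of the file written by -oG (or the .gnmap file that -oA produces). The XML output (-oX) carries the same data in a form that is easier to parse robustly, since the grepable format has to escape slashes inside version strings; the grepable form is still handy for quick one-off checks like this.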

Conclusion

Nmap has far more to it than just what is listed here. Full books have been written on the subject, including this one from the creator himself, Nmap Network Scanning; these will get you started in taking your nmap skills beyond simply running the command examples found on Stack Overflow.

Virtual Machines Explained

TLDR;

Wikipedia defines Virtual Machines as: In computing, a virtual machine (VM) is an emulation of a computer system. Virtual machines are based on computer architectures and provide functionality of a physical computer. Their implementations may involve specialized hardware, software, or a combination. This post will be a Hello World for getting up and running with them.

  • Virtual Machines Explained
  • Images Explained
  • VMs and Linux
  • VMs and Mac
  • VMs and Windows

Virtual Machines Explained

A Virtual Machine, also referred to as a VM, is simply a system known as the Guest running inside another system known as the Host, with software holding the boundaries between the two. The system running inside the Virtual Machine is based on something called an Image, and I’ll cover what that is in the next section. Virtual Machines are useful for a number of reasons, from protecting your system from potentially harmful software to keeping a backup of a system ready for deployment at any time. But for the purposes of this post and most of the site, I’ll be using VMs for loading images to test hacking skills against.

What is an Image

The image is everything when it comes to VMs. It holds the OS, applications, preexisting files, and anything else a normal system could have. Think of an image as a snapshot of a system. This could be used for handing out identical systems to multiple people and is a great way to learn, since differences in configurations aren’t a factor. While you can make your own images, that is out of the scope of this post. But luckily you can pick up tons of images from VulnHub. For this post I’m going to get the Mr. Robot image for no other reason than that I’m a fan of the show. So go ahead and pick one that you like, or you can just follow the link I put for the Mr. Robot image. Then simply download the ova (this is the file type VMs use) and check that the hash matches.

Virtual Machines for Linux

For Linux we are going to go with VirtualBox as our VM software of choice. You can find the download link here. This is the hardest of the VirtualBox installs, as the number of Linux distros is pretty high. The following are the basics; if you don’t see your flavor of Linux here and/or the steps aren’t working for you, please check out the VirtualBox download page for more details.

Oracle Linux

Users of Oracle Linux 6 and 7 can use the Oracle Linux yum repository:

yum install VirtualBox-6.1

Debian-based Linux distributions

Add the following line to your /etc/apt/sources.list. According to your distribution, replace ‘<mydist>’ with ‘eoan’, ‘bionic’, ‘xenial’, ‘buster’, ‘stretch’, or ‘jessie’ (older versions of VirtualBox supported different distributions):

deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian <mydist> contrib

Then to download:

sudo apt-get update
sudo apt-get install virtualbox-6.1

Once you’ve installed VirtualBox, just run it; it’s as simple as clicking Import and selecting the image file you’ve downloaded.

Virtual Machine for Windows

Once again going with VirtualBox for this instance, the process is more straightforward than the Linux installation. Just download the exe file from here, go through your normal next, next, finish clicking, and once you’ve finished the installation you’re ready for importing the ova to get started.

Virtual Machine for Mac

If you’ve made it this far in the post, what I’m going to say next is obvious. Download VirtualBox for Mac on the download page.