Review #4_Wireless Attack with airodump

*Book Review,  Kali Linux Cookbook: Willie L. Pritchett, David De Smet (published 2013)

Chapter 9 : Wireless Attacks

To test wireless pentesting, I had to set up a wireless environment on Kali Linux. I had to download [compat-wireless-2010-06-26-p] and extract it to set it up. I also had to turn off my desktop Wi-Fi connection and let my USB Wi-Fi adapter (TP-Link) attach to the virtual machine, then connect from there. After I set up the wireless network, I followed the instructions to do WPA/WPA2 cracking. I stopped the airmon-ng service, changed the MAC address of Kali to 00:11:22:33:44:55 to change its identity on the network, and restarted airmon-ng. After that, you can check the MAC address by running “ifconfig”.

[screenshots 04-01, 04-02]

Next I used the airodump command “airodump-ng mon0” to find the available wireless networks nearby. You might want to wait one or two minutes for it to find the available wireless access points. Then I selected the target and wrote down the target’s MAC address and channel number.

[screenshot 04_edit]

Once you are done, you can stop airodump by pressing Ctrl+C. The next step is to run airodump against the target to monitor for a handshake: “airodump-ng -c 6 -w wpcrack14 [or any name you want] --bssid 8C:04:FF:AF:FB:51 mon0”.

[screenshots 04-05, 04-06]

While it is collecting network information into the local capture named [wpcrack14], the book suggests sending de-authentication packets to the target AP so that we can capture the WPA handshake. So I sent the command that disconnects all users on the target AP, and the handshake is captured automatically when they reconnect.
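The de-authentication step above is also what a wireless IDS looks for: a burst of deauth frames spoofed from an AP's own address is the signature of a forced-reconnect handshake capture. The following detector is an added example, not code from the book or this post. It decodes the 802.11 MAC header by hand, counts deauthentication frames per BSSID inside a sliding time window, and flags the burst. All frames and MAC addresses in the sample capture are constructed for the example.

```python
"""Flag de-authentication bursts in 802.11 management traffic.

Added example (not from the book or this blog post): a defender-side
detector that parses the 802.11 MAC header, counts deauthentication frames
per BSSID inside a sliding time window, and flags the burst that a
forced-reconnect handshake capture produces. The sample frames below are
constructed inline and the MAC addresses are made up.
"""
from collections import defaultdict, deque

TYPE_MGMT = 0          # frame-control type field: management frame
SUBTYPE_DEAUTH = 12    # management subtype: deauthentication
MAC_HDR_LEN = 24       # FC(2) + duration(2) + addr1/addr2/addr3(18) + seq ctrl(2)


def _mac_str(raw, off):
    return ":".join(f"{b:02x}" for b in raw[off:off + 6])


def is_deauth(frame):
    return frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_DEAUTH


def parse_frame(raw):
    """Decode type, subtype, the three addresses and (for deauth) the reason code."""
    if len(raw) < MAC_HDR_LEN:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0 = raw[0]   # bits: protocol version (2), type (2), subtype (4)
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": _mac_str(raw, 4),
        "src": _mac_str(raw, 10),
        "bssid": _mac_str(raw, 16),
    }
    if is_deauth(frame) and len(raw) >= MAC_HDR_LEN + 2:
        frame["reason"] = int.from_bytes(raw[24:26], "little")  # reason code follows the header
    return frame


def detect_deauth_bursts(capture, window_s=2.0, threshold=5):
    """Return {bssid: timestamp} for every BSSID that saw more than `threshold`
    deauth frames inside any `window_s`-second window. `capture` yields
    (timestamp_seconds, raw_frame_bytes) pairs."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, raw in capture:
        frame = parse_frame(raw)
        if not is_deauth(frame):
            continue
        q = recent[frame["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and frame["bssid"] not in flagged:
            flagged[frame["bssid"]] = ts  # remember when the burst crossed the threshold
    return flagged


# --- constructed sample capture -------------------------------------------
def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def build_frame(ftype, subtype, dst, src, bssid, reason=None):
    """Build a minimal 802.11 header (plus reason code for deauth) for the sample."""
    fc0 = (subtype << 4) | (ftype << 2)
    raw = (bytes([fc0, 0x00]) + b"\x00\x00" + _mac_bytes(dst)
           + _mac_bytes(src) + _mac_bytes(bssid) + b"\x00\x00")
    if reason is not None:
        raw += reason.to_bytes(2, "little")
    return raw


AP = "02:00:00:00:00:01"        # made-up BSSID of the monitored access point
OTHER_AP = "02:00:00:00:00:02"  # made-up BSSID of an unrelated access point
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_CAPTURE = [(0.0, build_frame(TYPE_MGMT, 8, BCAST, AP, AP))]  # a beacon from the AP
# eight broadcast deauths spoofed as the AP, 100 ms apart
# (reason 7 = class 3 frame received from non-associated station)
SAMPLE_CAPTURE += [(round(0.1 * i, 1), build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, BCAST, AP, AP, reason=7))
                   for i in range(1, 9)]
# one isolated deauth from another AP much later: normal behaviour, must not be flagged
SAMPLE_CAPTURE.append((30.0, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, "02:00:00:00:00:aa",
                                         OTHER_AP, OTHER_AP, reason=3)))


def run_sample():
    return detect_deauth_bursts(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for bssid, ts in run_sample().items():
        print(f"deauth burst against {bssid}, threshold crossed at t={ts:.1f}s")
```

The window and threshold are deliberately loose: a real access point sends the occasional deauth when a client misbehaves, so a single frame is never an alert, but six within two seconds addressed to the broadcast address is. On a live sensor the `capture` iterable would come from a monitor-mode interface; the format parsed here is the same.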

[screenshot 04-07]

Once you have captured a WPA handshake and it is stored in your capture file, you can use aircrack-ng to try dictionary passwords against the target AP’s password.

[screenshot 04-08]

The last step is very simple because we are using aircrack-ng to try every password from the wordlist. Sometimes it says ‘passphrase not in dictionary’, which means you need a bigger wordlist.

[screenshot 04-09]


Review #3_Password Attack with THC-Hydra

*Book Review,  Kali Linux Cookbook: Willie L. Pritchett, David De Smet (published 2013)

Chapter 7 : Escalating Privileges

Once you gain access to the target machine, you would prefer to have privileges like admin so you can get full control over the target. The book shows different ways to escalate privileges, such as using impersonation tokens or creating a persistent backdoor. I practiced a local privilege escalation attack on a compromised machine to gain access to a system or domain user account. By typing session -i 1 to connect to session #1, you can type the getsystem command, which you get once you run the bypass command.

[screenshot 03-01]

Chapter 8 : Password Attacks

I really like this chapter a lot because it has actual practice and tool descriptions in it. Every time I had learned about password attacks before, it was general concepts like brute-force techniques and rainbow-table attacks without actual practice.

With the THC-Hydra password cracker, I tried to get the router password for my own house, but for some reason the password wasn’t showing, or it was just the default password. This is a brute-force technique, which tries every password and ID from the name list and john (password list).
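What the brute-force run above looks like from the other side is a tight run of failed logins from one source address. The detector below is an added example, not code from the book or this post: it parses sshd "Failed password" lines, counts failures per source inside a sliding window, and lists the distinct usernames tried, which separates a single-account brute force from password spraying. The log lines are constructed for the example.

```python
"""Spot online password brute-forcing in authentication logs.

Added example (not from the book or this blog post): parse sshd
"Failed password" lines, count failures per source address inside a
sliding window, and report the usernames tried. The sample log below is
constructed; syslog lines carry no year, so one is supplied when parsing.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# constructed sample: one client hammering 'admin' (and probing 'root'),
# one legitimate user who mistypes twice, fifteen minutes apart
SAMPLE_LOG = """\
Apr 01 10:00:01 gw sshd[2201]: Failed password for admin from 10.0.0.5 port 40001 ssh2
Apr 01 10:00:03 gw sshd[2202]: Failed password for admin from 10.0.0.5 port 40002 ssh2
Apr 01 10:00:04 gw sshd[2203]: Failed password for invalid user root from 10.0.0.5 port 40003 ssh2
Apr 01 10:00:06 gw sshd[2204]: Failed password for admin from 10.0.0.5 port 40004 ssh2
Apr 01 10:00:07 gw sshd[2205]: Failed password for admin from 10.0.0.5 port 40005 ssh2
Apr 01 10:00:09 gw sshd[2206]: Failed password for admin from 10.0.0.5 port 40006 ssh2
Apr 01 10:00:10 gw sshd[2207]: Accepted password for alice from 10.0.0.9 port 50010 ssh2
Apr 01 10:05:00 gw sshd[2208]: Failed password for alice from 10.0.0.9 port 50011 ssh2
Apr 01 10:20:00 gw sshd[2209]: Failed password for alice from 10.0.0.9 port 50012 ssh2
"""


def parse_failures(text, year=2013):
    """Yield (timestamp, ip, user) for every failed-login line in `text`."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bruteforce(failures, window_s=60, threshold=5):
    """Return {ip: {"failures": n, "users": [...]}} for every source address that
    produced at least `threshold` failures within some `window_s`-second window;
    the reported window is the densest one seen for that address."""
    by_ip = defaultdict(list)
    for ts, ip, user in failures:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # advance the window start until the window fits in window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                best = {"failures": count,
                        "users": sorted({u for _, u in events[start:end + 1]})}
        if best:
            alerts[ip] = best
    return alerts


def run_sample():
    return detect_bruteforce(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(f"{ip}: {info['failures']} failures in 60s, users tried: {info['users']}")
```

The same regex shape works for other services once the "Failed password for X from Y" pattern is adjusted; what matters is keying the count on the source address, not the account, because a brute-force run against one account and a spray across many accounts both show up as one noisy source.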

[screenshots 03-03, 03-02]


Review #2_OpenVAS and Metasploit

*Book Review,  Kali Linux Cookbook: Willie L. Pritchett, David De Smet (published 2013)

Chapter 5 : Vulnerability Assessment

I’ve heard Nessus is the most popular among vulnerability scanning tools. I had never used it before at work, but it is always fun to try new tools. I set up Nessus to find vulnerabilities on my own Kali Linux #2 (Debian 7, 64-bit) and localhost, which is 127.0.0.1. A useful feature of the Nessus vulnerability scan is that it reports CVE numbers and CVSS scores. As we already know, many companies follow a security testing methodology based on CVE (Common Vulnerabilities and Exposures), so this information makes it easy to check security and identify the vulnerability. You can find more details on the official CVE site, https://cve.mitre.org. If you are using the free version of Nessus, some features are locked because you have to buy Nessus. Because of this, most of my coworkers prefer using OpenVAS.
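Nessus and OpenVAS attach a CVE id and a CVSS vector to each finding; turning the vector into a score is what lets you fix the worst first. The following is an added example, not code from the book, from this post, or from either scanner: it computes the CVSS v2.0 base score from a vector string using the published equation and metric weights, validates the CVE id format, and ranks a set of findings. The findings are constructed, and their CVE ids (year 0000) are placeholders, not real entries.

```python
"""Rank scanner findings by CVSS v2 base score.

Added example (not from the book, this post, Nessus or OpenVAS): computes
the CVSS v2.0 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'
with the official equation and weights, checks the CVE id format, and sorts
findings by severity. The findings below are constructed; their CVE ids
are placeholders, not real identifiers.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector: local / adjacent / network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity: high / medium / low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication: multiple / single / none
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # confidentiality / integrity / availability impact
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
BASE_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (optionally in parentheses) into a metric dict."""
    metrics = dict(part.split(":", 1) for part in vector.strip("()").split("/"))
    missing = BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def _round1(x):
    """CVSS rounds to one decimal, half up; Python's round() would use banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:            # f(Impact) = 0 when nothing is impacted
        return 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def severity(score):
    """NVD's CVSS v2 severity bands."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"


def rank_findings(findings):
    """Return [(score, severity, cve), ...] sorted from most to least severe."""
    ranked = []
    for f in findings:
        if not CVE_RE.match(f["cve"]):
            raise ValueError(f"malformed CVE id: {f['cve']}")
        score = cvss2_base_score(f["vector"])
        ranked.append((score, severity(score), f["cve"]))
    return sorted(ranked, reverse=True)


# constructed findings with placeholder CVE ids
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},    # remote, partial impact
    {"cve": "CVE-0000-0002", "vector": "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"},  # remote, full compromise
    {"cve": "CVE-0000-0003", "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"},    # needs local access
    {"cve": "CVE-0000-0004", "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},    # remote info leak only
]


def run_sample():
    return rank_findings(SAMPLE_FINDINGS)


if __name__ == "__main__":
    for score, sev, cve in run_sample():
        print(f"{score:4.1f}  {sev:<6} {cve}")
```

The base score is only the starting point: the temporal and environmental metrics the scanners omit are where a defender records that an exploit is public or that the host is isolated. The rounding helper matters more than it looks, since several common vectors land exactly on a .x5 boundary and `round()` would disagree with the scanner's figure.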

[screenshots 02-02, 02-03]

Chapter 6 : Exploiting Vulnerabilities

This chapter was familiar to me because I had experience with msfconsole on Metasploit. When I worked as a security test methodology researcher, I used a lot of ethical hacking methodology to find out the security level of IPSs and firewalls. I set up vulnerable environments on the targets, VMware machines built around a CVE, exploited the target machines with that vulnerability, and watched whether it was blocked or detected by the IPS or firewall. I used two exploits in msfconsole. The PDF one was easy because it puts embedded exploit code into the file.

[screenshot 02-04]

But the second one, ‘browser_autopwn’, was hard because I needed another victim VMware machine to test with and get a connection. This attack uses a reverse TCP connection to get control. I set LHOST (local host IP) and SRVHOST to 192.168.247.132, which is the IP address of this Kali Linux, and I simply set URIPATH to ‘/’.

[screenshot 02-05]

Once you run the exploit, the victim PC needs to visit the URL ‘http://192.168.247.132:8080’ to connect back to the attacker over reverse_tcp. I tried to use Debian Linux Kali as the victim VM, but the session was not opened. So I installed Windows XP in VMware as another victim VM.

[screenshot 02-06]


Review #1_Information Gathering with DNSenum

*Book Review,  Kali Linux Cookbook: Willie L. Pritchett, David De Smet (published 2013)

When I first saw Kali Linux, I didn’t know much about penetration testing tools. I had only used the Metasploit framework to exploit some CVEs on virtual machines. A few days later, I took a penetration testing course and found out that Kali Linux has many more functions besides msfconsole. So I decided to read this book to learn more about Kali’s pen-testing features and functions.

The first two chapters, “Up and Running” and “Customizing”, are simple steps for a person who has never used or installed Kali Linux. This part was helpful when I needed to set up certain network services like SSH, FTP and Apache2. To customize the environment, the book shows how to install kernel headers. I had never learned about the function of kernel headers, but they are used to define the interfaces between components of the kernel and user space.

Chapter 3 : Advanced Testing Lab

For hacking tools / penetration testing, the chapter shows the ‘Turnkey Linux WordPress Virtual Machine’ together with a tool named “WPScan”. It scans WordPress security and lets users find their vulnerabilities. To practice, we need a testbed: a target WordPress website and its IP or domain address.

Chapter 4 : Information Gathering

To penetrate a target, we need to know basic information about it. This step is also called footprinting and reconnaissance. The author emphasizes that documentation is also important. There are passive and active techniques: passive footprinting/scanning collects public, general information and does not require interaction with the target, for example a Google search, public information on the company’s web page, or a job opening description. Active scanning requires interaction with the target server/system, such as ICMP scanning.
In this chapter, I learned how to use enumeration tricks with DNSenum (a DNS enumeration tool) and SnmpEnum (an SNMP enumeration tool). For your information, DNS, the Domain Name System, is a decentralized naming system for devices, which helps them connect to the internet or a private network. By using DNS enumeration techniques, you can get the computer names, IP addresses and usernames of a target’s network. I tried scanning a website with DNSenum, as you can see in the image below. There is a DNS zone transfer at the bottom. For your information, DNS zone transfer is used to copy DNS data to other DNS servers or to back up DNS files in case of error. As you can see, I couldn’t get the DNS zone transfer information because the AXFR record query failed: refused.
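The "refused" result above is the answer a correctly configured name server gives to anyone it is not set up to replicate to; an administrator should expect to see the same from their own servers. The following is an added example, not code from the book or this post: it builds a DNS AXFR request by hand, parses the reply header, and reports whether the server refused the transfer or served the zone. The reply messages used offline are constructed; `check_server` is a plain TCP client (AXFR uses TCP with a two-byte length prefix) for verifying a name server you administer.

```python
"""Build an AXFR request and read the server's verdict from its reply.

Added example (not from the book or this blog post): hand-encodes a DNS
AXFR query, parses the reply header and classifies the result as refused
or served. The REFUSED and served replies below are constructed so the
check runs offline; check_server() talks to a real server over TCP and is
meant for zones you administer.
"""
import socket
import struct

QTYPE_AXFR, QCLASS_IN, QTYPE_SOA = 252, 1, 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid):
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: plain query, 1 question
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def parse_reply_header(msg):
    """Decode the 12-byte DNS header: id, QR/AA flags, rcode and the answer count."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0xF}"), "answers": an}


def transfer_verdict(query, reply):
    """'refused', 'served' or 'error' for `reply` as the answer to `query`."""
    hdr = parse_reply_header(reply)
    if not hdr["is_response"] or hdr["id"] != struct.unpack(">H", query[:2])[0]:
        return "error"      # not a reply to our question
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "served"     # zone records came back: transfers are open to this client
    if hdr["rcode"] in ("REFUSED", "NOTAUTH"):
        return "refused"
    return "error"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_server(zone, server, port=53, timeout=5.0):
    """Ask `server` for an AXFR of `zone` over TCP and classify only the first reply message."""
    query = build_axfr_query(zone, txid=0x1234)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack(">H", _recv_exact(s, 2))
        reply = _recv_exact(s, length)
    return transfer_verdict(query, reply)


# --- constructed replies for the offline demonstration ----------------------
SAMPLE_QUERY = build_axfr_query("example.com", txid=0x1234)
QUESTION = SAMPLE_QUERY[12:]
# QR=1, RCODE=5: the server answered and refused the transfer
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUESTION
# QR=1, AA=1, one answer: a served transfer starts with the zone's SOA record
_SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
              + struct.pack(">IIIII", 2013040101, 7200, 3600, 1209600, 3600))
_SOA_RR = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(_SOA_RDATA)) + _SOA_RDATA
SERVED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION + _SOA_RR


def run_sample():
    return (transfer_verdict(SAMPLE_QUERY, REFUSED_REPLY),
            transfer_verdict(SAMPLE_QUERY, SERVED_REPLY))


if __name__ == "__main__":
    print("constructed replies:", run_sample())
```

Against a server you run, `check_server("yourzone.example", "ns1.yourzone.example")` should return `"refused"` from any host that is not a listed secondary; `"served"` means the zone's full record set is readable by that client and the transfer ACL needs tightening.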

[screenshot 01]

To determine the network range, the book uses dmitry (Deepmagic Information Gathering Tool). The option -wnspb shows a WHOIS lookup, which helps you find the registered domain owner and other information. I think drawing the target’s network topology is important, and so is the target’s actual IP address. Because of CloudFlare’s security function, it was hard for me to find the actual IP address. I tried to get the information by pinging the MX server, using crimeflare, and checking DNS information.

To identify active machines and open ports and gather OS information about a target host, all you need to know is the nmap command (I remember this was also part of the CEH exam quiz): nmap -p [port number] and nmap -O for OS information.
