Hack to the Future

day four. kali linux and other pentesting tools

{ Kali Linux }

  • Kali Linux is a Debian-based distribution
  • Comes loaded with pentesting and digital forensics tools
    • Penetration testing means testing a computer's or system's security by trying to break into it
    • Very advanced and difficult to use for a GNU/Linux beginner
  • We'll be installing it in a virtual machine
    • Follow along and do everything I do EXACTLY as I do it

Reality check!


{ REAL-life programming }

  • Very difficult
  • Takes very long
  • Critical thinking/problem solving
  • Lots of hard work and frustration
  • Nothing like what you've done so far. :)
    • Especially not in Minecraft class or SYWMAA
  • Usually not fun until you reach a high level

{ but wait! what if all i want to do is make games??? }

{ demonstration time! }

{ pseudo-programmers }

  • Don't understand how anything actually works
  • Just know how to code and "make things happen"
  • Not a lot of money
  • Difficulty finding jobs because there are so many of them out there
    • ex. Someone we all know ...

{ real hackers vs. script kiddies }

  • Real hackers have to be good at programming
  • The difference between real hackers and script kiddies is that hackers can actually make their own tools
    • This is why you have to actually learn Python
  • Script kiddies just use the tools that others have made
    • When you hack your way into a system, those tools won't be available and you'll have to code your own

{ Team Function Review! }

Write a function overlapping() that takes in two lists as parameters. If the two lists have any elements in common, the function returns True. False if there are no common elements.

{ Team Function Review! }

Write a function that takes in a list of numbers that must be at least size 4 (the function should not continue if there aren't at least 4 elements). Return the mean (average) of the numbers in the list.
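One way to solve both exercises above, as an added example that is not the course's own solution; the function names, the choice to raise ValueError when the list is too short, and the sample inputs are assumptions:

```python
# Added example, not the course's own solution. Names and the ValueError
# choice for too-short lists are assumptions.


def overlapping(list_a, list_b):
    """Return True if the two lists share at least one element, else False."""
    try:
        # A set gives O(1) average membership tests, so the whole check is
        # linear instead of comparing every pair of elements.
        return not set(list_a).isdisjoint(list_b)
    except TypeError:
        # Elements that cannot be hashed (e.g. nested lists) fall back to a
        # plain pairwise scan, which still gives the right answer.
        return any(item in list_b for item in list_a)


def mean_of_list(numbers):
    """Return the mean of `numbers`, refusing to continue with fewer than 4."""
    if len(numbers) < 4:
        raise ValueError("need at least 4 numbers, got {}".format(len(numbers)))
    return sum(numbers) / len(numbers)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(overlapping([1, 2, 3], [3, 4, 5]))   # True
    print(overlapping(["a", "b"], ["c"]))      # False
    print(mean_of_list([2, 4, 6, 8]))          # 5.0
```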

{ pipelines }

  • Pipe operator | (vertical bar) pipes the standard output of one command into the standard input of another
  • command1 | command2
  • Commands used on the pipeline to change the input before outputting it are called filters
    • sort sorts its input lines; given several inputs it combines them into one sorted output
      • ls /bin /usr/bin | sort | less
    • uniq omits repeated adjacent lines (with -d it reports only the duplicates)
      • ls /bin /usr/bin | sort | uniq | less
      • ls /bin /usr/bin | sort | uniq -d | less
    • wc prints the number of lines, words, and bytes
    • grep searches a file and prints lines matching a pattern
      • grep "full name" thisIsAFile.py
      • ls /bin /usr/bin | grep zip

{ WiFi security }

  • Most WiFi networks are secured with one of several password/encryption schemes
  • Wired Equivalent Privacy (WEP)
    • Uses a single shared key among users
    • 40 bit encryption key
    • Very insecure (FBI cracked it in less than 3 minutes with publicly available tools)
      • Any kid with a laptop == gg ez no re
    • Make sure you don't use it

{ aircrack-ng }

  • aircrack-ng is a WiFi password key cracking program
    • Works best with WEP keys
    • Captures encrypted packets and uses them to crack the pre-shared key
  • Network packets
    • A unit of data transferred over a network (for example, the internet)

{ aircrack-ng }

  • Find out the name of your wireless adapter interface
    • ifconfig and look for the wireless interface
      • ex. wlan0 or wlp3s0
  • Enable monitor mode
    • sudo airmon-ng start interface
    • Creates a virtual monitor-mode interface named mon0 to capture packets (newer versions of airmon-ng name it wlan0mon instead, which is why both names appear on these slides)

{ aircrack-ng }

  • Start capturing packets
    • sudo airodump-ng mon0
    • Captures packets in the air to show list of wireless networks (find the name of the WiFi you want to hack)
    • This step is optional
  • Store the captured packets in a file
    • sudo airodump-ng wlan0mon --write filename
    • Captures packets which will be stored in filename.cap
    • Wait until you have enough data (10000 minimum)

{ aircrack-ng }

  • Crack the WiFi
    • sudo aircrack-ng filename.cap
    • The program will prompt you to select the name of the WiFi
      • Choose it and aircrack-ng will do its job
    • If the password isn't weak enough, the program will need to obtain more packets
  • You'll obtain the key, usually in this format:
    • xx:xx:xx:xx:xx
    • Remove the colons:
      • xxxxxxxxxx is the password of the network

{ troubleshooting issues }

  • If monitor mode isn't working, bring the interface down, set monitor mode, and bring it back up:
    • ifconfig wlan0mon down
    • iwconfig wlan0mon mode monitor
    • ifconfig wlan0mon up
  • Alternatively:
    • ifconfig to find the mon# interface
    • airmon-ng stop mon# and start over

{ WPA I & II }

  • WiFi Protected Access (WPA/WPA2)
    • Uses a more complex passphrase algorithm
    • 128 bit encryption key
    • Message integrity check so packets can't be altered
    • Dictionary attack could take days, or even years depending on the password
    • Incredibly difficult to configure or use

{ WPA I & II }

  • WiFi Protected Setup (WPS)
    • Supposed to make it tougher to crack
    • Easier for the users to configure
    • Push a button on router and device connects
    • Modern routers enable it by default
  • WPS has the user send an 8-digit PIN to connect
    • Normally that many digits would take years to brute force
    • However, the PIN is verified in two halves, which makes brute forcing it far easier

{ reaver }

  • Reaver is a tool that performs a brute force attack against WPS
    • Cracks the WPS pin within hours
    • Recovers the WPA/WPA2 passphrase from that WPS pin
    • Only takes 11,000 attempts to guess the pin
      • Instead of 364,000 - 100,000,000 attempts
  • Change your password around every 3 months
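Where the 11,000 figure comes from, worked through as an added note that is not part of the original slides (the fact that the PIN's eighth digit is a checksum of the first seven is added here):

  8 digits, all free:                          10^8 = 100,000,000 possible PINs
  8th digit is a checksum of the first 7:      10^7 =  10,000,000 possible PINs
  The router confirms the first 4 digits separately from the last 4
  (3 free digits + the checksum), so each half is guessed on its own:
      first half:   10^4 = 10,000 guesses at most
      second half:  10^3 =  1,000 guesses at most
      total:        10,000 + 1,000 = 11,000 guesses at most

The two halves add instead of multiply, which is why a long WPA2 passphrase gives no protection while WPS stays enabled on the router.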

{ reaver }

  • If you already have the information you need:
    • reaver -i <interface-name> -b <BSSID of target>
    • Take a (very long) nap and it'll be done in 6 - 16 hours on average
  • However, you most likely won't have the info so follow along!

{ reaver }

  • Find out if the network has WPS enabled
    • Start wireless interface in monitor mode
      • sudo airmon-ng start interface
    • sudo wash -i mon0
      • If it doesn't work: sudo airodump-ng mon0
        • Assume WPS is enabled for WPA/WPA2
    • Regardless of which command you use, there'll be a BSSID column (format: XX:XX:XX:XX:XX:XX)
      • Copy it

{ reaver }

  • Now use Reaver to crack it
    • sudo reaver -i mon0 -b XX:XX:XX:XX:XX:XX -w
    • -i indicates the interface used (we created mon0)
    • -b specifies the BSSID of the network
      • BSSID is the MAC address of the wireless access point (unique identifier on the network for the hardware)
    • -w increases the verbosity of the tool, so it tells you what's going on
    • Wait a few hours and then we'll continue

{ what have we learned? }

{ more bash! }

  • Basic networking
    • ping <IP Address/domain name> sends a special packet to a network host to check whether your computer can reach it
      • Interrupt it (Ctrl-C) to see the summary, including any packet loss
    • traceroute traces the path a network packet takes as it tries to reach the host
      • Packets usually "hop" through several routers to reach their destination
    • netstat examines network settings and statistics
      • -ie for local interfaces, -r for the routing table

{ TFR }

Write a function that takes in an integer as a parameter, and returns True if a number is prime and False if it is not.
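A solution to this exercise as an added example (not the course's own code), with the edge cases 0, 1 and negative numbers handled, plus a sieve used only to cross-check it over a range; the names are assumptions:

```python
# Added example, not the course's own solution. Function names are assumptions.
import math


def is_prime(n):
    """Return True if the integer n is prime, False otherwise.

    Primes are defined only for integers greater than 1, so 0, 1 and
    negative numbers are never prime.
    """
    if not isinstance(n, int) or isinstance(n, bool):
        raise TypeError("is_prime expects an integer")
    if n < 2:
        return False
    if n < 4:
        return True  # 2 and 3
    if n % 2 == 0 or n % 3 == 0:
        return False
    # Every prime above 3 has the form 6k +/- 1, so only those candidates are
    # tried, and only up to sqrt(n): a larger factor would pair with a smaller one.
    limit = math.isqrt(n)
    candidate = 5
    while candidate <= limit:
        if n % candidate == 0 or n % (candidate + 2) == 0:
            return False
        candidate += 6
    return True


def primes_below(limit):
    """Sieve of Eratosthenes: every prime < limit, used to cross-check is_prime."""
    if limit < 3:
        return []
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for p in range(2, math.isqrt(limit) + 1):
        if sieve[p]:
            # Mark every multiple of p starting at p*p as composite.
            sieve[p * p::p] = bytearray(len(range(p * p, limit, p)))
    return [i for i, flag in enumerate(sieve) if flag]


if __name__ == "__main__":
    # Constructed sample inputs.
    print([n for n in range(-2, 20) if is_prime(n)])          # [2, 3, 5, 7, 11, 13, 17, 19]
    print([n for n in range(500) if is_prime(n)] == primes_below(500))  # True
```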

{ survey time! }


Made with Slides.com