sudo apt update
sudo apt -y full-upgrade --allow-downgrades
sudo apt -y autoclean
sudo apt -y autoremoveWhen asking for update the configure files, select "Y" when necessary.
That's all! See you.
Monday, April 16, 2018
HOWTO : Update Parrot Security OS 3.11
Parrot Security OS 3.11 cannot be updated properly with the default updater after freshly installed. We can update it manually.
When asking for update the configure files, select "Y" when necessary.
That's all! See you.
When asking for update the configure files, select "Y" when necessary.
That's all! See you.
HOWTO : Fallback to OpenJDK 8 on Parrot Security OS 3.11
Since OpenJDK 9 is installed for the recent update on Parrot Security OS 3.11, some Java applications that are using OpenJDK 8 may not work properly. We can fallback to OpenJDK 8 easily.
Then select OpenJDK 8 or OpenJRE 8 when necessary. You can change back to OpenJDK 9 at any time with the same command.
That's all! See you.
sudo update-alternatives --config javaThen select OpenJDK 8 or OpenJRE 8 when necessary. You can change back to OpenJDK 9 at any time with the same command.
That's all! See you.
Sunday, April 15, 2018
HOWTO : Fix Vokoscreen 2.5.0 on Parrot Security OS 3.11
Vokoscreen 2.5.0 on Parrot Security OS 3.11 does not work properly as ffmpeg crashed. You can fix this problem by replacing the ffmpeg with Vokoscreen's copy.
That's all! See you.
wget http://linuxecke.volkoh.de/vokoscreen/ffmpeg-64bit.tar.gz
tar -xvzf ffmpeg-64bit.tar.gz
sudo mv /usr/local/bin/ffmpeg /usr/local/bin/ffmpeg-original
sudo cp ffmpeg /usr/local/bin/That's all! See you.
Tuesday, March 20, 2018
Longjing - Deep Learning Driven Web Application Firewall
Longjing is Chinese green tea and full of antioxiants. It is good for health and to fight against cancer. Longjing Web Application Firewall (WAF) is deep learning driven and developed with Python 3 and Scikit-Learn library. To define it as deep learning is that it uses neural network MLP Classifier to build the model. Even it is a simple neural network MLP classifier, the accuracy rate is very high. It supports Linux system only.
Longjing WAF is mainly design to protect the web applications from being attacked by SQL Injection (SQLi) which is at the top of OWASP Top 10 in 2017. If successfully attacked, data leakage and/or system compromised will be caused. It is a critical vulnerability for web applications.
Longjing WAF is well tested on Damn Vulnerable Web Application (DVWA) with Burp Suite, SQLMap, OWASP ZAP, XSSER and Commix. Not only detects SQLi but also XSS (Cross-site Scripting). The accuracy rate is over 99% under the samples testing. It can be further tune for the false positive easily as the running code is an open source project that released under GPLv3 by Samiux. However, the training data and modelling are not open sourced.
It is not very complicate to install and deploy it. The latest version as at this writing is version 0.9.1. It works with Anaconda 3 and MitmProxy 3.0.3. Anaconda will install all required SciKit-Learn Python Libraries for you and it is also very easy to maintain. MitmProxy will act as a proxy to deal with the HTTP/HTTPS requests and responses.
Longjing is the next generation Web Application Firewall! Fetch it and try!
That's all! See you.
Reference
Longjing - Web Application Firewall
Longjing WAF is mainly design to protect the web applications from being attacked by SQL Injection (SQLi) which is at the top of OWASP Top 10 in 2017. If successfully attacked, data leakage and/or system compromised will be caused. It is a critical vulnerability for web applications.
Longjing WAF is well tested on Damn Vulnerable Web Application (DVWA) with Burp Suite, SQLMap, OWASP ZAP, XSSER and Commix. Not only detects SQLi but also XSS (Cross-site Scripting). The accuracy rate is over 99% under the samples testing. It can be further tune for the false positive easily as the running code is an open source project that released under GPLv3 by Samiux. However, the training data and modelling are not open sourced.
It is not very complicate to install and deploy it. The latest version as at this writing is version 0.9.1. It works with Anaconda 3 and MitmProxy 3.0.3. Anaconda will install all required SciKit-Learn Python Libraries for you and it is also very easy to maintain. MitmProxy will act as a proxy to deal with the HTTP/HTTPS requests and responses.
Longjing is the next generation Web Application Firewall! Fetch it and try!
That's all! See you.
Reference
Longjing - Web Application Firewall
Saturday, March 03, 2018
[Full Disclosure] Vulnerable Web Sites In Hong Kong (March 2018)
Since I am not a White Hat, I will disclose all my findings fully to the public. Do not blame me for that! I am a Grey Hat.
Recently, I found out that the personal web site of the anti-government politician in Hong Kong, Claudia Mo, has been hacked since 2016. Some China relevance videos and statement had been posted to the site since 2017. Meanwhile, the volunteers' personal particulars had been leaked in the Pastebin since 2016. The most important thing to know is that the site was protected by Cloudflare, a kind of cloud based DDoS protection and web application firewall (WAF).
I conducted a very simple and quick check on the site some days before yesterday and confirmed that her site was vulnerable to blind sql injection. However, her site has been deleted since yesterday (March 2, 2018, Hong Kong Time).
After a simple search, it was confirmed that the site was developed by OneTeam.hk. Some other sites that are developed by them has been obtained by Google search and from their official site. Another quick and simple tests on those sites has been conducted.
The result shows that about 18 web sites are vulnerable to sql injection vulnerability. It seems that those sites are developed by a vulnerable library.
The url of those sites are listed at the below for reference. It may not be a completed list. I do not responsible to any lost or/and damages caused once those sites have been disclosed. You have been warned that you will be put into the jail when you attack or doing evil on those sites.
Finally, some web developers in Hong Kong cannot build a secure web site properly. They believed that Cloudflare can protect the sites in a very secure manner. Cloudflare WAF can be bypassed very easily. Before investing money to your web sites, please consider the ability of the web developers and the security of the web applications.
Vulnerable sites :
http://www.geosecurities.com.hk/
http://www.charleskwok.hk/
http://shopkeeper.oneteam.hk/silverhealth/index.php
http://www.wiseland.com.hk/
http://www.islandsouth.hk/
http://www.hkdogschool.com/
http://www.newrecordltd.com/
http://www.winner28.cc/
http://www.ur-choize.com/
http://sealairsoft.com/
http://www.instantbuy.hk/
http://www.iiistyle.com/
http://www.toptrendint.com/
http://www.studioone.hk/
http://www.walterly.com.hk/
http://www.kangxi.hk/
http://www.crazymorestore.com/
http://www.trusty.hk/
Non vulnerable sites :
http://oneteam.hk/
http://www.musicianxdesigner.com/
http://shopkeeper.oneteam.hk/bq/
http://www.jpmyhouse.hk/
https://www.swordtacticalsupply.com/
http://taodeliver.mofa.ht/
http://www.mingkoi.com/
http://www.wai-hei.com/
http://innercare.com.hk/
http://www.95gd.hk/
http://siman.com.hk/
That's all! See you.
Recently, I found out that the personal web site of the anti-government politician in Hong Kong, Claudia Mo, has been hacked since 2016. Some China relevance videos and statement had been posted to the site since 2017. Meanwhile, the volunteers' personal particulars had been leaked in the Pastebin since 2016. The most important thing to know is that the site was protected by Cloudflare, a kind of cloud based DDoS protection and web application firewall (WAF).
I conducted a very simple and quick check on the site some days before yesterday and confirmed that her site was vulnerable to blind sql injection. However, her site has been deleted since yesterday (March 2, 2018, Hong Kong Time).
After a simple search, it was confirmed that the site was developed by OneTeam.hk. Some other sites that are developed by them has been obtained by Google search and from their official site. Another quick and simple tests on those sites has been conducted.
The result shows that about 18 web sites are vulnerable to sql injection vulnerability. It seems that those sites are developed by a vulnerable library.
The url of those sites are listed at the below for reference. It may not be a completed list. I do not responsible to any lost or/and damages caused once those sites have been disclosed. You have been warned that you will be put into the jail when you attack or doing evil on those sites.
Finally, some web developers in Hong Kong cannot build a secure web site properly. They believed that Cloudflare can protect the sites in a very secure manner. Cloudflare WAF can be bypassed very easily. Before investing money to your web sites, please consider the ability of the web developers and the security of the web applications.
Vulnerable sites :
http://www.geosecurities.com.hk/
http://www.charleskwok.hk/
http://shopkeeper.oneteam.hk/silverhealth/index.php
http://www.wiseland.com.hk/
http://www.islandsouth.hk/
http://www.hkdogschool.com/
http://www.newrecordltd.com/
http://www.winner28.cc/
http://www.ur-choize.com/
http://sealairsoft.com/
http://www.instantbuy.hk/
http://www.iiistyle.com/
http://www.toptrendint.com/
http://www.studioone.hk/
http://www.walterly.com.hk/
http://www.kangxi.hk/
http://www.crazymorestore.com/
http://www.trusty.hk/
Non vulnerable sites :
http://oneteam.hk/
http://www.musicianxdesigner.com/
http://shopkeeper.oneteam.hk/bq/
http://www.jpmyhouse.hk/
https://www.swordtacticalsupply.com/
http://taodeliver.mofa.ht/
http://www.mingkoi.com/
http://www.wai-hei.com/
http://innercare.com.hk/
http://www.95gd.hk/
http://siman.com.hk/
That's all! See you.
Monday, February 26, 2018
Longjing - Machine Learning Driven Web Application Firewall
Longjing is Chinese green tea with a lot of antioxiants. It is good for health. Longjing Web Application Firewall (WAF) is machine learning driven and it is designed to protect the web application from being attacked by SQL injection.
Longjing WAF is written in Python and It is not designed for the high performance in mind. Only Linux is supported.
Longjing WAF can protect your web application from being scanned by Burp Suite, SQLMap, OWASP ZAP, XSSER and Commix even your web application has SQL injection vulnerability. Meanwhile, reflected Cross Site Scripting (XSS) can be detected too.
SQL injection is on the top position of the OWASP Top 10 2017 which can lead to data leakage and/or system compromised. It is a critical vulnerability.
Longjing WAF is a PARTIALLY Open Source Project under GPLv3 License by Samiux. Training and Modelling are NOT open sourced. Demo may be provided when necessary.
The training requires about 3 hours on Intel i7-5500U with 16GB RAM. The accuracy rate is over 99%. The Longjing requires about 3GB RAM to run.
Requirement
- Ubuntu Linux Server 16.04.4 LTS
- Anaconda3
- mitmproxy
- web server
- web application
- SSD is recommended
- at least 8GB RAM
Installation
(A) Install Anaconda
install anaconda3 to
(B) Update Anaconda
(B) Install mitmproxy
The current version of mitmproxy at this writing is 3.0.3.
Exit to normal user by entering
(C) Update mitmproxy
(D) Install Longjing
where :
- NET_INF is the network interface of the mitmproxy to be listening
- PORT is port number of the mitmproxy to be listening, e.g. 8080
- CERT is the location path of the private key TLS/SSL certificate of the domain when available. It should be starting with
Please read mitmproxy "about certificate" documents for details - Using a custom certificate.
Finally, make sure to copy
(D) Running
(E) Testing with Tools
Longjing is well tested on Damn Vulnerable Web Application (DVWA) with the following tools :
- Burp Suite on DVWA (sqli and xss blocked except DOM)
- sqlmap on DVWA (tamper also blocked)
- OWASP ZAP on DVWA (sqli and xss blocked)
- xsser on DVWA (xss blocked)
- Commix on DVWA (blocked and Commix will hang in the middle)
That's all! See you.
Longjing WAF is written in Python and It is not designed for the high performance in mind. Only Linux is supported.
Longjing WAF can protect your web application from being scanned by Burp Suite, SQLMap, OWASP ZAP, XSSER and Commix even your web application has SQL injection vulnerability. Meanwhile, reflected Cross Site Scripting (XSS) can be detected too.
SQL injection is on the top position of the OWASP Top 10 2017 which can lead to data leakage and/or system compromised. It is a critical vulnerability.
Longjing WAF is a PARTIALLY Open Source Project under GPLv3 License by Samiux. Training and Modelling are NOT open sourced. Demo may be provided when necessary.
The training requires about 3 hours on Intel i7-5500U with 16GB RAM. The accuracy rate is over 99%. The Longjing requires about 3GB RAM to run.
Requirement
- Ubuntu Linux Server 16.04.4 LTS
- Anaconda3
- mitmproxy
- web server
- web application
- SSD is recommended
- at least 8GB RAM
Installation
(A) Install Anaconda
sudo apt install build-essential libssl-dev libffi-dev python3-devwget https://repo.continuum.io/archive/Anaconda3-5.1.0-Linux-x86_64.shchmod +x Anaconda3-5.1.0-Linux-x86_64.shsudo -sH./Anaconda3-5.1.0-Linux-x86_64.shinstall anaconda3 to
/etc/anaconda3 and then answer "yes" to allow change the .bashrc of root.source /root/.bashrc(B) Update Anaconda
sudo -sH
conda update --prefix /etc/anaconda3 anaconda
conda update -n base conda(B) Install mitmproxy
sudo -sH
conda install pip
pip install mitmproxyThe current version of mitmproxy at this writing is 3.0.3.
Exit to normal user by entering
exit.(C) Update mitmproxy
sudo -sH
cd /etc/anaconda3
pip install mitmproxy --upgrade(D) Install Longjing
wget https://www.infosec-ninjas.com/files/longjing-0.8.0.tar.gz
tar -xvzf longjing-0.8.0.tar.gz
cd longjing
nano config.confwhere :
- NET_INF is the network interface of the mitmproxy to be listening
- PORT is port number of the mitmproxy to be listening, e.g. 8080
- CERT is the location path of the private key TLS/SSL certificate of the domain when available. It should be starting with
--certs.Please read mitmproxy "about certificate" documents for details - Using a custom certificate.
sudo ./install.shFinally, make sure to copy
index.html to the web application root directory.(D) Running
sudo systemctl restart longjing.service(E) Testing with Tools
Longjing is well tested on Damn Vulnerable Web Application (DVWA) with the following tools :
- Burp Suite on DVWA (sqli and xss blocked except DOM)
- sqlmap on DVWA (tamper also blocked)
- OWASP ZAP on DVWA (sqli and xss blocked)
- xsser on DVWA (xss blocked)
- Commix on DVWA (blocked and Commix will hang in the middle)
That's all! See you.
Thursday, January 18, 2018
HOWTO : Install MicroCode in Ubuntu Linux
Linux can update microcode to fix Meltdown and Spectre vulnerabilities instead of BIOS update. Ubuntu can fix the vulnerabilities with just one command.
For Intel CPU :
For AMD CPU :
After that, reboot your Ubuntu box.
That's all! See you.
Update on JAN 24, 2018
Since Linux creator Linus Torvalds disagrees to install Intel's patches for Spectre, the Intel microcode is patched back to the previous version. You are not required to uninstall it. You just update and it will patch it back to the previous version. Please see The Hacker News for details.
sudo apt update
sudo apt dist-upgradeFor Intel CPU :
sudo apt install intel-microcodeFor AMD CPU :
sudo apt install amd64-microcodeAfter that, reboot your Ubuntu box.
That's all! See you.
Update on JAN 24, 2018
Since Linux creator Linus Torvalds disagrees to install Intel's patches for Spectre, the Intel microcode is patched back to the previous version. You are not required to uninstall it. You just update and it will patch it back to the previous version. Please see The Hacker News for details.
sudo apt update
sudo apt dist-upgrade
Monday, January 08, 2018
New Year New You 2018!
This year, I am interested in Machine Learning Python Programming. The useful Python 3.x environment is to install Anaconda. Download the shell script and it will install all the related Python 3.x and Python Libraries for you. Your Linux may have 2 copies and 2 versions of Python and their libraries. You can uninstall Anaconda when you do not need it. This tool is very easy to use. You can also use Jupyter Notebook for the development.
Since I am not good at maths, I am going to find a more easier way to learn Machine Learning. The following is the list that I found from the internet which I can understand about Machine Learning programming and concept.
I just modified faizann24's Python script and the demo is below :
I write the script from the scratch. The demo is here :
The following demo is version 0.3 of the Machine Learning Driven Web Application Firewall :
The following demo is version 0.5 of the Machine Learning Driven Web Application Firewall. It is running much faster than previous versions :
Reference
[1] Josh Gordon's Machine Learning Recipes Video
[2] Machine Learning for Complete Beginners
[3] Machine Learning for Security Informatics
[4] Machine Learning is Fun
[5] FWAF Machine Learning Driven Web Application Firewall
[6] FWAF Machine Learning Driven Web Application Firewall (GitHub)
[7] Machine Learning Tutorial Video
[8] How To Build a Machine Learning Classifier in Python with Scikit-learn
That's all! See you.
Since I am not good at maths, I am going to find a more easier way to learn Machine Learning. The following is the list that I found from the internet which I can understand about Machine Learning programming and concept.
I just modified faizann24's Python script and the demo is below :
I write the script from the scratch. The demo is here :
The following demo is version 0.3 of the Machine Learning Driven Web Application Firewall :
The following demo is version 0.5 of the Machine Learning Driven Web Application Firewall. It is running much faster than previous versions :
Reference
[1] Josh Gordon's Machine Learning Recipes Video
[2] Machine Learning for Complete Beginners
[3] Machine Learning for Security Informatics
[4] Machine Learning is Fun
[5] FWAF Machine Learning Driven Web Application Firewall
[6] FWAF Machine Learning Driven Web Application Firewall (GitHub)
[7] Machine Learning Tutorial Video
[8] How To Build a Machine Learning Classifier in Python with Scikit-learn
That's all! See you.
Friday, January 05, 2018
New year New Hack 2018!
On Jan 4, 2018, GoldJoy Holidays reports that their server has been hacked. It is the second local travel agency company has been hacked in this month so far. The first one is Big Line Holiday which is hacked on Jan 3, 2018.
Big Line Holiday is hosting on their own server which is running Microsoft IIS 8.5 and PHP 5.5.30 with no SSL certificate. On the other hand, Goldjoy Holidays is hosting on web hosting company (the name is unknown to me) which is running Debian Linux, Apache 2.4.10 and PHP 5.6.31. It is believed that Big Line Holiday is running a custom web application while GoldJoy Holidays is running Joomla! Meanwhile, both of them are without security headers.
Today, Jan 5, 2018, GoldJoy Holidays announces that they applied layers of firewall to their website. I curious to know what kind of firewall they applied.
After a quick check, GoldJoy Holidays is now running behind Cloudflare and believed that it is either a free plan or Pro plan. The Cloudflare WAF (Web Application Firewall) may be set to high sensitive and SSL certificate is set. However, the SSL certificate provided by Cloudflare is a share certificate and the IT staff of GoldJoy Holidays misconfigures it. Since the site has no appropriated security headers, it may be affected by MITM (Man-In-The-Middle) attack.
The website of GoldJoy Holidays has several XSS (Cross Site Scripting) vulnerability and several suspected SQLi (SQL Injection) vulnerability. In addition, the website has some other minor problems related to security too. It is believed that the web application is Joomla! 1.5.x.
In my opinion, Cloudflare is not a good solution when your vulnerabilites at your website are not fixed. It will mislead the IT staff or users that your site is secure. Cloudflare WAF can be bypassed. I hope that it is a workaround solution, otherwise, it is still danger.
Reference
[1] Yahoo News
[2] South China Morning Post News
[3] TVB News
That's all! See you.
Big Line Holiday is hosting on their own server which is running Microsoft IIS 8.5 and PHP 5.5.30 with no SSL certificate. On the other hand, Goldjoy Holidays is hosting on web hosting company (the name is unknown to me) which is running Debian Linux, Apache 2.4.10 and PHP 5.6.31. It is believed that Big Line Holiday is running a custom web application while GoldJoy Holidays is running Joomla! Meanwhile, both of them are without security headers.
Today, Jan 5, 2018, GoldJoy Holidays announces that they applied layers of firewall to their website. I curious to know what kind of firewall they applied.
After a quick check, GoldJoy Holidays is now running behind Cloudflare and believed that it is either a free plan or Pro plan. The Cloudflare WAF (Web Application Firewall) may be set to high sensitive and SSL certificate is set. However, the SSL certificate provided by Cloudflare is a share certificate and the IT staff of GoldJoy Holidays misconfigures it. Since the site has no appropriated security headers, it may be affected by MITM (Man-In-The-Middle) attack.
The website of GoldJoy Holidays has several XSS (Cross Site Scripting) vulnerability and several suspected SQLi (SQL Injection) vulnerability. In addition, the website has some other minor problems related to security too. It is believed that the web application is Joomla! 1.5.x.
In my opinion, Cloudflare is not a good solution when your vulnerabilites at your website are not fixed. It will mislead the IT staff or users that your site is secure. Cloudflare WAF can be bypassed. I hope that it is a workaround solution, otherwise, it is still danger.
Reference
[1] Yahoo News
[2] South China Morning Post News
[3] TVB News
That's all! See you.
Monday, December 18, 2017
HOWTO : Wifi Intrusion Detection Without Tears
Wifi everywhere! When you are using wifi no matter it is a public or private hotspot, you are at the risk of being attacked.
When access point and client communicate, they will carrying out a four-way handshake in which the encrypted passphrase will also be transmitted between them. When attacker captures the four-way handshake, the encrypted passphrase is also captured in which it can get the passphrase by wordlists brute forcing.
However, we do not know the one who at the building or parking lot opposite your home or office is a hacker. Fortunately, we can inspect the suspicious or malicious packets in the air, it is the tool namely WAIDPS which stands for Wireless Auditing, Intrusion Detection and Prevention System.
You can leave this tool running and it will report back if there is any suspicious activity in the air near you. You can even fight back to the attacker. However, in my opinion, it is too late for that as the attacker may already have your encrypted passphrase with the four-way handshake.
If you observe any attack such as deauthentication, you can reset your passphrase to a stronger one in order to stop the attack on your wifi router.
By the way, MAC address filtering and hidden SSID mean nothing to attacker. The best way to defense is to have a very strong passphrase.
Reference
[1] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[2] Kali Linux
That's all! See you.
When access point and client communicate, they will carrying out a four-way handshake in which the encrypted passphrase will also be transmitted between them. When attacker captures the four-way handshake, the encrypted passphrase is also captured in which it can get the passphrase by wordlists brute forcing.
However, we do not know the one who at the building or parking lot opposite your home or office is a hacker. Fortunately, we can inspect the suspicious or malicious packets in the air, it is the tool namely WAIDPS which stands for Wireless Auditing, Intrusion Detection and Prevention System.
You can leave this tool running and it will report back if there is any suspicious activity in the air near you. You can even fight back to the attacker. However, in my opinion, it is too late for that as the attacker may already have your encrypted passphrase with the four-way handshake.
If you observe any attack such as deauthentication, you can reset your passphrase to a stronger one in order to stop the attack on your wifi router.
By the way, MAC address filtering and hidden SSID mean nothing to attacker. The best way to defense is to have a very strong passphrase.
Reference
[1] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[2] Kali Linux
That's all! See you.
Tuesday, December 05, 2017
HOWTO : Wifi Penetration Testing Without Tears
Wifi everywhere! There are a lot of private and public wifi access points around you. Almost everyone will use wifi at anytime. The security of wifi should be taken into account.
The most common wifi frequencies are 2.4GHz and 5GHz at the time of this writing. 2.4GHz frequency channel range is between 1 and 14 while 5GHz frequency channel range is between 34 and 165. That's include a/b/g/n/ac modes.
You can even find some access points still using WEP but it is not common. Almost all access points are using WPA/WPA2. To get passphrase of WEP from access point is very easy. However, WPA/WPA2 is not very hard indeed.
When access point and client communicate, they will carrying out a four-way handshake in which the encrypted passhrase will also be transmitted between them. When attacker captures the four-way handshake, the encrypted passphrase is also captured in which it can get the passphrase by wordlists brute forcing.
To complete the capture steps, you need a tool namely Aircrack-ng. It is a very powerful wifi auditing tool. Furthermore, there is a good tool to brute forcing WPA/WPA2 key, it is Hashcat. Hashcat is very powerful tool for password recovery. Hashcat requires GPU to do the brute forcing job. The more powerful the GPU, the faster the process of brute forcing.
However, to carry out the wifi penetration testing is somehow very hard for some people. It is because it will involve a lot of steps and procedure to complete. In addition, you also need a workable wifi USB dongle or card to make the job done.
Current version of Aircrack-ng 1.2 RC4 does not fully compatible to 5GHz frequency. It is required to patch it and compile it yourself in Kali Linux.
Realtek 8812au chipset wifi USB dongle is ready for 5GHz frequency and penetration testing. The driver is required to compile and install on Kali Linux yourself too.
One of the automated tools for penetration testing wifi is WAIDPS. It also can act as intrusion detection and prevention system for wifi. It just a few keystrokes to complete the wifi penetration testing.
Reference
[1] List of WLAN channels
[2] Kali Linux
[3] Aircrack-ng Official Site
[4] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[5] Install Realtek 8812au Linux Driver
[6] Patch Aircrack-ng For 5GHz Band On Kali Linux 2017.3
[7] Hashcat Official Site
[8] Install Hashcat on Ubuntu 16.04.3
[9] TP-Link Archer T4UHP (Realtek 8812au chipset)
[10] ALFA AWUS036NH (Realtek 8812au chipset)
[11] D-Link DWA-171 Nano USB Adapter (Realtek 8812au chipset)
That's all! See you.
The most common wifi frequencies are 2.4GHz and 5GHz at the time of this writing. 2.4GHz frequency channel range is between 1 and 14 while 5GHz frequency channel range is between 34 and 165. That's include a/b/g/n/ac modes.
You can even find some access points still using WEP but it is not common. Almost all access points are using WPA/WPA2. To get passphrase of WEP from access point is very easy. However, WPA/WPA2 is not very hard indeed.
When access point and client communicate, they will carrying out a four-way handshake in which the encrypted passhrase will also be transmitted between them. When attacker captures the four-way handshake, the encrypted passphrase is also captured in which it can get the passphrase by wordlists brute forcing.
To complete the capture steps, you need a tool namely Aircrack-ng. It is a very powerful wifi auditing tool. Furthermore, there is a good tool to brute forcing WPA/WPA2 key, it is Hashcat. Hashcat is very powerful tool for password recovery. Hashcat requires GPU to do the brute forcing job. The more powerful the GPU, the faster the process of brute forcing.
However, to carry out the wifi penetration testing is somehow very hard for some people. It is because it will involve a lot of steps and procedure to complete. In addition, you also need a workable wifi USB dongle or card to make the job done.
Current version of Aircrack-ng 1.2 RC4 does not fully compatible to 5GHz frequency. It is required to patch it and compile it yourself in Kali Linux.
Realtek 8812au chipset wifi USB dongle is ready for 5GHz frequency and penetration testing. The driver is required to compile and install on Kali Linux yourself too.
One of the automated tools for penetration testing wifi is WAIDPS. It also can act as intrusion detection and prevention system for wifi. It just a few keystrokes to complete the wifi penetration testing.
Reference
[1] List of WLAN channels
[2] Kali Linux
[3] Aircrack-ng Official Site
[4] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[5] Install Realtek 8812au Linux Driver
[6] Patch Aircrack-ng For 5GHz Band On Kali Linux 2017.3
[7] Hashcat Official Site
[8] Install Hashcat on Ubuntu 16.04.3
[9] TP-Link Archer T4UHP (Realtek 8812au chipset)
[10] ALFA AWUS036NH (Realtek 8812au chipset)
[11] D-Link DWA-171 Nano USB Adapter (Realtek 8812au chipset)
That's all! See you.
HOWTO : Patch AirCrack-NG For 5GHz Band On Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and github repository commit number 7552fdc do not detect 5GHz channel number properly, you need to use jpmv27's repository for the workaround till official is patched in the next release.
The following is the best way than this as it uses the latest source of AirCrack-NG from GitHub.
Step 1 :
Step 2 :
To patch for 5GHz band :
Step 3 :
To fix a typo :
Replace line 709 where
to
Step 4 :
Important
Make sure not to uninstall aircrack-ng by "apt" command as it will also uninstall some useful packages at the same time.
Kali Linux's Aircrack-ng is installed at /usr/bin and /usr/sbin while GitHub's Aircrack-ng is installed at /usr/local/bin and /usr/local/sbin. The $PATH will search for /usr/local first. Therefore, you will run GitHub version instead of original one.
When Kali Linux updated AirCrack-ng, you can uninstall the GitHub version by the following command when the source code is still there :
Remarks :
If using WAIDPS, make sure to use v1.0 R.6d (or newer) as it fixed for the newer aireplay-ng display.
Reference
5GHz Patch
Typo Patch
That's all! See you.
The following is the best way than this as it uses the latest source of AirCrack-NG from GitHub.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-devStep 2 :
To patch for 5GHz band :
git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng/src
wget https://github.com/jpmv27/aircrack-ng/commit/8199c04357ea05daaf2de2ae7eebb28d30baef87.patch
patch < 8199c04357ea05daaf2de2ae7eebb28d30baef87.patchStep 3 :
To fix a typo :
nano bessid-ng.cReplace line 709 where
err(1, "wi_wirte()");to
err(1, "wi_write()");Step 4 :
make
make installImportant
Make sure not to uninstall aircrack-ng by "apt" command as it will also uninstall some useful packages at the same time.
Kali Linux's Aircrack-ng is installed at /usr/bin and /usr/sbin while GitHub's Aircrack-ng is installed at /usr/local/bin and /usr/local/sbin. The $PATH will search for /usr/local first. Therefore, you will run GitHub version instead of original one.
When Kali Linux updated AirCrack-ng, you can uninstall the GitHub version by the following command when the source code is still there :
cd aircrack-ng
make clean
make uninstallRemarks :
If using WAIDPS, make sure to use v1.0 R.6d (or newer) as it fixed for the newer aireplay-ng display.
Reference
5GHz Patch
Typo Patch
That's all! See you.
Monday, December 04, 2017
HOWTO : Install HashCat on Ubuntu 16.04.3
hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
Step 1 :
Step 2 :
To crack WPA/WPA2 passphrase, convert cap to hccapx :
If using WAIDPS, copy the "cap" file to "~/infosec" :
If you are using Kali Linux 2017.3, "cap2hccapx.bin" is located at the following :
Step 3 :
The following are the example usgaes of hashcat to crack WPA/WPA2 passphrase:
To crack with rockyou dictionary :
To crack up to 8 digits :
To crack up to 8 characters for all available characters including space :
To crack with rules and rockyou dictionary :
The WPA/WPA2 crack on MacBook Pro (Retina Mid 2012 - NVIDIA GeForce GT 650M and Intel HD Graphics 4000) with hashcat required about half an hour for captioned first 2 examples. The third example requires over 305 years to complete on my MacBook Pro. The forth example requires 1 day and 13 hours to complete on my MacBook Pro.
Reference
How to Perform a Mask Attack Using hashcat
That's all! See you.
Step 1 :
sudo apt install ocl-icd-libopencl1 git build-essential
mkdir ~/infosec
cd infosec
git clone https://github.com/hashcat/hashcat
cd hashcat
git submodule update --init
make
cd ~/infosec
git clone https://github.com/hashcat/hashcat-utils
cd hashcat-utils/src
make
cp *.bin ../binStep 2 :
To crack WPA/WPA2 passphrase, convert cap to hccapx :
If using WAIDPS, copy the "cap" file to "~/infosec" :
cp /.SYWorks/Saved/Handshake_F92A673ED5C2_hihi_StrictFull.cap ~/infosec
cd ~/infosec
hachcat-utils/bin/cap2hccapx.bin Handshake_F92A673ED5C2_hihi_StrictFull.cap hihi.hccapxIf you are using Kali Linux 2017.3, "cap2hccapx.bin" is located at the following :
/usr/lib/hashcat-utils/cap2hccapx.binStep 3 :
The following are the example usgaes of hashcat to crack WPA/WPA2 passphrase:
To crack with rockyou dictionary :
cd ~/infosec/hashcat
./hashcat -m 2500 ~/infosec/hihi.hccapx ~/rockyou.txtTo crack up to 8 digits :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?d,?d?d?d?d?d?d?d?d --increment-min 1 --increment-max 8 --incrementTo crack up to 8 characters for all available characters including space :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?a,?a?a?a?a?a?a?a?a --increment-min 1 --increment-max 8 --incrementTo crack with rules and rockyou dictionary :
./hashcat -m 2500 -r rules/best64.rule ~/infosec/hihi.hccapx ~/rockyou.txtThe WPA/WPA2 crack on MacBook Pro (Retina Mid 2012 - NVIDIA GeForce GT 650M and Intel HD Graphics 4000) with hashcat required about half an hour for captioned first 2 examples. The third example requires over 305 years to complete on my MacBook Pro. The forth example requires 1 day and 13 hours to complete on my MacBook Pro.
Reference
How to Perform a Mask Attack Using hashcat
That's all! See you.
Sunday, December 03, 2017
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and github repository commit number 7552fdc do not detect 5GHz channel number properly, you need to use jpmv27's repository for the workaround till official is patched in the next release.
Step 1 :
Step 2 :
Step 3 :
Make sure not to uninstall aircrack-ng by "apt" command as it will also uninstall some useful packages at the same time.
That's all! See you.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-devStep 2 :
git clone https://github.com/jpmv27/aircrack-ng
cd aircrack-ngStep 3 :
make
make installMake sure not to uninstall aircrack-ng by "apt" command as it will also uninstall some useful packages at the same time.
That's all! See you.
Monday, November 27, 2017
Zotac ZBox CI549/MI549 nano for Croissants
Croissants is Intrusion Detection and Prevention System (IDPS) which requires 3 network interfaces and CPU with AVX2, Zotac ZBox CI549 or MI549 is another good choice for home and/or SOHO users. It's small footprint and Intel Core i5-7300U (Dual Core/4 Hyperthreading) is suitable for home and/or SOHO users for IDPS, like Croissants.
It comes with 2 network interfaces and one Thunderbolt 3 Type-C port which can connect to an adaptor to become another network interface. It also can install up to 32GB DDR4 memory. In my opinion, it can handle up to 1000Mbps bandwidth with low to medium traffic flow even I did not test it at my side at the moment. However, I will purchase one for the test when it is available.
On the other hand, you can install pfsense with suricata plugin on it when Hyperscan is available for FreeBSD or pfsense. pfsense requires 2 network interfaces only.
Finally, the difference between CI549 and MI549 is that CI549 is passive cooling while MI549 is active.
That's all! See you.
Reference
Zotac ZBox Comparison 2017
It comes with 2 network interfaces and one Thunderbolt 3 Type-C port which can connect to an adaptor to become another network interface. It also can install up to 32GB DDR4 memory. In my opinion, it can handle up to 1000Mbps bandwidth with low to medium traffic flow even I did not test it at my side at the moment. However, I will purchase one for the test when it is available.
On the other hand, you can install pfsense with suricata plugin on it when Hyperscan is available for FreeBSD or pfsense. pfsense requires 2 network interfaces only.
Finally, the difference between CI549 and MI549 is that CI549 is passive cooling while MI549 is active.
That's all! See you.
Reference
Zotac ZBox Comparison 2017
Saturday, November 18, 2017
One More Secure Layer For Your Security Stack
Quad9 is founded by IBM, PCH and Global Cyber Alliance to provide a free DNS service to you that can block malicious websites when you are surfing the internet.
You can set it up on your router or personal computer in a few steps. It is painless to set it up as the official site provides videos and text documentation to help you to set it up.
Make sure you put "9.9.9.9" on the toppest position of your DNS list in your router or personal computer.
I have tested it and find out that the surfing speed is very fast without lagging. Finally, be keep in mind that Quad9 cannot 100% protect you from being reached all the malicious websites. However, it adds one more secure layer on your existing security stack.
That's all! See you.
You can set it up on your router or personal computer in a few steps. It is painless to set it up as the official site provides videos and text documentation to help you to set it up.
Make sure you put "9.9.9.9" on the toppest position of your DNS list in your router or personal computer.
I have tested it and find out that the surfing speed is very fast without lagging. Finally, be keep in mind that Quad9 cannot 100% protect you from being reached all the malicious websites. However, it adds one more secure layer on your existing security stack.
That's all! See you.
Tuesday, November 14, 2017
VPN and IPS For Public Wifi
Many friends of mine always asking me how to protect themselves from being hacked. The most asked question is how to protect them from being hacked when using public wifi. They are asking if VPN can do it or not as they saw a lot of advertisement about it.
I recommend them to use their own VPN server with additional protestion, such as Intrusion Detection and Prevention System (IDPS), Next-Generation Firewall or Unified Thread Management System (UTM). It is because most of those products equipped with Anti-Virus/Malware, Exploit prevention and etc. It would be more better and more secure than just use commercial VPN alone.
Open source solutions will be very great for home users and small businesses. I recommend pfsense with suricata and Croissants. pfsense basically is a router and it can install suricata plugin that making it to be an inline IPS. pfsense also have build-in VPN. On the other hand, Croissants is designed for inline IPS and it does not comes with VPN. You need to setup your own.
Once the VPN and IPS are setup, when you are going to use the public wifi, you can connect to the public wifi hotspot and then connect to your VPN which is setup at your home or office. The traffic will be go through the inline IPS via VPN. As a result, you will be under the protection of the IPS. However, the downside is the battery of your mobile device (such as smartphone) will be drained out more quickly. Therefore, you can connect to your VPN when necessary.
Finally, when using pfsense with suricata, you need to fine tune the rules set in order to prevent some false positive alerts. However, Croissants is already tune for daily usage.
Reference
pfsense Official site
Youtube - Build a Router 2016 Q4 -- pfSense Build
pfsense Forum - Suricata true inline IPS mode coming with pfSense 2.3 -- here is a preview
Youtube - pfSense: Network Intrusion Detection w/Suricata (pt4)
Youtube - Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense
Croissants - Intrusion Detection and Prevention System
That's all! See you.
I recommend them to use their own VPN server with additional protestion, such as Intrusion Detection and Prevention System (IDPS), Next-Generation Firewall or Unified Thread Management System (UTM). It is because most of those products equipped with Anti-Virus/Malware, Exploit prevention and etc. It would be more better and more secure than just use commercial VPN alone.
Open source solutions will be very great for home users and small businesses. I recommend pfsense with suricata and Croissants. pfsense basically is a router and it can install suricata plugin that making it to be an inline IPS. pfsense also have build-in VPN. On the other hand, Croissants is designed for inline IPS and it does not comes with VPN. You need to setup your own.
Once the VPN and IPS are setup, when you are going to use the public wifi, you can connect to the public wifi hotspot and then connect to your VPN which is setup at your home or office. The traffic will be go through the inline IPS via VPN. As a result, you will be under the protection of the IPS. However, the downside is the battery of your mobile device (such as smartphone) will be drained out more quickly. Therefore, you can connect to your VPN when necessary.
Finally, when using pfsense with suricata, you need to fine tune the rules set in order to prevent some false positive alerts. However, Croissants is already tune for daily usage.
Reference
pfsense Official site
Youtube - Build a Router 2016 Q4 -- pfSense Build
pfsense Forum - Suricata true inline IPS mode coming with pfSense 2.3 -- here is a preview
Youtube - pfSense: Network Intrusion Detection w/Suricata (pt4)
Youtube - Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense
Croissants - Intrusion Detection and Prevention System
That's all! See you.
Saturday, October 21, 2017
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System is an open source project which is designed for both offensive and defensive purpose in mind.
This project is original created by SY Chua of SYWorks Programming. However, it is no longer maintained by him since 2014. The GitHub version is v1.0 R.6 and it is dated Oct 10, 2014. However, the demo in his tutorials and Youtube videos are displayed v1.0 R.7 dated Oct 11, 2014.
This software is a very good design in screen layout and good operation experience. Since v1.0 R.6 will crash when handshake is captured and it is not working properly on Kali Linux 2017.2, I modified the Python script to make it to work again in two days. Meanwhile, IEEE 802.11ac is also supported in my modification.
It is well tested on Kali Linux 2017.2. Other penetration testing Linux distributions may work too.
My modification is also an open source project and it is released under GPLv3.
Reference
[1] This project is forked from https://github.com/SYWorks/waidps
[2] Official tutorial - Part 1
[3] Official tutorial - Part 2
[4] Official tutorial - Part 3
[5] Official Youtube Playlist
[6] RealTek 8812AU Driver Installation
[7] TP-Link Archer T4UHP (Realtek 8812AU chipset)
That's all! See you.
This project is original created by SY Chua of SYWorks Programming. However, it is no longer maintained by him since 2014. The GitHub version is v1.0 R.6 and it is dated Oct 10, 2014. However, the demo in his tutorials and Youtube videos are displayed v1.0 R.7 dated Oct 11, 2014.
This software is a very good design in screen layout and good operation experience. Since v1.0 R.6 will crash when handshake is captured and it is not working properly on Kali Linux 2017.2, I modified the Python script to make it to work again in two days. Meanwhile, IEEE 802.11ac is also supported in my modification.
It is well tested on Kali Linux 2017.2. Other penetration testing Linux distributions may work too.
My modification is also an open source project and it is released under GPLv3.
Reference
[1] This project is forked from https://github.com/SYWorks/waidps
[2] Official tutorial - Part 1
[3] Official tutorial - Part 2
[4] Official tutorial - Part 3
[5] Official Youtube Playlist
[6] RealTek 8812AU Driver Installation
[7] TP-Link Archer T4UHP (Realtek 8812AU chipset)
That's all! See you.
Friday, October 20, 2017
HOWTO : Install RealTek 8812AU Driver with Packet Injection And Monitor Mode Support
TP-Link Archer T4UHP v1 is also supported by this driver with monitor mode and packet injection. It is a IEEE 802.11ac USB dongle.
Although Kali Linux has its own 8812au driver, I find AirCrack-ng's driver is the best.
Step 1 :
On Ubuntu Desktop 16.04.3 :
On Kali Linux 2017.2 :
Step 2 :
Step 3 :
On Ubuntu Desktop 16.04.3 :
Make sure to change at dkms.conf before running the following commands.
Change all
On Kali Linux 2017.2 :
Step 4 :
To remove the dkms driver :
Ubuntu Desktop 16.04.3 :
Kali Linux 2017.2 :
Step 5 :
To control it, I suggest to use iw wireless tool.
Beware that the driver does not work properly on the following commands :
(1) airmon-ng start wlan0
(2) iw dev wlan0 interface add wlmon0 type monitor
Make sure run "airmon-ng check kill" beforehand.
Reference
AirCrack-ng RTL8812AU driver
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
That's all! See you.
Although Kali Linux has its own 8812au driver, I find AirCrack-ng's driver is the best.
Step 1 :
On Ubuntu Desktop 16.04.3 :
sudo apt update
sudo apt install build-essential dkms gitOn Kali Linux 2017.2 :
apt update
apt install dkmsStep 2 :
git clone https://github.com/aircrack-ng/rtl8812au
cd rtl8812auStep 3 :
On Ubuntu Desktop 16.04.3 :
nano dkms.confChange all
"/updates" to "/kernel/drivers/net/wireless" when using Ubuntu.sudo bash ./dkms-install.shOn Kali Linux 2017.2 :
bash ./dkms-install.shStep 4 :
To remove the dkms driver :
cd rtl8812auUbuntu Desktop 16.04.3 :
sudo bash ./dkms-remove.shKali Linux 2017.2 :
bash ./dkms-remove.shStep 5 :
To control it, I suggest to use iw wireless tool.
Beware that the driver does not work properly on the following commands :
(1) airmon-ng start wlan0
(2) iw dev wlan0 interface add wlmon0 type monitor
Make sure run "airmon-ng check kill" beforehand.
Reference
AirCrack-ng RTL8812AU driver
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
That's all! See you.
Wednesday, October 11, 2017
HOWTO : Install GCC 7.x on Ubuntu 16.04.3 LTS
Some features require GCC 7.x to compile with, such as AVX-512.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt update
sudo apt install gcc-7
Set gcc-7 as default in order for the compilation.
Now, gcc-7 is the default compiler. To change back to gcc-5, you need to run :
Then select gcc-5.
That's all! See you.
sudo apt update
sudo apt install gcc-7
Set gcc-7 as default in order for the compilation.
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-7 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-7 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-7sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-5 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-5 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-5Now, gcc-7 is the default compiler. To change back to gcc-5, you need to run :
sudo update-alternatives --config gccThen select gcc-5.
That's all! See you.
Subscribe to:
Posts (Atom)