Wifi everywhere! Whether you are using a public or a private hotspot, you are at risk of being attacked.
When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured with it, and the attacker can then recover the passphrase by brute forcing it with wordlists.
However, we cannot tell whether the person in the building or parking lot opposite your home or office is a hacker. Fortunately, we can inspect suspicious or malicious packets in the air with a tool called WAIDPS, which stands for Wireless Auditing, Intrusion Detection and Prevention System.
You can leave this tool running and it will report back if there is any suspicious activity in the air near you. You can even fight back against the attacker. However, in my opinion, it is too late for that by then, as the attacker may already have your encrypted passphrase from the captured four-way handshake.
If you observe any attack such as deauthentication, reset your passphrase to a stronger one in order to stop the attack on your wifi router.
By the way, MAC address filtering and a hidden SSID mean nothing to an attacker. The best defence is a very strong passphrase.
Reference
[1] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[2] Kali Linux
That's all! See you.
Monday, December 18, 2017
Tuesday, December 05, 2017
HOWTO : Wifi Penetration Testing Without Tears
Wifi everywhere! There are a lot of private and public wifi access points around you, and almost everyone uses wifi all the time. The security of wifi should therefore be taken into account.
The most common wifi frequencies are 2.4GHz and 5GHz at the time of this writing. The 2.4GHz channel range is 1 to 14, while the 5GHz channel range is 34 to 165. These cover the a/b/g/n/ac modes.
You can still find some access points using WEP, but it is not common; almost all access points use WPA/WPA2. Recovering the passphrase of a WEP access point is very easy. However, WPA/WPA2 is not very hard either.
When an access point and a client communicate, they carry out a four-way handshake in which the encrypted passphrase is also transmitted between them. When an attacker captures the four-way handshake, the encrypted passphrase is captured with it, and the attacker can then recover the passphrase by brute forcing it with wordlists.
To complete the capture steps, you need a tool called Aircrack-ng, a very powerful wifi auditing tool. Furthermore, there is a good tool for brute forcing the WPA/WPA2 key: Hashcat, a very powerful password recovery tool. Hashcat requires a GPU to do the brute forcing; the more powerful the GPU, the faster the brute forcing runs.
However, carrying out wifi penetration testing is quite hard for some people, because it involves a lot of steps and procedures. In addition, you also need a working wifi USB dongle or card to get the job done.
The current version of Aircrack-ng, 1.2 RC4, is not fully compatible with the 5GHz band. You need to patch it and compile it yourself on Kali Linux.
A wifi USB dongle with the Realtek 8812au chipset is ready for the 5GHz band and for penetration testing. Its driver also has to be compiled and installed on Kali Linux yourself.
One of the automated tools for wifi penetration testing is WAIDPS. It can also act as an intrusion detection and prevention system for wifi. It takes just a few keystrokes to complete a wifi penetration test.
Reference
[1] List of WLAN channels
[2] Kali Linux
[3] Aircrack-ng Official Site
[4] WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
[5] Install Realtek 8812au Linux Driver
[6] Patch Aircrack-ng For 5GHz Band On Kali Linux 2017.3
[7] Hashcat Official Site
[8] Install Hashcat on Ubuntu 16.04.3
[9] TP-Link Archer T4UHP (Realtek 8812au chipset)
[10] ALFA AWUS036NH (Realtek 8812au chipset)
[11] D-Link DWA-171 Nano USB Adapter (Realtek 8812au chipset)
That's all! See you.
HOWTO : Patch AirCrack-NG For 5GHz Band On Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and the GitHub repository at commit 7552fdc do not detect 5GHz channel numbers properly, you need to use jpmv27's repository as a workaround until the official code is patched in the next release.
The following is a better way than that one, as it uses the latest AirCrack-NG source from GitHub.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev
Step 2 :
To patch for 5GHz band :
git clone https://github.com/aircrack-ng/aircrack-ng
cd aircrack-ng/src
wget https://github.com/jpmv27/aircrack-ng/commit/8199c04357ea05daaf2de2ae7eebb28d30baef87.patch
patch < 8199c04357ea05daaf2de2ae7eebb28d30baef87.patch
Step 3 :
To fix a typo :
nano besside-ng.c
Replace line 709, which reads
err(1, "wi_wirte()");
with
err(1, "wi_write()");
Step 4 :
make
make install
Important
Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.
Kali Linux's Aircrack-ng is installed in /usr/bin and /usr/sbin, while the GitHub Aircrack-ng is installed in /usr/local/bin and /usr/local/sbin. $PATH searches /usr/local first, so you will run the GitHub version instead of the original one.
When Kali Linux updates AirCrack-ng, you can uninstall the GitHub version with the following commands, as long as the source tree is still there :
cd aircrack-ng
make clean
make uninstall
Remarks :
If using WAIDPS, make sure to use v1.0 R.6d (or newer), as it is fixed for the newer aireplay-ng output.
Reference
5GHz Patch
Typo Patch
That's all! See you.
Monday, December 04, 2017
HOWTO : Install HashCat on Ubuntu 16.04.3
hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.
Step 1 :
sudo apt install ocl-icd-libopencl1 git build-essential
mkdir ~/infosec
cd infosec
git clone https://github.com/hashcat/hashcat
cd hashcat
git submodule update --init
make
cd ~/infosec
git clone https://github.com/hashcat/hashcat-utils
cd hashcat-utils/src
make
cp *.bin ../bin
Step 2 :
To crack a WPA/WPA2 passphrase, convert the cap file to hccapx :
If using WAIDPS, copy the "cap" file to "~/infosec" :
cp /.SYWorks/Saved/Handshake_F92A673ED5C2_hihi_StrictFull.cap ~/infosec
cd ~/infosec
hashcat-utils/bin/cap2hccapx.bin Handshake_F92A673ED5C2_hihi_StrictFull.cap hihi.hccapx
If you are using Kali Linux 2017.3, "cap2hccapx.bin" is located at :
/usr/lib/hashcat-utils/cap2hccapx.bin
Step 3 :
The following are example usages of hashcat to crack a WPA/WPA2 passphrase:
To crack with rockyou dictionary :
cd ~/infosec/hashcat
./hashcat -m 2500 ~/infosec/hihi.hccapx ~/rockyou.txt
To crack up to 8 digits :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?d,?d?d?d?d?d?d?d?d --increment-min 1 --increment-max 8 --increment
To crack up to 8 characters for all available characters including space :
./hashcat -m 2500 ~/infosec/hihi.hccapx -a 3 ?a,?a?a?a?a?a?a?a?a --increment-min 1 --increment-max 8 --increment
To crack with rules and rockyou dictionary :
./hashcat -m 2500 -r rules/best64.rule ~/infosec/hihi.hccapx ~/rockyou.txt
The WPA/WPA2 crack on a MacBook Pro (Retina Mid 2012 - NVIDIA GeForce GT 650M and Intel HD Graphics 4000) with hashcat took about half an hour for each of the first two examples above. The third example would require over 305 years to complete on my MacBook Pro. The fourth example requires 1 day and 13 hours to complete on my MacBook Pro.
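The four attacks above differ enormously in keyspace, and because a WPA/WPA2 passphrase must be 8 to 63 characters long, candidates shorter than 8 can never match, so an --increment-min below 8 only adds rejected guesses. The following Python is an added example, not code from hashcat or from the original post: it expands a hashcat mask (including the hcmask-style "?d,?d?d..." form used above) into its effective candidate count and turns that into an entropy figure and a time estimate. The 60,000 H/s rate is an assumed placeholder, not a measurement of the MacBook Pro, and this is the arithmetic a defender uses to decide how long a passphrase must be (the earlier posts' "very strong passphrase" advice in numbers).

```python
import math

# hashcat built-in charsets and their sizes; ?a = ?l?u?d?s, the 95 printable
# ASCII characters including space
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# WPA/WPA2-Personal passphrases are 8 to 63 characters long (IEEE 802.11i),
# so candidates outside that range can never be the right one
WPA_MIN_LEN = 8
WPA_MAX_LEN = 63

# ASSUMED cracking rate for the estimates below; a placeholder, not a
# benchmark of the hardware mentioned in the post
ASSUMED_RATE_PER_SECOND = 60_000


def mask_part(mask_arg):
    """hcmask syntax 'charset1,...,mask' (as used in the post) keeps the actual
    mask after the last comma; a plain mask is returned unchanged."""
    return mask_arg.rsplit(",", 1)[-1]


def parse_mask(mask):
    """Return the charset size of each mask position, e.g. '?d?d?l' -> [10, 10, 26].
    A literal character is a fixed position of size 1 and '??' is a literal '?'."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        key = mask[i + 1]
        if key == "?":
            sizes.append(1)
        elif key in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[key])
        else:
            raise ValueError("unsupported charset ?" + key)
        i += 2
    return sizes


def keyspace(mask_arg, increment_min=None, increment_max=None,
             min_len=WPA_MIN_LEN, max_len=WPA_MAX_LEN):
    """Number of candidates whose length lies within [min_len, max_len].
    With --increment the mask is tried at every prefix length from
    increment_min to increment_max; without it only the full length is tried."""
    sizes = parse_mask(mask_part(mask_arg))
    if increment_min is None:
        lengths = [len(sizes)]
    else:
        top = len(sizes) if increment_max is None else min(increment_max, len(sizes))
        lengths = range(increment_min, top + 1)
    return sum(math.prod(sizes[:n]) for n in lengths if min_len <= n <= max_len)


def raw_keyspace(mask_arg, increment_min=None, increment_max=None):
    """Every candidate hashcat generates, including lengths WPA can never accept."""
    return keyspace(mask_arg, increment_min, increment_max, min_len=0, max_len=10 ** 9)


def entropy_bits(candidates):
    """Strength of a passphrase drawn uniformly from a keyspace of this size."""
    return math.log2(candidates) if candidates > 0 else 0.0


def seconds_to_exhaust(candidates, rate_per_second=ASSUMED_RATE_PER_SECOND):
    return candidates / rate_per_second


def describe(seconds):
    """Render a duration in the largest unit that fits, e.g. '1.5 minutes'."""
    units = (("years", 365.25 * 86400), ("days", 86400.0), ("hours", 3600.0),
             ("minutes", 60.0), ("seconds", 1.0))
    for name, size in units:
        if seconds >= size or name == "seconds":
            return "%.1f %s" % (seconds / size, name)


def report(mask_arg, increment_min=None, increment_max=None):
    """Effective keyspace, wasted (too short) candidates, bits and ETA for one mask."""
    eff = keyspace(mask_arg, increment_min, increment_max)
    raw = raw_keyspace(mask_arg, increment_min, increment_max)
    return {"mask": mask_arg, "effective": eff, "rejected": raw - eff,
            "bits": round(entropy_bits(eff), 1),
            "eta": describe(seconds_to_exhaust(eff))}


if __name__ == "__main__":
    # the two mask attacks from Step 3, written exactly as in the post
    for m in ("?d,?d?d?d?d?d?d?d?d", "?a,?a?a?a?a?a?a?a?a"):
        print(report(m, increment_min=1, increment_max=8))
    # what a defender gains by moving to a 12-character passphrase
    print(report("?a" * 12))
```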
Reference
How to Perform a Mask Attack Using hashcat
That's all! See you.
Sunday, December 03, 2017
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
Since AirCrack-NG release 1.2rc4 and the GitHub repository at commit 7552fdc do not detect 5GHz channel numbers properly, you need to use jpmv27's repository as a workaround until the official code is patched in the next release.
Step 1 :
apt install pkg-config libssl-dev libsqlite3-dev libnl-3-dev libnl-genl-3-dev libpcre3-dev
Step 2 :
git clone https://github.com/jpmv27/aircrack-ng
cd aircrack-ng
Step 3 :
make
make install
Make sure not to uninstall aircrack-ng with the "apt" command, as it will also uninstall some useful packages at the same time.
That's all! See you.
Monday, November 27, 2017
Zotac ZBox CI549/MI549 nano for Croissants
Croissants is an Intrusion Detection and Prevention System (IDPS) that requires three network interfaces and a CPU with AVX2. The Zotac ZBox CI549 or MI549 is another good choice for home and/or SOHO users: its small footprint and Intel Core i5-7300U (dual core, four hyperthreads) are suitable for running an IDPS such as Croissants in a home and/or SOHO environment.
It comes with two network interfaces and one Thunderbolt 3 Type-C port, which can be connected to an adaptor to become a third network interface. It can take up to 32GB of DDR4 memory. In my opinion, it can handle up to 1000Mbps of bandwidth with low to medium traffic flow, even though I have not tested it myself at the moment. However, I will purchase one for testing when it is available.
On the other hand, you can install pfsense with the suricata plugin on it once Hyperscan is available for FreeBSD or pfsense. pfsense requires only two network interfaces.
Finally, the difference between the CI549 and the MI549 is that the CI549 is passively cooled while the MI549 is actively cooled.
That's all! See you.
Reference
Zotac ZBox Comparison 2017
Saturday, November 18, 2017
One More Secure Layer For Your Security Stack
Quad9 is founded by IBM, PCH and the Global Cyber Alliance to provide a free DNS service that can block malicious websites while you are surfing the internet.
You can set it up on your router or personal computer in a few steps. It is painless to set up, as the official site provides videos and text documentation to help you.
Make sure you put "9.9.9.9" at the top of the DNS server list in your router or personal computer.
I have tested it and found that surfing speed is very fast, without lag. Finally, keep in mind that Quad9 cannot protect you 100% from reaching every malicious website. However, it adds one more secure layer to your existing security stack.
That's all! See you.
Tuesday, November 14, 2017
VPN and IPS For Public Wifi
Many friends of mine keep asking me how to protect themselves from being hacked. The most frequently asked question is how to protect themselves when using public wifi. They ask whether a VPN can do it or not, as they have seen a lot of advertisements about it.
I recommend that they use their own VPN server with additional protection, such as an Intrusion Detection and Prevention System (IDPS), a Next-Generation Firewall or a Unified Threat Management System (UTM). Most of those products come equipped with anti-virus/anti-malware, exploit prevention and so on. That is better and more secure than just using a commercial VPN alone.
Open source solutions are great for home users and small businesses. I recommend pfsense with suricata, and Croissants. pfsense is basically a router, and installing the suricata plugin turns it into an inline IPS; pfsense also has a built-in VPN. On the other hand, Croissants is designed as an inline IPS and does not come with a VPN, so you need to set up your own.
Once the VPN and IPS are set up, when you are going to use public wifi you connect to the public hotspot and then to your VPN, which is set up at your home or office. The traffic then goes through the inline IPS via the VPN, so you are under the protection of the IPS. The downside is that the battery of your mobile device (such as a smartphone) drains more quickly, so you may connect to your VPN only when necessary.
Finally, when using pfsense with suricata, you need to fine tune the rule set in order to prevent some false positive alerts. Croissants, however, is already tuned for daily usage.
Reference
pfsense Official site
Youtube - Build a Router 2016 Q4 -- pfSense Build
pfsense Forum - Suricata true inline IPS mode coming with pfSense 2.3 -- here is a preview
Youtube - pfSense: Network Intrusion Detection w/Suricata (pt4)
Youtube - Suricata Network IDS/IPS System Installation, Setup and How To Tune The Rules & Alerts on pfSense
Croissants - Intrusion Detection and Prevention System
That's all! See you.
Saturday, October 21, 2017
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System
WAIDPS - Wireless Auditing, Intrusion Detection and Prevention System is an open source project designed with both offensive and defensive purposes in mind.
This project was originally created by SY Chua of SYWorks Programming. However, it has no longer been maintained by him since 2014. The GitHub version is v1.0 R.6, dated Oct 10, 2014. However, the demos in his tutorials and Youtube videos display v1.0 R.7, dated Oct 11, 2014.
This software has a very good screen layout design and a good operating experience. Since v1.0 R.6 crashes when a handshake is captured and does not work properly on Kali Linux 2017.2, I modified the Python script within two days to make it work again. IEEE 802.11ac is also supported in my modification.
It is well tested on Kali Linux 2017.2. Other penetration testing Linux distributions may work too.
My modification is also an open source project and is released under GPLv3.
Reference
[1] This project is forked from https://github.com/SYWorks/waidps
[2] Official tutorial - Part 1
[3] Official tutorial - Part 2
[4] Official tutorial - Part 3
[5] Official Youtube Playlist
[6] RealTek 8812AU Driver Installation
[7] TP-Link Archer T4UHP (Realtek 8812AU chipset)
That's all! See you.
Friday, October 20, 2017
HOWTO : Install RealTek 8812AU Driver with Packet Injection And Monitor Mode Support
The TP-Link Archer T4UHP v1 is also supported by this driver, with monitor mode and packet injection. It is an IEEE 802.11ac USB dongle.
Although Kali Linux has its own 8812au driver, I find AirCrack-ng's driver the best.
Step 1 :
On Ubuntu Desktop 16.04.3 :
sudo apt update
sudo apt install build-essential dkms git
On Kali Linux 2017.2 :
apt update
apt install dkms
Step 2 :
git clone https://github.com/aircrack-ng/rtl8812au
cd rtl8812au
Step 3 :
On Ubuntu Desktop 16.04.3 :
nano dkms.conf
Change all "/updates" to "/kernel/drivers/net/wireless" when using Ubuntu.
sudo bash ./dkms-install.sh
On Kali Linux 2017.2 :
bash ./dkms-install.sh
Step 4 :
To remove the dkms driver :
cd rtl8812au
Ubuntu Desktop 16.04.3 :
sudo bash ./dkms-remove.sh
Kali Linux 2017.2 :
bash ./dkms-remove.sh
Step 5 :
To control it, I suggest using the iw wireless tool.
Beware that the driver does not work properly with the following commands :
(1) airmon-ng start wlan0
(2) iw dev wlan0 interface add wlmon0 type monitor
Make sure to run "airmon-ng check kill" beforehand.
Reference
AirCrack-ng RTL8812AU driver
HOWTO : Install Forked AirCrack-NG on Kali Linux 2017.3
That's all! See you.
Wednesday, October 11, 2017
HOWTO : Install GCC 7.x on Ubuntu 16.04.3 LTS
Some features, such as AVX-512, require GCC 7.x to compile.
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt update
sudo apt install gcc-7
Set gcc-7 as the default compiler for the compilation.
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-7 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-7 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-7
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 60 --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-5 --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-5 --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-5
Now gcc-7 is the default compiler. To change back to gcc-5, run :
sudo update-alternatives --config gcc
Then select gcc-5.
That's all! See you.
Thursday, October 05, 2017
Vulnerability scanner can be trusted?
Many companies use vulnerability scanners to scan their systems, websites and products regularly to make sure they are secure. However, the former CEO of the breached Equifax stated that the system had been scanned a week after the Apache Struts vulnerability had been announced, and the scanner failed to detect the presence of the unpatched Apache Struts installations.
See the eighth paragraph of the article for the statement mentioned above.
Maybe the vulnerability scanner's signatures were not up to date, which caused this failure. So keep your vulnerability scanner up to date too!
That's all! See you.
Tuesday, September 12, 2017
Cloudflare-Recon Version 0.2 Demo
Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website protected by CloudFlare. This tool is a Swiss Army Knife that can be defensive and/or offensive.
CloudFlare is a cloud based service that provides Distributed Denial of Service (DDoS) and DoS protection as well as a Web Application Firewall (WAF) for websites. The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is also well known for aiding and abetting criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS.
This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website protected by Cloudflare.
Cloudflare-Recon is modified by Samiux.
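The misconfiguration described above is visible in your own zone data before anyone else looks for it: any A/AAAA record that points outside the proxy provider's address ranges exposes an origin. The following Python is an added example for sysadmins auditing their own zone, not code from Cloudflare-Recon or from the original post; the zone export and the proxy range (TEST-NET-3) are constructed placeholders, and in practice the range list must be replaced with the provider's published ranges.

```python
import ipaddress

# CONSTRUCTED placeholder for the proxy provider's published address ranges;
# replace with the real list before use
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# CONSTRUCTED BIND-style zone export: 203.0.113.15 stands in for a proxied
# address, 198.51.100.10 for an origin server that should never be published
ZONE_EXPORT = """\
; constructed sample zone
example.test.        300 IN A     203.0.113.15
www.example.test.    300 IN A     203.0.113.15
mail.example.test.   300 IN A     198.51.100.10
dev.example.test.    300 IN A     198.51.100.10
example.test.        300 IN MX 10 mail.example.test.
ftp.example.test.    300 IN CNAME www.example.test.
"""


def parse_zone(text):
    """Yield (owner, type, rdata_fields) for each 'name ttl class type rdata' line;
    comments after ';' and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("unexpected record layout: " + line)
        owner, _ttl, _cls, rtype = fields[:4]
        records.append((owner.rstrip("."), rtype.upper(), fields[4:]))
    return records


def is_proxied(address):
    """True when the address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in PROXY_RANGES)


def find_exposed_records(text):
    """Return (owner, type, address) for every A/AAAA record that publishes a
    non-proxied address; these are the records that reveal the origin."""
    exposed = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype in ("A", "AAAA") and not is_proxied(rdata[0]):
            exposed.append((owner, rtype, rdata[0]))
    return exposed


def exposed_mx_targets(text):
    """Owners of MX targets whose own A/AAAA record is exposed: mail hosts are
    the classic way an origin address leaks even when the web records are fine."""
    records = parse_zone(text)
    exposed_hosts = {owner for owner, _t, _a in find_exposed_records(text)}
    return sorted({rdata[-1].rstrip(".") for _o, rtype, rdata in records
                   if rtype == "MX" and rdata[-1].rstrip(".") in exposed_hosts})


if __name__ == "__main__":
    for rec in find_exposed_records(ZONE_EXPORT):
        print("exposed origin:", rec)
    print("exposed mail hosts:", exposed_mx_targets(ZONE_EXPORT))
```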
Changelog :
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Forked from Cloudflare-enum
[+] Enhancement
Version: 0.2 - Sept 12, 2017 GMT+8
[+] Improved readable formatted output
[+] Error handling
That's all! See you.
Sunday, September 10, 2017
Cloudflare-Recon version 0.1 Demo
Cloudflare-Recon is forked from Cloudflare-enum, which is written in Python. It obtains the DNS zone records of a website protected by CloudFlare. This tool is a Swiss Army Knife that can be defensive and/or offensive.
CloudFlare is a cloud based service that provides Distributed Denial of Service (DDoS) and DoS protection as well as a Web Application Firewall (WAF). The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is also well known for aiding and abetting criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS.
This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website protected by Cloudflare.
Cloudflare-Recon was modified by Samiux on Sept 10, 2017.
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Enhancement
That's all! See you.
HatCloud-ng version 0.1 Demo
HatCloud-ng is forked from HatCloud, which is written in Ruby. It obtains the "Real IP Address" of a website protected by CloudFlare. This tool is a Swiss Army Knife that can be defensive and/or offensive.
CloudFlare is a cloud based service that provides Distributed Denial of Service (DDoS) and DoS protection as well as a Web Application Firewall (WAF). The real IP address of a website protected by Cloudflare is hidden on purpose. However, Cloudflare is also well known for aiding and abetting criminals who host their websites behind it for malicious activities.
When the DNS zone records are configured incorrectly, the IP address of the server cannot be hidden and Cloudflare cannot protect you from DDoS/DoS.
This tool is useful for law enforcement, hackers and sysadmins for finding out the real IP of a website protected by Cloudflare.
HatCloud-ng was modified by Samiux on Sept 10, 2017.
Version: 0.1 - Sept 10, 2017 GMT+8
[+] Bug fixes for original HatCloud dated 2017-09-10
[+] Information and error handling enhancement
That's all! See you.
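The Cloudflare-Recon and HatCloud-ng posts both turn on the same point: a zone record that points straight at the origin server defeats the proxy. The check below is written from the defender's side as an added example (it is not code from either tool): it audits a zone's A records against Cloudflare's address ranges and lists the names that expose an origin address. The ranges are a constructed subset for illustration only; the authoritative list is published by Cloudflare (assumed URL: https://www.cloudflare.com/ips/). The zone data is constructed as well, using a TEST-NET address for the origin.

```shell
#!/bin/sh
# Added example (not part of the Cloudflare-Recon or HatCloud-ng posts):
# audit a DNS zone for A records that expose the origin server instead of
# pointing at Cloudflare's proxy.

# Sample Cloudflare ranges: a constructed subset for illustration.
# Assumption: the authoritative list lives at https://www.cloudflare.com/ips/
CF_RANGES="104.16.0.0/13 172.64.0.0/13 173.245.48.0/20 103.21.244.0/22"

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside CIDR block $2.
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Return 0 when the address belongs to one of the Cloudflare ranges above.
is_cloudflare_ip() {
    for r in $CF_RANGES; do
        if in_cidr "$1" "$r"; then return 0; fi
    done
    return 1
}

# Read "name type value" records on stdin and print every A record whose
# address is not a Cloudflare address, i.e. every name that leaks the origin.
audit_zone() {
    while read -r name type value; do
        [ "$type" = "A" ] || continue
        if ! is_cloudflare_ip "$value"; then
            echo "$name $value"
        fi
    done
}

# Number of leaking records on stdin.
leak_count() {
    echo $(( $(audit_zone | wc -l) ))
}

# Constructed sample zone: two proxied names, two names that leak the origin,
# and one non-A record that the audit ignores.
SAMPLE_ZONE='www.example.com A 104.16.1.1
example.com A 172.64.5.5
mail.example.com A 203.0.113.10
ftp.example.com A 203.0.113.10
example.com MX 10 mail.example.com'

# Usage: printf '%s\n' "$SAMPLE_ZONE" | audit_zone
```

Run the audit against an export of your own zone; every name it prints is one that a tool like the two above can read the origin address from, so the fix is to proxy that record through Cloudflare or to move the service it points at to an address that is not the origin.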
Labels:
HatCloud-ng,
Ubuntu
Saturday, September 09, 2017
HOWTO : Install Metasploit Framework on Ubuntu 16.04.3 LTS
Metasploit Framework is an exploitation framework.
Step 1 :
sudo apt install curl
cd ~
mkdir infosec
cd ~/infosec
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
msfconsole
Answer "yes" when you see this prompt message :
Would you like to use and setup a new database (recommended)? yes
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
That's all! See you.
Labels:
Metasploit,
Ubuntu
HOWTO : Install John on Ubuntu 16.04.3 LTS
John is a password cracker.
Step 1 :
sudo apt install git build-essential libssl-dev
Step 2 :
cd ~
mkdir infosec
cd infosec
git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRipper/src
./configure
make clean
make
cd ../run
./john --help
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/JohnTheRipper
git pull origin master
cd src
./configure
make clean
make
That's all! See you.
HOWTO : Install THC-Hydra on Ubuntu 16.04.3 LTS
THC-Hydra is a password brute-forcer.
Step 1 :
sudo apt install git build-essential libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird-dev libncurses5-dev
Step 2 :
cd ~
mkdir infosec
cd infosec
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
./hydra -h
./xhydra
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/thc-hydra
git pull origin master
make clean
./configure
make
That's all! See you.
HOWTO : Install Recon-ng on Ubuntu 16.04.3 LTS
Recon-ng is a full-featured Web Reconnaissance framework.
Step 1 :
sudo apt install git python-pip python-dnspython python-mechanize python-slowaes python-xlsxwriter python-jsonrpclib python-lxml
Step 2 :
pip install dicttoxml --upgrade
Step 3 :
cd ~
mkdir infosec
cd ~/infosec
git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
cd recon-ng
./recon-ng
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
pip install dicttoxml --upgrade
cd ~/infosec/recon-ng
git pull origin master
That's all! See you.
Friday, September 08, 2017
HOWTO : Install Weevely3 on Ubuntu 16.04.3 LTS
Weevely3 is a web shell; it is hard for anti-virus to detect, and its traffic is obfuscated inside HTTP requests.
Step 1 :
sudo apt install g++ python-pip libyaml-dev python-dev libncurses5 libncurses5-dev
cd ~
mkdir infosec
cd ~/infosec
git clone https://github.com/epinna/weevely3.git
cd weevely3
pip install -r requirements.txt --upgrade
Step 2 :
cd ~/infosec/weevely3
python weevely3.py -h
Update and Upgrade
sudo apt update
sudo apt dist-upgrade
cd ~/infosec/weevely3
git pull origin master
pip install -r requirements.txt --upgrade
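Every post above (John, THC-Hydra, Recon-ng, Weevely3) repeats the same routine by hand: clone into ~/infosec, build, and later `git pull origin master` and rebuild. The helper below folds that into one idempotent script. It is an added example, not code from the posts or from the projects; `INFOSEC_DIR`, the function names and the `--run` switch are this example's own, while the repository URLs and build commands are the ones the posts use. Metasploit is left to its own installer, as in its post.

```shell
#!/bin/sh
# Added example (not part of the original posts): one idempotent helper for
# the install / "git pull origin master" / rebuild pattern each post repeats.
# Assumptions: INFOSEC_DIR, the function names and --run are this example's;
# the URLs, directory names and build commands come from the posts.

INFOSEC_DIR="${INFOSEC_DIR:-$HOME/infosec}"

# "clone" when the directory is not yet a git checkout, "update" otherwise,
# so the same entry point serves both first install and later refreshes.
repo_action() {
    if [ -d "$1/.git" ]; then
        echo update
    else
        echo clone
    fi
}

# Fetch or refresh one checkout under INFOSEC_DIR.
sync_repo() {   # sync_repo <url> <dirname>
    mkdir -p "$INFOSEC_DIR"
    dir="$INFOSEC_DIR/$2"
    case "$(repo_action "$dir")" in
        clone)  git clone "$1" "$dir" ;;
        update) git -C "$dir" pull origin master ;;
    esac
}

# Build or rebuild one tool with the commands from its post. For hydra the
# "make clean" only runs when a Makefile exists, so a fresh clone builds too.
build_tool() {  # build_tool <dirname>
    dir="$INFOSEC_DIR/$1"
    case "$1" in
        JohnTheRipper) (cd "$dir/src" && ./configure && make clean && make) ;;
        thc-hydra)     (cd "$dir" && if [ -f Makefile ]; then make clean; fi && ./configure && make) ;;
        recon-ng)      pip install dicttoxml --upgrade ;;
        weevely3)      (cd "$dir" && pip install -r requirements.txt --upgrade) ;;
        *)             echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# Sync and build every git-based tool from the posts.
sync_all() {
    sync_repo https://github.com/magnumripper/JohnTheRipper.git JohnTheRipper && build_tool JohnTheRipper
    sync_repo https://github.com/vanhauser-thc/thc-hydra.git thc-hydra && build_tool thc-hydra
    sync_repo https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git recon-ng && build_tool recon-ng
    sync_repo https://github.com/epinna/weevely3.git weevely3 && build_tool weevely3
}

# Only act when invoked as "sh thisfile.sh --run", so sourcing it is side-effect free.
if [ "${1:-}" = "--run" ]; then
    sudo apt update && sudo apt dist-upgrade -y
    sync_all
fi
```

Because `repo_action` decides between clone and pull by looking for `.git`, running the script a second time performs exactly the "Update and Upgrade" steps of each post, and a half-finished first run can simply be repeated.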
Reference
Documentation
That's all! See you.