Showing posts with label Backtrack. Show all posts

Sunday, December 21, 2014

How to Use Truecrypt | Truecrypt Tutorial [Screenshots] | Kali Linux, BackTrack, BackBox, Windows

Written by Pranshu Bajpai | LinkedIn

Data protection is crucial. The importance of privacy, especially where sensitive documents are concerned, cannot be overstated, and if you're here, you have already taken the first step towards securing it.

Truecrypt is one of the best encryption tools out there. It’s free and available for Windows and Linux. It comes pre-installed in Kali Linux and Backtrack. I first came across the tool when I was reading ‘Kingpin’ (The infamous hacker Max Butler was using it to encrypt data that could be used as evidence against him).

Here is how you can set up Truecrypt for use in Kali Linux (similar procedures will work in other Linux distros and Windows).

Go to Applications -> Accessories -> Truecrypt

The Truecrypt main window opens. Since this is the first time we are using Truecrypt, we need to set up a volume for our use.

Click ‘Create Volume’ and the Truecrypt volume creation wizard opens up:


Click on ‘create an encrypted file container’

This container will hold your encrypted files. The files can be of any type; as long as they lie in this container, they are encrypted once the volume is 'dismounted'.

The next screen asks whether you want to create a Standard or a Hidden volume. With a hidden volume, nobody can tell that it exists, so nobody can 'force' you to hand over its password.

For now we will just create a ‘Standard’ volume.



On the next screen you will be asked for the 'location' of this volume. This can be any drive on your computer; it is where your container file will lie. The container is visible at this location, but it has no 'extension' and carries the name you give it during this setup.

Choose any ‘location’ on your computer for the container and carry on to the next step.

A password is now required for this volume. This is the ‘password’ which will be used to decrypt the volume while ‘mounting’ it. Needless to say, it should be strong as a weak password defeats the whole purpose of security/encryption.


Next, click 'Format' and volume creation will begin. You will see a progress bar; how long it takes depends on the size of your volume.



Once 'Formatting' is complete, your volume is ready to use. You can place files in it (drag and drop works). When done, 'Dismount' the volume and exit Truecrypt.

When you want to access the encrypted files in the container, start Truecrypt and click any free 'Slot' in the main window.

Now go to 'Mount' and point it at the location of the container you chose while setting up the volume.

It will then prompt you for the password.


If you provide the correct password, the volume is mounted on the 'Slot' you selected. Double-clicking that 'Slot' opens a new file explorer window where you can see your decrypted files and work with them, and you can add more files to the container if you want.

After you’re done, ‘Dismount’ the volume and exit Truecrypt.

Wednesday, December 11, 2013

Hacking Neighbour's Wifi (Password) | Hacking Neighbor's Wireless (Internet) | Step by Step How To

Written by Pranshu Bajpai | LinkedIn

Disclaimer: For educational purposes only: this is meant merely to exhibit the dangers of using poor wireless security. Please note that prior to beginning the test you should seek explicit consent from the owner if the access point does not belong to you.

Hacking into a Neighbor's Wifi access point

OS: Kali Linux
Test Subject: Neighbor's WiFi Access Point
Encryption: WEP

I noticed 4 wireless Access Points in the vicinity. 3 of these were using WPA / WPA2 and I was in no mood for a dictionary attack on WPA handshake, since it takes a long time and success isn't guaranteed. I found one access point using WEP Security and as you know it is an outdated protocol with poor security.

I tested penetrating this WEP access point using the same Aircrack-ng Suite of tools as I have mentioned in this previous post.

Step 1: Discovered the WEP AP with SSID 'dlink' (notice the weak signal power from the neighbor's house to mine)




Step 2: Collected the required number of data packets from the WEP network. Meanwhile, I used 'aireplay-ng --arpreplay' to increase the data rate, since I am not a patient soul.



Step 3: Saved the data packets in a file called 'neighbor-01.cap' and cracked the password using 'Aircrack-ng'


The Key for the Neighbor's Wifi turned out to be: "1234567890"   -    (An easily guessable Password, just what I expected from someone using WEP Security in 2014)

Step 4: I connected to the wifi using the decrypted key, it allocated an IP to me using DHCP (192.168.0.102)



Note: If you want a better step by step on how to hack a WiFi, check out my previous post here.

Step 5: I was connected to the Internet.

Step 6: Since I was part of their network now, curiosity got the better of me and I decided to scan the network and see who else was connected. I found 3 devices on the network:

One was my Laptop
Another one was my cellphone (I connected my cellphone to the network earlier)
And third was the Dlink router itself (192.168.0.1)
None of the neighbor's own devices were connected to the network at the time.

nmap told me that the dlink router had an open port 80, which reminded me to check out the control panel of this dlink device.

Step 7: So I fired up my browser and went to '192.168.0.1:80' which opened the login panel for dlink access point control panel



Step 8: A quick Google search revealed that the default login for dlink devices is:
username: 'admin' and password: blank
Step 9: I tried logging in with the defaults and got access to the control panel.




(Again BAD security practice: leaving defaults unchanged!)




Step 10: I was getting weak power from the AP and decided to upgrade their firmware and see if it made a difference.

The Current firmware of the neighbor's wifi was '5.10'

I checked for latest Firmware available. It was '5.13'



I downloaded the upgrade on my machine ("DIR********.bin")

Step 11: I made a backup of the configuration of the Access point before upgrading. I saved backup 'config.bin' to my laptop from the neighbor's wifi

Step 12: I went ahead and upgraded the Firmware. I uploaded the DIR****.bin from my laptop to the access point and it went for a reboot.



I lost access to the WiFi after the upgrade.

I figured the newly upgraded firmware had changed the WiFi password, and I couldn't connect to it anymore. Moreover, since I had lost access to the Internet along with the WiFi, I couldn't Google the default password for the upgraded firmware anymore.

And I couldn't crack it either, because this time no one--not even the neighbor himself--would be able to authenticate to the WiFi with the new unknown password after the firmware upgrade, hence no data packets would be generated and I would have nothing to crack.

Step 13: I fired up 'Airodump-ng' again and noticed that the firmware upgrade had simply changed the access point security to "open", i.e., no password is required to connect to it.

Step 14: I connected to the "open" WiFi and restored the configuration settings using the 'config.bin' backup I made earlier.

I manually selected WPA2 security and provided the same password as used earlier by my neighbor ("1234567890")

Disclaimer: Please note that I had explicit consent from the owner before commencing this test. If you do not have such permission, please try it on your own access point. Failing to do so will result in illicit activities.


Thursday, October 17, 2013

Driftnet Tutorial | How to Sniff Images with Driftnet + Arpspoof / Ettercap | Kali Linux / Backtrack

Written by Pranshu Bajpai | LinkedIn

If you're on a shared LAN and you are curious to know what kind of images people are searching for over the web on your Local LAN, you can use Driftnet.

For a penetration tester, there's no direct point in doing this, but since I tested it, I thought I might as well make a post about it. For a network administrator enforcing a policy on what kind of images may be viewed on the local network, this might come in handy to see what images people are viewing at any time.

How to Sniff Images using Driftnet | ARP Spoofing with Arpspoof or Ettercap in Kali Linux

If you are learning, it is better to use Arpspoof for the spoofing: it's a manual command-line tool, and setting up the man-in-the-middle attack this way will aid your learning.

1. Enable IP forwarding:
#echo 1 > /proc/sys/net/ipv4/ip_forward
2. Use Arpspoof on the desired interface [eth0] to spoof the local switch's MAC to your own for a particular victim IP in the network [see figure below]



Victim machines now think you are the switch, hence all packets destined for the switch arrive on your machine.

3. Use Arpspoof to spoof the victim's MAC to your own for the switch on the network.



Traffic from the switch destined for the victim's IP now arrives on your machine.

You are now acting as the "man in the middle"

4. Fire up driftnet. If you've done it all right, you should see the images




Looks like someone's hunting for a new dress.
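As an added example that is not part of this post, here is the defender's side of the ARP poisoning set up above: it parses two `arp -n` snapshots (constructed sample data) and flags an IP whose MAC changed, a gateway binding that differs from a pinned known-good one, and one MAC answering for several IPs. The gateway address and the trusted binding are assumptions for the example.

```python
"""Defender's-side check for the ARP poisoning set up above: compare two
snapshots of the ARP table and flag the signs of a man in the middle."""
import re
from collections import defaultdict

# Constructed `arp -n` snapshots. Gateway is 192.168.1.1 (assumption); in the
# second snapshot the gateway and a peer both resolve to 192.168.1.30's NIC.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:aa:bb:01   C                     eth0
192.168.1.20             ether   00:11:22:aa:bb:20   C                     eth0
192.168.1.30             ether   00:11:22:aa:bb:30   C                     eth0
192.168.1.40                     (incomplete)                              eth0
"""
SNAPSHOT_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:aa:bb:30   C                     eth0
192.168.1.20             ether   00:11:22:aa:bb:30   C                     eth0
192.168.1.30             ether   00:11:22:aa:bb:30   C                     eth0
"""
TRUSTED = {"192.168.1.1": "00:11:22:aa:bb:01"}  # known-good gateway binding (assumption)

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\s", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_arp_spoof(before, after, trusted=None):
    """Compare two {ip: mac} tables and return a list of (kind, detail) alerts.

    'changed'   an IP's MAC differs from the earlier snapshot
    'untrusted' an IP's MAC differs from a pinned known-good binding
    'shared'    one MAC now answers for several IPs, the classic MITM sign
    """
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            alerts.append(("changed", f"{ip}: {old} -> {mac}"))
        if trusted and ip in trusted and trusted[ip] != mac:
            alerts.append(("untrusted", f"{ip}: expected {trusted[ip]}, saw {mac}"))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("shared", f"{mac} claims {', '.join(sorted(ips))}"))
    return alerts


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for kind, detail in detect_arp_spoof(before, after, TRUSTED):
        print(f"[{kind}] {detail}")
```

Static ARP entries for the gateway, or dynamic ARP inspection on the switch, are what stop the 'changed' and 'shared' conditions from arising in the first place.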

Using Ettercap to perform the ARP Spoof


This is a GUI tool, and ARP spoofing with Ettercap is simply a matter of pointing and clicking a few times. There are several tutorials on it on the web, so I am not covering that here. The concept is the same man-in-the-middle attack.


Wednesday, October 9, 2013

Web Applications Authentication Brute Force | Practical Demo [Screenshots] | Brute Force Website Login | How To

Written by Pranshu Bajpai | Google+ | LinkedIn

This post is meant to elucidate web application brute forcing by providing a practical demo.

Read up on Authentication Brute Force here.

OWASP testing guide is your friend in Web Application Hacking.

How To Brute Force Website Login | Web Application Hacking Example | Authentication Brute Force


We have a 'Test' website running on 172.19.17.120. I have created a Test account on it with username 'pranshu' and password 'p'. (As we are playing the part of a penetration tester, during the test we will assume we do not know the password)

It has a login form requiring a 'username' and 'password'. HTTP POST Request Parameters are used.

Set up Burpsuite Proxy to intercept traffic between your browser and the server page you will be trying to brute force [Read up on Burpsuite]



Then send the intercepted login request to Burp Suite's 'Intruder' to be attacked.

The attack we will use is 'Cluster Bomb'

The highlighted parameters in the image above are the ones which will be bruteforced.

If you already know the 'username', "un-highlight" it, meaning only the password is brute forced. Since I already know the username is 'pranshu', I will set the username to 'pranshu' and brute force the password only.



Payload type is a 'simple list' of characters 'a,b,c,d....z'  [which we will use as possible passwords]

Execute the attack. It will set the username to 'pranshu' and go through the 'simple list', trying every letter as the password. All attempts will receive HTTP code 200 (OK)...






Except one where the payload was set to 'p'. It received HTTP code 302 (Redirect)

If you know HTTP codes you know that 302 (Redirect) means that the webpage is trying to send us to another page. As a penetration tester, I would guess that the re-direction is occurring because of successful login (redirect to 'Home' page or something)

To verify this, I 'render' the 'response' in Burp Suite and sure enough I see I am logged in as user 'pranshu'.

In this case, I have used BurpSuite but you can use 'Brutus' or 'Hydra' for such online brute force password cracking.
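An added example (not from the post) of the same 200-versus-302 pattern seen from the server side: it parses constructed combined-format access log lines and reports source IPs with many login POSTs that re-rendered the form, and whether a redirect followed. The login path and the status-code mapping are assumptions; both are specific to the application under test.

```python
"""Server-side view of the Intruder run above: spot one source firing many
login POSTs that re-render the form (200) and then get the redirect (302)."""
import re
from collections import defaultdict

# Constructed combined-format access log lines (Apache/nginx style, assumed).
ACCESS_LOG = """\
172.19.17.5 - - [09/Oct/2013:14:02:01 +0530] "POST /login HTTP/1.1" 200 1543
172.19.17.5 - - [09/Oct/2013:14:02:01 +0530] "POST /login HTTP/1.1" 200 1543
172.19.17.5 - - [09/Oct/2013:14:02:02 +0530] "POST /login HTTP/1.1" 200 1543
172.19.17.9 - - [09/Oct/2013:14:02:02 +0530] "GET /index HTTP/1.1" 200 2210
172.19.17.5 - - [09/Oct/2013:14:02:02 +0530] "POST /login HTTP/1.1" 200 1543
172.19.17.5 - - [09/Oct/2013:14:02:03 +0530] "POST /login HTTP/1.1" 200 1543
172.19.17.5 - - [09/Oct/2013:14:02:03 +0530] "POST /login HTTP/1.1" 302 0
172.19.17.9 - - [09/Oct/2013:14:02:05 +0530] "POST /login HTTP/1.1" 302 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')


def parse_access_log(text):
    """Return [{ip, method, path, status}] for each well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append({"ip": m.group(1), "method": m.group(2),
                         "path": m.group(3), "status": int(m.group(4))})
    return rows


def detect_login_bruteforce(rows, login_path="/login", failure_status=200,
                            success_status=302, threshold=5):
    """Per source IP, count login POSTs that re-rendered the form.

    Which status means 'failed' and which means 'logged in' is specific to the
    application (here the 200/302 split observed in the post), so both are
    parameters. Returns {ip: {"failures": n, "success_after_failures": bool}}
    for sources at or above `threshold`; a success after that many failures
    is the case an incident responder should look at first.
    """
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for r in rows:
        if r["method"] != "POST" or r["path"] != login_path:
            continue
        s = stats[r["ip"]]
        if r["status"] == failure_status:
            s["failures"] += 1
        elif r["status"] == success_status and s["failures"] >= threshold:
            s["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_login_bruteforce(parse_access_log(ACCESS_LOG)).items():
        verdict = "and then got the redirect" if s["success_after_failures"] else "no success seen"
        print(f"{ip}: {s['failures']} failed login POSTs, {verdict}")
```

The matching mitigations live on the server too: rate limiting per source and per account, and a lockout or CAPTCHA after a few failures, which is what makes a 'simple list' run like the one above stall.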

Sunday, October 6, 2013

VPN Configuration / VPN Client in Kali Linux / Debian / Ubuntu / Backtrack | How to | Anonymous Internet | VPN Secure Connection

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

As a penetration tester, I have a variety of concerns while using the Internet:

1. Security: While I work as a penetration tester for remote clients, I like to make sure my "tunnel" to the internet is free from eavesdroppers and is reasonably secure. VPN tunneling takes care of that.

2. Anonymity: All of us need privacy and anonymity for one reason or another. VPN providers support that by 'not storing' usage logs on their servers.

3. Over-blocking and "Internet-usage Policies": ISPs and local network administrators can get overzealous about restricting user activity on their networks (this is especially so for college and office networks). The network that I use takes pride in blocking categories like "file transfer" and "hacking". On several occasions, I have a legitimate need for visiting a hack forum or a "file transfer" service since most email providers don't allow 'attachments' to go over 25 - 30 MB.

(By the way, you can also use TOR for anonymity and unblocking websites. I have written about how to use TOR in Kali Linux here)

How to set up / configure VPN in Linux:

Step 1. Subscribe to a VPN Service. I have subscribed to AirVPN (around $9 a month)

Step 2. Login to the VPN service provider's website (AirVPN in my case) and locate 'Generate Configuration file'




Step 3. Download the .ovpn file

Additionally, a .proxyauth file will be provided if your local network proxy requires authentication (see HTTP code 407)

Step 4. In Terminal type:

             #apt-get install openvpn
             #openvpn --version
             #openvpn --config <file_you_downloaded.ovpn>


This should bring up the VPN tunnel.

            #ifconfig



Notice the presence of a new interface 'tun0', along with its IP address (a private IP address provided by the VPN network).

Now remove any local proxy setting you might be using in your browsers or system and connect to the Internet through the VPN tunnel.



How to Install New Cool / Hacker Fonts in Kali Linux / BackTrack / Debian

Written by: Pranshu | Find Pranshu on Google+ And LinkedIn

Are you looking to install new cool "HaX0r" fonts on your Linux distro?

My Advice: Don't

Reason: Most of the "hacker" fonts out there are illegible and not suitable for the long hours that you might be spending typing on Terminals as a penetration tester.

Here's how to install a new font in Linux:


Step 1: Download a .ttf font from the Internet. Google it, you will find many. As I have stressed before, avoid "cool hacker" fonts. Look for something comfortable to read.

Step 2.

        #gnome-font-viewer <font_location_on_drive>


(Notice the illegibility of the font)

Step 3. Install font




That's it. The new font will now show up in your 'Set Font' option in Terminal 'Preferences' or wherever you need to use it.

Given below are a couple of images of fonts that were too "Kewl" or "Elite" for me to use. I uninstalled them immediately.






Sunday, September 8, 2013

DHCP DOS Attack with Yersinia in Kali Linux / BackTrack | How To

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

So there I was one fine evening, connecting to the internet, sending DHCP request packets to the local DHCP server for address allocation, when I noticed I wasn't getting any IP allocated to me. Some problem with the DHCP.


I 'pinged' the DHCP server thinking that it might be down for some reason. But it did send me a reply, so it was up. Then why wasn't it allocating an address to my computer?

Someone over the LAN had recently discovered Yersinia and proceeded to carry out a denial of service attack on our local DHCP. Not cool.

I decided to write up on Yersinia, since its GUI makes a DoS attack on DHCP quite simple and easy.

If you're using Kali Linux, type:

            #yersinia -G

This will bring up the GUI which looks like this:




A super-quick rundown of DHCP; this is what happens on the network:


  1. No IP yet: you power up your machine and it has no IP address.
  2. DHCP DISCOVER ("Where can I get an IP?"): if the configuration isn't static, your machine looks for active DHCP servers in the vicinity to get configuration info.
  3. DHCP OFFER ("I can give you an IP"): the DISCOVER reaches the local DHCP server and it sends a DHCP OFFER to your machine.
  4. DHCP REQUEST ("Great! Tell me my IP"): your machine responds by requesting that configuration.
  5. IP allocation: the DHCP server selects an IP address from its 'pool' of free IPs and allocates it to your machine's MAC address.

So the concept is to send many DHCP DISCOVER packets to the local DHCP server, using a different spoofed MAC address each time. The DHCP server's pool of free IPs is quickly exhausted, and a genuine DHCP request goes unsatisfied.

So here's how we send many DHCP discover packets through Yersinia:



In my case, I noticed within seconds that '163903' packets had been sent. This is a DoS attack on the DHCP server.




Finally, you can stop the attack by 'list all attacks' and then cancelling the active attack.



You can find a 'yersinia.log' file created in your 'home' directory after the attack.

Security against this DHCP DoS attack by Yersinia:

Use port security at the switch: on a given switch port only a limited number of MAC addresses is allowed, so MAC spoofing stops working after a few addresses.
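An added example, not from the original post, of what this looks like from the DHCP server's side: it parses constructed ISC dhcpd-style syslog lines, counts distinct client MACs per 5-second window to spot the flood of spoofed DISCOVERs described above, and models the per-port MAC limit that port security enforces. The log format, window size and limits are assumptions.

```python
"""Server-side view of the DHCP starvation described above: count distinct
client MACs in DHCPDISCOVER messages per time window, and model the per-port
MAC limit that switch port security enforces."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of ISC dhcpd-style syslog lines (format assumed here):
# two ordinary clients, then a burst of DISCOVERs, each from a fresh spoofed MAC.
LOG = """\
Sep  8 20:01:02 gw dhcpd: DHCPDISCOVER from 08:00:27:11:11:11 via eth0
Sep  8 20:01:02 gw dhcpd: DHCPOFFER on 192.168.0.102 to 08:00:27:11:11:11 via eth0
Sep  8 20:01:03 gw dhcpd: DHCPDISCOVER from 08:00:27:22:22:22 via eth0
Sep  8 20:01:05 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:01 via eth0
Sep  8 20:01:05 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:02 via eth0
Sep  8 20:01:05 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:03 via eth0
Sep  8 20:01:06 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:04 via eth0
Sep  8 20:01:06 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:05 via eth0
Sep  8 20:01:06 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:06 via eth0
Sep  8 20:01:07 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:07 via eth0
Sep  8 20:01:07 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:08 via eth0
Sep  8 20:01:08 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:09 via eth0
Sep  8 20:01:08 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:0a via eth0
Sep  8 20:01:09 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:0b via eth0
Sep  8 20:01:09 gw dhcpd: DHCPDISCOVER from 2a:f1:09:0c:33:0c via eth0
"""

DISCOVER = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from ([0-9a-f:]{17})", re.I)


def parse_discovers(log, year=2013):
    """Return [(timestamp, mac)] for every DHCPDISCOVER line (syslog lacks the year)."""
    events = []
    for line in log.splitlines():
        m = DISCOVER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2).lower()))
    return events


def starvation_windows(events, window_s=5, max_new_macs=4):
    """Return [(window_start, distinct_mac_count)] for windows over the limit.

    A normal segment shows a handful of client MACs per window; a starvation
    flood presents a new spoofed MAC on almost every DISCOVER.
    window_s must divide 60 so that windows align within the minute.
    """
    buckets = defaultdict(set)
    for ts, mac in events:
        start = ts.replace(second=ts.second - ts.second % window_s)
        buckets[start].add(mac)
    return [(start, len(macs)) for start, macs in sorted(buckets.items())
            if len(macs) > max_new_macs]


def port_security_filter(events, max_macs_per_port=2):
    """Model switch port security on one access port (assumed: all sample
    traffic enters there): only the first N MACs are learned; DISCOVERs from
    any later MAC are dropped, so the flood never reaches the address pool."""
    learned, allowed, dropped = [], [], []
    for _, mac in events:
        if mac not in learned and len(learned) < max_macs_per_port:
            learned.append(mac)
        (allowed if mac in learned else dropped).append(mac)
    return allowed, dropped


if __name__ == "__main__":
    events = parse_discovers(LOG)
    for start, n in starvation_windows(events):
        print(f"{start:%H:%M:%S}: {n} distinct client MACs in one window -> possible DHCP starvation")
    allowed, dropped = port_security_filter(events)
    print(f"port security would pass {len(allowed)} and drop {len(dropped)} DISCOVERs")
```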

Wednesday, June 5, 2013

How to Add New Exploit to Metasploit / Kali Linux / BackTrack [Screenshots included]

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

Sooner or later, penetration testers may find the modules shipped with the Metasploit framework lacking. In that case, they will want to add a new exploit to Metasploit.

Let's say you dig up a new vulnerability on cvedetails.com and notice that there is a public exploit available for it on 'exploit-db' or '1337day'.

Go to exploit-db or 1337day and download the public exploit. It will be a .rb (Ruby) script (or maybe a Python script).

Once you have the .rb exploit code, you need to add this to a hidden folder '.msf4' in your home folder (/root)

Note that the period, '.', before a file or folder name in Linux indicates that it is hidden.

Metasploit provides you a way to add new exploits. All you need to do is to add the .rb or .py file to this hidden .msf4 folder in your home folder and reload 'msfconsole'.

Here's a screenshot of 'msfconsole' before adding a new exploit:



Notice that total exploits equal 1090.
Here's a screenshot of the commands to copy the new exploit to .msf4 folder:

   

Now reload 'msfconsole'.

And here's a screenshot after the new exploit has been added:


Notice that the total number of exploits now equals 1091. We have successfully added a new exploit to Metasploit.

Torrents in Kali Linux - Best Torrent Client to Use in Kali Linux / BackTrack [Screenshot Included]

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

I tried the following client for downloading torrents in Kali Linux and it worked really well. Nice light-weight application with no bells and whistles. It's called Transmission.

            #apt-get install transmission

Here's a screenshot:



Do not use TOR (The Onion Router) to download torrents (if torrents are blocked on your network). TOR is for anonymous web surfing only; its relays cannot handle the massive traffic generated by peer-to-peer networks.

Disclaimer: I do not endorse downloading copyrighted files for free using peer to peer networks. This post was made only to demonstrate a peer to peer client for Linux.


Tuesday, June 4, 2013

How To Spoof DNS In Kali Linux / Facebook Phishing Page Using Social Engineering Toolkit In Kali Linux / BackTrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

I was recently asked to demonstrate quickly how DNS can be spoofed using Kali Linux, and how the traffic can be forwarded to a fake phishing page. I decided to demonstrate by phishing the Facebook page and spoofing the DNS to point facebook.com to my machine's IP address where I am hosting a fake page using social engineering toolkit.

Here's the procedure:

Host a phishing page using se-toolkit: Website Attack Vectors -> Credential Harvester -> Clone website / Use Web Template


 

As you can see I used a template of Facebook and SET hosted this on my IP: 192.168.0.10 at port 80.

Now I need to make sure traffic meant for facebook.com is redirected to my IP, for that I can use a DNS Spoof plugin available in ettercap

Change the contents of the file etter.dns, so the facebook.com points to your own IP.





Then load up "ettercap -G" and go to Plugins -> Manage the Plugins -> double click the DNS Spoof plugin. Make sure you see the '*' next to it




Next, ARP poison all the hosts in the network, so that all the traffic passes through your machine. Start sniffing (read up on ARP poisoning if this is unclear).

Wait for some time. When someone tries to access facebook.com, your ettercap window will tell you 'blah_blah.facebook.com' spoofed to '<your ip>'.

At the same time in your SET window you'll see 'we got a hit!!' along with some other info. If the victim is gullible enough to enter his/her credentials on your phishing page, you'll see those details in the SET window.

But you have to play the waiting game and hold on until someone tries to access the phished website.


Disclaimer: This Post was only to demonstrate a concept; no Facebook hacking is endorsed or intended. This will only work on internal networks, that is, machines susceptible to your ARP poisoning attacks.

Thursday, May 16, 2013

How To Hack Wifi and Crack its Password | Hacking Wifi | WEP + WPA

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

I recently traveled to Delhi in order to collaborate with an information security firm there.

The place that I rented for my short stay demanded an extra amount if I wanted to access the Internet. That didn't go down with me too well. They were using WEP, WPA and WPA2 security in the different WiFi HotSpots that they were running.

WEP Cracking

No doubt, WEP is the easiest to crack.

Here's how to crack WEP:
#airmon-ng start wlan0

Notice that the monitor mode is enabled on mon1; take note of this. We will need this interface later on.

Start dumping data packets with airodump:

#airodump-ng mon1



You'll see all the WiFi hotspots available in your area. Here we see different security types: WEP, WPA and WPA2. As WEP is the easiest to crack, choose one with WEP security.

Also, it is important to note other information here as that will determine how easily you get into the WiFi:
  • The BSSID is the MAC address of the Wifi hotspot.
  • Pwr tells you about the signal strength.
  • Beacon signals are sent by the hotspot to indicate its presence.
  • Data is the actual packets that we are interested in. The more data packets we have, the more certain we are to crack the hotspot.
  • CH tells you the channel being used by the hotspot.
Here I am testing something called 'BIPL'.

So I use airodump to focus on dumping packets from this particular BSSID and store them in a file:
#airodump-ng -w wap -c 8 --bssid 14:D6:4D:A6:F6:69 mon1
-w specifies the file to write to, -c specifies the channel and you know what --bssid is for

Now packet capture starts, and we play the waiting game. Wait to collect enough packets before trying to crack the password. Usually, we wait till we grab around 20000 packets.

How long this takes depends on the traffic flow on that BSSID and your distance from the BSSID.

If it is taking too long to grab required number of packets, then you can use something called aireplay:
#aireplay-ng -b 14:D6:4D:A6:F6:69 -h 00:11:22:33:44:55 mon1
-b option is to specify the bssid
-h is to specify your hardware address

aireplay-ng will start generating bogus traffic, so that you can grab enough data packets fast.



Now that we have enough data packets (42445), we can start cracking the password.

#aircrack-ng wap-02.cap
This cap file is where we saved the captured packets:


After a while Aircrack-ng will give you the cracked password:




It turns out the password is someone's cell phone number. I traced its location and it's based in Delhi. It is bad practice to use personal information as a password.

  
WPA Cracking

A detailed article on WPA / WPA2 cracking is here

WPA cracking can be a bit more uncertain and complicated.

One thing to remember while WPA cracking is that you need to grab the WPA handshake. Use airodump to dump packets from the target WPA network (just like in WEP) but wait until you see 'WPA handshake' (or something close to that) in the top right corner.

Then stop the packet capture.

Load up aircrack-ng and provide it the .cap file where the handshake is located (saved by airodump previously).

Also provide a wordlist to aircrack-ng. Remember this is a 'dictionary based' attack:

#aircrack-ng blah_blah.cap -w /root/dic/darkc0de.lst
Aircrack will try passwords from the dictionary file against the .cap file. This might take a long time to crack and success depends on the kind of dictionary file you are using and how strong the password is.




Another tool called 'Reaver' can be used for WPA cracking, if WPS is enabled.

Here's the sample use of reaver:
#reaver -i mon1 -a 94:D7:23:48:BE:78 -vv -c8

  • -i is for interface
  • -a is the BSSID of the hotspot
  • -vv for verbose mode
  • -c to specify the channel

For details on WPA / WPA2 Cracking, Check out this article

Disclaimer: This post is merely to demonstrate the inherent risks involved in using outdated WiFi security. This test was done under simulated conditions and does not endorse public or private WiFi hacking.

Sunday, May 12, 2013

Setting Up VirtualBox / Virtual Lab for Penetration Testing in Kali Linux / Backtrack

Written by: Pranshu Bajpai | Find Pranshu on Google+ And LinkedIn

Configuring a virtual lab on your PC becomes indispensable if you wish to test different attacks under controlled conditions. You don't always have access to shared LANs where there are a lot of vulnerable machines that you're allowed to experiment on. For example: ARP poisoning on a large LAN would bring down the network quickly, and you won't have a good time explaining to the network administrator why you weren't testing in an isolated environment. Hence, for numerous reasons, it is best if you work in virtual environments while testing.

Install VirtualBox on your Kali or Backtrack (or any other Linux):

#apt-get install virtualbox
 OR
 System Tools -> Add / Remove Software

Start VirtualBox after installation:

Applications -> Accessories -> VirtualBox

You need the ISO image of the OS you want to host in VirtualBox. (I had a Windows XP image.)

In VirtualBox Menu:

New -> Allot Name and Type of OS ->  Select RAM Memory Size ->  Create New Hard Disk -> VDI -> Dynamically Allocated -> Summary -> Create

Now in Main Menu of VirtualBox you'll notice the name of the machine you just created.

Start -> Point to the ISO Image of the OS -> Follow OS installation Procedures
After the normal OS install procedure, you will have the virtual OS ready, running on the Linux host machine.




For networking between the host and the virtual machine, I chose the 'internal' network option in VirtualBox and was able to ping each machine from the other.




You can go ahead and try simulated attacks on this Virtual OS, and it gives you more control over the experiment (as you can increase or decrease security on the vulnerable host at will).