Wireless Hacking (Cracking WEP)

Cracking WEP
In this section we will use be using the Live Linux distribution called BackTrack to crack WEP. Backtrack comes with a huge list of preloaded software for this very purpose. Before we begin, there are a couple requirements:
1. You need a computer with a compatible wireless adapter.
2. Download Backtrack and create a Live CD.
The tools we will be using on Backtrack are:
• Kismet – a wireless network detector
• airodump – captures packets from a wireless router
• aireplay – forges ARP requests
• aircrack – decrypts the WEP keys
Let’s begin!
1. First we will find a wireless access point along with its bssid, essid and channel number. To do this we will run kismet by opening up the terminal and typing in kismet. It may ask you for the appropriate adapter which in my case is ath0. You can see your device’s name by typing in the command iwconfig.

2. To be able to do some of the later things, your wireless adapter must be put into monitor mode. Kismet automatically does this and as long as you keep it open, your wireless adapter will stay in monitor mode.

3. In kismet you will see the flags Y/N/0. Each one stands for a different type of encryption. In our case we will be looking for access points with the WEP encryption. Y=WEP N=OPEN 0=OTHER(usually WAP).

4. Once you find an access point, open a text document and paste in the networks broadcast name (essid), its mac address (bssid) and its channel number. To get the above information, use the arrow keys to select an access point and hit <ENTER> to get more information about it.

5. The next step is to start collecting data from the access point with airodump. Open up a new terminal and start airodump by typing in the command:

airodump-ng -c [channel#] -w [filename] --bssid [bssid] [device]

In the above command airodump-ng starts the program, the channel of your access point goes after -c , the file you wish to output the data goes after -w , and the MAC address of the access point goes after --bssid. The command ends with the device name. Make sure to leave out the brackets.

6. Leave the above running and open another terminal. Next we will generate some fake packets to the target access point so that the speed of the data output will increase. Put in the following command:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55:66 -e [essid] [device]

In the above command we are using the airplay-ng program. The -1 tells the program the specific attack we wish to use which in this case is fake authentication with the access point. The 0 cites the delay between attacks, -a is the MAC address of the target access point, -h is your wireless adapters MAC address, -e is the name (essid) of the target access point, and the command ends with the your wireless adapters device name.

7. Now, we will force the target access point to send out a huge amount of packets that we will be able to take advantage of by using them to attempt to crack the WEP key. Once the following command is executed, check your airodump-ng terminal and you should see the ARP packet count to start to increase. The command is:

aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:5:66 [device]

In this command, the -3 tells the program the specific type of attack which in this case is packet injection, -b is the MAC address of the target access point, -h is your wireless adapters MAC address, and the wireless adapter device name goes at the end.

8. Once you have collected around 50k-500k packets, you may begin the attempt to break the WEP key. The command to begin the cracking process is:

aircrack-ng -a 1 -b [bssid] -n 128 [filename].ivs

In this command the -a 1 forces the program into the WEP attack mode, the -b is the targets MAC address, and the -n 128 tells the program the WEP key length. If you don’t know the -n , then leave it out. This should crack the WEP key within seconds. The more packets you capture, the bigger chance you have of cracking the WEP key.

With all the different computers and network adapters out there, you may come across a error occasionally. If you get stuck, remember, Google is your friend!  Search for an answer and I guarantee you that 99% of the time you will find a solution.

Wireless Hacking (Scanning For Wireless Networks)

Nowadays, there are wireless hotspots everywhere! You can get internet access with a wireless enabled laptop almost everywhere you go. In this chapter I will discuss ways a hacker goes about getting into secure wireless networks and things he can do once he is inside.
Scanning for Wireless Networks
For this section and the following, you will need to have a wireless card/adapter. The hacker starts by scanning for wireless networks near him. The Windows tool we will use in this section is called NetStumbler. Also by the time you receive this eBook MacStumbler may already be released for those of you using a Mac. Some other similar programs are:
• Kismet for Windows and Linux.
• KisMac for the Mac.
1. Download and install NetStumbler.
2. Run it. It automatically starts to scan for wireless access points.
3. Once it is completed, you should see a list of all the wireless access points around you.

4. If you click on the MAC address of one of the discovered wireless networks under channels, you will see a graph that shows the wireless network’s signal strength. The more green and the less spaces, the better the signal.

5. As you can see NetStumbler provides a lot more than just the name (SSID) of the wireless network. It provides the MAC address, Channel number, encryption type, and a bunch more. All of these come in use when a hacker decides he wants to get in the secured network by cracking the encryption. The most common types of encryption are:

• WEP (Wired Equivalent Privacy) – WEP isn’t considered safe anymore. Many flaws have been discovered that allow a hacker to crack a WEP key easily.
• WAP (Wireless Application Protocol) – WAP is the currently the most secure and best option to secure your wireless network. It’s not as easily cracked as WEP because the only way to retrieve a WAP key is to use a brute-force or dictionary attack. If your key is secure enough, a dictionary attack won’t work and it could take decades to crack it if you brute-force it. This is why most hackers don’t even bother.

Network Hacking(Cygwin)

Cygwin
If you only have access to a Windows machine, and you come across a C/C++ script that is only meant to be compiled in Linux, then you can use Cygwin to make it possible in Windows. Let’s get right into it!
Cygwin
1. Download Cygwin from http://www.cygwin.com/
2. Run the installer.
3. Choose to install from the internet.
4. Continue on until it asks you to choose a mirror to download from. Choose any.

5. Next you must select packages to download. Click View “+” under Devel to expand the category. Expand the window so that you can see all of the columns. Under the package column, search for gcc-core and click on “Skip” to select it and click next.
6. If it tells you that you haven’t selected a couple packages that you need, agree to install them and click next.
7. It will begin to install the packages
8. Once it is installed, double click the desktop icon and a command prompt should come up.

9. Using the same exploit as the last example, save and move it into the “C:\cygwin” directory as “exploit.c”.
10. Now it’s time to run the exploit. First you must change the directory to the home directory (C:\cygwin) by using the command “cd /”. Next use the “ls” command to display all the files in the current directory. You should see “exploit.c”.
11. Now to compile the script we use the same command as we did in Ubuntu: “gcc exploit.c –o exploit”. Here you see that we added a new parameter “-o”. This simply tells the compiler to name the output exe “exploit.exe”. Hit <ENTER> and if no error messages came up, then it was successful. If you use the “ls” command again, you should see a new file “exploit.exe” in the directory.
12. To run the exploit, simply type “./exploit”. It will now display the scripts runtime directions. Put in the right options and parameters and run the script again. The picture below shows all of these steps being done.

13.Once a hacker runs this script against a vulnerable machine and the script works, he will have root access to the target computer.

The more exploits you run, the more you will notice that half of them may not work. Many exploits are created and tested in specific environments and the expected outcome only happens when the exploit is run in the exact same environment. That is another reason why programming knowledge is needed, so you could edit the exploit script to work for you.
Once a skilled hacker gains root to a server he has the ability to do a lot of damage. Some of the things a hacker might do with a rooted server is:
• Add himself as a permanent user for future access.
• Add the server into his botnet collection so he could use it as a weapon against other servers.
• Use it as a proxy to hack other websites.
• Install a rootkit so he can come back and have full control over the server when needed.
• Constantly steel information as it comes.
• Use the system to store illegal data.
• Deface the website and sometimes the hacker will delete everything off of the server.

Countermeasures
There are a few things you can do to stay secure from network hacking attempts.
1. Keep all your software up to date. There will always be new vulnerabilities coming out, and your responsibility is to patch them immediately after a patch comes out.
2. Implement a firewall. This will keep most of the bad data out and good data in.
3. Install anti-virus software.
4. Scan your system with a vulnerability scanner. This may reveal possible vulnerabilities in your system.

Network Hacking (C/C++)

C/C++
C/C++ are the most popular programming languages used in developing exploit code. Some C/C++ code can be compiled with any compiler and on any operating system. There are also C/C++ scripts that are made to be compiled by a particular compiler, or in a particular operating system. You can usually find this information commented in the top of the script. Below is a list of the most popular compilers for each operating system.
C/C++

Windows
• Microsoft Visual C++
• Borland C++
• Dev-C++
Mac
• MrC/MrCpp
• Xcode
Linux
• GCC


Google Search! Search Here!

Web
Images
Local Listing
Mobile Web

Most C/C++ exploit code is made to be compiled in Linux. If you wish to run one them but you’re only option is Windows, then you can use Cygwin . Cygwin is a Linux-like environment that runs in Windows and acts as a Linux emulation layer, allowing you to run Linux scripts in windows. Although many Linux C/C++ exploit scripts will work with Cygwin, there are also many may not. I will show you how you can use Cygwin right after I give you an example of compiling and running a C/C++ script in Ubuntu Linux. If you aren’t already using Linux, I would recommend following along using VirtualBox from the Linux chapter.

1. Open up Terminal.

2. Go to http://milw0rm.com/exploits/269 and copy the remote root exploit.

3. Open up the VI editor in the terminal by typing in “vi” and hitting <Enter>. You should see the following screen:

4. To get into typing mode type in I (Shift + I).

5. You are now in insert mode. Right click and paste in the exploit.

6. The script should have pasted in. Now it’s time to save it. Hit the <ESC> key and then type in “:wq exploit.c” . This quits and saves the document as exploit.c .

7. Now type in the command: ls. This command lists all the files in the current directory. You should see your newly made file in the list.

8. Now we will compile the script using the GCC compiler, but before we compile this script we need to first install a development package of all the libraries and headers needed to compile C/C++ scripts. It’s a very easy process. In the terminal type in the following command:

sudo apt-get install build-essential

9. This command downloads the package and then asks you if you would like to continue with installing. Type in a “y” and hit enter. It automatically will install the package.

10. Now to compile the script type in the command “gcc exploit.c” , it will quickly compile. If there was no error displayed, then it was successful. By using the “ls” command you can now see there’s a new file named “a.out” this is the compiled script.

11. To run the new file type in the command “./a.out”. This will display a little note telling you how to run the exploit against a server. The below image shows all of these steps together.

12. The last line of the picture shows the proper way a hacker would use the script against a server.

13. Once the hacker ran the script against a vulnerable server running BeroFTPD 1.3.4 and the script worked, the hacker would now have root access to the server. Below is an image of what the root account on Ubuntu would look like.

As you can see the “whoami” command tells you who you are on the system. In this case I am root.

Network Hacking (Python)

Pythton
Python is also a common programming language used in creating exploits. You can download python from
Python
http://www.python.org/download/. The steps to running a Python exploit are just as easy as the ones for Perl. See if you can get the exploit: http://milw0rm.com/exploits/3523 up and running. Hint: Python files end with .py .

Network Hacking (Perl)

Running Perl exploit scripts is just as easy as running PHP scripts.
Perl
1. Download and install the appropriate version of ActivePerl.

2. Next the hacker would find an exploit for vulnerability. In this example we will use the following example: http://milw0rm.com/exploits/6581 for WinFTP Server 2.3.0. This is also a Denial of Service (DoS) exploit.

3. Edit the options like the target server and others as needed. Then save the file as “exploit.pl”. As you can see Pearl exploits begin with “!/usr/bin/perl”.

4. Open CMD or Terminal and change into the directory with the exploit using the CD (change directory command). Then run the exploit by typing:
“perl exploit.pl”. The attack has begun.

Network Hacking (Penetrating)

Penetrating
So now you might be wondering: Once the hacker finds the right exploit, how does he go about running it against the target and penetrating the server? This will all be explained in this chapter.
As you search Milw0rm or any of the other couple exploit database websites provided in this chapter, you will notice that the exploits are created in many different types of programming languages. Below I will list a few of the most common programming languages used, and how a hacker would compile and run them against a server.
PHP-
PHP exploits are very common. PHP exploit code usually starts with <?php and ends in ?> . Let’s say the hacker wanted to do some temporary damage to a server running FTP Server 0.9.20. If he was to search milw0rm he would come up with the following DOS exploit:
PHP
http://milw0rm.com/exploits/2901 and run it against the server. Below are the steps the hacker would take.
1. First the hacker would need to install PHP onto his computer. WAMP is a free web server that comes with PHP. If you are using a Mac then you must install MAMP . Next, paste the PHP exploit into notepad or any word processor and save it as “exploit.php”.

You will have to know a little PHP to edit the target address. On line 13 of this exploit you will see:
$address = gethostbyname(‘192.168.1.3’); here you will have to edit in the IP address of the target. Every exploit is different. Some you have to know what to edit and some have runtime instructions. Save this edited file into the PHP directory on your server that contains the PHP executable file. In WAMP the directory would be C:\wamp\bin\php\php5.2.5 , of course the last directory version number changes with newer versions.
2. Next open up the command prompt or terminal if you are using a Mac, and go to the PHP directory by using the CD (change directory) command followed by the directory location.

3. Now it’s time to run the exploit. To run it simple type in “php exploit.php” and hit enter. You should get a couple errors.

4. When skilled hackers create exploits, they sometimes insert mistakes or extra code so that script kiddies with no programming knowledge wouldn’t be able to use them. The above is a simple example. If you go to line 18 of this exploit , will see the line
$junk.=”../../../sun-tzu/../../../sun-tzu/../../../sun-tzu”;
This line was inserted to throw off the script kiddies and by simply removing it, the error will disappear. Just another reason why it’s helpful to learn how to program.
Also every now and then you will receive other errors such as the one the second picture shows above. These errors have to do with the server configurations. Now as a hacker, you have to learn a lot on your own. By going around asking simple questions like this all the time will make you look bad and the most common response you will receive: www.google.com . Google is your friend, so take advantage of it! So starting now, begin to use Google, and if you are still stuck, then you can ask help on community forums.

5. Once the errors are fixed and the program is running, a DoS attack will be launched the target website up until you exit the command screen. If the target server can’t handle much, you may be able to see the affect of your exploit by going to the site and clicking around. If it is working, the site will begin to lag and it’ll take a long time to load pages. Eventually the server may go down completely.