Click to Show/Hide Starters Guide
Recent Posts

Saturday, February 4, 2017

Compiling Linux Kernel (on Ubuntu)

This guide may not exactly be relevant to this blog, but as an exercise in getting familiar with Linux, I'll post it anyways. Here are a few disclaimers-


  1. Don't follow this guide for compiling linux kernel, there are much better guides out there for that purpose (this is the one I followed). The guide exists to help you learn some new stuff which you didn't know before, and to improve your understanding of Linux a bit.
  2. My knowledge of Linux and operating systems, in general, is somewhat limited, and hence, some things might be wrong (or at least not perfectly correct).
  3. The main reason for writing this tutorial is because I had to submit a document showing what I did. It's not exactly related to hacking. It just gives you some insight into linux (which I perceive is helpful).
  4. Do everything on a virtual machine, and be prepared for the eventuality that you'll break your installation completely.

Linux Kernel

Running uname -r on your machine would show you what kernel version you're using. uname -a would give you some more details regarding that. 

Every once in a while, a new stable kernel release is made available on kernel.org. At the time of writing this, the release was 4.9.8. At the same time, there is also the latest release candidate kernel, which is not of our interest, as it's bleeding edge (latest features are available in the kernel, but there could be bugs and compatibility issues), and hence not stable enough for our use. 

I download the tar ball for the latest kernel (a compressed archive of ~100MB size, which becomes ~600 MB upon extraction). What we get upon extraction is the source files of your linux kernel. We need to compile this to get an object file which will run our OS. To get a feel for what this means, I have a little exercise for you-

Small (and optional) exercise


We will do the following-
  1. Make a folder, and move to that folder
  2. Write a small c++ hello world program
  3. Compile it, using make
  4. Run the compiled object file.
On the terminal, run the following-

Step 1:
mkdir testing
cd testing
Step 2:
cat > code.cpp
Paste this into the  terminal
#include <iostream>

int main(){
    std::cout << "Hello World\n";
    return 0;
}

After pasting this, press ctrl+d on your keyboard (ctrl+d = EOL = end of line).
If this doesn't work, just write the above code in your favourite text editor and save as code.cpp


Step 3:
make code
Step 4:
./code
 Notice how we used the make command to compile our source code and get an executable. Also, notice how the make command itself executed this command for us-
g++ code.cpp -o code
In our case, since there was only one source file, make knew what to do (just compile the single file). However, in case there are multiple source, make can't determine what to do.

For example, if you have 2 files, and the second one depends on the first one in some way. Then, you need the first one to be compiled before the second one. In case of the kernel, there are possibly millions of source code files, and how they get compiled is a very complex process.

If you navigate to the folder containing linux kernel (the folder where you extracted the tar ball), you'll get an idea of the sheer magnitude of complexity behind a kernel. For example, open the Makefile file in that folder in your favourite text and editor and see the contents of the folder. Makefile contains instructions which make (the command line tool we used earlier) uses to determine how to compile the source files in that directory (and subdirectories).

Some tools

Compiling our simple c++ program didn't need much, and your linux distribution (I'm using Ubuntu 16 for this tutorial) would come with the required tools pre-installed. However, compiling kernel needs some more stuff, and you'll need to install the required tools. For me, this command installed everything that was needed-
sudo apt-get install libncurses5-dev gcc make git exuberant-ctags bc libssl-dev
 Many of these tools would actually be pre-installed, so downloading and installing this won't take too long.

(if you're not on Ubuntu/Kali, then refer to this guide, as it has instruction for Red Hat based and SUSE based systems as well)

Download kernel

In the guide that I followed, he suggested that I clone this repository-
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
After cloning the repo, I had to choose the latest stable kernel and then proceed further with it. This would be useful when you want to keep pulling updates and recompiling your kernel. However, for the purpose of this tutorial, let's ignore this possibility (because cloning the git repo took a lot of time and the downloaded file was huge and everything was taking forever).

Instead, we just download and extract the tarball (as discussed earlier in the Linux Kernel section).


Configuration

Here, we have two options. 
  1. Use a default configuration
  2. Use the configuration of your current kernel (on which your OS is running right now).
As in downloading the kernel step, I tried both methods, and for me, the default one worked better. Anyways, for current configuration, run the following-
cp /boot/config-`uname -r`* .config
This copies the configuration for your current kernel to a file in the current folder. So, before running this command, navigate to the folder containing the extracted tarball. For me, it was /home/me/Download/linux-4.9.8

For default config (recommended), run
make defconfig

If you don't see a config file, don't worry. In linux, files/directories starting with . are hidden. On your terminal, type vi .config (replace vi with your favourite text editor) and you can see the config file.

Compiling

Similar to the way you compiled your c++ program, you can compile the kernel. In case of c++ program, we didn't have any Makefile, so we had to specify the name of the source file (make code), however, since we have a Makefile here, we can simply type make, and our Makefile and .config file (and probably many more files) will tell make what to do. Note that the config file contains the options which were chosen for your current kernel. However, on a later kernel, there might be some choices which weren't available in the the previous kernel (the one you're using). In that case, make will ask you what to do (you'll get to choose between option - yes and no, or options - 1,2,3,4,5,6, etc.). Pressing enter chooses the default option. Again, I suggest you use the default configuration file to avoid any issues.

To summarise, simply run this command-
make
If you have multiple cores, then specify it as an argument (compilation will be faster). For example, if you have two cores, run make -j2
If you have 4 cores, run make -j4 

Now, you can do something else for a while. Compilation will take some time. When it's finished, follow the remaining steps.

Installation

Simply run this command-
sudo make modules_install install

Fixing grub

There are following things that need to be changed in the /etc/default/grub file. Open this file as sudo, with your favourite text editor, and do the following.

  1. Remove GRUB_HIDDEN_TIMEOUT_QUIET line from the file.
  2. Change  GRUB_DEFAULT to 10 from 0
This is how my file looks after being edited. 

What these changes do is-
  1. Grub menu for choosing OS to boot from is hidden by default in Ubuntu, it changes that to visible.
  2. The menu shows up for 0secs, before choosing the default option. It changes it to 10 secs, so we get a chance to choose which OS to boot from.

After all this, just run the command to apply the changes.
sudo update-grub2

Now restart the machine.

Did it work?

If it worked, then you'll ideally see something like this upon restart -


In advanced options, you'll see two kernels. If you did everything perfectly, and no drivers issues are there, then your new kernel will boot up properly (4.9.8 for me). If you did everything reasonably well, and didn't mess things up too bad, then at least your original kernel should work, if not the new one. If you messed things up completely, then the new kernel won't work, nor would the old kernel (which was working fine to begin with). In my case, in the first trial, my new kernel wasn't working. In the second trial, both kernels were working.

Once you have logged in to your new kernel, just do a uname -r and see the version, and give yourself a pat on the back if it is the kernel version you tried to download.
I did give myself a pat on the back
If your new kernel is not working, then either go through the steps and see if you did something wrong, or compare with this guide and see if I wrote something wrong. If it's none of these, then try the other methods (default config instead of current kernel config, and vice versa). If that too doesn't work, try out some other guides. The purpose of the guide, as explained already, isn't to teach you how to compile linux kernel, but to improve your understanding, and I hope I succeeded in that.

Removing the kernel (optional and untidy section)

The accepted answer here is all you need. I'm gonna write it here anyways. Note that I'm writing this from memory, so some things may be a bit off. Follow the AskUbuntu answer to be sure.

Remove the following (this is correct)-

/boot/vmlinuz*KERNEL-VERSION*
/boot/initrd*KERNEL-VERSION*
/boot/System-map*KERNEL-VERSION*
/boot/config-*KERNEL-VERSION*
/lib/modules/*KERNEL-VERSION*/
/var/lib/initramfs/*KERNEL-VERSION*/
For me, Kernel version is 4.9.8. I don't remember exactly what commands I typed, and am too lazy to check them again, but I think these would work (no guarantee).

cd /boot/
rm *4.9.8*
cd /lib/module 
rm *4.9.8*
cd /var/lib/initramfs
rm *4.9.8*

Also, I have a faint recollection that the name of the initramfs folder was something a bit different in my case (not sure).

Kthnxbye

Tuesday, December 20, 2016

How to hack WPS wifi using android

Below is a guest post by Shabbir, and I'd like to add some comments describing what to expect ahead. First, there are two methods, both are very simple. One works with rooted phones only, and the other works with/without root. Without root you can get connected to the wireless network, but won't find out it's password. These methods work only on vulnerable wifis, so success rate is low. Still, since it's a 5 minute process (simply install an app from play store), it might be worth the effort for most people. <actual post starts below>


You know if you ask me, hacking a wifi network is easiest of the all hacking techniques. And Yes, it is Boring, time consuming and difficult to hack wifi when it comes to android. Because in android you don’t have much powerful resources and you don’t have many hacking attacks and don’t have lots of hacking tools like you do have in Laptop, Pc or mac.
In Today’s post we are going to cover the topic “how to hack wifi with android”.

Hi, this is Shabbir. A guest writer, and contributor at kali tutorials. He is the author of a blog known as “Hacking Tutorials. Let’s get to the tutorial.

We are going to exploit a wifi vulnerability found in most of the router’s security called WPS (wifi protected setup).

According to Wikipedia. A major security flaw was revealed in December 2011 that affects wireless routers with the WPS PIN feature, which most recent models have enabled by default. The flaw allows a remote attacker to recover the WPS PIN in a few hours with a brute-force attack and, with the WPS PIN, the network's WPA/WPA2 pre-shared key. Users have been urged to turn off the WPS PIN feature.
We are describing two methods that are most effective in hacking wifi with android and are almost successful.
Things Required for Both tutorials
  • Android Phone with good Processor and RAM
  • Android Phone Must be Rooted
  • A Wifi Network to hack (Very Important)
  • WPS CONNECT app from Play store (for 1st tutorial)
  • WPS WPA Tester app (for 2nd tutorial)

How this is going hack wi-fi Let’s get to the process

Many Guy says this is the fake app but hey guys this is not a fake app, this is working app for hacking wi-fi password from android mobile. You can hack WiFi network with this app, which has WPS enabled in their router security.
If you found any wi-fi network in your Android mobile, which shows WPS security. You can easily connect with any WPS  security wifi without given any type password. WPS Connect bypasses WPS security and gives you access to connect with wi-fi without typing any password.

Some of recent wifi hacking tutorials on Kali Tutorials.


With this app, you’ll connect to WiFi networks which have WPS protocol enabled. This feature was only available in version 4.1.2 of Android.
App developed for educational purposes. I am not responsible for any misuse.
WPS Connect is focused on verifying if your router is vulnerable to a default PIN. Many routers that companies install own vulnerabilities in this aspect. With this application, you can check if your router is vulnerable or not and act accordingly.
Includes default PINs, as well as algorithms such Zhao Chesung (ComputePIN) or Stefan Viehböck (easyboxPIN).

Step 1

Open the app

Step2

Tap Refresh Icon to get wifi AP with Mac addresses

Step 3

Tap on the wifi you wanna hack

Step 4

Try every pin one by one in the app and try to hack wifi password

Step 5

You have successfully hacked wi-fi via WPS.

2nd app is Wi-fi WPS WPA Tester

WPS Connect app hack only WPS routers with limited features. But this is an advanced app for hacking wifi password from android mobile. Make sure your phone is rooted. You can check the wireless security of your routers from this Android app. If your router is not secure this wifi hacking android app easily bypass wifi password from android mobile and connect with android mobile to router directly without need any type of password.
The algorithm of wps default (zaochensung) SOME of the routers, you can receive the WPA WPA2 WEP set to the router.

Step 1

Open the app

Step 2

Tap on the wifi you wanna hack

Step3

Try every pin one by one in the app and try to hack wifi password

Step4

 After that app will try to brute force and if it succeeded then You have successfully hacked wi-fi via WPS. If some problem came in that process. Ask us in Comment Section.

Conlusion:

This wifi hacking Android apps works in rooted and without rooted android mobile. So you can easily hack wifi password from your android phone without rooting your android phone with this app.

Sunday, December 18, 2016

Use Python To Detect And Bypass Web Application Firewall


Web application firewalls are usually placed in front of the web server to filter the malicious traffic coming towards server. If you are hired as a penetration tester for some company and they forgot to tell you that they are using web application firewall than you might get into a serious mess. The figure below depicts the working of a simple web application firewall:


As you can see its like a wall between web traffic and web server, usually now a days web application firewalls are signature based.

What is a signature based firewall?


In a signature based firewall you define signatures, as you know web attacks follow similar patters or signatures as well. So we can define the matching patterns and block them, i.e.

Payload :- <svg><script>alert&grave;1&grave;<p>

The payload defined above is a kind of cross site scripting attack, and we know that all these attacks can contain following substring -> "<script>", so why don't we define a signature that can block a web traffic if it contains this sub string, we can define 2-3 signatures as defined below:
  1. <script>
  2. alert(*)
First signature will block any request that contains <script> substring, and second one will block alert(any text). So, this is how signature based firewall works.

How to know there is a firewall?

web-applicaion-firewall-cyberpersons
If you are performing a penetration test and you didn't know that there was a firewall blocking the traffic than it can waste a lot of your time, because most of the time your attack payloads are getting blocked by the firewall not by your application code, and you might end up thinking that the application you are testing have a secure good and is good to go. So, it is a good idea to first test for web application firewall presence before you start your penetration test.

Most of the firewalls today leave some tracks about them, now If you attack a web application using the payload we defined above and get the following response:

HTTP/1.1 406 Not Acceptable
Date: Mon, 10 Jan 2016
Server: nginx
Content-Type: text/html; charset=iso-8859-1
Not Acceptable!Not Acceptable! An appropriate representation of the

requested resource could not be found on this server. This error was generated by Mod_Security.
You can clearly see that your attack was blocked by the Mod_Security firewall. In this article we will see how we can develop a simple python script that can do this task detecting firewall and bypassing it.

Step 1: Define HTML Document and PHP Script!

We will have to define our HTML document for injection of payload and corresponding PHP script to handle the data. We have defined both of them below.
We will be using the following HTML Document:

<html>
<body>
<form name="waf" action="waf.php" method="post">
Data: <input type="text" name="data"><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

PHP Script:


<html>
<body>
Data from the form : <?php echo $_POST["data"]; ?><br>
</body>
</html>

Step 2: Prepare malicious request!

Our second step towards detecting the firewall presence is creating a malicious cross site scripting request that can be blocked by the firewall. We will be using a python module called 'Mechanize', to know more about this module please read the following article :


If you already know about Mechanize, you can skip reading the article. Now that you know about Mechanize, we can select the web form present on any page and submit the request. Following code snippet can be used to do that:

import mechanize as mec
maliciousRequest = mec.Browser()
formName = 'waf'
maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
maliciousRequest.select_form(formName)

Lets discuss this code line wise:
  1. On the first line we've imported the mechanize module and given it a short name 'mec' for later reference.
  2. To download a web page using mechanize, instantiation of browser is required. We've just did that in the second line of the code.
  3. On the first step we've defined our HTML document, in which the form name was 'waf', we need to tell mechanize to select this form for submission, so we've this name in a variable called formName.
  4. Than we opened this url, just like we do in a browser. After the page gets opened we fill in the form and submit data, so opening of page is same here.
  5. Finally we've selected the form using 'select_form' function passing it 'formName' variable.
As you can see in the HTML source code, that this form have only one input field, and we are going to inject our payload in that field and once we receive response we're going to inspect it for know strings to detect the presence of the web application firewall.

Step 3: Prepare the payload

In our HTML document we've specified one input field using this code:
input type="text" name="data"><br>
You can see that name of this field is 'data', we can use following bit of code to define input for this field :

crossSiteScriptingPayLoad = "<svg><script>alert&grave;1&grave;<p>"

maliciousRequest.form['data'] = crossSiteScriptingPayLoad
  1. First line saves our payload in a variable.
  2. In a second line of code, we've assigned our payload to a form field 'data'.
We can now safely submit this form and inspect the response.

Step 4: Submit the form and record Response

Code I am going to mention after this line will submit the form and record the response:

maliciousRequest.submit()
response =  maliciousRequest.response().read()

print response
  1. Submit the form.
  2. Save the response in a variable.
  3. Print the response back.
As I currently have no firewall installed, the response I got is :

no-web-application-firewall-present

As you can see that payload is printed back to us, means no filtering is present on the application code and due to the absence of firewall our request was also not blocked.

Step 5: Detect the Presence of firewall

Variable named 'response' contains the response we got from server, we can use the response to detect presence of firewall. We will try to detect the presence of following firewalls in this tutorial.
  1. WebKnight.
  2. Mod_Security.
  3. Dot Defender.
Let see how we can achieve this with python code:
if response.find('WebKnight') >= 0:
       print "Firewall detected: WebKnight"
elif response.find('Mod_Security') >= 0:
      print "Firewall detected: Mod Security"
elif response.find('Mod_Security') >= 0:
      print "Firewall detected: Mod Security"
elif response.find('dotDefender') >= 0:
      print "Firewall detected: Dot Defender"
else:
      print "No Firewall Present"

If Web Knight firewall is installed and our request got blocked, response string will contain 'WebKnight' inside it some where, so find function will return value greater than 0, that means WebKnight firewall is present. Similarly we can check for other 2 firewalls as well.
We can extend this small application to detect for as many number of firewalls, but you must know there response behavior.

Using Brute force to bypass Firewall filter

I've mentioned in the start of the article that mostly firewall these days block requests based on signatures. But there are hundreds and thousands of ways you can construct a payload. Java script is becoming complex day by day, we can make a list of payloads, and try each of them, record each response and check if we was able to bypass the firewall or not. Please note that if firewall rules are well defined than this approach might not work. Let see how we can brute force using python:

listofPayloads = ['&lt;dialog open="" onclose="alertundefined1)"&gt;&lt;form method="dialog"&gt;&lt;button&gt;Close me!&lt;/button&gt;&lt;/form&gt;&lt;/dialog&gt;', '&lt;svg&gt;&lt;script&gt;prompt&amp;#40 1&amp;#41&lt;i&gt;', '&lt;a href="&amp;#1;javascript:alertundefined1)"&gt;CLICK ME&lt;a&gt;']
for payLoads in listofPayloads:
    maliciousRequest = mec.Browserundefined)
    formName = 'waf'
    maliciousRequest.openundefined"http://check.cyberpersons.com/crossSiteCheck.html")
    maliciousRequest.select_formundefinedformName)
    maliciousRequest.form['data'] = payLoads
    maliciousRequest.submitundefined)
    response = maliciousRequest.responseundefined).readundefined)
    if response.findundefined'WebKnight') &gt;= 0:
        print "Firewall detected: WebKnight"
    elif response.findundefined'Mod_Security') &gt;= 0:
        print "Firewall detected: Mod Security"
    elif response.findundefined'Mod_Security') &gt;= 0:
        print "Firewall detected: Mod Security"
    elif response.findundefined'dotDefender') &gt;= 0:
        print "Firewall detected: Dot Defender"
    else:
        print "No Firewall Present"

  1. On the first line we've defined a list of 3 payloads, you can extend this list and add as many payloads as you require.
  2. Then inside the for loop we did the same process we did above, but this time for each payload in a list.
  3. Upon receiving response we again compare and see see if firewall is present on not.
As I've had no firewall installed, my output was:

no-firewall-present

Convert HTML Tags to Unicode or Hex Entities

If for example firewall is filtering html tags like <, >. We can send their corresponding Unicode or Hex Entities and see if they are being converted to there original form, if so, than this could be an entry point as well. Code below can be used to examine this process:

listofPayloads = ['&lt;b&gt;','\u003cb\u003e','\x3cb\x3e']
for payLoads in listofPayloads:
     maliciousRequest = mec.Browser()
     formName = 'waf'
     maliciousRequest.open("http://check.cyberpersons.com/crossSiteCheck.html")
     maliciousRequest.select_form(formName)
     maliciousRequest.form['data'] = payLoads
     maliciousRequest.submit()
     response = maliciousRequest.response().read()
     print "---------------------------------------------------"
     print response
     print "---------------------------------------------------"

Each
 time we will send the encoded entry and in the response we will examine
 if it got converted or printed back without conversion, when I ran this
 code I got the this output :

cross-site-scripting-encoded-html-tags

Means none of the encoded entry got converted to its original form.

Conclusion

The purpose of this article was to train you in advance so that you can penetrate your firewall before a hacker can do. It is always a good choice to self test your network infrastructure for vulnerabilities, because our first concern always is to get our application up and running and we overlook the security part. But it must not be over looked, because later it can be a huge headache.
Complete source code can be downloaded from this link.

Author Info:

Usman Nasir, founder, and author of Cyberpersons is a Computer Science student. I also worked as a technical support staff at various hosting companies and love to write about Linux and web application security.

Thursday, December 8, 2016

Kali Installation : Dual Boot VS Live Boot VS Virtual Machine

If you are yet to have a Kali instance running on your machine, then you have quite a dilemma ahead of you. There are three ways to go about running Kali, each with their own advantages and disadvantages. In this article, I'll tell you what exactly the terms Dual Boot, Live Boot, and Virtual machine installation mean, how easy/difficult these are to perform, and what are the advantages/disadvantages of each of them. In the end, I'll tell you how to find guides for doing all of these.


PS: This guide (and the blog) is focused on Kali, but everything in this post is applicable to Linux in general. Certain parts are related to hacking, but you can take networking lessons from them regardless, even if you aren't interested in hacking per se.

Dual Boot

Most of you would be running a single operating system on your system right now. However, that doesn't have to be the case. We can partition our hard disk, and install multiple operating systems alongside each other. 

Think of how you have multiple partitions in your Windows (C,D,E,F drives). All your Windows system files would usually be in C (local disk). What if you let go of drive F (copy it's content to C,D,E first), and decide to install Kali's system files on it (you can install Kali's system files on your computer using the .iso file of Kali that is available for download). Now, you will have 3 drives of Windows format (NTFS), and one drive with Linux format (ext4). C drive (NTFS), will have Windows installed, and F drive (ext4, and it's name isn't really F drive anymore), has Linux.

But since your computer loads the system files during bootup, it needs to know whether to load files from C drive or from the "formerly F" drive. This is handled by the bootloader.

This was a gross oversimplification. Here's a nice article on HowToGeek that explains stuff in more details.
This is when Kali installer asks where it should install the OS.
In the sample explanation, you should install it where the "F" drive of
Windows is. If you instead install it over the "C" drive, you'll lose
Windows, and will only have Kali in your system.
Once you have installed Kali on a system which already had Windows,
the bootloader (GRUB) will ask you which of them to boot from.

 USB Boot

In the above example, we had Windows on our C,D,E,F partitions. The C partition had the system files, while D,E,F had other files. We decided to overwrite F and install Kali's system files over there. When we wanted to run Windows, we booted from C, and when we wanted to run Kali, we booted from the "former F drive" (of course we didn't know what exactly we are booting for, GRUB handles that for us, we just have to choose).

So, can we, instead of installing Kali on our F drive, install it on an external Hard Disk, and then boot from that external hard disk? The answer is yes. Well, you may ask, the size of Kali's ISO is <4 GB. What if I have a 16 GB USB flash drive. Surely, the installed OS will not take more than 16GB. Why use a hard disk, let me just install the OS on a USB flash drive.

Well, the answer to that is yes too. You can but 10 USB flash drives, and install 10 different operating systems on each of them, and then plug in whichever one you want, boot from it, and if your OS supports the filesystem of your hard disks, you can use your computers hard disks as well. You actually don't even need hard disks at all. You can run your computer from a flash drive itself. 

However, remember how I said install the OS on the USB flash drive. Turns out, you don't even have to install the OS. In general, for most software, there is 'an installer', and after the installer finishes it's job, we have the software installed and then can use it. For example, take a simple game. Suppose it has a setup.exe file on the CD drive you bought. When you run that, you can't yet play the game, and you instead need to install it on your hard disk, after which it can be played. This is true for operating systems as well. If you plug in a Windows installation CD/DVD/USB into your computer, it will do what the name says, install Windows on your computer. Upon installation, you can run Windows.

But with some Linux distributions, we have the ability to run the OS without installation(live boot). You can take the ISO, burn it to a DVD drive, and "live boot" it. It will not touch your hard disk, and everything will run directly on your primary memory (RAM). Hence, the installer also acts as the installed software. 

So, simply download Kali Linux' iso, and copy it to a USB, and you are done. Except for a little problem, USB drives are not bootable by default. So you need a little software which will properly perform the copying of the iso to the USB drive, such that it can be booted from. 

In summary, download the ISO, use a tool to intelligently copy the ISO to a flash drive, plug in the flash drive, and boot from it. It will ask you whether you want to Install the OS, or start running it right away (live boot). Just select the live boot option, and Kali is up and running, without any installation. However, since everything happens in volatile primary memory (RAM), changes are lost. So, everytime you boot into the live USB, it would be like running a fresh install (which can be both a good and a bad thing). With persistence mode, even this limitation is overcome, and you can have changes which persist across boots.

These are the choices offered when you boot from Kali's installer on a USB
You can run it live, run it live with persistence, or install the OS.

Virtual Machine

Suppose you only have Windows on your machine. How do you go from a powered off system to having a fully functional Windows running on your machine. Actually, a more useful question is, what all do you need to go from nothing to functional OS running. Here are a few things I can think of-
  • System files that run the OS (or in other words, system files that basically the OS).
  • A small core utility which can load the system files into memory from the hard disk (bootloader) when the computer is presently in a void like situation.
  • Memory where the system files are loaded.
  • Processing power which runs the OS.
  • Hard Disk space, where you can store stuff, Networking so that you can access the internet, and so on.
So, from a powerless state, in the presence of all the above, we can move to a state where we have a functional Windows instance running on our system. The question I want to ask you is, from a state where we have a functional Windows instance running on our system, can we move to a state where we have two functional OSs running on our system?

The answer should be, why not, if we have all the requirements that can result in a transition from 0 to 1, then if same requirements are met again, we can go from 1 to 2. In other words, if we have-
  • System files that run the second OS
  • A different core utility which can load the system files into memory from the hard disk (bootloader) when we have an OS running on the system already (as opposed to being in  a void like situation)
  • Memory, separate from the already runnning OS's memory, where the system files of this OS are loaded.
  • Processing power, separately for this OS, which runs the OS.
  • Hard Disk space, separately for this OS, where you can store stuff, Networking so that you can access the internet, and so on.
The above discussion should tell you that it would indeed be possible to run multiple OSs together, by somehow dividing the memory, hard disk space, processor power, etc. into two, and letting both OSs run on their share.

Without going into too much detail, let me just tell you that using hypervisors, this has indeed been achieved, and now we can run multiple OS inside one OS, given that there are enough resources to sustain the needs of all the simultaneously running OSs. VMware has been a pioneer in this technology, but they only offer limited capability VMWare player for free, while VMWare workstation will cost you. On the other hand, VirtualBox provides free open source products.

Now that you know about all the different ways to run Kali, be it alongside Windows, inside Windows (virtually), or live without installation, let me tell you about advantages and disadvantages of these methods.
Multiple Operating systems can run simultaneously as virtual machines.
In the picture, you can see VmWare workstation and various virtual machines on it.

Comparison


Live Boot V/S Dual Boot

Dual boot performs faster than live boot, and has persistence (though live boot with persistence is also available, but that is limited persistence). If you are using live USB, then you have to keep updating the ISO version on the USB frequently (download a new ISO, then write that ISO to the USB). If you have dual boot, then you'll update Kali the usual way (using apt-get update, upgrade, and dist-upgrade). 

I have put this point of comparison first because this is the only point of difference between live boot and dual boot. The two are identical in every other aspect, and from here on, I'll use live boot to refer to both live boot and dual boot.

Hardware access

In live booting, when you are running Kali, it would be the sole owner of all the resources that the computer offers (except hard disk space which is occupied by Windows, which is not a major concern). Not only that, it will have access to internal wireless card of your machine. We'll get a better idea of what hardware advantages we are getting by looking at what we don't get when we are inside Virtual Machine.

When Kali is running from inside a virtual machine, it doesn't have access to-
  1. Full CPI / GPU power (because processor needs to be shared between the two simultaneously running OSs) - So, this will mean slower cracking (processor intensive task like cracking WPA-2 4-way handshake will suffer here).
  2. No direct access to internal hardware, only bridged access - What this means for you is that you can't access the internal wireless adapter of your laptop. So, for wireless hacking, you will need to purchase an external wireless adapter if you are working inside a VM. (even if you are live/dual booting, you may need to purchase an external wireless card, because internal wireless cards are weaker, have less driver support, and sometimes don't support injection, which is needed in many attacks).
So, for wireless hacking, Virtual Machine isn't the best way to go.

Networking

In live booting, you are a direct part of the local network you are connected to. In virtual booting, your host computer is a part of that network, and you are part of internal network which contains only you, your host, and other guests. 

First, let me explain some technical jargon-
  1. Internal network - When you connect to your wifi router, you, along with other connected devices (your iphone, android phone, macbook, PC, etc.) become part of a local network. The internet knows only about your router. Every communication must be sent via the router to the internet, the internet will respond to router, and router will return the response to the appropriate system on the local network.
  2. VMnet - This is an equivalent of internal network, with the guest virtual machines, and the host machine a part of it.
  3. Host machine - The machine on which Vmware/virtualbox is installed, and inside which the virtual machines are running.
  4. Guest machine - The machines inside virtualbox/vmware.
  5. Internal IP - Your IP on the local network
  6. VMnet IP - Your IP on the Virtual network (VMnet) [This is not a standard term, internal and external IPs are standard terms, this I'm using for convenience]
  7. External IP - Your IP on the internet. 
If any of the machine make a request to the internet, their external IP would be the same. To check this, open your smartphone, and search "Whats my IP on google". Repeat this from all your other devices connected to the same router. Each one will have the same IP. Internally, all the devices have a different internal IP (the router has an internal IP too, like any other device on the local network).

Similarly, when you send a request from any of the VM guests to a machine outside the VMNet, but inside the local network, you'll carry the internal IP of your VM host (i.e. the Windows machine). Internally, all the guests have a VMnet IP (the host has one too, and inside the VMnet, behaves like guests).


Let me explain this a bit further with pictures.
Here, the kali machine is a part of VMNet, and can't directly contact
the mac machine and android machine. To reach them, it has to go via the Windows machine.
The router doesn't know about the existence of Kali Machine (or the Windows XP machine).
The path to the internet involves both the host machine, and the router. 
Here, Kali is directly a part of the Local network. Here, the router knows about the Kali Machine.
Also, the path to the internet involves only the router.

So, what does this mean for us?
  1. If you want to practice penetration testing, VMs can be great. You can have a Windows host, and Kali running as a virtual machine. Alongside, you can have Windows XP running as another guest VM. Now, these are a part of VMNet and directly connected. So, you can easily perform any attacks from Kali to this machine.
  2. If you want to do real life pentesting, your target is probably over the internet. In that case, having Kali inside a virtual machine doesn't help. Firstly, even if you are live booting Kali, you are a part of the local network, and to communicate with your target over the internet, you need to "forward" your requests through the router (this is called port forwarding). This, in itself, can sometimes be a pain in the ass. If you are inside a VM, your path to your target would involve your router, your host machine, and then the Kali Machine. This is quite inconvenient. So, if you want to attack someone over the internet, being in a virtual machine sucks.
In other words, your guest machine (Kali) does not have access to your laptop's network card. It has bridged access to it. In theory, you can still use most of the functionality of the card, but in practice, it's a painstakingly hard job. You can, however, add an external card and give it to the Kali guest instead of the windows host, mitigating this problem. Read the food for thought below for more-

Food For Thought

When you are inside a virtual machine, you are using your host to connect to the internet. But that doesn't have to be the case. You can plug in an external wireless card, and connect to the router directly. That would mean, that you are now a part of VMNet, as well as a part of LAN (your wlan0 card gets allocated an internal IP on the LAN (WLAN), say 192.168.1.5. Now, you don't need your host for internet access, and as far as the router is concerned, you are a separate computer. So, this does solve the problem that being inside a virtual machine causes. (I'm too lazy to draw a diagram for that, but in this case, the diagram will have Kali as a part of both the internal network dotted box, and the VMnet dotted box. This is exactly equivalent to the condition Windows 8/10 machine in the first diagram. It will also have two IPs, one for VMnet, and one for LAN).


Ease/Risk

Live boot is the easiest to perform, and the least risky.
Virtual machine is a bit harder, but still not risky.
Dual boot is tough, and you run the risk of losing your data/ getting rid of your original OS, etc.

Also, sometimes Dual Booting can be next to impossible. For example, some laptops with Microsoft signature (the 2-in-1, laptop+tablet types usually) addition don't let you dual boot anything alongside Windows.

Forensics

Live booting doesn't leave behind many traces, other two methods do.


How to find installation guides

For finding guides, keep the following pointers in mind-
  1. Consult multiple resources before doing anything. There are thousands of guides for installing Kali, and there's no 'best' guide.
  2. Make sure to read the official documentation.
  3. Make sure not to limit yourself to just written tutorials, or just YouTube videos. Both has their own advantages and disadvantages. 
  4. Consult tutorials for your precise versions of software (how to install Kali Rolling alongside Window 10), not simply Kali alongside Windows. There are only a few minor difference across the various releases, and their install instructions, but when you're doing it for the first time, these minor differences are important.
  5. Live USB is the easiest, go for it first. Go for Virtual machine if you're interested in practicing Penetration Testing. 
  6. Even the easiest method, Live USB, isn't trivial. If you're a beginner, even that will require some efforts (changing boot order/ choosing USB as boot device, finding a proper software for making bootable USB, etc.). Don't get discouraged.

Extra Advice

  • For wireless hacking, don't even think about anything, go for live boot, it's a no brainer.
  • For pentesting, when you're just getting started and need to practice on local targets, go for Virtual machine.
  • When you're comfortable with Linux, and feel that you can use Kali for usual stuff, only then install Kali alongside Windows. Still, I won't suggest using Kali as your primary OS.
  • If you love Linux, and love challenges, then install Kali as your primary OS. If you do, see if you're able to figure out  how to install Skype on Kali rolling release (if you succeed, please let me know. I haven't been able to do it so far, and anyways, skype web works fine).
The last point tells me that I'm getting carried away now, and this post needs to come to and end. Hope you learnt a lot. Let me know if you feel that there's something important worth inclusion that I missed.

Tuesday, December 6, 2016

Bettercap : MITM attack for sniffing traffic and passwords

Contents

  • Installation
  • Sniffing Traffic
  • Getting password
We will be installing Bettercap, doing a quick sniffing exercise, and then a more detailed section on grabbing the password. Will demonstrate the password grabbing on outlook.com, which seems to be particularly vulnerable to this attack.

Installing bettercap

Installation is simple-
apt-get update
apt-get dist-upgrade
apt-get install bettercap
The above three commands will leave you with latest versions of Kali and bettercap.

PS: I am writing this tutorial from a location with slow internet connection, and hence didn't perform the dist-upgrade step. However, bettercap seems to be running mostly fine. There may be a few difference in what you observe and what I show in this demo due to this difference in versions. For those who want to know the versions of various utilities that I'm using, take a look below. If you are unfamiliar with Linux, you're best off using the latest versions of everything, which can be obtained by running the three commands I mentioned earlier.

new@kali:~$ uname -a
Linux kali 4.7.0-kali1-amd64 #1 SMP Debian 4.7.6-1kali1 (2016-10-17) x86_64 GNU/Linux

new@kali:~$ bettercap -v
bettercap 1.5.8

new@kali:~$ ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

Not on Kali?

The readme on github repository of bettercap is quite comprehensive, and would help you install bettercap on most linux distributions. After installation the process should be same for Kali or any other Linux distribution.


Sniffing Traffic

There's nothing special about the usual sniffing traffic functionailty of bettercap. Bettercap can easily performing sniffing on your local area network. It also lets you write the output to a pcap file and later analyze it with WireShark or some other tool of your choice. I'll just give a simple demo here. The real fun is in the capturing passwords section.

Run the command-
bettercap --sniffer
Sniffing traffic: Screenshot shows my lenovo smartphone's
requests to truecaller being sniffed

 You'll see all the websites being visited by all the devices on the network. Press ctrl+c to stop.

Take a look at the help manual for more commands, or read the wonderful documentation.


Internet stopped working

There are plenty of open issues on the github page of bettercap. The one problem I faced was that after bettercap had finished running, the internet connection on the attacker machine (Kali) would be killed. I fixed it by simply turning restarting the wlan0 interface (turn it off and on from the gui or use ifconfig commands). Some people reported that Bettercap killed internet connection for all hosts. If you face a different issue, take a look here and see if you can find a solution.



Capturing passwords

The fun part lies here. Bettercap uses sslstrip to change https webpages to simple http ones, which ensures that the passwords are transferred in clear text, and you can read them without any issues. I will be targeting my lenovo phone from my Kali machine. First, you must find the IP of your target. This can be done by simply running bettercap and waiting for all machines on your network to show up. Once they do, you can identify the one you're trying to attack, and note it's IP. Then use this IP as the target IP. Let's look at the steps first.
PS: I'm assuming you connected to the network you are attacking using the wlan0 interface. If not, specify your interface using the -I option.

  1. Run the command bettercap on the terminal
  2. Wait for bettercap to acquire targets.
  3. When bettercap discovers the target you're looking for, note down it's IP address. Let's call it TARGET_IP.
  4. Press ctrl+c to stop bettercap (if internet connectivity is lost, as was in my case, restart your wlan0 interface)
  5. Run this command - bettercap -T TARGET_IP --proxy -P POST (replace TARGET_IP with the appropriate IP)
In  my case, my target was my Lenovo smartphone. It was detected by bettercap,
and i noted down it's IP. 192.162.2.2 is what I'll use as my TARGET_IP
Now your attacker machine is ready and listening for traffic on the network. Once your victim opens any login page, bettercap will use sslstrip to remove the https from the URL, and once the target enters his/her login credentials, you will see them in cleartext.

Let's look at a demo run of the above procedure.

Capturing passwords entered on Outlook by smartphone user on same LAN/WLAN

This section is simply going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Starting bettercap using the command I specified earlier.
Then I proceed to open outlook.com on my smartphone
SSLStrip detects that I'm trying to access outlook, removes the https from the page
This is the login page that my smartphone sees. Notice the address in the URL.
This is what the address should look like, with HTTPS. The URL on the smartphone lacks
HTTPS, and has extra Ws in www. I enter the username here. Meanwhile,
bettercap detected that username was entered and shows that to me. 

Bettercap shows me the username. In the smartphone, I am at the password stage after entering username.

I now enter the password. Let's see what happens on the attacker machine
I entered the password as "wrongpass" on my smartphone, and
bettercap is able to detect it.

Limitations

From this test run, here are the limitations of the tool that I observed-
  1. The biggest problem - It does not work on all sites. Before trying outlook, I tried to see if I could carry out this MITM attack over Facebook, Gmail, Twitter, etc. Unfortunately, I wasn't able to. It only seems to work with some websites.
  2. The difference in the URL if easily visible. Anyone who knows what https is, will notice the lack of it. I, for one, would never enter my credentials on an http page.The extra Ws in the www don't help eitheir.
  3. The tool isn't perfect. There are a few bugs.
Update : Giorgio's comment on the tutorial addresses the first and the third issues. The reason why Facebook and Gmail don't give in to the attack is because they don't have an http version of their websites. Bettercap can't force Facebook to replace it's https page with an http one, simply because there is no http version of Facebook. Secondly, Yahoo looks buggy because it's CSS files (ones hostel by google) are served over https, and an attempt to get an http version would yield nothing, since http versions aren't available. Hence, the CSS files are missing, and while the parts of the page which operate over http load well, the ones which are exclusively https do not.

Facebook seems immune to the attack
Yahoo's response is buggy, but you'll notice
that sslstrip did it's job, the page is regular http now
The tutorial ends here, a few personal insights ahead, not very important.

How to be safe

This demo must scare you. I, for one, wasn't sure if this tool would work at all. However, it did work very well with outlook, and somewhat worked with yahoo as well (not shown in demo). Facebook and Gmail seem to be immune to it, but I didn't really try hard to get them, and after writing this post, I'll try to see if I can get the tool to grab Facebook and gmail logins as well. Regardless, we see how easy it can be for someone to grab your credentials if they are on the same network as you. So how can you be safe?

Here are some pointers-
  1. Never enter your credentials on a non-https page. Also, if there's some flaw with the https, your browser usually will point that out to you. 
  2. Be extra careful on public wireless networks.

By clicking on details, you can see exactly how your connection to
a website is encrypted.
Chrome provides detailed breakdown of the cipher used and the validity of certificate

Things to do

This tutorial is supposed to serve as an introduction to sniffing, MITM and bettercap. I have observed that posts with too much theory don't perform too well, so I just demonstrated the functionality of the tool. However, this was a very basic exercise, and for both me you, there are things to do-

  1. Try other functionalities offered by this tool.
  2. Try to get it to work with Facebook and Gmail. I'll have to approach facebook and Gmail in a different manner, read the comment by Giorgio below for more information.
If I am able to get it to work with Facebook/Gmail, I'll write another tutorial, showing you how you can do it too.

Monday, December 5, 2016

The Dark Web And How To Access It

Contents

  • What's the dark web
  • How to access the dark web
  • Installation of TOR browser - Windows and Kali
  • Finding onion websites

Dark Web

What is the dark web

In short, dark web is part of the web which requires special software to browse, and isn't indexed by search engines. (More technical content is enclosed in <extra> tags ahead, and colored purple. Scroll through it if you just want to browse the dark web right away.)


<EXTRA>

Originally, the internet used telephone network for communication. My first internet connection was a "dial-up" connection which used the telephone network at my house to connect to my ISP. This is what an overlay network is, and in that case, internet was an overlay over the telephone network. Now, the reverse phenomenon can be seen, with people using the internet for voice calls (Voice over IP to be precise), and the telephone network is turning into an overlay over the internet.

How does knowing what an overlay network is help us? Well, to understand the dark web, we need to understand what the dark net is first.

The dark net is the opposite of clear-net. Clear-net is simply parts of the internet which are index-able by search engines. This means that search engine crawlers can read up the pages, understand what the content is, and return those pages when relevant search queries are made to the search engine. On the other hand, dark net can't be indexed, and usually uses uncommon communication protocols, encryption, etc. to achieve that result. Here's where overlay networks get relevant, all of dark net is an overlay network over the internet. Hence, while the Darknet and clear-net reside on the internet, Darknet still manages to be structurally different from the rest of the internet.

From the darknet, we move to the dark web, which is a subset of the dark net. While dark net consists of all sorts of stuff, from www pages to file transfer service and peer to peer connections, dark web only includes the world wide web pages of the dark net (Hence the change from the more encompassing term net in darknet to web in dark web). 

</EXTRA>

What does it contain

  1. Child pornography and illegal drug markets - These are the two things which the dark web is most infamous for, and if you've heard about the dark web, it's quite likely it in reference to either (or both) of these.
  2. Bitcoin services - Bitcoin is a Cryptocurrency, and considering the nature of activities that go on in the dark web, and the need for anonymity, it's the most common form of payment for any service that you seek on the dark-web.
  3. Hackers for hire 
  4. Carding forums
  5. Plenty of scam sites, phishing sites, etc.
  6. Terrorism
  7. Social media
  8. File sharing

However, the dark web, in general, consists mostly of file sharing, as shown by many studies. While the first few pointers in the list stand out in the crowd, they are not what the dark web is all about. PS: I make no guarantee about the accuracy of these stats.

Dark web statistics


<EXTRA>

Note : Using TOR is not illegal (in most countries) , but many of the things on the dark web are illegal. Despite the strongly encrypted communications and high level of anonymity, I'd like to suggest that you don't access any illegal content of the site. This article is only meant to educate you about the presence of the dark web, as not knowing about it doesn't mean it'll cease to exist, and as someone interested in the field of computer security/hacking, you must know about the dark web.

</EXTRA>

 How to Access the dark web

There are many ways to access the dark web. Being a part of the deep net, dark web operates differently than the clear-net, and needs special client software to be accessed. While there are multiple ways to access the dark web, the most common and recommended method involves using TOR, and then visiting the .onion websites. All dark web website have a url with .onion TLD (top level domain), which looks similar to the way the clear-net websites have .com, .org, .net, etc. TLD. Once you have TOR and find out the .onion address of a deep web site (hidden web site), you can simply enter it in the URL bar on TOR browser, and it'll open, just as normal websites open in usual browsers.



<EXTRA>

If you read the previous boring section, you'd see that I mentioned how the darknet often uses uncommon communication protocols, etc. In case of the dark web, we see that phenomenon with respect to the onion websites. I won't go in much depth, but first look at a .onion URL suggests that it's similar to the clear-net websites. However, internally, the way they work is nothing similar to the clear-net. Precisely, .onion is not part of the internet's DNS root, and hence, normal DNS servers can't resolve your request if you type the URL of a .onion website on your browser. TOR redirects these requests through it's own servers, similar to the way proxies work, and then we get to the website, without the involvement of DNS servers anywhere. This ensures that search engine bots can't browse around the deep web, and that anonymity is maintained, both of the client looking at the web pages, as well as the server serving the web pages. In other words, the server doesn't know who the client is, and the client doesn't know anything about where the server is.)

</EXTRA>


Install TOR

All required instructions can be found here, and I suggest you skip this section of the guide and use the official page (which has very very detailed instructions if you scroll down on that page)

Windows

Simply go to TOR Browser Download page, and download and run the executable provided. No further instructions are needed as far as installation goes, since it's quite similar to how you'd install regular software on windows.

Linux

Go to TOR Browser Download page, and download the .tar.xz archive (according to your architecture, 64bit or 32bit). There is no installation procedure. Simply extract the archive (using GUI or using tar on terminal).

Just extract the archive and you're good to go

Common for both Windows and Linux

  1. Locate where the TOR browser folder is located. This is where you installed/extracted it. You'll see an icon which says something like Tor Browser, or Setup Tor Browser, run it.
  2. You'll see a window. It may differ a bit, but you have to choose the connect option.
  3. You'll see a progress bar with some messages shown below. It'll take a few second and you'll have a browser window ready.







Finding onion websites

Now that you have what looks like Mozilla Firefox running in front of you. You can simply enter normal URLs and enjoy surfing the web with privacy. However, we are here to browse the dark web, and we have no idea what to enter in the URL bar.

The solution is simple, just head over to the hidden wiki (clearnet link), and you'll have a list of websites you can go to. Better yet, go to the dark web hidden wiki (link opens only on TOR), with an indexing of dark web websites. You are now surfing the dark web. This is the furthest I'm taking you, and from here on, you can go wherever you want. You can simply click URLs on the hidden wiki like you'd do on a regular browser, and the website would open. Regardless of what happens behind the scenes, the user experience from here on is what it's like in the clear web (albeit a lot slower).

As far as finding websites is concerned, you are left with indexes of websites, such as the hidden wiki, and some search engines, which are nowhere as good as the clearnet search engines, which is, by design, the intention of the dark web.

The hidden wiki, link provided above



Torch search engine, the hidden wiki has a link to it, which can be opened directly on TOR

Conclusion

Go around, explore the place, don't go anywhere illegal, don't do anything illegal. Also, beware of scams, and don't leave your personal information anywhere. Take a look at instructions on how to be safe when using tor, follow them properly, and you won't face any troubles.
© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC