www.security.mtrico.com (136.243.91.6)

URL: https://www.security.mtrico.com/
Submission: On July 12 via automatic, source certstream-suspicious, scanned from DE

Wifi basic commands

    ip link show                    # List available interfaces
    iwconfig                        # List available interfaces
    airmon-ng check kill            # Kill annoying processes
    airmon-ng start wlan0           # Monitor mode
    airmon-ng stop wlan0mon         # Managed mode
    airodump-ng wlan0mon            # Scan (default 2.4GHz)
    airodump-ng wlan0mon --band a   # Scan 5GHz
    iwconfig wlan0 mode monitor     # Put in monitor mode
    iwconfig wlan0mon mode managed  # Quit monitor mode - managed mode
    iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA"  # Scan available wifis

Tools

EAPHammer

    git clone https://github.com/s0lst1c3/eaphammer.git
    cd eaphammer      # the setup script lives inside the cloned repository
    ./kali-setup

Airgeddon

    mv `which dhcpd` `which dhcpd`.old
    apt install isc-dhcp-server
    apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe

Run airgeddon with docker:

    docker run \
        --rm \
        -ti \
        --name airgeddon \
        --net=host \
        --privileged \
        -p 3000:3000 \
        -v /tmp:/io \
        -e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
        v1s1t0r1sh3r3/airgeddon

From: https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux

wifiphisher

It can perform Evil Twin, KARMA, and Known Beacons attacks and then use a phishing template to obtain the network's real password or to capture social network credentials.

    git clone https://github.com/wifiphisher/wifiphisher.git  # Download the latest revision
    cd wifiphisher                                             # Switch to the tool's directory
    sudo python setup.py install                               # Install any dependencies

Wifite2

This tool automates WPS/WEP/WPA-PSK attacks. It will automatically:

- Set the interface in monitor mode
- Scan for possible networks and let you select the victim(s)
- If WEP: launch WEP attacks
- If WPA-PSK:
  - If WPS: Pixie Dust attack and the brute-force attack (be careful, the brute-force attack could take a long time). Notice that it doesn't try the null PIN or database/generated PINs.
  - Try to capture the PMKID from the AP to crack it
  - Try to deauthenticate clients of the AP to capture a handshake
  - If a PMKID or handshake is captured, try to brute-force it using the top 5000 passwords.
Attacks Summary

DoS
- Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/client)
- Random fake APs -- Hide nets, possibly crash scanners
- Overload AP -- Try to kill the AP (usually not very useful)
- WIDS -- Play with the IDS
- TKIP, EAPOL -- Some specific attacks to DoS some APs

Cracking
- Crack WEP (several tools and methods)
- WPA-PSK
  - WPS PIN "brute-force"
  - WPA PMKID brute-force
  - [DoS +] WPA handshake capture + cracking
- WPA-MGT
  - Username capture
  - Brute-force credentials

Evil Twin (with or without DoS)
- Open Evil Twin [+ DoS] -- Useful to capture captive portal creds and/or perform LAN attacks
- WPA-PSK Evil Twin -- Useful for network attacks if you know the password
- WPA-MGT -- Useful to capture company credentials
- KARMA, MANA, Loud MANA, Known beacon
  - + Open -- Useful to capture captive portal creds and/or perform LAN attacks
  - + WPA -- Useful to capture WPA handshakes

DOS

Deauthentication Packets

The most common way this sort of attack is done is with deauthentication packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to hacking many Wi-Fi networks, as you can forcibly disconnect any client from the network at any time. The ease with which this can be done is somewhat frightening, and it is often done as part of gathering a WPA handshake for cracking. Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network. Description from here.

Deauthentication using Aireplay-ng

    aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

- -0 means deauthentication; the number that follows it is the number of deauths to send (you can send multiple if you wish), and 0 means send them continuously
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then a broadcast deauthentication is sent (does not always work)
- ath0 is the interface name

Disassociation Packets
Disassociation packets are another type of management frame that is used to disconnect a node (meaning any device like a laptop or cell phone) from a nearby access point. The difference between deauthentication and disassociation frames is primarily the way they are used. An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area. Description from here.

This attack can be performed by mdk4 (mode "d"):

    # -c 5: channel of the AP
    # -b victim_client_mac.txt: file containing the MAC address of the device to eliminate
    # -E WifiName: the name of the wifi
    # -B BSSID: the BSSID of the AP
    # Notice that these and other parameters are optional: you could give only
    # the ESSID and mdk4 will automatically search for it, wait until it finds
    # clients and deauthenticate them
    mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F

More DOS attacks by mdk4

From here.

ATTACK MODE b: Beacon Flooding

Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers!

    # -a  Use also non-printable characters in generated SSIDs and create SSIDs that break the 32-byte limit
    # -w  n (create Open) t (create WPA/TKIP) a (create WPA2/AES)
    # -m  use real BSSIDs
    # All the parameters are optional and you could load ESSIDs from a file
    mdk4 wlan0mon b -a -w nta -m

ATTACK MODE a: Authentication Denial-Of-Service

Sends authentication frames to all APs found in range. Too many clients can freeze or reset several APs.

    # -a BSSID  send random data from random clients to try the DoS
    # -i BSSID  capture and repeat packets from authenticated clients
    # -m        use real MACs
    # only -a or -i can be used
    mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m

ATTACK MODE p: SSID Probing and Bruteforcing

Probes APs and checks for an answer, useful for checking whether an SSID has been correctly decloaked and whether the AP is in your sending range. Bruteforcing of hidden SSIDs with or without a wordlist is also available.

ATTACK MODE m: Michael Countermeasures Exploitation

Sends random packets or re-injects duplicates on another QoS queue to provoke Michael Countermeasures on TKIP APs. The AP will then shut down for a whole minute, making this an effective DoS.

    # -t BSSID  of a TKIP AP
    # -j        use intelligent replay to create the DoS
    mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]

ATTACK MODE e: EAPOL Start and Logoff Packet Injection

Floods an AP with EAPOL Start frames to keep it busy with fake sessions and thus prevents it from handling any legitimate clients. Or logs off clients by injecting fake EAPOL Logoff messages.

    # -l  Use Logoff messages to kick clients
    mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]

ATTACK MODE s: Attacks for IEEE 802.11s mesh networks

Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic!

ATTACK MODE w: WIDS Confusion

Confuse/abuse Intrusion Detection and Prevention Systems by cross-connecting clients to multiple WDS nodes or fake rogue APs.

    # -e <SSID>     target WDS network (placeholder)
    # -c <channel>  channel to use (placeholder)
    # -z            activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
    mdk4 wlan0mon w -e <SSID> -c <channel> [-z]

ATTACK MODE f: Packet Fuzzer

A simple packet fuzzer with multiple packet sources and a nice set of modifiers. Be careful!

Airgeddon

Airgeddon offers most of the attacks proposed in the previous sections:

WPS

WPS stands for Wi-Fi Protected Setup. It is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier. WPS works only for wireless networks that use a password that is encrypted with the WPA Personal or WPA2 Personal security protocols. WPS doesn't work on wireless networks that are using the deprecated WEP security, which can be cracked easily by any hacker with a basic set of tools and skills. (From here)

WPS uses an 8-digit PIN to allow a user to connect to the network, but the first 4 digits are checked first and, only if they are correct, the second 4 digits are then checked. It is therefore possible to brute-force the first half and then the second half (only 11000 possibilities).

WPS Bruteforce

There are 2 main tools to perform this action: Reaver and Bully.

Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.

Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and CPU performance, correct handling of endianness, and a more robust set of options.

This attack takes advantage of a weakness in the eight-digit WPS PIN code; because of this issue, the protocol discloses information about the PIN's first four digits, and the last digit works as a checksum, which makes brute forcing the WPS AP easy. Note that some devices include brute-force protections, which usually block MAC addresses that repeatedly try to attack. In that case, the complexity of this attack increases, because you'd have to rotate MAC addresses while testing PINs.

If the valid WPS code is found, both Bully and Reaver will use it to discover the WPA/WPA2 PSK used to protect the network, so you will be able to connect anytime you need it.

    reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N [-L -d 2] -vv
    bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3

Smart Brute force

Instead of starting by trying every possible PIN, you should check whether there are PINs already discovered for the AP you are attacking (depending on the manufacturer MAC) and software-generated PINs. The database of known PINs is made for Access Points of certain manufacturers for which it is known that they use the same WPS PINs. This database contains the first three octets of MAC addresses and a list of corresponding PINs that are very likely for this manufacturer. There are several algorithms for generating WPS PINs. For example, ComputePIN and EasyBox use the MAC address of the Access Point in their calculations. The Arcadyan algorithm, however, also requires a device ID.

WPS Pixie Dust attack

Dominique Bongard discovered that some APs have weak ways of generating nonces (known as E-S1 and E-S2) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP, since the AP must give it to us in a hash in order to prove that it also knows the PIN and that the client is not connecting to a rogue AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS PIN. More info here:
https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
Basically, some implementations failed in the use of random keys to encrypt the 2 parts of the PIN (as it is decomposed in 2 parts during the authentication communication and sent to the client), so an offline attack can be used to brute-force the valid PIN.

    reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
    bully wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3

Null Pin attack

Some really bad implementations allowed the Null PIN to connect (very weird also). Reaver can test this (Bully cannot).

    reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''

Airgeddon

All the proposed WPS attacks can be easily performed using airgeddon.

- 5 and 6 let you try your custom PIN (if you have any)
- 7 and 8 perform the Pixie Dust attack
- 13 allows you to test the NULL PIN
- 11 and 12 will collect the PINs related to the selected AP from available databases and generate possible PINs using ComputePIN, EasyBox and optionally Arcadyan (recommended, why not?)
- 9 and 10 will test every possible PIN

WEP

So broken and disappeared that I am not going to talk about it. Just know that airgeddon has a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.