Tuesday, November 19, 2019

i0t-pr0be - IoT Device Search & Default Credential Scanner

A Python 3 script to automate search via Shodan, save IoT device query results and also scan for their respective default credentials.


The script relies on two main libraries: the Shodan API and Python Selenium.

Shodan
A Shodan membership gives you 100 query credits that reset every month, while the API plans range from thousands of credits up to unlimited.

How Shodan query credits work:
Search query without any filters, first page of results: no query credit used
Search query with a filter, e.g. product:mongodb: 1 query credit
Search query requesting only the 3rd page: 1 query credit
1st to 5th page of search query results: 4 query credits
More about Shodan credits: Shodan Credits Explained

Python Selenium
This library is used to scrape and authenticate to web forms. I chose it over conventional libraries like Beautiful Soup and Scrapy because Selenium was built for browser automation, so it is easy to mimic a real user by driving mouse and keyboard events.

Selenium has an optional headless mode which hides the GUI, making it easy to build console scripts, but the GUI really does help when debugging and sorting out errors during development.

One main disadvantage of Selenium is that it is slow. This is because Selenium WebDriver instances are not thread-safe, which makes task queues and threads hard to build. ...'But this is life on earth, you can't have everything.'

Installation 
The script needs a WebDriver for the Selenium library; I used the Firefox WebDriver (geckodriver) for this script.
Download the WebDriver from https://github.com/mozilla/geckodriver/releases for your Linux architecture, then extract the binary into the /usr/bin/ directory.

Do the git thing:
git clone https://github.com/e13olf/i0t-pr0be.git
pip3 install -r requirements.txt 
./i0t-pr0be.py -h
./i0t-pr0be.py -s <search-term> -a <api-key>

Note
There are many ways to find devices on Shodan. Searching by the manufacturer's name or by the server name is usually the most effective, because the Shodan results then include the IP address and the corresponding web port.

Unfortunately most devices do not have server names indexed, so when searching you will have to add the web server port filter, e.g. D-Link port:"80". This uses 1 extra query credit, but the results will contain the IP and web server port needed for the later credential scan.

Shodan also indexes the information in the banner, but not the page content. This means that if the manufacturer puts its name in the banner you can easily search by it; if it does not, your search query returns nothing.

Nowadays most IoT firmware requires password creation during the first login, but you can still find old firmware that accepts default credentials.


References
https://danielmiessler.com/study/shodan
https://www.ispyconnect.com/userguide-default-passwords.aspx
https://ipvm.com/reports/ip-cameras-default-passwords-directory
http://www.critifence.com/default-password-database/
https://192-168-1-1ip.mobi/default-router-passwords-list/
https://selenium-python.readthedocs.io

Friday, September 1, 2017

Arch Linux not loading Kernel Modules with Cryptsetup/LUKS

You are likely to encounter this error when logging in to an Arch Linux system just after a kernel update, on a machine with a cryptsetup/LUKS encrypted partition. After the encryption password is accepted and the window manager comes up, all hardware input is unresponsive and nothing can be done except switching back to a tty. cryptsetup is the utility used to conveniently set up disk encryption based on the dm-crypt kernel module, and LUKS is the standard for Linux hard disk encryption.



To tackle this issue you need a live Arch Linux CD/USB flash drive; there is no risk of data loss. The following commands show how to go about it and get back to the window manager.

Boot up the Linux system with the Live USB/CD to this prompt:
root@archiso~#

Unlock the encrypted partition:
cryptsetup luksOpen /dev/sda2 cryptroot

Create a directory to mount the decrypted partition to:
mkdir /mnt/arch

Mount the decrypted partition to the folder created above:
mount /dev/mapper/cryptroot /mnt/arch

Change the working directory to the one created:
cd /mnt/arch

Mount the file systems: 
mount -t proc proc proc/
mount -t sysfs sys sys
mount -o bind /dev dev/

Mount the boot partition:
mount /dev/sda1 boot/

Connect the box to the internet:
sudo wifi-menu

Change the root directory from the current LiveCD or USB to the Linux box:
chroot . /bin/bash

Update the box:
pacman -Syu && mkinitcpio -p linux

Exit the chroot and unmount the partitions:
exit
umount -R /mnt/arch

Reboot the system, remove the LiveCD/USB flash drive and you are good to go.

To avoid the issue in future, remember to run mkinitcpio -p linux after every kernel update, or simply:
pacman -Syu && mkinitcpio -p linux

Mkinitcpio creates an initial ramdisk environment. The initial ramdisk is in essence a very small environment (early userspace) which loads various kernel modules and sets up necessary things before handing over control to init. This makes it possible to have, for example, encrypted root file systems and root file systems on a software RAID array. mkinitcpio allows for easy extension with custom hooks, has autodetection at runtime, and many other features.


References
https://wiki.archlinux.org/index.php/mkinitcpio
https://www.reddit.com/r/archlinux/comments/3ejvn0/whats_mkinitcpio_and_is_it_needed_when_installing/

[root@e13olf]# exit

Friday, June 16, 2017

Exploiting CCTV and IP Cameras

Surveillance cameras have helped launch the biggest attacks on the Internet. The Internet of Things (IoT) is now a major force in the weaponization of DDoS, and cameras are among the devices recruited into the botnets that fuel such attacks. This article shows how they can be compromised and exploited by attackers using various techniques.

Surveillance camera is an umbrella term covering both CCTV and IP cameras. There are some major differences between Closed Circuit Television (CCTV) systems and Internet Protocol (IP) cameras. IP cameras are the modern choice, though business owners and property managers prefer CCTV cameras to monitor large spaces. Below is a brief comparison of the main features of each type of camera.

CCTV cameras | IP cameras
------------ | ----------
Sends video back through coaxial or UTP cables. | Broadcasts video as a digital stream over an IP network to an NVR (network video recorder).
Video is recorded on a physical DVR, which can be connected to the internet for remote viewing. | Uses SD cards to record locally, or sends video over the internet to an NVR.
Power and network cables run between each camera and the base station. | Uses PoE (Power over Ethernet), making separate power cables unnecessary.
Because cabling is required, CCTV cameras all have to be in one location. | Because cabling is not always required, IP cameras do not all need to be kept in one location.
Cameras typically offer a lower resolution of 960 x 480, but some systems offer HD resolution. | Some cameras feature increased resolution of 4096 x 2160. Standard resolution tends to be 1080p HD.
Primarily provides video surveillance without advanced features. | Includes advanced features such as analytics, advanced motion detection and remote focus.
There is a physical limit to the number of cameras that can be added to the network. | Unlimited cameras can be added to the network.
2-way audio for communication with people on the other end. | 2-way audio for communication with people on the other end.
Uses television to broadcast signals. | Uses Wi-Fi and bandwidth.

In this article we concentrate on IP cameras, since they are the more widely used and they connect the computer network directly to the internet, so the live feed can be accessed from anywhere on any device.

Google Dorks
Google dorks are Google Search queries that find vulnerable systems or sensitive information about databases, websites or any IoT device.
The following queries can be used to find vulnerable security cameras on the internet:
inurl:"CgiStart?page="
inurl:/view.shtml
intitle:"Live View / - AXIS"
inurl:view/view.shtml
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera" (disconnected)
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
inurl:indexFrame.shtml Axis


Shodan
Shodan is also a great search engine that lets you find specific types of computers, or anything imaginable connected to the internet, in this case IP cameras. Using filters you can get a list of exploitable IP cameras.

Angry IP Scanner
Angry IP Scanner, also known as ipscan, is an open source network scanning tool that scans IP addresses and ports on your network; you just give it a network range to scan. On first use, make sure you enable the web-detect fetcher via Tools > Fetchers.
On an internal network it is easy to pick the range: start from your default gateway's network address and go to the last address. When the scan completes it shows the IP address assigned to the IP camera. The camera may also be configured to sit outside your network.
myip.ms is an online IP database that is useful for finding the public IPv4 ranges of any country or province. Since you will not get the exact IP address of the camera, you have to input a network range to scan, preferably from the first to the last value of the final octet of the subnet (0-255).
After a successful scan, note the names of the cameras in the Web detect column.

The following keywords in the Web detect column identify IP cameras:
RomPager/4.07 UPnP/1.0
uc-httpd 1.0.0
DVRDVS-Webs
Microhttpd
Webs
Hikvision-Webs
iBall-Baton


Copy the IP address into your web browser and you will be presented with a web login page. There are different IP camera models on the market; this article will also point out how poor their security is and how easily it can be exploited.
First try logging in with default passwords. System administrators leave their devices with default username and password combinations for a variety of reasons: simply not knowing that the password needs to be changed, or assuming that their perimeter firewall will protect them from unauthorized access, which is a poor assumption. During the attack phase, attackers spend most of their time going through product specifications and configurations to find any way into a device or system.
Different camera models have different default logins; search for the ones matching your case. Some IP cameras, like Avigilon and newer Axis models, require password creation during the first login, which is good practice; other vendors like Hikvision, Panasonic, Northern, Samsung and Bosch have adopted the same by upgrading their firmware to require unique password creation.
After a successful login, some cameras need browser plugins to display the feed; you can download them from the same page or from the manufacturer's website.

Non-default credentials do not keep attackers away either, since passwords can be cracked. Poor password choices are exploited at this point: the simpler the password, the easier it is to crack.
Hydra is a powerful tool that can be used to crack IP/CCTV camera passwords and other password-protected services. You will need a wordlist, which is available by default in the Kali Linux distro, or you can create a custom one.

hydra -s 80 -l admin -P /path/to/your/wordlist.txt -e ns -t 16 targetIP http*
The arguments of the above hydra command are:
-s 80 -- port number
-l admin -- single login name, here the default 'admin'
-P /path/to/your/wordlist.txt -- path to your wordlist
-e ns -- additionally try an empty password (n) and the login name as the password (s)
-t 16 -- number of parallel connections
targetIP -- the camera's IP address
http* -- the service module to attack

Most commercial IP cameras use RTSP to stream their video feeds. The Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol establishes and controls media sessions between endpoints. Clients of media servers issue VCR-style commands, such as play, record and pause, to control the media streaming from the server to the client in real time.
Like HTTP, RTSP runs on specific ports: 554 (the default RTSP port) and 8554 (the default emulated RTSP port). RTSP has its own structure and control commands, but it is textual, so it is easy to use once you learn the basic commands.
RTSP is not much in the limelight, but it is to security professionals because it is exploitable. There is a tool, Cameradar, that hacks its way into RTSP CCTV cameras; it is available on GitHub. It has the following features:
  • Detects open RTSP hosts on any accessible subnetwork.
  • Gets the public info (hostname, port, camera model).
  • Brute forces its way in to find the stream route.
  • Brute forces its way in to find the camera's username and password.
  • Generates thumbnails from the streams to check that they are valid.
  • Creates a GStreamer pipeline to check that they are properly encoded.
  • Prints a summary of all the information.


Cameradar runs inside Docker, an application that automates the deployment of applications inside software containers.
Before you run the tool, install the dependencies with your Linux distribution's package manager:
sudo pacman -S docker

Start the docker service:
sudo systemctl start docker
Install the tool by cloning it from GitHub, then build it:
git clone https://github.com/EtixLabs/cameradar.git
cd cameradar/deployment
sudo rm *.tar.gz
sudo ./build_last_package.sh
docker-compose build cameradar
docker-compose up cameradar

Run Cameradar from the terminal:
sudo docker run \
-v /tmp/thumbs:/tmp/thumbs \
-e CAMERAS_PORTS=your_ports \
-e CAMERAS_SUBNETWORKS=your_subnetwork \
ullaakut/cameradar:tag

The arguments of the above command are explained below:
/tmp/thumbs - path where the thumbnails are saved
CAMERAS_SUBNETWORKS - a subnet (e.g. 172.16.100.0/24) or even a single IP (e.g. 172.16.100.10)
CAMERAS_PORTS - a port, multiple ports or port ranges (e.g. 554,8554,9000-9554)
tag - lets you choose a specific version of Cameradar

After a successful scan and brute force, the generated thumbnails will be in /tmp/thumbs on your machine and in the container. The results are output as JSON objects like:
{
  "address": "127.0.0.1",
  "ids_found": true,
  "password": "123456",
  "path_found": true,
  "port": 554,
  "product": "Vivotek FD9381-HTV",
  "protocol": "tcp",
  "route": "/live.sdp",
  "service_name": "rtsp",
  "state": "open",
  "thumbnail_path": "/tmp/thumbs/127.0.0.1/1234567.jpg",
  "username": "admin"
}
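A defender who receives Cameradar output wants it turned into a remediation list: which cameras accepted a factory default, which gave up a weak password to the wordlist, and which only exposed a stream route. The script below is an added example written for this post, not part of Cameradar or the original article. It parses a constructed results array in the shape of the object above (the 192.0.2.x addresses, the second and third products and the passwords are made up) and ranks the findings so that default-credential devices are fixed first.

```python
import json
from dataclasses import dataclass
from typing import List

# Constructed results in the shape Cameradar prints (compare the object above).
# Addresses come from the TEST-NET range; products and passwords are made up.
SAMPLE_RESULTS = """
[
  {"address": "192.0.2.10", "ids_found": true, "password": "123456",
   "path_found": true, "port": 554, "product": "Vivotek FD9381-HTV",
   "protocol": "tcp", "route": "/live.sdp", "service_name": "rtsp",
   "state": "open", "thumbnail_path": "/tmp/thumbs/192.0.2.10/1.jpg",
   "username": "admin"},
  {"address": "192.0.2.11", "ids_found": false, "password": "",
   "path_found": true, "port": 8554, "product": "", "protocol": "tcp",
   "route": "/stream1", "service_name": "rtsp", "state": "open",
   "thumbnail_path": "", "username": ""},
  {"address": "192.0.2.12", "ids_found": true, "password": "Xk9!vQ2#",
   "path_found": false, "port": 554, "product": "", "protocol": "tcp",
   "route": "", "service_name": "rtsp", "state": "open",
   "thumbnail_path": "", "username": "admin"}
]
"""

# Constructed shortlist of factory defaults often left on cameras. A real
# review would use each vendor's published defaults for the product string.
DEFAULT_PASSWORDS = {"", "admin", "1234", "12345", "123456", "password"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    address: str
    port: int
    product: str
    severity: str
    reason: str
    action: str


def classify(record: dict) -> Finding:
    """Map one Cameradar result object to a remediation finding."""
    if record.get("ids_found"):
        if record.get("password", "") in DEFAULT_PASSWORDS:
            sev, reason = "critical", "factory default password accepted"
            action = "set a unique password and update the firmware"
        else:
            sev, reason = "high", "password recovered from the wordlist"
            action = "choose a long, non-dictionary password"
    elif record.get("path_found"):
        sev, reason = "medium", "stream route found, credentials not recovered"
        action = "restrict RTSP to the NVR or a VPN, watch the auth logs"
    else:
        sev, reason = "low", "RTSP port reachable, nothing recovered"
        action = "confirm the port needs to be exposed at all"
    return Finding(record["address"], int(record["port"]),
                   record.get("product") or "unknown", sev, reason, action)


def triage(results_json: str) -> List[Finding]:
    """Parse a Cameradar JSON array and return the findings, worst first."""
    findings = [classify(r) for r in json.loads(results_json)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.address))


def render(findings: List[Finding]) -> str:
    """One line per camera, ready to paste into a ticket."""
    return "\n".join(
        f"{f.severity.upper():8} {f.address}:{f.port} ({f.product}) - "
        f"{f.reason}; {f.action}"
        for f in findings
    )


if __name__ == "__main__":
    print(render(triage(SAMPLE_RESULTS)))
```

Feed it the JSON array Cameradar writes and the critical entries are the cameras that still answer to a default password; they go to the top of the list regardless of how many other hosts merely had a port open.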


VLC Media Player can be used to view the RTSP live stream from the Media > Stream > Network option, using a URL in this format:
rtsp://username:password@address:port/route
rtsp://admin:123456@127.0.0.1:554/live.sdp

Further research on the IP Cameras is ongoing, more so on how they can be used as bots.


References
https://github.com/EtixLabs/cameradar#quick-install
http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/

[root@e13olf]# exit

Wednesday, June 7, 2017

Phishing with Gophish+Mail-in-a-box (MIAB)

Phishing is often the first phase of an attack after reconnaissance, mainly because it works well: it relies on psychological manipulation of the human mind. To counter this, a 'Phishing as a Service' routine has been introduced, using tools that create fully automated campaigns. Employees are trained to spot phishing emails and are then tested with mock phishing emails. The percentage who fall victim decreases with each round, though it is impossible to reach a zero response rate. This article shows how to configure Gophish, one of the phishing simulators out there, together with Mail-in-a-Box, a dedicated Linux mail server.

Gophish is a simple phishing toolkit that allows easy management of phishing campaigns. It handles the malicious web pages that you create, the email templates and the SMTP configuration. It is available for all OS types.
MIAB is an easy-to-deploy mail server in a box. It helps individuals take back control of their email by providing a one-click, easy-to-deploy SMTP-plus-everything-else server on a Linux box. Both applications are hosted on a VPS; this blog post concentrates mostly on Gophish and on how to configure the two to run on one Linux box to save on hosting costs. For a complete, detailed guide on setting up MIAB go to https://mailinabox.email/guide.html, or for a video set-up guide see https://youtu.be/9WOmkoEYMIg

Installing Gophish

This takes place on the MIAB Linux server. Assuming you have already set up MIAB and it is running, download the latest version of Gophish:
wget https://github.com/gophish/gophish/releases/download/v0.3.0/gophish-v0.3-linux-64bit.zip

Once that is downloaded unzip the folder:
unzip gophish-v0.3-linux-64bit.zip -d Gophish

Change into that folder and make the gophish binary executable:
cd Gophish
chmod +x gophish


Open the config.json file and edit the listen_urls and the paths to the TLS certificates and keys:
vim config.json

MIAB uses TLS certificates provisioned by Let's Encrypt for your domains, and you are going to reuse those certificates and keys for Gophish. They live under /home/user-data/ssl/. Next, change each listen_url to 0.0.0.0, which makes Gophish listen on all interfaces. After the edits the config.json file should look something like this:
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
    "key_path": "/home/user-data/ssl/ssl_private_key.pem"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:80",
    "use_tls": true,
    "cert_path": "/home/user-data/ssl/ssl_certificate.pem",
    "key_path": "/home/user-data/ssl/ssl_private_key.pem"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_"
}

You can change the admin server port to your liking, but the phish server's must stay 80, since that is the URL that points to the cloned malicious web pages and port 80 is the well-known port for HTTP servers. This conflicts with MIAB, whose Nginx web server uses the same port, so you have to stop Nginx:
service nginx stop

You can use netstat to confirm the services running on various ports: 
netstat -tulpn

NOTE that you will not be able to access your webmail while Nginx is stopped, which is why you must ensure MIAB is fully working before you configure Gophish. Remember the end goal is phishing while minimizing VPS hosting costs, since MIAB was designed to run alone on a fresh machine.
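Before running ./gophish it is worth checking config.json mechanically: that each listen_url parses, that the MIAB certificate and key paths exist, that TLS is on, and that nothing (on MIAB, Nginx) still holds the port. The script below is an added example written for this post, not part of Gophish or MIAB; it reads the config shown above and reproduces the port clash on a loopback port so you can see what the warning looks like. The function and message names are my own.

```python
import json
import os
import socket
import tempfile
from typing import Dict, List, Tuple


def parse_listen_url(listen_url: str) -> Tuple[str, int]:
    """Split Gophish's "host:port" listen_url into host and port."""
    host, sep, port = listen_url.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"listen_url {listen_url!r} is not host:port")
    return host, int(port)


def bind_status(host: str, port: int) -> str:
    """Try to bind the socket Gophish would bind and say why it cannot.
    On a MIAB host the usual occupant of port 80 is Nginx."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except PermissionError:
            return "privileged"  # ports below 1024 need root to bind
        except OSError:
            return "in_use"
    return "free"


def check_config(config: Dict) -> List[str]:
    """Return a list of problems; an empty list means ./gophish can start."""
    problems: List[str] = []
    for name in ("admin_server", "phish_server"):
        server = config.get(name)
        if not isinstance(server, dict):
            problems.append(f"{name}: section missing")
            continue
        try:
            host, port = parse_listen_url(str(server.get("listen_url", "")))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if server.get("use_tls"):
            for key in ("cert_path", "key_path"):
                path = str(server.get(key, ""))
                if not os.path.isfile(path):
                    problems.append(f"{name}: {key} {path!r} not found")
        else:
            problems.append(f"{name}: use_tls is false; logins and captured "
                            "credentials would travel in plaintext")
        status = bind_status(host, port)
        if status == "in_use":
            problems.append(f"{name}: {host}:{port} already in use "
                            "(on MIAB, stop nginx first)")
        elif status == "privileged":
            problems.append(f"{name}: {host}:{port} needs root to bind")
    return problems


def check_config_file(path: str = "config.json") -> List[str]:
    """Check a config.json on disk (run from the Gophish directory)."""
    with open(path, encoding="utf-8") as fh:
        return check_config(json.load(fh))


def demo_port_conflict() -> List[str]:
    """Reproduce the Nginx clash on loopback: hold a listener open, then
    check a config whose phish_server wants that same port. The temporary
    .pem file only stands in for the MIAB certificate path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as busy:
        busy.bind(("127.0.0.1", 0))
        busy.listen(1)
        port = busy.getsockname()[1]
        with tempfile.NamedTemporaryFile("w", suffix=".pem") as pem:
            tls = {"use_tls": True, "cert_path": pem.name, "key_path": pem.name}
            config = {
                "admin_server": dict(listen_url="127.0.0.1:0", **tls),
                "phish_server": dict(listen_url=f"127.0.0.1:{port}", **tls),
            }
            return check_config(config)


if __name__ == "__main__":
    for line in check_config_file() or ["config.json looks ready"]:
        print(line)
```

Run it as root from the Gophish directory: an unprivileged user gets the "needs root to bind" result for port 80 instead of learning whether Nginx is still there, because the bind test cannot distinguish the two without the privilege.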

Now you can go ahead and start Gophish:
./gophish

Gophish should now be running. In the terminal where you started it you should see that two servers have been created: the admin interface, which lets us manage our phishing campaigns, and the phishing server, which serves the malicious clones.

Proceed to your browser and log in with the credentials admin:gophish; you can change them from the Settings tab. After logging in you are presented with the dashboard. From here, navigate to the Sending Profiles tab on the left-hand side and click New Profile. Fill out the form with the mail details from MIAB: your email address, SMTP details and password. Click Send Test Email to ensure the details have been entered correctly.

You can then move on to the Landing Page. This is where the victim will be directed after clicking a link in the email. As before, click New Page and fill in the form. Choose a page name you will remember later on; I recommend using the name of the website you are going to clone. Then import the site you want to clone by clicking Import Site and entering the legitimate web URL in the popup that appears. Once that is done, select Capture Submitted Data and Capture Passwords. You can then add a Redirect, i.e. the real page the victim will be sent to afterwards, in this case the LinkedIn login page. Note that some cloned sites may not work in a campaign because of their JavaScript; you will have to go through the code manually and delete what is not needed. The form's POST action is the important part of the code.

Moving on to Email Templates, name the template as you did for the landing page. You can then import an email template: in Gmail you can view the email source and paste it into the Email Content field in Gophish. Then change the links to point to the Landing Page, so that any link in the email sends the recipient to the cloned phishing page. Save the template.


Next add Users and Groups, giving the group a name. This is where the target email addresses are stored. Add the first and last name, email address and position, and add the entry to the list. You can also bulk import users into the group.

The last step is launching a campaign. Enter all the information from the previous steps, name the campaign and add the URL of the site that will capture the data; in this case the domain you bought and set up with MIAB. You can then schedule when the email is sent. Also check the time zone of the VPS against your own before you launch the campaign.



You can now see the active campaign in your dashboard while you wait for the email to be received. The dashboard also shows a timeline of the campaign: when it was created, when the email was sent and opened, whether the link was clicked and whether any data was submitted. The submitted data lets you see what was entered, and you can replay the credentials, which automatically logs you in to that site with them.


References
https://getgophish.com/documentation/
https://github.com/gophish/gophish/releases
https://mailinabox.email/
https://www.skyhighnetworks.com/cloud-security-blog/top-phishing-test-tools-and-simulators/

[root@e13olf]# exit

Monday, July 4, 2016

Arch Linux + i3 Window Manager

I have been using Arch Linux for about a year now and loving it more with each passing day. The beauty of Arch is that it lets you tweak it to your preference. When I first installed Arch on my machine as the primary OS, I installed GNOME to go along with it, but later changed to the i3 tiling window manager.

Daniel Brühl, playing Daniel Domscheit-Berg in the movie The Fifth Estate, using a tiling WM on his laptop. Image source: http://www.secondstogo.blogspot.com/2015/04/phones-laptops-airports.html
A tiling window manager is a window manager that organizes the screen into mutually non-overlapping frames (Wikipedia definition). The terminal is the most powerful tool in Linux; it is easier and faster to complete tasks with it than with the GUI, though that depends on your typing speed and how well versed you are in Linux commands. A tiling window manager plus terminal apps is a sweet combination.



There are many tiling window managers available today, like fluxbox, awesome, alopex, bspwm, catwm and i3, among others. In this article we concentrate on i3.

i3 is a tiling window manager whose target platforms are GNU/Linux and BSD operating systems. It is primarily aimed at advanced users and developers. This article shows you how to install i3 on your Arch Linux machine and how to work with it.

Install i3, which pulls in its three packages: the window manager i3-wm, the screen locker i3lock and the status bar i3status:
sudo pacman -S i3

Next configure your display manager, or, if you prefer to start the X session manually, add 'exec i3' to the .xinitrc file in your home directory and then run:
startx
startx initializes an X session and loads the clients/applications specified in .xinitrc; when the last client exits, the session ends.
The GNOME display manager lets you switch between window managers when logging in, but if you want to remove GNOME completely:
sudo pacman -Rsc gnome gnome-extra
To use i3 effectively it is good to know the basic shortcuts. The mod key is the Windows/Super key.
mod + Enter - start a terminal
mod + 1/2/3 - open a new workspace
mod + v - the next window opens in a vertical layout
mod + h - the next window opens in a horizontal layout
mod + d - the next window opens in a tabbed layout
mod + Shift + r - reload the i3 session
mod + Shift + e - exit the i3 session
mod + Shift + q - close the current window
mod + f - switch the active window to full-screen view
mod + r - resize a window
mod + Shift + e - kill the i3 session
mod + d - search for installed applications
mod + Shift + workspace 1/2/3... - move an open window to another workspace
mod + arrow keys - switch between tiles in a workspace
mod + s - open one window in full-screen mode
mod + e - switch the windows back to tile view


For more documentation about i3, go to http://i3wm.org/docs/
There are many terminal applications that go along with i3 or any tiling window manager, for example:


Email client: mutt
File manager: ranger
Music player: cmus
Text editor: vim


For more terminal applications, the ArchWiki has a list of applications; look through it and play around to find the ones that suit you.

Customizing i3 is quite a process but a simple one. The Code Cast YouTube channel has three great videos on configuring i3: the status bar, the terminal, arranging your workspaces, the wallpaper and much more.

[root@e13olf]# exit


Friday, May 20, 2016

Cracking WPA/WPA2 Passwords Using Airmon-ng in Kali Sana

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are the most used Wi-Fi security protocols for securing wireless networks. The Wired Equivalent Privacy (WEP) standard was the initial security algorithm, but over time numerous security flaws were discovered and, as computing power increased over the years, they became easier and easier to exploit.

Disclaimer: The contents of this article are for ethical and educational purposes.

You will need a working Kali Linux machine and either an external wireless card with packet injection capability or the wireless card inside your laptop.
First open the terminal and type airmon-ng to view the interfaces; ifconfig does basically the same.

The wireless interface will mostly be listed as wlan0, in some cases as wlp2s0.
Next start airmon-ng on the wireless interface:
airmon-ng start wlan0

The command enables monitor mode, which lets you see the network traffic around you. There may be a warning listing processes that could cause problems; they need to be killed. Kill them with the kill command or with airmon-ng check kill, then run the command again to enable monitor mode.

After successfully killing the processes, you check the available wireless networks around to find an access point;
airodump-ng wlan0mon

Let it run for a while; once you see the name of the victim network, note its channel (CH) and BSSID. Next run:
airodump-ng -c channel_no -w wireless_name --bssid bssid_no wlan0mon

for my case it is;
airodump-ng -c 11 -w Yell --bssid 30:39:26:E3:8B:93 wlan0mon
This enables you to listen specifically to that wireless network.




You will see the number of devices connected to the network; what you are basically doing is waiting for a 4-way handshake, which will be shown in the top right corner. We will kick one of the computers or devices off the wireless network, and as the device tries to reconnect it will give us the 4-way handshake we are looking for. So we send out a deauthentication packet: open a new terminal, note the BSSID and type:
aireplay-ng -0 0 -a bssid_no wlan0mon

After a while you will get a WPA handshake (shown on the top right side of the terminal).

Close one of the terminal then type ls to view the saved file that contains details of the victim wireless network(.kismet.csv, .kismet, .netxml, .cap, .csv).

You will be using the one with .cap extension to brute-force with a wordlist.



In Kali Linux the default wordlist rockyou.txt is situated in /usr/share/wordlists/ you can extract and use it if you do not have a custom wordlist for yourself.
With the available wordlist, downloaded or custom made, you will use it on the next step ;
aircrack-ng -w /root/Desktop/wordlist.txt wirelessname.cap

For my case it is;
aircrack-ng -w /root/Desktop/wordlist.txt Yell-02.cap

My wordlist is saved in the /root/Desktop directory.
The passwords on the list will be tried at different rates depending on whether the GPU or the CPU is used to crack the password.

After a while the key phrase is found :)


Brute-forcing takes a while depending on the password used. WPA allows password lengths of up to 64 characters, with a mixture of uppercase, lowercase, numbers and special characters.
Although passwords can be cracked, there are a number of ways to make them nearly impossible or at least hard to crack:
    • Use long passwords; more characters make them stronger. A 10-numeral password has 1000 million combinations, and it may take an attacker about 28 hours to crack it at class A speed (10,000 passwords/sec). Click here to check password recovery speeds for your type of password combination.
    • Mix upper-case and lower-case letters.
    • Add special characters and symbols.
    • Use a substitution cipher or leet speak, i.e. replace letters with similar-looking characters, for example a with @ and s with 5.
    • Change your password often and never use the same password on different password-protected accounts/sites.
    • Never use birthdays, pet names or phone numbers as your password.
    • Avoid dictionary words as passwords; they are susceptible to dictionary attacks even if you add digits after them.
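A passphrase check that implements the advice above, as an added example written for this post (not the author's code): it flags short, single-case, symbol-free and all-digit passphrases, and it strips trailing digits and undoes leet substitutions before the dictionary lookup, because cracking rule sets apply exactly those transformations to a wordlist. The word set is a constructed stand-in for rockyou.txt, the time estimate uses the 10,000 guesses/sec class A rate quoted in the list, and the function names are my own.

```python
import re
from typing import List, Optional

# Constructed stand-in for a cracking wordlist. Kali ships rockyou.txt under
# /usr/share/wordlists/; a real check would load that file into this set.
COMMON_WORDS = {"password", "welcome", "sunshine", "dragon", "letmein",
                "qwerty", "football", "monkey", "yellow", "iloveyou"}

# Leet substitutions that cracking rules undo before comparing against the
# wordlist, so "P@55w0rd" is still "password" to a dictionary attack.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LEN = 8            # WPA2-PSK passphrases are 8 to 63 characters
CLASS_A_RATE = 10_000  # guesses per second, the "class A" rate the post cites


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume for this passphrase."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def seconds_to_exhaust(pw: str, rate: int = CLASS_A_RATE) -> float:
    """Worst-case time to try every string of this length and alphabet."""
    return charset_size(pw) ** len(pw) / rate


def dictionary_base(pw: str) -> Optional[str]:
    """Return the wordlist entry the passphrase is built on, if any.
    Trailing digits/symbols are stripped and leet undone first."""
    core = re.sub(r"[\d\W_]+$", "", pw).translate(LEET).lower()
    return core if core in COMMON_WORDS else None


def check_passphrase(pw: str) -> List[str]:
    """Apply the post's advice and return the rules the passphrase breaks."""
    issues: List[str] = []
    if len(pw) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        issues.append("mix upper-case and lower-case letters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("add special characters or symbols")
    if re.fullmatch(r"\d+", pw):
        issues.append("all digits: looks like a date or phone number")
    base = dictionary_base(pw)
    if base:
        issues.append(f"built on the dictionary word '{base}'")
    return issues


if __name__ == "__main__":
    for candidate in ("19900520", "P@55w0rd", "Sunshine123!", "Tr4nsit-Lamp#Yellow92"):
        hours = seconds_to_exhaust(candidate) / 3600
        print(f"{candidate!r}: {check_passphrase(candidate) or ['ok']}, "
              f"{hours:.1f} h to exhaust at {CLASS_A_RATE}/s")
```

The exhaustion time is the brute-force ceiling; the dictionary check matters more in practice, since a wordlist plus rules finds "Sunshine123!" in seconds while the brute-force figure for it suggests years.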
      [root@e13olf]# exit

      Saturday, March 5, 2016

      Basic Linux Commands

      This blog article contains list of Basic Linux Commands mostly for the beginners. With a little introduction, a terminal is the command interpreter also the Linux shell, it is where Linux commands are typed to be executed.

      A Linux kernel is the heart of a Linux system while a Shell Script is a list of commands stored in a file that the shell executes non-interactively.

      Their are different types of Linux command shells, for example;
      •   bourne shell ( $ character prompt)
      •   c shell (% character prompt)



      TYPES OF COMMANDS
      1. Simple commands - Example: who
      2. Complex commands - Example: who am i
      3. Compound commands - Example: date ; who am i ;

      When you open the terminal, the Home Directory is the directory in which you start out after you log in.
      NOTE: Linux systems are case sensitive: Home, hOme, HOME and homE are all different files or folders depending on the scenario.

      LINUX COMMANDS
      su (super user) - allows a user to log in as root/super user.
      sudo (super user do) - allows a permitted user to execute a command as the superuser or as root. When you are running as root, the shell prompt changes to the # character.

      NOTE: It is not advisable to use su for day-to-day use since it can result in serious errors when accidentally used; hence sudo is considered safer than su.

      cal Displays calendar of present month and year.
      cal 1990 Displays all the months of the year 1990.

      date Prints current date and time.

      cd Change directory command, it changes the working directory.
      cd Desktop Changes the directory to Desktop.

      find Allows one to search for a file in a given directory.
      find directory_name -name file_name

      who Displays who is logged on, on which tty, and the time the user logged on.

      whoami Displays your username associated with the current user ID

      uptime Displays the time the system has been up/on.

      exit Exits the user from the terminal screen.

      clear This command clears the visible area of the terminal screen.

      du Shows how much space each file takes up.

      top Provides a quick overview of the currently running processes, number of users logged in and the uptime.

      kill Terminates processes, mostly those that cannot be terminated in the normal way. You give it the process ID as displayed by the top command.
      kill 175 Kills process ID=175.

      passwd Allows users to change their own password.

      free Displays the amount of memory used and free system memory.

      ifconfig Used to configure the kernel network interfaces.

      ping Allows a user to verify that a particular IP address accepts requests; used to test connectivity and determine the response time.
      ping www.google.com

      w Prints the current system users.

      shutdown Shuts down the computer.
      shutdown -r Reboots the computer after shutdown.
      shutdown -h Halts the computer after shutdown.
      shutdown -c Cancels the shutdown process.

      tar puts file(s) into an archive.
      tar cvzf file_name.tar.gz /home/My_archives The command will create a compressed archive of the directory /home/My_archives.
      -f writes the output to a file and not the screen, as is usually the case.
      -c creates a new tar archive
      -r adds files to an existing archive
      -t lists the contents of an archive
      -u adds files, but only if they are newer than the files already in the archive
      -x extracts files from an archive
      -z compresses the resulting archive with gzip (the z in the example above)
      -v lists the files processed
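As an added example (not code from the original post), the function below exercises the flags listed above on a throwaway directory created with mktemp -d: it creates a gzip archive (cvzf) of a constructed My_archives tree, lists it (tzf), extracts it (xzf) into a second directory and compares the result with the original. Listing with -t before extracting with -x is a habit worth keeping; it shows exactly which paths an archive will write before anything touches the file system.

```shell
#!/bin/sh
# Round-trip a constructed directory through tar (added example).
# Prints the number of entries the archive listing reported.
tar_roundtrip() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/My_archives/notes"
    printf 'first\n' > "$work/My_archives/a.txt"
    printf 'second\n' > "$work/My_archives/notes/b.txt"

    # c = create, v = verbose, z = gzip, f = write to the named file.
    # -C changes into $work first so the stored paths are relative
    # (My_archives/...) rather than absolute.
    tar cvzf "$work/archive.tar.gz" -C "$work" My_archives >/dev/null

    # t = list the contents without extracting anything.
    count=$(tar tzf "$work/archive.tar.gz" | wc -l | tr -d ' ')

    # x = extract, again relative to a directory we choose.
    mkdir "$work/restore"
    tar xzf "$work/archive.tar.gz" -C "$work/restore"

    # The extracted tree must match the source byte for byte.
    if ! diff -r "$work/My_archives" "$work/restore/My_archives" >/dev/null; then
        rm -rf "$work"
        return 1
    fi

    rm -rf "$work"
    echo "$count"
}

# -r (append) and -u (update) only work on uncompressed archives, so this
# helper builds a plain .tar, appends a second file, and reports the count.
tar_append_demo() {
    work=$(mktemp -d) || return 1
    printf 'one\n' > "$work/one.txt"
    printf 'two\n' > "$work/two.txt"
    tar cf "$work/plain.tar" -C "$work" one.txt
    tar rf "$work/plain.tar" -C "$work" two.txt
    count=$(tar tf "$work/plain.tar" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$count"
}

# Usage: tar_roundtrip   -> 4 (My_archives/, a.txt, notes/, notes/b.txt)
#        tar_append_demo -> 2
```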

      Listing Files
      ls Lists the files in the current directory.
      ls -a also shows hidden files (names beginning with a dot)
      ls -F appends an indicator to each name (/ for directories, * for executables)
      ls -1 lists one entry per line
      ls -l long listing: permissions, owner, size and modification date of each file
      You can use all the ls arguments at a go, i.e.;
      ls -aF1l
      lsblk
      Stands for list block devices; prints block devices (disks, partitions and USB drives) by their assigned name.

      cat
      Views the contents of a file.
      cat -b file_name numbers the output lines, skipping blank lines.
      cat -n file_name numbers all output lines.

      wc Counts the words, lines, and characters in a file.
      wc -lwc file_name
      wc -l file_name counts lines
      wc -w file_name counts words
      wc -c file_name counts characters

      Copying Files
      cp command
      cp source_file destination_file Copies a file.
      cp source_file directory/ Copies a file into the given directory.

      Renaming Files
      mv command
      mv file_name new_file_name

      Removing Files
      rm command
      rm file_name
      rm -i file_name Interactive mode for removing files (asks before each deletion).

      Creating New Files
      You can use different text editors to create new files, like leafpad, gedit, nano etc. depending on your Linux distribution. For this blog I am using vim.
      Ensure you have vim installed;
      Type vim to open the terminal-based editor
      press 'a' to insert text and the 'Esc' key to get out of insert mode
      n jumps to the next match of the last search
      :e filename switches to another file, or opens filename when you are on the vim intro page
      :u undoes the last edit command
      :q quits vim
      :q! force-closes vim without saving
      :wq saves and quits
      :x saves the modified file and exits the editor
      :w file_name save as (to a new file_name)

      Directories and their Manipulation
      pwd Prints the working directory.
      mkdir directory_name Creates a new directory.
      mkdir -p notes/linux/commands/permissions Creates the parent directories notes/linux/commands if they don't exist.
      cp -r source destination Copies a directory.
      cp -r docs/book docs/school work/src /mnt/zip Copies multiple directories (book, school and src) into the zip directory.
      mv source destination Moves files and directories.
      rmdir directory_name Removes an empty directory.
      rm -r directory_name Removes a directory with all its contents.

      User_Groups and Permissions
      sudo adduser username adds a user
      sudo userdel username deletes a user

      /etc/passwd Stores users information. 
      /etc/group Stores all information about groups.

      sudo passwd username Changes user password. 
      sudo groupadd groupname Adds a group.
      sudo groupdel groupname Deletes a group.
      sudo adduser username groupname Adds a user to a group.
      sudo deluser username groupname Removes a user from a group.
      sudo chmod 777 foldername Changes the permissions of a folder.

      File or folder permissions are made up of three permissions (read, write and execute), each identified by a unique number:
      4 -read permission (r)
      2 -write permission (w)
      1 -execute permission (x)

      With basic math 4+2+1=7 (all three permissions together equal full permission).

      777, 775, 770, 700 etc.
      1st digit of the three-figure number - Owner's permission to a file or folder.
      2nd digit - Group permission to the file or folder.
      3rd digit - Everybody else's/others' permission to the file/folder.

      775 owner and group have full permission while others have read and execute permission only, to a file or folder
      777 owner, group and others all have full permission (read, write and execute) to a file or folder

      sudo chmod 777 filename/foldername Gives owner, group and everybody else full read, write and execute permission to a file or folder.

      sudo chmod 775 filename/foldername Gives owner and group full read, write and execute permission while everybody else gets read and execute permission only.

      sudo chmod -R 777 foldername (-R applies the change recursively to everything inside the folder)
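As an added example (not code from the original post), the functions below do the 4+2+1 arithmetic above in both directions, converting between the nine-character rwx string that ls -l prints and the octal number chmod takes, then read a file's real mode back after chmod. The last function shows the cost of the 777 examples: on a constructed set of files it counts how many are writable by everybody (find -perm -002 matches any file whose others-write bit is set), which is the check to run before and after a recursive chmod.

```shell
#!/bin/sh
# Permission arithmetic and a world-writable check (added example).

# Map one octal digit (0-7) to its rwx triplet: 4 = r, 2 = w, 1 = x.
digit_to_triplet() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# 750 -> rwxr-x---  (owner, group, others)
octal_to_perm() {
    o=$(digit_to_triplet "$(printf '%s' "$1" | cut -c1)") || return 1
    g=$(digit_to_triplet "$(printf '%s' "$1" | cut -c2)") || return 1
    w=$(digit_to_triplet "$(printf '%s' "$1" | cut -c3)") || return 1
    printf '%s%s%s\n' "$o" "$g" "$w"
}

# rwxr-x--- -> 750, summing 4+2+1 for each three-character group
# (s/t in the execute slot count as execute; setuid bits are ignored here).
perm_to_octal() {
    sym=$1
    out=''
    i=1
    while [ "$i" -le 7 ]; do
        t=$(printf '%s' "$sym" | cut -c"$i"-"$((i + 2))")
        n=0
        case $t in r??) n=$((n + 4)) ;; esac
        case $t in ?w?) n=$((n + 2)) ;; esac
        case $t in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
        i=$((i + 3))
    done
    printf '%s\n' "$out"
}

# Read a file's mode as the nine rwx characters shown by ls -l.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Apply chmod with an octal mode to a temporary file and report the
# symbolic mode read back, e.g. chmod_roundtrip 750 -> rwxr-x---
chmod_roundtrip() {
    f=$(mktemp) || return 1
    chmod "$1" "$f"
    m=$(mode_of "$f")
    rm -f "$f"
    echo "$m"
}

# Constructed demo: three files, one of them given the post's 777. Counts
# the files anyone on the system could modify.
world_writable_demo() {
    work=$(mktemp -d) || return 1
    : > "$work/private"; chmod 600 "$work/private"
    : > "$work/shared";  chmod 664 "$work/shared"
    : > "$work/open";    chmod 777 "$work/open"
    n=$(find "$work" -type f -perm -002 | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$n"
}

# Usage: perm_to_octal rwxr-x---  -> 750
#        octal_to_perm 775        -> rwxrwxr-x
#        world_writable_demo      -> 1
```

Run the find from world_writable_demo against a real directory (find /srv -type f -perm -002, for instance) to see what a past chmod -R 777 left behind; 775 or 750 usually gives the group what it needs without handing write access to every account on the machine.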

      Ownership
      sudo chown -R username file_name/folder_name Changes the user ownership of a folder/file.
      sudo chgrp -R groupname file/folder Changes the group ownership of a folder/file.

      Man Pages
      Every version of Linux comes with an extensive collection of help pages called man pages (short for manual pages ). The man pages are the authoritative source about your Linux system.
      They contain complete information about both the kernel and all the utilities. If you type;
      man ls
      It brings up the manual page for the ls command and the arguments that go along with it.

      Happy learning.

      [root@e13olf]# exit


      Wednesday, March 2, 2016

      How to Install Arch Linux

      A step-by-step clean installation of Arch Linux, either on a new machine or in a virtual machine. You can get the ISO image from www.archlinux.org/download/



      Boot the image through a boot medium (flash drive or compact disk).
      You will be greeted by the Arch Linux boot menu. Select the preferred version; note that the first in the list (x86_64) is the 64-bit Arch Linux version and the second selection (i686) is the 32-bit one. After loading you'll be presented with a tty1 logged-in screen.

      Next is managing/partitioning the hard drive.
      To find out what the hard drive is called, type;
      lsblk

      To partition the disk, type;
      cfdisk /dev/sda

      sda being the drive to partition. You may be asked to select a label type; select the dos table. You will see the free space available to you.
      Click on New then select Primary.
      Set it as Bootable; the Boot column will now be marked with an *.

      To apply the changes to the drive select Write, press Enter, then type the word 'yes' and press Enter for the changes to take effect.
      Go back by selecting Quit.

      To see how the disk has been partitioned type
      lsblk

      You will see an sda1 partition under sda.
      Now format the partition:
      mkfs.ext4 /dev/sda1

      Next step is to mount the partition into the local file system. Type;
      mount /dev/sda1 /mnt

      Next step is to install Arch Linux into that partition. An internet connection is needed for this.
      If you do not have a working Ethernet connection, connect to a wireless network by typing;
      wifi-menu

      Wireless devices will be listed; WiFi interface names are likely to start with 'wl'. Select a wireless network and type its password if it requires one.

      Test the connection
      ping -c 3 www.google.com

      To choose a mirror, type;
      nano /etc/pacman.d/mirrorlist

      Look through the list for a mirror near you for better download speed.

      Hit Alt+6 to copy a particular mirror line, use the 'Page Up' key to go to the top, then hit Ctrl+U to paste the line at the top; hit Ctrl+X to exit and type Y to save the changes.

      Next install the packages, run; 
      pacstrap -i /mnt base base-devel

      When prompted with Enter a selection (default=all): hit Enter to install the whole selection.
      To proceed with the installation hit Enter (this is the default, the same as pressing Y).

      The next step is to set up the fstab file, which in Linux is the text file that lists all the partitions and hard drives that should be mounted automatically at system boot. Type
      genfstab -U /mnt > /mnt/etc/fstab

      If you run the below command you will see the data has been written;
      cat /mnt/etc/fstab

      Change over from running on the Arch live CD into the partition you just installed into.
      arch-chroot /mnt /bin/bash

      Next install the boot loader;
      pacman -S grub

      Install the downloaded grub to the drive;
      grub-install /dev/sda

      NOTE: Install it to the drive but not the partition

      Next is to configure the init file system;
      mkinitcpio -p linux

      Next configure grub again;
      grub-mkconfig -o /boot/grub/grub.cfg

      You have successfully installed a bootable Linux environment; the next step is to install tools for a usable desktop environment;
      pacman -S vim

      Another important tool is the bash-completion to auto-complete commands;
      pacman -S bash-completion

      Install the gnome desktop environment or any of your favourite Linux desktop environments;
      pacman -S gnome gnome-extra

      Set up the locale; this specifies the regional and language settings of the system;
      nano /etc/locale.gen

      Using the arrow keys select your locale configuration by uncommenting (removing the # character)
      The default and most common locale is en_US.UTF-8 UTF-8 (for English speakers)
      Hit Ctrl+ O then enter
      To leave the screen hit Ctrl+X
      To update the system to use the locale, type;
      locale-gen

      To specify English or another language to be used type;
      nano /etc/locale.conf

      Then type; 
      LANG=en_US.UTF-8

      Hit Ctrl+ O then enter. To leave the screen hit Ctrl+X to exit nano

      The next thing is to set the time zone (Continent/City, e.g. your country's capital city)
      ln -s /usr/share/zoneinfo/Africa/Nairobi /etc/localtime

      For a person in New York
      ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

      Set up the hardware clock on the machine to track the time correctly
      hwclock --systohc --utc

      To set a custom hostname for your system, run;
      echo qwerty > /etc/hostname
      (replace qwerty with your hostname)

      Setting up the root user password. Run;
      passwd

      Enter the new UNIX password, then retype it to verify it.

      Next step is creating the users; replace 'qwerty' with your username and run;
      useradd -m -G wheel,storage,power -s /bin/bash qwerty

      Give a password to the new user (in my case the username was qwerty);
      passwd qwerty

      To allow this user to do administrative jobs with sudo, install sudo;
      pacman -S sudo


      Allow the users in the wheel group to perform admin tasks with sudo; to edit that, run;
      EDITOR=nano visudo

      Move down, then uncomment this line in the opened sudoers file
      %wheel ALL=(ALL) ALL

      Then type :wq to write and quit

      Unmount and reboot the machine;
      exit
      umount /mnt
      shutdown -r now


      Remove the installation media (flash drive or CD). You will be brought to a login screen. Input your username and password; you need to enable the gdm (gnome desktop manager) service for the gnome desktop and then restart the box:
      sudo systemctl enable gdm

      After logging in, it is advisable to keep your system up to date;
      sudo pacman -Syu

      If there are error messages, it is because the network has not been set up yet; type;
      sudo systemctl enable NetworkManager
      sudo systemctl start NetworkManager


      Then re-run the previous command to update your packages.


      There you have it, a working Arch Linux Distro.
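As an added example (not code from the original post), the script below checks the files the steps above write, under a root directory you pass in (/mnt while still inside the live CD, / after the reboot; both are assumptions about where you run it): the fstab entries genfstab -U produced use UUID= sources and have six fields, /etc/hostname and /etc/locale.conf were written, /etc/localtime was linked, and the %wheel line in sudoers is really uncommented (the pattern also accepts the ALL=(ALL:ALL) spelling some sudoers files use). make_sample_root builds a constructed tree that mirrors the post's results so the checks can be tried without a real installation.

```shell
#!/bin/sh
# Post-install sanity checks for the Arch steps above (added example).
# Each check_* prints one line per problem found under the given root.

check_fstab() {
    f=$1/etc/fstab
    [ -s "$f" ] || { echo "fstab: missing or empty"; return; }
    # Skip comments and blank lines; genfstab -U writes UUID= sources and
    # six whitespace-separated fields per entry.
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
    while read -r src mnt fstype opts dump pass extra; do
        case $src in
            UUID=*) ;;
            *) echo "fstab: $src is not a UUID= source" ;;
        esac
        if [ -z "$pass" ] || [ -n "$extra" ]; then
            echo "fstab: entry for $mnt does not have six fields"
        fi
    done
}

check_hostname() {
    [ -s "$1/etc/hostname" ] || echo "hostname: /etc/hostname missing or empty"
}

check_locale() {
    grep -q '^LANG=' "$1/etc/locale.conf" 2>/dev/null ||
        echo "locale: no LANG= line in /etc/locale.conf"
}

check_timezone() {
    [ -L "$1/etc/localtime" ] || [ -e "$1/etc/localtime" ] ||
        echo "timezone: /etc/localtime not set"
}

check_sudoers() {
    grep -Eq '^%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL' \
        "$1/etc/sudoers" 2>/dev/null ||
        echo "sudoers: %wheel line still commented out"
}

# Run every check; print the problems and return 1 if there were any.
verify_install() {
    root=${1:-/}
    problems=$(check_fstab "$root"; check_hostname "$root"; check_locale "$root";
               check_timezone "$root"; check_sudoers "$root")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed root tree for trying the checks. good=1 mirrors what the
# steps leave behind; good=0 uses a /dev/sda1 fstab source and leaves the
# %wheel line commented out. Prints the directory it created.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc"
    if [ "$1" = 1 ]; then
        printf 'UUID=0000-constructed\t/\text4\trw,relatime\t0 1\n' > "$root/etc/fstab"
        printf '%%wheel ALL=(ALL) ALL\n' > "$root/etc/sudoers"
    else
        printf '/dev/sda1\t/\text4\trw,relatime\t0 1\n' > "$root/etc/fstab"
        printf '# %%wheel ALL=(ALL) ALL\n' > "$root/etc/sudoers"
    fi
    echo qwerty > "$root/etc/hostname"
    echo LANG=en_US.UTF-8 > "$root/etc/locale.conf"
    ln -s /usr/share/zoneinfo/Africa/Nairobi "$root/etc/localtime"
    echo "$root"
}

# Build a sample root, count the problems verify_install reports, clean up.
sample_root_problems() {
    root=$(make_sample_root "$1") || return 1
    n=$(verify_install "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$n"
}

# Usage: verify_install /mnt        (from the live CD, before rebooting)
#        sample_root_problems 1  -> 0
#        sample_root_problems 0  -> 2
```

A non-UUID source in fstab is worth catching before the reboot: the post installs to /dev/sda1, but device names can change once a USB stick or second disk is added, while the UUID genfstab -U writes does not.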


      [root@e13olf]# exit