Metasploit move

[Primz]

Hi all, basically have been testing out metasploit lately and am a bit stuck (due to noobeisum) iv done the hole reaver thing and didn't really have much luck with cracking my brothers wpa2 (consent is all good) and got noticed that it was trying the same pin over and over again and noticed that most people have Generaly left reaver alone and metasploit / armitage is more a better route to take.

So here is my issues:

How do I remote scan for IP addresses outside my network (ie my brothers network)

This is prob a very stupid question and I do know if nmap but how do I remotely scan these networks for IP addresses?

Any advice is much appreciated all

[Sildaekar]

Could always go this route: https://github.com/robertdavidgraham/masscan

Just be prepared for blowback from your ISP :P

[Primz]

Not really looking to scan million ips across the internet. Generally looking for something to scan remote networks and To find IP addresses

[digip]

nmap with all work locally and outside but if behind Nat or firewalls don't expect much replies without being on the same subnet.

if looking for newer WPA tools try the pixie wps offline attack. uses a combination of reaver and some other scripting that works on most wps enabled devices. wps attacks can tend to loop with same pin if sending too fast and not close enough but the pixie attack should help you out. other thoughts is try good old fashioned aircrack suite :)

[cooper]

This thread puzzles me.

So you're trying to hack your brother's network. Since you describe WPS I'm assuming his router is well within reach of you? What distance are we talking about? Do you know what brand router he's got?

Next it seems you switched to trying to hack your brother's network over the internet. This implies you already know his external IP address. Do you? If you don't you need to stop right there as you might be messing with someone else's network.

If you indeed know the external IP address of his router, pretty much step one is to run nmap against it, see which ports are open. Because you have consent you could make it a noisy CONNECT scan (-sT) rather than the typical SYN scan (-sS) and do an exhaustive scan rather than just the more common standard set of obligatory ports (see the docs). Once you know what's available you can start to work out a plan of attack (pun intended).

If I misinterpreted and you wanted to try a networked attack against his AP, you can't do that until you access his wifi. If you did access his wifi and, through this, were given a network-local IP address from his AP, please say so and we'll take it from there.

[Primz]

Cooper that reply has made more sense to me than any thing Google has spat out at me all day :)

Also I should have made it a bit more clear. My brother lives across the road from myself (a matter of 8ft across from my home) I know his network name and I can see it when I was playing about with reaver (wrong direction I know).

I don't know his IP no but I could go and get it but that would defect the object really of my test.

So in nut shell. I want to be able to find his network when I do a scan and I can see it ( that I can and he has a sky broadband acc and a sky router) I then want to be able crack his wpa2 password and then when I get access to his network I want to be able to find a file on a device ( I will ask him to drop a file on his network for me calles test or something to that nature) and then be able to say change/ extract/ edit that file.

I know is Basicly asking to be spoon fed but for the life of me it is really stressful yet rewarding at the same time in a weird way 1 step forward 2 steps back 2 steps forward 1 step back :)

Any help would be great

Thanks in advance all

[Primz]

Little update to my mission. After last nights post I updated reaver and started to see some progression if regards to cracking my brothers wpa2 wireless network but when I checked back early this morning it was stuck on 90.90 % complete and froze. I then found out other have had this problem also so back to square one lol

Just a heads up on the above main goal is to get access to my brother witless network, see devices on network and search for a folder on one of devices then change/edit/extract the file of possible.

Any help guys as for the life of me is really starting to grind me gears :) losing sleep not being social lol any help is more than appreciated

Thanks in advance all

[i8igmac]

Sometimes stopping reaver and restarting may fix it... it should pick up where the attack left off...

does your brother use windows? Mac? Linux?

there are lots of tools that can produce a reverse shell for his machine... set toolkit, build your self a reverse shell fishing tactic, what sites do you know he visits daily? Make a spoof, send him a link...

[cooper]

Okay, so, step 1 is to get on his wifi network. There's nothing you can do with any of his machines until you manage to do that, so don't spend any time on that just yet.

To recap, the consenting target's network is WPA2 protected using a Sky-provided router which seemingly supports WPS.

This means there are 2 avenues of attack (well, 3 if you include breaking into his house and just reading the numbers off his router... we'll leave that one out for now): WPA2 and WPS

For WPS, you're already using Reaver which can't really make heads or tails of it currently, but I'd say keep trying - can't hurt I suppose. Another avenue of attack against WPS is the pixiedust attack which might be worth a shot.
For WPA2 you need to capture the 4-way handshake between one of your brother's devices and the AP, so work on that first using tools such as wifite, airodump-ng, Wireshark or tcpdump. Once you have this handshake we can get to work on trying to crack the password. If this password is something he himself set, you can probably assume it to be a concatenation of known words or common sequences of characters, possibly with the odd number of special char thrown in. There are wordlists all over the place that you can try, so in this case collect as many as you can, throw out any duplicates or words under 8 characters (WPA2 has an 8 char minimum) and get to work with tools such as hashcat, pyrit or maybe even John The Ripper to crack the password. If instead your brother got the device from his ISP and never bothered to change the WPA2 password, you should google around a bit to find out what the character set is that the ISP uses. Is it all caps? Are there any numbers in there? Special characters? How common is it to have the same character in there consecutively? Is the password always the same length? This thread has a post that apparently claims Sky uses the sequence SKY followed by 8 random uppercase characters. If so (VERIFY THIS!), that's only 208.827.064.576 variations. Considering the fact that Pyrit can manage 31.000 keys/second using a single Radeon 5870 (a 5.5 year old card already!), if you have a somewhat beefy graphics card that's capable of helping out at similar speeds we're talking about 78 days of non-stop cracking to get in. By comparison, I've seen reports of a single NVidia GTX 980 doing 170.000 keys/second which means it can perform an exhaustive scan of that keyspace (i.e. 100% chance of finding the key) in just over 2 weeks. If you wanted an excuse to buy that high-end graphics adapter, you now have one.

Here's a page on using a few of the tools I mentioned to try and hack WPA2.

Finally, WPS is an attack that works by communicating with an active AP. The WPA2 attack is an offline attack. This means that once you have that 4-way handshake (you might want to consider not running a WPS attack until you have this handshake, to keep the capture file smaller), you can do both attacks simultaneously. Whichever achieves a result first wins.

[Primz]

Again cooper thank you my main man!

Ok so here is where I am at now. Like you said cooper first step is to get access to his wifi network. Ok so I can use reaver, wifite or bully and I do but with not much success, it tried to crack the pin of the AP with reaver but always gets time out issues and multiple delays for 60 second that leaves think the best it got to was 90.90% then it froze. Wifite is pretty simple to use but again when it tried to crack the pins it's very slow and only have ever achieved 4% max in 5 hours then it froze and went on to try and collect a hand shake. (It can successfully collect handshakes as I tried it on my network with success) but for the life of the the pin cracking route is not working at all no mater I try. Have gone over reaver script with a fine comb and nothing works. Wifite is pretty much point and click so can't understand why that won't work.

Any news would be good news and any help is more than appreciated tho.

Thanks in advance all :)

[digip]

Give this a try. it's a WPS offline attack using partially reaver, aka Pixie Dust WPS Attack -

​

More info:

https://www.kali.org/penetration-testing/pixiewps-reaver-aircrack-ng-updates/

Edited May 18, 2015 by digip

[Primz]

Hey digip thanks for the reply dude. Tried that and have to say seemed to get a lot further than other routes. But best luck I had with it was again at 90.90% and then it froze and wouldn't budge. Also It also on a few APs and got the received time out occurred notification to which then it retrys the same pin over and over. I know there is a time out command -T 1.5 and iv tried that to no success also.

I think if I can't get any success anytime soon going down the route of cracking the pin then I guess I have to get as many dictionary's together as possible and start cracking the handshake as I seem to be able get handshakes ok.

Please anyone know a solution round this issues as I'm hitting a brick wall at every turn.

Thanks again in advance people, as is much appreciated

Edited May 18, 2015 by Primz

[digip]

Hey digip thanks for the reply dude. Tried that and have to say seemed to get a lot further than other routes. But best luck I had with it was again at 90.90% and then it froze and wouldn't budge. Also It also on a few APs and got the received time out occurred notification to which then it retrys the same pin over and over. I know there is a time out command -T 1.5 and iv tried that to no success also.

I think if I can't get any success anytime soon going down the route of cracking the pin then I guess I have to get as many dictionary's together as possible and start cracking the handshake as I seem to be able get handshakes ok.

Please anyone know a solution round this issues as I'm hitting a brick wall at every turn.

Thanks again in advance people, as is much appreciated

Are you installing them on your own from the old sources? Looks like the Pixie dust attack uses a fork for Reaver, so maybe that is partially the issues. Might also be that your brother has WPS off though. Make sure it's on first.

​ https://github.com/wiire/pixiewps/

[Primz]

ok i think i might have found the problem, as i was using kali via USB Boot my memory was pretty much used up and when i checked the update log from the github download it seems that there was a error with partial disk memory? i am going to be putting Kali onto my notebook fully so no USB booting anymore, and this way when kali has the full updated download with Pixie & reaver with (fork) then i can start fresh from the ground up again without any silly issues.

Thanks for all your help all, but sad to say i will be back with a few more questions if kl :)

[Primz]

Hi Everyone, Have been looking for this thread but thought it was under a diffrent title but any who. Just a update in regards to this. I have now got Kali up and running on my Asus Notebook and with the help of cap a handshakle i was then able to crack the WPA2 passwork in under 4.5 hours (password was stupidly simple, kicking myself for not guessing it ) with a few tables comipled. (Dont Worry all consent has been given in advance)

Now i have access to his network and can do a scan with nmap and see that he has 7 devices up and running a Sky TV Box, Acer Tablet i think, Ipad, Iphone and Xbox, his Smart LG TV ,HP Notebook (8 devices if you count myself)

Now i know the Iphone is a Iphone 5 and he never does his updates for his IOS

His Hp laptop is always online with no user lock at all and i think is running windows 8

his acer tablet i think is windows but not sure what version

and i am not to sure of the ipad if honest

this is where i am now stuck, what to do next what route to take as getting this far has taken months :)

I was going to use metasploit to try retrive the file i mentioned previously above in this thread but have no idea where to start.

Well thats the update hope all is good in the hood

[cooper]

You need to adopt the OODA loop.

When you started you Observed and all you saw was an AP, so 1 device to focus on. You Oriented yourself on the various options at your disposal allowing you to make an informed Decision on how to approach this problem. Then you Acted and now you're on the network.

Now you Observed and noticed that there are 7 devices and a router (which you ominously omitted from the list - assuming it's not the Sky TV Box). You're orienting yourself using the nmap output from the previous step but can't Decide on what to do next, meaning you're still in the Orienting phase.

Looking at your response you only discovered devices, but did you discover any services running on them? Did you see if there might be issues with these programs/versions (just Google)? Don't forget that some services allow you access by default - things like one of the VNC's for instance once the license has expired.

Also, now that you're on his network you can MitM those other 7 devices and listen in on their traffic which might give you clues on what to do next. I mean, he might access his email in an insecure manner allowing you to sniff his credentials from there and read anything he's received and sent (which people often omit when they browse a target's mailbox). There might be credentials for other services on there allowing you to expand your access. It's rarely as simple as: 1. get on network 2. get on box 3. access file.

[Primz]

Hi Cooper Thanks again for a speedy reply dude. Yeah that is right to be fair. I have only scanned the network while on it with nmap and can see and listed his devices from the Nmap output and also from personal knowledge as he is my brother :)

I havent yet checked what services each device is running but i am going to check this useing armitage (if there is a better method please let me know)

then after that and i know what device is running what serivce and version of OS i will prob be back posting what to do next in regards what exploit to use and how to gain acces to devices and retrive the file needed.

Once again thanks in advance all

[Mampt0n]

Armitage is a good shout. Maybe try Nessus as well?

Great advice from Cooper