icarus255

Posts posted by icarus255

  1. I was upset by this at first but after I thought about it and did a bit of research the new laws won't have as large of an impact as most people think.

    Firstly, the laws are very vague and were rushed through parliament without much thought on how they will be implemented. It's all well and good to say the Australian government has these new powers but if a manufacturer or software developer resides in another country where Australian laws do not apply then how can the Australian government enforce its policy?

    Secondly, a lot of software developers co-operate with government agencies anyway and provide private keys on demand e.g. Skype, Facebook (and I'm sure many others that haven't admitted it yet). If people are relying on large corporations to secure their privacy or believe that they have the individual's best interests at heart then we have bigger problems than these new laws.

    Thirdly, you can't create backdoors in existing and proven encryption algorithms just because the law says that we need to. The only thing you can do is ask developers and manufacturers to create backdoors in their platforms and hand over user keys but this has its limitations (refer point 1).

    The only real way to defeat encryption in my opinion is for manufacturers to create backdoors into devices like laptops, phones, etc and provide access to governments on demand. By access I mean the ability to capture key strokes and screen content so it wouldn't matter what encryption algo you are using because they would see it all in plain text as you type it. Will it get to that? Maybe who knows but hopefully we will be a step ahead 😉

  2. Not really sure if I understood your questions and your scenarios. It would probably make more sense if you pasted the hashes here so people can see what you're talking about but I will try to answer anyway.

    You need to identify what hashes you are capturing first because Windows uses several authentication protocols. Compatibility/group policy will determine which authentication protocol is used and subsequently the hashing algorithm. For example, Windows 7 does not support LM hashes by default but Windows XP is backward compatible so it can.

    NTLM hashes are not salted which means that if you computed the "password" value into a hash value multiple times, you will always get the same resulting hash.

    NTLMv2 hashes on the other hand are salted which means if you converted the same password value multiple times into a hash value then you will always get a completely different looking hash each time.

    Identifying the hashes first will help you figure out what you can do with them because you won't be able to use ntlmv2 hashes in a pass the hash attack.

    Some useful reference material for identifying hashes:

    https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4


    If you are after a keylogger then you could try a keyboard logger. Plug your USB keyboard into the capture device and then plug the device into the PC. Unless somebody looks behind the PC and knows what they are looking for, it's unlikely that anybody will recognise the keylogger. The best thing about hardware keyloggers is that they are independent of the OS so you are capturing everything the person is typing from the moment the computer boots.

    It goes without saying but this won't work if your office computer is a laptop without an external keyboard.


    Surespot is another one. I personally don't know which one is more secure or better than the others. The real question is: are you sure you can trust a third party with your encryption? If governments get their way, software developers will soon have to start handing over keys or building backdoors into the encryption software.

    This only mitigates the above-mentioned scenario somewhat but I like to use a number of different apps at the same time. I keep a third of my contacts on separate apps so if one app or key gets compromised the others don't 😉

  5. 15 hours ago, Elevant said:

    I am not sure I understand how the null values would affect cracking this.

    What I'm saying is, it's probably a null password as well but hashcat just doesn't recognise it as one.

    Reference packet 11: signature states that password length is 1 and password value is 00.

    At this point, it doesn't even matter what the password value is because you can just use the hash value itself to authenticate.

  6. I don't think you can crack the hash like that. I tried hashcat with some dictionaries but I realised password complexity is not the issue.

    If you check the packets closely you will see that he is using null values for most fields.

    In packet 8 he is presented with the server challenge value of 85b0128d82e3e115 which is later used for encrypting the pass hash (LM hash).

    He sends the encrypted pass hashes (LM hash and NTLM hash) in packet 9 and requests path \\192.168.1.26\C$ along with extended signature values in packet 11.

    I finished my script (not sure if that's what you had in mind with yours). There is a function in hcxdumptool that will do an "rca scan" which scans for APs and displays the channel, mac address, and essid. I couldn't get it to save to file though because either I'm using it incorrectly or there's a bug (I commented the line out so the rest of the script runs assuming you have a filterlist.txt file). Anyway, it's almost sunrise and I need to catch a few Zz.

    #!/bin/bash
    # Stop the managers that would otherwise keep re-configuring the interface
    sudo killall NetworkManager && sudo killall wpa_supplicant
    ifconfig
    read -p "select interface : " interface
    echo ""
    sudo ifconfig "$interface" down
    sudo macchanger -r "$interface"
    sudo ifconfig "$interface" up
    # rcascan save-to-file didn't work for me, so filterlist.txt must already exist
    ##sudo timeout 10 hcxdumptool --save_rcascan=filterlist.txt -i $interface
    sudo timeout 60 hcxdumptool -o outputfile.pcapng --filterlist=filterlist.txt --filtermode=2 --enable_status=3 -i "$interface"
    # Convert the capture into hashcat 16800 (PMKID) format
    hcxpcaptool -E essidlist.txt -z pmkidlist.hash outputfile.pcapng
    sudo service NetworkManager start
    sudo service wpa_supplicant start
    ./hashcat64.bin -a 3 -m 16800 pmkidlist.hash ?d?d?d?d?d?d?d?d


  8. 21 hours ago, PoSHMagiC0de said:

    hcxdumptool doesn't quit when it has the pmkid plus there is one more tool needed to convert what hcxdumptool gets to a hashcat crackable formatted hash.

    That's correct, you will need to run hcxpcaptool to strip the junk data and convert it to a hashcat format. Realistically speaking, the "hashcat format" (aka 16800 mode) is just:

    PMKID:macAP:macStation:ESSID
    (all hex encoded)

    If you want to output these one by one into hashcat as you capture them (instead of using hcxpcaptool) then you will need to convert them into that relevant format as above... I'm not even going to try coding a script for that.

    12 hours ago, vailixi said:

    I was grabbing the MAC addresses from airodump's output.

    There's no need, hcxdumptool will grab them for you. The only thing that hcxdumptool/hcxpcaptool won't do is match the essids to the mac addresses and yea I feel your pain on that matter. You could have 3 captured PMKIDs listed and they could all be for the same AP but hcxdumptool will still treat them as 3 different/separate entries (meaning that you could be trying to crack the same PSK 3 times... if you don't crack it on your first attempt that is).

    I can sort of understand where you guys are coming from because hcxdumptool is too automated which leads to duplicate entries as well as redundant attacks on randomised mac addresses. Either way, it's beyond my ability to streamline this process.

    Try running wlanhcxinfo (more details on the captured handshakes/PMKIDs) or wlanhcx2ssid to strip the captures to one entry only. Hope this helps.

  9. I didn't get to finish the script but it would go something like this:

    #!/bin/bash
    # Run as root: stop the managers that would otherwise reset the interface
    killall NetworkManager && killall wpa_supplicant
    ifconfig
    read -p "select interface : " interface
    echo ""
    ifconfig "$interface" down
    macchanger -r "$interface"
    ifconfig "$interface" up
    # Capture to outputfile.pcapng with the status display enabled
    hcxdumptool -o outputfile.pcapng --enable_status=3 -i "$interface"

    I didn't get a chance to finish it but that would at least get you to the part where you are using pmkid attacks and outputting to outputfile.pcapng


  10. On 8/3/2018 at 2:42 PM, Just_a_User said:

    IIRC it is - I think iOS 8 and Android 6 onwards started doing this to avoid tracking.

    EDIT:   However there seems to be methods around it to see real MAC addresses https://arxiv.org/pdf/1703.02874v1.pdf   @Sebkinne  would/could that be a potential feature that the pineapples could use?

    Thank you, my brother. I've been looking for somewhere to get me started on this. I'm not sure if these methods still work but I will definitely give them a go. I'll let you guys know how it goes.

  11. I love the first part of your script. I've been too lazy to write something like that myself even though after all these years I still go through the motions each time I want to fire up airmon/airodump.

    I'm not sure what you're trying to do after:

    On 9/1/2018 at 4:34 AM, vailixi said:

    ##edit this shit

    I'm a terrible coder but from a practical perspective, why are you running airodump for 10 secs and then running hcxdumptool? From the code it seems you are trying to output a list of the essids from airodump to feed into the hcxdumptool filter list.

    Hcxdumptool is independent of the aircrack/airodump suite. Hcx scans nearby devices on its own and performs all the attacks on any device broadcasting a beacon. You don't need to put the interface into monitor mode for hcx, it will do it on its own. i.e. hcxdumptool -o outputfile.pcapng --enable-status=3 -i $INTERFACE

    You also need to clean up the output file for hashcat before you can run 16800 mode. i.e. hcxpcaptool -E essidlist.txt -z pmkidlist.txt outputfile.pcapng then you can run hashcat on the pmkidlist.txt

    I'm not sure if I misunderstood your script and/or intentions but I will try editing it tonight and see what results I get.

  12. 27 minutes ago, Onus said:

    @icarus, looking into hcxdumptool a little further this morning, I am seeing that I indeed am getting and able to sort handshakes and pmkid with rather ease. I'm wondering though how that tool gets handshakes? Is it passive? Does it still use deauths? I will have to investigate a little more as to how long on average I should let it run, and if there is an efficient way for me to monitor it. Definitely going to migrate in that direction. Now that I really look into it, it definitely seems a bit more robust and would make my attack script rather clean.

    thanks again


    Yea I liked it as well and I don't normally like automated wifi tools like wifite etc. It just seems to be efficient in terms of trying all the possible attack vectors against so many targets and in such a short amount of time. You can change the attack parameters to only passive ones or not do deauth etc so those could maybe be the options on the buttons of your device.

    When you convert the captured handshakes/PMKIDs use the following:

    hcxpcaptool -P plainmasterkeys.txt -E outputwordlist.txt -I identitylist.txt -U usernames.txt -o wpa2handshakes.hccapx yourhcxdumptoolfile.cap

    That's how I found the plaintext pass.

    I got a couple of 1080x lying around so let me know if you have a large list of handshakes and/or PMKIDs you want me to run against some dictionaries or some digit combos. A list of handshakes and PMKIDs from your devices that is...

    Peace out brother

  13. All good my friend. I'll just say that I'm not a professional pen-tester or anything so keep my feedback in context.

    17 minutes ago, Onus said:

    I wanted to make it as automated as possible. I guess i could make the deauth specific to a client on that AP instead of the AP itself.. (thoughts?) 

    I think you have the right idea already in terms of keeping it simple and for what you need. I was just saying that's the disadvantage of having it automated. Aircrack user guide says that deauths work better against associated clients rather than broadcast deauth (which can sometimes be ignored by clients). I had successes using both methods in my limited experience.

    31 minutes ago, Onus said:

    capture handshakes as well, and  a bit more passively, though

    hcxdumptool can be very aggressive and it will do deauth attacks on any authenticated AP/client it finds by default. It also does passive collection of handshakes as well.

    The default setting is basically a scatter gun approach where it will try every attack that it can on any AP and clients in range (regardless of whether they are associated or not). It will literally try to hack the neighborhood if you don't use any filters or specify which attacks you want to carry out.

    I cracked a few known and unknown PSKs on hashcat -m 2500 and -m 16000 (or whatever MPKID is) captured with hcxdumptools so I can verify that it works (example from my PMKID potfile below).

    dd85857fda9d49f79344a055926333cd*000c42d54356*f0a2257ca5c3*4d696b726f54696b2d443534333536:Test1234

    I've even captured a plaintext pass with it but I don't know if that's because the PSK was the bssid or if it was because of anything that hcxdumptools did (I only used it a couple of times so not an expert in how it works). The biggest drawback I found with hcxdumptools is that it doesn't output the essids to the potfile so you have to manually match mac addresses or run some scripts to match it all up. Can be a headache if you have multiple pcap files and potentially dozens/hundreds of PMKIDs.

    I think the new aircrack version comes with PMKID attack as well but if you're after automation, I recommend giving hcxdumptool a 2nd chance. It's very particular about the wifi drivers/chipsets so just check yours against the compatible list first.

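The 16800 hash layout described in post 8 and the potfile line shown in post 13, as an added example that is not icarus255's code: it parses hashcat 16800 lines, decodes the hex-encoded ESSID so MAC addresses can be matched to network names, groups entries by AP MAC, and keeps one PMKID per AP so the same PSK is not cracked three times over. Only the first sample line is from the post above; the other lines are constructed. hashcat's own format uses `*` between fields (as in the potfile line); the `:`-separated form written in post 8 is accepted as well.

```python
import binascii
from collections import defaultdict

# Line quoted in the post above (potfile entry: hash fields, then ':' and the recovered PSK).
POTFILE_LINE = ("dd85857fda9d49f79344a055926333cd*000c42d54356*f0a2257ca5c3*"
                "4d696b726f54696b2d443534333536:Test1234")

# Constructed sample lines (not real captures): two more PMKIDs for the same AP seen via
# different stations, one for another AP, and one written with ':' separators.
SAMPLE_LINES = [
    POTFILE_LINE,
    "11111111111111111111111111111111*000c42d54356*aabbccddeeff*4d696b726f54696b2d443534333536",
    "22222222222222222222222222222222*000c42d54356*112233445566*4d696b726f54696b2d443534333536",
    "33333333333333333333333333333333*0011223344ff*112233445566*486f6d654e6574",
    "44444444444444444444444444444444:0011223344ff:aabbccddeeff:486f6d654e6574",
]

HEX = set("0123456789abcdefABCDEF")


def _is_hex(s: str, n: int) -> bool:
    return len(s) == n and all(ch in HEX for ch in s)


def parse_pmkid_line(line: str) -> dict:
    """Split one 16800-style line into its fields; a trailing ':plain' (potfile) is kept."""
    line = line.strip()
    plain = None
    if "*" in line:                       # hashcat layout: PMKID*MAC_AP*MAC_STA*ESSIDhex[:plain]
        hash_part, _, plain = line.partition(":")
        fields = hash_part.split("*")
    else:                                 # colon-separated layout as written in post 8
        fields = line.split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 fields: %r" % line)
    pmkid, mac_ap, mac_sta, essid_hex = fields
    if not (_is_hex(pmkid, 32) and _is_hex(mac_ap, 12) and _is_hex(mac_sta, 12)):
        raise ValueError("bad hex field: %r" % line)
    essid = binascii.unhexlify(essid_hex).decode("utf-8", "replace")
    return {"pmkid": pmkid.lower(), "mac_ap": mac_ap.lower(), "mac_sta": mac_sta.lower(),
            "essid_hex": essid_hex.lower(), "essid": essid, "plain": plain or None}


def group_by_ap(lines) -> dict:
    """Match every PMKID and station to its AP MAC and ESSID (what hcxpcaptool doesn't do)."""
    aps = defaultdict(lambda: {"essid": None, "stations": set(), "pmkids": [], "plain": None})
    for line in lines:
        e = parse_pmkid_line(line)
        ap = aps[e["mac_ap"]]
        ap["essid"] = e["essid"]
        ap["stations"].add(e["mac_sta"])
        if e["pmkid"] not in ap["pmkids"]:
            ap["pmkids"].append(e["pmkid"])
        ap["plain"] = ap["plain"] or e["plain"]
    return dict(aps)


def dedupe_for_hashcat(lines) -> list:
    """One line per AP: every PMKID from one AP derives from the same PMK, so one is enough."""
    seen, out = set(), []
    for line in lines:
        e = parse_pmkid_line(line)
        if e["mac_ap"] in seen:
            continue
        seen.add(e["mac_ap"])
        out.append("%s*%s*%s*%s" % (e["pmkid"], e["mac_ap"], e["mac_sta"], e["essid_hex"]))
    return out
```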
  14. Some initial thoughts:

    Positives:

    * Doesn't look like a sinister wifi exploitation device;

    * Seems easy to use (after you remember all the different colour codes);

    * Could be a solution for some automated handshake capturing without needing a gui or terminal to punch in commands;

    Negatives:

    * There are many automated wifi tools out there already (as bonez mentioned) so could be some tough competition if you're planning on commercialising this;

    * Seems a bit reckless to deauth anything that comes your way i.e. can you just leave it in monitor mode and switch to deauth attacks at a certain point in time?;

    * Deauth attacks are becoming less effective with protected management frames;

    Suggestions:

    * Why not use hcxdumptool to also incorporate PMKID attacks? You will be able to target more devices i.e. client-less APs and have additional attacks to deauth.


    I like it for the look and the concept so you have my blessing (whatever that's worth).

  15. Any more updates on this? I'm curious.

    I haven't done any in-depth research into this but I think the SLI technology is only really applicable to gaming. Hashcat doesn't care if you run different cards by different manufacturers as long as the motherboard has the slots for it so don't throw out your old cards (unless they're not supported by hashcat).

    I experimented with something similar for hashcat purposes and then for crypto mining when that was the cool thing to do. I have x2 1080s, a 960, and a Radeon RX 580. The Radeon was great for mining monero but half the speed of the 1080 for cracking wpa2. I found running hashcat on ubuntu server to be optimal for hashing speeds despite some saying windows has better driver support.

    At 600K h/s you will be able to crack most default WPA2 passwords out there. The 10 random hex passes will still be a challenge - it will take you roughly 21.2 days to exhaust the whole keyspace. Technically speaking you will have a greater than 50% chance of cracking it after only 10.6 days and you can decrease that further with some rules etc. Complex passwords and anything greater than 8 random chars (alpha-numeric) you can forget about.

    I don't know if it's worth building your own cracking rig with anything more than 2 or 3 cards unless you're going to do complex passes on a regular basis. I think most people these days just hire out Amazon AWS servers if they need something serious cracked. I haven't tried it yet but I might check it out.
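The keyspace arithmetic in the post above, as an added example that is not icarus255's code: at 600K h/s, 10 random hex characters take about 21.2 days to exhaust and are found on average after about 10.6 days. The helpers generalise that to the other character classes the post mentions and add a policy-sizing check (the smallest random length whose expected crack time meets a target); the charset table and the policy list are constructed.

```python
SECONDS_PER_DAY = 86400
DAYS_PER_YEAR = 365.25

# Character-class sizes for the password styles discussed in the post (constructed table).
CHARSETS = {"digits": 10, "hex": 16, "lower": 26, "alnum": 62, "printable": 95}


def keyspace(charset: str, length: int) -> int:
    """Number of candidates for a password of `length` random characters from `charset`."""
    return CHARSETS[charset] ** length


def days_to_exhaust(charset: str, length: int, rate_hps: float) -> float:
    """Worst case: every candidate is tried once at `rate_hps` hashes per second."""
    return keyspace(charset, length) / rate_hps / SECONDS_PER_DAY


def expected_days(charset: str, length: int, rate_hps: float) -> float:
    """A uniformly random password is found, on average, halfway through the keyspace
    (the point at which the chance of having cracked it passes 50%)."""
    return days_to_exhaust(charset, length, rate_hps) / 2


def min_length_for_years(charset: str, rate_hps: float, years: float, max_length: int = 64):
    """Smallest random length whose expected crack time is at least `years` at this rate.
    Returns None if no length up to `max_length` meets the target."""
    for n in range(1, max_length + 1):
        if expected_days(charset, n, rate_hps) >= years * DAYS_PER_YEAR:
            return n
    return None


def policy_report(rate_hps: float, policies) -> list:
    """(charset, length, days-to-exhaust) for each (charset, length) policy, for comparison."""
    return [(c, n, round(days_to_exhaust(c, n, rate_hps), 1)) for c, n in policies]


if __name__ == "__main__":
    # Constructed policy list: the post's 10-hex case next to 8 random alphanumerics.
    for row in policy_report(600_000, [("digits", 8), ("hex", 10), ("alnum", 8)]):
        print("%-9s len %2d: %12.1f days to exhaust" % row)
    print("hex length needed for a 1-year expected crack time at 600K h/s:",
          min_length_for_years("hex", 600_000, 1))
```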

  16. I remembered an article I read a while back about people using open wifis to mine moneroz and other cryptos. I can't remember where I read the original article but could be an interesting idea for a demo. Link below is a summary of the method.

    https://www.helpnetsecurity.com/2018/01/08/public-wifi-cryptocurrency-mining/

    The idea is to inject some initial js code into the user's requested html page which calls the crypto miner. The link above summarises the process in a bit more detail...

    The article talks about using CoffeeMiner but I guess you could achieve similar outcomes with mitmfm etc.

    To be completely honest with you, I have never used any of the hak5 WiFi gear. I have the BB (which I love) and received my packet squirrel yesterday. You have to keep in mind that these are just automated tools and frameworks designed to help pen-testers and enthusiasts learn about IT security. You can carry out the same wifi attacks with your laptop and two wireless adapters that the pineapple can.

    I don't work in IT but I work for a large organisation and I still recommend just showing a video demo of your exploits rather than doing anything live. Wifi signals are hard to control unless you know what you're doing and if you've never used the tools before.... anyway I said my warnings and disclaimers.

    Once you have users on a network (regardless of whether it's open or protected) where you can control and manipulate traffic, a malicious user can carry out a wide variety of attacks starting from simple traffic captures, encryption downgrades, DNS spoofing, and packet injection. The goal in most cases is to either capture login credentials and/or distribute malware. These attacks are much harder to carry out in real life though because web developers, browser vendors, and AV products will use their own defences to protect their users against these attacks.

    There are many tools out there that will help you with your educational requirements. Evil Portal and Wifi Phisher are just some examples and can get you started on your journey.

    https://github.com/wifiphisher/wifiphisher

    https://github.com/frozenjava/EvilPortalNano

    https://github.com/kbeflo/evilportals

    I haven't used these tools before so I can't tell you how to use them but I'm sure there have been some discussions on the forums and the google.

    Good luck, amigo.

  18. Hey bro, welcome to hak5.

    Got a bit of a cheeky idea for a demo.

    Try to get a hold of one of the senior exec’s phone or the CEO’s (for greater effect). Tell them it’s for a harmless educational demo on the topic of “why you shouldn’t give strangers your phone”.

    Then pump a meterpreter payload into it and dump their txt messages and pics onto the big screen. Hopefully there’s something in there from a mistress or the secretary (if you know what I mean). People are definitely going to be shocked at how quickly you departed the company.

    I’m jk.

    I wouldn’t recommend doing any live demos (especially with wifi). You could inadvertently breach your company’s IT policy or even a federal law. Anyway, I can't tell you how to run your show. Check out the Pineapple nano forums for payload ideas since that’s what you’d be getting in the field kit.

    Let us know how the demo goes.

  19. I'm not sure why the PMKID attacks (and hcxdumptool) are not as well known or discussed as they should be. I know wifi has been done to death but people are still posting questions on the forums about why their deauth attacks aren't working or why they can't capture a 4-way handshake.

    To be honest, I didn't know about this attack vector until a week ago myself when I read a post on the hashcat forums (refer to link in OP or https://hashcat.net/forum/thread-7717-post-41446.html).

    I tested hcxdumptool and there are several considerable advantages of using this new method over the “traditional” 4-way handshake approach i.e. sometimes it’s a lot easier to request a single EAPOL frame (with a PMKID) than waiting or forcing a 4-way handshake. Only needing one EAPOL frame also means you can target client-less APs or AP-less clients (refer to link above for details).

    Not all vendors/devices are vulnerable because sending the PMKID is optional i.e. EAPOL frames do not need to contain the PMKID for an AP and client to authenticate. It doesn't seem to be a legacy issue - to me it seems that a lot of vendors leave it enabled by default.

    There is also no advantage that I can see of using a captured PMKID over a captured 4-way handshake for "cracking purposes" i.e. you will have captured all the crypto values needed but in different ways. You will still have to bruteforce/dictionary attack the key like you normally would with hashcat or JTR. Hashing speeds look similar from my unscientific tests using both modes in hashcat (someone please confirm).

    In my opinion, the PMKID attack methods are a great alternative to the traditional 4-way handshake approach (if the device is vulnerable) because they can be less disruptive to the target network/device. I don’t normally advocate automated tools but some of the options of hcxdumptool are definitely worth exploring.

    On 8/11/2018 at 11:26 PM, PoSHMagiC0de said:

    Tried it, it works.  Better if you use the parameters --filtermode=2 --filterlist=<text file with bssids you are targeting> 

    Else it goes after every beacon it hears.  You also have to manually break when you see that status say pownd=1 as it means it has gotten a PMKID.


    Agree. Be careful running hcxdumptool first time because default attack mode is very aggressive i.e. it will try all possible attacks (including deauth and disassociate) on any wifi device it picks up in range so use a filter with your device bssids only.

  20. There are plenty of youtube videos on how to do this. Above post summarises the process pretty well too.

    Technically speaking, you don't need ngrok to handle connections over WAN. You just need to add port forwarding rules on your router to direct traffic to your local listener/server address.

    As for your closing connections, that could be for any number of reasons including: firewall rules blocking incoming/outgoing traffic on certain ports, misconfigured payloads, etc. I don't use android phones anymore so I haven't tested this on any new phones to confirm if new security policies are the issue.
