If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
In this tutorial we will begin a tutorial on how to obtain access to WPS router pins using Reaver. We will briefly discuss the setup process, how to access your routers administration interface, and the arguments you will need to use when using Reaver. This video will serve as an introduction.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to the continuation of this tutorial. Anyway, today we’re going to do the actual cracking of the captured file, which is basically a follow up tutorial on the previous one. Make sure you watch these in the proper order, as they are usually tied to one another.
Anyway, we have aircrack-ng, so I’m just going to go ahead and type that in, aircrack-ng. We need -w for either the password or word list that we will be using. You can find these online and download them, and I’ve seen some pretty good ones. It will be around 48 gigabytes, something like that, however you will need to keep certain things in mind. First of all, the region where you’re performing this. For example, if you’re doing this in the US, or Canada, or any other English-speaking area, you will be able to find some relatively good word lists that you can use. If you are in a region such as mine where people mainly speak Slavic languages, an English word list is not going to be very helpful. Or, if you’re, for example, in Russia, or perhaps in France, or something of a kind, there are specified word lists for those particular languages. But, more often than not, they don’t tend to work. As I said, if you’re in an English-speaking region, try out a word list. People tend to either repeat passwords, or they tend to use fairly similar ones, so the likelihood of the password being in the word list is pretty high. This is what is referred to as a dictionary attack. You literally take a dictionary from somewhere, you type the name of the file here after download, and then you pass it to aircrack-ng, and then you start cracking, which is a fairly difficult process to do. But, over a certain period of time, it will practically finish trying all of the possible combinations, within the dictionary, in a reasonable amount of time. It might take a day or two, or something like that, but if you’re sitting next to a Wi-Fi you can spread this attack out. Once you begin cracking the password, you can sit in your house without a connection to the internet. The capture process requires being connected to the network, the cracking process is conducted on your local machine. This is very important, it is completely different from an online attack.
However, I am in a region where word lists are not very useful, and therefore I’m going to take a different approach. I’m going to say -w for a file to be read in, but I will also tell it to read in from standard output. Now I do need to specify the actual capture file, so SCAN_test-01.cap, let’s just expand this to full screen, excellent! So, I have SCAN_test-01.cap, and the final thing that I need to put in is the ESSID, which is Something. Now in front of it all I’m going to use crunch and pass it to a list of arguments. With -F you can actually specify what sort of characters will be assigned to which positions. So, for example, I would strongly advise looking through the man pages of crunch, let me just show you. Clear, and man crunch, excellent! So we have the man page for crunch, and you have these arguments, and so on and so forth. And if we go down below, this is f /path/to/charset.list which we might actually use as well. I’ve showed you that, but we’ll see whether that is convenient for our purpose. Sorry, it’s not -f, it’s -t. All of these symbols present certain types of characters. So, for example, the @ represents lowercase letters. The % sign represents numbers. The ^ I believe is capital letters, etc. You don’t need to memorize the syntax. Just take a look at the man page and figure out how to write the command.
So, keep in mind that the @ sign is an option, comma is an option, percentage sign is an option, and the caret sign is an option. Look at what it says, the explanation is practically perfect. Specifies a pattern, an example of a pattern, says your god. Believe it or not, people actually use that in their passwords. And he has two @ signs at the front, and four @ signs in the back. Look at what the @ sign represents, will insert lowercase characters. It will use this word, and it will insert lowercase characters in front and behind. If he had placed a comma in there it would insert uppercase characters. If he had inserted a percentage sign somewhere in there, it would insert numbers, not a caret sign, a percentage sign. And the caret sign is down below, it will insert symbols. That is why it is very important to acquaint yourselves with the sort of password that you are breaking. You cannot just walk in and break a password, brute-force it, without knowing anything about it previously. That’s just highly unlikely to happen. I mean, even with the best of machines out there, it will not work as well as you want it to. I’m running a few virtual machines in the background, so perhaps my CPU usage will be a bit lower, but I’ve managed to turn everything off and max it out. It was on 1,700 passwords per second. I think I could have gotten to 2,200 if I overclocked my processor, but I don’t have the proper cooling system.
That is a very important aspect to this. You will need to watch the temperature of your processor. If you’re using an Intel Core processor it will shut down by default, it will not allow you to destroy it by overheating it. On the right side of the screen here I have a temperature meter. You will see that the current temperature is around 61 degrees Celsius. When I begin the brute force attack with aircrack, it will load the CPU to ridiculous extent, and you will see how the CPU temperature will increase. When you’re performing this attack, you may wish to consider employing some extra cooling systems in order to reduce the temperature of your processor. That will not only decrease the chance of something malfunctioning, but it also increase the amount of attempts it can perform per second.
Anyway, without further ado, I’m going to type in crunch -t. I want you to use four numbers in front, and I know that the word is thunder so I’m going to type it in. I’m going to say, 123456789, and 0. Also, I need a pipe. A pipe is simply saying, whatever comes out of this, pass it to this. And this argument here is saying, read from whatever is passed, or from standard output. Press ENTER, and there we go. This is going to take a while. Actually, this is not going to work because I am a genius who failed to actually pass the proper length. Once passing length, and in combination with what we did here, you absolutely need to make sure that it’s exactly the same length. 11, 11, excellent! Press ENTER, and the scan is in progress. There we go, key found in a ridiculously short amount of time. Primarily because, I already knew a good portion of it. Let’s try something different. Let’s remove this, and if I remember correctly hat was for capital letters, I believe it was a comma? Let’s verify that because I’m not all-knowing, and comma will insert uppercase letters. Yes, it will. My memory still serves me well. I will remember to treat my brain with something later. Press ENTER, and the amount of possible combinations is not that large. I wanted to make sure that you had the opportunity to see the maximum amount of tries here.
Let me go ahead and close all of my other virtual machines. Once I do that, I will have more CPU power to spare, that I can devote to this brute-forcing method. I remember getting up to 1700. Once again, it’s found it within a reasonable amount of time. Let’s try passing a character set. So, it’s a lowercase f, /path/to/charset.lst charset-name. I need to go ahead and type in cd Desktop/crunch-3.6/, excellent! ls, and we have a charset somewhere in here. I’m pretty sure it’s crunch.c, Makefile, crunch.1, charset.lst, excellent! Here we go, let’s type in less charset.lst, and here we have the names as I stated before for pretty much all the charsets in existence. We can specify these manually, but it’s better to use these charsets as there is a much smaller probability of an actual mistake. Let’s use mixalpha-numeric-space, and this is going to significantly increase the amount of possible combinations. It will probably take until tomorrow to actually guess it, but oh, well. Press ENTER, and it’s still giving me a relatively small number of combinations. Let’s remove this one to say @@, and this one as well, @, press ENTER, it’s 726 gigabytes. Now this will take a significant amount of time. Let’s see what else we can close in order to increase it. Oh, I know why it’s so low. I am recording my screen for this tutorial. That is eating up my memory and CPU time as well.
I would like to show you something else before I wrap this tutorial up, because I have a feeling I’ve already breached the allotted time. If you have some sort of temperature meter on your computers, you will notice that after an hour, or something like that, the temperature will begin to rise. What you can do here in order to alleviate the stress on a single machine, and in order to increase the number of possible attempts, you can actually use this command and specify either a list of characters. For example, you can tell one machine, okay, I want you to do all of the combinations for 9 9. Of course, then this option would not be possible any longer. We would need to delete this, and another machine could do, for example, 10 10. Another one could do 11 11. This technique is especially useful for laptops, because a single laptop doesn’t have a ton of processing power. Laptops weren’t actually amazing. So we actually merged not just a few laptops but also desktop computers. I remember merging 10-20 computers together to conduct a brute-force attack. They were all generating passwords. You can give different parameters to different computers to execute it on the captured file. Because this captured file is portable, you can conduct a brute forcing attack offline. In the follow up tutorials, I will show you some other methods for how you can attack wireless access points, and what you can do with them. In any case, I bid you farewell, and I hope to see you in the next tutorial.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Let’s continue from where we left off in the previous video.
I have a live capture here in progress, I’m going to go ahead and cancel it, and now I will take the information that I need. So, the next command that we’re going to use, again, is airodump-ng. We will use it in combination with a few aditional arguments in order to conduct a more precise scan, so that we can capture the four-way handshake which we need in order to continue with the exercise. Go ahead and type in airodump, and you don’t need to memorize the full command. You can type in air, and then press Tab twice. If it doesn’t work after Tabbing twice, press it how ever many times until you find the command you need. The terminal will tell you what your possibilities are. What we need is airodump, and this is the command that we need. Go ahead and type in O, Tab it again, it will give you fewer options, dump-ng, and that’s it. One of the first things that we’re going to need to do is specify the channel on which my wireless is functioning. For this particular exercise I will be using channel 6. So, channel 6, and what is the BSSID? This is the BSSID. Don’t attempt to retype it, copy/paste it just to be sure it is entered in correctly. If you miss a single a single character here, nothing will be achieved. Now we need a file to write to. I will name mine SCAN_test. The final thing that I’m going to need is this BSSID. Go ahead and copy it, and we’ll just reformat this a bit. I’m fairly certain it would work like this as well, but we always want to make our code nice and clean so that it can be read and understood for troubleshooting purposes. When you have commands, text, and code spread around, it can be difficult to figure out what is where. Maybe you can in that moment, but try doing it the next day and it can be difficult to pick up where you left off. Go ahead and press Enter.
Okay, so what does it say? No interface specified. Every time you do this you actually do need to specify an interface. Mine is wlp2s0, that is my wireless interface that is currently in monitor mode, so press ENTER, and there we go. Our scan is now in progress. I have another device that is connected to the network, that’s this device, it’s BSSID, and station. A station is a device that is connected to this access point. You will not be able to perform this exercise if you do not have any stations that are connected to your access point. This is because you have nothing to deauthenticate, there is nothing conducting the authentication process which you can capture. We will be deauthenticating this device, and this is also a method that you can use in order to perform a DoS attack on a wireless network. It is nearly guaranteed to work. Pretty much any public wireless network will be vulnerable to this, and you will be able to deauthenticate every device on the network. This, of course, is susceptible to misuse. I would like to ask you, since I am doing this for educational purposes, not to do that.
Anyway, that being said, we need to use aireplay-ng, and this is used for deauthentication purposes. We’ll just go ahead and type it in, air, and once again I will use Tab to complete the command, replay-ng. What I want to do is pass an argument of -0, and then I’m going to give it the 0 again. I will explain in a moment what these are, – a, and the MAC address of the access point. We don’t need the BSSID flag there. These two arguments state the number of deauthentication transmissions that you wish to send. If you put a 0 in it sends it into an infinite loop. You will permanently be deauthenticating pretty much every device on this particular MAC address. For example, if you wish to temporarily disrupt connections you can type in 10, or 9, or something like that. There are even options to deauthenticate particular clients. But, for the time being, I’m going to send a general deauthentication request transmission. This will deauthenticate everybody on this particular wireless access point. Since it is my wireless access point, I don’t really care. I only one device associated with it, and that device will be disconnected shortly. If you wish to verify this, you can connect your cell phone, and you can connect them to your Wi-Fi access points, and then you can try performing a DoS attack on yourself to see how it works. If you have any troubles, feel free to ask me in the question section. The procedure is exactly the same as what I’m doing now. You will then notice that the Wi-Fi connection on your phone is breaking. When that starts happening, when the deauthentication request start being sent, try accessing a website through your cell phone. You will see that you can’t because there is something obstructing your connection, and you are no longer associated with that access point. I would recommend trying this as it’s a fantastic exercise. You cannot cause any damage to your network or devices. As soon as the deauthentication requests stop your connection will be restored.
Let’s go ahead and execute our command. One of the downsides of aircrack is that you need to type in the interface every single time. Excellent! I am now broadcasting the deauthentication signal. Sure enough, I have lost connection to the network on all of my devices. Leave it running for a while just to make sure that you have deauthenticated the device, because you cannot see the device that you are deauthenticating. At a certain point of time, after a couple of minutes, maybe less, you can cancel it. Due to the proximity I can go ahead and cancel it now, and my device will automatically try to reconnect. Once it does, I will capture that authentication, and it should work just fine. In a moment, we should get a four-way handshake in the upper right corner, and there we go. It says WPA handshake for this MAC address. At this point of time, you can go ahead and stop the capture process as there is really no longer a point to do it. We have captured the information that we needed. It’s all here.
In the next tutorial we will take apart the file which we have captured, and see what we can do with it, and how we can actually crack it. That is the difficult part of this process. Capturing traffic is not a problem, finding the
wireless access point is not a problem, the problem is cracking the encryption itself. Now, keep in mind you must absolutely have at least one device that is associated with this access point, and the BSSID. If there are several devices you may want to consider a different denial of service attack. You shouldn’t deauthenticate them all. Select a few and leave them running. So, if you have 10 or 20 devices, you can select 5 of them. If just 5 of them don’t work they’ll usually look to the person next to them, or something like that, and they’ll see that it’s working for them. So, the general conclusion that pretty much everybody draws from that is, oh, it has to have something to do with my device. Let me just attempt to reconnect to the network. We will go over this in great detail when we cover denial of service attacks, but for the time being just know that it is an option. In any case, I bid you farewell, and I sincerely hope to see you in the follow-up tutorial where we will actually crack the code.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, we will cover how to crack Wi-Fi. Now that we have finished setting up all of the necessary tools, we can begin with the demonstration.
The first thing that we will need to do is set our network wireless card in to monitor mode. Type in ifconfig, press Enter, and this will display all of the network interfaces that are available. My wireless interface is called wlp2s0. A bit of a strange name, I know, but Fedora has a custom of assigning strange names. For example, my wired connection is called p8p1, which is kind of weird, but OK, never mind. Just identify the name of your interface and adapt accordingly. Anyway, I’m going to use wlp2s0. We have two ways of configuring monitor mode. The first method is what I usually use to set it in monitor mode, and the second one is what I use to check for problems. Go ahead and type in ifconfig. Again, wlp2s0, which is the name of my wireless network card, and type in down. Let’s shut our wireless card down completely. Now we can make some modifications to it. Type in ipconfig wlp2s0, mode monitor. Again, ifconfig wlp2s0 up, and now our network card is configured to function in monitor mode. Before it was functioning in the promiscuous mode. There are several names for it, but promiscuous mode is the most common. The difference between the two modes is that in monitor mode network cards are configured to accept packages, regardless if it is meant for them or not, and in promiscuous mode they will only accept packages that are meant specifically for them.
I’m going to go ahead and clear the screen, and I’m finally going to start using some of the software packages that come with aircrack. I have a list of commands here which we will use today on the right side of my screen, and we’re going to use a few other ones, but these are the basic ones that you absolutely need to know. So, let me go ahead and type in airmon-ng check wlp2s0. I want to see if there are any possible processes that could cause interference, and I see that there are quite a few of them. One of the first things that you need to kill is the network manager. Even though it doesn’t actually directly interfere with the functioning of our software, it does spawn some other processes that might interfere, like your active internet connection here, the dhclient. For example, if your network manager is configured to automatically connect to a certain network, or to a wired network that you plug into your computer. So, let’s just go ahead and kill the process. I’m not going to take any chances, today. I’m going to go ahead and kill the network manager, and then I will begin killing the rest. So, let’s repeat the airmon-ng check, excellent! I have a few more of these. You will need to kill them in a certain order because they tend to spawn each other. Even though you’ve killed it as root, it will kill it, but it will restart it as well. I’ll just go ahead and kill the dhclient as well in order to prevent any interference, and the rest of killing can be done in any way you like. So, kill, let’s just go ahead and kill 1556, 1215, and 1216. Excellent! Let’s do a check one more time, something is still up. This is what I meant, it is highly annoying. Avahi-demons are the only ones running. Apparently, I have to kill the WPA supplicant first, and then I can kill these. It can be frustrating because you can’t kill them all at once. You will have to type in the commands time and time again. Let me just go ahead and clear the screen, and always perform an extra check. You see here that nothing is active, nothing should present any problems now.
Let me go ahead and clear the screen. The next thing that we need to do is perform a scan of our environment here to see what sort of networks are available, and who is connected to which networks. Now you cannot see with the network manager. With the network manager we can only see the visible wireless access points around us. While on the other hand, with one of the tools that comes with the aircrack, you can actually see wireless access points around you and who is connected to them, which is a very nice feature. I’ll go ahead and type in the first command from my selected list here, it’s airodump-ng wlp2s0, and press Enter. You can now see all of the wireless access points. This one is mine, it’s called Something. I’ve created this network specifically for the purposes for this tutorial. It has a good, strong password, and we are going to be cracking it today. Okay, let me cancel the scanning process, and I would like to explain a few of the things that you can see here during the scanning process itself. The BSSID is the MAC address of the wireless access point. The PWR is the strength of the signal. So, the smaller this negative number is, so let’s say -30, -15 is a stronger signal than -30. -57 will not be the greatest of connections. -78 or -84, yeah, you might be able to connect to them, but this will certainly result in a poor connection. However, even though the signals here are weak, if you have a good enough wireless card you will be able to perform the authentication, and therefore I will be able to render any of these networks that you see here inoperable. But, that we will save for the later tutorials.
For the time being, I would like to show you one of the ways in which you can crack the WPA2 encryption. DoS attacks are very useful. I mean, they can practically render almost any WiFi network out there useless. Nobody will be able to connect to it, or you can deauthenticate a specific client on the network which is also extremely useful. So, let’s go ahead and clear the screen. Once again, I will run airodump, and I will expand this terminal window so we can see some other things as well. It says something, it’s 90:F6. I am looking for something to be associated with 90:F6, and that is what I shall use in order to actually deauthenticate, because we are looking for a four-way handshake. It will appear in the top right corner. There we will be able to see all of the packets that are coming in, and there we will be able to actually capture a file and see what is going on. However, that is not possible to do at the time being because we are scanning for pretty much every single network available, and I just wanted to show you what it looks like.
The next thing that we need to do is perform a targeted scan. We will be targeting this network here, as it has a good signal. More importantly than that, I have permission to do whatever I want with this network, as it is mine. These down below are not mine. Also, keep in mind that we are not doing anything illegal here. Everything that you see here is public information. This is simply what all of the Wi-Fi routers around me are broadcasting. They are broadcasting their MAC address, and they are are broadcasting the name of the network, basically. The SSID name is not a technical term. ESSID is the term, but everybody refers to it as the name of a wireless access point. Anyway, as I said, all of this is public information. You will see that it’s WPA2 encryption, you will see the MAC address, and you will see the ESSID. The ESSID will be the first thing that you see on the network. Also, you will see the channels as well. Anyway, I will call the tutorial here, and in the next one we will be performing a specific scan where we will capture information, and use that capture file in order to crack the encryption. Until then I bid you farewell, and I hope to see you in the next tutorial.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will show you how you can install aircrack and Reaver.
The aircrack setup is pretty simple. Just type in yum install aircrack-ng, and it’s going to pick up the right version by default. Go ahead and press Enter. In Fedora it runs through checks every time you call yum, you can pass the -c argument in order for the system not to do that. It says package aircrack-ng is already installed and is the latest version. You might be prompted for a question along the way. If you wish to skip that type in -y, that’s it. With this command that I am selecting you won’t be prompted for any questions, and you will have aircrack-ng installed on your system without any problems.
However, Reaver is quite a different story. Reaver cannot be found in Fedora’s repositories, and therefore it has to be downloaded from the internet. There are many places to download it, I have chosen to download it from Google code. Google code is one of the safest sources on the internet. Let’s go ahead and open up my favorite browser, which is Firefox, you can open whatever you wish. Type in “reaver google code.” Now we are on the Google code website where we have reaver-wps, you have a description here, and you have a pro version here. The difference between the pro version and the free one that we will be using is this graphical user interface. I mean, let’s face it, if you’re a pen-tester, or a white hat hacker, you’re not going to be using that many GUIs. Optimized PIN sequencing, this means that it’s going to try pins in a certain order, which is more likely to succeed than the default one, according to some but not necessarily true, and integrated WEP cracking. As I said, you don’t really need WEP support. You’re not going to be able to find this protocol these days pretty much anywhere. If you do, as I said before, those people don’t deserve to use WiFi. It’s basically and open WiFi network, regardless of how complex your password is. Make sure you are not one of the people using the WEP protocol. It’s a good idea to switch to WPA or WPA2.
Anyway, I’m going to go ahead and click on downloads in the upper left corner, and there are different versions here that can be downloaded. There are no fundamental differences in the way that Reaver works in between these versions, but there are bug fixes, definitely, and that is very nice. Reaver is maintained, there’s support for it, and so on. So, go ahead and click on Reaver 1.4.tar.gz, and it says reaver.tar.gz here, file description, etc. This is a checksum, you can use this in order to verify that your file is intact, but I’m not going to do that now. I’m going to go ahead and download it. Once it is downloaded, you can go ahead and open up the folder in which it actually exists. Go ahead and double click on this file, you can extract it through the GUI method, it’s far simpler. You can also extract it through the terminal, but I’m going to go ahead and use the GUI on this occasion. This is one of the advantages of Linux over Windows. By default, it will be able to unpack pretty much anything zip, tar, winrar, whatever, it’s going to be able to unpack it without any problems, which is fantastic! No extra installation is needed, this is all installed by default. Let’s go ahead and click on extract. Where would I like to extract the file to? Let’s say to desktop because I’m going delete it anyway, as I already have it installed. So, just go ahead and press OK, and give me desktop. Let’s go back to our terminal, navigate over to desktop, and I imagine I have a lot of things there. OK, so, cd /home/Chronic/Desktop, Enter, ls, and do I have it here? Yep, there we go. So, clear, let me just show you that I do in fact have it, ll. It’s much neater if I do it like this, and there we go, reaver-1.4. Let’s navigate over to that folder, reaver-1.4, clear the screen, list the contents of the directory. Go to docs first and let’s see what is in there.
You might think that I am some sort of an expert, and that I just do these things off of the top of my head, but no. People create readme files for a reason. They are there to be read because the developer has left specific instructions on how to do something within the software. So, let’s go ahead and cat it. Excellent! The following are Reaver source files. It has the description of what is located in each one of these files. You have 802.11.c functions for reading, sending, and parsing 802.11 management frames. 802.11 is a standard, as I said before, but look at this. The developer has actually left the entire installation process here. You have every single command that you need to run, explained in detail what it does, and how you can type it in and execute it. This is wonderful! That’s why when you download a new piece of software, check out the readme file. People do tend to leave instructions there on how to do essential tasks within the software. They’ve most likely encountered the same problems that you might have encountered so you can even see possible solutions. Reaver is only supported on Linux platforms. It requires libpcap, this libsqlite3, and one more, I can’t really pronounce this, and it can be built and installed by running the following command. So, execute the configuration script, and that’s it. It even tells you how to uninstall it.
Anyway, ls, of course you cannot run the configuration file from here. We need to reverse course, and go to source from, yep, src. Let’s see what is in there, there we go. We have configure, and you can see by default here it’s executable. If I give you a longer listing, configure, there you go. It has an x permission here, here, and here. So the user has it, and the group has it as well. Anyway, type in ./configure. So, now it’s checking for stuff, it has its dependencies, without which it cannot function. Type in make, there we go, it’s running through. I want to reiterate that I didn’t do any of this from memory. I just went on the internet, I found the safest place to download the code from, and I’m compiling it here as the developer of the code instructed me to do it. The instructions aren’t complicated, just three commands, and the final command is make install. It’s going to give me several errors here, well not errors but warnings, because I already have it installed. Here it says rm, I need to clear this out, and then I will be able to install Reaver. I will now abort the installation because Reaver is already installed on my machine. If you have any problems feel free to post it in the discussion section.
Lastly, let’s check to see if Reaver is functioning properly. So, type in reaver –help, excellent! It is installed, it is functional, it is responsive to our commands, and here is the syntax for reaver. This is the basic syntax. Of course, you can pass all of these arguments to it, and there are quite a lot of them. Basically, you can say -i for the network interface, and -b for BSSID, or for the MAC address, and of course we even have reaver -vv for double verbose output, which is fantastic! I’ll go ahead and clear the screen. That is how you install aircrack and Reaver on Linux. We will cover the Windows procedure in the next tutorial. Until then, I bid you farewell!
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will begin a chapter on wireless hacking.
So, first off, you need to know that there are different types of encryption. There is WEP, and whoever is still using WEP shouldn’t be on a wireless network. The WEP protocol is quite easy to crack, and it’s practically as if you are on an open WiFi network. However, if you’re using WPA or WPA2, that is another story. These two protocols are quite difficult to crack, especially if the passwords are complex. There are different methods for direct wireless hacking, and I would not recommend using them. There are some circumstances which are favorable to these sort of methods, however it is better to get the IP of the router, and then attack the router itself. Routers usually have far more vulnerabilities than WPA2 encryption.
However, since we are cracking wireless, I’m going to go ahead and type in ifconfig here, and you will notice that I don’t have a wireless interface here. Why is that? Well, even though I have a network integrated card, a wireless one, within my laptop, this is a virtual machine, and virtual machines do not support integrated network cards. They can only go through your host machine, and in such a way virtual machines are secure. So, you can install all sorts of programs on them, viruses, etc., and your host machine will be safe. However, we can use a USB wireless card, then you can set up a pass-through for your virtual machine, and in such a way be able to connect to a wireless network.
However, password cracking from a virtual machine is not a good idea. I mean, it’s a terrible idea. Especially using VirtualBox. Maybe if you were using Xen where you have 90-95% native performance, that would be great, but using VirtualBox for password cracking isn’t very effective. Let me show you why. If you go to devices, and I’m just going to go ahead and click on network settings and then I will get the menu for the other things. So, let’s just go ahead and click on general. Is it here? No, system, sorry. Look here at the base memory. This can be altered when the machine is off. You cannot change these settings here while the machine is turned on. First of all, it says that I have 2 gigs of RAM available for this particular virtual machine. Now, that’s great for day-to-day operations, especially for Linux which only requires 512 megabytes to run. However, if you want to brute-force a password, if you want to take that path, by generating huge password lists and trying to guess it, this is not a sufficient amount of memory. If we click on the processor you will see that the execution cap is 100%, but we only have a single core assigned to this virtual machine. It says here one CPU core in the upper bar, in the upper status bar, where it says processors. It’s gray at the moment because you can’t change the number of processors that a machine is using while it’s running. In any case, it only has one CPU assigned to it. I know it says 4 here, but I have an Intel i7 inside and the VirtualBox supports only 4 CPU cores for its machines. You shouldn’t need more than 4 for a virtual machine, unless you’re doing something that is strongly related to graphics. One CPU is perfect. You won’t need any more computing power.
Anyway, I’m going to go ahead and click OK here, and I want to show you that the resources of your virtual machine are simply not sufficient in order to support the brute force method. As I said, you can buy a wireless USB card for $20 or so, plug it in, pass through the ports, and it’s going to work, but it’s going to be terribly slow. You will need to run Linux as the primary operating system on your host machine. So, because my main machine is Fedora Linux, I have installed all the necessary tools on it. You can install the same tools on Fedora as you can on Kali, and I will be doing my pen-testing from here, from Fedora. Let me exit the virtual machine. However, if you are a Windows user, if you don’t have a native Linux system on your host machine, you will also be able to do this in Windows. I will only show you the installation process, I will not show an actual brute-force demonstration. But, the principles are the same. When you do it in Windows you have to use the GUI mode, and quite frankly for these sort of things I personally do not like to do them via a GUI. It’s far more effective to do them from the Linux terminal. Some of the tools that we will need I will mention them here, and feel free to read up on them a little bit on the net as you progress through the course, and then go through the videos as well. There’s a lot of extra information out there on the net, especially if you come accross any problems using the software. Also, feel free to post in the discussion section if something is not working. I will be more than happy to walk you through it.
So, just type in yum search. This is one of the tools that we will need, aircrack-ng, press enter, and it should find it shortly. There we go. Aircrack is in the default repositories of Fedora, and you will be able to find it there without any sort of problems. So, it says aircrack-ng.x86_64, this is a standard for wireless, and it says sniffer and WEP/WVP-PSK key cracker. We’re interested in this part, key cracker. Basically, you can install it anywhere, we can even install it on the virtual machine. We could capture the file on the virtual machine, and then transfer the file to the host machine to crack it. However, that is not what we wil be doing today. Let’s go ahead and install aircrack and I will teach you how to use it.
There a few more tools related to aircrack, but there is one more tool that we will use that employs a completely different method, it uses a completely different way of cracking wireless passwords, and we will mainly be covering the WPA and WPA2 password encryption methods. I will do a brief demonstration of how to crack WEP, but, I mean, chances of you encountering WEP in today’s world are practically non-existent. If you open up your cell phone, I don’t know if you’re using Android, or an Apple phone, or a Windows Phone, and whatever else is out there, just take a look at the wireless networks around you, and take a look at the encryption methods because they will be shown to you. You will almost never see WEP. If you ever do see it, it’s practically open Wi-Fi. WEP has been cracked, it takes a very short amount of time to break it. You don’t need to use any sophisticated methods, a child could crack it without any problems. Basically, just follow through the procedure, and that’s it.
Now, as I was saying, there is another method of doing this for WPA, and the name of the tool is Reaver. Reaver is not in Fedora’s default repository, so we will need to go through the installation process and find it on the net. But, basically, what Reaver does is guess the pins on your router. So, most routers these days have pin authentication. This enables you press a button and everybody around you can connect to that router. Basically, these things have been invented primarily for Windows users. Rarely, very rarely, will you find a Linux distro with support for pins. This method is highly insecure. I mean, that is really one of the downsides of wireless networks. If you’re using pin authentication, you should definitely disable it on your home routers as it enables malicious attackers to take your WiFi, get your IP address, and from there move on to more serious things. I will show you how to disable these things as well on one of my routers that I have here. I believe I have a tp-link router. I will plug it in later on and show you what it does.
As a part of the aircrack package you will get a few other programs which we will use. One program in the aircrack package enables you to perform a DoS attack on wireless networks around you. So, you will be able to deauthenticate whoever you want, whenever you want, as long as two conditions are met. The first condition is proximity, that you are close enough to the network, and the second condition is that you actually have to scan in monitor mode, with your network card, and figure out what is going on around you. You need the the MAC address of that access point, and the MAC address of the person you want to jam. This is not difficult to do, this is easy, as both MAC addresses are public information. All you need to do is listen for them. That is what monitor mode enables you to do. Network cards have multiple modes which they can operate in, but there are only two which are of interest to us. There is promiscuous mode where your card will receive all packets on the same network segment, whereas the normal mode will only accept packets addressed to your MAC address. Typically, your card will disregard encrypted information not addressed to it. However, if you put your network cards in to monitor mode, they will take all of this traffic, process it, and see what they can retrieve from it. Most of this information is encrypted, but some of it isn’t. MAC addresses can’t be encrypted. You can take it, and you can jam whoever you want. You can deny wireless access to pretty much everybody within the range using your laptop, no extra devices are needed. Of course, it is necessary that your network card supports monitor mode. There is a compatibility list on the net, I will show it to you in the follow-up tutorial.
For the time being, I just wanted to introduce you to the chapter, and to show you what we shall be doing. I would advise you perform a quick search of aircrack-ng on Google, or whatever your favorite search engine is. For Reaver as well. Read some additional information on these two software packages. I will show you how to install aircrack-ng and Reaver in the follow up tutorial. I will also show how to install aircrack-ng on Windows, and I will attempt Reaver as well. Reaver tends to break on Windows, and that can be problematic. I will show you how to install aircrack-ng. I’ll show you how to use it a bit, it’s not difficult, there’s a graphical interface. However, I restate once again, you should have a Linux host machine which you can use, to which you have access. These tools work much faster on Linux machines. They work much better, they’re faster, and quite frankly they are easier to install. Plus, you get a higher degree of anonymity. Anyway, I bid you all farewell, and I’ll see you in the follow up tutorial.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will show you some more stuff you can do with nmap. But, more importantly than that, I will show you a tool which you can use to assign a physical location, namely a city, to an IP address. It’s relatively precise, but the downside of it is that you can only make 1,000 queries per day. I mean, 1,000 queries per day is still fairly reasonable, however if you’re doing some form of mass scanning it won’t really help you much. You will need to go online and download additional libraries for that. But, 1,000 is a very good number, and let me just show you how it actually works.
So, here I have a command. This is the command that I’ve used previously, scanme.nmap.org, and to pull information from it. So, it’s curl ipinfo.IO/, and then you get an IP address here, it’s a curl script, just copy/paste that here, and this is the command, curl. This is the argument that you are passing to it along with the IP address. Once you press ENTER it queries the server, and there you go. You have an IP, and you get a host name as well. You get a city, it’s Vermont, it’s region is California, a country, U.S. You even get some coordinates here, organization, postal code, and so on and so forth. So, you get some really useful information here in regard to an IP address. But, as I said, the downside is that you can make only 1,000 queries per a day. So, you’re not doing anything illegal here, you are simply querying a database somewhere in the world to give you specific information on an IP address. You could have done this by simply typing on the net whois, however I wish to teach you how to do these things in the terminal so that you will be less dependent on the browser. Anyway, let me just go ahead and clear this.
What I would like to cover today with you are some external resources which you can use in combination with nmap. Nmap has a wide variety of scripts that are applicable to it, and then you will be able to use nmap in order to scan for particular vulnerabilities on servers elsewhere in the world. Go ahead and open up your browser. Okay, so I have this website, scanme.nmap.org, open here, and on the website there is a link, it’s nmap.org, and then some links here. Look, here we have a list of categories of the sort of scripts I can run with nmap in order to scan for particular vulnerabilities. There are 490 scripts. For example, here are scripts I can use for DoS (denial of service) attacks. Anyway, let’s go and click on one of the links. I’m going to go ahead and click on vuln, general thing, and now I have all these things here. So, if you’re wondering how you can bypass firewall rules, well, simply use a script. It says, firewall-bypass: detects vulnerability in netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. Let’s open it up in a new tab. Once you click on it you’ll get the exact syntax on how to use it, so example usage. Instead of just type in the IP address, and that’s it. Literally, that is the only thing that you need to change here. Copy/paste this command, and then just change the last thing into the IP address that you wish to scan. I’m not going to go through all of them, as I said there are 490 different scripts. We will be using a few of them in the later tutorials where we will get into demonstrations, once we actually start attacking particular services and start exploiting their vulnerabilities. There are many resources here which you can utilize, and I strongly advise you to go on to this website and check it out. This is the most important part for you on this website, it’s the availability of these scripts. So, take a look at what they do, and you can save yourself a ton of time by conducting a scan for certain types of exploits. If I click on exploits, it gives me all various sorts of exploits. For example, if I’m attacking a very secure File Transfer Protocol, it explains in great detail what it does, and if you click on it it’s going to give you the exact syntax which you need to use. Literally, the exact syntax which you need to use. Right next to it you just type in the IP address of whatever host you want, and that’s it. There are no changes, there is nothing else that you need to do, you just copy/paste this, and change the name here.
Anyway, I’m just going to go ahead and scroll up, and I have yet another website that I wish to show you. It’s called exploit-db. So, just type in exploit-db, and the first site that pops up should be exploit database by offensive security. This is one of the largest databases out there in regard to vulnerabilities. You can find them all in one place here. There are some very nice wireless tricks that you can use here, reverse shells, privilege escalation, pretty much everything. We will be using this site fairly extensively in the follow up tutorials, but I just wanted to mention it here so that you can explore it a little bit. Feel free to go through the website. For example, take a look at the router that you are using. Identify the router you are using, take a look at what sort of router was provided to you by the ISP provider, and then go ahead and click on search in the upper right corner. I’m going to click on it and search for the vulnerabilities of home routers. See what you can do with it. You can look at it by a port, there is a free text search, description, order, platform, look at how many platforms are down there. If you don’t know what platform it is just just try a free text search. Type in the name of your router in the text search and it’s bound to give you some vulnerabilities, because most home routers have more vulnerabilities than they should. So, that is the task that I leave you with. I want you to open up this website, exploit database, find a vulnerability with your home router, and once you’ve done that there will be a description of how to use it. Try using it, try exploiting it. If it fails, not a problem. We will get into greater detail regarding routers later on in the course. If you have any questions, feel free to post them in the question section.
Before I leave, once more, over here you have scripts that you can use with nmap to detect particular vulnerabilities. Just click on it, you will get the exact syntax. All you need to do is change the IP address. The website is exploit-db, use this website extensively, it is very good. There are a lot of vulnerabilities on it, pretty much all of them are located there. The site is open, free, anybody can access it, no registration required. With that, I bid you farewell.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will do some actual scanning, and for that I have picked a domain outside of my local area network. You can find this on the nmap official site, scanme.nmap.org. Feel free to this site as they have given the public permission, but do not abuse the privilege. A few scans per days is sufficient to learn how to use nmap.
So, I need to take this domain. You cannot use control + C or control + V in the terminal because control + C is the universal interrupt command, and control + V will simply not work. You will need to use a mouse and manually do it. In any case, we need to trim this down, we don’t need any of these things, we just want the main name to remain. I’m going to go ahead and type in nmap, space, and there we go. We’re going to scan this domain. However, if I just press ENTER like this, it’s going to conduct some scanning, it will do the job I assure you, but it will not give us any output whatsoever. This will be continuously empty until the scan is complete. For a short scan such as this, zero output in the terminal is fine, but if you’re conducting a scan that can last up to a day, it’s worrying to see that there is nothing here. You can’t be sure whether it’s working, if it is bugged, or what not, and that’s why it’s always better to pass the V option for verbose output. I have a personal preference to pass the VV option for extra verbose output. So, the system tells me pretty much everything that it is doing, and how it is functioning, and I can see it as it progresses, and I can see that some ports are open prior to the completion of the scan. I’ll just go ahead and begin the scan, and you can see immediately, before it finished the scan, it has told me that ports 22 and 80 are open. Now, by default, nmap will scan for 1,000 ports. You can tell it to scan for more ports. You can even tell it to scan for the maximum range of ports which is 65,535. Rarely anyone does this as it is time-consuming. Usually, you have an idea what sort of services you wish to target, and then you scan for the ports on which those services are likely to run. For example, port 22 would be SSH (secure shell), and port 25 is SMTP (simple mail transfer protocol). If you don’t know what that is it’s an email server. 80 would be HTTP (hypertext transfer protocol), and you have nping-echo on port 9929. The state of these ports is rather clear. So, it’s open, open, open, and you can also get a state to closed. It says here not shown, 996 ports closed. When it says filtered, well, usually there’s a firewall setting which is dropping the packets. It may not be closing the board perhaps, but it’s definitely doing something to the packets that are coming through that port. It’s perhaps blocking them from a certain IP, or something of a kind, there can be a lot of options here. In any case, the general meaning of this filtered flag here is that nmap can not determine whether the port is open or closed. Usually, you want to stay away from those ports, or you can do some extra research and find out how you can access them. They may require a particular app, or a particular protocol, to be accessed, and that’s why nmap cannot scan it properly. That can be a bit problematic. Stick to the open ports and see what you can do with the them. Now, nmap also has an option to create a graphical output. Basically, you can dump your results here into a file, you can store it, and sort it as well. You then gain the ability to extract separate bits and pieces of information. For example, if you simply want the IP addresses of hosts that are up, or you want the IP addresses of hosts that have port 22 open or filtered, or that are running a certain service like SSH, or SMTP, or HTTP, etc. However, I won’t be doing that for scanme.nmap.org. I believe I have used their system enough, and for this example I require a range of IP addresses to give you a meaningful result.
What I’m going to do now is scan my local subnet. If you don’t know what yours is, well, it’s most likely configured as mine is. If it’s not, just type in…let’s just clear the screen first. Type in ifconfig and you will get a result here for eth0, or for whatever interface you are using. Just take a look at this IP address that has been assigned to this interface. So, the lowest and the maximum value of the final octet here, or the first octet here, will be the range of your local subnet. So from 0 to 255. Let me just show you what that looks like in case you did not understand here. Type in nmap, and then for a graphical output we need -oG, – and then we need to give it a range of IP addresses. So, 192.168.1.0 – 255. So, it’s going to scan for all of the IP addresses that have this, and that go from 0 to 255. Now keep in mind that I can customize the range anyway I want. For example, here where it says 1, I can type in – 67. So, it’s going to use these, it’s going to use this octet, and this octet in combination, and it’s going to scan for all possibilities, although that might take a lot of time because that’s a lot of IP addresses. Anyway, I’m not done just yet. What I need to do is actually cause a redirect. So, before I cause a redirect I’m just going give request double verbosity mode. Why am I redirecting my standard output? Well, I don’t want all of the information to be printed out in the terminal window where eventually it will be lost, pretty much as soon as I close the terminal, or as soon as enough commands are passed that the cache needs to be rewritten for the terminal. Furthermore, if it’s written out in standard output and on the terminal itself, I can’t do anything else with it. I cannot manipulate it, it’s not a file that I can take, rather instead it’s just standard output. What I want to do is cause a redirect with a greater than sign into a file. So, I’m just going to go ahead and type in /home/, and I’m going to name this file SCAN, excellent! So, all of the results that nmap gathers will be stored into this file here, and this is the path to the file. Even though I have passed a good amount of hosts here, I’ve given it 255 hosts, because I’m in LAN it’s going to go faster. When you’re doing this over the Internet, a very good idea is to pass a port, or at least a port range. Don’t let it scan all 1,000 ports. Or, even worse, do not specify that it should scan a full port range. Regardless of what sort of internet connection you have, it will take a good amount of time to finish. Furthermore, you’re bound to trigger some red flags, so you should define a port here in order to save yourself a lot of time, and I mean generally you will know which service you want to attack, you will have some sort of an idea there. I’m going to go ahead and pass port 22, that is the port that I wish to scan for, press ENTER, and let’s see if this is successful. There we go, it is functioning. It finished rather fast. Even though I passed double verbosity mode, everything here is being redirected here, so I won’t see anything in the terminal window. If this scan takes longer when you’re doing it over the internet, and it will take longer if you’re doing it over the internet, don’t think immediately that something has failed. So, let’s just do this, ls, now look what I’m doing here. I’m going to do a very similar thing with our scan file, and I’m going to type in grep SCAN, press enter, there we go. I have passed the ls command to list pretty much everything within the home directory, and then I have piped the output of ls to grep, basically pipe means just pass it. I’ve passed the output to grep, and what grep does is basically pull whatever you specify here. It pulls it from the output. I’ve told it to pull whatever is in there, that has the name scan, or that has the string scan within it. So, I could have had a name like AAA, scan, BBB, it would still pull it without any problems. This is one of the ways in which we can make sure that the file is located within a certain folder, especially in situations where you have hundreds of files in a single folder, and you don’t want to go through them manually. Just use grep if you know the name, or if you know a partial name, in order to figure out what is where. So, let’s go ahead and clear the screen, and let me just show you what is located within our scan file. So, less scan, press Enter, and there we go. We have pretty much all the hosts within my LAN network, within my local subnet. They are all down of course because I don’t have 255 computers or devices within my home network, rather instead you see what it has found. It has found the router IP, the router that I’m using for this test, and it says port 22/filtered/TCP/SSH. That one has an open port of 22, it’s status is up, and I also have on 100 status is up, 22 is closed, on 102 is up, it’s filtered, and so on and so forth.
So, let me go ahead and do a very similar thing here because I want to leave it on the screen, so I can explain it to you. The less command is very nice but when you exit it disappears. Cat, however, prints everything within a file to standard output, and it stays here for the duration of the terminal. The reason why I did this will become apparent quite soon. So, what you want to do now is type in cat SCAN as before, and now we want to pipe the output of SCAN to grep in order to pull something out of here, the useful information. Let’s say that I want to pull all the hosts that are up. I want to pull all live hosts, I want to see their IP addresses, and when I type in grep what is the universal markation for all the hosts that are up? Well, you have a flag here, status and then flag up. Let’s go ahead and type in up, press Enter, excellent! I will give you a bit of clarity, there we go. You have these flags which are up, so I have all the hosts here that are currently up and running,
that are alive on the network, but this is not what I want. If I wanted to pass these IP addresses to another program, I wouldn’t be able to pass this whole line because it wouldn’t make any sense. Especially, if the other program is only requesting the IP address of the host. You perform one nmap scan to see which hosts are alive, and then once you figure out which hosts are alive you can do a more detailed scan on those particular hosts. This would save a lot of time. So, we have these hosts here, but we want to pull these IP addresses. I’m afraid I just can’t do that with grep. Perhaps I could, but it would be too complicated and it really wouldn’t be practical. That is why Linux has something that is called awk. Awk is used for formatting text and pulling out certain parts of a file that you have deemed that you need. Now you could make an entire separate tutorial on awk. I would strongly advise that you familiarize yourselves with awk by referencing the man pages. However, for the time being, and for the purposes of this tutorial, we will be using some basic awk commands which pretty much everybody uses, and which are a necessary part of pen-testing. So, cat can print everything to standard output, grep Up. So, grep all of the lines that contain the word up. And then what I want to do here is eliminate this part, leave this part in, and eliminate this part. How shall I do that? Well, the first thing that we need to do is specify a field delimiter. Basically, if you say that the colon here is a field delimiter, this will be one field, this will be another field, and this will be yet another field. So, you will have three fields in total. However, that doesn’t really work for us. If we say that the colon is a delimiter, this entire section that I’ve highlighted will be considered a field, and we will have parentheses, and the status, the parts that we don’t really want. What you can use as a field delimiter here is a space. So space here, this is one field, this is going to be another, and this again is going to be a field delimiter because there’s a space, and this will be a third one, and then you have another space, and the fourth, and so on and so forth. In order to specify a field delimiter to be space, well simply leave an empty space in between the quotation marks. Generally, you would put quotation marks and you would specify a field delimiter in between them. If you wanted a colon this is how you would do it, but we don’t want a colon. We want a space, and that’s it. Open single quotation marks, open curly brackets, type in print $, and then you need to type in the number of the field that you would like to print out. So, we would like to print out the second field, 2, close curly brackets, close quotation marks, press ENTER, and there we go. We have all the IP addresses listed of the host that are up without anything else. Now, what you can do with this is pass it to another file, it’s called SCAN2, press ENTER, and then you can type in nmap – iL scan2, then you can perform a full nmap scan for just four hosts. This might take a bit. No, I don’t want to view it like that. Let me request double verbose, excellent! So, now you can do a full scan for just four hosts instead of doing it for all 255 hosts. Just figure out which hosts are alive, and you don’t need to do that with port 22, just do a ping sweep, and that’s going to be it. You will be able to figure out which hosts are alive, perform detailed analysis of this particular host, and you can see I’m already receiving information here. My home router is filled with holes, but it doesn’t matter at this moment. I am just using it for the demonstration of this tutorial. I’m going to switch it as soon as I’m done with the tutorial. I have 443 on 102, so I probably have some SSL going on there. Port 80 here, port 23. We will soon see what all these services mean. However, you can experience these flags here, and usually you will experience delays because you know there are some packets that are being dropped, some that are being refused by the servers on the other side. You can also have time limiters, and so on and so forth. So, here you can see the scans and what they have revealed thus far. They will tell me everything that I want to know in regard to my local area network. It even gives out the MAC addresses which I’m going to cover up, and you won’t be able to see them, but, in any case, you see how much information you get, and how much time you can save. I am going to end this tutorial here and we will move on to the next one. I hope that you’ve enjoyed this one, and I’ll see you next time.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, I will show you how to schedule tasks to run upon rebooting your system, or at a certain point of time. In this particular tutorial, we will create a script or a command to change your MAC address each time you restart your Linux system. So, every time you reset your computer, each time you turn off your computer and turn it back on, not only does it give you a random address that anonymizes you further on wireless networks, but it will make sure that you do not share your permanent MAC address. You might think to yourself, well, I can just change the MAC address every time I need to change it. Well, you will forget, trust me. It’s far simpler to set a cronjob once, and it will run each time you reboot your computer. If we take a look in ifconfig, I don’t actually have any wireless interfaces configured here, mostly because this is a virtual machine. We will be doing some of the things on my other machine, on my Fedora host machine, but for the time being we will use eth0, my wired interface, as an example. You can just as easily do this with any other interface that you have. The only thing that should vary is the name of interface. For example, this one is eth0, wireless1 would be eth1. On my Fedora system the wireless interface is wlp2s0.
In any case, what we need to do is clear the screen. There is is a Linux software utility called cron, it should be included with nearly every Linux distribution available, and this is what you use in order to schedule tasks to run for you in an automated fashion. Let’s type in crontab –help, press Enter, and there we go. Let’s take a look at the help menu for this command. It’s fairly small, there aren’t that many options, the tool is fairly simple. You use -e to edit user’s crontab, you use -u to specify the user for which you wish to edit the crontab. That’s helpful if you have multiple users on a single system, but by default it will edit the cronjobs for the current user. You can also list the user’s crontabs, delete the user’s crontabs, very important, and you can also always use -i to prompt before deleting. Remember, once you delete something in Linux it’s gone. There are some methods for retrieving deleted information, but more likely than not it’s permanently gone. You will find it very difficult to retrieve information that you have deleted through the usage of terminal. Anyway, enough about that, let’s go ahead and start editing our scripts that will run on startup. So, type in crontab -e, press ENTER, and there we go. We are prompted with this file. This is opened with VI text editor, so we will need to go through some of the basics. Here it says edit this file to introduce tasks to run by cron. I strongly advise reading through this entire file. It’s very small. Just read it. I’m 99% sure that you will be able to understand pretty much everything that is written here. Over here, the last line is actually the format. You have minutes, you have day of the month, you have day of the week, you have a command for the meaning of each of these separate sections. You can read this file here. So, mon is month, the dom is day of the month, this is hour, this is minute, and so on and so forth. Go through this file, read through it, and you will understand this format to the fullest extent.
For the time being, here is the command that I wish to use. In order for you to edit pretty much anything in VI, VI is a Linux text editor, you need to open a file and then press I. Just go ahead and press I on your keyboard, letter I, and it says you are currently in the insert mode. You can see how I’m highlighting it, now it says insert, and now you can actually type things in. What we want to type in is @reboot, and then type in the command macchanger -r, eth0. That is the command that we use in order to randomize the MAC address of our eth0 network interface. Here you have at reboot. So when do we want this to happen? We want it to happen when the system reboots. When we reboot our machine execute this command. If you wanted to run a script you would just need to specify a path to that script, and then a command to execute it. So just press escape now to exit insert mode, and press : on your keyboard. So just press colon on your keyboard and you will be prompted with a command line here. In the command line you need to type in “w” for write, so write these changes to the file, and then in addition to w you also need to write “q”, quit. After you’ve written to the file I want you to quit the file. If this doesn’t work you can also add an additional argument which is an exclamation mark to forcibly do it, but there is no need in this example, it’s going to work. So quit, there we go. This says installing new crontab, excellent! So we’ll just go ahead and clear the screen, type in macchanger -s to show the MAC address of my interface, eth0, press Enter, and you see it says permanent MAC, this one, current MAC that we are using, same one. Let’s go ahead and reboot the computer, and after the reboot we will see a different current MAC address listed. 08 were the first two places that were occupied in the MAC address. Once we reboot the system I will start up the ifconfig, actually not ifconfig, I will use macchanger from now on to actually verify the MAC addresses of my interfaces. Even though, even though, that is not a good thing. You should honestly be using ifconfig because it is the universal way of checking a MAC address on pretty much any Linux distro out there. While on the other hand, macchanger is most likely only installed by default on Kali Linux, and pretty much any other distro does not have it installed by default. Let’s go ahead and use ifconfig. We’re being logged in at the moment, sorry for any delays. This is a virtual machine so it’s bound to have some slight delays, but surprisingly I have found it very efficient. It’s working at a relatively fast pace. I’ll just go ahead and open up our terminal, type in ifconfig, and you can see that the hardware address has been changed. This one is no longer 08. So, to confirm this further, we’ll just go ahead and type in macchanger -s eth0, excellent! So you can see the permanent MAC is this, current Mac is this. It’s of an unknown type, unknown manufacturer that is. You can take a look at the macchanger help menu to specify the type of a MAC address that you want it to assign to your interface. Feel free to play around with that. Again, if you have any questions in regards to that, feel free to post them, I will be more than happy to help you out in any way that I can. In any case, I bid you farewell, and I hope to see you in the next tutorial.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing:
If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!
Hello everybody and welcome to this tutorial. Today, we will discuss MAC addresses, what they are, how they can be used, and how you can change them in order to anonymize yourself.
So, what is a MAC address? A MAC address is a physical address for all of the individual network interface in your computer. All of your network interfaces have a MAC address, be it a wireless or wired interface, it will have a mac address burned into it. As soon as you connect to a wireless network, or a LAN with a wired cable, that particular MAC address is used to identify you in combination with an IP address within that LAN. The MAC addresses do not go further, they do not go outside the LAN, they do not go outside the first jump from the first router. So, as soon as you go through the first router from your computer, your MAC address is no longer being shared. Anyway, let’s see what a MAC address looks like. So, what command do we use if we want to list our network interfaces? We will be using ifconfig. Press Enter, there we go. I have a loopback interface which I’m not really that interested in, I would like to remove it for the time being, ifconfig eth0, and there we go. I just wanted a listing for this particular interface, and this is your hardware address. Do not confuse it with the ipv6 address which is here. You can see that it is quite a bit lot longer, and it has far more characters than a MAC address. The first three sets of the MAC address are used to identify the manufacturer of the device. You can’t really utilize these last three sets because you don’t really know what the manufacturer has done with them. But, you can use the first three sets in order to figure out who has produced the device, and if you know which company has made has made the device, then you can research the possible vulnerabilities for that device. This is also one of the methods of foot printing, or figuring out a MAC address of a device. If you have a MAC address, you can conclude with reasonable safety who produced the device, and in doing so you will get a better idea of what you can do with the device, how you can exploit it, and so on. Let’s take a closer look here, ifconfig eth0, you can also do this. Let me show you an application of the grep command. You can use | grep, and you type in HWaddr, and there you go, this is a far better listing. It will list eth0, link encap:Ethernet, and HWaddr, so you can see clearly what is written here. I could use the awk command to filter this out, and leave only the MAC address to be printed out, but this provides a good overview as well. Keep in mind that other things can be listed here from one system to another, but you can always view it using the ifconfig command. Once you know how MAC addresses are written, when you know their formats, you will be able to recognize them even in a vast mass of information.
Since MAC addresses are used to identify you within a wireless network, if somebody actually checks the devices within the network they will know who you are, they will be able to kick you off the network, and we would like to protect ourselves from being identified. We want to be anonymous. One of the downsides of MAC addresses and them being used as means of identification, is that you can view the other MAC addresses on the same network. You can then copy those MAC addresses, use them as your own, perform some sort of shenanigans on the network, admins will notice that there is a problem, then they will permanently ban that MAC address. You have successfully performed a denial of service attack. I have seen this used at university multiple times. Basically, what people would do is figure out what the professor’s laptop MAC address is, they would then deliberately perform some kind of malicious activity such as attempting to login in to the router, the administrators would notice, and they would permanently ban that MAC address. This would effectively render the laptop useless for that lecture because that laptop could no longer connect to the wireless projectors where the presentations were being held. They eventually did get caught, and it was a pretty messy situation, but I’m just giving you an example of how these things can be used and abused. I am not suggesting that you should do this. Instead, use it for a benevolent purpose. Don’t use it for silly things that literally have no benefit.
In this particular tutorial I would like to introduce you to a tool called macchanger, so macchanger, press enter, and there you go. You can see it is installed by default with Kali. So, it says Usage: macchanger [options] and then device. I’m going to clear this and type macchanger – -help. Let’s see what kind of options we have with this tool. So, you see you have a few options, not many, it’s a fairly simple tool. We just passed –help, we can print the version and exit, we can print the MAC address and exit. Actually, I have never tried this. Let’s give it a try. macchanger -s eth0. It does indeed give the address. I have always used ifconfig. It gives us the permanent MAC address, and then you have the current MAC address with which we can do whatever we want. Go ahead and clear the screen, for convenience sake, and call the help menu once more. Now this is what I was talking about a moment ago, it says do not change vendor bytes. So, if you want to change your MAC address but still stay within the same vendor, it says don’t change the vendor bytes. Those are the first six characters, the first three sets that is. We can set a random vendor Mac of the same kind, you can also use these parameters, however they are not used very often. Usually, what you would use is either a fully random MAC address, or you would use one for a particular vendor. So you would go online, see what the particular vendor MAC addresses are, or you can print known vendors. There is a list included with the program, let me just show you, -l, and there are a lot of them. So it is only showing you the first three sets, and then for the other three you can type in whatever you feel like typing in. If you would like to be discrete on a network, as a standardized device within that network and not raise any suspicions, this is a good way of doing it. You can have the MAC address of a device that the network administrator is familiar with. They won’t be able to tell the difference unless they actually dig deeper. The important thing here is that if anybody digs deep enough they will find that you are doing something, but the idea is not to raise any flags, any suspicion, and in such a way pass through unnoticed. You of course have the ability to generate a fully random MAC address, and you can also set your own. You can use the -m parameter, or –mac, and then you type in the MAC address that you would like. People will use the MAC addresses of legit devices on the network to conduct malicious activity, and then those devices would be banned.
Let me show you what changing a MAC address looks like. We will deal with this sort of an attack a bit later on when we get into wireless hacking, and breaking wireless encryption, and what you can do on a wireless LAN network. Here I just want to show you what a changed MAC address looks like. So let’s just show eth0. Ok, so, we’ve seen this a moment ago, now here’s what happens when I use macchanger. macchanger -random eth0, press Enter, and there we go. It says permanent, current, new. So this is the new MAC address and it says unknown, I haven’t assigned it to any particular vendor. If I now say show, excellent! So it says permanent and current. The current one is the one that is being shown, that can be seen within the LAN network, and that is used to identify you. You can’t actually destroy your own MAC address because it’s literally burned into the device, this one will be shared with everybody else, and this one will remain within your own computer. It will not exit your interface. Anyway, a good practice would be to set up a script which upon booting changes the MAC address, and sets it to random every time you boot your computer. I will show you this in the next tutorial. Until then I hope that you have enjoyed the tutorial, and thank you for watching.
The remainder of the tutorial videos can be found in this YouTube playlist:
You can also enroll in the course and download the videos for offline viewing: