How-To Hack Wifi: Testing Defenses

Hacking Wifi is useful since we want to test our defenses, to make sure we have a certain level of defense set up.

Aircrak-ng is used to crack the Wifi encryption that is available on Kali Linux Operating system (the operating system built for pentesters/ethical hackers)

aircracksnippet

As in this tutorial by WonderHowTo there is a few steps one has to perform before capturing data from the targeted Wifi Access point.

 

First one has to set up a Wifi card that is accessible by airodump-ng for the aircrank-ng process attempt to crack the WEP or WPA password key of the Access point to be tested.

Aircrack-ng is the primary application with the aircrack-ng suite, which is used for password cracking. It’s capable of using statistical techniques to crack WEP and dictionary cracks for WPA and WPA2 after capturing the WPA handshake.”

One then accumulates a certain level of data before trying to crack the code.

There are several other tools in the Aircrack-ng toolset:

 

Aireplay-ng – it can generate or accelerate traffic on the Access point, potentiall run WEP and WPA2 password attacks as well as ARP injection.

Airdecap-ng – decrypt wireless traffic once the key is cracked

Airtun-ng – virtual tunnel interface creator

Airolib-ng – stores or manages ESSIDs to help crack the password cracking.

Airbase-ng can make the laptop/computer into an Access point.

The reason one wants to spend time testing defenses is that Wifi tends to be set up and then forgotten, and if it was set up incorrectly then it should be fixed.

We  at Fixvirus.com have a WifiService: Psi service

just the router

An old Wifi Linksys router

Hydra Tool Can Crack Your Online Passwords

Here is a website link that discusses Hydra trying to crack online passwords at websites:

http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html

The tool can attack (and iterate)  through a set amount of dictionary passwords to ssh and ftp server accounts very easily (without any extra configuration)

If there are website forms that have usernames and passwords (like WordPress or Joomla or other CMS(Content Management Systems)

 

There is a better web blog explaining what Hydra does and a successful sample attack:

http://cs337-unyunizer.blogspot.com/

hydrasnippetfromattack

The snippet is from the cs337-unyunizer.blogspot.com webpage

All the white responses are the attempts at hacking, while the green text response was the successful attack with the correct password.

 

So this tool makes finding a password easy to set up, the hard part of course is finding a good dictionary list of words to attack the username password  (this is also called brute-force password attack)

 

Interesting to note, but if CAPTCHA is implemented well, this method will not work at all.

So let’s say one is a criminal hacker, the key is to find a good password file (from known passwords on the internet) there are likely files out there which allow the criminal to amass a decent password file, which would allow you to attack sites with this password dictionary file. Or one can generate a fgile on their own.

 

A good Google search can start the hacker on the way to building this file.

http://security.stackexchange.com/questions/1376/where-can-i-find-good-dictionaries-for-dictionary-attacks  is an example. of a link.

There is a list of password dictionaries at this site https://wiki.skullsecurity.org/Passwords . There are some lists that were used by the Conficker worm to spread.

As well as some leaked passwords (like from Sony etc. that have been compiled here.

So you can see it is a relatively straight forward method to try and go after online websites that have username and passwords.

Why am I saying this?  Because we ahve to become better at making passwords, change your passwords, make them longer and use less known words combinations with numbers and special characters. And the longer the better, to the tune of 10-20 letters.

 

Check this xkcd comic:  http://xkcd.com/936/  Tries to show pictorally that it is better to run together several words rather than using difficult combinations that cannot be remembered.

 

How Dangerous is SQL Injection?

A good tutorial of basic SQL injection (without a tool):

http://www.kalitutorials.net/2014/03/sql-injection-how-it-works.html

manualsqlinjection

Notice the bottom entryuser-id field: ‘ OR 1= 1; /*

and in password field: */–

As it states in the image (from the kalitutorials website) the second statement gives you access to data of all accounts.

 

Why is this? because a 1=1 statement  is “true” and we also have to enter something in the password field.

If the SQL data entry process (or function) does not dismiss this potential entry then there is a possibility that the SQL database response will be with all data or at least all data for the way the SQL function is calling in a specific table.

 

As the website mentions this is basically what the tools are performing in an automated manner, maybe with some variations in entries.

 

Another interesting bit of information are Dorks  (an input query into a search engine(Google for example) which attempt to find websites with certain text included:  inurl:”buy.php?category=”   for example.

dorksearchquery

 

Notice the response UNION ALL SELECT null,null in the search

 

this is how your website can be “found out” by criminal hackers, as they try to find victims of their attacks.

And slowly but surely  they then try to perform more sophisticated attacks using sqlmap and more

http://www.kalitutorials.net/2014/03/hacking-website-with-sqlmap-in-kali.html

With sqlmap you can test the url to inject with a command like

sqlmap -u <URL to inject>

As the hacker starts to map all your data they will get more and more  info that is not really for public consumption (or so it was thought).

 

 

It is not a good idea to give out too much information without knowing any circumstances. As an ethical hacker one needs to have permission to attempt to crack(or hack) a database interface. And if it is giving out too much information then one has to mitigate this situation.

At this point I will leave more sqlmap hacking for a specific pentest situation.

Contact Us to discuss further details.

Training the Next Cybersecurity Professionals

http://www.darkreading.com/operations/educating-the-cyberwarriors-of-the-future/a/d-id/1319590

 

Jeff Shilling opines that we need more experienced people in the Cybersecurity field. As usual the issue is senior-level execs do not fully understand all the ramification differences with

1.  a person with 5+ years experience in IT plus Cyber Security Knowledge   (no university degree)some certifications

or

2. a person with 2 years experience and has all the cyber Security certifications. (plus university degree)

 

His assertion is that the experience trumps the formal education, in fact with someone that came out of college with a degree, usually has 4 years working at the degree, so you add 1 or 2 years in the working world it does seem that a college degree (even in computer science or an engineering degree)  would not give the same outlook on a cyber security job than someone with 5 years in the working world without a 4 year college degree.

 

I think he misses the point that we need someone with experience(2-5 years or more), and a college degree, since the difficulties in today’s cyber security field will not become simpler.

 

There is nothing like being placed in a situation that was not in the books, was not taught by the college instructors, and the person has to figure it out on the job as it comes.

 

certified-ethical-hacker-LogoA Certified ethical Hacker has to have at least 4 years of security experience or have 3 years of security experience plus a college degree.  So the college degree is worth 1 year of experience not 3 or 4.

Another aspect is Cyber Security training for all users:

http://garyleemillner.com/information-security-awareness-or-cybersecurity-training/#sthash.ZZD0J8Vf.dpbs

security-awareness-training  (from garyleemillner.com)

Most people do not understand cyber Security and have had no training.

That makes sense, this is why we have this big problem of phishing and malware downloading. the general understanding of Cyber Security is horrible. Thsi is also why senior execs have such a low understanding of the true problem at hand.

 

Oversitesentry.com and fixvirus.com is trying to change that.  Little by little we are trying to help.

 

Testing Website With Owasp-zap

The Google code website link: https://code.google.com/p/zaproxy/

Here is an interesting bit of info (from the link above):

ZAP came second in the Top Security Tools of 2014 as voted by ToolsWatch.org readers

owaspzapscreenshot

 

Here is a screenshot with my test on my own website – www.fixvirus.com

I clicked on the response tab after Owasp-Zap tries to execute a variety of illegal attempts on my website.

If you have a website and need this done all you need is a copy of Kali-Linux and permission to “attack” the site.

As you can see OWASP runs a variety of GET commands with some attempts at sql injection and more logic testing. It has been shown when you enter “1=1” in a form the system responding may come back with more data then it was supposed to…  why would it do that? Well for some reason the person developing the website code did not do enough security testing.

 

This is why we recommend always to have a seperate entitiy testing your website, especially if it is performing some kind of dynamic code, accesses a database, scripting (javascript), and other .net technologies.

 

This is a basic thing cybersecurity, but we want to review it with all.

 

Running a basic owasp-command is just the beginning…  After a security professional starts with that initial test, depending on the responses further tests may be warranted.