ARP Poisoning - arpspoof Arpspoof is a tool that is part of a suite called dsniff, which contains a number of network penetration tools. Arpspoof can be used to launch a MITM attack and redirect traffic to flow through our device. 1. Tell the target client th…
MITM - Wireshark Wireshark is a network protocol analyser that is designed to help network administrators keep track of what is happening in their network and analyse all the packets. Wireshark works by logging each packet that flows through the d…
MITM - ARP Poisoning Theory Man In The Middle Attacks - ARP Poisoning This is one of the most dangerous and effective attacks that can be used; it redirects packets to and from any client to our device, and since we have the network key, we…
Nmap Nmap is a network discovery tool that can be used to gather detailed information about any client or network. We shall have a look at some of its uses to discover connected clients and gather information about them. We are going to use Zenmap -…
Post Connection Attacks Sophisticated attacks that can be used after connecting to the target AP. Gathering Information Now that we are connected to a specific AP, we can gather more detailed info about the clients connected to this AP. There is a nu…
Securing your Network From the Above Attacks. Now that we know how to test the security of all known wireless encryption types (WEP/WPA/WPA2), it is relatively easy to secure our networks against these attacks, as we know all the weaknesses that can be used…
WPA Cracking WPA was designed to address the issues in WEP and provide better encryption. The main issue in WEP is the short IV, which means that IVs can be repeated; therefore, by collecting a large number of IVs, aircrack-ng can determine the key stre…
WEP Cracking Basic case Run airodump-ng to log all traffic from the target network. airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface] At the same time, we shall use aircrack-ng to try and crack the key using the capture fi…
Gaining Access to encrypted networks Three main encryption types: 1. WEP 2. WPA 3. WPA2 WEP Cracking WEP is an old encryption standard, but it is still used in some networks, therefore we will explain how to break it. It uses an algorithm called RC4 where each pac…
Deauthentication Attacks Theory This attack is used to disconnect any device from any network within our range, even if the network is protected with a key. The attacker sends de-authentication packets to the router pretending to be the target machine (by s…
Targeted packet sniffing airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface] Now all the data will be stored in the file name specified after the --write option. We can analyze this data using Wireshark. The only problem is tha…
Pre-Connection Attacks - attacks that can be done before connecting to the network. Gaining Access - How to break Wi-Fi keys (WEP/WPA/WPA2). Post-Connection Attacks - attacks that can be done after connecting to the network. Detection & Security - detect and prevent the above a…
Detecting suspicious activities using Wireshark You can make the router's MAC address static in the ARP table to prevent ARP attacks, but this is not effective or practical for big companies. Start the attacks from Kali Linux. Analyze the…
Detecting ARP Poisoning Attacks ARP main security issues: 1. Each ARP request/response is trusted. 2. Clients can accept responses even if they did not send a request. We can use the tool called XArp (http://www.xarp.net/) to detect this kind of attack…
MITM - Code Injection Inject JavaScript or HTML code into pages. The code gets executed on the target machine. Use the --inject plugin. Code can be: 1. Stored in a local file: --js-file or --html-file 2. Stored online: --js-url or --html-url 3. Or you can supply…
MITM - Capturing Screen Of Target & Injecting a Keylogger ScreenShotter Plugin: ScreenShotter: Uses HTML5 Canvas to render an accurate screenshot of a client's browser --screen Load plugin 'ScreenShotter' --interval SECONDS Interval at which screensho…
MITM - DNS Spoofing DNS Spoofing allows us to redirect any request for a certain domain to another domain; for example, we can redirect any request for live.com to a fake page! 1. Edit DNS settings: leafpad /etc/mitmf/mitms.conf 2. Run ettercap to arp…
Session Hijacking What if the user uses the "remember me" feature? If the user uses this feature, authentication happens using cookies and not the username and password, so instead of sniffing the password we can sniff the cookies and inject…
MITM - bypassing HTTPS Most websites use HTTPS on their login pages; this means that these pages are validated using an SSL certificate and will therefore show a warning to the user if the certificate is invalid. SSLstrip is a tool that can be used…
ARP Poisoning - MITMf MITMf is a framework that allows us to launch a number of MITM attacks. MITMf also starts SSLstrip automatically to bypass HTTPS/SSL. Download and Install the MITMf tool from the following website: https://github.com/byt3bl33d3r…
WEP Cracking Packet Injection What if the AP is idle, or has no clients associated with it? In this case, we have to inject packets into the traffic in order to force the router to create new packets with new IVs. Before we can start injecting pack…
Creating a fake access point (honeypot) Fake access points can be handy in many scenarios; one example is creating an open AP, which will attract a lot of clients, many of which will automatically connect to it. Then we can sniff all the traffic creat…
Change MAC Address using macchanger. Packet Sniffing Basics Airodump-ng airodump-ng is a program that is part of the aircrack-ng package; it's a packet sniffer that allows us to capture all the packets that are in our Wi-Fi card's range. We can also use it to…
ALFA AWUS 1900 RTL8814AU https://www.alfa.com.tw/products_detail/2.htm Follow the guide on aircrack-ng/rtl8812au step by step. https://github.com/aircrack-ng/rtl8812au Because VMware Workstation has issues, giving a kernel oops on module load, I swit…
SQL INJECTION SQLMAP A tool designed to exploit SQL injections. Works with many DB types (MySQL, MSSQL, etc.). >sqlmap --help >sqlmap -u [target URL] The following are examples: sqlmap -u "http://10.0.0.24/mutillidae/index.php?page=user-info.php&…
OWASP ZAP (ZED ATTACK PROXY) Automatically finds vulnerabilities in web applications. Free and easy to use. It can also be used for manual testing. This is the welcome page. Options Page. Scan Policy Setting Page. Attack this target URL http://10.0.0.24…
SQL INJECTION WHAT IS SQL? Most websites use a database to store data. Most data is stored in it (usernames, passwords, etc.). The web application reads, updates and inserts data in the database. Interaction with the DB is done using SQL. WHY ARE THEY SO DANGEROUS…
XSS VULNS XSS - CROSS SITE SCRIPTING VULNS Allow an attacker to inject JavaScript code into the page. The code is executed when the page loads. The code is executed on the client machine, not the server. Three main types: 1. Persistent/Stored XSS 2.…
SQL INJECTION Preventing SQLi Filters can be bypassed. Use a blacklist of commands? Still can be bypassed. Use a whitelist? Same issue. -> Use parameterized statements; separate data from SQL code. <?php //$textbox1 = admin' union select # Select * fr…
SQL INJECTION Discovering SQLi in GET Inject via the browser URL. Selecting Data From the Database Change the number to a big one, and you get a useful error message. You can then try different numbers to find the right column. Using “union select 1,2,3,4,…