Wireless AP forgery made easy with Wifi Honey.
I wrote a post about installing Kali NetHunter a while back, which you can read here: Building the Hacker Phone. Since then I have tested quite a few features of the Kali NetHunter phone, so I thought I would share a quick and easy wifi hacking tutorial with you all.
Even prior to launching this blog I had written at least 7 or 8 wifi hacking / web cracking posts and tutorials. I never published any of these tutorials because of the clunky, annoying but simple sequence of steps these kinds of attacks were comprised of. I'm glad to see that Kali NetHunter and Wifite change all of this.
What you can do now with a mobile device in your pocket is verging on spectacular, so without further ado let's go into the details.
Wifite is an automated wireless auditing script. If you are familiar with using airmon and aircrack-ng, Wifite basically rolls up those tools and the process behind finding APs and automating penetration tests against them. In short, it cuts out the complexity and manual work required when running these tools from the command line.
Preparation: What you will need
- A phone with Kali NetHunter installed (in this example I used a Nexus 5).
- A USB to USB-C adapter.
- A Wireless Network adapter.
The Score: Running Wifite
As always, remember: I have carried out all of the steps in this post on networks and devices I own and operate; doing so anywhere else may be an offence.
Running wifite is very easy. To begin, navigate to the Kali menu on your NetHunter phone and click "Launch wifite". To progress further than this you are going to need your additional wireless adapter attached to your NetHunter device. Make sure you have a small adapter or one that uses very little energy; in my earlier tests I wasn't able to get some larger adapters working with my NetHunter device.
First you will be asked which device you want to put into monitor mode. You should put your external wifi adapter into monitor mode; this will most likely turn up as wlan1, whereas your phone's inbuilt adapter will show up as wlan0. Select the appropriate number to progress to the next step.
Based on your choice, wifite will create a monitor mode interface which will listen for any traffic flowing through the ether.
Once it has finished scanning you should see a constantly refreshing list of SSIDs; press Control + C to select which APs to attack.
Now list the numbers next to the APs you want to attack and watch wifite churn through them, running a combination of active and passive attacks to try to capture enough session info to decipher a wifi key.
Please note that in this example I attacked my own network and had devices authenticating and de-authenticating multiple times to generate this information quickly.
Opening the vault: Working out the password
Unlike using wifite on a Kali desktop, NetHunter introduces a few additional steps into the equation after you have successfully captured enough info to start cracking an AP's password.
NetHunter will save your session as a .cap file. If for some reason you would like to go through your capture in a program like Wireshark for analysis you will need to convert it into a .pcap file; you can do that by going to the link here and uploading your .cap file:
From there you can upload your .cap file to the Distributed WPA PSK auditor, a service where people dedicate compute power to WPA cracking. You can upload your file by going to http://wpa-sec.stanev.org/?submit
Unfortunately, since my wifi password is super complex, none of these tools were able to crack it in a timely fashion :). But the screen below shows you what your end result should look like:
It has taken much longer than expected to get this simple tutorial published; between work and study it hasn't been easy to make enough time. That said, if this post proves popular I'd like to take the concept of wifi heists further in future posts by having multiple tools tested and examined, as well as offering some more in-depth scenarios, perhaps via video? In closing, I hope you found this tutorial useful or at least mildly entertaining. This is just one of the features Kali NetHunter offers; there will be many more covered soon!
As always, please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
One of my favourite TV shows is Person of Interest. I was just finishing up my Computer Science degree when the show first started airing, and I was amazed at how easily Reese and Finch managed to bluejack unsuspecting "numbers". In high school I had a range of Bluetooth sniffers installed on my trusty and highly customizable Sony Ericsson. Unfortunately, by the time Person of Interest started airing everyone had either moved to Android or the iPhone, and Bluetooth sniffing was never the same.
Recently I purchased the Ubertooth One to see how much Bluetooth sniffing has changed since my high school days; this post documents my first attempts at Bluetooth sniffing / cracking with the Ubertooth One.
What you will need
In order to be able to successfully set-up a Bluetooth sniffing system you will need the following:
- An Ubertooth One device.
- An additional Bluetooth dongle or Bluetooth adapter.
- A PC which runs Windows, Mac OSX or Linux.
- A bootable USB running Kali Linux (this one is optional)
You can perform these activities on just about every major desktop operating system, but for this tutorial we focused on running this with Kali Linux.
The most difficult part of Bluetooth sniffing – installing all of the tools
I caution you: there are a number of resources on the internet dedicated to setting up the Ubertooth One, this post included. After spending a day and a half attempting to get Bluetooth sniffing working with absolutely zero background on the subject, my perseverance and can-do attitude kicked in and I had the Ubertooth and the associated scanning commands working like a charm. To save everybody the trouble, here are the golden rules of getting the Ubertooth running on your machine:
- Ignore all of the blog posts and websites which tell you how to install / configure the Ubertooth One (most of them are no longer relevant).
- Only follow the installation guide at this location
- Update your Ubertooth firmware asap.
One final tip: make sure you have a range of additional Bluetooth tools you can use for Bluetooth debugging / sniffing. If you're having trouble with the install it's good to have an arsenal of other tools you can use to verify whether the issue you are experiencing is a configuration issue or a hardware issue.
Learning to walk before you can run: viewing the Wi-Fi spectrum with the Ubertooth One
Getting the Ubertooth One set up for Bluetooth sniffing isn't the easiest activity, so I recommend that before you go into any sniffing you walk through some of the Ubertooth One's other capabilities, i.e. spectrum analysis.
To get started make sure you have installed Kismet and spectools for spectrum analysis. To install Kismet and spectools follow the commands below:
root@kali:~# git clone https://www.kismetwireless.net/spectools.git
Cloning into 'spectools'
root@kali:~# cd spectools
root@kali:~/spectools# ./configure
root@kali:~/spectools# make
root@kali:~/spectools# make install
Now to run spectools simply type:
Below are some screen caps of some of the Spectrum analysis I performed:
How does one listen in on Bluetooth?
Once your Ubertooth is set up and configured you can run the following commands to analyse Bluetooth traffic.
hcitool is one of the default Linux Bluetooth utilities; when run it will return the MAC address and name of any Bluetooth devices in range:
root@kali:~# hcitool scan
ubertooth-scan is one of the Ubertooth utilities; it also allows you to passively monitor Bluetooth traffic. Below is the command line usage:
root@kali:~# ubertooth-scan -s
The majority of the scanning work I undertook was with ubertooth-btle. This allows you to capture Bluetooth traffic between Bluetooth Low Energy compatible devices. BLE is becoming one of the preferred methods of Bluetooth communication between new devices; next time you're in a store just look at the Bluetooth devices, most of them should say Bluetooth Low Energy compatible.
To run ubertooth-btle in promiscuous mode and output the contents into a pcap file simply run the command:
root@kali:~# ubertooth-btle -p -f -c capture.pcap
Below is a sample of what the BTLE packets look like when you run ubertooth-btle in promiscuous mode:
systime=1441512979 freq=2440 addr=8d651b4d delta_t=3.599 ms
86 9e d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 4f a7 f5
Data / AA 8d651b4d (valid) / 30 bytes
    Channel Index: 17
    LLID: 2 / LL Data PDU / L2CAP start
    NESN: 1  SN: 0  MD: 0
    Data: d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5
    CRC:  4f a7 f5

systime=1441512979 freq=2440 addr=72f844df delta_t=146.421 ms
01 00 9b 72 68
Data / AA 72f844df (valid) / 0 bytes
    Channel Index: 17
    LLID: 1 / LL Data PDU / empty or L2CAP continuation
    NESN: 0  SN: 0  MD: 0
    Data:
    CRC:  9b 72 68
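To make the annotations in that dump concrete, here is an added example (my own code, not the post's or the Ubertooth project's) that parses the text ubertooth-btle prints and recovers the LLID/NESN/SN/MD bits, payload, CRC and channel index from the raw bytes. The embedded sample is the two packets above; it assumes a BLE 4.0/4.1 capture, where the length field is the low 5 bits of the second header byte.

```python
import re
# Example added to this write-up, not code from the post or the Ubertooth
# project: it decodes the text "ubertooth-btle -p" prints into the link-layer
# fields the tool annotates. A BLE 4.0/4.1 data-channel PDU is 2-byte header |
# payload | 3-byte CRC (access address printed separately, not in the hex).
# SAMPLE_DUMP is the capture shown in the post.

LLID_NAMES = {1: "LL Data PDU / empty or L2CAP continuation",
              2: "LL Data PDU / L2CAP start", 3: "LL Control PDU"}

SAMPLE_DUMP = """
systime=1441512979 freq=2440 addr=8d651b4d delta_t=3.599 ms
86 9e d1 00 65 92 86 01 5d 3e 0e 5e 65 e0 61 9a 7d f7 04 c8 9f f5 45 00 ce f5 cc c8 8f 67 02 f5 4f a7 f5
Data / AA 8d651b4d (valid) / 30 bytes
systime=1441512979 freq=2440 addr=72f844df delta_t=146.421 ms
01 00 9b 72 68
Data / AA 72f844df (valid) / 0 bytes
"""

HEADER_RE = re.compile(
    r"systime=(\d+)\s+freq=(\d+)\s+addr=([0-9a-f]{8})\s+delta_t=([\d.]+) ms"
    r"\s+((?:[0-9a-f]{2}\s+)+)")          # trailing group: the raw PDU bytes

def channel_index(freq_mhz: int) -> int:
    """BLE channel index: 37/38/39 are advertising, 0-36 data (2 MHz raster)."""
    adv = {2402: 37, 2426: 38, 2480: 39}
    if freq_mhz in adv:
        return adv[freq_mhz]
    if 2404 <= freq_mhz <= 2424 and freq_mhz % 2 == 0:
        return (freq_mhz - 2404) // 2
    if 2428 <= freq_mhz <= 2478 and freq_mhz % 2 == 0:
        return 11 + (freq_mhz - 2428) // 2
    raise ValueError(f"{freq_mhz} MHz is not a BLE channel")

def decode_pdu(raw: bytes) -> dict:
    """Split a data-channel PDU into its header bits, payload and CRC."""
    hdr, length = raw[0], raw[1] & 0x1F      # 4.0/4.1: length is the low 5 bits
    if len(raw) != 2 + length + 3:           # header + payload + CRC-24
        raise ValueError(f"length field {length} does not match {len(raw)} bytes")
    return {"llid": hdr & 0x3, "nesn": (hdr >> 2) & 1, "sn": (hdr >> 3) & 1,
            "md": (hdr >> 4) & 1, "length": length,
            "llid_name": LLID_NAMES.get(hdr & 0x3, "reserved"),
            "payload": raw[2:2 + length], "crc": raw[2 + length:]}

def parse_dump(text: str) -> list:
    """Return one dict per packet in a ubertooth-btle text dump."""
    packets = []
    for m in HEADER_RE.finditer(text):
        pkt = {"systime": int(m.group(1)), "freq_mhz": int(m.group(2)),
               "channel": channel_index(int(m.group(2))),
               "access_addr": m.group(3), "delta_ms": float(m.group(4))}
        pkt.update(decode_pdu(bytes.fromhex(m.group(5))))
        packets.append(pkt)
    return packets
```

Running parse_dump(SAMPLE_DUMP) reproduces the tool's own annotations (channel 17, LLID 2 with a 30-byte L2CAP start fragment, then an empty LLID 1 PDU), which is a quick way to sanity-check a capture before feeding it to other tools.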
If you want to follow a specific device you can use the command below, where "00000000" would be the device's MAC address:
root@kali:~# ubertooth-btle -a 00000000
Using crackle to decrypt Bluetooth packets
Crackle is an easy to use brute force cracking utility. Since most Bluetooth pairing codes which encrypt traffic between two devices are only 4-6 digits long, they can be easily recovered if the pairing between the two devices is captured, and this also allows you to listen in on future interactions between the two devices, as we will show shortly. But first let's walk through installing crackle, which can be done by following the commands below:
root@kali:~# tar xf crackle-0.1.tgz
root@kali:~# cd crackle-0.1
root@kali:~/crackle-0.1# ls
aes.c  aes-enc.c  aes_i.h  COPYING  crackle.h  README
aes-ccm.c  aes.h  AUTHORS  crackle.c  Makefile  test.c
root@kali:~/crackle-0.1# make
cc -Wall -Werror -g -c -o crackle.o crackle.c
cc -Wall -Werror -g -c -o aes.o aes.c
cc -Wall -Werror -g -c -o aes-ccm.o aes-ccm.c
cc -Wall -Werror -g -c -o aes-enc.o aes-enc.c
cc -Wall -Werror -g -c -o test.o test.c
cc -o crackle crackle.o aes.o aes-ccm.o aes-enc.o test.o -lpcap
root@kali:~/crackle-0.1# make install
Once crackle is installed we can begin walking through using it to decrypt pcap files containing Bluetooth data. To do this simply run the following command on your desired pcap file:
root@kali:~/crackle-sample# crackle -i ltk_exchange.pcap -o decrypted.pcap
TK found: 000000
ding ding ding, using a TK of 0! Just Cracks(tm)
Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3
Now to listen in on future communications between the two devices, run the following command on a pcap file and supply the LTK value you discovered earlier:
root@kali:~/crackle-sample# crackle -i encrypted_known_ltk.pcap -o decrypted2.pcap -l 7f62c053f104a5bbe68b1d896a2ed49c
Warning: packet is too short to be encrypted (1), skipping
Warning: packet is too short to be encrypted (2), skipping
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: could not decrypt packet! Copying as is..
Warning: invalid packet (length to long), skipping
Done, processed 297 total packets, decrypted 7
With some of my own BLE captures there wasn't enough packet info to run crackle successfully, so I ran crackle with some sample files to give an overview of how the tool works.
Here are a few good resources you should check out:
Bluetooth, hopefully this article packages it up into a nice, easily digestible format, as the process to get it to this level wasn't that straightforward or error free.
As promised, here is the week that was (well, what was read):
- 14 YouTube videos you need to watch for your career: https://www.jayschulman.com/the-14-best-youtube-videos-to-grow-your-security-career/
- Proxy chaining: http://resources.infosecinstitute.com/proxy-chaining/
- Difference between a hacker and a script kiddie: http://resources.infosecinstitute.com/25-ways-to-become-the-ultimate-script-kiddie/
- YSO Mobile Pentesting: http://www.sectechno.com/yso-mobile-security-framework-mobile-application-pen-testing-framework/
- Smalisca – Static Code Analysis for Smali files: http://www.sectechno.com/smalisca-static-code-analysis-for-smali-files/
- Katoolin - install all the Kali tools on your machine: https://n0where.net/automatically-install-all-kali-linux-tools-katoolin/
Those of you who have read a few of my previous posts may have noticed I use Kali Linux a lot; there's a good reason for that: it's easily one of the most versatile and comprehensive Linux distros available. Recently Offensive Security, the group behind Kali Linux, released Kali NetHunter, which is basically Kali Linux packed into an Android smartphone or tablet.
If anybody has seen or heard of the game Watch_Dogs, Kali NetHunter is like Aiden Pearce's smartphone. For those of you who haven't heard of Watch_Dogs, the premise is this: Aiden Pearce, a notorious hacker, roams around Chicago hacking a smart city with nothing but his smartphone. Kali NetHunter is pretty much the closest thing available to Aiden's phone.
I recently went about installing Kali NetHunter on an LG Nexus 5; this post documents what did and what didn't work in regards to getting it up and running. I hope you find this useful and that it may save you a couple of hours in future when it comes to rooting your own phone or installing Kali NetHunter. Once again I remind you: make sure you never carry out any of these activities on devices that don't belong to you or that you don't have permission to be working on. Kali NetHunter is a powerful tool; use it wisely.
What you will need
- A PC running Windows, Mac OSX or Linux
- A Kali compatible device (I used a Google Nexus 5); the list of compatible devices is here
Installing it (the way that didn't work)
First you will need to prepare your phone; you can find the steps for this in the prep link above. In short it involves enabling developer mode on your phone and disabling MTP storage.
After that the fun begins: you will need to install Nexus Tools to be able to configure your phone via the terminal.
bash: install.sh: command not found
root@kali:~# bash <(curl -s https://raw.githubusercontent.com/corbindavenport/nexus-tools/master/install.sh)
[INFO] Nexus Tools 2.6.3
[INFO] Please enter sudo password for install.
[ OK ] Sudo access granted.
[INFO] Downloading ADB for Linux [Intel CPU]
[INFO] Success.
[INFO] Downloading Fastboot for Linux [Intel CPU]
[INFO] Success.
[INFO] Downloading udev list
[INFO] Success.
[INFO] Fix permissions
[ OK ] Fixed.
[INFO] Fix ownership
[ OK ] Fixed.
[INFO] Making ADB and Fastboot executable
[INFO] ADB OK.
[INFO] Fastboot OK.
[ OK ] Done, type adb or fastboot to run!
After that, to check adb is working run the following command (your device should be visible):
root@kali:~# adb devices
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
List of devices attached
sleuthdevice00001	unauthorized
After this you will want to download the files listed in the ls command below (these are available on the Kali install website):
root@kali:~# ls
CF-Auto-Root-hammerhead-hammerhead-nexus5.zip  Desktop  kali_linux_nethunter_1.21_hammerhead_lolipop.zip  openrecovery-twrp-188.8.131.52-hammerhead.img
Now to unlock and root your phone you will need to run the following commands in the exact sequence shown below:
root@kali:~# adb reboot bootloader
root@kali:~# fastboot oem unlock
OKAY [ 18.770s]
finished. total time: 18.771s
root@kali:~# fastboot flash recovery openrecovery-twrp-184.108.40.206-hammerhead.img
sending 'recovery' (14000 KB)
OKAY [ 0.653s]
writing 'recovery'
OKAY [ 1.080s]
finished. total time: 1.733s
root@kali:~# chmod 755 root-linux.sh
root@kali:~# ./root-linux.sh
----- CF-Auto-Root-hammerhead-hammerhead-nexus5 -----
Please make sure your device is in bootloader/fastboot mode before continuing.
***WARNING*** ALL YOUR DATA *MAY* BE WIPED ! ***WARNING***
We are going to run the OEM UNLOCK command on your device.
If your device was not previously unlocked, this will wipe all your data !
After the unlock, CF-Auto-Root will boot. You should see a big red Android on your device's screen.
You may need to enter your administrator password to continue.
Press Ctrl+C to cancel !
Press ENTER to continue
FAILED (remote: Already Unlocked)
downloading 'boot.img'
OKAY
booting
OKAY
It may take a minute or so for the red Android to appear.
If it doesn't show up at all, there may be a problem.
Press ENTER to continue
root@kali:~# adb devices
List of devices attached
sleuthdevice00001	device
After this my phone got stuck in a boot loop, with the TWRP logo flashing on the screen before rebooting.
So what next? After re-running the install process under Linux a few times and seeing no change I tried with Windows. I was able to progress a little further, but after installing NetHunter the phone kept crashing when trying to do something simple like unlocking the phone or opening the menu; the phone was once again rendered unusable at this point.
Installing it (the way that works)
I then tried using the Kali NetHunter Windows Installer, which was by far the easiest and simplest of the three install processes I tried. You simply install the tool and follow the prompts; it downloads all the necessary files and installs them. At the end I had a fully functioning Kali NetHunter device!
Stuff you can do with it
Here's a small list of some of the things NetHunter can do:
- You can use it to boot into ISO images on a PC with Drive Droid
- You can run Metasploit on it!
- Offensive Security have precompiled a number of handy penetration testing tools and attacks; you can see them in action on the Kali website.
- You can use it as a webserver!
- You can use VNC and keyboard features to control PCs.
- Perform NFC attacks
- Monitor / capture / sniff Wi-Fi traffic
I have also included a slideshow of browsing through some of the functionality: