Mousejack on the WiFi Pineapple
The Mousejack attack is very useful for dropping payloads on machines that use vulnerable 2.4 GHz (non-Bluetooth) wireless keyboards and mice. After a bit of trial and error it was possible to get the Jackit exploit tool running on a WiFi Pineapple.
The commands to get it up and running are below.
Note: It is also possible to run Jackit on the Pineapple Nano, but Python has to be moved to an external SD card first.
root@pineapple:~$ opkg update
root@pineapple:~$ opkg install python-pip libusb-1.0 libusb-compat
root@pineapple:~$ pip install pyusb click six tabulate
...
Download jackit from the openwrt-libusb branch (https://github.com/Sliim/jackit/tree/openwrt-libusb) and apply that branch's changes relative to master, in particular the modified nrf24 driver (e.g. wget https://raw.githubusercontent.com/Sliim/jackit/4de42c5d9cdae2ed1009b8cd161101e88ab1c76a/jackit/lib/nrf24.py)
...
root@pineapple:~$ ./setup.py build
root@pineapple:~$ ./setup.py install
Jackit Github Page:
https://github.com/insecurityofthings/jackit
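Before debugging Jackit itself it is worth confirming that the Crazyradio PA (flashed with the Bastille nrf-research-firmware, which Jackit requires) is actually enumerated on the Pineapple's USB bus and is the device libusb will see. The following is an added example, not code from the original post or from the Jackit project. It assumes usbutils (lsusb) is installed (opkg install usbutils on OpenWrt); the vendor/product IDs are the ones the Crazyradio PA reports (1915:7777), and the sample lsusb output is constructed, not captured from a real Pineapple.

```python
import re
import subprocess

# Crazyradio PA (the dongle Jackit drives) enumerates with Nordic's vendor ID
# 0x1915 and product ID 0x7777.
CRAZYRADIO_PA = (0x1915, 0x7777)

# One "Bus NNN Device NNN: ID vvvv:pppp ..." line of lsusb output.
LSUSB_LINE = re.compile(
    r"Bus\s+(\d+)\s+Device\s+(\d+):\s+ID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})"
)


def parse_lsusb(output):
    """Turn lsusb text into a list of (bus, device, vid, pid) tuples."""
    devices = []
    for line in output.splitlines():
        m = LSUSB_LINE.search(line)
        if m:
            bus, dev, vid, pid = m.groups()
            devices.append((int(bus), int(dev), int(vid, 16), int(pid, 16)))
    return devices


def find_device(devices, vid, pid):
    """Return (bus, device) of the first matching device, or None if absent."""
    for bus, dev, v, p in devices:
        if (v, p) == (vid, pid):
            return (bus, dev)
    return None


def check_crazyradio(lsusb_output=None):
    """Report where the Crazyradio PA sits on the bus, or None if not enumerated.

    If no text is passed, lsusb is executed (assumed to be installed).
    """
    if lsusb_output is None:
        lsusb_output = subprocess.run(
            ["lsusb"], check=True, capture_output=True, text=True
        ).stdout
    return find_device(parse_lsusb(lsusb_output), *CRAZYRADIO_PA)


# Constructed sample output (not captured from a real Pineapple) so the
# parser can be exercised offline. 0bda:8187 is the RTL8187 in the AWUS036H.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1915:7777 Nordic Semiconductor ASA
Bus 001 Device 002: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter
"""

if __name__ == "__main__":
    where = check_crazyradio()
    if where is None:
        raise SystemExit("Crazyradio PA not enumerated: check the USB port/hub and firmware")
    print("Crazyradio PA found on bus %d device %d" % where)
```

If the dongle is missing here, the problem is USB enumeration or the firmware, not Jackit or its Python dependencies; if it is present but Jackit still fails, the libusb/pyusb layer is the next thing to check.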
Tags: wifi
Increasing the Power Output of your Alfa AWUS036H
OS: Kali Linux
Checking the Current Power Output
In the example below Tx-Power is at the default of 20 dBm (100 mW) permitted by the current regulatory domain.
How this value is determined is explained in depth at Linux Wireless (http://linuxwireless.org/en/developers/Regulatory/)
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Increasing the Output to 1-Watt (30dBm)
To increase the power output of the Alfa AWUS036H to 1 W (30 dBm, the manufacturer-specified maximum) you need to switch the regulatory domain to a country whose rules allow it (e.g. Belize, BZ) and then set txpower manually. Changing the domain only lifts the driver's limit; transmitting above the legal limit of the country you are actually in is still an offence.
root@kali:~$
root@kali:~$
root@kali:~$
root@kali:~$
wlan0 IEEE 802.11bg ESSID:off/any
Mode:Managed Access Point: Not-Associated
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
We have successfully set txpower to 30 dBm (1 W).
Higher values can also be set and detailed instructions are available at Null Byte (http://null-byte.wonderhowto.com/how-to/set-your-wi-fi-cards-tx-power-higher-than-30-dbm-0149606/).
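The change is only worth anything if the card actually reports the new value afterwards, so the check a practitioner wants is to read Tx-Power back from iwconfig after setting it. The following is an added example, not code from the original post. It assumes the usual command sequence (iw reg set for the regulatory domain, ip link to cycle the interface, iwconfig txpower to set the level, all run as root) and uses a constructed iwconfig output for the offline run; the dBm-to-milliwatt conversion shows why 30 dBm is the "1-Watt" figure.

```python
import re
import subprocess

# "Tx-Power=30 dBm" as printed on the Mode/Access Point line of iwconfig.
TXPOWER_RE = re.compile(r"Tx-Power[=:]\s*(-?\d+)\s*dBm")


def parse_txpower_dbm(iwconfig_output):
    """Extract the Tx-Power value (dBm) from `iwconfig <iface>` output, or None."""
    m = TXPOWER_RE.search(iwconfig_output)
    return int(m.group(1)) if m else None


def dbm_to_mw(dbm):
    """Convert dBm to milliwatts: 20 dBm = 100 mW, 30 dBm = 1000 mW (1 W)."""
    return 10 ** (dbm / 10)


def txpower_commands(iface, region, dbm):
    """Assumed command sequence: change regulatory domain, then set Tx power."""
    return [
        ["iw", "reg", "set", region],
        ["ip", "link", "set", iface, "down"],
        ["iwconfig", iface, "txpower", str(dbm)],
        ["ip", "link", "set", iface, "up"],
    ]


def _run(cmd):
    """Execute a command (as root) and return its stdout; raises on failure."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def set_txpower(iface, region, dbm, run=_run):
    """Apply the sequence and return the Tx-Power iwconfig reports afterwards.

    `run` is injectable so the flow can be exercised without root or a card.
    """
    for cmd in txpower_commands(iface, region, dbm):
        run(cmd)
    return parse_txpower_dbm(run(["iwconfig", iface]))


# Constructed iwconfig output (not captured from a real card) for offline checks.
SAMPLE_IWCONFIG = """\
wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
"""

if __name__ == "__main__":
    got = set_txpower("wlan0", "BZ", 30)
    if got != 30:
        raise SystemExit("card reports %s dBm, not 30: driver or domain refused it" % got)
    print("Tx-Power now %d dBm (%.0f mW)" % (got, dbm_to_mw(got)))
```

A mismatch between the requested and reported value usually means the chosen regulatory domain does not permit that level on that channel, or the driver does not honour iwconfig txpower at all; on newer kernels `iw dev wlan0 set txpower fixed 3000` (value in mBm) is the equivalent.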
Tags: wifi
Netgear Wireless Router Default Passphrase Vulnerability
OS: Debian 8
Netgear wireless routers ship with a weak default passphrase: it consists of two dictionary words followed by a three-digit number (http://support1.gearguy.com/useruploads/images/19915v3.PNG):
word1word2xxx
To exploit this vulnerability you will need aircrack-ng, pyrit and a wordlist containing every passphrase that fits the pattern. Initially I was going to generate the dictionary from /usr/share/dict/cracklib-small with crunch, but a ready-made Netgear dictionary is available for download from ScriptKitty (http://www.scriptkitty.ca/index.php/wordlists/).
Installation of Required Software
Manual step-by-step instructions @ blackMORE Ops (http://www.blackmoreops.com/2014/03/13/install-nvidia-driver-kernel-module-cuda-and-pyrit-kali-linux/)
user@debian8:~$
Step 1 – Capturing the Handshake
Plug in your Alfa AWUS036H and capture the 4-way handshake.
Tutorial @ SecurityTube - http://www.securitytube.net/groups?operation=view&groupId=9
user@debian8:~$
user@debian8:~$
Step 2 – Cracking the Capture
Confirm the capture holds usable handshakes, strip it down to those packets (hence stripped-netgear.cap below) and then crack the passphrase against the wordlist.
user@debian8:~$
user@debian8:~$
...
Parsing file 'stripped-netgear.cap' (1/1)...
Parsed 10 packets (10 802.11-packets), got 1 AP(s)
Tried 12235614 PMKs so far; 25683 PMKs per second.
The password is
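To see why the pattern is weak in numbers, the following added example (not code from the original post or from the pyrit or aircrack-ng projects) builds word1word2xxx candidates from two small constructed word lists, derives the WPA2 PMK the way pyrit does for each candidate (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output) and estimates how long a keyspace takes to exhaust at the 25683 PMKs per second measured above. The derivation is checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE"); the word lists and the SSID NETGEAR42 are illustrative and are not the ScriptKitty dictionary.

```python
import hashlib
import itertools
import re

# Letters followed by exactly three digits. The boundary between the two
# words is not visible without the dictionary, so only the shape is checked.
NETGEAR_SHAPE = re.compile(r"^[a-z]{4,}[0-9]{3}$")


def looks_like_netgear_default(candidate):
    """True if a passphrase has the word1word2xxx shape (handy for triaging wordlists)."""
    return NETGEAR_SHAPE.fullmatch(candidate) is not None


def netgear_candidates(adjectives, nouns):
    """Yield every word1word2NNN candidate, NNN = 000..999 (a conservative superset)."""
    for w1, w2 in itertools.product(adjectives, nouns):
        for n in range(1000):
            yield "%s%s%03d" % (w1, w2, n)


def keyspace_size(adjectives, nouns):
    """Number of candidates netgear_candidates() will produce."""
    return len(adjectives) * len(nouns) * 1000


def wpa2_pmk(passphrase, ssid):
    """WPA2 PMK: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 32 bytes.

    This is the per-candidate work that pyrit's "PMKs per second" counts.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def seconds_to_exhaust(keyspace, pmks_per_second):
    """Worst-case time to try every candidate at a measured PMK rate."""
    return keyspace / pmks_per_second


# Constructed word lists and SSID for demonstration only.
ADJECTIVES = ["breezy", "witty"]
NOUNS = ["flower", "coconut", "river"]
SAMPLE_SSID = "NETGEAR42"

if __name__ == "__main__":
    size = keyspace_size(ADJECTIVES, NOUNS)
    print("candidates for the sample lists:", size)
    print("time to exhaust at 25683 PMK/s: %.1f s" % seconds_to_exhaust(size, 25683))
    first = next(netgear_candidates(ADJECTIVES, NOUNS))
    print(first, "->", wpa2_pmk(first, SAMPLE_SSID).hex())
    # Sanity check of the derivation against the IEEE 802.11 test vector.
    print("password/IEEE ->", wpa2_pmk("password", "IEEE").hex())
```

The 12235614 PMKs already tried in the run above correspond to roughly 476 seconds at that rate, which is why a pattern-bounded keyspace like this one is a matter of minutes even on modest hardware; the cost per candidate is fixed by the protocol, so the only defence is a keyspace too large to enumerate.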
Solution
Never keep the default passphrase printed on the router; set a long passphrase that does not follow a predictable pattern. At the 25683 PMKs per second shown above, the 12 million candidates tried took roughly eight minutes, so any passphrase drawn from a pattern-sized keyspace will fall quickly.
Tags: wifi