Pentesting Thread

Okay so I've been experimenting with various pentesting tools. I know how to use the aircrack-ng suite to deauthenticate clients on a WPA network and capture the handshake packet. I know how to crack weak passwords with hashcat. What can I do once I am inside a person's wifi network? I know most of the time people have default username/password set on the router so I can usually gain access to that. However, what can I do with that? What else can I do other than access network shares and fuck with their router settings?


You could, for example, forward all traffic logs back to yourself. You could mitm spoof incoming traffic and compromise any device on the network with malware.
You could make a new router account for I dunno, further access? Could you tunnel in far enough to persist past a full flash? Probably. Would you need to if you've taken over any of the machines on the network? Probably not. Network security is difficult.
So when you say you intercept the handshake, you can then access the router?

>You could mitm spoof incoming traffic and compromise any device on the network with malware
I assume this would have to be done on the router. Would I need to flash it with custom firmware in order to accomplish this? I have LEDE (an OpenWRT fork) on my router right now. Do you know of any tools I could install on that to experiment with this?

No, remember, routers are just mini Linux computers, some even come equipped with Python, but you can script whatever the fuck you want on them... I don't know any tools because obviously mitm malware compromise and dragnet surveillance are reprehensible unless you are using them against the establishment and not your neighbour. You could script something that logs requests, and a cron job that FTPs that file to you before it overflows and empties it to start again.

Got it. I'm learning about tools like arpspoof and driftnet now. Once I get the hang of that it shouldn't be too difficult to figure out how to modify driftnet to intercept downloaded .exe files and serve custom malware in their place.

Wouldn't even necessarily need to be .exes, you could append something into a .zip or pdf or some shit...
The feds have literally just started mitm android apps, game needs no permissions? "This application won't work properly without microphone permissions" cunts.

>you could append something into a .zip or pdf
Wouldn't that be detected by most antivirus programs?

That depends on whether you specifically program it to avoid detection.

>I Just Learned How to Install This Cool Thing Called Kali Linux I Saw On Mr. Robot, Now What?: The Thread

Here's a CBT Nuggets course on pen testing.

The guy's voice is incredibly unbearable but it's still good info.

nofile.io/f/vxZX6HTmg7H/Penetration Testing with Linux Tools.zip

ARP poison

tldr: all traffic is sent to you

also do ssl strip
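Added defender-side example, not code from the thread: the ARP poisoning described above shows up on the wire as the gateway's IP suddenly being claimed by a second MAC, so a small watcher that tracks IP-to-MAC bindings in ARP replies can flag it. The tcpdump-style log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies in tcpdump -n style ("is-at" = ARP reply).
# 192.168.1.1 is the gateway; de:ad:be:ef:00:99 starts claiming it (and a client).
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:02.000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
10:00:03.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:04.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:05.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:00:06.000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def detect_arp_spoofing(log_text, gateway_ip):
    """Return (timestamp, severity, message) alerts for suspicious ARP replies.

    Two signals: an IP whose MAC binding changes (HIGH if it is the gateway,
    since that is what redirects all traffic), and one MAC claiming several IPs.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue  # not an ARP reply; requests carry no binding claim
        ts, ip, mac = m.group("ts"), m.group("ip"), m.group("mac").lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} changed from {prev} to {mac}"))
        ip_to_mac[ip] = mac
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if newly_claimed and len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "MEDIUM", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, "192.168.1.1"):
        print(*alert)
```

The flapping between the real gateway MAC and the new one (lines 4 and 5 of the sample) is the characteristic pattern, because the legitimate host keeps answering while the poisoner keeps overwriting.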

Most wifi attacks are only useful for MITM attacks and passively spying on traffic. Keep in mind that you will not be able to read encrypted channels (HTTPS, SSL, SSH, etc.) unless you launch a DNS poisoning attack for specific machines.

Best attack vector for full access (assuming a machine is running as admin, which most normies do):

>MITM the wifi
>DNS poison google to your own crafted phishing page maybe a little dropper.
>Drop malware with some remote connectivity.
>1337 haxor

or you could use default creds on a router, change the DNS or routing settings to point to illegal sites or to a phishing site of your choice.

All in all, if you haven't gotten a shell on a machine from a phishing email or dropper, you will be limited in your attacks on wifi due to HTTPS and other protocols. Master making good phishing emails and sites and you will be a semi-OK pen tester in no time.

By the way never do this on a network you do not own. That should be obvious.

>Implying
I use Arch Linux and have known about aircrack-ng since before Mr Robot existed.

Anyone know if a WiFi network which uses WPS of both types LAB and PBC can be cracked? I know that PBC is impractical to crack because of the short time window, but if it supports both LAB and PBC, I can still exploit LAB regardless of whether the button was pushed recently, right?

Anyone ever try to get the SSID of a hidden open network? Apparently it's possible with aircrack after capturing a handshake.

Just make a literal botnet. You could do it grey hat and use their computers to train a neural network, or black hat and just set up a bunch of miners.

Anyone know a wireless adapter that allows you to set a MAC address in Windows 10? (locally administered MAC address)

I haven't seen that shit since the XP days, but recently I installed Windows on my MacBook and I found that feature. Well, it's great, but the range is fucking trash so I can't use it.

I searched the chip but eventually found that it's an OEM chip used only by Apple.

this and set up a mitm proxy to replace downloads of proprietary software with their libre replacements

I have had this idea for a while that I would get a raspberry pi or similar device with a wifi module, then write a script that would send deauthentication packets to all devices of my choice. Then I could carry this with me and shut down wifi traffic. This would be especially useful in areas where there's a low-bandwidth public wifi and lots of people using it. By doing this I could throw out all the other devices and use all the traffic myself.

Has anyone else done this? Is it a good idea/bad idea, and how illegal is it?
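Added defender-side example, not code from the thread: the deauthentication flood described above is easy to spot from a monitor-mode capture, because one source emits far more deauth frames per second than any access point legitimately would. The frame log below is constructed sample data in a simplified "timestamp type src dst" format.

```python
from collections import defaultdict, deque

# Constructed sample: one 802.11 management frame per line, "ts type src dst".
# aa:bb:cc:dd:ee:01 sends six deauths in 0.1 s (mostly to broadcast);
# aa:bb:cc:dd:ee:02 sends two deauths four seconds apart (normal churn).
SAMPLE_FRAMES = """\
0.00 beacon aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
0.10 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66
0.12 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:67
0.14 deauth aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
0.16 deauth aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
0.18 deauth aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
0.20 deauth aa:bb:cc:dd:ee:01 ff:ff:ff:ff:ff:ff
5.00 deauth aa:bb:cc:dd:ee:02 11:22:33:44:55:68
9.00 deauth aa:bb:cc:dd:ee:02 11:22:33:44:55:68
"""


def detect_deauth_flood(frame_text, window=1.0, threshold=5):
    """Return (timestamp, src, count) alerts when a source sends >= threshold
    deauth frames within `window` seconds. One alert per burst: the source is
    re-armed once its count drops below the threshold again."""
    recent = defaultdict(deque)  # src -> timestamps of deauths in the window
    alerted = set()
    alerts = []
    for line in frame_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "deauth":
            continue  # only deauthentication frames count toward the rate
        ts, src = float(parts[0]), parts[2]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            if src not in alerted:
                alerts.append((ts, src, len(q)))
                alerted.add(src)
        else:
            alerted.discard(src)
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print("deauth flood at %.2fs from %s (%d frames)" % alert)
```

Deauth frames addressed to the broadcast MAC are themselves a strong signal, since an access point normally deauthenticates individual clients; the sample shows both patterns.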

If I recall correctly, all you have to do is use aireplay-ng to deauthenticate a connected client while airodump-ng is running. Then when the client reconnects, airodump-ng will automatically pick up the SSID.

Kismet usually detects the SSID of hidden networks automatically. It may only be during connects though, as this guy says.

Sslstrip is useless nowadays because most sites use really tricked-out SSL setups combined with modern browsers that detect mitm attacks. It's possible to arp poison and listen for one URL, then forward them to a spoofer page locally hosted on your own machine to capture credentials.

Also, OP could sniff traffic with Wireshark and log sites visited. Won't be able to crack the strong SSL nowadays, but you could still see the domain they are visiting if you just want to snoop.

Lastly, if the router supports OpenWrt you could gain access and flash their router with the firmware and then possibly use it for other stuff. Careful you don't brick it though.

Why not use KRACK?
Seems much faster and most networks are still not protected.

>flash their router with the firmware and then possibly use it for other stuff.
Can you elaborate a little on this point? What would you use it for? What packages would you install?

It's an FCC violation to willingly interfere with radio signals. Just like operating a ham radio without a license.

Isn't that a client-side vulnerability that has already been patched on Windows and most Linux distros? Also, iirc that does not allow you to connect to their wifi network or obtain the wifi password.

Well, if you're the router you are the man in the middle, so no need to arp poison anymore... You could maybe capture traffic some way, although router NVRAM is limited. Might be able to turn on a VPN or SSH and bounce traffic off it, or use it as your own personal VPN.

I'm sorry to tell you that since most sites force strong SSL nowadays, mitm has become much more complicated.

It is client-side, which means it is a lot harder to patch.
E.g., most Android phones are not patched.

ITT script kiddies. Pathetic.

>E.g., most Android phones are not patched.
Sure, but I believe almost all desktop computers are patched. If I understand the situation correctly, all I would be able to do is snoop on unencrypted Android communications, which is pretty boring imo.

You could possibly inject cryptominer.js into their pages, provided it's HTTP plaintext traffic.

HTTP plaintext is not really used anymore though. Even the smallest websites seem to be using SSL now.

>HTTP plaintext is not really used anymore though
Many porn websites still (ironically) do not use SSL encryption.

Scenario:
Some guy has a wifi, which probably means a laptop and an Android, maybe a desktop.
Laptop and desktop is patched, is not.
You run the attack on the Android phone, gain access to the network and then you snoop on the phone, the laptop AND the desktop.
When you have access to the network, you can do all kinds of things, redirect traffic to a site to phish their passwords, etc.

Laptop and desktop is patched, the phone is not.*

They are starting to now. The major ones like Pornhub and xHamster use HTTPS now. Maybe some smaller ones don't, but it won't be long before they do.

The door on mitm attacks seems to be closing.

It doesn't really let you gain access to the network though. It only lets you snoop on the traffic for that particular client. It doesn't get you the wifi password or allow you to authenticate your clients with their router.

I may be wrong, but that is the understanding I came to after reading about it.

you made a gay thread, faggot

Interesting, thanks anons

sent ;)