2014-08-26

Project Xplico (PLANNED)

Estimated Time of Completion: December 2014

2014-08-24

Rooted Nexus 7 - Kali Pwn Pad (IN PROGRESS)

After keeping the Nexus 7 stock and slave to Google through a hot California summer, I finally decided to void its warranty by attempting to root it, multi-boot ROMs and run Kali Linux on it. These are my notes and Google search results.

IMPORTANT: Read each Phase (more than once if necessary) completely before you take any action. Take note of the GREEN updates; they are the ones that actually worked. Each Phase is a work in progress, and these are my notes to remind me where I left off, so please pardon the mess.

Google Search: "root nexus 7" - Root your Nexus 7
Google Search: "kali nexus 7" - forum.xda-developers.com post by droidshadow

My number one piece of advice for following the instructions: read each step a few times, every letter and every word, including the pop-up windows from the tools when running the actual steps.

Note: be thankful to the guys who already did the leg work to deliver you the step-by-step instructions. The very least you can do is read everything they wrote down, and you'll be doing yourself a favor by doing so.

PHASE 1: Root your Nexus

The text-only instructions are below. The original post/link above has screenshots included. Remember to read the instructions carefully.
Step 1: Enable USB Debugging
You need to allow the toolkit to make a connection to your Nexus, so you'll need to enable USB Debugging. Simply go into Settings -> Developer Options -> USB Debugging.
If you don't see Developer Options, don't worry. Go into Settings -> About Device and tap on Build Number about 7 times. You'll see a toast notification pop up letting you know that you're a developer. Then simply go back and you'll see "Developer options."
Step 2: Download & Install the WugFresh Nexus Toolkit
If you don't know, this kit is a Godsend—it literally does all of the heavy lifting for us. Head over to the WugFresh website and grab the latest version of the Nexus Root Toolkit, which has been updated with KitKat 4.4.2 compatibility.
You can also grab the direct download here. Whenever you run the app, make sure to right-click on the icon and select "Run as administrator".
Step 3: Back Up Your Nexus
The first step to rooting is unlocking the bootloader, which I'll get into a little later. Unfortunately, that process means that you'll need to wipe the data on your device. If you're not interested in starting fresh, the WugFresh toolkit has you covered.
Select "Backup" from the left-most panel, then select the items you want to back up. In general, I only back up SMS and call logs because apps and contacts are restored once you sign in with your Google account.
Unfortunately, app data is not restored automatically, so if you've got a great high score in Flappy Birds that you'd be sad to lose, you may want to back up your apps using the toolkit. Just select "Create Android Backup File," either under "Backup All Apps" or "Backup Single App."
Alternatively, you can back up your Nexus 7 without root or a custom recovery using various other backup tools.
Step 4: Set Up the Toolkit
When you initially launch the toolkit, you'll need to provide some basic information. Choose the specific Nexus device and build you have. If you're not sure what you input here, just select Auto Detect Device + Build.
Next, you'll need to install the proper drivers for your device, if you didn't already do so through the backup process. All you do is select Full Driver Installation Guide and follow the simple instructions.
After going through the driver installation, Unlock your device to make rooting possible.
Unlocking will wipe the device.
Step 5: Root Your Nexus 7
Finally, you're ready to root. Check the Custom Recovery option to also apply TWRP custom recovery to your device, then click Root to initiate the process.
With the custom recovery, you will have an extra step that includes tapping your screen a few times, but it's easy to follow with WugFresh. After the program runs its course, your device will be unlocked and rooted and will reboot.
Step 6: Make Sure You're Rooted

An easy way to make sure the WugFresh toolkit worked and your Nexus 7 is rooted is to download the free Root Checker app from Google Play. Just open the app, select Verify Root, and wait for the results.

PHASE 2: Install MultiRom Manager & Quickboot 

Now that your tablet is rooted you need to install MultiRom Manager. It allows you to put multiple ROMs on your tablet without ever harming your stock (internal) Android ROM. This is a great tool and all of us who use it really owe the developer a lot of credit...

There is a very easy way to install MultiRom Manager. The developer of this program has created an app that you can download from the Google Play Store to install it easily and successfully. 

Open up the Google Play Store and do a search for "multirom manager". Download it, open it up, grant it root permission and run the app. The app will do all of the hard work for you and install MultiRom. Once it is done, reboot your tablet. Since your stock ROM won't have the reboot option, I recommend downloading "Quick Boot" from the Google Play Store. This app requires root access, but it will allow you to quickly reboot your tablet, boot into recovery, or boot into the bootloader.

When you are booting up after installing MultiRom you need to tap on your tablet as MultiRom is counting down. The only ROM that will be listed is "internal" (because you haven't installed any other ROMs); go ahead and boot into "internal" by tapping the Boot button.

IMPORTANT NOTE: it is very important to boot your internal (stock rom) at least one time before you flash/add another ROM with multirom manager. MAKE SURE YOU DO THIS!


PHASE 3: Install additional custom ROMs

Use the Quick Boot app that WugFresh loaded during Phase 1 to boot into "Recovery Mode". Now, in the recovery manager, which works hand in hand with MultiRom, follow these steps:

1. Hit the Advanced button
2. Hit the MultiRom button 
3. Add Rom
4. Select "Add Zip". Choose the cm-11-20131213-bruce2728-odexed-flo.zip file to be flashed.
5. Once that is done flash the zip by sliding the bottom button from left to right. 

Okay now after you flash the zip you should see "ZIP FLASHED SUCCESSFULLY". 
Now what you want to do is hit the back button till you get to the main recovery page.

08/24/2014 UPDATE: NOTE: I have not successfully installed a rom on my device - it keeps FAILING.  Research and testing is currently in progress. Stay tuned.

08/25/2014 Update: upon reading the FAIL message closely, it said that the CM11 version I was trying to load was for a FLO (Nexus 7 2013 - 2 cameras) device while my Nexus 7 was a GROUPER (Nexus 7 2013 - 1 camera). I'm going to try and load the latest GROUPER CM11 I can find and cross my fingers. Here's the CyanogenMod 11 Grouper link -

https://download.cyanogenmod.org/?device=grouper&type=stable


09/06/2014 Update: Sorry for the long delay on updates. The Grouper ROM works for my Nexus 7 (with 1 camera). I've since also flashed the ROM with the PA-Google Apps.  You will need this to be able to get to Google Play.


PA-GOOGLE APPS

https://www.androidfilehost.com/?w=files&flid=15800
http://forum.xda-developers.com/showthread.php?t=2397942

Next step, adding Google Apps from the TWRP recovery manager:

1. advanced
2. multirom
3. list rom
4. Now that you have flashed CM11 you should see a ROM under "internal". Remember, "internal" is your stock rooted Nexus 7 ROM. Tap on the new ROM you just installed.
5. click flash zip.
6. navigate to where you downloaded the pa-gapps.zip file, and pick it.
7. slide the button to flash the zip.

HIT THE BUTTON TO REBOOT YOUR SYSTEM. 

Okay so now that your Nexus 7 is rebooting you need to tap on your device to stop the countdown from MultiRom. There will be 2 choices on the list 'internal' and the ROM you just added. You want to select your newly added rom and tap it again to boot it.  


NOTE: The 'internal' rom is your clean stock factory rooted rom.  To go back to it, you'll need to reboot again and choose it at the multiboot screen.

SET UP YOUR DEVICE and make sure GOOGLE PLAY STORE IS RUNNING CORRECTLY:

IMPORTANT TIP: If the Google Play Store stops working, try rebooting your system. If that does not work and the Google Play Store is giving you an error 920 code, close the Google Play Store, go to Settings -> Apps -> All apps, click on Google Play and wipe data and cache. After that, click on Gmail and wipe data and cache.

WIPING THE CACHE and DATA on GMAIL will fix problems with the GOOGLE PLAY STORE especially error code 920.



PHASE 4: Install Kali Linux

As always: MAKE SURE YOUR TABLET IS PLUGGED IN TO POWER ESPECIALLY FOR THIS STEP!

1. Download the KaliPwnPad: Go to http://w11.zetaboards.com/Pwnie_Express/topic/8951376/1/ and spend some time searching for the latest and greatest version available. The actual version I used is from this download link - https://mega.co.nz/#!aZ5THSxL!PFuyV1Z7Vb-QgmhYF5a7CgMukI1JAGIUkEo972KEgiE

2. After you get the file, boot back up into recovery. Pick your new ROM and perform basically the same "flashing" steps you did when installing the PA-Google Apps.

In Recovery go to -> ADVANCED -> MULTIROM -> LIST ROMS -> SELECT your ROM -> ADD ZIP.

Navigate and select the kali pwn pad file that you downloaded earlier.

WARNING: this file will take about 30 minutes to flash, and you are going to want to keep an eye on it. If at all possible, do not let TWRP time out and turn off the screen. You can avoid TWRP turning off your screen from an idle timeout by tapping your tablet's screen once a minute. I know it may seem like a lot, but it is easier to avoid the screen turning off from an idle timeout. If your tablet's screen does turn off from an idle timeout and you are on POWER, you should be able to turn the screen back on by pressing the power button and swiping the bottom of your tablet from left to right to unlock it.

Okay now that KaliPwnPadv0.5 is flashing you will just have to wait for it to finish...

It does take about 30 minutes for this big file to flash. Now you will see the progress bar filling up. When the progress bar is full don't worry that the zip isn't done flashing. It may take 5-7 minutes after the progress bar is full for the zip file to finish flashing.

Caveats:
- You may see the error "unable to load ramdisk", and the top of the screen may say "Error: unable to flash zip". Don't worry; this will not affect your system.
- Once the file has finished, regardless of whether you got "zip file flashed successfully" or the "unable to load ramdisk" error, you will need to reboot your tablet.

3. Let's light this candle!

- Boot into the ROM you flashed KALI in
- Start your Terminal Emulator
- On the prompt, type "su" (lowercase, as the shell is case-sensitive)
- Get the party started by typing "bootkali"


PHASE 5: USB Drivers and ALFA

09/06/2014 Update: I have recently ordered the cables I need to get the external Wifi connected to the Nexus.  I also have not really flashed the kernel to add the drivers.  I'll continue this project when the required materials arrive.

The Onion Network (good reads)

Want Tor to really work?

You need to change some of your habits, as some things won't work exactly as you are used to.
  1. Use the Tor Browser
    Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
  2. Don't torrent over Tor
    Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that's how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.
  3. Don't enable or install browser plugins
    The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.
  4. Use HTTPS versions of websites
    Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon that website. To help ensure private encryption to websites, the Tor Browser includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website. Also see EFF's interactive page explaining how Tor and HTTPS relate.
  5. Don't open documents downloaded through Tor while online
    The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
  6. Use bridges and/or find company
    Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!

Be smart and learn more. Understand what Tor does and does not offer. This list of pitfalls isn't complete, and we need your help identifying and documenting all the issues.

2014-08-21

Row-Row-Row Your Boat

I leached this post from the internet, but unfortunately have forgotten where I got it. I would like to apologize to and thank the original author for this excellent post.

In order to use Reaver, you need to get your wireless card's interface name, the BSSID of the router you're attempting to crack (the BSSID is a unique series of letters and numbers that identifies a router), and you need to make sure your wireless card is in monitor mode. So let's do all that.

Find your wireless card: Inside Terminal, type:

iwconfig

Press Enter. You should see a wireless device in the subsequent list. Most likely, it'll be named wlan0, but if you have more than one wireless card, or a more unusual networking setup, it may be named something different.

Put your wireless card into monitor mode: Assuming your wireless card's interface name is wlan0, execute the following command to put your wireless card into monitor mode:

airmon-ng start wlan0

This command will output the name of the monitor mode interface, which you'll also want to make note of. Most likely, it'll be mon0, like in the screenshot below. Make note of that.

Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier of the router you're attempting to crack so that you can point Reaver in the right direction. To do this, execute the following command:

airodump-ng wlan0

(Note: If airodump-ng wlan0 doesn't work for you, you may want to try the monitor interface instead—e.g., airodump-ng mon0.)

You'll see a list of the wireless networks in range.

When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy that network's BSSID (it's the series of letters, numbers, and colons on the far left). The network should have WPA or WPA2 listed under the ENC column.  Now, with the BSSID and monitor interface name in hand, you've got everything you need to start up Reaver.

Crack a Network's WPA Password with Reaver
Now execute the following command in the Terminal, replacing bssid and moninterface with the BSSID and monitor interface name that you copied down above:

reaver -i moninterface -b bssid -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was 8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. When Reaver's cracking has completed, it'll look like this:
A few important factors to consider: Reaver worked exactly as advertised in my test, but it won't necessarily work on all routers (see more below). Also, the router you're cracking needs to have a relatively strong signal, so if you're hardly in range of a router, you'll likely experience problems, and Reaver may not work. Throughout the process, Reaver would sometimes experience a timeout, sometimes get locked in a loop trying the same PIN repeatedly, and so on. I just let it keep on running, and kept it close to the router, and eventually it worked its way through.

Also of note, you can pause your progress at any time by pressing Ctrl+C while Reaver is running. This will quit the process, but Reaver will save any progress so that next time you run the command, you can pick up where you left off, as long as you don't shut down your computer (which, if you're running off a live DVD, will reset everything).

How Reaver Works
Now that you've seen how to use Reaver, let's take a quick overview of how Reaver works. The tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It's a feature that exists on many routers, intended to provide an easy setup process, and it's tied to a PIN that's hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that, with enough time, it can reveal your WPA or WPA2 password.

Read more details about the vulnerability at Sean Gallagher's excellent post on Ars Technica.

How to Protect Yourself Against Reaver Attacks
Since the vulnerability lies in the implementation of WPS, your network should be safe if you can simply turn off WPS (or, even better, if your router doesn't support it in the first place). Unfortunately, as Gallagher points out at Ars, even with WPS manually turned off through his router's settings, Reaver was still able to crack his password.

In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they've tested. "On all of the Linksys routers, you cannot manually disable WPS," he said. While the Web interface has a radio button that allegedly turns off WPS configuration, "it's still on and still vulnerable."

So that's kind of a bummer. You may still want to try disabling WPS on your router if you can, and test it against Reaver to see if it helps.

You could also set up MAC address filtering on your router (which only allows specifically whitelisted devices to connect to your network), but a sufficiently savvy hacker could detect the MAC address of a whitelisted device and use MAC address spoofing to imitate that computer.

I have the open-source router firmware DD-WRT installed on my router and I was unable to use Reaver to crack its password. As it turns out, DD-WRT does not support WPS, so there's yet another reason to love the free router-booster. If that's got you interested in DD-WRT, check their supported devices list to see if your router's supported. It's a good security upgrade, and DD-WRT can also do cool things like monitor your internet usage, set up a network hard drive, act as a whole-house ad blocker, boost the range of your Wi-Fi network, and more. It essentially turns your $60 router into a $600 router.
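A defender-side check that is not part of the post above: whether your own access point is still advertising WPS in its beacons, which is how you would confirm the "turned off in the web UI but still on" situation Gallagher describes. This Python example (added here, not code from the original post, from Reaver or from DD-WRT) decodes the information elements of a beacon frame and reports the WPS vendor element; the beacon bytes are constructed inline, and in practice you would feed it the tagged-parameter bytes from a capture of your own AP's beacons.

```python
"""Check whether an access point's beacon still advertises WPS.

Added example, not code from the original post. Parses the 802.11
tagged-parameter (information element) section of a beacon frame and
reports the WPS vendor element, if any. The beacons below are constructed.
"""
import struct

WPS_OUI_TYPE = b"\x00\x50\xf2\x04"   # vendor element: OUI 00:50:F2, type 4 = WPS

# Attribute IDs from the Wi-Fi Simple Configuration TLV format
ATTR_VERSION = 0x104A
ATTR_WPS_STATE = 0x1044          # 1 = not configured, 2 = configured
ATTR_AP_SETUP_LOCKED = 0x1057    # 1 = AP refuses further external-registrar PIN attempts

WPS_STATE_NAMES = {1: "not configured", 2: "configured"}


def parse_ies(ies: bytes):
    """Yield (tag, data) pairs from an 802.11 tagged-parameter blob."""
    pos = 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        data = ies[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        yield tag, data
        pos += 2 + length


def parse_wps_tlvs(payload: bytes) -> dict:
    """Decode the TLV list inside a WPS vendor element into {attr_id: value}."""
    attrs, pos = {}, 0
    while pos + 4 <= len(payload):
        attr_id, length = struct.unpack(">HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated WPS attribute")
        attrs[attr_id] = value
        pos += 4 + length
    return attrs


def wps_status(ies: bytes) -> dict:
    """Summarise what the beacon says about WPS for the SSID it carries."""
    result = {"ssid": None, "wps_advertised": False, "state": None, "ap_setup_locked": False}
    for tag, data in parse_ies(ies):
        if tag == 0:                                         # SSID element
            result["ssid"] = data.decode("utf-8", "replace")
        elif tag == 221 and data.startswith(WPS_OUI_TYPE):   # vendor-specific element carrying WPS
            attrs = parse_wps_tlvs(data[len(WPS_OUI_TYPE):])
            state = attrs.get(ATTR_WPS_STATE, b"\x00")[0]
            result["wps_advertised"] = True
            result["state"] = WPS_STATE_NAMES.get(state, f"unknown({state})")
            result["ap_setup_locked"] = attrs.get(ATTR_AP_SETUP_LOCKED, b"\x00")[0] == 1
    return result


def build_beacon_ies(ssid: str, wps_state=None, locked=0) -> bytes:
    """Construct sample tagged parameters: SSID, DS Parameter Set, optional WPS element."""
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, 6])   # SSID + channel 6
    if wps_state is not None:
        tlvs = (struct.pack(">HHB", ATTR_VERSION, 1, 0x10)
                + struct.pack(">HHB", ATTR_WPS_STATE, 1, wps_state)
                + struct.pack(">HHB", ATTR_AP_SETUP_LOCKED, 1, locked))
        body = WPS_OUI_TYPE + tlvs
        ies += bytes([221, len(body)]) + body
    return ies


# Constructed sample beacons: one AP still advertising WPS, one with it really off.
SAMPLE_WPS_ON = build_beacon_ies("HomeNet-WPS", wps_state=2)
SAMPLE_WPS_OFF = build_beacon_ies("HomeNet-NoWPS")

if __name__ == "__main__":
    for beacon in (SAMPLE_WPS_ON, SAMPLE_WPS_OFF):
        print(wps_status(beacon))
```

If your AP's beacon still carries the WPS element after you disabled it in the settings page, the setting did not take effect, which is the case the post warns about.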

Dsniff and Arpspoof on Mac

This post was originally posted by Lump on machack.org on 24 September 2013 - 12:25 PM.  I have not tested this myself, so no guarantees here.

Using this without authorization is illegal in most places. This guide is for educational and learning use only. Please use common sense and respect personal privacy.


1. What is a Man in the Middle Attack?

As the name describes, you will be the Man in the Middle, meaning that you will sneak into the connection between the attacked device and the router. This implies that you are inside the same network (WLAN) as the target. This attack gives you access to all data running through the attacked device's Internet connection, giving you the possibility to sniff for chats, email, passwords and many, many more things.


2. How can I be safe from that?

There are tools that prevent others from flushing your ARP cache, or just use high encryption while surfing on the Internet, such as PGP (email) or HTTPS. These are just examples; you will find solutions if you search for them.


3. How does the Attack work?

The ARP protocol is used to map IP addresses to specific MAC addresses. Computers use this to identify other devices in the local network. By spoofing ARP replies you can spoof your identity, meaning that your computer seems to be the targeted computer (from the view of the router) and at the same time the targeted computer thinks you are the router. Here is a basic schema of this setup:

[diagram from the original post not reproduced]

4. Before we start:

First of all you need a tool to spoof these ARP replies. There are some, but for this tutorial we will use the tool arpspoof, which is part of the dsniff package. To get this tool running on Mac OS X your best bet is to use MacPorts, so go ahead and download the right version for your operating system: Download Page. After that you should be able to use the

port

command in Terminal (/Applications/Utilities/Terminal.app). Run

sudo port selfupdate

followed by

sudo port install dsniff-devel

or

sudo port install dsniff

Note that when you type in your admin password it will not be displayed! Let the installation run; this can take some time. After it's finished you should be able to use the

arpspoof

command in Terminal.

5. Run the Attack:

Now you're able to start the attack, but before that you should choose the device you want to attack. To find all devices in your local network use this command:

arp -a
[screenshot of the arp -a output from the original post not reproduced]

The first IP is most likely your router's address. Now if you know the IP of your victim and the IP of your router, then you have almost all the information you need to start the attack. We only need to do one more thing. There is one problem if you intercept someone's Internet connections: you receive packets that are not meant to be sent to you, so the operating system will not forward them to the destination; it will just drop them, leaving the attacked one without an Internet connection. To get around this, run these commands in Terminal:

sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1

This will enable packet forwarding on OS X systems. Now open up two new Terminal windows and run these two commands:

sudo arpspoof -i YOURINTERFACE -t VICTIMIP ROUTERIP
sudo arpspoof -i YOURINTERFACE -t ROUTERIP VICTIMIP

Replace:
- YOURINTERFACE with the name of your interface (for WLAN connections most likely en1, and for LAN most likely en0)
- VICTIMIP with the IP address of your victim
- ROUTERIP with your router's IP

After this it should look like this:
[screenshot from the original post not reproduced]

Keep these two windows open until you want to stop your attack! Okay, so now this is all you need to do; you're now redirecting the victim's traffic over your computer to the destination, so you're able to read all transmitted data.

6. How can I sniff Data?

The dsniff package contains some more very nice tools:
- mailsnarf - as the name explains, sniffs for mail
- dsniff - for common password sniffing (for some reason does not capture all passwords)
- msgsnarf - this is meant for specific messages
- urlsnarf - to sniff for browsed websites and user agents
- dnsspoof - to spoof DNS requests and redirect websites
- webmitm - used to decrypt SSL (HTTPS) with faked certificates

Other useful tools:
- Ettercap-ng - ARP spoofing and password sniffing tool
- SSLStrip - to decrypt SSL (HTTPS) websites (did not get this one to run on OS X!)
- tcpdump - dump all captured traffic for later analysis and cookie stealing
- hamster & ferret - cookie hijacker

There are scripts for Facebook chat sniffing and you will find much more if you search for it.


7. How do I stop the Attack?

Just hit Ctrl+C in the opened Terminal, wait 3-4 seconds and then the tool should be terminated. I hope you enjoyed, happy hacking.
 
This post has been edited by Lump: 25 September 2013 - 02:32 AM
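A detection-side complement to the post above, added here and not part of Lump's write-up: a small Python monitor that decodes raw ARP replies and keeps its own IP-to-MAC table, alerting when a known IP suddenly answers from a different MAC and when one MAC ends up claiming two IPs, which is the on-wire footprint left by the pair of arpspoof commands in step 5. The ARP packets and addresses are constructed inline; on a real network they would come from a capture of ARP traffic on the interface.

```python
"""Spot ARP-cache poisoning from the replies seen on the wire.

Added example, not from the original post. Raw ARP payloads (the 28 bytes
after the Ethernet header) are decoded and tracked in an IP-to-MAC table.
The sample traffic at the bottom is constructed for the example.
"""
import struct
from typing import Dict, List, Tuple

ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(pkt: bytes) -> Tuple[int, str, str, str, str]:
    """Decode an ARP payload into (oper, sender_mac, sender_ip, target_mac, target_ip)."""
    if len(pkt) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


class ArpMonitor:
    """Keeps the IP-to-MAC bindings seen so far and records anything inconsistent."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # ip -> mac most recently claimed for it
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> None:
        oper, sha, spa, _, _ = parse_arp(pkt)
        if oper != ARP_REPLY:
            return                              # only replies change neighbour caches
        known = self.table.get(spa)
        if known == sha:
            return                              # consistent with what we already saw
        if known is not None:
            self.alerts.append(f"{spa} changed from {known} to {sha}")
        # The two arpspoof commands make one MAC answer for both the router and the
        # victim, so one MAC behind two IPs is the signature to flag. A host that
        # legitimately owns several IPs would need an allow-list here.
        for ip, mac in self.table.items():
            if ip != spa and mac == sha:
                self.alerts.append(f"{sha} claims both {ip} and {spa}")
        self.table[spa] = sha


def arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw ARP reply; used only to construct the sample traffic."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, mac(sha), ip(spa), mac(tha), ip(tpa))


# Constructed addresses: the router, a victim host and a third host on the same LAN.
ROUTER_MAC, VICTIM_MAC, THIRD_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
ROUTER_IP, VICTIM_IP = "192.168.1.1", "192.168.1.20"

SAMPLE_TRAFFIC = [
    arp_reply(ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),   # normal: router answers victim
    arp_reply(VICTIM_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),   # normal: victim answers router
    arp_reply(THIRD_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),    # third host claims to be the router
    arp_reply(THIRD_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),    # third host claims to be the victim
]


def run_monitor(packets: List[bytes]) -> List[str]:
    mon = ArpMonitor()
    for pkt in packets:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in run_monitor(SAMPLE_TRAFFIC):
        print("ALERT:", line)
```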