4. Disclaimer :-
Please note: This session and the ones following it are purely being organized for
educational and informational purposes. Any student found misusing the concepts
taught in the sessions will himself/herself be held responsible for it.
Pratiyush Ray and all the other members of the Developer Student Club, UIET are
not liable for any damage being inflicted by any of the students who were taught
under DSC, UIET.
Students willing to learn Cyber Security will have to sign a declaration form
accepting the above-mentioned conditions. Only after signing the declaration form
will the student get access to DSC UIET's Cyber Security Slack channel and link
to the remaining google meet sessions.
5. Kali Linux
Q) Why Kali Linux?
● Kali Linux is used by hackers because it is a free OS.
● It has over 600 tools for Penetration Testing & Security Analytics.
● Kali follows an open-source model and all the code is available on Git and allowed for tweaking.
● Kali has multi-language support that allows users to operate in their native language.
● Kali Linux is completely customizable according to their comfort all the way down the kernel.
https://www.kali.org/
6. Network Hacking
Q) What is Network Hacking?
● Network Hacking is gathering an
information from network and computers
over the internet.
Methods of Network Hacking:-
● Pre-connection Attacks
● Gaining Access
● Post-connection Attacks
8. Connect Wireless Adapter to Kali
Problems with Built-in Wireless cards
● Can’t be used in Virtual Machines
● Most built-in cards are not good for hacking.
Monitor Mode & Packet
Injection
5Ghz Support
Example Alfa AWUS036NHA Alfa AWUS036ACH
Atheros AR9271 Realtek AR8812AU
9. IPV4 vs IPV6
1. 198.162.1.1
IPV4 - Internet Protocol Version 4
A:B:C:D It lies between 0-255
2. 2001:0db8:85a3:0000:0000:8a2e:0370:7334
IPV6 - Internet Protocol Version 6
A:B:C:D:E:F:G:H It lies between 0-9 , a-f, A-F
Due to this limit of 255 only 4.2 Billion IP Address can connect internet but
population is 7.8 Billion.
IPV6 solved this issue of IPV4 but there is a problem that IPV6 cannot support old
devices.
Also, NAT (Network Address Translation)
10. MAC Address
● Media Access Control
1. Permanent
2. Physical
3. Unique
● Assigned by Manufacturer.
Client 1
Client 2
Access Point
Internet
Mac= 00:11:11:11:11:11
Mac= 00:11:22:33:44:55
Mac= 00:22:22:22:22:22
Source Mac: 00:11:11:11:11:11
Destination Mac: 00:22:22:22:22:22
Why change the MAC Address?
1. Increase Anonymity.
2. Impersonate other devices.
3. Bypass filters.
11. Network Hacking- Pre-connection
Attacks
Packet Sniffing Using Airodump-ng
1. Part of the aircrack-ng suit.
2. Airodump-ng is a packet sniffer.
3. Used to capture all packets within range.
4. Display detailed info about networks around us.
5. Connected clients...etc
Use:
airodump-ng[MonitorModeInterface]
12. Wifi Bands
● Decides the frequency range that can be used.
● Determines the channels that can be used.
● Clients need to support band used by router to communicate with it.
● Data can be sniffed from a certain band if the wireless adapter used
supports that band.
● Most common WiFi Bands are:
1. a uses 5 Ghz frequency only.
2. b,g both use 2.4 Ghz frequency only.
3. n uses 5 and 2.4 Ghz.
4. ac uses frequencies lower than 6 Ghz.
13. Deauthentication Attack
→ Disconnect any client from any network.
● Works on encrypted networks(WEP,WPA,WPA2).
● No need to know the network key.
● No need to connect to the network.
Use:
Aireplay-ng --deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]
14. Process Deauth Attack
Hacker
Client
Access Point
Internet
Mac= 00:11:11:11:11:11
Mac= 00:11:22:33:44:55
Mac= 00:22:22:22:22:22
Source MAC: 00:11:22:33:44:55
Destination MAC: 00:22:22:22:22:22
Message: I want to disconnect
15. Process Deauth Attack
Hacker
Client
Access Point
Internet
Mac= 00:11:11:11:11:11
Mac= 00:11:22:33:44:55
Mac= 00:22:22:22:22:22
Source MAC: 00:22:22:22:22:22
Destination MAC: 00:11:22:33:44:55
Message: Ok! You are going to be
disconnected.
16. Gaining Access
WEP Cracking
● Wired Equivalent Privacy.
● Old encryption.
● Uses an algorithm called RC4.
● Still used in some networks.
● Can be cracked easily.
17. Gaining Access
WEP Cracking
● Client encrypts data using a key.
● Encrypted packet sent in the air.
● Router decrypts packet using the key.
Client
Access Point
Internet
Data to
send to
the router
18. Gaining Access
WEP Cracking
● Each packet is encrypted using a unique key stream.
● Random initialization vector(IV) is used to generate the keys streams.
● The initialization vector is only 24 bits!
● IV+Key(password)=Key stream
Client
Access Point
Internet
Data to
send to
the router
19. Gaining Access
WEP Cracking
● (Initialization Vector) IV is too small(only 24 bits)
● IV is sent in plain text.
Result:
● IV’s will repeat on busy networks.
● This makes WEP vulnerable to statistical attacks.
● Repeated IVs can be used to determine the key stream;
● And break the encryption.
Conclusion:
To Crack WEP we need to:
● Capture a large number of packets/IVs → Using airodump-ng
● Analyse the captured IVs and crack the key. → Using aircrack-ng
20. Gaining Access
WPA/WPA2 Cracking
● Wi-Fi Protected Access (WPA)
● WPA based on TKIP (Temporal Key Integrity Protocol).
● WPA 2 based on CCMP (Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol).
● Both can be cracked using the same methods.
● Made to address the issues in WEP.
● Much more secure.
● Each packet is encrypted using a unique temporary key.
→ Packets contain no useful information.
21. Gaining Access
WPS Crack
● WPS is a feature that can be used with WPA/WPA2.
● Allows clients to connect without the password.
● Authentication is done using an 8 digit pin.
1. 8 Digits is very small.
2. We can try all possible pins in relatively short time.
3. Then the WPS pin can be used to compute the actual
password.
PS: This only works if the router is configured not to use PBC (Push
Button Authentication).
22. Capturing the Handshakes
● Fixed all weaknesses in WEP.
● Packets contain no useful data.
● Only packets that can aid with the cracking process are the handshake
packets.
○ These are 4 packets sent when a client connects to the network.
23. Creating A Wordlist
Crunch can be used to create a wordlist.
Syntax:
> crunch [min] [max] [characters] -t[pattern] -o[FileName]
Example:
> crunch 6 8 123abc$ -o wordlist -t a@@@@b
Some Wordlists:
1. http://wordlist.sourceforge.net/
2. http://www.openwall.com/mirrors/
3. https://github.com/danielmiessler/SecLists
Now, You have WPA handshake & Wordlist… Now you can hack WPA/WPA2
24. Securing Your Network From Hackers
We know how to test the security of all known wireless encryptions
(WEP/WPA/WPA2), it is relatively easy to secure our networks against these
attacks:-
1.Do not use WEP encryption, as we seen how easy it is to crack it regardless of the
complexity of the password and even if there is nobody connected to the network.
2. Use WPA2 with a complex password, make sure the password contains small letters,
capital letters, symbols and numbers.
3. Ensure that the WPS feature is disabled as it can be used to crack your complex WPA2
key by brute-forcing the easy WPS pin.
25. Post-connection Attacks
→ Work against WiFi & Ethernet.
→ Gather more info.
→ Intercept data (usernames, passwords ...etc)
→ Modify data on the fly
The Lab- Installing Windows(For Target Machine/Victim Machine)
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
29. A
D
CB
C
to A:- I have 10.0.2.6
My MAC
is 00:11:22:33:44:66
ARP Spoofing
IP: 10.0.2.1
MAC: 00:11:22:33:44:20
IP: 10.0.2.7
MAC: 00:11:22:33:44:55
IP: 10.0.2.6
MAC: 00:11:22:33:44:66
IP: 10.0.2.5
MAC: 00:11:22:33:44:77
30. ARP Spoofing
Internet
Hacker
Access Point
Victim
I am at 10.0.2.1
I am
at 10.0.2.7
IP: 10.0.2.7
IP: 10.0.2.1
Why ARP Spoofing is possible:
1. Clients accept responses even if they did not send a request.
2. Clients trust response without any form of verification.
31. ARP Spoofing
USING ARPSPOOF
● Arpspoof tool to run arp spoofing attacks.
● Simple and reliable.
● Ported to most operating systems including Android and iOS.
● Usage is always the same.
USE:
airspoof -i [interface] -t [clientIP] [gatewayIP]
airspoof -i [interface] -t [gatewayIP] [clientIP]
32. ARP Spoofing
USING BETTERCAP
● Framework to run network attacks.
● Can be used to:
○ ARP Spoof targets (redirect the flow of packets).
○ Sniff data (urls, username, passwords).
○ Bypass HTTPs.
○ Redirect domain requests (DNS Spoofing).
○ Inject code in loaded pages.
○ And more!
USE:
Bettercap -iface [interface]
33. Understanding HTTPS
HTTPS
Problem:
● Data in HTTP is sent as plain text.
● A MITM can read and edit requests and responses.
→ not secure
Solution:
● Use HTTPS.
● HTTPS is an adaptation of HTTP.
● Encrypt HTTP using TLS (Transport Layer Security) or SSL (Secure Sockets Layer).
35. Preventing MITM Attacks
Detection:
1. Analysing arp tables.
2. Using tools such as Xarp.
3. Using Wireshark.
Problems:
1. Detection is not the same as prevention.
2. Only works for ARP Spoofing.
Solution:
1. HTTPS everywhere plugin.
2. Using a VPN
36. Preventing MITM Attacks
Pros Cons
HTTPS Everywhere Free
- Only works with HTTPs
websites.
- Visited domains still visible.
- DNS spoofing still possible.
VPN (Virtual Private Network)
- Encrypts everything.
- Protects from all MITM
attacks.
- Not Free
- VPN Providers can see data.
HTTPS Everywhere
+
VPN
- Encrypts everything.
- Protects from all MITM
attacks.
- Not free
37. For next Workshop
Network Hacking:-
1. Burp Suite
2. Wireshark
3. Creating Fake Access Point
4. Injecting Javascript Codes
5. ARP Poisoning Attacks
6. Server Side Attacks
7. Post Exploitation
Website Hacking:-
1. Information Gathering
2. File Upload Vulnerabilities
3. SQL Injection Vulnerabilities
4. Cross Site Scripting
Vulnerabilities.
5. So on ...