Tools of the trade
There are a huge number of FOSS tools available to help professional and budding hackers alike — we show you our favourites…
A seasoned hacker will use a huge number of tools to perform reconnaissance, penetration testing, exploitation and data exfiltration. They might have access to exploits for which no patch exists, or spend time coding their own custom payloads. They could have access to a huge network of compromised machines (a botnet) that they could use to DDoS a target, or as a series of proxies to hide behind.
At the other end of the spectrum there are your script kiddies, who search the Internet for off-the-shelf exploits (a process that, depending on your search terms and where you click, can be pretty risky), eventually manage to get Kali Linux running, and then indiscriminately bombard machines with exploits. Don’t be a script kiddie: it’s not a good look and it might land you in a whole heap o’ trouble. Do get familiar with the tooling, though — here’s a selection of commonly employed software to help you learn the ropes.
WIRESHARK
Wireshark captures packets “off the wire” so you can study them from the comfort of a nice GUI. Obviously, if you’re on a busy network there will be a lot of traffic, so Wireshark allows you to filter by machine or protocol. People often run into difficulties getting started with Wireshark (and other packet-capturing tools) since special privileges are required to sniff network traffic. Don’t run it as root; this is a bad idea. Instead, add your user to the wireshark group with gpasswd -a youruser wireshark, then log out and log in again. Wireshark uses privilege separation: the capture itself is done by dumpcap, which runs setuid root in the background, while the rest of the application runs as your own user. Much safer than running the whole application as root.
Network newbies may be slightly unsettled to see that all traffic connected to the same switch is visible, but this is how networks work. Traffic not intended for a particular host is silently ignored, but with Wireshark we can examine it. Passwords and credit card numbers entered into websites should always be encrypted via HTTPS — in fact, most web traffic nowadays should be. But you never know what a simple packet capture can turn up. If you’re feeling nosey and want to see which websites your network peers are visiting, then go to the Name Resolution section and check the “Resolve network addresses” option.
Wireshark is pivotal in attacks on Wi-Fi networks, for example setting up a rogue Wi-Fi hotspot in a coffee shop and running an SSL stripping attack. Old-style attacks on WEP encryption often depended on capturing and replaying ARP request packets, but no one should be using WEP encryption anymore. Wireshark is also useful for studying the behaviour of proprietary applications to see who they’re talking to and (in some cases) what they’re saying.
JOHN THE RIPPER
A long time ago a six-character password was considered secure, all the more so if it contained mixed case, some kind of punctuation and wasn’t based on a dictionary word. That guidance has not aged well (eight characters is almost acceptable if symbols are used), and many people still use hopelessly weak passwords to protect their data. John the Ripper is a password-cracking tool that can bring this fact into stark clarity.
It would be foolish to store passwords in the clear, so what usually happens is that the password is passed through a suitable hash function (for example, SHA256) and the output of that function is stored. The hash function is chosen to have certain mathematical properties (it shouldn’t be easily reversible) and when a password is entered it’s hashed and the output checked against what is stored. It should be incredibly unlikely that two passwords have the same hash, so if these match access is granted.
When a company gets hacked their databases are often stolen and sold or given away for free. This provides a bounty of hashes that a password cracker like John the Ripper can get stuck into. Some systems will lock you out after a handful of failed password attempts, but these rules don’t apply when you have a stolen database (for ‘online’ password cracking check out Hydra). John the Ripper can also make use of GPU power to test many thousands of passwords per second.
Besides random character combinations, John the Ripper can make use of wordlists that can vastly aid the password-cracking process. Not only that, but John the Ripper can use rules to combine dictionary words with each other as well as random symbols, mimicking the process by which the crafty come up with their passwords. For example, it’s popular to use a capital letter at the beginning of a word and put a number at the end. In John’s syntax, this rule is written cAz"[0-9]". Simple. The modern approach to password generation is to combine dictionary words to make a long password, and not try and be smart with random capitals and symbol substitutions. A similar approach is specified by the BIP39 standard to generate passphrases for Bitcoin wallets, except there each word is uniquely identified by its first four letters.
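To make the hashing and rules discussion concrete, here is an added example (not code from the article or from the John the Ripper project) that implements a small subset of John's rule syntax: the `c`, `l` and `u` case commands, the `Az"…"` append command, and the `[...]` preprocessor brackets that turn cAz"[0-9]" into ten rules. It then runs the resulting candidates against a constructed SHA-256 hash the way you would when auditing your own password database for weak entries. The wordlist and the "leaked" hash are constructed for the demo; `expand_rule`, `apply_rule`, `candidates` and `crack` are names chosen here, not John's.

```python
import hashlib
import re

# Constructed mini wordlist (a real run would read rockyou.txt or similar)
WORDLIST = ["password", "dragon", "summer", "monkey", "welcome"]

# Constructed "leaked" record: an unsalted SHA-256 of a rule-shaped password
LEAKED_HASH = hashlib.sha256(b"Summer7").hexdigest()


def expand_rule(rule):
    """Mimic John's rule preprocessor: each [..] bracket expands into one
    rule per character, so cAz"[0-9]" becomes cAz"0" ... cAz"9".
    Supports a single range (a-z) or a literal list ([!@#]) per bracket."""
    m = re.search(r"\[([^\]]+)\]", rule)
    if not m:
        return [rule]
    body = m.group(1)
    if len(body) == 3 and body[1] == "-":
        chars = [chr(c) for c in range(ord(body[0]), ord(body[2]) + 1)]
    else:
        chars = list(body)
    return [r for ch in chars
            for r in expand_rule(rule[:m.start()] + ch + rule[m.end():])]


def apply_rule(word, rule):
    """Apply one expanded rule to a word. Subset of John's commands:
    c = capitalise first letter, l = lowercase, u = uppercase,
    Az"text" = append text."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif cmd == "l":
            word = word.lower()
            i += 1
        elif cmd == "u":
            word = word.upper()
            i += 1
        elif rule.startswith('Az"', i):
            end = rule.index('"', i + 3)
            word += rule[i + 3:end]
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command: {cmd!r}")
    return word


def candidates(wordlist, rule):
    """Yield every candidate password produced by wordlist x expanded rules."""
    expanded = expand_rule(rule)
    for word in wordlist:
        for r in expanded:
            yield apply_rule(word, r)


def crack(target_hex, wordlist, rule):
    """Offline check of one unsalted SHA-256 hash against the candidates.
    Returns (matching_password, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for cand in candidates(wordlist, rule):
        tried += 1
        if hashlib.sha256(cand.encode()).hexdigest() == target_hex:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    found, tried = crack(LEAKED_HASH, WORDLIST, 'cAz"[0-9]"')
    print(f"recovered {found!r} after {tried} candidates")
```

The inner loop is the whole point: SHA-256 is a general-purpose hash designed to be fast, so the time per candidate is tiny and a GPU multiplies that by thousands of cores. That is why password stores should use a deliberately slow, salted construction (bcrypt, scrypt or Argon2) rather than a bare SHA-256, and why a long passphrase of several dictionary words resists this search when a capitalised word plus a digit does not.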
Cracking wireless keys is either trivially easy if the long-deprecated WEP encryption is used, or generally quite hard everywhere else. However, sometimes we can get what we need without having the key. In October 2017 an attack on WPA2 (used by most home routers) was announced that enabled traffic to be intercepted by a third party in close proximity to the target. Sensitive data should all be encrypted over HTTPS, so this shouldn’t be so much of a concern, but the fact that virtually all Wi-Fi equipment was vulnerable (and probably a lot still is) certainly was.
KISMET
Before we worry about breaking into Wi-Fi networks, it’s useful to scope them out first. Mapping out wireless networks over a geographical area is known as ‘wardriving’ and Kismet is the tool to help you with that. To be a wardriver you need a GPS module and a wireless device that plays nice with Linux (it needs to support ‘monitor mode’). You possibly will need a vehicle too, depending on the area you’re investigating. We just made Jonni wander around APC Towers with a Raspberry Pi. Once enough signal data is gathered it can be converted to a .kmz file and imported into Google Earth. A GUI client, Kismon, is also available.
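The conversion step at the end of that paragraph, as an added example that is not Kismet's own exporter: a few constructed survey rows (SSID, BSSID, GPS fix, signal strength) are reduced to the strongest sighting per access point and written out as KML, then wrapped in a .kmz (a zip archive containing doc.kml) that Google Earth can open. The BSSIDs use the locally-administered 02:… prefix and the coordinates are made up; `best_fix_per_ap`, `build_kml` and `build_kmz_bytes` are names chosen here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed survey rows: (ssid, bssid, latitude, longitude, signal in dBm)
SURVEY = [
    ("ExampleCafe", "02:00:00:00:00:01", -33.8688, 151.2093, -55),
    ("ExampleCafe", "02:00:00:00:00:01", -33.8690, 151.2095, -70),
    ("HomeNet",     "02:00:00:00:00:02", -33.8700, 151.2100, -80),
]


def best_fix_per_ap(rows):
    """Keep, for each BSSID, the sighting with the strongest signal; a crude
    but common estimate of where the access point physically sits."""
    best = {}
    for ssid, bssid, lat, lon, rssi in rows:
        if bssid not in best or rssi > best[bssid][4]:
            best[bssid] = (ssid, bssid, lat, lon, rssi)
    return best


def build_kml(rows):
    """Return a KML document with one Placemark per access point."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = ET.SubElement(kml, f"{{{KML_NS}}}Document")
    for ssid, bssid, lat, lon, rssi in best_fix_per_ap(rows).values():
        pm = ET.SubElement(doc, f"{{{KML_NS}}}Placemark")
        ET.SubElement(pm, f"{{{KML_NS}}}name").text = ssid
        ET.SubElement(pm, f"{{{KML_NS}}}description").text = f"{bssid} ({rssi} dBm)"
        point = ET.SubElement(pm, f"{{{KML_NS}}}Point")
        # KML orders coordinates longitude,latitude,altitude
        ET.SubElement(point, f"{{{KML_NS}}}coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


def build_kmz_bytes(rows):
    """A .kmz is just a zip archive whose main entry is doc.kml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("doc.kml", build_kml(rows))
    return buf.getvalue()


def placemarks(kml_text):
    """Parse KML back into (name, coordinates) pairs, e.g. to sanity-check output."""
    root = ET.fromstring(kml_text)
    return [(pm.find(f"{{{KML_NS}}}name").text,
             pm.find(f".//{{{KML_NS}}}coordinates").text)
            for pm in root.iter(f"{{{KML_NS}}}Placemark")]


if __name__ == "__main__":
    with open("survey.kmz", "wb") as f:
        f.write(build_kmz_bytes(SURVEY))
    print(placemarks(build_kml(SURVEY)))
```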
NMAP
More often than not, the first step in scoping out a target machine is to see which ports are open and which services are running on them. There are many port-scanning tools available but Nmap is one of the most highly regarded. It’s a command-line affair, but a GUI (Zenmap) is bundled on most distributions, which is great for visually mapping out networks. Nmap results can also be saved as XML and imported into other tools for further analysis. They can be imported directly into the Metasploit database, for example, so that different attacks can be tried on different hosts.
Nmap has enough options that its man pages span 3,000 lines, so we won’t cover them all here. However, in the spirit of Kali Linux’s motto, “The quieter you become, the more you are able to hear”, let’s talk in hushed voices about portscanning.
A standard TCP port scan involves a full three-way handshake (we send a packet with the SYN flag set; if the port is open the target responds with SYN-ACK, and then we send an ACK), which means that (momentarily) a TCP session is established between the scanner and the target. If the administrator of the target machine wanted to, they could pore over firewall logs, and the multitude of completed TCP connections from a portscan would be easy to spot.
Nmap’s default scan is slightly different. It abandons the handshake after the target’s response, so it leaves less in the way of footprints. This scan crafts packets directly, rather than using the sockets API, so it requires root privileges. You can see the difference between a TCP scan and a SYN scan in the screenshot (left). The SYN scan isn’t invisible, but fewer packets are transferred to obtain the same information (whether a port is open, closed or blocked).
A quick scan of the APC Towers networks found a few services that someone less scrupulous might try and exploit (if they weren’t always on deadline).
A full TCP scan (left) is much noisier than Nmap’s default SYN scan (right). Also, Wireshark’s filters are pretty useful.
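As an added example covering both the Wireshark section and the full-connect versus SYN-scan comparison above (this is not code from the article, from Wireshark or from Nmap), the block below builds a handful of raw Ethernet/IPv4/TCP frames of the kind a capture would contain, reconstructs each probe into a (client, server, port) flow, and labels it from the handshake steps seen: SYN, SYN-ACK, ACK means a real session was established (the noisy full connect), SYN, SYN-ACK, RST is the half-open footprint of Nmap's default scan, and a server RST-ACK marks a closed port. The frames and addresses are constructed; `tcp_frame`, `parse_frame`, `reconstruct_flows`, `classify` and `scan_report` are names chosen here. The Wireshark display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates the same probe packets in the GUI.

```python
import socket
import struct
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed data; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags), or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        return None
    src = socket.inet_ntoa(frame[14 + 12:14 + 16])
    dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
    off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return src, dst, sport, dport, frame[off + 13]


def reconstruct_flows(frames):
    """Group segments by (client, server, server_port) and record the handshake
    steps seen, prefixed with who sent them: 'c>' client, 's>' server."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        if flags & SYN and not flags & ACK:          # initial SYN: src is the client
            key, who = (src, dst, dport), "c"
        elif flags & SYN and flags & ACK:            # SYN-ACK: src is the server
            key, who = (dst, src, sport), "s"
        elif (src, dst, dport) in flows:             # later client-side segment
            key, who = (src, dst, dport), "c"
        elif (dst, src, sport) in flows:             # later server-side segment
            key, who = (dst, src, sport), "s"
        else:
            continue                                 # no handshake seen for this segment
        names = [n for n, bit in (("SYN", SYN), ("RST", RST), ("FIN", FIN), ("ACK", ACK)) if flags & bit]
        flows[key].append(f"{who}>{'-'.join(names)}")
    return dict(flows)


def classify(steps):
    """Label one flow from its handshake steps."""
    if "s>SYN-ACK" not in steps:
        return "closed" if "s>RST-ACK" in steps else "filtered"
    if "c>ACK" in steps:
        return "open (full connect)"
    return "open (half-open / SYN scan)"


def scan_report(frames, min_ports=3):
    """Per (client, server): ports probed and how many were half-opened vs fully connected.
    Many distinct ports from one client, mostly half-open, is the SYN-scan signature."""
    per_pair = defaultdict(lambda: {"ports": [], "half_open": 0, "full": 0})
    for (client, server, port), steps in reconstruct_flows(frames).items():
        entry = per_pair[(client, server)]
        entry["ports"].append(port)
        label = classify(steps)
        entry["half_open"] += label.startswith("open (half")
        entry["full"] += label.startswith("open (full")
    return {pair: {"ports": sorted(v["ports"]), "half_open": v["half_open"], "full": v["full"]}
            for pair, v in per_pair.items() if len(v["ports"]) >= min_ports}


# Constructed capture: one scanner (C) probing four ports on one host (S)
C, S = "10.0.0.5", "10.0.0.20"
CAPTURE = [
    # port 22 open, SYN scan: the scanner answers the SYN-ACK with RST, never completing the handshake
    tcp_frame(C, S, 40001, 22, SYN), tcp_frame(S, C, 22, 40001, SYN | ACK), tcp_frame(C, S, 40001, 22, RST),
    # port 80 open, full connect scan: the third ACK establishes a real session before teardown
    tcp_frame(C, S, 40002, 80, SYN), tcp_frame(S, C, 80, 40002, SYN | ACK),
    tcp_frame(C, S, 40002, 80, ACK), tcp_frame(C, S, 40002, 80, RST | ACK),
    # port 23 closed: the server answers with RST-ACK
    tcp_frame(C, S, 40003, 23, SYN), tcp_frame(S, C, 23, 40003, RST | ACK),
    # port 443 filtered: nothing comes back
    tcp_frame(C, S, 40004, 443, SYN),
]

if __name__ == "__main__":
    for key, steps in reconstruct_flows(CAPTURE).items():
        print(key, steps, "->", classify(steps))
    print(scan_report(CAPTURE))
```

Run against a real capture you would replace `CAPTURE` with the frames from a pcap, but the classification logic is the same one a defender's IDS applies: a full-connect scan leaves completed sessions in firewall and application logs, while a SYN scan shows up only as SYN-ACKs that are never acknowledged, which is precisely what the two screenshots contrast.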