Things I've learned and want to share
Many thanks to INIT_SIX for also pointing out a quick way to reduce the size of your WPA handshake captures using pyrit:
pyrit -r /path/to/capture.cap -o /path/to/handshake-only-output.cap stripAdd the “-e” or “-b” switches to filter down to just a single AP by ESSID or BSSID respectively:
pyrit -r capture.cap -o output.cap -b "99:88:77:66:55:44" stripThat’s it! Good hunting!
Many thanks to INIT_SIX for recommending this quick-hit update to the previous WPA wireless attack article. If you find yourself making packet captures and airodump-ng reports that the handshake was captures, but aircrack-ng (or your tool of choice) is having issues, it’s time to break out some manual packet analysis. Let’s verify that capture!
The following is a quick-hit list of commands for attacking a WPA wireless network. It assumes you are using a 2016 variant of Kali linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WPA network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.
For the sake of this tutorial the AP will be assumed to have a MAC address of “99:88:77:66:55:44” and the client will be assumed to have a MAC address of “00:11:22:33:44:55”. The wireless network card we will use will be assumed to be “wlan0”.
If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WPA & WPS (basic_0x01)
This is another one of those quick-hits that often comes in handy… you’ve captured a hash (maybe via mimikatz, through a Metasploit module such as post/windows/gather/hashdump, etc), and you need to want to directly use that hash rather than cracking it. How do you do that?
Continue reading “Pass The Hash for Command Line, MSF, and RDP”
If you need to install CrackMapExec (CME), which for some reason isn’t included in Kali Linux, you can do so with the following commands:
apt-get install -y libssl-dev libffi-dev python-dev build-essential
apt-get install virtualenvwrapper
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh
mkvirtualenv CME
(CME) #~ pip install crackmapexec
Lifted from the CME Wiki install instructions.
Just throwing this here in case it’s useful to someone else… I often come across binary in challenges that needs to be reversed, and don’t always have a quick tool available. Assuming you have Perl installed, it’s a straightforward conversion (this assumes 8 bit, zero-padded data):
echo 01000001 01000010 01000011 01000100 | perl -lape '$_=pack"(B8)*",@F'
ABCD
Good hunting. 🙂
Hermit's Cave 