230. Networking Tools (OBJ 5.3)
In this lesson, we’re going to briefly cover the different networking tools that you need to know for the exam. Now, networking tools are used to monitor, analyze, or modify network traffic on a given network. This includes tools like Wireshark, tcpdump, and hping. First, we have Wireshark, which is a powerful open-source protocol analysis tool that can conduct packet sniffing, decoding, and analysis. This means that when you’re using Wireshark and you can get your laptop on their network, you’re going to be able to capture the traffic that’s flowing around either from a wireless network or a wired network, and then, you can analyze that traffic, and by analyzing this traffic, you can capture anything that’s sent in plain text or clear text and be able to read it. For example, if there’s any usernames or passwords or emails that are being sent over that network using that unsecured channel, we’re going to be able to capture that and read those things and use them in further exploitation in attacks. Second, we have tcpdump. Now, tcpdump is a command-line protocol analysis tool that can conduct packet sniffing, decoding, and analysis. tcpdump is similar to Wireshark, but it uses a command-line interface instead of a GUI.
Many security professionals actually prefer to use tcpdump, because they can create filters and easily search through all that information using the text-based interface in conjunction with tools like Python and grep, and it becomes much faster than using Wireshark, because they’re really good at using automation and scripting to find those things they’re looking for inside of that network traffic. Third, we have hping. hping is an open-source packet crafting tool that’s used to exploit vulnerable firewalls and IDS and IPSs. By using hping, you can craft packets using TCP, UDP, ICMP, or Raw-IP packet protocols, and then it enables you to send and receive data using all these different things. hping is usually going to be used as part of your enumeration phase and you’re going to be using it to do fingerprinting. This is because you can change the way you’re sending TCP or UDP packets and then analyze the responses that come back, and by doing that, you’re going to be able to identify exactly what services are being run on which servers and what versions of those services. As you can see, all these networking tools are really useful inside the world of penetration testing, especially when you’re trying to reconnaissance and research and to gather more information about other targets you might be able to get into on that particular network segment.
231. Wireless Tools (OBJ 5.3)
In this lesson, I’m going to quickly list out all the different wireless tools that are used by penetration testers that are specifically listed in the exam objectives. This includes the aircrack-ng suite, Kismet, Wifite, rogue access points, EAPHammer, mdk4, Spooftooph, Reaver, wireless graphic logging engine or WiGLE, and Fern. For the exam, you do not have to be an expert in any of these tools, but you should be able to identify which tool is used for a giving use case such as reconnaissance, exploitation, or attack. First, we have Aircrack-ng, which is a suite of tools. Aircrack-ng is made up of several different command line tools for monitoring, attacking and testing the security of a wireless network. This includes airomon-ng, airodump-ng, aireplay-ng and aircrack-ng. And for the exam, you need to know what each of these tools is actually used for. For example, airomon-ng is used to set your wireless network adaptor into monitor or promiscuous mode. Airodump is used to monitor the wireless frequencies, identify the clients and the access points and then capture the network traffic it sees and saves it into a PCAP file. Aireplay-ng is used to conduct a deauthentication attack by resending spoof deauth requests from the client to the access point.
Aircrack-ng is used to conduct a dictionary or brute force attack against the captured handshakes to determine the plain text version of appreciated key. Second, we have Kismet. Kismet is a wireless network detector, packet sniffer, an intrusion detection system. What makes Kismet different is that it works passively and does not send any liable packets into the network. This makes it a very sneaky way to conduct reconnaissance and information gathering during your engagements. Kismet is also cross platform which means it can work on Linux, Mac or Windows devices. Third, we have Wifite. Wifite is a tool to audit web or WPA encrypted wireless networks, and those that also use WPS by using other tools like aircrack-ng, and Reaver in the background to perform the actual network audits. Wifite is an incredibly easy automated wireless attack tool for a penetration tester to use. Now as a penetration tester, you simply need to type in Wifite and it will come back and turn your card into monitoring mode, scan the airways for networks and then ask you to pick a number based on the networks that it finds. For instance, if it finds five networks, it’s going to list them out one through five, and then you’ll choose one of those, and it will then go and work on trying to capture the password, authenticate with the network and crack the pre shared key. Though this tool can and make our lives really easy, I still do recommend that you learn the hard way first by using a tool like aircrack-ng because Wifite doesn’t always work properly every single time, but when it does, it really does make our lives easier. Fourth, we have rogue access points.
Now rogue access points are listed under the “Tools” in the exam objectives. And what we’re really referring to here is any hardware device that you can configure to work as an evil twin or other access point that is outside of the target organization’s control. For example, you can use a dedicated device like a wifi pineapple to serve as a rogue access point which is a great option because it can conduct packet capture, captive portals and other attacks for you. Or you can simply buy an inexpensive wireless access point over at the electronic store. Then you connect it to the target organization’s network using a physical social engineering attack, and then you can use that as your entry point into their wired network from the parking lot because you now have control of this new wifi connection that you put into their network. Fifth, we have EAPHammer. Now EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. EAPHammer is designed to be used in full scope wireless assessments and red team engagements. And it provides an easy to use interface that can be leveraged to execute powerful wireless attacks with minimal manual configuration. EAPHammer can be used to execute credential stealing evil twin attacks against WPA and WPA2 EAP networks in just a few commands.
Our main goal with EAPHammer is to steal the victim’s radius credentials by creating an evil twin attack against that victim. And then we want to use those credentials to gain access to the organization’s trusted wireless network by pretending to be the victimized client. Sixth, we have mdk4. Now mdk4 is a wifi testing tool that’s used to inject frames to exploit common 802.11 protocol weaknesses. Mdk4 has 10 different attack modes that can be used against both 2.4 gigahertz and five gigahertz wifi based networks. This includes beacon flooding, authentication, denial of service attacks, SSID probing and brute forcing, deauthentication and disassociation attacks, quality of service countermeasure attacks, EAP start and log off packet injections, mesh network attacks, wireless intrusion detection system confusion attacks, packet fuzzing, and proof of concept wifi protocol implementation vulnerability testing. Seventh, we have Spooftooph. Now Spooftooph is designed to automate spoofing or cloning of Bluetooth devices, name, class, and address information.
This can then be used by the attacker to pretend to be the victim so that the attacker’s Bluetooth device can hide in plain sight. This works because Bluetooth scanning software is designed to only list one of each device that it finds with the same name. So if there’s more than one on device inside that range and they all share the same device information, when we’re in discoverable mode, we’re only going to see one of them. And that’s what Spooftooph is designed to help us do. Eighth, we have Reaver. Reaver is used to perform a brute force attack against a wireless access points wifi protected setup or WPS pin number. Now, once the pin is found, the preshared key can easily be recovered using Reaver. Reaver can also be used to reconfigure the wireless access point settings once that pin is found as well. Ninth, we have WiGLE, which is the wireless geographic logging engine. WiGLE is a website for collecting information about the different wireless hotspots that are located all over the world.
Users can register on the website and upload hotspot data like GPS coordinates, SSID information, Mac address information, and the encryption type that is used in that hotspot. In addition, cellular tower data is also uploaded and displayed. WiGLE is a really useful tool during your reconnaissance and information gathering phase of the engagement. 10th, we have Fern. Fern is a wireless security auditing and attack software that’s written using the Python programming language and the Python Qt gooey library. Fern is able to crack and recover WAP, WPA and WPS keys and also it can be used to run network based attacks on wireless and ethernet based networks. The nice thing about Fern is that it uses a graphical user interface instead of the command line, making it easier for some users to understand and utilize. Now, I know that was a lot of different tools to remember but if you can remember the tool’s name, its basic category and its function, you’re going to do fine on the exam. For example, WiGLE is a wireless tool that’s used during the reconnaissance and information gathering phase. This is the level of detail you need to memorize to be successful on the exam for questions that come from objective 5.3.
232. Social Engineering Tools (OBJ 5.3)
In this lesson, we’re going to take a quick look at the different social engineering tools that you need to know for the exam. When I talk about social engineering tools, these are tools that are used to conduct technical social engineering campaigns, such as phishing, call spoofing, smishing and more. Really, we’re going to be focused on two main tools. SET, the social engineer toolkit and BeEF, the browser exploitation framework. First we have SET, which is the social engineering toolkit. SET is a Python-based collection of tools and scripts that are used to conduct social engineering during a penetration test. Now, when you use the social engineering toolkit, you’re going to be using this menu-driven text-based system and this allows you to select different social engineering attacks, penetration testing techniques and third party modules from all of its different text-based menu system commands. SET can be used to perform phishing and pharming attacks where we can use it to send out emails and redirect them to a website that we control and many other different social engineering techniques too. Now, when you go into an option, like the social engineering attacks menu, you’re going to get a sub-menu with the different vectors you can use.
In this particular case, we can use spear-phishing attacks, website attacks, infectious media generation, creating payloads and listeners, mass mail attacks, Arduino-based attacks, wireless access point attack vectors, QR code generation attacks, power shell attacks and other third party modules. There is a lot to the social engineering toolkit, but for the exam, you need to remember that the social engineering toolkit helps you to automate the process of technical social engineering attacks. The second tool we need to talk about is BeEF, which is the browser exploit framework. BeEF is used to assess the security posture of a target environment using cross-site attack vectors. When you’re using the browser exploitation framework, always remember that it’s a tool that’s focused on the victim’s web browser.
This helps us to attack all of those DOM-based exploits that we previously discussed back in our attack section. BeEF is used to hook a web browser for launch and command modules against the given browser. So we can use BeEF to perform clickjacking and cross-site scripting and other web-based attacks like that. Remember, when it comes to BeEF, it is a great tool for testing browsers and associated web servers and applications. That is the main purpose of using BeEF and it’s categorized under social engineering by the exam, because we are attacking the DOM or the web browser of the client and we’re doing that to try to trick them into taking some action, which then is categorized as social engineering.
