4 External USB Wifi Adapters for Kali Linux Pentesting

If you are like me, you have been working with Kali Linux, the Linux distribution for penetration testing and ethical hacking, and have been running it as a virtual machine on your 2015 Macbook Pro. And, you have been having issues with sniffing packets because your 2015 Macbook’s built-in wifi adapter is not going into true promiscuous mode — only a limited version that doesn’t give you everything you need. Sadly, other versions of the Macbook don’t seem to have this problem at all, so you may be finding yourself in need of an additional interface.

Or, perhaps you are not like me, and the chipset driving your PC’s Wifi adapter doesn’t let you do much at all, and you just want an external USB Wifi adapter that will make it easy to use tools such as Aircrack-ng for ethical hacking jobs.

Whatever the case, I’ve done some research and will present a few options that don’t break the bank and should provide you with a quick and easy way to do all the proper packet sniffing you deserve.

TP-Link N150

The first option on this list is the $13.45 TP-Link N150 dongle. A small USB device that sports a detachable antenna, it should get the job done if you prefer portability over power. This device uses the Atheros AR9271 chipset, which is known to work smoothly in Kali Linux (and probably most other distros).

USB Rt3070

The cheapest USB adapter, at a paltry $11.99, is the generic USB Rt3070, another dongle style device that is also the smallest you will find here. With similar specs as the TP-Link device, this one is even easier to conceal, and probably won’t raise any suspicions if you have it plugged into your laptop in a crowded place. While not the most powerful device by any means, if you are near the router you want to connect to, it shouldn’t be a problem.

Alfa AWUS051NH

Taking a big step up in everything, including features, power, and profile, we have the Alfa AWUS051NH. This one has been sitting on my Amazon wishlist for quite a while, and I think it’s about time I pick it up. It even has a holster with suction cups to stick to a window, and it will pick signals up from long range.

If you are needing to physically stay away from the target you are testing, while still being able to test it, try this sucker.

Alfa AWUS036NHA

Lastly, we have another Alfa device, both of which get really good reviews for Kali Linux in particular. At only $6 more than the AWUS051NH, the Alfa AWUS036NHA looks cooler and has a boost in power to let it pick up signals from even farther away. It also comes with the holster and suction cups for the windows of your vehicle, office, or home. According to its description, what sets it apart is the “High Transmitter Power of 28dBm – for Long-Rang and High Gain Wi-Fi.”

 

Are there others?

Have you tried any of these? What did you think? Know of any others that do a good job?

Quick Metasploit Guide

metasploit photoThese are some notes I find myself referring back to as I work through my studies for the OSCP exam. As I develop more of these, I’ll continue to post them here on my blog so that others might find them useful.

Use Kali Linux for all the following instructions.

Prep:
Ensure postgresql is running.

Set postgres to start on boot so you don’t have to worry about it again:

From the command line, fire up the Metasploit console:

Search for exploits related to what you are interested in:

Or, be more specific:

Or, in Kali, use searchsploit (from regular command line, outside of MSF):

Once you find an exploit you want to use, use it:

Then set a payload:

See what options are set:

Set options as needed:

LHOST is the IP of where the victim host will send info to (your Kali VM, ex.)

RHOST is the IP of the victim

Default port is 80, but choose one if you wish:

Run the exploit:

If trying to get a remote shell, beware that you may be looking at it if you see what you think is nothing happening. Just try executing a command and see what happens:

Photos by Christiaan008,

Kioptrix Level 1.3 (VM #4) Walkthrough

In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.

Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I better start now. Other folks do similar write-ups on the VMs on vulnub.com, and I’ll see if they will add this to Kioptrix 1.3 page soon.

Hopefully, someone will find this useful either way.

It should be noted that this VM was known to have at least two possible paths to getting root on the system, and this writeup outline just one.

Discovery

On my local network, this VM turned up with the IP address of 192.168.0.110.

nmap

Running an nmap scan revealed some open ports and running services:

Poking Around

Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110

No basic SQL injection working from any initial attempts.

Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.

Nikto

Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:

dirb and dirsearch

A basic dirb scan turned up a directory:
http://192.168.0.110/john/

I though that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one:
http://192.168.0.110/robert/

Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.

I also ran DIRSEARCH, a python tool that also works well for finding directories and files.
found file: database.sql

(Note: Dirsearch is not included in Kali by default. Requires you to setup Python 3 in a virtual environment to run it.)

enum4linux

Since ports 139 and 445 were being used, I went on try enum4linux

acccheck

I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.

THC Hydra

You can use Hydra to brute force FTP, SSH, POP3, and SMTP account. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:

robert
root
loneferret
john

hydra -L users -P 10_million_password_list_top_100000.txt -t 4 192.168.0.110 ssh -vv

Nothing turned up! Bummer.

database.sql

This was found during discover with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.

Immediately, the first thing to note is that there’s a username and password shown in the dump file.

john
1234

Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck!
I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.

Perhaps it’d work with SSH or SMB?
Negatory

The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.

After a number of failed attempts and errors by trying various SQL injection strings, using this worked:

That took me to the User Admin Panel and showed the actual password.

That seemed kinda easy. But this is when things got hard, actually.

I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!

Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:

I was warned about trying to cd into the root directory, and getting kicked out if I tried again.

lpath is the same as pwd.

The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile


Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:

Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.

Must break out of the restricted “LigGoat” shell. To the Google!

Searching for “escape restricted shell echo” I found a handy article:
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

Trying a number of things, I finally found the right trick, which is to use Python to switch shells:

That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337

Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.

MySQL

Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement had the mysql connection string, including the username and password, which were simply:

user: root
pass: (empty)

That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:

Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:

That led me to a Facebook post, of all things:

https://www.facebook.com/notes/security-training-share/mysql-root-to-system-root-with-lib_mysqludf_sys-for-windows-and-linux/865458806817957/

It described the situation perfectly:

“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”

The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.

Modifying those instructions a little, there was no need to compile a c script (which I was unable to do as user ‘john’ anyway.

Where that article has this line:

Just do this instead:

Then drop out of MySQL and run this:

It should drop you into a root shell!

Root obtained. Mission complete!

 

VMware – RHEL / CentOS 6.2 – Network Issues

Howdy folks,

I just grabbed CentOS 6.2 (don’t know if it’s an issue in 6.0, 6.1), but an installation with the “Basic Server” within VMware Fusion 4.1.1 delivered no IP address etc. when leaving DHCP/NAT as the default.

Finding: Seems, either something is goofed in the dhclient or NetworkManager (now default for RHEL 6.x).

Fix: I brought the network interface up “ifup eth0”, then ran “dhclient eth0”, obtained an IP and ran “yum update -y”, after which (I noticed dhclient was in the updates), I was able to reboot and all worked well.

Not a big deal, as you could have just manually configured your network script, but maybe it will help someone. 🙂

High End Desktop for a Low End price

Want to build a high end desktop computer for a low end price (around $600 or less)?

Note: I don’t include Windows 7 in the default build, as you can just download Ubuntu, Fedora, or OpenSuSE Linux etc. for free. However, I’ve included links for Windows 7 (student and normal) in the Additional options section.

I would like to suggest the following components for people that want a really nice system without breaking the bank.

I just built a new machine that could support running multiple VMware instances, encode FLAC quickly, and surf the web etc. without breaking the bank. I didn’t need or want video gaming support since I use a PS3 for that.
However, I’ll suggest a view options (including gaming cards) that will allow you to alter the basic system we’ll be discussing.

This build is based on AMD/ATI since it really does perform well and saves a good chunk of money, but the parts can be swapped very easily to make it an Intel system that won’t break the bank either.

I’ll expand on why I chose the parts and provide direct links as well. (I use Newegg, but use anyone you like)

Continue reading