Taylor Jolin

Hacker | Musician | Innovator | Dreamer

Category: Hacking


Pentesting Methodology – Host & Asset Discovery

Please note before reading… this is my personal way of doing things and, like the last post, this is more of a brain dump for those interested. Anyways…

Once inside the target, you will want to conduct host or asset discovery. This process should be pretty self-explanatory. It can take a while, so be patient. If you are doing an on-site pentest, time is not on your side. If you are doing a remote pentest, again… be patient.

With that, there are two types of asset discovery tests that can be run: an internal or an external test. An internal test looks for hosts on the internal network, whereas an external test looks for assets on the perimeter of the network. Two of the tricks that can be used for this are port scanning and ping sweeps.

With the right port scanning tool, you can learn all sorts of information about the network and about host devices. I prefer to use Nmap, but there is a wealth of others. You can even call Nmap from Metasploit and run it there. Once we have a target thoroughly mapped out and have found all of the information we can, we move on to looking for vulnerabilities or known exploits.

In the event that you find multiple hosts on the network, try to do an OS discovery to see what is what and whether it may be of any interest later on. One could usually assume that Linux, Mac, and Windows servers have some sort of misconfiguration somewhere. The same goes for networking appliances such as firewalls, switches, routers, etc…
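Having the scan results in a form you can work with, rather than scrolled past on a terminal, is what turns a sweep into an asset inventory. The following is an added example (my own, not code from the original post): a Python parser for Nmap's grepable output (`-oG`) that diffs what the scan found against a known-asset list and flags hosts nobody has on record, plus cleartext legacy services. The scan output, the asset register and the hostnames are constructed samples, not a real scan.

```python
"""Parse Nmap grepable (-oG) output into a host inventory and diff it
against a known-asset list.  Added example, not from the original post;
the scan output and asset register below are constructed."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -O -oG - 192.168.1.0/24` output.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -O -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.lan)\tStatus: Up
Host: 192.168.1.1 (gw.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https///\tIgnored State: closed (998)\tOS: Linux 5.4
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\tOS: Windows Server 2019
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [(port, proto, service, version)], "os"}}."""
    hosts = defaultdict(lambda: {"hostname": "", "status": "", "ports": [], "os": None})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment and trailer lines start with '#'
        ip, name = m.group(1), m.group(2)
        rec = hosts[ip]  # -oG spreads one host over several lines; merge them
        if name:
            rec["hostname"] = name
        for field in line.split("\t")[1:]:  # fields after Host: are tab separated
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/
                    parts = entry.split("/")
                    if len(parts) >= 7 and parts[1] == "open":
                        rec["ports"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return dict(hosts)


# Constructed asset register: what the network owner believes lives on 192.168.1.0/24.
KNOWN_ASSETS = {"192.168.1.1": "gateway", "192.168.1.20": "file server"}
# Cleartext or legacy services that should not appear on a modern network.
RISKY_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}


def triage(hosts, known=KNOWN_ASSETS):
    """Flag hosts missing from the asset register and risky open services."""
    findings = []
    for ip, rec in sorted(hosts.items()):
        if ip not in known:
            findings.append((ip, "unknown host", rec["os"] or "OS not fingerprinted"))
        for port, proto, service, _version in rec["ports"]:
            if service in RISKY_SERVICES:
                findings.append((ip, "risky service", f"{port}/{proto} {service}"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in triage(parse_grepable(SAMPLE_OG)):
        print(f"{ip:15} {kind:14} {detail}")
```

Real `-oG` files put `Ports:` and `OS:` on the same `Host:` line and `Status:` on a separate one, which is why the parser merges every line for the same IP; if you need full service-detection detail, Nmap's XML output (`-oX`) is richer and easier to parse.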


Pentesting Methodology – Recon

This is probably my favorite part of a pentest: doing the physical recon. As a U.S. Army Combat Veteran, I have learned a lot about physical reconnaissance and how to apply it outside of the battlefield.

When doing physical recon, you should look for physical ways to penetrate the target. Look for ways to get into the building, the network closets, the network/server racks, etc… Try a door; if it’s unlocked, that’s one step closer to the end goal.

Another thing I like to do, since I have a background in networking, is carry an RS-232 console cable. If I am able to get entry into an IDF/MDF, I will plug into the switch or router closest to the door and see if the engineer left the console logged in. If so, I can do a ton of different things.

When you do conduct physical recon, and enter a target… make DAMN sure that you have a way out and a Get Out of Jail Free Card… or your Letter of Authorization.


How to Soft-Jailbreak the iPhone 8 on iOS 16.5

So there are two different types of jailbreaks, in my opinion… this is probably universal, but I don’t know the terms the jailbreak community uses. Anyways, a hard jailbreak, to me, is when you flash the iOS operating system with something else and it natively boots to that new operating system. A soft jailbreak is when you boot an OS that is different but it is not written to the device, so when you reset the device the jailbreak is gone. This is the one we are going to focus on today: the soft jailbreak.

A quick disclaimer: I am not responsible if Apple turns you into a human centipad, sues you, whatever. I am also not responsible if you brick your phone.

There are a number of ways to do this: using a Windows computer (which I have not tested), a Linux computer (a little more cumbersome), or, my preferred method, an Apple computer.

Other things you will need:
  • An Apple-branded USB-A to Lightning cable
  • A USB hub of some sort (I am using a USB-C to USB-A 3-port hub)

Another Disclaimer: if you want to use a Linux or Windows computer to do this, be warned that you should not do this using an AMD chip. Intel gives the best results.

The exploit we are going to use to do this is called PaleRa1n. You can get it here, but make sure to grab the appropriate version for your setup. One suggestion, however: if you are on a Mac, either Intel or M series, grab the UNIVERSAL package and download it.

First you may need some packages to run this exploit. Let’s get them by running the following in a terminal window.

sudo python3 -m ensurepip
sudo python3 -m pip install setuptools xattr

Now cd into your Downloads folder and enter the following.

sudo xattr -c palera1n-macos-universal

This command clears the extended attributes (including the macOS quarantine flag) on the exploit we are going to run. Next, run

sudo chmod +x palera1n-macos-universal

This command makes the file executable.
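Before clearing the quarantine attribute and marking something you downloaded as executable (and then running it with sudo), check its SHA-256 against the value published on the release page; a mismatched download should never get past this step. The following is an added example in Python, not code from the original post or from the palera1n project. The file name comes from the post, the file contents in the self-test are constructed, and the expected hash in the usage stanza is a placeholder you replace with the published value.

```python
"""Verify a downloaded binary against a published SHA-256 before clearing
its extended attributes and marking it executable.  Added example, not
part of the original post; the expected hash comes from the release page
you downloaded from (placeholder below), never from this script."""
import hashlib
import os
import shutil
import stat
import subprocess
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def prepare_binary(path, expected_sha256):
    """Return True and make the file executable only if its hash matches.
    On a mismatch the file is left untouched and False is returned."""
    if sha256_of(path) != expected_sha256.strip().lower():
        return False
    if shutil.which("xattr"):  # macOS: drop com.apple.quarantine and friends
        subprocess.run(["xattr", "-c", path], check=False)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return True


def demo():
    """Self-contained run on a constructed file: correct hash, then a wrong one.
    Returns (accepted, now_executable, rejected_on_bad_hash)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "palera1n-macos-universal")  # name from the post, contents constructed
        with open(path, "wb") as f:
            f.write(b"not the real binary\n")
        accepted = prepare_binary(path, sha256_of(path))
        now_executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
        rejected = prepare_binary(path, "0" * 64)  # placeholder wrong hash
        return accepted, now_executable, rejected


if __name__ == "__main__":
    print(demo())
    # Real use (placeholder hash; paste the one from the release page):
    # prepare_binary("palera1n-macos-universal", "<sha256 from the palera1n release page>")
```

Run this in your Downloads folder in place of the two manual commands above; if it prints `False` for the real file, the download is not the file the project published and you should not run it.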

Now for the next part… PAY CLOSE ATTENTION… Wipe your iPhone 8 and wait for it to revert to factory settings. You can either backup your data or not, that’s up to you and I am in no way responsible for lost data.

Once it is wiped and restored, plug it into your Mac and navigate back to your Downloads folder. In a terminal window run the following command:


And follow the onscreen prompts. You will then be prompted to hold some keys on the phone; do this and the phone will enter DFU mode. Wait for your iPhone to fully boot and then go through the initial setup. Once complete, you will see an app that looks like a raindrop, called PaleRa1n; open it and install the packages inside.

That’s it. You have soft-jailbroken your iPhone 8 on iOS 16.5. This will work for other iPhones and iOS versions as well, but I have only detailed the one use case.

For more information on this, go to PaleRa1n’s official GitHub or visit the install guide here if you have any further questions.


Packet Sniffing with Airodump-ng

Airodump-ng is part of the Aircrack-ng suite. It is a packet sniffer designed to capture packets while the interface is in monitor mode.

DISCLAIMER: As I have said before, I am not responsible if you choose to do something stupid and get yourself arrested. Hack legally and hack friendly!

How to use Airodump-ng

  1. First we must enable monitor mode on our interface. If you do not know how, read through this.
  2. Next, enter the following command to begin the program: airodump-ng INTERFACE_NAME
    NOTE: This program will run until you force it to quit.

Now analyze the data you retrieve. You will see a list of BSSIDs (access point MAC addresses) and network names.

Below is a list and explanation of what you will see.

  • BSSID: the node’s MAC address
  • PWR: signal strength
  • Beacons: frames sent by the network to broadcast its existence
  • #Data: number of data packets
  • #/s: number of packets collected in the past 10 seconds
  • CH: channel the network broadcasts on
  • MB: maximum bandwidth supported
  • ENC: encryption type
  • CIPHER: cipher used in the network’s encryption
  • AUTH: authentication used in the network
  • ESSID: name of the network

NOTE: The best adapter to use to sniff packets across networks is the Alfa Network AWUS036AC* series. The one I am using is the AWUS036ACS, which is small and fits neatly into my bag. I also have a multitude of antennas to use for wireless sniffing.

How to listen to 5 GHz channels

By default, Airodump-ng only listens on 2.4 GHz channels, so to enable 5 GHz scanning do the following:

  1. Start Airodump-ng by using the band argument: airodump-ng --band a INTERFACE_NAME

You can also specify multiple bands using the band argument. For example:
airodump-ng --band abg INTERFACE_NAME

NOTE: Your wireless card needs to support this feature. Also keep in mind that hopping across every band requires a great deal of power and consumes resources.
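The same capture is just as useful from the defender’s side: Airodump-ng writes a CSV file when you give it `-w PREFIX`, and that file is all you need to spot an access point advertising your ESSID from a BSSID you do not own, or an open or WEP network someone stood up. Below is an added example (mine, not code from the original post or the Aircrack-ng project) that parses that CSV and audits it. The capture contents and the authorised BSSID list are constructed; the list stands in for your own site records. Note the 5 GHz AP on channel 36, which only appears in the file at all if the capture was run with `--band a` or `--band abg` as described above.

```python
"""Parse an airodump-ng CSV capture (the -w PREFIX output) and flag weak
encryption and rogue access points.  Added example, not part of the
original post; the capture text and the authorised BSSID list below are
constructed."""
import csv
import io

# Constructed airodump-ng CSV: AP section, blank line, station section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-05-01 09:00:01, 2024-05-01 09:10:12,  6,  54, WPA2, CCMP, PSK, -41,  180,  0,   0.  0.  0.  0,   8, CorpWiFi, 
00:11:22:33:44:56, 2024-05-01 09:00:02, 2024-05-01 09:10:10, 36, 866, WPA2, CCMP, MGT, -55,  170,  0,   0.  0.  0.  0,   8, CorpWiFi, 
DE:AD:BE:EF:00:01, 2024-05-01 09:03:40, 2024-05-01 09:10:11,  6,  54, WPA2, CCMP, PSK, -30,   60,  0,   0.  0.  0.  0,   8, CorpWiFi, 
66:77:88:99:AA:BB, 2024-05-01 09:00:05, 2024-05-01 09:10:09, 11,  54, OPN,  ,  , -70,  140,  0,   0.  0.  0.  0,   5, Guest, 
AA:BB:CC:DD:EE:FF, 2024-05-01 09:00:07, 2024-05-01 09:10:08,  1,  11, WEP, WEP,  , -75,  100, 52,   0.  0.  0.  0,   6, Legacy, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
C0:FF:EE:00:00:01, 2024-05-01 09:04:00, 2024-05-01 09:10:00, -45, 33, DE:AD:BE:EF:00:01, CorpWiFi
"""


def _rows(section):
    """Rows of one CSV section as dicts keyed by the header names."""
    header, out = None, []
    for row in csv.reader(io.StringIO(section), skipinitialspace=True):
        if not row or not row[0].strip():
            continue  # airodump pads sections with blank lines
        if header is None:
            header = [h.strip() for h in row]
            continue
        # zip() drops extra trailing fields (e.g. a second probed ESSID).
        out.append({k: v.strip() for k, v in zip(header, row)})
    return out


def parse_airodump_csv(text):
    """Return (access_points, stations); the sections are blank-line separated."""
    ap_part, _, sta_part = text.partition("\n\n")
    return _rows(ap_part), _rows(sta_part)


# Constructed site record: which BSSIDs are allowed to advertise each of our ESSIDs.
AUTHORISED = {"CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}


def audit(aps, stations, authorised=AUTHORISED):
    """Return (bssid, essid, reason) findings for rogue APs and weak encryption."""
    clients = {}
    for s in stations:
        clients.setdefault(s["BSSID"], []).append(s["Station MAC"])
    findings = []
    for ap in aps:
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        if essid in authorised and bssid not in authorised[essid]:
            attached = len(clients.get(bssid, []))
            findings.append((bssid, essid, f"rogue AP on channel {ap['channel']}, {attached} client(s) attached"))
        if privacy == "OPN":
            findings.append((bssid, essid, "open network, no encryption"))
        elif "WEP" in privacy:
            findings.append((bssid, essid, "WEP, trivially broken"))
    return findings


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, essid, reason in audit(aps, stations):
        print(f"{bssid}  {essid:10} {reason}")
```

Point it at `PREFIX-01.csv` from a capture of your own site; the station section tells you which of your clients have already attached to the rogue BSSID, which is the first thing you want to know when you find one.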


How to enter Monitor Mode for WiFi Hacking

Monitor mode allows you to sniff packets and capture them in real time. Using a program such as Wireshark, you can then rebuild and analyze these packet captures.

  1. First check the status of the wireless interface and see what mode it is in using: iwconfig
  2. Next we must disable our selected interface using: ifconfig INTERFACE_NAME down
  3. This step may be optional, but in most cases you will want to kill tasks that could be a detriment to the packet capture. Do this using: airmon-ng check kill
    • NOTE: Running the previous command will display some suggested apps to kill prior to running the capture. To kill these apps use: kill PID
  4. Now we will enable monitor mode. To do so use the following: iwconfig INTERFACE_NAME mode monitor
  5. Finally, you must re-enable the interface using: ifconfig INTERFACE_NAME up
  6. Test to make sure you are in monitor mode using: iwconfig

Anonymous – How To Change Your MAC Address

In this short tutorial, I will teach you how to change your computer’s MAC address in order to remain anonymous while pen testing a network.

DISCLAIMER: I am not responsible for any illegal use of this technique.

NOTE: I am not using Kali Linux for my pen testing rig. I am using Ubuntu 22 and have built it out with all of the tools that I require to do my pen testing. This technique should work on newer Debian based distributions.

Why change the MAC Address

  • To maintain anonymity while performing network penetration testing.
  • To impersonate other devices on the network
  • Bypassing filters

How to change the MAC Address

  1. First, use ifconfig to list all interfaces on the machine.
  2. Find the interface whose MAC address you wish to change.
    • Note the MAC address and interface name.
  3. In order to proceed with changing the MAC of your chosen interface, you must disable it first before changing its MAC address.
    • ifconfig INTERFACE-NAME down
  4. Now we can change the hardware address, or ether address.
    • ifconfig INTERFACE-NAME hw ether 00:00:00:00:00:00
    • NOTE: you can use any address but it must start with 00
  5. Now we must re-enable the interface for it to work
    • ifconfig INTERFACE-NAME up
    • NOTE: The MAC Address will only remain until the computer is restarted. Once it is restarted it will revert back to the original hardware address.
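What the kernel actually checks before accepting a new hardware address is two bits in the first octet, not the leading digits: the lowest bit (0x01) must be clear, because a set bit marks a group (multicast) address, and the next bit (0x02) marks the address as locally administered rather than burned in by a vendor. Linux’s `is_valid_ether_addr()` additionally rejects the all-zero address, so the 00:00:00:00:00:00 used in step 4 is the one value that will be refused. The following is an added example (mine, not code from the original post) that classifies a candidate address against those rules before you try to assign it.

```python
"""Check a candidate MAC address before assigning it to an interface.
Added example, not part of the original post; the rules are the IEEE 802
I/G and U/L bits plus the Linux kernel's is_valid_ether_addr() check."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")


def classify_mac(mac):
    """Return a dict describing the address, or None if it is malformed."""
    if not MAC_RE.match(mac):
        return None
    octets = bytes(int(x, 16) for x in mac.split(":"))
    first = octets[0]
    multicast = bool(first & 0x01)  # I/G bit set = group (multicast/broadcast) address
    local = bool(first & 0x02)      # U/L bit set = locally administered
    all_zero = not any(octets)
    return {
        "unicast": not multicast,
        "locally_administered": local,
        # Linux is_valid_ether_addr(): not multicast (so not broadcast) and not all-zero.
        "assignable": not multicast and not all_zero,
        "oui": ":".join(f"{b:02X}" for b in octets[:3]),
    }


def explain(mac):
    """One-line verdict for a candidate address."""
    info = classify_mac(mac)
    if info is None:
        return f"{mac}: malformed"
    if not info["assignable"]:
        return f"{mac}: the kernel will refuse this (multicast or all-zero)"
    kind = ("locally administered" if info["locally_administered"]
            else f"globally unique (OUI {info['oui']})")
    return f"{mac}: assignable, {kind}"


if __name__ == "__main__":
    for candidate in ("00:00:00:00:00:00", "02:00:00:00:00:01", "01:00:5E:00:00:01", "00:11:22:33:44:55"):
        print(explain(candidate))
```

From the defender’s side the U/L bit is a cheap telemetry signal: a locally administered address (second hex digit 2, 6, A or E) turning up on a switch port or in DHCP logs that previously carried a vendor OUI is worth a second look, whether the cause is OS address randomisation or someone following a tutorial like this one.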


How to perform a WiFi De-authentication Attack

This is an old one but a fun one. I love doing this in my test environment and I have a lot of fun using this to prank my friends that choose to connect to it.

DISCLAIMER: Do not perform this attack on any network that you do not own. I am not responsible for any illegal use of this attack.

Now, I am assuming that you already know the basics of aircrack-ng and its suite of tools.

This attack allows us to disconnect any device from any network.

  • Works on encrypted networks (WEP, WPA & WPA2)
  • No need to know the network key
  • No need to connect to the network

In order to do this, use the following:
aireplay-ng --deauth [#DeauthPackets] -a [NetworkMac] -c [TargetMac] [Interface]

For example:
aireplay-ng --deauth 100000000 -a 00:11:22:33:44:55 -c 55:66:77:88:99:00 mon0

NOTE: In some cases you must run Airodump-ng in order to run this command. Run it in another thread or terminal using:
airodump-ng --bssid 00:11:22:33:44:55 --channel 2 mon0

This trick is handy in social engineering cases and man-in-the-middle attacks. You can also use it to capture the handshake, which is used for WPA cracking.
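The defender’s counterpart to the attack above is spotting it: a burst of deauthentication frames all claiming one BSSID is loud and easy to alert on, since a real access point has no reason to deauthenticate dozens of times a second. Below is an added example (mine, not code from the original post) of a sliding-window detector over 802.11 management frame records. The records are constructed tuples standing in for a dissected capture; the window and threshold values are assumptions to tune for your own environment.

```python
"""Detect a deauthentication flood from a stream of 802.11 management
frame records.  Added example, not part of the original post; the frame
records below are constructed, not taken from a real capture."""
from collections import defaultdict, deque

# 802.11 management frame (type 0) subtypes that a defender watches for.
DEAUTH, DISASSOC, BEACON = 12, 10, 8

# Constructed frame records: (timestamp_s, frame_type, subtype, src_mac, bssid).
AP = "00:11:22:33:44:55"  # the access point MAC from the post's example
FRAMES = [(t * 0.1, 0, BEACON, AP, AP) for t in range(10)]           # ten normal beacons
FRAMES += [(1.0 + i * 0.01, 0, DEAUTH, AP, AP) for i in range(60)]   # 60 deauths in 0.6 s
FRAMES += [(3.0, 0, DEAUTH, AP, AP)]                                 # one legitimate-looking deauth later


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """Return one alert (bssid, flood_start_s, frames_in_window) per flood:
    raised when more than `threshold` deauth/disassoc frames claim the same
    BSSID within `window_s`, re-armed once the rate falls to half that."""
    recent = defaultdict(deque)  # bssid -> timestamps inside the sliding window
    in_flood = {}
    alerts = []
    for ts, ftype, subtype, _src, bssid in sorted(frames):
        if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
            continue  # beacons, probes, data frames: not interesting here
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and not in_flood.get(bssid):
            in_flood[bssid] = True
            alerts.append((bssid, q[0], len(q)))
        elif len(q) <= threshold // 2:
            in_flood[bssid] = False
    return alerts


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_flood(FRAMES):
        print(f"deauth flood against {bssid}: {count} frames within 1 s starting at t={start:.2f}s")
```

The structural fix is 802.11w Protected Management Frames, mandatory in WPA3 and optional on WPA2, which makes clients discard deauthentication and disassociation frames that do not carry a valid integrity check; on a plain WPA2 network the attack works exactly as described above, and rate detection like this is what the defender has left.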