Published by Enhelion, 2019-11-21 09:20:51

MODULE 3

Familiarising yourself with the Available Arsenal of Tools

Aircrack-ng Tool

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and
WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless
network interface controller if the driver supports raw monitoring mode and can sniff 802.11a,
802.11b and 802.11g traffic. The ng stands for new generation.

Aircrack-ng has a comprehensive suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security such as:

Monitoring: Packet capture and export of data to text files for supplementary processing by third-party tools
Attacking: Replay attacks, fake access points, de-authentication and others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)

All tools are command-line, which permits heavy scripting. A lot of GUIs have taken advantage of
this feature.

Aircrack-ng consists of tools such as:

1. airbase-ng -- Multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.
2. aircrack-ng -- 802.11 WEP and WPA/WPA2-PSK key cracking program.
3. airdecap-ng -- Decrypt WEP/WPA/WPA2 capture files.
4. airdecloak-ng -- Remove WEP Cloaking™ from a packet capture file.
5. airdrop-ng -- A rule-based wireless deauthentication tool.
6. aireplay-ng -- Inject and replay wireless frames.
7. airgraph-ng -- Graph wireless networks.
8. airmon-ng -- Enable and disable monitor mode on wireless interfaces.
9. airodump-ng -- Capture raw 802.11 frames.
10. airolib-ng -- Precompute WPA/WPA2 passphrases in a database to use them later with aircrack-ng.
11. airserv-ng -- Wireless card TCP/IP server which allows multiple applications to use a wireless card.
12. airtun-ng -- Virtual tunnel interface creator.
13. packetforge-ng -- Create various types of encrypted packets that can be used for injection.
14. Other tools -- WZCook and ivstools.

Demonstration of hacking a Wi-Fi network:

Step 1: Iwconfig

Before beginning with aircrack-ng, we need to make certain that BackTrack recognizes our
wireless adapter. This can be done on any Linux system by typing:

bt > iwconfig

In the iwconfig output we can see that BackTrack recognizes the USB wireless card: it is capable
of 802.11bgn, the ESSID is off, the mode is managed, and so on.

Now we're ready to start using aircrack-ng.

Step 2: Airmon-Ng

The first tool we will look at, and need in nearly every WiFi hack, is airmon-ng, which puts our
wireless card into monitor mode (often loosely called promiscuous mode).

When our network card is in monitor mode, it can see and receive all wireless traffic. Usually
network cards only receive packets addressed to them, as determined by the MAC address of
the NIC. With airmon-ng, however, the card receives all wireless traffic, whether intended for
us or not.

We can start this tool by typing airmon-ng, the action (start/stop), and then
the interface (here wlan1):

bt > airmon-ng start wlan1

Airmon-ng responds with some key information on our wireless adapter including the chipset
and driver. Most importantly, note that it has changed the designation for our wireless adapter
from wlan1 to mon0.

Step 3: Airodump-Ng

The next tool in the aircrack-ng suite that we will need is airodump-ng. It enables us to capture
the packets we specify. It is particularly useful in password cracking.

We activate this tool by typing the airodump-ng command and the renamed monitor
interface (mon0):

bt > airodump-ng mon0

In its output, airodump-ng displays all of the APs (access points) within range with their BSSID
(MAC address), their power, the number of beacon frames, the number of data packets, the
speed, the channel, the encryption method, the type of cipher used, the authentication method
used, and finally, the ESSID.

For hacking a Wi-Fi network, the most important fields will be the BSSID and the channel.

Step 4: Aircrack-Ng

Aircrack-ng, the main application in the aircrack-ng suite, is used for password cracking. It is
capable of using statistical techniques to crack WEP, and dictionary attacks against WPA and
WPA2 after capturing the WPA handshake.

Step 5: Aireplay-Ng

Aireplay-ng is another powerful tool in the aircrack-ng arsenal. It can be used to generate or
accelerate traffic on the AP. This can be especially useful in attacks like a deauth attack that
bumps everyone off the access point, WEP and WPA2 password attacks, as well as ARP injection
and replay attacks.

Aireplay-ng can obtain packets from two sources:

1. A live stream of packets, or
2. A pre-captured pcap file

The pcap file is the standard file type associated with packet capture tools like libpcap and
winpcap. If you've ever used Wireshark, you've most likely worked with pcap files.

In the aireplay-ng help output we can see that aireplay-ng can filter by the BSSID of the access
point, the MAC address of either source or destination, the minimum and maximum packet
length, etc. Further down the help screen we can see some of the attack options of aireplay-ng:

These include deauth, fake deauth, interactive, arpreplay (necessary for fast WEP cracking),
chopchop (a form of statistical technique for WEP packet decrypting without cracking the
password), fragment, caffe latte (attacking the client side), and others.

These four tools in the aircrack-ng suite are our Wi-Fi hacking work horses. Each of them is
used in nearly every Wi-Fi hack. More hack-specific tools include airtun-ng, airdecap-ng,
airolib-ng and airbase-ng.

Step 6: Airdecap-Ng

Once we have cracked the key, airdecap-ng lets us decrypt wireless traffic. In other words, once
we have the key of the wireless access point, we can not only use the bandwidth of the access
point but also, with airdecap-ng, decrypt everyone's traffic on the AP and monitor everything
they're doing, because the same key is used for both access and encryption.

Step 7: Airtun-Ng

Airtun-ng is a virtual tunnel interface creator. We can use airtun-ng to set up an IDS on the
wireless traffic to detect malicious or other traffic on the wireless access point. If we're looking
to get an alert of a particular type of traffic, we can use airtun-ng to set up a virtual tunnel that
connects to an IDS like Snort to send us alerts.

Step 8: Airolib-Ng

Airolib-ng stores and manages ESSIDs (the names of the access points) and password lists that
help speed up WPA/WPA2 password cracking.

Step 9: Airbase-Ng

Airbase-ng enables us to turn our laptop and wireless card into an AP. This can be particularly
useful when performing rogue access point or evil twin attacks. Essentially, airbase-ng allows
us to attack the clients rather than the AP, and encourages the clients to associate with us
rather than with the real AP.
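The fields airodump-ng reports (BSSID, channel, encryption, cipher, authentication, ESSID) are also what a defender needs to spot the two problems described above from the other side: networks still running WEP or no encryption, and an unknown BSSID advertising one of our own ESSIDs, which is the pattern an airbase-ng evil twin produces. The following is an added example, not code from this module or from the Aircrack-ng project. It assumes the CSV layout airodump-ng writes with its text export (header names as in the sample) and uses a constructed capture and a constructed list of authorized access points.

```python
import csv

# Constructed sample in the column layout that airodump-ng writes to its CSV
# export (assumption: header names as below; the station table that follows
# the blank line is ignored). Not a real capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2019-11-21 09:00:00, 2019-11-21 09:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 8, CorpWiFi,
00:11:22:33:44:66, 2019-11-21 09:00:00, 2019-11-21 09:05:00, 11, 54, WPA2, CCMP, PSK, -55, 98, 0, 0.0.0.0, 8, CorpWiFi,
AA:BB:CC:DD:EE:FF, 2019-11-21 09:01:00, 2019-11-21 09:05:00, 6, 54, WPA2, CCMP, PSK, -30, 300, 0, 0.0.0.0, 8, CorpWiFi,
DE:AD:BE:EF:00:01, 2019-11-21 09:02:00, 2019-11-21 09:05:00, 1, 11, WEP, WEP, , -70, 40, 1200, 0.0.0.0, 8, OldPrint,
CA:FE:00:00:00:02, 2019-11-21 09:02:00, 2019-11-21 09:05:00, 3, 54, OPN, , , -65, 77, 0, 0.0.0.0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Constructed inventory of the BSSIDs we operate for each of our ESSIDs.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
    "Guest": {"CA:FE:00:00:00:02"},
}

# Privacy values airodump-ng reports for networks with no real protection.
WEAK_PRIVACY = {"OPN", "WEP"}


def parse_access_points(text):
    """Return the AP table of an airodump-ng CSV export as a list of dicts."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            break  # blank line separates the AP table from the station table
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header):
            continue  # malformed or truncated line
        rows.append({header[i]: row[i].strip() for i in range(len(header))})
    return rows


def audit(rows, authorized):
    """Flag weak encryption and unknown BSSIDs that advertise one of our ESSIDs."""
    findings = []
    for ap in rows:
        bssid, essid, privacy = ap["BSSID"], ap["ESSID"], ap["Privacy"]
        if privacy in WEAK_PRIVACY:
            findings.append((bssid, essid, "weak encryption: " + privacy))
        if essid in authorized and bssid not in authorized[essid]:
            findings.append((bssid, essid,
                             "unknown BSSID advertising our ESSID (possible evil twin)"))
    return findings


if __name__ == "__main__":
    for bssid, essid, why in audit(parse_access_points(SAMPLE_CSV), AUTHORIZED):
        print(f"{bssid}  {essid:10s} {why}")
```

The check is deliberately keyed on BSSID rather than ESSID alone, because an evil twin copies the network name exactly; only the authorized-BSSID inventory tells the two apart. The Guest network is reported for its open encryption even though its BSSID is authorized, which is the right outcome for an audit.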

THC Hydra

Hydra is often the tool of choice when one needs to brute-force a remote authentication
service. It can perform rapid dictionary attacks against more than 50 protocols, including telnet,
ftp, http, https, smb, several databases, and much more. Hydra is a very well-known and
respected password cracking tool which supports many different services.

How does Hydra work?

Hydra is a brute-force password cracking tool. In information security, password cracking is the
process of guessing passwords from databases that have been stored in, or are in transit within,
a computer system or network. A common approach, and the one used by Hydra and many
other similar pentesting tools and programs, is referred to as brute force.

Brute force means that the program launches a relentless barrage of passwords at a login to
guess the password. As we know, the majority of users have weak passwords and all too often
they are easily guessed. With a little bit of social engineering, the chances of finding the correct
password for a user are significantly higher. Most people, especially those who are not IT savvy,
base their ‘secret’ passwords on words and nouns that they will not easily forget. These words
are common: names of loved ones, street addresses, place of birth, favorite football team, etc.
All of these are easily obtained through social media. As soon as the hacker has collected this
data, it can be compiled into a ‘password list’.

Brute force will take the password list that the hacker built and will combine it with other
popular passwords and begin the attack. Depending on the processing speed of the hacker’s
computer, Internet connection and perhaps proxies, the brute force methodology will
systematically go through each password until the correct one is discovered. Although it is not
considered as being very subtle, it works.
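Because brute force is "not very subtle", it leaves a clear trace on the target: a burst of failed logins from one source in a short time, sometimes followed by a success. The following is an added example, not part of this module or of Hydra, showing how a defender detects that pattern in an authentication log. It parses constructed sshd-style log lines (the syslog timestamp layout is assumed), keeps a sliding window of failures per source address, alerts when a source reaches five failures within sixty seconds, and raises a second alert if that source then logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not from the module). The timestamp
# format is assumed to be the classic syslog layout without a year.
SAMPLE_LOG = """\
Nov 21 09:20:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 50122 ssh2
Nov 21 09:20:02 host sshd[1202]: Failed password for admin from 198.51.100.7 port 50123 ssh2
Nov 21 09:20:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 50124 ssh2
Nov 21 09:20:03 host sshd[1204]: Failed password for root from 198.51.100.7 port 50125 ssh2
Nov 21 09:20:04 host sshd[1205]: Failed password for root from 198.51.100.7 port 50126 ssh2
Nov 21 09:20:05 host sshd[1206]: Accepted password for root from 198.51.100.7 port 50127 ssh2
Nov 21 09:25:10 host sshd[1300]: Failed password for alice from 192.0.2.5 port 41000 ssh2
Nov 21 09:31:45 host sshd[1301]: Accepted publickey for alice from 192.0.2.5 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(text, year=2019):
    """Turn log lines into (timestamp, source ip, user, result) tuples.
    The year is supplied by the caller because syslog lines omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window per source: alert once a source reaches `threshold`
    failures inside `window_seconds`, and again if a success follows."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, ip, user, result in events:
        window = recent[ip]
        if result == "Failed":
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures that fell out of the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, f"brute force: {len(window)} failures in {window_seconds}s"))
        elif result == "Accepted" and ip in flagged:
            alerts.append((ip, f"success after burst for user {user}"))
    return alerts


if __name__ == "__main__":
    for ip, message in detect_bruteforce(parse(SAMPLE_LOG)):
        print(ip, message)
```

The second alert is the one worth paging on: a success from a source that was just brute-forcing is evidence of a compromised credential, not merely of an attempt. The single failure from 192.0.2.5 followed by a key-based login is normal user behaviour and produces nothing.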

Resources and tutorials

The majority of pentesting tools are created and developed from a security perspective. This
means that they are designed to help the pentester find flaws in their client’s systems and take
appropriate action. Hydra works by helping professionals find weak passwords in their client’s
network. According to the Hydra developers, it is recommended that the professional do the
following when using Hydra:

Step 1: Make your network as secure as possible.
Step 2: Set up a test network
Step 3: Set up a test server
Step 4: Configure services
Step 5: Configure the ACL
Step 6: Choose good passwords
Step 7: Use SSL
Step 8: Use Cryptography
Step 9: Use an IDS
Step 10: Throw Hydra against the security and try and crack the logon commands.

John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix
operating system, it now runs on fifteen different platforms, eleven of which are architecture-
specific versions of Unix, Win32, DOS, BeOS, and OpenVMS. It is one of the most popular
password testing and breaking programs as it combines numerous password crackers into one
package, auto-detects password hash types, and includes a customizable cracker. It can be run
against various encrypted password formats including several crypt password hash types most
commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and
Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include
MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

Attack types

One of the modes John can use is the dictionary attack. It takes text string samples, usually
from a file called a wordlist, containing words found in a dictionary or real passwords cracked
before, and encrypts each one in the same format as the password being examined, including
both the encryption algorithm and key. It then compares the output to the encrypted string. It
can also make a variety of alterations to the dictionary words and try these. Many of these
alterations are also used in John's single attack mode, which modifies an associated plaintext,
such as the username that goes with an encrypted password, and checks the variations against
the hashes.

John also offers a brute force mode. In this type of attack, the program goes through all the
possible plaintexts, hashing each one and then comparing it to the input hash. John uses
character frequency tables to try plaintexts containing more frequently used characters first.
This method is useful for cracking passwords which do not appear in dictionary wordlists, but it
takes a long time to run.

Cracking passwords and hashes with John the Ripper

John the Ripper is the good old password cracker that uses wordlists/dictionaries to crack a
given hash. It can crack various types of hashes including MD5, SHA and so on. It has free as
well as paid password lists available. It is cross-platform.
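The dictionary and single modes described above reduce to one loop: produce candidate plaintexts from a wordlist or from the username, apply mangling rules, hash each candidate in the target's format, and compare. The following is an added example, not code from this module or from John the Ripper, that implements that loop as a password audit over constructed account records. It uses unsalted MD5 (one of the raw formats the text mentions) so the cost of a guess is visible; the wordlist, the accounts and the small rule set are all constructed for illustration.

```python
import hashlib

# Constructed wordlist (a real audit would use a large public list).
WORDLIST = ["password", "welcome", "liverpool", "summer", "letmein"]


def md5_hex(text):
    """Hash a candidate the same way the stored hashes were produced."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed accounts: username -> stored hash. The plaintext is noted in
# the comment only so the audit result can be checked.
ACCOUNTS = {
    "alice": md5_hex("Liverpool2019"),   # wordlist word + capitalisation + year
    "bob":   md5_hex("bob123"),          # derived from the username (single mode)
    "carol": md5_hex("x9#Qv!2lwz"),      # random; neither mode should recover it
}


def mangle(word):
    """A small subset of John-style mangling rules: case variants, a few
    leet substitutions, and common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases.add(word.replace("a", "4").replace("e", "3").replace("o", "0"))
    suffixes = ["", "1", "123", "!", "2019", "2020"]
    for base in sorted(bases):
        for suffix in suffixes:
            yield base + suffix


def dictionary_mode(target_hash, wordlist):
    """Return the first mangled wordlist entry whose hash matches, else None."""
    for word in wordlist:
        for candidate in mangle(word):
            if md5_hex(candidate) == target_hash:
                return candidate
    return None


def single_mode(username, target_hash):
    """Single mode: the only 'wordlist' is the account's own username."""
    return dictionary_mode(target_hash, [username])


def audit(accounts, wordlist):
    """Try single mode first (cheapest), then the dictionary, per account."""
    return {
        user: single_mode(user, h) or dictionary_mode(h, wordlist)
        for user, h in accounts.items()
    }


def guesses_per_account(wordlist):
    """How many hashes the dictionary pass costs for one account at most."""
    return sum(1 for word in wordlist for _ in mangle(word))


if __name__ == "__main__":
    for user, recovered in audit(ACCOUNTS, WORDLIST).items():
        print(f"{user:6s} {'RECOVERED: ' + recovered if recovered else 'not recovered'}")
    print("max guesses per account:", guesses_per_account(WORDLIST))
```

Two things the numbers make obvious. A handful of rules turns a five-word list into well over a hundred candidates, which is why "Liverpool2019" is no safer than "liverpool". And because each guess costs one fast MD5, the whole audit is instantaneous; storing passwords with a salted, deliberately slow hash (bcrypt, scrypt, PBKDF2) multiplies the cost of exactly this loop and is the defence the attack modes are really measuring.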

Metasploit Framework

The Metasploit Framework (Msf) is a free penetration testing solution developed by Rapid7 and
the open source community. Metasploit saves considerable time and effort by eliminating the
need to write individual exploits.

The use of Metasploit ranges from defending your own systems by breaking into them, to
learning about vulnerabilities that pose a real risk.

Metasploit Framework is a Ruby-based platform used to develop, test and execute exploits
against remote hosts. It includes a full collection of security tools used for penetration testing,
along with a powerful terminal-based console — called msfconsole — which allows you to find
targets, launch scans, exploit security flaws and collect all available data.

What can it do?

1. Reconnaissance
2. Scanning
3. Enumeration and Discovery
4. Exploitation
5. Gaining access.

Reconnaissance Phase

In this phase, it is necessary to gather as much information as possible about the target
network. The target can be a website, an organization, or even a full-fledged corporation. The
most important aspect is to gather information about the target from social media networks
and to use Google dorks (specialized queries that extract sensitive information from Google) to
find sensitive information related to the target. Footprinting the organization using active and
passive attacks can also be an approach.

This phase is one of the most crucial phases in penetration testing. Properly acquired
knowledge about the target will help the tester to simulate appropriate and exact attacks,
rather than trying all possible attack mechanisms, and will save him or her an ample amount
of time as well. This phase will consume 40 to 60 percent of the total time of the testing, as
gaining access to the target depends largely upon how well the system is footprinted.

It's the duty of a penetration tester to gain adequate knowledge about the target by conducting
a variety of scans; scanning for services, looking for open ports, and identifying all the services
running on those ports, and also to decide which services are vulnerable and how to make use
of them to enter into the desired system.

Enumeration and Discovery

The first phase of penetration involves scanning a network or a host to gather information and
create an overview of the target machine.

A discovery scan basically creates an IP list of the target network and discovers the services
running on the machines. In Metasploit this is done from the command prompt, using the Nmap
commands incorporated into Metasploit.

Let’s see in practice how it works. We started the target machine (Metasploitable) and
the Windows Server 2003 machine with the IP 192.168.1.101.

Next, we will start Metasploit. Here, we are using Kali Linux, so the commands will always
start with nmap.

Let’s start by scanning the network range 192.168.0.0/24 to discover the machines.

The scan output shows 5 hosts up in the network, with details. Now that we have found the
hosts that are alive, we will try to find the OS they are running and their background services.

We will try to attack the vulnerable machine with the IP 192.168.1.101. To do so, we run the
following command: nmap -sV -O -T4 192.168.1.101

Here,
-sV detects the services with their version details.
-O detects the OS version, which in this case is Linux 2.6.X.
-T4 selects the timing template, which controls how aggressively (and therefore how fast) the
scan runs.

The output of the above command lists the open ports with their services and versions,
followed by the OS guess.

Metasploit Architecture

Filesystem and Libraries

The MSF filesystem is laid out in an intuitive manner and is organized by directory.

lib: the 'meat' of the framework code base
data: editable files used by Metasploit
tools: various useful command-line utilities
modules: the actual MSF modules
plugins: plugins that can be loaded at run-time
scripts: Meterpreter and other scripts
external: source code and third-party libraries

Libraries

Rex

The basic library for most tasks
Handles sockets, protocols, text transformations, and others
SSL, SMB, HTTP, XOR, Base64, Unicode

Msf::Core

Provides the 'basic' API
Defines the Metasploit Framework

Msf::Base

Provides the 'friendly' API
Provides simplified APIs for use in the Framework

Modules and Locations

Metasploit, as presented to the user, is composed of modules.

Exploits

Defined as modules that use payloads
An exploit without a payload is an Auxiliary module

Payloads, Encoders, Nops

Payloads consist of code that runs remotely
Encoders ensure that payloads make it to their destination
Nops keep the payload sizes consistent.

Module Locations

Primary Module Tree

Located under $install/modules/

User-Specified Module Tree

Located under ~/.msf3/modules/
This location is ideal for private module sets

Loading Additional Trees at Runtime

Pass the -m option when running msfconsole (./msfconsole -m)
Use the loadpath command within msfconsole

Metasploit Object Model

In the Metasploit Framework, all modules are Ruby classes.

Modules inherit from the type-specific class
The type-specific class inherits from the Msf::Module class
There is a shared common API between modules

Payloads are slightly different.

Payloads are created at runtime from various components
Glue together stagers with stages

Mixins and Plugins

A quick diversion into Ruby.

Every Class only has one parent
A class may include many Modules
Modules can add new methods
Modules can overload old methods
Metasploit modules inherit Msf::Module and include mixins to add features.

Metasploit Mixins

Mixins are quite simply, the reason why Ruby rocks.

Mixins 'include' one class into another
This is both different and similar to inheritance
Mixins can override a class' methods

Mixins can add new features and allow modules to have different 'flavors'.

Protocol-specific (e.g. HTTP, SMB)
Behavior-specific (e.g. brute force)
connect() is implemented by the TCP mixin
connect() is then overloaded by FTP, SMB, and others.

Mixins can change behavior.

The Scanner mixin overloads run()
Scanner changes run() for run_host() and run_range()
It calls these in parallel based on the THREADS setting

The BruteForce mixin is similar
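The object model above (one parent class, several mixins that add or overload methods, a Scanner mixin that replaces run() with parallel run_host() calls driven by THREADS) is easier to see in a few lines than in prose. The following is an added example that is not Metasploit code: it reproduces the same structure in Python, with Module standing in for Msf::Module, Tcp and Ftp for the TCP and FTP protocol mixins, and Scanner for the Scanner mixin. The class names, the "ftp-checked" result and the use of RHOSTS as the target option (named after Metasploit's option of that name) are assumptions made for the illustration.

```python
from concurrent.futures import ThreadPoolExecutor


class Module:
    """Stand-in for Msf::Module: the common API every module shares. The
    datastore holds options such as THREADS and RHOSTS (names borrowed from
    Metasploit for the analogy)."""

    def __init__(self, **datastore):
        self.datastore = {"THREADS": 1, **datastore}
        self.log = []

    def run(self):
        raise NotImplementedError("a concrete module must implement run()")


class Tcp:
    """Stand-in for the TCP mixin: implements connect()."""

    def connect(self, host):
        self.log.append(f"tcp connect {host}")
        return f"socket:{host}"


class Ftp(Tcp):
    """Stand-in for the FTP mixin: overloads connect() from the TCP mixin
    and adds protocol-specific work on top of it."""

    def connect(self, host):
        sock = super().connect(host)
        self.log.append(f"ftp banner from {host}")
        return sock


class Scanner:
    """Stand-in for the Scanner mixin: overloads run() so that run_host() is
    called once per target, in parallel according to THREADS."""

    def run(self):
        hosts = self.datastore["RHOSTS"]
        with ThreadPoolExecutor(max_workers=self.datastore["THREADS"]) as pool:
            return dict(zip(hosts, pool.map(self.run_host, hosts)))

    def run_host(self, host):
        raise NotImplementedError("scanner modules implement run_host()")


class FtpVersion(Scanner, Ftp, Module):
    """A concrete module: one parent chain (Module) plus two mixins. Method
    lookup goes Scanner -> Ftp -> Tcp -> Module, so Scanner.run() replaces
    Module.run() and Ftp.connect() replaces Tcp.connect(). Only run_host()
    has to be written."""

    def run_host(self, host):
        self.connect(host)
        return "ftp-checked"


if __name__ == "__main__":
    module = FtpVersion(RHOSTS=["10.0.0.1", "10.0.0.2", "10.0.0.3"], THREADS=2)
    print(module.run())
    print("\n".join(module.log))
```

Python's method resolution order plays the part Ruby's include order plays in Metasploit: the mixin listed first wins, which is why Scanner's run() and Ftp's connect() are the ones that execute even though Module and Tcp define methods of the same name.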

Metasploit Plugins

Plugins work directly with the API.

They manipulate the framework as a whole
Plugins hook into the event subsystem
They automate specific tasks which would be tedious to do manually

Plugins only work in the msfconsole.

Plugins can add new console commands
They extend the overall Framework functionality

Accessing MSFconsole

MSFconsole provides a command line interface to access and work with the Metasploit
Framework. It is the most commonly used interface to work with the Metasploit Framework.
The console lets you scan targets, exploit vulnerabilities, and collect data.

Start msfconsole:

In the terminal, type msfconsole.

Now run the following commands:

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST <Listening_IP> (for example set LHOST 192.168.5.55)

msf exploit(handler) > set LPORT <Listening_Port> (for example set LPORT 4444)

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.75.35:4444

[*] Starting the payload handler…

Help Command

Typing the help command in the console shows a list of the core commands in Metasploit along
with their descriptions.

msfupdate Command

msfupdate is an important administration command used to update Metasploit with the latest
vulnerability exploits. You will have to wait several minutes after running this command until
the update completes.

Search Command

Search is a powerful command in Metasploit that is used to find what you want to locate. For
example, the command to find exploits related to Microsoft is:

msf > search name:Microsoft type:exploit

Here, search is the command, name is the name of the object that you are looking for,
and type is the kind of script you are searching.

Info Command

The info command provides information regarding a module or platform, such as where it is
used, its vulnerability references, its author, and its payload restrictions.

NETCAT

Netcat or nc is a utility tool that uses TCP and UDP connections to read and write across a
network. It can be used for both attacking and security. In the case of attacking, it can be driven
by scripts, which makes it a quite dependable back end. On the security side, it helps us debug
the network as well as investigate it.

Features

Act as a simple TCP/UDP/SCTP/SSL client for interacting with web servers, telnet
servers, mail servers, and other TCP/IP network services. One of the best ways to
understand a service (for fixing problems, finding security flaws, or testing custom
commands) is to interact with it using Netcat. This lets you control every character sent
and view the raw, unfiltered responses.
Redirect or proxy TCP/UDP/SCTP traffic to other ports or hosts. This can be done using
simple redirection (everything sent to a port is automatically relayed somewhere else
you specify in advance) or by acting as a HTTP or SOCKS proxy so clients can specify their
own destinations. Netcat can connect to destinations through a chain of anonymous or
authenticated proxies in client mode.
Run on all major operating systems. Netcat provides Linux, Windows, and Mac OS X binaries
and builds on most other systems. No matter what computer you’re using, a trusted tool
must be available whenever you need it.
Encrypt communication with SSL and transport it over IPv4 or IPv6.
Act as a network gateway for execution of system commands, with I/O redirected to the
network. It was designed to work like the Unix utility cat, but for the network.
Act as a connection broker, allowing two or more clients to connect to each other
through a third brokering server. This enables multiple machines hidden behind NAT
gateways to communicate with each other as well as enables the simple Netcat chat
mode.
Getting started with nc

To start with nc, the most basic option we can use is the help command, which shows all the
options Netcat accepts.

Connecting to a Server

Here, we connect to an FTP server with the IP address 192.168.1.6. To connect to the server we
give the port on which the service is running; in our case the port is 21, i.e. FTP.

Syntax: nc [Target IP Address] [Target Port]

As we can see in the given image, the server has vsFTPd installed, and after supplying the login
credentials we have successfully logged in to the FTP server.

Fetching HTTP header
We can use netcat to fetch information about any webserver. Let’s get back to the server we
connected to earlier. It also has HTTP service running on port 80. So, we connected to HTTP
service using netcat as we did earlier. Now after connecting to the server, we use the option
that will give us the header along with the source code of the HTTP service running on the
remote server.

Chatting

Netcat can also be used to chat between two users. A connection must be established before
chatting. This is done with the help of two devices: one plays the role of initiator and the other
is a listener that waits for the conversation to start. Once the connection is established,
communication can go in both directions. Here we create a scenario of chatting between two
users on different operating systems.
User 1
OS: Windows 10
IP Address: 192.168.1.4
Role: Listener

User 2
OS: Kali Linux
IP Address: 192.168.1.35
Role: Initiator
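All three uses above (connecting to a service port, fetching an HTTP header with its body, and the listener/initiator pair) are the same two socket roles, and seeing them written out shows exactly what Netcat sends and receives with no filtering. The following is an added example, not code from this module or from Netcat: a listener that accepts one connection and answers with a minimal HTTP response, and an initiator that plays the part of `nc host port` followed by a typed GET request and splits the raw reply into status line, headers and body. It runs entirely on localhost with an OS-chosen port; the "constructed-demo" Server header is made up for the illustration.

```python
import socket
import threading


def serve_once(host="127.0.0.1", port=0):
    """Listener role: accept a single connection and answer the request with
    a minimal HTTP/1.0 response that echoes the request line. Returns the
    bound port (port 0 lets the OS choose) and the serving thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    chosen_port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(4096).decode(errors="replace")
            first_line = request.split("\r\n", 1)[0]
            body = f"you sent: {first_line}"
            reply = (
                "HTTP/1.0 200 OK\r\n"
                "Server: constructed-demo\r\n"   # made-up header value
                f"Content-Length: {len(body)}\r\n"
                "\r\n" + body
            )
            conn.sendall(reply.encode())
        srv.close()

    thread = threading.Thread(target=handler, daemon=True)
    thread.start()
    return chosen_port, thread


def fetch_headers(host, port, path="/"):
    """Initiator role: what `nc host port` plus a typed request does. Sends a
    raw GET, reads until the peer closes, and splits the unfiltered reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break  # peer closed the connection: end of response
            chunks.append(data)
    raw = b"".join(chunks).decode(errors="replace")
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    return status, headers, body


if __name__ == "__main__":
    port, thread = serve_once()
    status, headers, body = fetch_headers("127.0.0.1", port)
    thread.join(5)
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print()
    print(body)
```

Reading until the peer closes is the same behaviour Netcat shows when it exits after the server hangs up; for HTTP/1.1 servers that keep the connection open, the `Content-Length` header is what tells a client when the body is complete.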

NMAP

Nmap is a free, open-source tool for vulnerability scanning and network discovery. It is short for
Network Mapper. Nmap is used by network administrators to identify what devices are running
on their systems, discover hosts that are available and the services they offer, find open ports
and detect security risks.
Nmap can be used to monitor single hosts as well as vast networks that hold hundreds of
thousands of devices and multitudes of subnets.
Though Nmap has evolved over the years and is extremely flexible, at heart it's a port-scan tool,
gathering information by sending raw packets to system ports. It listens for responses and
determines whether ports are open, closed or filtered in some way by, for example, a firewall.
Other terms used for port scanning include port discovery or enumeration.

Port scanning

The packets that Nmap sends out return with IP addresses and a lot of other data, allowing you
to identify all sorts of network attributes, giving you a profile or map of the network as well as
allowing you to create a hardware and software inventory.

Different protocols use different types of packet structures. Nmap employs transport layer
protocols including TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and
SCTP (Stream Control Transmission Protocol), as well as supporting protocols like ICMP
(Internet Control Message Protocol), used to send error messages.

The various protocols serve different purposes and system ports. For example, the low resource
overhead of UDP is suited for real-time streaming video, where you sacrifice some lost packets
for speed, while non-real time streaming videos in YouTube are buffered and use the slower,
albeit more reliable TCP.

Along with its many other features, Nmap's fundamental port scanning and packet-capture
capabilities are constantly being enhanced.

How to use Nmap

For network administrators and security auditors, there is a wide range of free network
monitoring utilities as well as free open-source vulnerability scanners available. What makes
Nmap stand out as one of the best tools is its flexibility and power. While the basis of Nmap's
functionality is port scanning, it allows for a variety of related capabilities including:

Network mapping: Nmap can identify the devices on a network, including servers, routers and
switches, and how they're physically connected. This is also called host discovery.

OS detection: Nmap can detect the operating systems running on network devices (also known
as OS fingerprinting), providing the vendor name, the underlying operating system, the version
of the software and even an estimate of devices' uptime.

Service discovery: Nmap can not only identify hosts on the network, but whether they're acting
as mail, web or name servers, and the particular applications and versions of the related
software they're running.

Security auditing: Network managers can determine their vulnerability to specific flaws by
figuring out what versions of operating systems and applications are running on network hosts.
For example, if a network admin receives an alert about a vulnerability in a particular version of
an application, they can scan the network to identify whether that software version is running
on the network and take steps to patch or update the relevant hosts. Scripts can also automate
tasks such as detecting specific vulnerabilities.

Commands of nmap:

nmap -sP 10.0.0.0/24
Ping-scans the network, listing machines that respond to ping.

nmap -p 1-65535 -sV -sS -T4 target
Full TCP port scan with service version detection; usually my first scan. I find T4 more accurate
than T5 and still "pretty quick".

nmap -v -sS -A -T4 target
Prints verbose output; runs a stealth SYN scan with T4 timing, OS and version detection,
traceroute and scripts against target services.

nmap -v -sS -A -T5 target
Prints verbose output; runs a stealth SYN scan with T5 timing, OS and version detection,
traceroute and scripts against target services.

nmap -v -sV -O -sS -T5 target
Prints verbose output; runs a stealth SYN scan with T5 timing, OS and version detection.

nmap -v -p 1-65535 -sV -O -sS -T4 target
Prints verbose output; runs a stealth SYN scan with T4 timing, OS and version detection, over
the full port range.
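The security-auditing use described earlier (an alert names a vulnerable version; scan the network and find where it runs) is a matter of parsing the `-sV` output of the commands above and comparing it with what you expect to be there. The following is an added example, not code from this module or from the Nmap project. It parses constructed scan output laid out like nmap's normal `-sV` report (the layout is an assumption), reports open ports that are missing from a per-host baseline, and reports service versions below a minimum; the baseline and the version thresholds are constructed placeholders, not real advisories.

```python
import re

# Constructed nmap -sV style output (not from the module); the layout follows
# nmap's normal output as assumed here. Hosts and versions are illustrative.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.101
Host is up (0.00034s latency).
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      ExampleFTPd 2.3.4
22/tcp   open   ssh      OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open   http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open   mysql    MySQL 5.0.51a-3ubuntu5

Nmap scan report for 192.168.1.102
Host is up (0.0012s latency).
PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
443/tcp  open   ssl/http nginx 1.14.2
8080/tcp closed http-proxy
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Constructed baseline: the open ports expected on each host.
BASELINE = {
    "192.168.1.101": {22, 80},
    "192.168.1.102": {22, 443},
}

# Constructed watch list: (product prefix, minimum acceptable major.minor).
# Placeholder thresholds for illustration, not real advisories.
WATCHLIST = [("OpenSSH", (7, 4)), ("Apache httpd", (2, 4)), ("MySQL", (5, 7))]


def parse_nmap(text):
    """Return {host: [port dicts]} from nmap normal output with -sV."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": m["version"].strip(),
            })
    return hosts


def version_tuple(text):
    """Leading major.minor of a version string, e.g. '4.7p1 Debian' -> (4, 7)."""
    m = re.match(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(hosts, baseline, watchlist):
    """Report unexpected open ports and watch-listed products below minimum."""
    findings = []
    for host, ports in hosts.items():
        expected = baseline.get(host, set())
        for p in ports:
            if p["state"] != "open":
                continue  # closed/filtered ports carry no exposure here
            if p["port"] not in expected:
                findings.append((host, p["port"], f"unexpected open port ({p['service']})"))
            for product, minimum in watchlist:
                if p["version"].startswith(product + " "):
                    found = version_tuple(p["version"][len(product) + 1:])
                    if found is not None and found < minimum:
                        findings.append((host, p["port"],
                                         f"{product} below {minimum[0]}.{minimum[1]}"))
    return findings


if __name__ == "__main__":
    for host, port, why in audit(parse_nmap(SAMPLE_NMAP), BASELINE, WATCHLIST):
        print(f"{host}:{port:<5} {why}")
```

Comparing against a baseline is what turns a scan into an audit: the second host is clean because everything open on it is expected and current, while the first host is reported for two ports that should not be listening at all and for three outdated services. For real work, feed the machine-readable `-oX` or `-oG` output rather than scraping the human-readable report.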

NESSUS

Nessus is a network vulnerability scanner that uses the Common Vulnerabilities and Exposures
(CVE) architecture for easy cross-linking between compliant security tools. It utilizes the Nessus
Attack Scripting Language (NASL), a simple language that describes individual threats and
potential attacks.

Nessus has a modular architecture consisting of centralized servers that conduct scanning as
well as remote clients that allow for administrator interaction. To develop customized scans,
administrators can include NASL descriptions of all suspected vulnerabilities. Other significant
capabilities of Nessus include:

Compatibility with computers and servers of all sizes.
Detection of security holes in local or remote hosts.
Detection of missing security updates and patches.
Simulated attacks to pinpoint vulnerabilities.
Execution of security tests in a contained environment.
Scheduled security audits.

Most of the tools used to test the security of a network are pretty complex. Nessus breaks this
trend: it is incredibly easy to use, works quickly, and can give you a quick rundown of your
network’s security at the click of a button.

If someone wanted to hack your local network, the first thing they’d do is run a vulnerability
scan and then a penetration test. A vulnerability scan searches through the various devices on
your network and looks for potential holes such as open ports, outdated software with known
vulnerabilities, or default passwords on devices. If they find anything, a hacker would test those
vulnerabilities, then find a way to exploit them. Testing these vulnerabilities is a two-step
process, as a scan just reveals the possibility of problems whereas a penetration test verifies
that the problem is actually exploitable.

Nessus is commercial software made to scan for vulnerabilities. However, the free home
version offers plenty of tools to help explore and strengthen your home network. If you want to
learn more, it also points you to a variety of different tools to perform a penetration test on a
network.

How to Download and Setup Nessus

In order to download Nessus, first sign up for an online account so you can download the
software and get an activation code.

Register on the Nessus Home landing page by entering a name and email address, and
then click the Register button. Use a real email address here because Nessus sends an
activation code that you’ll need in a step later.
Click the Download button, then download Nessus for your operating system. It’s
available for Windows, Mac, and Linux.
Once the download is complete, run the installer package and follow the on-screen
instructions to finish installation.

Nessus creates a local server on your computer and runs from there which is a little different
from usual installation processes.

Step Two: Set Up Your Nessus Account and Activation Code

Once Nessus is installed, go to: https://localhost:8834/

Here, complete the signup and activate your copy of Nessus.

When you launch Nessus for the first time, you get a “Your connection is not secure” warning
from your browser. Click “Advanced” and then “Proceed to localhost” to bypass this warning.

Create an account on the Account Setup screen, leave the Registration as “Home, Professional,
or Manager,” and then enter the Activation Code from your email. Click “Continue.”

Next, Nessus will download a number of tools and plugins so it can properly scan your network
with updated utilities. This can take a few minutes, so grab a cup of coffee and make yourself
comfortable.

Step Three: Start a Vulnerability Scan

Now it’s time to test your network. Nessus can scan for quite a few different problems, but
most users are content with the Basic Network Scan because it offers a good overview.

Click the “New Scan.”

Click “Basic Network Scan.”

Name your scan and add a description.

In the “Targets” field, you’ll want to enter IP scanning details about your home network.
For example, if your router is at 192.168.0.1, you’d want to enter 192.168.0.1/24. This
will make Nessus scan all the devices on your network (unless you have a ton of devices,
this is probably as high as you’d need to go). If you’re not sure about the local IP address
of your router, here’s how to find it.

Click “Save.”

On the next screen, click the Play icon to launch the scan.

Depending on what and how many devices you have on your network, the scan takes a
while, so sit back and relax while Nessus does its work.

Aside from the Basic Network Scan, you can also run:

Advanced Scan - includes more parameters to narrow your search.
A Badlock Detection scan - hunts down a security issue with Samba.
A Shellshock scan - looks for vulnerabilities in old Linux or Mac machines.
A DROWN scan - looks for computers hosting sites susceptible to DROWN attacks.
A few other more acute scans.

Most of these issues will also get picked up with the Basic Network Scan. However, if
you’re doing anything beyond just maintaining a normal home network, like running a
private server that’s exposed to the Internet, then you’ll want to double-check that
everything is up-to-date using the more specific scanning modes.

References:

How to hack Wi-Fi using spectacle
https://learntohackbkp.wordpress.com/2015/10/24/how-to-hack-wi-fi-using-spectacle/

How to hack Wi-Fi: Getting started with the Aircrack-Ng Suite of Wi-Fi hacking tools
http://known-trended.blogspot.com/2015/03/how-to-hack-wi-fi-getting-started-with.html

Introduction: File system and Libraries
http://backboxguide.blogspot.com/2014/09/introduction.html

Metasploit Unleashed: Mastering the Framework
https://www.scribd.com/document/135726404/Metasploit-Unleashed

Comprehensive Guide on Netcat – Raj Chandel
https://www.hackingarticles.in/comprehensive-guide-on-netcat/

What is Nmap? Why you need this network mapper – Marc Ferranti
https://www.networkworld.com/article/3296740/what-is-nmap-why-you-need-this-network-mapper.html

Nmap Commands – GitHub
https://gist.github.com/samidrif123/c29006fd38301cf0e74eef06b56f51fe

Nessus – Digital Fortress LK
https://digitalfortresslk.wordpress.com/2017/10/23/nessus/

