Welcome back, my neophyte hackers!
Have you ever had a neighbor that you're certain is up to no good? Maybe you've seen him moving packages in and out at all hours of the night? Maybe you've seen people go into his home and never come out? He seems like a creep, and sometimes you hear strange sounds coming from his home. You know he's up to no good, but you aren't sure what it is exactly.
Let's say I have such a neighbor.
I've called the police about his suspicious activities, but they don't take me seriously. They think I am just a nosy, suspicious neighbor. They asked me what kind of evidence I have that he's doing something illegal. Of course, I have nothing other than my suspicions and circumstantial evidence of the comings and goings from that home.
What can I do?
In this hack, I will show you ways that you can find out what that suspicious neighbor is actually up to. This will require skills from multiple tutorials on here, so if you're a newbie, be patient and go through the guides I reference for you.
The first step is to crack his Wi-Fi. If we can get a connection to his Wi-Fi router/AP, we can connect to it and be inside his LAN.
First, we need to put our wireless card in monitor mode. We can do that with:
- bt > airmon-ng start wlan0
Then we need to start airodump-ng. This application allows us to "dump" all the info on available wireless devices to our screen:
- bt > airodump-ng mon0
As you can see below, I have a lot of wireless access points in my neighborhood. I also have a high gain antenna on my wireless card, so I am picking up wireless from blocks around.
My next step is to figure out which of these is my creepy neighbor's AP. Since he is just a few houses away, his signal should be relatively strong. The second column, PWR, gives me the power of the signal. Lower numbers (closer to zero) mean a stronger signal.
I'm guessing he is SSID "myquest3231," the fifth AP on my list. I know this because when I drove by his house a couple of days ago with my laptop and wireless in monitor mode, it was the strongest signal when I was in his vicinity. There is no way to know definitively, but that is my best guess. If it doesn't work, I'll try another.
Now we need to break the WPA2 encryption to get into his network.
The first step in WPA2 cracking is to lock onto his AP and capture his password hash. We can do this with the airodump-ng command, then force him to reauthenticate by bumping him off his AP with a deauthentication (deauth) frame sent with the aireplay-ng command. Check out my guide on cracking WPA2 passwords with aircrack-ng for help on this.
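From the defender's side, the step above leaves a distinctive trace in the air: a burst of spoofed deauthentication frames against one BSSID, followed within seconds by the client's fresh EAPOL four-way handshake. The detector below is an added example written for this page, not code from the original tutorial or from the aircrack-ng project. It runs over a constructed list of decoded 802.11 frame records of the kind a monitor-mode sniffer produces; the `Frame` record shape, the thresholds and the sample MAC addresses are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple

# 802.11 management-frame (type 0) subtypes used to kick a client off an AP.
DEAUTH = 12
DISASSOC = 10
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """One decoded 802.11 frame (hypothetical record shape; a real decoder such as
    scapy's Dot11 layer supplies the same fields)."""
    ts: float            # capture time in seconds
    ftype: int           # 0 = management, 2 = data
    subtype: int         # management subtype, -1 for data frames
    bssid: str
    src: str
    dst: str
    eapol: bool = False  # data frame carrying an EAPOL-Key (4-way handshake) message


def find_deauth_bursts(frames: List[Frame], window: float = 5.0,
                       threshold: int = 5) -> List[Tuple[str, float, int]]:
    """Return (bssid, burst_start_ts, count) for every BSSID that sees at least
    `threshold` deauth/disassoc frames inside a `window`-second sliding window.
    A genuine AP rarely deauthenticates a client more than once or twice in a row,
    so a burst is the signature of injected deauth frames."""
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerts, reported = [], set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.ftype != 0 or f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f.bssid not in reported:
            alerts.append((f.bssid, q[0], len(q)))
            reported.add(f.bssid)
    return alerts


def forced_handshakes(frames: List[Frame], alerts, grace: float = 30.0) -> List[str]:
    """Correlate each deauth burst with EAPOL handshake frames on the same BSSID
    within `grace` seconds: that pairing is a client being forced to re-key so the
    handshake can be captured, not a client simply leaving the network."""
    hits = []
    for bssid, start, _ in alerts:
        if any(f.eapol and f.bssid == bssid and start <= f.ts <= start + grace
               for f in frames):
            hits.append(bssid)
    return hits


# Constructed sample capture (not real traffic): a lone deauth on one network
# (normal roaming), then eight spoofed broadcast deauths on a second network,
# followed three seconds later by that network's client re-running the handshake.
AP_A, AP_B, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:bb:01", "02:00:00:00:cc:01"
SAMPLE_FRAMES = [Frame(50.0, 0, DEAUTH, AP_A, AP_A, "02:00:00:00:dd:01")]
SAMPLE_FRAMES += [Frame(t, 0, DEAUTH, AP_B, AP_B, BROADCAST)
                  for t in (100.0, 100.1, 100.2, 100.3, 100.4, 100.5, 100.6, 100.7)]
SAMPLE_FRAMES += [Frame(103.0, 2, -1, AP_B, AP_B, CLIENT, eapol=True),   # message 1
                  Frame(103.1, 2, -1, AP_B, CLIENT, AP_B, eapol=True),   # message 2
                  Frame(103.2, 2, -1, AP_B, AP_B, CLIENT, eapol=True),   # message 3
                  Frame(103.3, 2, -1, AP_B, CLIENT, AP_B, eapol=True)]   # message 4


if __name__ == "__main__":
    bursts = find_deauth_bursts(SAMPLE_FRAMES)
    print("deauth bursts:", bursts)
    print("bursts followed by a forced handshake:", forced_handshakes(SAMPLE_FRAMES, bursts))
```

The single deauth on the first network is ignored, while the burst on the second network is reported and then tied to the handshake that follows it. The mitigation on the network side is Protected Management Frames (802.11w, mandatory in WPA3): with PMF enabled, deauthentication and disassociation frames are authenticated, so spoofed ones are discarded by the client instead of dropping it off the AP.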
It may take a few hours, but now I have his WPA2 password and I'm inside his network!
Now that we're connected to his wireless network, let's see what systems are on his network. In an earlier tutorial, I showed you how to use the ARP protocol to enumerate all the systems on a network. Let's find out what systems he has INSIDE his home that we might be able to exploit.
- bt > netdiscover -r 192.168.1.0/24
As you can see from the screenshot above, there are several devices on his LAN. Before we decide to attack, let's do a quick nmap connect scan (-sT) of the devices and systems on his local network. For some background on nmap, check out my guide on conducting active recon with nmap.
Let's scan his entire network to see what ports are open.
- bt > nmap -sT 192.168.1.0/24
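From the defender's perspective, both of the steps above are noisy on the wire: netdiscover works by sending an ARP request for every address in the range, and an nmap connect scan (-sT) completes a full TCP handshake with each port, so every attempt is visible in the target's or the router's connection logs. The script below is an added example for this page, not code from the tutorial or from the nmap or netdiscover projects. It runs over a constructed log in a hypothetical router/IDS export format and flags one sender asking for many addresses (a sweep) and one source touching many ports on one host (a scan); the log format, the thresholds and the addresses are assumptions.

```python
import re
from collections import defaultdict
from typing import Iterable, Iterator, List, Optional, Tuple

# Hypothetical router/IDS export format used for this example (constructed, not a real product's):
#   "<epoch> ARP who-has <target-ip> tell <sender-ip>"
#   "<epoch> TCP <src-ip>:<src-port> -> <dst-ip>:<dst-port> SYN"
ARP_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) ARP who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$")
TCP_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$")

Event = Tuple[float, str, str, str, Optional[int]]  # (ts, kind, src, dst, dport)


def parse(lines: Iterable[str]) -> Iterator[Event]:
    """Turn log lines into events; lines matching neither pattern are ignored."""
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            yield float(m["ts"]), "arp", m["sender"], m["target"], None
            continue
        m = TCP_RE.match(line)
        if m:
            yield float(m["ts"]), "tcp", m["src"], m["dst"], int(m["dport"])


def _distinct_within(values: List[Tuple[float, object]], window: float) -> int:
    """Largest number of distinct second-elements seen inside any `window`-second span."""
    values.sort(key=lambda v: v[0])
    best = 0
    for i, (t0, _) in enumerate(values):
        seen = {v for t, v in values[i:] if t - t0 <= window}
        best = max(best, len(seen))
    return best


def detect_arp_sweeps(lines, window=10.0, threshold=20):
    """One sender asking 'who-has' for >= threshold distinct addresses within `window`
    seconds is the footprint of LAN enumeration (netdiscover, arp-scan, nmap -sn)."""
    by_sender = defaultdict(list)
    for ts, kind, src, dst, _ in parse(lines):
        if kind == "arp":
            by_sender[src].append((ts, dst))
    return [(sender, n) for sender, evs in by_sender.items()
            if (n := _distinct_within(evs, window)) >= threshold]


def detect_port_scans(lines, window=10.0, threshold=15):
    """One source completing connections to >= threshold distinct ports on one host
    within `window` seconds is the footprint of a connect scan (nmap -sT)."""
    by_pair = defaultdict(list)
    for ts, kind, src, dst, dport in parse(lines):
        if kind == "tcp":
            by_pair[(src, dst)].append((ts, dport))
    return [(src, dst, n) for (src, dst), evs in by_pair.items()
            if (n := _distinct_within(evs, window)) >= threshold]


# Constructed sample log (not real traffic). Background: a phone looks up the router
# and opens one web connection. Then one host sweeps the whole /24 with ARP and
# connects to twenty ports on the PC at .108, all in well under a second.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
              443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080, 8443]
SAMPLE_LOG = (
    ["1700000000.000 ARP who-has 192.168.1.1 tell 192.168.1.103",
     "1700000000.500 TCP 192.168.1.103:50001 -> 192.168.1.1:80 SYN"]
    + [f"{1700000005 + i * 0.002:.3f} ARP who-has 192.168.1.{i} tell 192.168.1.50"
       for i in range(1, 255)]
    + [f"{1700000020 + i * 0.01:.3f} TCP 192.168.1.50:{40000 + i} -> 192.168.1.108:{p} SYN"
       for i, p in enumerate(SCAN_PORTS)]
)

if __name__ == "__main__":
    print("ARP sweeps :", detect_arp_sweeps(SAMPLE_LOG))
    print("port scans :", detect_port_scans(SAMPLE_LOG))
```

The phone's single ARP lookup and single web connection stay below both thresholds; the host at .50 is reported once as a sweep (254 distinct targets) and once as a scan (20 distinct ports on .108). On a home network the practical mitigations are client isolation on the AP, so one wireless client cannot reach another, and a host firewall that does not expose services to the wireless segment; both cut off exactly the enumeration these detectors flag.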
This is just a partial screenshot of the output from the nmap network scan, but it does include three IP addresses: 192.168.1.103 at the top, 192.168.1.107 just below it, and then 192.168.1.108 starting about the middle of the screen.
Interestingly, for 192.168.1.103 nmap identifies the MAC address vendor as "BarnesandNoble.com". My first inclination is that it is a Barnes and Noble "Nook", the Android-powered reader/tablet.
The second IP, 192.168.1.107, is probably a smartphone connected to his wireless as it has no ports open but 80.
Lastly, 192.168.1.108 appears to be a Windows PC with an awful lot of services running on it. That is probably the machine we want to attack.
Now that we know a little about the devices on his home network, we need to find one that is susceptible to exploitation. Let's do an xprobe2 OS detection against these systems to discover what operating system they are running. We are looking for one system we can exploit. For some background on this, check out my guide on conducting OS fingerprinting with xprobe2.
First, let's scan 192.168.1.103 on his network. That's the one that we suspect is a "Nook".
- bt > xprobe2 192.168.1.103
As you can see, its OS is a Linux-based kernel such as Android, so it might be a phone or tablet. We need a Windows system that we can exploit and hopefully turn on his webcam to see what he is up to. Let's scan the machine at 192.168.1.107.
- bt > xprobe2 192.168.1.107
Hmmm...xprobe2 estimates that his system is running Windows XP SP2?? That's kind of an old system, but he's kind of an old guy.
On the other hand, I know that xprobe2, as good as it is at OS fingerprinting, often misjudges the OS, especially when two Microsoft OS builds are the same or very close. Xprobe2 works by sending numerous probes to the system and observing how it responds; similar operating systems often respond similarly. I happen to know from experience that xprobe2 often mistakes Windows Vista and Windows XP SP2 for each other. At least we have narrowed it down to those two.
Now, we know we need to find a hack that will work on either of those systems. Since Vista is a bit more secure than XP, let's assume it is Vista, as most hacks that work with Vista will also work with XP. If that doesn't work, we know for sure we can hack XP, as it is so flawed and vulnerable.
As I've shown you before, Windows Vista is vulnerable to multiple hacks. If you go back and read that tutorial, I showed how to hack Vista through SMB (port 445). If you look back at our nmap scan in Step #3 on this machine, you can see that port 445 is open, so this system might be vulnerable to this hack. Generally, this exploit works against Windows Vista and early versions of Windows Server 2008.
Let's fire up Metasploit and try to exploit this system with the following command against my creepy neighbor's computer.
Now, let's load the meterpreter (windows/meterpreter/reverse_tcp) as our payload so that IF we get in, we can turn on his webcam and maybe see what he is up to.
Next, set the RHOST (remote host, the target) and the LHOST (us).
The only thing left to do now is EXPLOIT! This exploit does not always work, so I'm persistent and try several times before I finally get it to work and get a meterpreter prompt.
Now we're inside his system with the meterpreter. We own that system!
In an earlier tutorial, I showed you a script built into meterpreter that enables us to turn on the victim's webcam. Let's run that script and take a look inside our creepy neighbor's home. Before we do that, let's disable his antivirus program, just in case.
- meterpreter > run killav.rb
Now, let's take a snapshot from his webcam with:
- meterpreter > webcam_snap
This script saves the webcam snapshot by default to the /root/ directory. Now let's navigate to /root/ and open the .jpg file.
OMG! Just as I thought! He is up to no good. He's holding a hostage in his home!
With this evidence, certainly the police will now take my suspicions seriously. I will probably save this poor woman from a fate worse than death. I'll be a hero! My smiling face will be all over the news and the newspapers!
Of course, there is the small matter of explaining to law enforcement how I got this picture from his webcam, but I'm sure they will understand.
This is just another example of how hacking can be used for the forces of good and justice, so keep coming back my neophyte hackers for more adventures in Hackerland!