Reflections about Backtrack, Aircrack, Metasploit and Hacking.

[gfcantu]

Hello all, I'm "new" at the forum because i usually don't ask, i read and search. Anyway, I'm still learning a lot about tools and how/when to use them - there're a LOT of them!
Some questions keep going on my mind and i haven't found a post that discuss exactly what I'm looking for and, maybe, it will help others with the same questions:

About Aircrack on WPA:
I have read a lot of way cracking wireless and i found two ways for WPA/WPA2: Bruteforce and Evil twin.
1-Is there any other effective way of cracking WPA?
2-How effective is bruteforcing with a Dictionary attack? I know there are programs to reduce and "fit" to a specif model your wordlist, but i think it is still so inefficient. For example, my wireless in a 8 numbers passaword length and i tried bruteforcing. Reducing my dictionary to a only 8 digits numbers would take, in average, 6 days to crack my password. Is this the idea? To let the computer running for days until it finds the correct match? I know i could batch the wordlist, etc, but it still ends at the leave-the-computer idea.

About MetaSploit:
1-All videos I've seen they can only exploit the computer when it has the AV down. So, I thought, at real, how effective is this exploit?
2-Is the bypass a A.V. and a Firewall the most hard difficulty when hacking into computers?
3-A lot of videos use some kind of social engineering to get the archive to the victims computer or it makes the person tell what he want. So what i conclude of this is that it is almost impossible to hack into someone's computer if you don't get any "help" from the victim. Am i right?

The Objective of this thread is to instinctive the discussion, the reflection about how the entire hacking process work.
Hope to get some useful answers and interesting points of view.

It is all for now,

Cantu.

[rastamouse]

There is a weakness in the implementation of Wi-Fi Protected Setup, which allows you to brute-force the PIN and obtain WPA/2 passphrases. Look into a tool called Reaver for details on that. There is a small weakness with TKIP and QoS, but is not implemented into a full attack. See tkiptun-ng for that one. Brute-forcing in general is an inefficient process and always will be, doing the maths confirms that. Your best hope when brute-forcing something like WPA is that a weak / predictable passphrase has been used. You can do clever things like GPU boxes and such, but if you're up against a 63 character passphrase with upper, lowercase, number and special chars... You're going to be waiting a while.

The problem with fancy Metasploit videos, is that are invariably made by people who are either a) showing off or b) simply demonstrating its use in a controlled environment. There are probably very few real-life situations where one could simply Metasploit their way into a box - there are other complications as you mention (AV, UAC etc). These can be overcome, but the techniques are perhaps not as widely known since the people in group 'a' can't do it... Maybe that's just my pessimistic view though...

[1stamendment]

Here is the thing, I am new too btw.

A lot of what you use in backtrack tool wise is just surface stuff. What works and what does not work "up here" is constantly changing as companies and developers leapfrog each other. Eventually u hit a point where u realize u need to start learning some programming languages and move down a few layers if you really want to get in to any well secured system.

As far as WPA goes I remember reading some Japanese guys developed a way to crack a wpa in minutes, but you will have to look that up more. I think the thing to remember is if that wpa doesnt want to crack from say both a buteforce in john | aircrack and a slew of wordlists through aircrack then u just need to socially engineer more or find another way in besides that ap.

As far as metasploit goes, have u messed with encoding and stages for payloads much? Given there are some avs that are nightmares like kasperski but even kasperski can be flaunted. What type of payload are you using? Meterpreters will set off av's sometimes. Maybe simply get a shell session and list ur processes then turn off the av and stage a meterpreter payload once the beach is secure. Again also when you start drilling on some programming languages and scripting u can start writing modules for metasploit that can do exactly what you want.

Backtrack out of the box will give u the basic tools to probe a network and find vulnerabilities but these tools can not be fully realized unless u learn how to develop parts of them. Given a poorly secured network will get owned by backtrack but a well secured one will require not just backtrack but a great grasp of social engineering, scripting, programming, and just general understanding of protocols in use on the network you are testing.

Again I am a noob so this is only my own realizations from the endless days I have spent searching forums and learning.

[bazju]

Although not the OP, thanks for the response!

I'm fairly new to this and it can be a bit overwhelming and confusing in the beginning. I've started learning Python and C++ and writing scripts/programs to increase not only my efficiency, but also my basic understanding of how computers work in the real world.