Bilal Ahmed Shaik Kali Linux


1. Kali Linux – Installation & Configuration

Kali Linux is one of the best security packages for an ethical hacker, containing a set of tools divided into categories. It is open source and its official webpage is https://www.kali.org. Generally, Kali Linux can be installed on a machine as an operating system or as a virtual machine, which we will discuss in the following section. Installing Kali Linux is a practical option as it provides more options to work with and combine the tools. You can also create a live boot CD or USB. All of this can be found at the following link: https://www.kali.org/downloads/

BackTrack was the old version of the Kali Linux distribution. The latest release is Kali 2016.1 and it is updated very often.

[Screenshot: the kali.org homepage with the tagline "Our Most Advanced Penetration Testing Distribution, Ever."]

To install Kali Linux ─
First, we will download VirtualBox and install it.
Later, we will download and install the Kali Linux distribution.

Download and Install VirtualBox

VirtualBox is particularly useful when you want to test something on Kali Linux that you are unsure of. Running Kali Linux in VirtualBox is safe when you want to experiment with unknown packages or when you want to test code. With the help of VirtualBox, you can install Kali Linux on your system (not directly on your hard disk) alongside your primary OS, which can be macOS, Windows or another flavor of Linux. Let's understand how you can download and install VirtualBox on your system.


Step 1: To download, go to https://www.virtualbox.org/wiki/Downloads. Depending on your operating system, select the right package. In this case, it will be the first one for Windows as shown in the following screenshot.

[Screenshots: the VirtualBox download page listing the VirtualBox 5.1.2 platform packages for Windows, OS X, Linux and Solaris hosts, followed by the installer's "Proceed with installation now?" prompt.]

Step 6: The Ready to Install screen pops up. Click Install.

[Screenshot: VirtualBox 5.1.2 Setup, "Ready to Install" screen with the Install button.]

Step 7: Click the Finish button.

[Screenshot: "Oracle VM VirtualBox 5.1.2 installation is complete", with "Start Oracle VM VirtualBox 5.1.2 after installation" checked and the Finish button.]

The VirtualBox application will now open as shown in the following screenshot. Now we are ready to install the rest of the hosts for this manual; this setup is also recommended for professional usage.

[Screenshot: Oracle VM VirtualBox Manager, "Welcome to VirtualBox!": the list of virtual machines is empty; press the New button in the toolbar to create one.]

Install Kali Linux

Now that we have successfully installed VirtualBox, let's move on to the next step and install Kali Linux.

Step 1: Download the Kali Linux package from its official website: https://www.kali.org/downloads/ (the prebuilt virtual machine images are listed at offensive-security.com/kali-linux-vmware-virtualbox-image-download).

[Screenshot: Offensive Security "Prebuilt Kali Linux VirtualBox Images" page. Each image lists a Torrent link, Size, Version and SHA1Sum:]
Image Name | Size | Version
Kali Linux 64 bit VM | 2.0G | 2016.1
Kali Linux 32 bit VM PAE | 2.0G | 2016.1
(The SHA1Sum values are not legible in the screenshot.)
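Before importing any downloaded image, the SHA1Sum published next to it should be compared with the file you actually received; a mismatch means a corrupted or tampered download. The following Python is an added example, not part of the tutorial: it hashes a file in chunks, parses a sha1sum-style sums file and compares digests, using constructed file names and contents.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha1", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB VM image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(text):
    """Parse 'digest  filename' lines as written by sha1sum/sha256sum.

    Returns {filename: lowercase hex digest}; blank and '#' lines are skipped.
    A leading '*' on the filename (binary-mode marker) is dropped.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify_image(path, expected_hex, algorithm="sha1"):
    """True only if the file's digest equals the published one.

    The length check catches comparing a SHA-1 against a published SHA-256;
    hmac.compare_digest keeps the comparison constant-time.
    """
    actual = file_digest(path, algorithm)
    expected = expected_hex.strip().lower()
    return len(actual) == len(expected) and hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a fake image plus a copy with one byte changed.

    Returns (good_matches, tampered_matches); the expected value is (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "kali-image.vmdk")            # constructed name
        bad = os.path.join(tmp, "kali-image-tampered.vmdk")
        payload = b"constructed VM image bytes\n" * 1000
        with open(good, "wb") as fh:
            fh.write(payload)
        with open(bad, "wb") as fh:
            fh.write(payload[:-1] + b"!")                       # last byte changed
        # The vendor's sums file, constructed here from the known-good bytes.
        sums = parse_sums_file(hashlib.sha1(payload).hexdigest() + "  kali-image.vmdk\n")
        expected = sums["kali-image.vmdk"]
        return verify_image(good, expected), verify_image(bad, expected)


if __name__ == "__main__":
    print(demo())
```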

Step 2: Click VirtualBox -> New as shown in the following screenshot.

[Screenshots: the VirtualBox Manager with Machine -> New selected, and the file browser dialog (File name, Open, Cancel) used to locate the downloaded Kali image.]

Step 4: The following screenshot pops up. Click the Create button.

[Screenshot: Create Virtual Machine dialog. Name: Kali 2016.1; Type: Linux; Version: Other Linux (64-bit); Memory size slider; Hard disk: "Use an existing virtual hard disk file" with Kali-Linux-2016.1-vm-amd64.vmdk (Normal, 30.00 GB) selected; Create and Cancel buttons.]

Step 5: Start Kali OS. The default username is root and the password is toor.

Update Kali

It is important to keep updating Kali Linux and its tools to the newest versions so that they remain functional. Following are the steps to update Kali.

Step 1: Go to Applications -> Terminal. Then, type "apt-get update" and the update will take place as shown in the following screenshot.


Step 2: Now, to upgrade the tools, type "apt-get upgrade" and the new packages will be downloaded.

[Screenshot: terminal output of apt-get upgrade: "Reading package lists... Done", "Building dependency tree", "Reading state information... Done", "Calculating upgrade... Done", followed by the list of packages that were automatically installed and are no longer required ("Use 'apt autoremove' to remove them") and the list of packages that have been kept back.]

Step 3: It will ask if you want to continue. Type “Y” and “Enter”.


Step 4: To upgrade to a newer version of the operating system, type "apt-get dist-upgrade".

Laboratory Setup

In this section, we will set up another testing machine to perform the tests with the help of the tools of Kali Linux.

Step 1: Download Metasploitable, which is a Linux machine. It can be downloaded from the official webpage of Rapid7: https://information.rapid7.com/metasploitabledownload.html?LS=1631875&CS=web

[Screenshot: Rapid7 "Metasploitable Download" registration form ("Virtual Machine to Test Metasploit").]

Step 2: Register by supplying your details. After filling the above form, we can download the software.

[Screenshot: Rapid7 "Thank you for registering for Metasploitable" page with the download link ("To download Metasploitable, click here!") and a "Free Metasploit Download" offer.]

Step 3: Click VirtualBox -> New.

[Screenshot: Oracle VM VirtualBox Manager with Machine -> New selected.]

Step 4: Click “Use an existing virtual hard disk file”. Browse the file where you have downloaded Metasploitable and click Open.

[Screenshot: file browser dialog used to select the downloaded Metasploitable .vmdk file.]

Step 5: A screen to create a virtual machine pops up. Click "Create".

[Screenshot: Create Virtual Machine dialog. Name: Metasploitable; Memory size: 1024 MB; Hard disk: "Use an existing virtual hard disk file" with Metasploitable.vmdk (Normal, 8.00 GB) selected; Create and Cancel buttons.]

The default username is msfadmin and the password is msfadmin.

[Screenshot: "Metasploitable [Running] - Oracle VM VirtualBox" console window.]

2. Kali Linux ─ Information Gathering Tools

In this chapter, we will discuss the information gathering tools of Kali Linux.

NMAP and ZenMAP

NMAP and ZenMAP are useful tools for the scanning phase of ethical hacking in Kali Linux. NMAP and ZenMAP are practically the same tool; however, NMAP uses the command line while ZenMAP has a GUI.

NMAP is a free utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. NMAP uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and so on.

Now, let's go step by step and learn how to use NMAP and ZenMAP.

Step 1: To open, go to Applications -> 01-Information Gathering -> nmap or zenmap.


Step 2: The next step is to detect the OS type/version of the target host. According to the NMAP help, the option for OS type/version detection is "-O". For more information, use this link: https://nmap.org/book/man-os-detection.html

The command that we will use is:

nmap -O 192.168.1.101

The following screenshot shows where you need to type the above command to see the Nmap output:

[Screenshot: Zenmap with Target 192.168.1.101 and Command nmap -O 192.168.1.101. The Nmap Output tab lists the open TCP ports (22 ssh, 23 telnet, 25 smtp, 53 domain, 80 http, 111 rpcbind, 139 netbios-ssn, 445 microsoft-ds, 512 exec, 513 login, 514 shell, 1099 rmiregistry, 1524 ingreslock, 2049 nfs, 2121 ccproxy-ftp, 3306 mysql, 5432 postgresql, 5900 vnc, 6000 X11, 6667 irc, 8009 ajp13, 8180 unknown), the MAC address (Oracle VirtualBox virtual NIC), "Device type: general purpose", "Running: Linux 2.6.X", "OS CPE: cpe:/o:linux:linux_kernel:2.6", "OS details: Linux 2.6.9 - 2.6.33", "Network Distance: 1 hop" and "Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds".]

Step 3: Next, scan the TCP and UDP ports. To scan all the TCP ports with NMAP, use the following command:

nmap -p 1-65535 -T4 192.168.1.101

Here the parameter "-p" indicates the TCP ports that have to be scanned; in this case, we are scanning all the ports. "-T4" is the speed of scanning at which NMAP has to run.


Following are the results. In green are all the open TCP ports and in red are all the closed ports. However, NMAP does not show the closed ports, as the list is too long.

[Screenshot: Zenmap output for nmap -p 1-65535 -T4 192.168.1.101: "Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 18:04 Central European Daylight Time", "Host is up", "Not shown: 65505 closed ports", then the open ports: 21 ftp, 22 ssh, 23 telnet, 25 smtp, 53 domain, 80 http, 111 rpcbind, 139 netbios-ssn, 445 microsoft-ds, 512 exec, 513 login, 514 shell, 1099 rmiregistry, 1524 ingreslock, 2049 nfs, 2121 ccproxy-ftp, 3306 mysql, 3632 distccd, 5432 postgresql, 5900 vnc, 6000 X11, 6667 irc, 6697 unknown, 8009 ajp13, 8180 unknown, 8787 unknown, 48285 unknown and 51161 unknown.]
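The port table in that output is worth more than a glance: parsed into a structure, it doubles as a host inventory in which cleartext and legacy services stand out. The following Python is an added example, not part of the tutorial or of Nmap; the sample report is constructed in the shape of Nmap's normal output for the Metasploitable host above, and the risk classification of services is this example's own.

```python
import re

# Constructed sample in the shape of Nmap's normal output for the Metasploitable
# host scanned above; it is not the tutorial's screenshot, just the same format.
SAMPLE_NMAP = """\
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 18:04 CEST
Nmap scan report for 192.168.1.101
Host is up (0.000010s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
80/tcp    open  http
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
3306/tcp  open  mysql
5900/tcp  open  vnc
6000/tcp  open  X11
8180/tcp  open  unknown
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<n>\d+) (?P<state>\w+) ports")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)

# Review policy of this example (my own classification, not Nmap's): services
# that carry credentials in cleartext, the legacy r-services family, and
# display/remote-control servers that are usually not meant to face a network.
RISKY_SERVICES = {
    "ftp": "cleartext login",
    "telnet": "cleartext login",
    "exec": "rexec: cleartext, trust-based",
    "login": "rlogin: cleartext, trust-based",
    "shell": "rsh: cleartext, trust-based",
    "vnc": "remote control, often weak or no authentication",
    "X11": "display server exposed to the network",
}


def parse_nmap_report(text):
    """Parse one host's normal-output report into {host, not_shown, ports}."""
    report = {"host": None, "not_shown": None, "ports": []}
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            report["host"] = m["host"]
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            report["not_shown"] = (int(m["n"]), m["state"])
            continue
        m = PORT_RE.match(line)
        if m:
            report["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                    "state": m["state"], "service": m["service"]})
    return report


def review_report(report):
    """Return (port, service, reason) for each open service listed in RISKY_SERVICES."""
    return [(p["port"], p["service"], RISKY_SERVICES[p["service"]])
            for p in report["ports"]
            if p["state"] == "open" and p["service"] in RISKY_SERVICES]


if __name__ == "__main__":
    rep = parse_nmap_report(SAMPLE_NMAP)
    print(rep["host"], "open ports:", len(rep["ports"]), "not shown:", rep["not_shown"])
    for port, service, reason in review_report(rep):
        print(f"{port}/tcp {service}: {reason}")
```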

Stealth Scan

A stealth scan, or SYN scan, is also known as a half-open scan, as it doesn't complete the TCP three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it is assumed the target would complete the connection and the port is listening. If an RST is received back from the target, then it is assumed the port isn't active or is closed.

[Diagram 1: HOST 1 sends SYN + port number to HOST 2; HOST 2 replies with RST: the port is closed.]

[Diagram 2: HOST 1 sends SYN + port number to HOST 2; HOST 2 replies with SYN/ACK; HOST 1 sends RST: the port is open.]

Now, to see the SYN scan in practice, use the parameter "-sS" in NMAP. Following is the full command:

nmap -sS -T4 192.168.1.101

The following screenshot shows how to use this command:
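Seen from the defender's side, the half-open pattern described above is also what makes a SYN scan detectable: one source opens many flows that receive a SYN/ACK and are then torn down with RST, and no handshake is ever completed. The following Python is an added example, not part of the tutorial: it reconstructs handshake state from a constructed tcpdump-style packet log and flags sources that probe many ports with almost no completed connections (the log format and the thresholds are this example's assumptions).

```python
import re
from collections import defaultdict

# Constructed packet log, one packet per line: "HH:MM:SS src:port > dst:port flags"
# (flags as in tcpdump: S=SYN, A=ACK, R=RST, P=PSH). Not a real capture.
SAMPLE_LOG = """\
22:34:01 192.168.1.101:40001 > 192.168.1.102:21 S
22:34:01 192.168.1.102:21 > 192.168.1.101:40001 SA
22:34:01 192.168.1.101:40001 > 192.168.1.102:21 R
22:34:01 192.168.1.101:40002 > 192.168.1.102:22 S
22:34:01 192.168.1.102:22 > 192.168.1.101:40002 SA
22:34:01 192.168.1.101:40002 > 192.168.1.102:22 R
22:34:01 192.168.1.101:40003 > 192.168.1.102:23 S
22:34:01 192.168.1.102:23 > 192.168.1.101:40003 SA
22:34:01 192.168.1.101:40003 > 192.168.1.102:23 R
22:34:02 192.168.1.101:40005 > 192.168.1.102:80 S
22:34:02 192.168.1.102:80 > 192.168.1.101:40005 SA
22:34:02 192.168.1.101:40005 > 192.168.1.102:80 R
22:34:02 192.168.1.101:40006 > 192.168.1.102:8080 S
22:34:02 192.168.1.102:8080 > 192.168.1.101:40006 RA
22:34:02 192.168.1.101:40007 > 192.168.1.102:3389 S
22:34:02 192.168.1.102:3389 > 192.168.1.101:40007 RA
22:34:03 192.168.1.101:40008 > 192.168.1.102:5900 S
22:34:03 192.168.1.102:5900 > 192.168.1.101:40008 RA
22:35:10 192.168.1.50:51234 > 192.168.1.102:80 S
22:35:10 192.168.1.102:80 > 192.168.1.50:51234 SA
22:35:10 192.168.1.50:51234 > 192.168.1.102:80 A
22:35:10 192.168.1.50:51234 > 192.168.1.102:80 PA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[SAFRPU.]+)$"
)


def parse_log(text):
    """Return (src, sport, dst, dport, flags) tuples; unparseable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def track_flows(packets):
    """Reconstruct handshake state per client-initiated flow.

    Key: (client, client_port, server, server_port). synack: the server answered
    SYN/ACK; completed: the client sent the final ACK; client_rst: the client
    tore the half-open connection down with RST instead of completing it.
    """
    flows = {}
    for src, sport, dst, dport, flags in packets:
        c2s = (src, sport, dst, dport)
        s2c = (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:          # initial SYN from a client
            flows[c2s] = {"synack": False, "completed": False, "client_rst": False}
        elif s2c in flows:                             # packet from server to client
            if "S" in flags and "A" in flags:
                flows[s2c]["synack"] = True
        elif c2s in flows:                             # later packet from the client
            if "R" in flags:
                flows[c2s]["client_rst"] = True
            elif "A" in flags:
                flows[c2s]["completed"] = True
    return flows


def detect_syn_scans(packets, min_ports=5, max_completion=0.2):
    """Flag sources that probe many ports but almost never finish the handshake.

    A SYN (half-open) scan shows up as many distinct (server, port) targets,
    SYN/ACKs answered with RST on the open ones, and no completed handshakes.
    Thresholds are assumptions for this example; tune them per network.
    """
    per_src = defaultdict(lambda: {"targets": set(), "completed": 0, "half_open": 0})
    for (client, _cport, server, sport), st in track_flows(packets).items():
        stats = per_src[client]
        stats["targets"].add((server, sport))
        if st["completed"]:
            stats["completed"] += 1
        elif st["synack"] and st["client_rst"]:
            stats["half_open"] += 1
    alerts = []
    for client, stats in per_src.items():
        probed = len(stats["targets"])
        if probed < min_ports:
            continue
        ratio = stats["completed"] / probed
        if ratio <= max_completion:
            alerts.append({"src": client, "ports_probed": probed,
                           "half_open": stats["half_open"], "completion_ratio": ratio})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect_syn_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

The legitimate client 192.168.1.50 completes its handshake on one port and is never reported; the scanner is reported with seven probed ports, four of them half-open.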

[Screenshot: Zenmap running nmap -sS -p 1-6500 192.168.1.101: "Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 22:34 Central European Daylight Time", "Host is up", "Not shown: 6479 closed ports", the open ports from 21 ftp through 6000 X11 as in the previous scan, "MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)" and "Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds".]

Searchsploit

Searchsploit is a tool that helps Kali Linux users search the Exploit Database archive directly from the command line. To open it, go to Applications -> 08-Exploitation Tools -> searchsploit, as shown in the following screenshot.

After opening the terminal, type "searchsploit exploit index name".

[Screenshot: searchsploit results for "windows", with Exploit Title and Path (/usr/share/exploitdb/platforms) columns.]

DNS Tools

In this section, we will learn how to use some DNS tools that Kali has incorporated. Basically, these tools help with zone transfers or domain/IP resolving issues.

dnsenum.pl

The first tool is dnsenum.pl, which is a PERL script that helps to get MX, A, and other records connected to a domain. Click the terminal on the left panel.


Type “dnsenum domain name” and all the records will be shown. In this case, it shows A records.


DNSMAP

The second tool is DNSMAP, which helps to find the phone numbers, contacts, and other subdomains connected to the domain that we are searching. Following is an example. Click the terminal as in the upper section, then write "dnsmap domain name".

dnstracer

The third tool is dnstracer, which determines where a given Domain Name Server (DNS) gets its information from for a given hostname. Click the terminal as in the upper section, then type "dnstracer domain name".

[Screenshot: dnstracer output, "Tracing to <domain> via 127.0.0.1, maximum of 3 retries".]

LBD Tools

LBD (Load Balancing Detector) tools are very interesting as they detect if a given domain uses DNS and/or HTTP load balancing. It is important because if you have two servers, one or the other may not be updated and you can try to exploit it. Following are the steps to use it: First, click the terminal on the left panel.

Then, type “lbd domainname”. If it produces a result as “FOUND”, it means that the server has a load balance. In this case, the result is “NOT FOUND”.

Hping3

Hping3 is widely used by ethical hackers. It is nearly similar to ping tools but is more advanced, as it can bypass firewall filters and use the TCP, UDP, ICMP and RAW-IP protocols. It has a traceroute mode and the ability to send files over a covert channel. Click the terminal on the left panel.


Type "hping3 -h", which will show how to use this command.

[Screenshot: output of hping3 -h, "usage: hping3 host [options]", listing -h --help, -v --version, -c --count, -i --interval (e.g. -i u1000), --fast, --faster, --flood, -n --numeric, -q --quiet, -I --interface, -V --verbose, -D --debug, bind/unbind ctrl+z to ttl, --beep, and the modes (default TCP, -0 --rawip, -1 --icmp, -2 --udp).]

The other command is "hping3 domain or IP -parameter".

[Screenshot: hping3 192.168.1.102 -v, showing "using eth0, addr: 192.168.1.101, MTU: 1500", "HPING 192.168.1.102 (eth0 192.168.1.102): NO FLAGS are set, 40 headers + 0 data bytes", followed by reply lines such as "len=46 ip=192.168.1.102 ttl=64 DF id=0 tos=0 iplen=40 sport=0 flags=RA seq=0 win=0 rtt=10.6 ms".]

3. Kali Linux ─ Vulnerability Analysis Tools

In this chapter, we will learn how to use some of the tools that help us exploit devices or applications in order to gain access.

Cisco Tools

Kali has some tools that can be used to exploit Cisco routers. One such tool is Cisco-torch, which is used for mass scanning, fingerprinting, and exploitation. Let's open the Terminal console by clicking the left pane.

Then, type "cisco-torch -parameter IP of host" and if there is nothing found to exploit, then the following result will be shown.

[Screenshot: cisco-torch -n output: "Using config file torch.conf", "Loading include and plugin", the "Cisco Torch Mass Scanner" banner (http://www.arhont.com/cisco-torch.pl), "List of targets contains 1 host(s)", "Checking 10.22.21.1 ...", "All scans done. Cisco Torch Mass Scanner".]

To see what parameters can be used, type "cisco-torch ?":

[Screenshot: cisco-torch ? output, showing "Using config file torch.conf", "Loading include and plugin", the version, the usage lines and the available options:]
-A All fingerprint scan types combined
-t Cisco Telnetd scan
-s Cisco SSHd scan
-u Cisco SNMP scan
-g Cisco config or tftp file download
-n NTP fingerprinting scan
-j TFTP fingerprinting scan
-l loglevel: c critical (default), v verbose, d debug
-w Cisco Webserver scan

Cisco Auditing Tool

It is a PERL script which scans Cisco routers for common vulnerabilities. To use it, again open the terminal on the left pane as shown in the previous section and type "CAT -h hostname or IP". You can add the port parameter "-p" as shown in the following screenshot, which in this case is 23, to brute-force it.


Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple, and fast security testing tool. With this tool, you can perform several types of attacks as shown in the following screenshot. However, be careful while testing in a live environment as some of them can crash the Cisco device. For example, some of the options can stop the services.

[Screenshot: the cge.pl usage line ("Usage: perl cge.pl ...") and its vulnerabilities list:]
[1] Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] Cisco IOS Router Denial of Service Vulnerability
[3] Cisco IOS HTTP Auth Vulnerability
[4] Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] Cisco 675 Web Administration Denial of Service Vulnerability
[7] Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] Cisco 514 UDP Flood Denial of Service Vulnerability
[10] CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] Cisco Catalyst Memory Leak Vulnerability
[12] Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] 0 Encoding IDS Bypass Vulnerability (UTF)
[14] Cisco IOS HTTP Denial of Service Vulnerability

To use this tool, type "cge.pl IPaddress number of vulnerability".

The following screenshot shows the result of the test performed on a Cisco router for vulnerability number 3 from the list above. The result shows the vulnerability was successfully exploited.

[Screenshot: cge.pl 10.22.21.1 3, reporting "Vulnerability successful exploited with [http://10.22.21.1/level/17/exec/....]".]

BED

BED is a program designed to check daemons for potential buffer overflows, format strings, et al.

[Screenshot: bed usage: "BED 0.5 by mjm (www.codito.de) & eric (www.snake-basket.de)", "Usage: ./bed.pl -s -t -p -o", where -s is the plugin (FTP/SMTP/POP/HTTP/IRC/IMAP/PJL/LPD/FINGER/SOCKS4/SOCKS5; further parameters depend on the plugin), -t the host to check (default: localhost), -p the port to connect to (default: standard port) and -o the seconds to wait after each test (default: 2 seconds). Use "./bed.pl -s" with the plugin name to obtain the parameters you need for the plugin. Only -s is a mandatory switch.]

In this case, we will test the testing machine with IP 192.168.1.102 and the protocol HTTP. The command will be "bed -s HTTP -t 192.168.1.102" and testing will continue.

[Screenshot: bed -s HTTP -t 192.168.1.102 output: the "BED 0.5 by mjm (www.codito.de) & eric (www.snake-basket.de)" banner, then "Buffer overflow testing", "Formatstring testing" and "Normal tests" rounds numbered testing: 1 to testing: 8, each sending request patterns such as "HEAD XAXAX HTTP/1.0", "GET / XAXAX", "POST /XAXAX" and header values like "User-Agent: XAXAX", "Host: XAXAX", "Accept: XAXAX", "Connection: XAXAX".]

4. Kali Linux ─ Wireless Attacks

In this chapter, we will learn how to use the Wi-Fi cracking tools that Kali Linux has incorporated. However, it is important that the wireless card that you have supports monitoring mode.

Fern Wifi Cracker

Fern Wifi Cracker is one of the tools that Kali has to crack wireless networks. Before opening Fern, we should turn the wireless card into monitoring mode. To do this, type "airmon-ng start wlan0" in the terminal.

Now, open Fern Wireless Cracker. Step 1: Applications -> Click “Wireless Attacks” -> “Fern Wireless Cracker”.


Step 2: Select the wireless card as shown in the following screenshot.

[Screenshot: Fern WIFI Cracker main window with the monitor-mode interface selected, "Scan for Access points", the detected WEP/WPA network lists and the Key Database.]

... 03-Web Application Analysis -> owaspzap.

Step 2: Click "Accept".

[Screenshot: OWASP ZAP license dialog, "Licensed under the Apache License, version 2.0", with the Accept button.]

... 04-Database Assessment -> sqlmap.

The webpage with parameters vulnerable to SQL injection is on the Metasploitable machine.



[Screenshot: Mutillidae "Born to be Hacked" login page on the Metasploitable machine, asking for a username and password to view account details.]

... Exploit Tools -> Armitage.


Click the Connect button, as shown in the following screenshot.

When it opens, you will see the following screen.

[Screenshot: the Armitage main window with the Modules tree on the left and the Targets area.]

Armitage is user friendly. The "Targets" area lists all the machines that you have discovered and are working with; the hacked targets are shown in red with a thunderstorm icon on them.


After you have hacked the target, you can right-click on it and continue exploring with whatever you need to do, such as exploring (browsing) the folders.

[Screenshot: inviteflood -h, version 2.0, June 09, 2006. Usage: the mandatory arguments are the interface (e.g. eth0), the target user (e.g. "" or john.doe or 5000 or "1+210-555-1212"), the target domain (e.g. enterprise.com or an IPv4 address), the IPv4 address of the flood target and the flood stage (number of packets). Optional: -a flood tool "From:" alias (e.g. jane.doe), -i IPv4 source address [default: the interface address], -S srcPort (0-65535) [default: discard port 9], -D destPort (0-65535) [default: SIP port 5060], -l lineString used by SNOM [default: blank], -s sleep time between INVITE msgs (usec), -h help, -v verbose output mode.]

Next, you can use the following command:

inviteflood eth0 target_extension target_domain target_ip number_of_packets

Where,
target_extension is 2000
target_domain is 192.168.x.x
target_ip is 192.168.x.x
number_of_packets is 1
-a is the alias of the SIP account

Iaxflood

Iaxflood is a VoIP DoS tool. To open it, type "iaxflood sourcename destinationname numpackets" in the terminal. To know how to use it, type "iaxflood -h".

[Screenshot: iaxflood -h, "usage: iaxflood sourcename destinationname numpackets".]

thc-ssl-dos

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. Following is the command:

thc-ssl-dos victimIP httpsport --accept

In this example, it will be:

thc-ssl-dos 192.168.1.1 443 --accept

Its output would be as follows:

[Screenshot: thc-ssl-dos terminal output.]

10. Kali Linux ─ Sniffing & Spoofing

The basic concept of sniffing tools is as simple as wiretapping and Kali Linux has some popular tools for this purpose. In this chapter, we will learn about the sniffing and spoofing tools available in Kali.

Burpsuite

Burpsuite can be used as a sniffing tool between your browser and the web servers to find the parameters that the web application uses. To open Burpsuite, go to Applications -> Web Application Analysis -> burpsuite.

To set up sniffing, we configure Burpsuite to behave as a proxy. To do this, go to Options as shown in the following screenshot. Check the box as shown. In this case, the proxy IP will be 127.0.0.1 with port 8080.


[Screenshot: Burp Suite Free Edition 1.6.31, Proxy -> Options, "Proxy Listeners" with the listener on 127.0.0.1:8080 enabled; Burp notes that you will need to configure your browser to use one of the listeners as its proxy server.]

Then configure the browser proxy, which is the IP of the Burpsuite machine and the port.

[Screenshot: Firefox Connection Settings, "Configure Proxies to Access the Internet": Manual proxy configuration with HTTP Proxy 127.0.0.1, Port 8080, "Use this proxy server for all protocols" checked; No Proxy for: localhost, 127.0.0.1.]

To start interception, go to Proxy -> Intercept -> click “Intercept is on”. Continue to browse the webpage on which you want to find the parameters to test for vulnerabilities.

[Screenshot: Burp Proxy -> Intercept tab with "Intercept is on"]

In this case, it is the Metasploitable machine with IP 192.168.1.102.

[Screenshot: Damn Vulnerable Web App (DVWA) login page at 192.168.1.102, opened in Iceweasel]

Go to “HTTP History”. In the following screenshot, the line marked with a red arrow shows the last request. In the Raw tab, the hidden parameter (the Session ID) and the other parameters, such as the user name and password, are underlined in red.

[Screenshot: Burp HTTP history with the last request to 192.168.1.102 selected; in the Raw tab the session cookie and the user name and password parameters are underlined in red]
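To show what the Raw tab makes visible, here is an added example (not from the tutorial) that parses a constructed DVWA-style login request and lists the credential and session parameters a tester would underline; the request text, session ID and credentials are made up.

```python
"""Pull out what Burp's Raw view makes visible in a captured request:
the form fields, the cookies (session ID) and the query string."""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, modelled on a DVWA login sent through the proxy.
# The session ID and credentials are made-up values, not captured data.
SAMPLE_REQUEST = (
    "POST /dvwa/login.php?redirect=index.php HTTP/1.1\r\n"
    "Host: 192.168.1.102\r\n"
    "Cookie: security=low; PHPSESSID=constructed0123456789abcdef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 44\r\n"
    "\r\n"
    "username=admin&password=password&Login=Login"
)

SENSITIVE_HINTS = ("user", "pass", "sess", "token")


def parse_raw_request(raw):
    """Split a raw HTTP/1.1 request into its method, path and parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    form = {}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = dict(parse_qsl(body, keep_blank_values=True))
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return {"method": method, "path": url.path, "form": form, "cookies": cookies,
            "query": dict(parse_qsl(url.query, keep_blank_values=True))}


def sensitive_parameters(parsed):
    """Parameters a tester would underline: credentials and session tokens."""
    found = {}
    for where in ("query", "form", "cookies"):
        for name, value in parsed[where].items():
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                found[f"{where}:{name}"] = value
    return found
```

Everything the function returns travelled in clear text through the proxy, which is exactly why a login form must only ever be served over HTTPS.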

Password Attacks -> Online Attacks -> hydra.


It will open the terminal console, as shown in the following screenshot.

[Screenshot: hydra usage text in the terminal, ending with the following examples]
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

In this case, we will brute-force the FTP service of the Metasploitable machine, which has IP 192.168.1.101.

[Screenshot: ifconfig on the Metasploitable machine showing eth0 with inet addr 192.168.1.101, Mask 255.255.255.0]

We have created in Kali a word list in the path usr\share\wordlist\metasploit.

[Screenshot: file browser listing the word lists in that directory]
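From the defender's side, the same word-list run leaves a trail in the FTP server's log. The following added example (not part of the tutorial) counts failed logins per client over constructed lines modelled on the vsftpd.log format, which is an assumption about the target's FTP server, and flags a client that succeeds only after many failures.

```python
"""Spot online password guessing against an FTP service in its log.
Sample lines are constructed here and modelled on the vsftpd.log format
(assumption); a real run would read /var/log/vsftpd.log instead."""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def _line(clock, user, result, ip):
    """Build one constructed vsftpd-style log line."""
    return f'Tue Sep 26 {clock} 2017 [pid 2] [{user}] {result} LOGIN: Client "{ip}"'


# Six rapid failures then a success from one client (what a word-list run
# looks like), plus one ordinary typo-then-login from another client.
SAMPLE_LOG = "\n".join(
    [_line(f"15:31:{i:02d}", "msfadmin", "FAIL", "192.168.1.100") for i in range(6)]
    + [_line("15:31:07", "msfadmin", "OK", "192.168.1.100"),
       _line("15:40:00", "alice", "FAIL", "192.168.1.50"),
       _line("15:40:05", "alice", "OK", "192.168.1.50")]
)


def login_attempts(log_text):
    """Yield (client_ip, user, result) for every login line in the log."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def brute_force_sources(log_text, threshold=5):
    """Clients with at least `threshold` failures; note if a later login succeeded."""
    failures = defaultdict(int)
    users = defaultdict(set)
    succeeded_after = set()
    for ip, user, result in login_attempts(log_text):
        if result == "FAIL":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            succeeded_after.add(ip)  # success after many failures: treat as compromised
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "succeeded": ip in succeeded_after}
        for ip, n in failures.items() if n >= threshold
    }
```

A flagged client with "succeeded": True is the case to act on first: the guessed account should be locked and its password rotated, and the source blocked at the firewall.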

dex2jar

This is an application that helps convert an APK file (Android) to a JAR file in order to view the source code. To use it, open the terminal and write “d2j-dex2jar -d /file location”. In this case, the file is “classes.dex” on the desktop.

The following line shows that a JAR file has been created.

[Screenshot: file browser on the Desktop showing the newly created classes-dex2jar.jar]

jd-gui

JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed source code. In this case, we can reconstruct the file that we extracted with the dex2jar tool. To launch it, open the terminal and write “jd-gui”, and the following view will open. To import the file, click the open folder icon in the upper left corner and then import the file.

[Screenshot: Java Decompiler (JD-GUI) with javaversion.class opened]

Reporting Tools -> dradis.

The web URL will open. Anybody in the LAN can open it at the following URL: https://<IP of Kali machine>:3004


Log in with the username and password that were used the first time.

[Screenshot: "Welcome to Dradis" login page opened at 127.0.0.1:3004]