Bilal Ahmed Shaik Kali Linux
1. Kali Linux ─ Installation & Configuration
Kali Linux is one of the best security packages for an ethical hacker, containing a set of tools divided into categories. It is open source and its official webpage is https://www.kali.org. Kali Linux can be installed on a machine as its operating system or as a virtual machine, which we will discuss in the following section. Installing Kali Linux is the practical option, as it provides more options to work with and combine the tools. You can also create a live boot CD or USB. All of these can be found at the following link: https://www.kali.org/downloads/

BackTrack was the old version of the Kali Linux distribution. The latest release is Kali 2016.1 and it is updated very often.
[Screenshot: kali.org home page, “Our Most Advanced Penetration Testing Distribution, Ever.”]
To install Kali Linux ─
First, we will download VirtualBox and install it.
Later, we will download and install the Kali Linux distribution.
Download and Install VirtualBox
VirtualBox is particularly useful when you want to test something on Kali Linux that you are unsure of. Running Kali Linux in VirtualBox is safe when you want to experiment with unknown packages or test some code. With the help of VirtualBox, you can install Kali Linux on your system (not directly on your hard disk) alongside your primary OS, which can be macOS, Windows or another flavor of Linux. Let’s understand how you can download and install VirtualBox on your system.
Step 1: To download, go to https://www.virtualbox.org/wiki/Downloads. Depending on your operating system, select the right package. In this case, it will be the first one for Windows as shown in the following screenshot.
[Screenshots: the VirtualBox download page listing the 5.1.2 binaries for Windows, OS X, Linux and Solaris hosts, and the setup wizard prompt “Proceed with installation now?” (Version 5.1.2) for the wizard pages between Step 1 and Step 6.]
Step 6: The Ready to Install screen pops up. Click Install.
[Screenshot: VirtualBox 5.1.2 setup wizard, “Ready to Install”: click Install to begin the installation, Back to review or change any installation settings, or Cancel to exit the wizard.]
Step 7: Click the Finish button.
[Screenshot: “Oracle VM VirtualBox 5.1.2 installation is complete. Click the Finish button to exit the Setup Wizard.” with “Start Oracle VM VirtualBox 5.1.2 after installation” ticked.]
The VirtualBox application will now open as shown in the following screenshot. Now we are ready to install the rest of the hosts for this manual; this setup is also recommended for professional usage.
[Screenshot: Oracle VM VirtualBox Manager, “Welcome to VirtualBox! The left part of this window is a list of all virtual machines on your computer. The list is empty now because you haven't created any virtual machines yet. In order to create a new virtual machine, press the New button in the main tool bar located at the top of the window. You can press the F1 key to get instant help, or visit www.virtualbox.org for the latest information and news.”]
Install Kali Linux
Now that we have successfully installed VirtualBox, let’s move on to the next step and install Kali Linux.
Step 1: Download the Kali Linux package from its official website: https://www.kali.org/downloads/ (the prebuilt virtual machine images are listed at offensive-security.com/kali-linux-vmware-virtualbox-image-download).
[Screenshot: Offensive Security download page]
Prebuilt Kali Linux VirtualBox Images
Image Name               | Torrent | Size | Version | SHA1Sum
Kali Linux 64 bit VM     | Torrent | 2.0G | 2016.1  | 2b49bf1e77c11ecb5618249ca69a46f23a6f5d2d
Kali Linux 32 bit VM PAE | Torrent | 2.0G | 2016.1  | e71867a8bbf7ad55fa437eb7c93fd69e450f6759
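The SHA1Sum column above is there to be checked: an image that was corrupted in transit, or replaced on a mirror, will not match it. As an added example (not part of the tutorial), the shell function below compares a downloaded file with the published hash before it is imported into VirtualBox. It assumes GNU `sha1sum` is available (it is on Kali and most Linux systems) and takes the file name and the expected hash as arguments; the demo at the end runs on a small constructed file so it works offline. Note that this only detects tampering if the hash itself was read over HTTPS from the vendor's page; it is a checksum, not a signature.

```shell
#!/bin/sh
# Added example: verify a downloaded Kali image against the SHA1Sum published
# on the download page before importing it into VirtualBox.
# Assumes GNU coreutils `sha1sum` (present on Kali and most Linux systems).

# verify_sha1 FILE EXPECTED_HASH
# Prints OK / MISMATCH / MISSING / BAD-HASH and returns 0 / 1 / 2 / 3.
verify_sha1() {
    file="$1"
    # Normalise the published hash: lower-case, and drop any spaces that were
    # picked up when copying it from the web page.
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
    if [ ! -f "$file" ]; then
        echo "MISSING"
        return 2
    fi
    # A SHA-1 digest is exactly 40 hex characters; anything else is a bad copy.
    if [ "${#expected}" -ne 40 ]; then
        echo "BAD-HASH: expected 40 hex characters, got ${#expected}"
        return 3
    fi
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual"
    return 1
}

# Offline demo on a small constructed file. For the real image use the hash
# from the download table, e.g.:
#   verify_sha1 Kali-Linux-2016.1-vm-amd64.vmdk <SHA1Sum from the table>
demo_dir=$(mktemp -d)
printf 'constructed sample image contents\n' > "$demo_dir/sample.vmdk"
good_hash=$(sha1sum "$demo_dir/sample.vmdk" | cut -d' ' -f1)
verify_sha1 "$demo_dir/sample.vmdk" "$good_hash"                                       # OK
verify_sha1 "$demo_dir/sample.vmdk" 0000000000000000000000000000000000000000 || true  # MISMATCH: ...
rm -rf "$demo_dir"
```

Run it as `sh verify.sh` to see the demo, or source it and call `verify_sha1` on the real .vmdk; a non-zero return status makes it usable in a script that aborts the import on mismatch.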
Step 2: Click VirtualBox -> New as shown in the following screenshot.
[Screenshots: Oracle VM VirtualBox Manager with Machine -> New selected, followed by a file-open dialog (File name, Open, Cancel).]
Step 4: The following screenshot pops up. Click the Create button.
[Screenshot: “Create Virtual Machine” dialog. Name and operating system: Name: Kali 2016.1, Type: Linux, Version: Other Linux (64-bit). Memory size slider (up to 8192 MB). Hard disk: “Use an existing virtual hard disk file”, Kali-Linux-2016.1-vm-amd64.vmdk (Normal, 30.00 GB). Buttons: Guided Mode, Create, Cancel.]
Step 5: Start the Kali OS. The default username is root and the password is toor.

Update Kali
It is important to keep updating Kali Linux and its tools to the newest versions in order to remain functional. Following are the steps to update Kali.
Step 1: Go to Applications -> Terminal. Then, type “apt-get update” and the update will take place as shown in the following screenshot.
[Screenshot: terminal root@kali:~ running apt-get update]
Step 2: Now, to upgrade the tools, type “apt-get upgrade” and the new packages will be downloaded.
root@kali:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  castxml gccxml gdebi-core libasn1-8-heimdal libgssapi3-heimdal libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkdc2-heimdal libkrb5-26-heimdal libntdb1 libroken18-heimdal libwind0-heimdal python-ctypeslib python-ecdsa python-ntdb python-pyatspi python-tidylib vlc-plugin-notify vlc-plugin-samba
Use 'apt autoremove' to remove them.
The following packages have been kept back:
  adwaita-icon-theme apktool backdoor-factory bind9-host binwalk bluez bluez-obexd bundler cadaver couchdb cpp cpp-5 cutycapt default-jdk default-jre default-jre-headless dnsutils dradis driftnet erlang-asn1 erlang-base erlang-crypto erlang-eunit erlang-inets erlang-mnesia erlang-os-mon erlang-public-key erlang-runtime-tools erlang-snmp erlang-ssl erlang-syntax-tools erlang-tools erlang-xmerl evolution-data-server evolution-data-server-common file folks-common ftp g++ g++-5 gcc gcc-5 gcc-5-base gdm3 gedit gedit-common ghostscript gir1.2-gdkpixbuf-2.0 gir1.2-gnomedesktop-3.0 gir1.2-gst-plugins-base-1.0 gir1.2-gstreamer-1.0 ...
Step 3: It will ask if you want to continue. Type “Y” and “Enter”.
[Screenshot: apt-get upgrade asking whether to continue]
Step 4: To upgrade to a newer version of the operating system, type “apt-get dist-upgrade”.
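The three apt-get commands above form one update procedure. As an added example (not from the tutorial), the script below wraps them in a function that stops at the first failing step, and adds a small parser for the apt-get output shown in Step 2, so that the packages apt-get “kept back” or marked “no longer required” can be listed after a run. The apt-get output it parses is a constructed sample modelled on the screenshot above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: run the update procedure from the steps above as one function
# that stops at the first failing step, plus a parser for the apt-get output
# shown in Step 2 so held-back or no-longer-required packages can be listed.
# Assumes apt-get (Kali is Debian-based); function names are this example's own.

# kali_update: refresh the index, upgrade installed packages, then dist-upgrade.
# Each step only runs if the previous one succeeded; -y answers the Y/n prompt.
kali_update() {
    apt-get update &&
    apt-get -y upgrade &&
    apt-get -y dist-upgrade
}

# apt_section HEADER_REGEX
# Reads apt-get output on stdin and prints, one per line, the package names in
# the indented block that follows the header line matching HEADER_REGEX.
apt_section() {
    awk -v hdr="$1" '
        $0 ~ hdr          { grab = 1; next }                      # header found
        grab && /^[ \t]/  { for (i = 1; i <= NF; i++) print $i; next }
                          { grab = 0 }     # first unindented line ends the block
    '
}

# Constructed sample of apt-get upgrade output, modelled on the screenshot above.
SAMPLE_UPGRADE_OUTPUT=$(cat <<'EOF'
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  castxml gccxml gdebi-core
Use 'apt autoremove' to remove them.
The following packages have been kept back:
  adwaita-icon-theme apktool backdoor-factory
  bind9-host binwalk
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
EOF
)

# Demo: list the packages apt-get refused to upgrade (usually because the new
# version needs extra packages, which the dist-upgrade in Step 4 installs).
printf '%s\n' "$SAMPLE_UPGRADE_OUTPUT" | apt_section 'kept back'

# Real use (as root): keep the output of the run and inspect it afterwards.
#   apt-get -y upgrade | tee /tmp/upgrade.log
#   apt_section 'kept back' < /tmp/upgrade.log
if [ "${1:-}" = "--run" ]; then
    kali_update
fi
```

Running the file without arguments only exercises the parser on the sample; `sh update.sh --run` as root performs the actual update sequence.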
Laboratory Setup
In this section, we will set up another testing machine to perform the tests with the help of the tools of Kali Linux.
Step 1: Download Metasploitable, which is a Linux machine. It can be downloaded from the official webpage of Rapid7: https://information.rapid7.com/metasploitabledownload.html?LS=1631875&CS=web
[Screenshot: Rapid7 Metasploitable download page, “Virtual Machine to Test Metasploit”, with a registration form.]
Step 2: Register by supplying your details. After filling the above form, we can download the software.
[Screenshot: Rapid7 confirmation page, “Thank you for registering for Metasploitable. To download Metasploitable, click here!”]
Step 3: Click VirtualBox -> New.
[Screenshot: Oracle VM VirtualBox Manager, Machine -> New]
Step 4: Click “Use an existing virtual hard disk file”. Browse the file where you have downloaded Metasploitable and click Open.
[Screenshot: file dialog for selecting the downloaded Metasploitable disk image]
Step 5: A screen to create a virtual machine pops up. Click “Create”.
[Screenshot: “Create Virtual Machine” dialog. Name and operating system: Name: Metasploitable. Memory size: 1024 MB (slider range 4 MB to 8192 MB). Hard disk: “Use an existing virtual hard disk file”, Metasploitable.vmdk (Normal, 8.00 GB). Buttons: Guided Mode, Create, Cancel.]
The default username is msfadmin and the password is msfadmin.
[Screenshot: “Metasploitable [Running] - Oracle VM VirtualBox” console window (menus: File, Machine, View, Input, Devices, Help).]
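Metasploitable has default credentials and deliberately vulnerable services, so the lab VM should only be reachable from the Kali VM on a host-only network, never bridged onto a real LAN. As an added example (not from the tutorial), the script below reads the output of VirtualBox's `VBoxManage showvminfo <vm> --machinereadable` for a VM and reports any adapter that is bridged. The two VM descriptions at the end are constructed samples modelled on that output format; `VBoxManage` itself is only called when you pass a VM name to `check_vm`, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check that a deliberately vulnerable lab VM (Metasploitable)
# is not bridged onto a real network, so that its services are reachable only
# over the host-only network shared with the Kali VM.
# Assumes VirtualBox's `VBoxManage showvminfo <vm> --machinereadable`, which
# prints one key="value" pair per line (nic1="hostonly", nic2="none", ...).
# The function names and the two sample VM descriptions are this example's own.

# vm_nic_modes: read machine-readable VM info on stdin and print
# "nicN mode" for every adapter that is configured (mode is not "none").
vm_nic_modes() {
    sed -n 's/^\(nic[0-9][0-9]*\)="\([^"]*\)"$/\1 \2/p' | grep -v ' none$' || true
}

# isolation_verdict: read machine-readable VM info on stdin; print ISOLATED,
# or "EXPOSED: <adapters>" and return 1 if any adapter is bridged.
isolation_verdict() {
    exposed=$(vm_nic_modes | awk '$2 == "bridged" { print $1 }' | tr '\n' ' ')
    exposed=${exposed% }
    if [ -n "$exposed" ]; then
        echo "EXPOSED: $exposed"
        return 1
    fi
    echo "ISOLATED"
}

# check_vm VMNAME: query VirtualBox for a real VM, e.g. check_vm Metasploitable
check_vm() {
    VBoxManage showvminfo "$1" --machinereadable | isolation_verdict
}

# Constructed samples modelled on the --machinereadable format.
SAMPLE_VMINFO_BRIDGED=$(cat <<'EOF'
name="Metasploitable"
ostype="Ubuntu"
memory=1024
nic1="bridged"
bridgeadapter1="eth0"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
nic4="none"
EOF
)
SAMPLE_VMINFO_HOSTONLY=$(cat <<'EOF'
name="Metasploitable"
memory=1024
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
EOF
)

# Demo: the bridged configuration is flagged, the host-only one passes.
printf '%s\n' "$SAMPLE_VMINFO_BRIDGED" | isolation_verdict || true   # EXPOSED: nic1
printf '%s\n' "$SAMPLE_VMINFO_HOSTONLY" | isolation_verdict          # ISOLATED
```

`check_vm` exits non-zero when an adapter is bridged, so it can be run before powering the VM on; the same host-only adapter (vboxnet0 in the sample) should be assigned to the Kali VM so the two can still talk to each other.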
2. Kali Linux ─ Information Gathering Tools
In this chapter, we will discuss the information gathering tools of Kali Linux.
NMAP and ZenMAP
NMAP and ZenMAP are useful tools for the scanning phase of ethical hacking in Kali Linux. NMAP and ZenMAP are practically the same tool; however, NMAP uses the command line while ZenMAP has a GUI. NMAP is a free utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. NMAP uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, etc. Now, let’s go step by step and learn how to use NMAP and ZenMAP.
Step 1: To open, go to Applications -> 01-Information Gathering -> nmap or zenmap.
[Screenshot: the Applications menu entry for nmap and zenmap]
Step 2: The next step is to detect the OS type/version of the target host. Based on the help shown by NMAP, the option for OS type/version detection is “-O”. For more information, use this link: https://nmap.org/book/man-os-detection.html
The command that we will use is:
nmap -O 192.168.1.101
The following screenshot shows where you need to type the above command (the Zenmap Target and Command fields, then Scan) and the Nmap output:
nmap -O 192.168.1.101
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds
Step 3: Next, scan the TCP and UDP ports. To scan all the TCP ports with NMAP, use the following command:
nmap -p 1-65535 -T4 192.168.1.101
Here the parameter “-p” indicates the TCP ports that have to be scanned (in this case, all of them) and “-T4” is the timing template, i.e. the speed at which NMAP has to scan.
Following are the results. In green are all the open TCP ports and in red are all the closed ports; however, NMAP does not list the closed ports, as the list is too long.
nmap -p 1-65535 -T4 192.168.1.101
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 18:04 Central European Daylight Time
Nmap scan report for 192.168.1.101
Host is up (0.000010s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  unknown
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  unknown
48285/tcp open  unknown
51161/tcp open  unknown
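The network inventory use that the text mentions is the defensive side of this scan: the same port listing tells an administrator which services are listening that should not be. As an added example (not part of the tutorial), the script below extracts the open ports from NMAP's normal text output and reports every port that is not in an expected-services baseline. The scan output and baseline it uses are constructed samples modelled on the Metasploitable results above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: turn NMAP's port listing into a check that reports every open
# port that is NOT in an expected-services baseline (the network inventory use
# mentioned in the text). Assumes NMAP's normal text output ("PORT STATE
# SERVICE" table). The scan output and baseline below are constructed samples
# modelled on the Metasploitable results on this page; function names are this
# example's own.

# open_ports: read NMAP output on stdin, print "port/proto service" for rows
# whose state is exactly "open" (filtered and open|filtered rows are skipped).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports SCANFILE BASELINEFILE
# BASELINEFILE holds one allowed "port/proto" per line; '#' starts a comment.
unexpected_ports() {
    open_ports < "$1" | awk -v base="$2" '
        BEGIN {
            while ((getline line < base) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") allowed[line] = 1
            }
            close(base)
        }
        !($1 in allowed) { print $1, $2 }
    '
}

# scan_host HOST BASELINEFILE: run the full TCP scan from Step 3 and apply the
# baseline to its output (needs nmap; not run by the demo below).
scan_host() {
    nmap -p 1-65535 -T4 "$1" > "/tmp/nmap-$1.txt"
    unexpected_ports "/tmp/nmap-$1.txt" "$2"
}

SAMPLE_SCAN=$(cat <<'EOF'
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 18:04 CEST
Nmap scan report for 192.168.1.101
Host is up (0.000010s latency).
Not shown: 65525 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
3306/tcp open  mysql
5900/tcp open  vnc
8180/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds
EOF
)
SAMPLE_BASELINE=$(cat <<'EOF'
# services that are supposed to listen on this host
22/tcp   # ssh administration
80/tcp   # web application
EOF
)

# Demo: everything except ssh and http is reported (8 lines).
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SCAN" > "$demo_dir/scan.txt"
printf '%s\n' "$SAMPLE_BASELINE" > "$demo_dir/baseline.txt"
unexpected_ports "$demo_dir/scan.txt" "$demo_dir/baseline.txt"
rm -rf "$demo_dir"
```

A baseline per host (or per host role) turns a one-off scan into a repeatable check: run `scan_host 192.168.1.101 baseline.txt` after each change and investigate any line it prints.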
Stealth Scan
A stealth scan, or SYN scan, is also known as a half-open scan, as it doesn’t complete the TCP three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, then it’s assumed the target would complete the connection and the port is listening. If an RST is received back from the target, then it is assumed the port isn’t active or is closed.
[Diagram: Host 1 sends SYN + port number to Host 2. If Host 2 answers with RST, the port is closed. If Host 2 answers with SYN/ACK and Host 1 replies with RST, the port is open.]
Now, to see the SYN scan in practice, use the parameter -sS in NMAP. Following is the full command:
nmap -sS -T4 192.168.1.101
The following screenshot shows how to use this command (the screenshot limits the port range with -p 1-6500):
nmap -sS -p 1-6500 192.168.1.101
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 22:34 Central European Daylight Time
Nmap scan report for 192.168.1.101
Host is up (0.00030s latency).
Not shown: 6479 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds
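The SYN, SYN/ACK, RST exchange just described is also what a half-open scan looks like to the scanned host, which is how it can be spotted. As an added example (not from the tutorial), the script below reads tcpdump text output and reports source addresses that sent bare SYNs to many distinct ports but almost never sent the ACK that completes a handshake. The capture it runs on is constructed (a scanning host plus one normal web client), and the function names are this example's own.

```shell
#!/bin/sh
# Added example: detect the half-open pattern described above from the
# defender's side. It reads tcpdump text output and reports source addresses
# that sent bare SYNs to many distinct ports but (almost) never followed the
# SYN/ACK with the ACK that completes the handshake, which is what a SYN scan
# looks like on the wire. Assumes tcpdump's default line format
# ("IP src.port > dst.port: Flags [S], ..."); the capture at the bottom is a
# constructed sample, and the function names are this example's own.

# syn_scan_sources [THRESHOLD]
# Reads tcpdump lines on stdin. Prints "source probed completed" for each
# source that probed at least THRESHOLD (default 10) distinct target ports and
# completed fewer than 10% of those handshakes.
syn_scan_sources() {
    awk -v thr="${1:-10}" '
        $2 == "IP" && $6 == "Flags" {
            src = $3; sub(/\.[0-9]+$/, "", src)        # strip the source port
            dst = $5; sub(/:$/, "", dst)               # keep target ip.port
            flags = $7; gsub(/[][,]/, "", flags)       # "[S.]," -> "S."
            if (flags == "S") {                        # bare SYN from src
                if (!((src, dst) in syn)) { syn[src, dst] = 1; probes[src]++ }
            } else if ((flags == "." || flags == "P.") && ((src, dst) in syn)) {
                if (!((src, dst) in comp)) { comp[src, dst] = 1; completed[src]++ }
            }
        }
        END {
            for (s in probes)
                if (probes[s] >= thr && completed[s] * 10 < probes[s])
                    print s, probes[s], completed[s] + 0
        }
    '
}

# Constructed capture: one host probes 12 ports (SYN, SYN/ACK, RST each time),
# while a normal client completes a handshake with the web server.
sample_capture() {
    for port in 21 22 23 25 53 80 111 139 445 512 513 514; do
        printf '22:34:01.000001 IP 192.168.1.101.40001 > 192.168.1.102.%s: Flags [S], seq 1, win 1024, length 0\n' "$port"
        printf '22:34:01.000002 IP 192.168.1.102.%s > 192.168.1.101.40001: Flags [S.], seq 100, ack 2, win 5840, length 0\n' "$port"
        printf '22:34:01.000003 IP 192.168.1.101.40001 > 192.168.1.102.%s: Flags [R], seq 2, win 0, length 0\n' "$port"
    done
    printf '22:34:02.000001 IP 192.168.1.50.51000 > 192.168.1.102.80: Flags [S], seq 1, win 29200, length 0\n'
    printf '22:34:02.000002 IP 192.168.1.102.80 > 192.168.1.50.51000: Flags [S.], seq 500, ack 2, win 5840, length 0\n'
    printf '22:34:02.000003 IP 192.168.1.50.51000 > 192.168.1.102.80: Flags [.], ack 501, win 29200, length 0\n'
    printf '22:34:02.000004 IP 192.168.1.50.51000 > 192.168.1.102.80: Flags [P.], seq 2:80, ack 501, win 29200, length 78\n'
}

# Demo (prints "192.168.1.101 12 0"). On a saved capture:
#   tcpdump -n -r capture.pcap tcp | syn_scan_sources 10
sample_capture | syn_scan_sources 10
```

The ratio test rather than a plain count keeps a busy but legitimate client (many completed connections) off the report, while a scanner that hits closed ports only ever gets RST back and never completes anything.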
Searchsploit
Searchsploit is a tool that helps Kali Linux users search the Exploit Database archive directly from the command line. To open it, go to Applications -> 08-Exploitation Tools -> searchsploit, as shown in the following screenshot.
After opening the terminal, type "searchsploit exploit index name".
root@kali:~# searchsploit windows
Exploit Title                                        | Path (/usr/share/exploitdb/platforms)
Microsoft WebDAV (ntdll.dll) Remote Exploit          | ./remote/1.c
Microsoft WebDAV Remote PoC Exploit                  | ./remote/2.c
Microsoft RPC Locator Service Remote Exploit         | ./remote/5.c
Apache HTTP Server 2.x Memory Leak Exploit           | ./dos/9.c
Microsoft Internet Explorer 11 Crash PoC             | ./dos/37060.html
... Server 1.0 Denial of Service Exploit             | ./dos/13.c
Xeneo Web Server 2.2.9.0 Denial of Service           | ./dos/17.pl
Microsoft SMB Authentication Remote Exploit          | ./remote/20.txt
Pi3Web 2.0.1 Denial of Service, Proof of Concept     | ./dos/22.c
RealServer < 8.0.2 Remote Exploit (Windows)          | ./remote/23.c
Kerio Personal Firewall 2.1.4 Remote Code ...        | ./remote/28.c
DNS Tools
In this section, we will learn how to use some DNS tools that Kali has incorporated. Basically, these tools help with zone transfers or domain IP resolution issues.

dnsenum.pl
The first tool is dnsenum.pl, which is a PERL script that helps to get the MX, A and other records connected to a domain. Click the terminal on the left panel.
Type “dnsenum domain name” and all the records will be shown. In this case, it shows A records.
DNSMAP
The second tool is DNSMAP, which helps to find the phone numbers, contacts and other subdomains connected to the domain we are searching. Following is an example. Click the terminal as in the upper section, then write “dnsmap domain name”.

dnstracer
The third tool is dnstracer, which determines where a given Domain Name Server (DNS) gets its information from for a given hostname. Click the terminal as in the upper section, then type “dnstracer domain name”.
root@kali:~# dnstracer [domain].com
Tracing to [domain].com[a] via 127.0.0.1, maximum of 3 retries
127.0.0.1 (127.0.0.1) ...
LBD Tools
LBD (Load Balancing Detector) tools are very interesting as they detect if a given domain uses DNS and/or HTTP load balancing. It is important because if you have two servers, one or the other may not be updated and you can try to exploit it. Following are the steps to use it: First, click the terminal on the left panel.
Then, type “lbd domainname”. If it produces the result “FOUND”, it means that the server has a load balancer. In this case, the result is “NOT FOUND”.

Hping3
Hping3 is widely used by ethical hackers. It is similar to ping tools but more advanced, as it can bypass firewall filters and use the TCP, UDP, ICMP and RAW-IP protocols. It has a traceroute mode and the ability to send files over a covert channel. Click the terminal on the left panel.
Type “hping3 -h”, which will show how to use this command.
root@kali:~# hping3 -h
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood     sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
The other command is “hping3 domain or IP -parameter”:
root@kali:~# hping3 192.168.1.102 -v
using eth0, addr: 192.168.1.101, MTU: 1500
HPING 192.168.1.102 (eth0 192.168.1.102): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.102 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=0 win=0 rtt=10.6 ms
seq=0 ack=982034245 sum=c40 urp=0

len=46 ip=192.168.1.102 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=1 win=0 rtt=0.4 ms
seq=0 ack=1964174310 sum=dfc0 urp=0
3. Kali Linux ─ Vulnerability Analyses Tools
In this chapter, we will learn how to use some of the tools that help us exploit devices or applications in order to gain access.
Cisco Tools
Kali has some tools that can be used to exploit Cisco routers. One such tool is Cisco-torch, which is used for mass scanning, fingerprinting and exploitation. Let’s open the Terminal console by clicking the left pane.
Then, type “cisco-torch -parameter IP of host”; if there is nothing found to exploit, the following result will be shown.
root@kali:~# cisco-torch -n 10.22.21.1
Using config file torch.conf...
Loading include and plugin...

###############################################################
#   Cisco Torch Mass Scanner                                  #
#   Becase we need it...                                      #
#   http://www.arhont.com/cisco-torch.pl                      #
###############################################################

List of targets contains 1 host(s)
1735:   Checking 10.22.21.1 ...
--->
- All scans done. Cisco Torch Mass Scanner --->
To see what parameters can be used, type “cisco-torch ?”.
root@kali:~# cisco-torch ?
Using config file torch.conf...
Loading include and plugin...
version
usage: cisco-torch ...
or:    cisco-torch ... -F ...

Available options:
-O
-A  All fingerprint scan types combined
-t  Cisco Telnetd scan
-s  Cisco SSHd scan
-u  Cisco SNMP scan
-g  Cisco config or tftp file download
-n  NTP fingerprinting scan
-j  TFTP fingerprinting scan
-l  loglevel: c critical (default), v verbose, d debug
-w  Cisco Webserver scan

Cisco Auditing Tool
It is a PERL script, which scans Cisco routers for common vulnerabilities. To use it, again open the terminal on the left pane as shown in the previous section and type “CAT -h hostname or IP”. You can add the port parameter “-p” as shown in the following screenshot, which in this case is 23, to brute-force it.
[Screenshot: CAT run against the router on port 23]
Cisco Global Exploiter
Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool. With this tool, you can perform several types of attacks as shown in the following screenshot. However, be careful while testing in a live environment, as some of them can crash the Cisco device. For example, some options of cge.pl can stop the services.
root@kali:~# cge.pl
Usage : perl cge.pl ...

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
To use this tool, type “cge.pl IPaddress number of vulnerability”.
The following screenshot shows the result of the test performed on a Cisco router for vulnerability number 3 from the list above. The result shows the vulnerability was successfully exploited.
root@kali:~# cge.pl 10.22.21.1 3
Vulnerability successful exploited with [http://10.22.21.1/level/17/exec/....] ...
BED
BED is a program designed to check daemons for potential buffer overflows, format strings, et al.
root@kali:~# bed

BED 0.5 by mjm (www.codito.de) & eric (www.snake-basket.de)

Usage:
./bed.pl -s <plugin> -t <target> -p <port> -o <timeout> [ depends on the plugin ]

<plugin>  = FTP/SMTP/POP/HTTP/IRC/IMAP/PJL/LPD/FINGER/SOCKS4/SOCKS5
<target>  = Host to check (default: localhost)
<port>    = Port to connect to (default: standard port)
<timeout> = seconds to wait after each test (default: 2 seconds)
use "./bed.pl -s <plugin>" to obtain the parameters you need for the plugin.
Only -s <plugin> is a mandatory switch.

In this case, we will test the testing machine with IP 192.168.1.102 and the protocol HTTP. The command will be “bed -s HTTP -t 192.168.1.102” and the testing will proceed.
root@kali:~# bed -s HTTP -t 192.168.1.102

BED 0.5 by mjm ( www.codito.de ) & eric ( www.snake-basket.de )

+ Buffer overflow testing:
  testing: 1  HEAD XAXAX HTTP/1.0   .......
  testing: 2  HEAD / XAXAX          .......
  testing: 3  GET XAXAX HTTP/1.0    .......
  testing: 4  GET / XAXAX           .......
  testing: 5  POST XAXAX HTTP/1.0   .......
  testing: 6  POST / XAXAX          .......
  testing: 7  GET /XAXAX            .......
  testing: 8  POST /XAXAX           .......
+ Formatstring testing:
  testing: 1  HEAD XAXAX HTTP/1.0   .......
  testing: 2  HEAD / XAXAX          .......
  testing: 3  GET XAXAX HTTP/1.0    .......
  testing: 4  GET / XAXAX           .......
  testing: 5  POST XAXAX HTTP/1.0   .......
  testing: 6  POST / XAXAX          .......
  testing: 7  GET /XAXAX            .......
  testing: 8  POST /XAXAX           .......
* Normal tests
+ Buffer overflow testing:
  testing: 1  User-Agent: XAXAX       .......
  testing: 2  Host: XAXAX             .......
  testing: 3  Accept: XAXAX           .......
  testing: 4  Accept-Encoding: XAXAX  .......
  testing: 5  Accept-Language: XAXAX  .......
  testing: 6  Accept-Charset: XAXAX   .......
  testing: 7  Connection: XAXAX       .......
4. Kali Linux ─ Wireless Attacks
In this chapter, we will learn how to use the Wi-Fi cracking tools that Kali Linux has incorporated. However, it is important that the wireless card you use supports monitor mode.

Fern Wifi Cracker
Fern Wifi Cracker is one of the tools that Kali has to crack wireless networks. Before opening Fern, we should turn the wireless card into monitor mode. To do this, type “airmon-ng start wlan0” in the terminal.
[Screenshot: root@kali terminal running airmon-ng]
Now, open Fern Wireless Cracker. Step 1: Applications -> Click “Wireless Attacks” -> “Fern Wireless Cracker”.
Step 2: Select the wireless card as shown in the following screenshot.
[Screenshot: Fern WIFI Cracker main window: interface selection (monitor mode on wlan0/mon0), “Scan for Access points”, WEP/WPA detection, Key Database: No Key Entries.]
[...] Applications -> 03-Web Application Analysis -> owaspzap.
Step 2: Click “Accept”.
[Screenshot: OWASP ZAP license dialog, “Licensed under the Apache License, version 2.0”, with the Accept button.]
[...] Applications -> 04-Database Assessment -> sqlmap.
The webpage with parameters vulnerable to SQL injection is on the Metasploitable machine.
[Screenshot: Mutillidae “Born to be Hacked” login page on Metasploitable (“Please enter username and password to view account details”), followed by the sqlmap output for that page.]
[...] Applications -> Exploit Tools -> Armitage.
Click the Connect button, as shown in the following screenshot.
When it opens, you will see the following screen.
[Screenshot: Armitage main window with the Modules tree on the left and the Targets area on the right.]
Armitage is user friendly. The “Targets” area lists all the machines that you have discovered and are working with; the hacked targets are shown in red with a thunderstorm icon on them.
After you have hacked the target, you can right-click on it and continue exploring with what you need to do such as exploring (browsing) the folders.
[...]
root@kali:~# inviteflood -h

inviteflood - Version 2.0
              June 09, 2006

Usage:
Mandatory -
        interface (e.g. eth0)
        target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
        target domain (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of flood target (ddd.ddd.ddd.ddd)
        flood stage (i.e. number of packets)
Optional -
        -a flood tool "From:" alias (e.g. jane.doe)
        -i IPv4 source IP address [default is IP address of interface]
        -S srcPort (0 - 65535) [default is well-known discard port 9]
        -D destPort (0 - 65535) [default is well-known SIP port 5060]
        -l lineString line used by SNOM [default is blank]
        -s sleep time btwn INVITE msgs (usec)
        -h help - print this usage
        -v verbose output mode
Next, you can use the following command:
inviteflood eth0 target_extension target_domain target_ip number_of_packets
Where,
target_extension is 2000
target_domain is 192.168.x.x
target_ip is 192.168.x.x
number_of_packets is 1
-a is the alias of the SIP account
Iaxflood
Iaxflood is a VoIP DoS tool. To open it, type “iaxflood sourcename destinationname numpackets” in the terminal. To know how to use it, type “iaxflood -h”.
root@kali:~# iaxflood -h
usage: iaxflood sourcename destinationname numpackets
thc-ssl-dos
THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. Following is the command:
thc-ssl-dos victimIP httpsport --accept
In this example, it will be:
thc-ssl-dos 192.168.1.1 443 --accept
Its output would be as follows:
[Screenshot: thc-ssl-dos output in the root@kali terminal]
10. Kali Linux ─ Sniffing & Spoofing
The basic concept of sniffing tools is as simple as wiretapping and Kali Linux has some popular tools for this purpose. In this chapter, we will learn about the sniffing and spoofing tools available in Kali.
Burpsuite
Burpsuite can be used as a sniffing tool between your browser and the web servers to find the parameters that the web application uses. To open Burpsuite, go to Applications -> Web Application Analysis -> burpsuite.
To set up the sniffing, we configure Burpsuite to behave as a proxy. To do this, go to Options as shown in the following screenshot and check the box as shown. In this case, the proxy IP will be 127.0.0.1 with port 8080.
[Screenshot: Burp Suite Free Edition 1.6.31, Proxy -> Options: the proxy listener on 127.0.0.1:8080 is enabled (Running).]
Then configure the browser proxy, which is the IP of the Burpsuite machine and the port.
[Screenshot: browser Connection Settings, “Configure Proxies to Access the Internet”: Manual proxy configuration, HTTP Proxy 127.0.0.1, Port 8080, “Use this proxy server for all protocols” ticked; No Proxy for: localhost, 127.0.0.1.]
To start interception, go to Proxy -> Intercept -> click “Intercept is on”. Continue to navigate on the webpage that you want to find the parameter to test for vulnerabilities.
[Screenshot: Burp Proxy -> Intercept tab with “Intercept is on”.]
In this case, it is the Metasploitable machine with IP 192.168.1.102.
[Screenshot: Damn Vulnerable Web App (DVWA) login page at 192.168.1.102 opened in Iceweasel.]
Go to “HTTP History”. In the following screenshot, the line marked with a red arrow shows the last request. In the Raw view, the hidden parameters such as the session ID and other parameters such as the user name and password have been underlined in red.
[Screenshot: Burp HTTP history showing the GET/POST requests to 192.168.1.102 and the raw request with the session cookie and login parameters underlined.]
[...] Applications -> Password Attacks -> Online Attacks -> hydra.
It will open the terminal console, as shown in the following screenshot.
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh
root@kali:~#
In this case, we will brute-force the FTP service of the Metasploitable machine, which has IP 192.168.1.101.
[Screenshot: ifconfig output showing the Kali machine on eth0 with inet addr 192.168.1.101.]
We have created in Kali a wordlist at /usr/share/wordlist/metasploit.
[Screenshot: file browser open at that path.]
[...]
dex2jar
This is an application that helps convert an APK file (Android) to a JAR file in order to view the source code. To use it, open the terminal and write “d2j-dex2jar -d /file location”. In this case, the file is “classes.dex” on the desktop.
The following line shows that a JAR file has been created.
[Screenshot: file browser showing classes-dex2jar.jar on the Desktop.]
jd-gui
JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed source code. In this case, we can reconstruct the file that we extracted with the dex2jar tool. To launch it, open the terminal and write “jd-gui” and the following view will open. To import the file, click the open-folder icon in the upper left corner and then import the file.
[Screenshot: Java Decompiler (JD-GUI) window (menus: File, Edit, Navigate, Search, Help) showing javaversion.class.]
[...] Applications -> Reporting Tools -> dradis.
The web URL will open. Anybody on the LAN can open it at the following URL: https://IP of kali machine:3004
Log in with the username and password that were used the first time.
[Screenshot: “Welcome to Dradis” login page at 127.0.0.1:3004.]