In the database, the password is stored in encrypted form. This protects your password if a hacker breaks into the website database. Paytm uses bit encryption, which means that increasing your password length gives 2 combinations for a brute-force attack to try.
It is a program written by a hacker which encrypts all the data on your hard disk so that nobody can open it, and then asks for money if you want to recover your data. IP address: IP stands for Internet Protocol. It is the address of your device. To find your IP address, type "what is my IP" into Google.
There are two types of IP address. We connect to the internet through a public IP address. It can be changed by using a VPN or a proxy. VPN stands for virtual private network. A VPN basically changes your IP address. If you are using a VPN, nobody can know what you are doing unless the VPN company exposes you [a free VPN can, if you are doing something seriously illegal]. Here is how a VPN works. Web server: It is a computer where the files of a website are stored. DoS attack: Mainly used to make a website go down or become unavailable.
Fake traffic is sent to the web server. When the traffic exceeds the bandwidth limit, the server crashes. Here is a screenshot of a website when its server is down. The easiest way to protect against a DoS attack is a firewall which blocks activity from a particular computer. DDoS attack: In a DoS attack there is only one machine, but in a DDoS attack there are multiple fake devices, as shown in the screenshot.
There is only one way to protect against a DDoS attack. SQL injection: The hacker injects queries into the website database. Social engineering: It is not a hacking method as such; it is hacking by the average person. The password-guessing technique is known as social engineering. I am not an expert in this, and it takes a lot of time. It is different for each person, so it is very time-consuming. Ask any hacker. Every hacker will recommend Python.
It is so easy and powerful. Here is a Python course for beginners. After completing it you will be able to read or write any Python syntax.
Besides hacking, Python also helps in data science.
This is a long process. It is the operating system used by hackers because it has all the software needed for hacking.
It is free and open source. Installing Kali Linux is somewhat complex for beginners; here is the full post on how to do it. You can dual boot with Windows or install it inside Windows, which is known as virtualization.
No more words, let's come to the point: how to dual boot with Kali.
The exploit then runs, and when it is successful the payload executes; if the exploit works, we get a remote connection.
Connecting to a Remote Session Once we have a successful exploit we will be able to view any remote sessions that were created. Any sessions that were created will show up along with the IP address, computer name and user name of the target system.
When we connect to the session, the prompt will change into a meterpreter prompt: We will cover the Meterpreter shell in more depth in the next chapter. We also talked briefly about using payloads and setting necessary functions. Metasploit is able to do a ton of things; we just briefly brushed some of the more elementary core functions.
We will cover the entire Meterpreter exploit process later in greater detail. Next we will talk about the Meterpreter shell, an amazing and fun interface that we can use to manipulate systems that we successfully exploited.
Meterpreter is great for manipulating a system once you get a remote connection, so depending on what your goals are, a Meterpreter shell is usually preferred to a straight remote terminal shell. Meterpreter gives us a set of commands and utilities that can be run to greatly aid in security testing. In this section we will quickly cover the Meterpreter shell and some of its features.
Once executed, the backdoor program connected out to our Kali system and a session was created. We were then automatically dropped into the active session as seen below: Once connected to the session we are given a Meterpreter prompt: When we do so, we see that the commands are broken out into sections. The commands are: It is a good idea to read through them all to get a basic understanding of what they can do. Core Commands As a beginner level user, you will probably only use background, help, load, migrate, run and exit from this list.
File System Commands When you have a Meterpreter shell, you basically are dealing with two file systems, the local and remote.
File system commands allow you to interact with both. Basically you can use standard Linux commands to get around and use the file system. But how do you differentiate between the local system and the remote system that you are attached to? All the commands are assumed to be used on the remote system. When you need to move around your local Kali file system there are a couple commands you can use.
Download allows you to download files from the target system, and conversely, upload allows you to send files to the remote system. So if we wanted to upload a file, just connect to the local and remote directories that you desire and execute the upload command with the file name you want to send, as shown below: We connected to the Desktop on the Kali machine where we had our tools file.
Download works the same way, just use download and the file name to pull the file off the remote system and store it on your local Kali machine: Network Commands These commands allow you to display and manipulate some basic networking features.
Though we will not be covering it in this book, using these two commands allows you to use the machine you have exploited to pivot, or use it to attack other machines in the target network or networks. System Commands Below is a list of system commands. We may want to erase our tracks and clear the system logs on the target machine.
If we look at the logs on the Windows 7 system side, we can see that it is full of events: Some of those events may include things that we did. The Application, System and Security logs are wiped. Now obviously this will stick out like a sore thumb to anyone analyzing the logs. But if there are events you want removed, you can clear the log. This is the process ID number that our shell is using. If we go further down the list, looking for our pid number of we see this: It also shows that we are running under a powershell.
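The clearing described above is visible from the other side: Windows cannot wipe a log silently, because the clear itself is written as a fresh event into the surviving log (Security event 1102 for the Security log, System event 104 for the System and Application logs). As an added example that is not from the book, here is detection logic a defender could run over exported event records; the record layout and the sample records are constructed for the demonstration.

```python
"""Spot the trace that wiping the Application, System and Security logs leaves behind.

Added example, not code from the book.  The event records below are constructed
and use field names chosen here; a real pipeline would map its own export
format (EVTX, Winlogbeat, SIEM JSON) onto these names.
"""
import re
from datetime import datetime, timedelta

# (channel the record lands in, event ID) for a log clear:
#   Security log cleared           -> Security, 1102  "The audit log was cleared"
#   System or Application cleared  -> System,   104   "The <name> log file was cleared"
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
_LOG_NAME = re.compile(r"The (\S+) log file was cleared")

# Constructed sample: a normal logon, an old single clear by an admin (routine
# maintenance), then all three logs wiped by one account within two seconds.
SAMPLE_EVENTS = [
    {"time": "2014-03-10T09:02:11", "computer": "WIN7-LAB", "user": "LAB\\alice",
     "channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"time": "2014-03-09T17:45:00", "computer": "WIN7-LAB", "user": "LAB\\itadmin",
     "channel": "System", "event_id": 104,
     "message": "The Application log file was cleared."},
    {"time": "2014-03-10T10:15:03", "computer": "WIN7-LAB", "user": "LAB\\alice",
     "channel": "System", "event_id": 104,
     "message": "The Application log file was cleared."},
    {"time": "2014-03-10T10:15:03", "computer": "WIN7-LAB", "user": "LAB\\alice",
     "channel": "System", "event_id": 104,
     "message": "The System log file was cleared."},
    {"time": "2014-03-10T10:15:04", "computer": "WIN7-LAB", "user": "LAB\\alice",
     "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
]


def cleared_log(event):
    """Name of the log a record says was wiped, or None if the record is not a clear."""
    if (event["channel"], event["event_id"]) not in CLEAR_EVENTS:
        return None
    if event["event_id"] == 1102:
        return "Security"          # 1102 only ever refers to the audit (Security) log
    m = _LOG_NAME.search(event["message"])
    return m.group(1) if m else "unknown"


def detect_mass_clear(events, window=timedelta(seconds=60)):
    """Alert when one account clears two or more distinct logs on a host inside `window`.

    A lone clear is usually maintenance; several logs going at once is the
    pattern a tool that clears everything in one command leaves behind.
    """
    by_actor = {}
    for e in events:
        log = cleared_log(e)
        if log:
            key = (e["computer"], e["user"])
            by_actor.setdefault(key, []).append((datetime.fromisoformat(e["time"]), log))

    alerts = []
    for (host, user), items in by_actor.items():
        items.sort()
        i = 0
        while i < len(items):
            # extend the burst while the next clear is still inside the window
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            logs = sorted({log for _, log in items[i:j + 1]})
            if len(logs) >= 2:
                alerts.append({"host": host, "user": user,
                               "first_seen": items[i][0].isoformat(), "logs": logs})
            i = j + 1
    return alerts


if __name__ == "__main__":
    for a in detect_mass_clear(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['user']} cleared {', '.join(a['logs'])} at {a['first_seen']}")
```

The lone clear by the admin account the day before produces no alert; the three-log burst does.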
We can move our shell off of this PID to a process that has higher level access. Migrating also allows us to merge and hide our shell into another more common process, in essence hiding our connection. I thought this was completely ridiculous as you have been able to do this with Metasploit for years.
This will remotely display the webcam from the target system. The only hint you get on the target machine that something is wrong is that your webcam recording light (if yours has one) comes on. Other than that, you cannot tell that someone is remotely viewing your webcam. The webcam screenshot above is an actual image I got one day of my cat. If we open the file we see this: You can then open the saved file on your Kali system to listen to it: Running Scripts The last topic we will cover in this section is running scripts.
Meterpreter has over scripts that you can run to further expand your exploitation toolset. We actually have already touched on these. We will take a moment and cover a couple more of them. Here are a couple of the more interesting ones: Sometimes when you get a remote shell you are not sure if you are in a Virtual Machine or a standalone computer. You can check with this command. As you can see it correctly determined that our target was a VMware VM.
The user is added to both the remote desktop user group and the administrators group. This makes it handy if you want to connect back to the machine at a later date.
Then just run the program again and give it a username and password to use: This is a bit more secure as you are not sending clear text passwords over the wire. Once we login we will get a graphical Windows desktop on our Kali machine: Take some time and check them out. This is extremely easy once we have a Meterpreter session. We can now run any DOS command that we want. This could be very handy, as deleted files could contain information of interest for both the forensics and pentesting realm.
I then deleted the files: Using the Module The module requires that you have an open session to the target that you want to check. As you can see in the screenshot above, there are a couple settings that need to be set. Then just run the exploit: The exploit ran and found four files that it could recover, the two that we deleted and two other ones.
Now, say we only wanted to recover the txt files. If we surf to that directory we can find and open the text files that were saved: And view the file: And there we go, looks like there are 3 user accounts, including passwords, which we were able to recover from the remote machine! But what if we wanted to recover pdf files? As last time the recovered files were stored in the loot directory. We can open the PDF to verify that it worked: You can also set the module to recover multiple file types at once by simply listing what you want in the FILES variable and separate them with a comma.
Lastly, the files can also be recovered by their ID number (not shown). Recovery File Module Wrap-Up The module seems to work really well on data drives, but not so well on drives where there are a lot of files to recover, like on the main drive of a single drive system. I ran this on a Windows 7 boot drive on a VM that I have used a lot and it literally took hours to run.
Here is a network packet capture of the module running against a drive with a lot of deleted files: But then again, how many people actually record and analyze their data traffic?
It was lightning fast and worked very well. Though we covered some of the basics of getting around and using the shell, we only touched on a fraction of its capabilities. Hopefully you can see why getting a Meterpreter shell gives you a whole lot more functionality than just getting a straight remote access shell.
Grabbing video and sound may seem to be a bit theatrical, but social engineers could use information they glean. Sound is interesting too. A social engineer could learn a lot about the target facility by being able to have a live microphone inside the building.
But we can also use Meterpreter to bypass Windows UAC protection and automate pulling user password hashes and even plain text password. We will talk about all of these features in upcoming chapters.
When a hacker attacks a target one of the normal stages they perform is information gathering. They want to learn as much about your network, their target, as they can, to make their lives easier. Maltego is a very popular tool one that is covered quite a bit in security books and training seminars. As it already has a lot of coverage, I figured we would look at some of the other tools included in Kali. In this chapter we will look at one of the newer tools, Recon-NG and a couple other tools that come with Kali.
Recon-NG The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Think of it as Metasploit for information collection. Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.
You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data. Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel.
Command usage and functions are very similar. Basically you can use Recon-NG to gather info on your target, and then attack it with Metasploit.
Some of the modules are passive; they never touch the target network. Others directly probe, and can even attack, the system you are interested in.
One tactic used to passively probe network structure is to use the Google search engine to enumerate site sub-domains. Then exclude the sub-domains you have already found (with -inurl) so that other sub-domains will appear. This can take a while to do by hand and can require a lot of typing if the target has a large number of sub-domains. Recon-NG will do this for you automatically and record what it finds in a database.
This one only requires the target domain. You will then see a screen like the simulated one below: Within seconds, several of the sub-domains are listed. All the data collected by Recon-NG is placed in a database. You can create a report to view the data collected.
Simply use one of the report modules to automatically create a nice report of the data that you have obtained.
Recon-NG Wrap-Up Sub-domain enumeration is only one module you can run; there are many others to choose from. Using these you can get specific information from the corresponding sites about your targets. For example you can search Twitter for tweets from your target or even check Shodan for open systems. I have just briefly touched on some of the capabilities of Recon-NG. It is really an impressive tool that is well worth checking into. Dmitry Dmitry is a nice little tool for quickly finding out information about a site.
Just run Dmitry from the menu or command line. Netdiscover Netdiscover is another neat tool included in Kali. It too can be run from the command prompt or from the menu system. Netdiscover scans a network looking for devices and then displays them: Zenmap Zenmap is basically a graphical version of the ever popular nmap command. If you are not familiar with nmap, then Zenmap is a great place to start.
Like the previous commands, Zenmap can be started from the menu or command line. Once started, you will see the following screen: Just fill in the target IP address and choose what type of scan you want to perform from the Profile drop down box. Zenmap will show you what the resulting nmap command switches are in the command box. As you can see above the nmap command status shows up in the Nmap Output window.
Conclusion In this chapter we looked at the multi-faceted tool Recon-NG. We saw how it was created to mimic Metasploit so users who are familiar with it could pick up Recon-NG fairly quickly. We also covered a couple other tools used in Host identification, reconnaissance and information gathering. Shodan allows you to find computers on the web by searching for them by keyword. For example, you can search for all the Microsoft IIS 7.
The trick to using Shodan effectively is to know the right keywords. But once you know these magic keys, in seconds you can search the world for these devices. Or by using filter commands you can refine your search to certain devices and areas. It can also allow them to find possible rogue or unauthorized devices that have been added to the company network.
In this section we will briefly discuss why scanning your network space with Shodan is a good idea. We will then look at how we can do these searches from the web interface, Shodanhq. Why scan your network with Shodan?
There are a large number of seemingly important systems that should never be publicly viewable on the Internet. All can be found easily with just a couple keyword searches.
But that is not all. Sadly, in this new high-tech world, computer systems are not the only things that can be found online. Sure, you can find large industrial HVAC environmental and building temperature controls completely open and unsecured. But you can also find other uncommon devices like aquariums with an online control interface and, unbelievably, even remote controlled doors: Often the online device has security, but it comes turned off from the manufacturer, and all the user needs to do is turn it on or assign a password.
And many times when a password is used, it is left at the factory default password, which is easily found, or a simple password, which is easily cracked. The company owner may not even have been the one who put one of these devices online. There have been a couple of reports over the years of internet-enabled building controls from major companies found online.
The building contractor, obviously not understanding internet security, left them completely open or with default credentials. Searching for open systems using Shodan has become very popular. And once interesting systems are found on Shodan, the keyword searches are usually shared amongst friends or publicly posted on the internet.
Granted many are just surfing Shodan to grab screenshots of ridiculous things that people put on the web, but it is also a tool that those with nefarious purposes could also use.
Shodan Website To use Shodan, simply point your web browser to Shodanhq. Then all you need to do is enter your keyword to use and click, search just as you would on any search engine.
Shodan returns links to about two million Cisco routers worldwide. You can click on any IP address to surf directly to the device found. On the left side of the screen, Shodan also shows you how many of the total devices are from a certain country or location. You can click on any of them to zero in on your search, or you could use keyword filters directly in the search to fine-tune the results.
Filter Guide Using Filter commands you can quickly narrow down your searches to very specific things. You could enter something like the line below: This quickly and easily sorts through the millions of servers out there and returns the ones that match the query. Here is a sample search return: Server title information. You can search for other servers that contain the identical title text by putting the information into the title command.
Designates the server's country location, again searchable by using the country command. The hostname search term can be used to search for servers by domain names. Body text area. Any text entered into Shodan without a filter will be assumed to be a body text search and will look for servers that have the requested information in the body text area. To use these commands or to get more than one page of results, you need to sign up for a free Shodan Account.
US city: Memphis Better yet, combine the two if the city you are looking for is located in more than one country. You can scan the entire Internet or your entire domain looking for title keywords. For instance if you wanted to find all the servers running Apache server version 2. Just use a minus sign and the HTML error code: Boston Or you could do a quick security scan of your domain for old systems that need to be updated.
FR Title searches work great too. If cameras were not allowed on your network you could quickly check for that. Say you were creating a network map and wanted to search for Linux servers located near Damascus, Syria: Other search terms you can use include: Search by port number.
Search by operating system. Search for servers using dates. Shodan Searches with Metasploit Shodan search capabilities have been added to the Metasploit Framework. You just need to sign up for a free Shodan user account and get an API key from their website. Using an API key allows you to automate Shodan searches.
To find systems with Metasploit, you simply use it like any other exploit: Create a free account on Shodanhq. Obtain an API key - http: Now set the Query field with the keyword you want to search for: After a few seconds, you will receive some statistics on your search keyword: And then you will see actual returns: If you want to use filter keywords, or get more than one page of responses, you will have to purchase an unlocked API key. Conclusion In this section we learned about the computer search engine Shodan.
We learned that there are thousands if not millions of unsecured or under-secured systems that can be found quickly and easily on Shodan. We then learned how to search Shodan using keywords and filters, and finally we learned how to search Shodan from within Kali using Metasploit. It is critical that companies know what systems they have publicly available on the web.
Shodan is a quick and easy way to find these devices. I highly recommend security teams and even small business and home owners scan their systems to see what systems they have publicly available on the web.
Metasploitable 2 is a purposefully vulnerable Linux distribution. What this means is that it has known bugs and vulnerabilities built in on purpose. It is a training platform made to be used with Metasploit to practice and hone your computer security skills in a legal environment.
The resources above cover a lot of information on installing and using Metasploitable 2 so I will not spend a lot of time on this topic. But we will go through a couple of the exploits using Kali just to see how things work.
Just download the file, unzip it and open it with VMWare Player. A link to the video can be found in the Resources section above. Once Metasploitable boots up you will come to the main login screen: To login, enter the name and password shown on the menu: And they put it right on the login screen! Logging in is pretty anti-climactic. You basically just end up at a text based terminal prompt: But we are not here to use the system from the keyboard; the goal is to try to get into the system remotely from our Kali system.
If we can determine open ports and service program versions, then we may be able to exploit a vulnerability in the service and compromise the machine.
The first thing to do is to run an nmap scan and see what services are installed. This will show us the open ports and try to enumerate what services are running: In a few minutes you will see a screen that looks like this: For each port, we see the port number, service type and even an attempt at the service software version.
We see several of the normal ports are open in the image above. Tutorials usually cover going after the main port services first. But I recommend looking at services sitting on higher ports. What is more likely to be patched and up to date: common core services, or a secondary service that was installed at one time and possibly forgotten about?
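The same scan output can be turned into a review list for the host's own administrator, applying the advice above that higher-port, non-core services deserve the first look. This is an added example, not code from the book: it parses nmap's normal output format (PORT STATE SERVICE VERSION lines), and the scan text and the allowlist of approved services are constructed for the demonstration.

```python
"""Triage an nmap service scan: list every open service, then put the
higher-port and otherwise unapproved services at the top of the review list.

Added example, not code from the book.  SAMPLE_SCAN and EXPECTED are
constructed; point parse_nmap() at real "nmap -sV" output to use it.
"""
import re

# nmap "normal" output lists one service per line: PORT/PROTO STATE SERVICE [VERSION]
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Protocols whose logins cross the wire in clear text.
CLEARTEXT_AUTH = {"telnet", "ftp"}

# Constructed scan text in nmap's normal output format.
SAMPLE_SCAN = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-10 10:20 EDT
Nmap scan report for 192.168.56.102
Host is up (0.00035s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet      Linux telnetd
25/tcp   filtered smtp
139/tcp  open     netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open     mysql       MySQL 5.0.51a-3ubuntu5
6667/tcp open     irc         Unreal ircd
8180/tcp open     http        Apache Tomcat/Coyote JSP engine 1.1
"""

# Services the administrator has approved for this host (constructed allowlist).
EXPECTED = {(22, "ssh"), (139, "netbios-ssn")}


def parse_nmap(text):
    """Return one dict per port line; banner, host and summary lines are skipped."""
    services = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return services


def flag_service(svc, expected=EXPECTED):
    """Reasons to look at this service first; an empty list means nothing stands out."""
    flags = []
    if (svc["port"], svc["service"]) not in expected:
        flags.append("unexpected")        # not on the approved inventory
    if svc["port"] >= 1024:
        flags.append("high-port")         # the "installed once and forgotten" candidates
    if svc["service"] in CLEARTEXT_AUTH:
        flags.append("cleartext-auth")    # credentials readable in a packet capture
    return flags


def prioritize(text, expected=EXPECTED):
    """Open services only, most flags first, then by port number."""
    findings = []
    for svc in parse_nmap(text):
        if svc["state"] != "open":        # filtered/closed ports are not exposed services
            continue
        findings.append(dict(svc, flags=flag_service(svc, expected)))
    findings.sort(key=lambda f: (-len(f["flags"]), f["port"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SAMPLE_SCAN):
        print(f"{f['port']:>5}/{f['proto']} {f['service']:<12} "
              f"{f['version']:<45} {', '.join(f['flags'])}")
```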
Our next step is to do a search for vulnerabilities for that software release. But why use Google when we can search with Metasploit? Running this search returns: An Unreal 3. This is great news, as the exploits are ranked according to the probability of success and stability. If you remember from our introduction to Metasploit, there are several steps to exploiting a vulnerability: Doing so we find the following: This backdoor was present in the Unreal3. All that is needed is the remote host address: Unfortunately they are all command shells.
A Meterpreter shell would be better than a command shell, and give us more options, but for now we will just use the generic reverse shell. This will drop us right into a terminal shell with the target when the exploit is finished. Now, just type: Notice it says that a session is opened, but then it just gives you a blinking cursor.
You are actually sitting in a terminal shell with the target machine! The Root user is the highest level user that you can be on a Linux machine. It worked! All the standard Linux commands work with our shell that we have. For instance we can display the password file: We would have to crack the password file to get the actual passwords; we will take a look at this in the Password Attacks Chapter. Conclusion In this chapter we learned how to use nmap to find open ports on a test target system.
We also learned how to find out what services are running on those ports. We then found out how to find and use an exploit against a vulnerable service. Next we will take a quick look at some of the scanners built into Metasploit that help us find and exploit specific services. Chapter 8 — Metasploitable - Part Two: Scanners Introduction In the last chapter we looked at scanning the system with Nmap to look for open ports and services.
This time we will take a look at some of the built in auxiliary scanners that come with Metasploit. Running our nmap scan produced a huge amount of open ports for us to pick and choose from.
These scanners let us search and recover service information from a single computer or an entire network! For this tutorial we again will be using our Kali system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system. For this tutorial we will narrow our attention to the common ports that we found open. As a refresher here are the results from the nmap scan performed in the last chapter: Go ahead and search Metasploit for ssh scanners: Notice that several are available.
We see that our target is indeed running an SSH server and we see the software version: Notice that the option we set for the remote host is plural, RHOSTS; we can put in a whole range of systems here, enabling us to scan an entire network quickly and easily to find SSH servers. I will leave this exercise up to you. Using Additional Scanners Some scanners return different information than others.
The scan reveals that MySQL 5. But others can reveal some more interesting information. If we use a username and password, it will try to log in to the service.
Notice that this is unlike the others we have covered so far; on the Metasploitable machine it does not return a version number, it performs a banner grab. But sometimes you can find some very interesting information by using it. Now, when we type exploit we see this: Just looks like a bunch of text with no hint as to what level of software is running. But if we look closer, we can see something else: Are you kidding me?
And we are in! If we run the id command, we can see that this user, which is the main user, is a member of multiple groups: We might be able to use this information to exploit further services.
Sounds kind of unbelievable that a company would include legit login credentials on a service login page, but believe it or not, it happens in real life more than you would believe.
Scanning a Range of Addresses What is interesting too is that with these scanner programs we have different options that we can set. But what if we wanted to scan the entire network for systems that are running Samba? Instead of just scanning a single host, you can scan all clients on the Notice now it scanned all hosts on the network and found the Samba running on our Metasploitable 2 machine at This makes things much easier if you are just scanning for certain services running on a network.
I set the threads command too. If you are scanning a local LAN, you can bump this up to to make it go faster, or up to 50 if testing a remote network. This will give us a little more practice in running exploits and get us used to finding and exploiting vulnerable services. So, all we need to do is just use the exploit, set the RHOST value to our target Metasploitable system and run the exploit: Conclusion In this section we learned how to use some of the built in scanners to quickly scan for specific services.
Some professional pentesters no longer rely on nmap as the main tool in finding services. Many go for a quick kill by looking for specific vulnerabilities commonly available before turning to nmap. Scanning for specific services that have a tendency to be vulnerable can be a quick way into a network.
We looked at several of the core service scanners and learned how they function. Shockingly, we were able to obtain clear text passwords from the telnet service. Once we get a set of credentials, we could use the auxiliary scanners in Metasploit to further exploit the network.
Just plug those credentials into one of the scanners and sweep the entire network to see what other systems that they would work on. It would be a good idea for you to take some time and look through them to see what they can do.
Many people think that if they are running an Anti-Virus and a firewall, that they are generally safe from hacker attacks. But the truth is far from that. One part of penetration testing is getting past that pesky anti-virus. Veil is one way that we can accomplish this.
Many Anti-Virus programs work by pattern or signature matching. If a program looks like malware that the AV has been programmed to look for, it catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat.
If you can change or mask the signature of malware, or a remote shell in this case, then most likely AV will allow it to run and the attacker gets a remote connection to the system.
Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a Metasploit-like program, allows you to create multiple payloads that will most likely bypass anti-virus. And this will bring you to the main menu: This will select the payload and present us with the following screen: We will just choose the default, msfvenom.
This means that their computer will connect back to us. Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.
Then enter the Local port that you will be using. I chose to use port And that is it! Veil will then generate our shellcode with the options that we chose. Now we need to give our created file a name. If you know they like cute puppies, then our chosen file name is perfect. Whatever you think would be the best. Veil now has all that it needs and creates our booby-trapped file. Just take the created.
When it is run, it will try to connect out to our machine.
We will now need to start a handler listener to accept the connection. Getting a Remote Shell To create the remote handler, we will be using Metasploit. Start the Metasploit Framework from the menu or by typing msfconsole in a terminal. Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly. Metasploit will then start the handler and wait for a connection: Now we just need the victim to run the file that we sent them.
On the Windows 7 machine, if the file is executed, we will see this on our Kali system: A reverse shell session!