Book Image

Kali Linux - An Ethical Hacker's Cookbook - Second Edition

By : Himanshu Sharma
Book Image

Kali Linux - An Ethical Hacker's Cookbook - Second Edition

By: Himanshu Sharma

Overview of this book

Many organizations have been affected by recent cyber events. At the current rate of hacking, it has become more important than ever to pentest your environment in order to ensure advanced-level security. This book is packed with practical recipes that will quickly get you started with Kali Linux (version 2018.4 / 2019), in addition to covering the core functionalities. The book will get you off to a strong start by introducing you to the installation and configuration of Kali Linux, which will help you to perform your tests. You will also learn how to plan attack strategies and perform web application exploitation using tools such as Burp and JexBoss. As you progress, you will get to grips with performing network exploitation using Metasploit, Sparta, and Wireshark. The book will also help you delve into the technique of carrying out wireless and password attacks using tools such as Patator, John the Ripper, and airoscript-ng. Later chapters will draw focus to the wide range of tools that help in forensics investigations and incident response mechanisms. As you wrap up the concluding chapters, you will learn to create an optimum quality pentest report. By the end of this book, you will be equipped with the knowledge you need to conduct advanced penetration testing, thanks to the book’s crisp and task-oriented recipes.

Related Content you might be interested in

Current Title:

Small book image
Kali Linux - An Ethical Hacker's Cookbook - Second Edition
Himanshu Sharma
Mar, 2019 | 472 pages
Small book image
Hands-On Red Team Tactics
Harpreet Singh | Himanshu Sharma
Sep, 2018 | 480 pages
Small book image
Kali Linux 2018: Assuring Security by Penetration Testing
Lee Allen | Alex Samm | Shakeel Ali | Damian Boodoo | Tedi Heriyanto | Gerard Johansen | Shiva V N Parasram
Oct, 2018 | 528 pages
Small book image
Hands-On Web Penetration Testing with Metasploit
Harpreet Singh | Himanshu Sharma
May, 2020 | 544 pages
Table of Contents (15 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
Disclaimer
Free Chapter
1
Kali - An Introduction
Kali - An Introduction
Configuring Kali Linux
Configuring the Xfce environment
Configuring the MATE environment
Configuring the LXDE environment
Configuring the E17 environment
Configuring the KDE environment
Prepping with custom tools
Zone Walking using DNSRecon
Setting up I2P for anonymity
Pentesting VPN's ike-scan
Setting up proxychains
Going on a hunt with Routerhunter
2
Gathering Intel and Planning Attack Strategies
Gathering Intel and Planning Attack Strategies
Getting a list of subdomains
Using Shodan for fun and profit
Shodan Honeyscore
Shodan plugins
Censys
Using Nmap to find open ports
Bypassing firewalls with Nmap
Searching for open directories using GoBuster
Hunting for SSL flaws
Automating brute force with BruteSpray
Digging deep with TheHarvester
Finding technology behind webapps using WhatWeb
Scanning IPs with masscan
Finding origin servers with CloudBunny
Sniffing around with Kismet
Testing routers with Firewalk
3
Vulnerability Assessment - Poking for Holes
Vulnerability Assessment - Poking for Holes
Using the infamous Burp
Exploiting WSDLs with Wsdler
Using Intruder
Using golismero
Exploring Searchsploit
Exploiting routers with routersploit
Using Metasploit
Automating Metasploit
Writing a custom resource script
Setting up a database in Metasploit
Generating payloads with MSFPC
Emulating threats with Cobalt Strike
4
Web App Exploitation - Beyond OWASP Top 10
Web App Exploitation - Beyond OWASP Top 10
Exploiting XSS with XSS Validator
Injection attacks with sqlmap
Owning all .svn and .git repositories
Winning race conditions
Exploiting XXEs
Exploiting Jboss with JexBoss
Exploiting PHP Object Injection
Automating vulnerability detection using RapidScan
Backdoors using meterpreter
Backdoors using webshells
5
Network Exploitation
Network Exploitation
Introduction
MITM with hamster and ferret
Exploring the msfconsole
Railgun in Metasploit
Using the paranoid meterpreter
The tale of a bleeding heart
Exploiting Redis
Saying no to SQL – owning MongoDBs
Hacking embedded devices
Exploiting Elasticsearch
Good old Wireshark
This is Sparta
Exploiting Jenkins
Shellver – reverse shell cheatsheet
Generating payloads with MSFvenom Payload Creator (MSFPC)
6
Wireless Attacks - Getting Past Aircrack-ng
Wireless Attacks - Getting Past Aircrack-ng
The good old Aircrack
Hands-on with Gerix
Dealing with WPAs
Owning employee accounts with Ghost Phisher
Pixie dust attack
Setting up rogue access points with WiFi-Pumpkin
Using Airgeddon for Wi-Fi attacks
7
Password Attacks - The Fault in Their Stars
Password Attacks - The Fault in Their Stars
Identifying different types of hashes in the wild
Hash-identifier to the rescue
Cracking with Patator
Playing with John the Ripper
Johnny Bravo!
Using ceWL
Generating wordlists with crunch
Using Pipal
8
Have Shell, Now What?
Have Shell, Now What?
Spawning a TTY shell
Looking for weaknesses
Horizontal escalation
Vertical escalation
Node hopping – pivoting
Privilege escalation on Windows
Pulling a plaintext password with Mimikatz
Dumping other saved passwords from the machine
Pivoting
Backdooring for persistance
Age of Empire
Automating Active Directory (AD) exploitation with DeathStar
Exfiltrating data through Dropbox
Data exfiltration using CloakifyFactory
9
Buffer Overflows
Buffer Overflows
Exploiting stack-based buffer overflows
Exploiting buffer overflows on real software
SEH bypass
Exploiting egg hunters
An overview of ASLR and NX bypass
10
Elementary, My Dear Watson - Digital Forensics
Elementary, My Dear Watson - Digital Forensics
Using the volatility framework
Using Binwalk
Capturing a forensic image with guymager
11
Playing with Software-Defined Radios
Playing with Software-Defined Radios
Radio-frequency scanners
Hands-on with the RTLSDR scanner
Playing around with gqrx
Kalibrating your device for GSM tapping
Decoding ADS-B messages with Dump1090
12
Kali in Your Pocket - NetHunters and Raspberries
Kali in Your Pocket - NetHunters and Raspberries
Installing Kali on Raspberry Pi
Installing NetHunter
Superman typing – human interface device (HID) attacks
Can I charge my phone?
Setting up an evil access point
13
Writing Reports
Writing Reports
Using Dradis
Using MagicTree
Using Serpico
14
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Prepping with custom tools

In this recipe, we will set up a few tools beforehand; not to worry, we will be covering their usage in detail in later chapters.

Getting ready

Here is a list of some tools that we will need before we dive deeper into penetration testing. Don't worry, we will learn about their usage with some real-life examples in the next few chapters. But those of us who are excited about them right now can run the following simple commands to view the -help section where toolname is the name of the tool we would like to view the help of:

toolname -help
toolname -h

How to do it...

We will be looking at two tools in this section.

Aquatone

Aquatone is a tool for visually inspecting websites across a large amount of hosts and is convenient for quickly gaining an overview of an HTTP-based attack surface. Aquatone has four major modules: discover, scanner, gather, and takeover. Each of these can be used to perform in-depth enumeration of a target:

  1. We will use a simple command to install aquatone:
gem install aquatone

The following screenshot shows the output of the preceding command:

  1. Next, we create a directory in /root/folder using the following command:
mkdir /root/aquatone/
  1. As aquatone uses different modules to hunt for subdomains, we will have to configure aquatone's discovery module before running it.
  2. For example, to configure the shodan, we can use the following command:
aquatone-discover --set-key shodan XXXXXXXXXXX

The following screenshot shows the output of the preceding command:

  1. Similarly, we can set keys for other services too, such as Censys and PassiveTotal.
  2. Once it is all set, we can start our subdomain hunting. We can do this using the following command:
aquatone-discover -d domain.com

The following screenshot shows the output of the preceding command:

  1. Aquatone also allows us to set a custom wordlist by using the -w flag, and we can also set the threads by using the -t flag.
  2. By default, aquatone stores the output in TXT as well as JSON format in the /root/aquatone/ directory.
  3. After we find the subdomains, we can use the aquatone scanner to scan for open ports on the discovered hosts. Let's look at an example:
aquatone-scan --ports 80 -d packtpub.com

The following screenshot shows the output of the preceding command:

  1. This will look for the domain's hosts.json file in the aquatone directory.
    Aquatone by default has four inbuilt port scanning flags (small, medium, large, and huge). These flags will decide the number of ports being scanned on the hosts, or we can define custom ports by using the -ports flag.
    • aquatone-gather: This tool makes a connection to the web services found using the discover and scanner modules of aquatone and takes screenshots of discovered web pages for later analysis.
    • aquatone-takeover: This module is used to find subdomains that are vulnerable to the subdomain takeover vulnerability.

Let's refer to the following screenshot:

Subfinder

Subfinder is considered as a successor to sublist3r. It is amazingly fast and finds valid subdomains using passive online sources such as Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, Commoncrawl, CrtSH, DnsDB and so on.

  1. Install subfinder. It needs Go to be installed, which we can install by using the following command:
apt install golang

The following screenshot shows the output of the preceding command:

  1. Next, we clone subfinder by using the following command:
git clone https://github.com/subfinder/subfinder.git

The following screenshot shows the output of the preceding command:

Or you can download and save it from https://github.com/subfinder/subfinder.

  1. To install subfinder, we go to the cloned directory and run the go build command.
  2. Once the installation is complete, we will need a wordlist for it to run, so we can download dnspop's list. This list can be used in the previous recipe too: https://github.com/bitquark/dnspop/tree/master/results.
  3. Now that both are set up, we browse into subfinder's directory and run it using the ./subfinder -h command.

The following screenshot shows the output of the preceding command:

  1. To run it against a domain with our wordlist, we use the following command:
./subfinder -w /path/to/wordlist -d hostname.com

If we do not specify a wordlist the tool will run with a default wordlist as shown in the following screenshot:

Once the enumeration is complete, the output will be shown onscreen as follows:

  1. Subfinder is also designed to work with services such as shodan, censys, and virustotal, but they need to be configured in the config.json file shown here:

There's more...

A subdomain takeover vulnerability exists when a service that previously pointed to a subdomain is removed but the CNAME record still exists. More information can be read about it at the following GitHub link: https://github.com/EdOverflow/can-i-take-over-xyz/.

Aquatone-takeover is based on the same methodology described by EdOverflow at the preceding URL.

Previous Section
End of Section 8
Next Section