Book Image

Kali Linux - An Ethical Hacker's Cookbook - Second Edition

By : Himanshu Sharma
Book Image

Kali Linux - An Ethical Hacker's Cookbook - Second Edition

By: Himanshu Sharma

Overview of this book

Many organizations have been affected by recent cyber events. At the current rate of hacking, it has become more important than ever to pentest your environment in order to ensure advanced-level security. This book is packed with practical recipes that will quickly get you started with Kali Linux (version 2018.4 / 2019), in addition to covering the core functionalities. The book will get you off to a strong start by introducing you to the installation and configuration of Kali Linux, which will help you to perform your tests. You will also learn how to plan attack strategies and perform web application exploitation using tools such as Burp and JexBoss. As you progress, you will get to grips with performing network exploitation using Metasploit, Sparta, and Wireshark. The book will also help you delve into the technique of carrying out wireless and password attacks using tools such as Patator, John the Ripper, and airoscript-ng. Later chapters will draw focus to the wide range of tools that help in forensics investigations and incident response mechanisms. As you wrap up the concluding chapters, you will learn to create an optimum quality pentest report. By the end of this book, you will be equipped with the knowledge you need to conduct advanced penetration testing, thanks to the book’s crisp and task-oriented recipes.

Related Content you might be interested in

Current Title:

Small book image
Kali Linux - An Ethical Hacker's Cookbook - Second Edition
Himanshu Sharma
Mar, 2019 | 472 pages
Small book image
Hands-On Red Team Tactics
Harpreet Singh | Himanshu Sharma
Sep, 2018 | 480 pages
Small book image
Kali Linux 2018: Assuring Security by Penetration Testing
Lee Allen | Alex Samm | Shakeel Ali | Damian Boodoo | Tedi Heriyanto | Gerard Johansen | Shiva V N Parasram
Oct, 2018 | 528 pages
Small book image
Hands-On Web Penetration Testing with Metasploit
Harpreet Singh | Himanshu Sharma
May, 2020 | 544 pages
Table of Contents (15 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Sections
Get in touch
Disclaimer
Free Chapter
1
Kali - An Introduction
Kali - An Introduction
Configuring Kali Linux
Configuring the Xfce environment
Configuring the MATE environment
Configuring the LXDE environment
Configuring the E17 environment
Configuring the KDE environment
Prepping with custom tools
Zone Walking using DNSRecon
Setting up I2P for anonymity
Pentesting VPN's ike-scan
Setting up proxychains
Going on a hunt with Routerhunter
2
Gathering Intel and Planning Attack Strategies
Gathering Intel and Planning Attack Strategies
Getting a list of subdomains
Using Shodan for fun and profit
Shodan Honeyscore
Shodan plugins
Censys
Using Nmap to find open ports
Bypassing firewalls with Nmap
Searching for open directories using GoBuster
Hunting for SSL flaws
Automating brute force with BruteSpray
Digging deep with TheHarvester
Finding technology behind webapps using WhatWeb
Scanning IPs with masscan
Finding origin servers with CloudBunny
Sniffing around with Kismet
Testing routers with Firewalk
3
Vulnerability Assessment - Poking for Holes
Vulnerability Assessment - Poking for Holes
Using the infamous Burp
Exploiting WSDLs with Wsdler
Using Intruder
Using golismero
Exploring Searchsploit
Exploiting routers with routersploit
Using Metasploit
Automating Metasploit
Writing a custom resource script
Setting up a database in Metasploit
Generating payloads with MSFPC
Emulating threats with Cobalt Strike
4
Web App Exploitation - Beyond OWASP Top 10
Web App Exploitation - Beyond OWASP Top 10
Exploiting XSS with XSS Validator
Injection attacks with sqlmap
Owning all .svn and .git repositories
Winning race conditions
Exploiting XXEs
Exploiting Jboss with JexBoss
Exploiting PHP Object Injection
Automating vulnerability detection using RapidScan
Backdoors using meterpreter
Backdoors using webshells
5
Network Exploitation
Network Exploitation
Introduction
MITM with hamster and ferret
Exploring the msfconsole
Railgun in Metasploit
Using the paranoid meterpreter
The tale of a bleeding heart
Exploiting Redis
Saying no to SQL – owning MongoDBs
Hacking embedded devices
Exploiting Elasticsearch
Good old Wireshark
This is Sparta
Exploiting Jenkins
Shellver – reverse shell cheatsheet
Generating payloads with MSFvenom Payload Creator (MSFPC)
6
Wireless Attacks - Getting Past Aircrack-ng
Wireless Attacks - Getting Past Aircrack-ng
The good old Aircrack
Hands-on with Gerix
Dealing with WPAs
Owning employee accounts with Ghost Phisher
Pixie dust attack
Setting up rogue access points with WiFi-Pumpkin
Using Airgeddon for Wi-Fi attacks
7
Password Attacks - The Fault in Their Stars
Password Attacks - The Fault in Their Stars
Identifying different types of hashes in the wild
Hash-identifier to the rescue
Cracking with Patator
Playing with John the Ripper
Johnny Bravo!
Using ceWL
Generating wordlists with crunch
Using Pipal
8
Have Shell, Now What?
Have Shell, Now What?
Spawning a TTY shell
Looking for weaknesses
Horizontal escalation
Vertical escalation
Node hopping – pivoting
Privilege escalation on Windows
Pulling a plaintext password with Mimikatz
Dumping other saved passwords from the machine
Pivoting
Backdooring for persistance
Age of Empire
Automating Active Directory (AD) exploitation with DeathStar
Exfiltrating data through Dropbox
Data exfiltration using CloakifyFactory
9
Buffer Overflows
Buffer Overflows
Exploiting stack-based buffer overflows
Exploiting buffer overflows on real software
SEH bypass
Exploiting egg hunters
An overview of ASLR and NX bypass
10
Elementary, My Dear Watson - Digital Forensics
Elementary, My Dear Watson - Digital Forensics
Using the volatility framework
Using Binwalk
Capturing a forensic image with guymager
11
Playing with Software-Defined Radios
Playing with Software-Defined Radios
Radio-frequency scanners
Hands-on with the RTLSDR scanner
Playing around with gqrx
Kalibrating your device for GSM tapping
Decoding ADS-B messages with Dump1090
12
Kali in Your Pocket - NetHunters and Raspberries
Kali in Your Pocket - NetHunters and Raspberries
Installing Kali on Raspberry Pi
Installing NetHunter
Superman typing – human interface device (HID) attacks
Can I charge my phone?
Setting up an evil access point
13
Writing Reports
Writing Reports
Using Dradis
Using MagicTree
Using Serpico
14
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Pentesting VPN's ike-scan

During a pentest, we may encounter VPN endpoints. However, finding vulnerabilities in those endpoints and exploiting them is not a well-known method. VPN endpoints use the Internet Key Exchange (IKE) protocol to set up a security association between multiple clients to establish a VPN tunnel.

IKE has two phases. Phase 1 is responsible for setting up and establishing a secure authenticated communication channel. Phase 2 encrypts and transports data.

Our focus of interest here is Phase 1. It uses two methods of exchanging keys:

  • Main mode
  • Aggressive mode

We hunt for Aggressive-mode-enabled VPN endpoints using PSK authentication.

Getting ready

For this recipe, we will use the ike-scan and ikeprobe tools. First, we install ike-scan by cloning the Git repository:

git clone https://github.com/royhills/ike-scan.git

Or, you can use the following URL: https://github.com/royhills/ike-scan.

How to do it...

  1. Browse to the directory where ike-scan is installed.
  2. Install autoconf by running the following command:
apt-get install autoconf
  1. Run autoreconf --install to generate a .configure file.
  2. Run ./configure.
  3. Run make to build the project.
  4. Run make check to verify the building stage.
  5. Run make install to install ike-scan.
  6. To scan a host for an Aggressive mode handshake, use the following command:
   ike-scan x.x.x.x –M -A

The following screenshot shows the output of the preceding command:

  1. Sometimes, we will see the response after providing a valid group name such as vpn:
ike-scan x.x.x.x –M –A id=vpn
  1. To view the list of all available options, we can run the following command:
ike-scan -h

The following screenshot shows the output of the preceding command:

We can even brute force the group names using the following link: https://github.com/SpiderLabs/groupenum.
Here is the command:
./dt_group_enum.sh x.x.x.x groupnames.dic

Cracking the PSK

  1. Adding a –P flag in the ike-scan command will show a response with the captured hash.
  2. To save the hash, we provide a filename along with the –P flag.
  3. Next, we can use psk-crack with the following command:
psk-crack –b 5 /path/to/pskkey

-b is brute force mode and length is 5.

  1. To use a dictionary-based attack, we use the following command with -d flag to input the dictionary file:
psk-crack –d /path/to/dictionary /path/to/pskkey

The following screenshot shows the output of the preceding command:

There's more...

In Aggressive mode, the authentication hash is transmitted as a response to the packet of the VPN client that tries to establish a connection tunnel (IPSec). This hash is not encrypted and hence it allows us to capture the hash and perform a brute force attack against it to recover our PSK.

This is not possible in Main mode, as it uses an encrypted hash along with a 6-way handshake, whereas Aggressive mode uses only a 3-way handshake.

Previous Section
End of Section 11
Next Section