penetration testing with kali

Penetration Testing with Kali Linux

PWK Copyright © 2014 Offensive Security Ltd. All rights reserved. of 365




All rights reserved to Offensive Security, 2014 ©

No part of this publication, in whole or in part, may be reproduced,

copied, transferred or any other right reserved to its copyright owner,

including photocopying and all other copying, any transfer or

transmission using any network or other means of communication,

any broadcast for distant learning, in any form or by any means such

as any information storage, transmission or retrieval system, without

prior written permission from the author.



Penetration Testing: What You Should Know ........................................................ 13

About Kali Linux ......................................................................................................................... 13

About Penetration Testing .......................................................................................................... 14

Legal ............................................................................................................................................... 15

The megacorpone.com Domain ................................................................................................. 16

Offensive Security Labs .............................................................................................................. 16

VPN Labs Overview ................................................................................................................... 16

Lab Control Panel ....................................................................................................................... 19

Reporting .................................................................................................................................... 20

Getting Comfortable with Kali Linux ....................................................................... 23

Finding Your Way Around Kali ................................................................................................ 23

Booting Up Kali Linux ............................................................................................................... 23

The Kali Menu ............................................................................................................................ 24

find, locate, and which ................................................................................................................ 24

Exercises ..................................................................................................................................... 25

Managing Kali Linux Services ................................................................................................... 26

Default root Password ................................................................................................................ 26

SSH Service ................................................................................................................................ 27

HTTP Service ............................................................................................................................. 28

Exercises ..................................................................................................................................... 29

The Bash Environment ................................................................................................. 30

Intro to Bash Scripting ................................................................................................................. 30

Practical Bash Usage – Example 1 ............................................................................................. 30

Practical Bash Usage – Example 2 ............................................................................................. 34

Exercises ..................................................................................................................................... 37



The Essential Tools ....................................................................................................... 38

Netcat ............................................................................................................................................. 38

Connecting to a TCP/UDP Port ................................................................................................ 38

Listening on a TCP/UDP Port .................................................................................................. 40

Transferring Files with Netcat ................................................................................................... 42

Remote Administration with Netcat .......................................................................................... 44

Exercises ..................................................................................................................................... 50

Ncat ................................................................................................................................................ 50

Exercises ..................................................................................................................................... 52

Wireshark ...................................................................................................................................... 53

Wireshark Basics ........................................................................................................................ 53

Making Sense of Network Dumps ............................................................................................. 55

Capture and Display Filters ....................................................................................................... 56

Following TCP Streams ............................................................................................................. 57

Exercises ..................................................................................................................................... 58

Tcpdump ....................................................................................................................................... 59

Filtering Traffic .......................................................................................................................... 59

Advanced Header Filtering ........................................................................................................ 61

Exercises ..................................................................................................................................... 64

Passive Information Gathering .................................................................................. 65

A Tale From the Author .............................................................................................................. 65

Open Web Information Gathering ............................................................................................ 67

Google ............................................................................................................................................ 67

Enumerating with Google .......................................................................................................... 67

Google Hacking .......................................................................................................................... 72

Email Harvesting ....................................................................................................................... 76



Additional Resources .................................................................................................................. 77

Netcraft ....................................................................................................................................... 77

Whois Enumeration ................................................................................................................... 79

Exercise ....................................................................................................................................... 81

Recon-‐‑ng ........................................................................................................................................ 82

Active Information Gathering .................................................................................... 85

DNS Enumeration ........................................................................................................................ 85

Interacting With a DNS Server ................................................................................................. 85

Automating Lookups .................................................................................................................. 86

Forward Lookup Brute Force ...................................................................................................... 86

Reverse Lookup Brute Force ....................................................................................................... 87

DNS Zone Transfers .................................................................................................................. 88

Relevant Tools in Kali Linux ..................................................................................................... 92

Exercises ..................................................................................................................................... 95

Port Scanning ................................................................................................................................ 96

A Cautionary Tale From the Author ......................................................................................... 96

TCP CONNECT / SYN Scanning ............................................................................................ 96

UDP Scanning ........................................................................................................................... 98

Common Port Scanning Pitfalls ................................................................................................ 99

Port Scanning with Nmap ....................................................................................................... 100

OS Fingerprinting ................................................................................................................... 105

Banner Grabbing/Service Enumeration ................................................................................... 106

Nmap Scripting Engine (NSE) ................................................................................................ 107

Exercises ................................................................................................................................... 108

SMB Enumeration ...................................................................................................................... 109

Scanning for the NetBIOS Service .......................................................................................... 109

Null Session Enumeration. ...................................................................................................... 110



Nmap SMB NSE Scripts ......................................................................................................... 113

Exercises ................................................................................................................................... 115

SMTP Enumeration ................................................................................................................... 116

Exercise ..................................................................................................................................... 117

SNMP Enumeration ................................................................................................................... 118

A Note From the Author .......................................................................................................... 118

MIB Tree .................................................................................................................................. 119

Scanning for SNMP ................................................................................................................. 120

Windows SNMP Enumeration Example ................................................................................. 121

Exercises ................................................................................................................................... 122

Vulnerability Scanning .............................................................................................. 123

Vulnerability Scanning with Nmap ........................................................................................ 123

The OpenVAS Vulnerability Scanner ..................................................................................... 128

OpenVAS Initial Setup ............................................................................................................ 128

Exercises ................................................................................................................................... 135

Buffer Overflows ........................................................................................................ 136

Fuzzing ........................................................................................................................................ 137

Vulnerability History ............................................................................................................... 137

A Word About DEP and ASLR ............................................................................................... 137

Interacting with the POP3 Protocol ........................................................................................ 138

Exercises ................................................................................................................................... 141

Win32 Buffer Overflow Exploitation ...................................................................................... 142

Replicating the Crash ............................................................................................................... 142

Controlling EIP ........................................................................................................................ 142

Locating Space for Your Shellcode ........................................................................................... 146

Checking for Bad Characters .................................................................................................... 149



Redirecting the Execution Flow ............................................................................................... 152

Finding a Return Address ........................................................................................................ 152

Generating Shellcode with Metasploit ..................................................................................... 158

Getting a Shell .......................................................................................................................... 161

Improving the Exploit .............................................................................................................. 164

Linux Buffer Overflow Exploitation ....................................................................................... 165

Setting Up the Environment .................................................................................................... 165

Crashing Crossfire .................................................................................................................... 166

Controlling EIP ........................................................................................................................ 168

Finding Space for Our Shellcode .............................................................................................. 169

Improving Exploit Reliability .................................................................................................. 170

Discovering Bad Characters ..................................................................................................... 171

Finding a Return Address ........................................................................................................ 172

Getting a Shell .......................................................................................................................... 174

Working with Exploits .............................................................................................................. 177

Searching for Exploits ............................................................................................................... 178

Finding Exploits in Kali Linux ................................................................................................ 178

Finding Exploits on the Web .................................................................................................... 179

Customizing and Fixing Exploits ............................................................................................ 182

Setting Up a Development Environment ................................................................................ 182

Dealing with Various Exploit Code Languages ....................................................................... 182

Exercises ................................................................................................................................... 186

Post Exploitation ......................................................................................................... 187

A Word About Anti Virus Software ....................................................................................... 187

File Transfers .............................................................................................................................. 188

The Non-‐‑Interactive Shell ........................................................................................................ 188

Uploading Files ........................................................................................................................ 189



Exercises ................................................................................................................................... 196

Privilege Escalation ................................................................................................................... 196

Privilege Escalation Exploits ................................................................................................... 196

Configuration Issues ................................................................................................................ 202

Incorrect File and Service Permissions .................................................................................... 202

Think Like a Network Administrator ....................................................................................... 204

Exercises ................................................................................................................................... 204

Client Side Attacks ..................................................................................................... 205

Know Your Target ..................................................................................................................... 205

Passive Client Information Gathering ..................................................................................... 206

Active Client Information Gathering ....................................................................................... 207

Social Engineering and Client Side Attacks ............................................................................ 207

Exercises ................................................................................................................................... 208

MS12-‐‑037-‐‑ Internet Explorer 8 Fixed Col Span ID ................................................................ 208

Setting up the Client Side Exploit ........................................................................................... 210

Swapping Out the Shellcode .................................................................................................... 211

Exercises ................................................................................................................................... 212

Java Signed Applet Attack ........................................................................................................ 213

Exercises ................................................................................................................................... 218

Web Application Attacks ........................................................................................... 219

Essential Iceweasel Add-‐‑ons .................................................................................................... 219

Cross Site Scripting (XSS) ......................................................................................................... 220

Browser Redirection and IFRAME Injection .......................................................................... 223

Stealing Cookies and Session Information ............................................................................... 224

Exercises ................................................................................................................................... 226

File Inclusion Vulnerabilities ................................................................................................... 227



Local File Inclusion .................................................................................................................. 227

Exercises ................................................................................................................................... 233

Remote File Inclusion ............................................................................................................... 233

Exercise ..................................................................................................................................... 234

MySQL SQL Injection ................................................................................................................ 235

Authentication Bypass ............................................................................................................. 235

Exercises ................................................................................................................................... 240

Enumerating the Database ....................................................................................................... 240

Column Number Enumeration ................................................................................................ 241

Understanding the Layout of the Output ................................................................................ 243

Extracting Data from the Database ......................................................................................... 244

Exercises ................................................................................................................................... 245

Leveraging SQL Injection for Code Execution ........................................................................ 246

Exercises ................................................................................................................................... 248

Web Application Proxies .......................................................................................................... 249

Exercises ................................................................................................................................... 251

Automated SQL Injection Tools .............................................................................................. 252

Exercises ................................................................................................................................... 255

Password Attacks ........................................................................................................ 256

Preparing for Brute Force ......................................................................................................... 256

Dictionary Files ........................................................................................................................ 256

Key-‐‑space Brute Force .............................................................................................................. 257

Pwdump and Fgdump .............................................................................................................. 259

Windows Credential Editor (WCE) ......................................................................................... 261

Exercises ................................................................................................................................... 262

Password Profiling ................................................................................................................... 263

Password Mutating .................................................................................................................. 264



Exercise ..................................................................................................................................... 266

Online Password Attacks .......................................................................................................... 266

Hydra Medusa and Ncrack ...................................................................................................... 266

Choosing the Right Protocol – Speed vs. Reward .................................................................... 269

Exercises ................................................................................................................................... 269

Password Hash Attacks ............................................................................................................ 270

Password Hashes ...................................................................................................................... 270

Password Cracking ................................................................................................................... 270

John the Ripper ......................................................................................................................... 272

Rainbow Tables ........................................................................................................................ 275

Passing the Hash in Windows ................................................................................................. 276

Exercises ................................................................................................................................... 277

Port Redirection and Tunneling .............................................................................. 278

Port Forwarding/Redirection ................................................................................................... 278

SSH Tunneling ........................................................................................................................... 281

Local Port Forwarding ............................................................................................................. 281

Remote Port Forwarding .......................................................................................................... 283

Dynamic Port Forwarding ....................................................................................................... 285

Proxychains ................................................................................................................................. 286

HTTP Tunneling ........................................................................................................................ 288

Traffic Encapsulation ................................................................................................................ 289

Exercises ................................................................................................................................... 290

The Metasploit Framework ....................................................................................... 291

Metaspliot User Interfaces ....................................................................................................... 292

Setting up Metasploit Framework on Kali ............................................................................... 293

Exploring the Metaspliot Framework ...................................................................................... 293



Auxiliary Modules ..................................................................................................................... 294

Getting Familiar with MSF Syntax ......................................................................................... 294

Metasploit Database Access ..................................................................................................... 300

Exercises ................................................................................................................................... 302

Exploit Modules ......................................................................................................................... 303

Exercises ................................................................................................................................... 306

Metasploit Payloads .................................................................................................................. 306

Staged vs. Non-‐‑Staged Payloads .............................................................................................. 306

Meterpreter Payloads ............................................................................................................... 307

Experimenting with Meterpreter ............................................................................................. 308

Executable Payloads ................................................................................................................. 310

Reverse HTTPS Meterpreter ................................................................................................... 312

Metasploit Exploit Multi Handler ........................................................................................... 312

Revisiting Client Side Attacks ................................................................................................. 315

Exercises ................................................................................................................................... 315

Building Your Own MSF Module ........................................................................................... 316

Exercise ..................................................................................................................................... 318

Post Exploitation with Metasploit ........................................................................................... 319

Meterpreter Post Exploitation Features ................................................................................... 319

Post Exploitation Modules ....................................................................................................... 320

Bypassing Antivirus Software .................................................................................. 323

Encoding Payloads with Metasploit ....................................................................................... 324

Crypting Known Malware with Software Protectors ........................................................... 326

Using Custom/Uncommon Tools and Payloads ................................................................... 328

Exercise ........................................................................................................................................ 330

Assembling the Pieces -‐‑ Penetration Test Breakdown ........................................ 331



Phase 0 – Scenario Description ................................................................................................ 331

Phase 1 – Information Gathering ............................................................................................. 332

Phase 2 – Vulnerability Identification and Prioritization .................................................... 332

Password Cracking ................................................................................................................... 333

Phase 3 – Research and Development .................................................................................... 336

Phase 4 – Exploitation ............................................................................................................... 337

Linux Local Privilege Escalation ............................................................................................. 337

Phase 5 – Post Exploitation ....................................................................................................... 340

Expanding Influence ................................................................................................................ 340

Client Side Attack Against Internal Network ......................................................................... 341

Privilege Escalation Through AD Misconfigurations ............................................................. 345

Port Tunneling ......................................................................................................................... 347

SSH Tunneling with HTTP Encapsulation ............................................................................ 348

Looking for High Value Targets ............................................................................................... 355

Domain Privilege Escalation .................................................................................................... 361

Going for the Kill ...................................................................................................................... 363

penetration testing with kali

Documents

kali linux penetration

kali linux pwk copyright

kali menu

managing kali linux

offensive security labs

copyright owner

means of communication

vpn labs overview